Edge Code Injection

c++ / delphi package - dll injection and api hooking

Re: Edge Code Injection

Postby Absolute_Zero » Tue Nov 24, 2015 8:37 pm

Gah, I didn't properly think through the implications of enabling the api hooks with the shared memory pointer at null. Rats. Shift + restart click at the logon screen isn't booting me into safe mode and neither does F8 at boot with UEFI bios and a boot SSD.

I may be gone for a while :(
Absolute_Zero
 
Posts: 39
Joined: Fri Jan 26, 2007 11:12 am

Re: Edge Code Injection

Postby madshi » Tue Nov 24, 2015 8:50 pm

Oh, sorry to hear that.
madshi
Site Admin
 
Posts: 9340
Joined: Sun Mar 21, 2004 5:25 pm

Re: Edge Code Injection

Postby Absolute_Zero » Tue Nov 24, 2015 10:12 pm

If all else fails, brute force and ignorance...

I pulled the power early in the boot sequence. After the third try it went into diagnostic mode at boot.

Nerves shredded, I will return to this (chastened) tomorrow.
Absolute_Zero
 
Posts: 39
Joined: Fri Jan 26, 2007 11:12 am

Re: Edge Code Injection

Postby madshi » Tue Nov 24, 2015 10:51 pm

Haha! Maybe this would be a good time to suggest (once more) to try the PrintMonitor demo. 10 seconds download. No installation necessary. 30 seconds testing. Done.
madshi
Site Admin
 
Posts: 9340
Joined: Sun Mar 21, 2004 5:25 pm

Re: Edge Code Injection

Postby Absolute_Zero » Wed Nov 25, 2015 4:08 pm

PrintMonitor works fine. I would've been surprised if it didn't... it's only Edge that has given me difficulties. Firefox, Chrome, a plethora of windows apps, explorer etc, all okay.

I tested my injection dll's again with api hooks active, this time calling the original functions immediately and then returning. No problem with Edge.

As it stands, my issue with Edge *seems* to solely relate to CreateGlobalFileMapping.
Absolute_Zero
 
Posts: 39
Joined: Fri Jan 26, 2007 11:12 am

Re: Edge Code Injection

Postby madshi » Wed Nov 25, 2015 4:27 pm

I didn't mean you to run PrintMonitor and then stop it again. The purpose of the test was to run PrintMonitor, and *while it runs* start Edge, to see if the PrintMonitor hook dlls stop Edge from working or not... :wink:
madshi
Site Admin
 
Posts: 9340
Joined: Sun Mar 21, 2004 5:25 pm

Re: Edge Code Injection

Postby Absolute_Zero » Wed Nov 25, 2015 4:44 pm

Sorry I wasn't sufficiently explicit. I did try that... PrintMonitor doesn't interfere with Edge.
Absolute_Zero
 
Posts: 39
Joined: Fri Jan 26, 2007 11:12 am

Re: Edge Code Injection

Postby madshi » Wed Nov 25, 2015 4:58 pm

But PrintMonitor uses IPC, too! It does not use CreateGlobalFileMapping, though. CreateGlobalFileMapping internally enables a lot of privileges, because some of them are needed to be able to create global resources. Do you absolutely *have* to do that? None of my demos tries to *create* a global object. Maybe you can create the file mapping in your EXE and just open it in your hook dll?
madshi
Site Admin
 
Posts: 9340
Joined: Sun Mar 21, 2004 5:25 pm

Re: Edge Code Injection

Postby Absolute_Zero » Wed Nov 25, 2015 5:49 pm

It won't actually get created as such in Edge. Other processes (e.g. explorer.exe) will have created the shared memory before Edge is launched, i.e. in Edge GetLastError will return ERROR_ALREADY_EXISTS. If that makes any difference.
Absolute_Zero
 
Posts: 39
Joined: Fri Jan 26, 2007 11:12 am

Re: Edge Code Injection

Postby madshi » Wed Nov 25, 2015 10:01 pm

No, it doesn't. CreateGlobalFileMapping internally *ALWAYS* enables those privileges first, before trying to create the file mapping. So it doesn't matter if the file mapping already existed or not.

Can't you pre-create the file mapping in your EXE, and then just use OpenGlobalFileMapping in your hook dll? That should fully solve the problem.

P.S: Or alternatively check "If GetModuleFileName(0) = Edge then OpenGlobalFileMapping else CreateGlobalFileMapping". But it would be better to avoid calling *Create*GlobalFileMapping in the hook dll altogether.
madshi
Site Admin
 
Posts: 9340
Joined: Sun Mar 21, 2004 5:25 pm

Re: Edge Code Injection

Postby Absolute_Zero » Thu Nov 26, 2015 3:48 pm

I've rewritten my code to ensure that OpenGlobalFileMapping is used when injected in Edge... and all is well. Thanks for the assistance!

In my use case, Edge will never be the first injected application, so the following *should* work reliably...
Code:
   // Hook-DLL side (C/C++ with madCodeHook): open the shared memory that an
   // earlier injected process created; only create it if nobody has yet.
   // The includes and the InitIpcMapping wrapper were added so the fragment
   // compiles; MY_DAT, g_szIpcName, g_hMapFile and dbg() are the poster's own
   // declarations (dbg is printf-style, as the original "%s" call shows).
   #include <windows.h>
   #include <sddl.h>      // ConvertStringSecurityDescriptorToSecurityDescriptorW
   #include <aclapi.h>    // SetNamedSecurityInfoA
   #include "madCHook.h"  // OpenGlobalFileMapping / CreateGlobalFileMapping

   static BOOL InitIpcMapping(void)
   {
      // Edge is never the first injected process in this setup, so opening
      // (which adjusts no privileges) is the normal path.
      g_hMapFile = OpenGlobalFileMapping(g_szIpcName, TRUE);

      if (g_hMapFile == NULL)
      {
         if (GetLastError() != ERROR_FILE_NOT_FOUND)
            return FALSE;   // mapping exists but could not be opened (e.g. access denied)

         // First injected process: create the mapping. CreateGlobalFileMapping
         // enables privileges internally, which is what went wrong inside Edge.
         g_hMapFile = CreateGlobalFileMapping(g_szIpcName, sizeof(MY_DAT));

         if (g_hMapFile == NULL)
            return FALSE;

         // Relies on CreateGlobalFileMapping leaving CreateFileMapping's last
         // error intact, so a lost race against another creator is detected.
         if (GetLastError() != ERROR_ALREADY_EXISTS)
         {
            PSECURITY_DESCRIPTOR pSD = NULL;

            // Label the mapping Low integrity (no-write-up) so low-IL processes can write to it
            if (ConvertStringSecurityDescriptorToSecurityDescriptorW(L"S:(ML;;NW;;;LW)", SDDL_REVISION_1, &pSD, NULL))
            {
               PACL pSacl = NULL;
               BOOL fSaclPresent = FALSE;
               BOOL fSaclDefaulted = FALSE;

               if (GetSecurityDescriptorSacl(pSD, &fSaclPresent, &pSacl, &fSaclDefaulted))
               {
                  DWORD err = SetNamedSecurityInfoA(g_szIpcName, SE_KERNEL_OBJECT, LABEL_SECURITY_INFORMATION, NULL, NULL, NULL, pSacl);
                  if (err != ERROR_SUCCESS)
                     dbg("SetNamedSecurityInfo failed: %lu", err);
               }

               LocalFree(pSD);
            }

            dbg("%s created", g_szIpcName);
         }
      }

      return TRUE;
   }
Absolute_Zero
 
Posts: 39
Joined: Fri Jan 26, 2007 11:12 am
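The label string in the post above, S:(ML;;NW;;;LW), is an SDDL fragment, and madshi's advice earlier in the thread is to pre-create the object in the EXE and only open it from the hook DLL, which makes the descriptor chosen at creation time the thing to get right. The following is an added example, not code from the thread or from madCodeHook: it parses an SDDL string offline and reports two properties worth checking before the string is handed to ConvertStringSecurityDescriptorToSecurityDescriptor, namely whether the SACL labels the object Low integrity (LW) and whether the DACL grants access to ALL APPLICATION PACKAGES (AC, S-1-15-2-1), the extra grant an AppContainer process needs on top of the integrity label. It goes beyond the page in handling the general O:/G:/D:/S: layout rather than the single label string. The second sample, D:(A;;GA;;;WD)(A;;GA;;;AC)S:(ML;;NW;;;LW), is constructed for the example; whether a particular sandboxed process needs the AppContainer ACE is something to verify on the target, the checker only reports what the string says.

```cpp
// sddl_check.cpp : parse an SDDL security-descriptor string and report whether a
// named object created with it would be reachable from a Low-integrity or
// AppContainer process. Pure string handling, so it builds on any platform:
//   g++ -std=c++11 sddl_check.cpp -o sddl_check
#include <iostream>
#include <string>
#include <utility>
#include <vector>

// One ACE as written in SDDL: (type;flags;rights;object_guid;inherit_object_guid;account_sid)
struct SddlAce {
    std::string type, flags, rights, objectGuid, inheritGuid, sid;
};

struct SddlDescriptor {
    std::string owner, group;          // O: and G: components (may be empty)
    std::string daclFlags, saclFlags;  // text before the first '(' in D: / S:, e.g. "P"
    std::vector<SddlAce> dacl, sacl;   // ACEs listed under D: and S:
    bool ok;                           // false when the string was malformed
    SddlDescriptor() : ok(false) {}
};

// Split "a;b;c" on sep, keeping empty fields (SDDL ACEs have many of them).
static std::vector<std::string> splitFields(const std::string& s, char sep) {
    std::vector<std::string> out;
    std::string cur;
    for (size_t i = 0; i < s.size(); ++i) {
        if (s[i] == sep) { out.push_back(cur); cur.clear(); } else cur += s[i];
    }
    out.push_back(cur);
    return out;
}

// Parse "flags(ace)(ace)..." into the ACL flags and its ACE list.
static bool parseAcl(const std::string& s, std::string& flags, std::vector<SddlAce>& aces) {
    size_t p = s.find('(');
    flags = s.substr(0, p);
    while (p != std::string::npos) {
        size_t q = s.find(')', p);
        if (q == std::string::npos) return false;   // unbalanced parenthesis
        std::vector<std::string> f = splitFields(s.substr(p + 1, q - p - 1), ';');
        if (f.size() < 6) return false;             // plain ACEs have 6 fields, conditional ones 7
        SddlAce a = { f[0], f[1], f[2], f[3], f[4], f[5] };
        aces.push_back(a);
        p = s.find('(', q);
    }
    return true;
}

// Split an SDDL string into its O:/G:/D:/S: components. Markers are recognised
// only outside ACE parentheses, so "GA" inside an ACE is never taken for "G:".
SddlDescriptor parseSddl(const std::string& sddl) {
    SddlDescriptor d;
    std::vector<std::pair<char, size_t> > marks;
    int depth = 0;
    for (size_t i = 0; i + 1 < sddl.size(); ++i) {
        if (sddl[i] == '(') ++depth;
        else if (sddl[i] == ')') --depth;
        else if (depth == 0 && sddl[i + 1] == ':' && std::string("OGDS").find(sddl[i]) != std::string::npos)
            marks.push_back(std::make_pair(sddl[i], i));
    }
    if (marks.empty() || marks[0].second != 0) return d;   // must begin with a component marker
    for (size_t k = 0; k < marks.size(); ++k) {
        size_t start = marks[k].second + 2;
        size_t end = (k + 1 < marks.size()) ? marks[k + 1].second : sddl.size();
        std::string body = sddl.substr(start, end - start);
        bool good = true;
        switch (marks[k].first) {
            case 'O': d.owner = body; break;
            case 'G': d.group = body; break;
            case 'D': good = parseAcl(body, d.daclFlags, d.dacl); break;
            case 'S': good = parseAcl(body, d.saclFlags, d.sacl); break;
        }
        if (!good) return d;
    }
    d.ok = true;
    return d;
}

// True if the SACL holds a mandatory-label ACE at Low (LW / S-1-16-4096): a
// Low-integrity process may then write to the object, subject to the DACL.
bool hasLowIntegrityLabel(const SddlDescriptor& d) {
    for (size_t i = 0; i < d.sacl.size(); ++i)
        if (d.sacl[i].type == "ML" && (d.sacl[i].sid == "LW" || d.sacl[i].sid == "S-1-16-4096"))
            return true;
    return false;
}

// True if the DACL has an allow ACE for ALL APPLICATION PACKAGES (AC / S-1-15-2-1).
bool grantsAppContainer(const SddlDescriptor& d) {
    for (size_t i = 0; i < d.dacl.size(); ++i)
        if (d.dacl[i].type == "A" && (d.dacl[i].sid == "AC" || d.dacl[i].sid == "S-1-15-2-1"))
            return true;
    return false;
}

int main() {
    // Constructed samples: the label-only string from the thread, and one that
    // also carries a DACL admitting Everyone (WD) and AppContainer packages (AC).
    const char* samples[] = { "S:(ML;;NW;;;LW)", "D:(A;;GA;;;WD)(A;;GA;;;AC)S:(ML;;NW;;;LW)" };
    for (size_t i = 0; i < 2; ++i) {
        SddlDescriptor d = parseSddl(samples[i]);
        std::cout << samples[i] << "\n  parsed=" << d.ok << " lowLabel=" << hasLowIntegrityLabel(d)
                  << " appContainer=" << grantsAppContainer(d) << "\n";
    }
    return 0;
}
```

Run on the thread's own string the checker reports the Low label as present and no AppContainer grant at all, which is exactly the difference between "low-IL processes may write" and "an AppContainer process may open the object"; a descriptor that passes both checks is the one to build in the EXE before any hook DLL calls OpenGlobalFileMapping.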

Re: Edge Code Injection

Postby madshi » Thu Nov 26, 2015 3:52 pm

Glad to hear that. So it appears Edge injection is still working well with madCodeHook (provided DLL injection is started before Edge), and I don't need to change anything, is that correct?
madshi
Site Admin
 
Posts: 9340
Joined: Sun Mar 21, 2004 5:25 pm

Re: Edge Code Injection

Postby Absolute_Zero » Thu Nov 26, 2015 4:04 pm

Yeah, I think so... and I use a fairly broad range of your tech. HookApi, SendIpcMessage etc.
Absolute_Zero
 
Posts: 39
Joined: Fri Jan 26, 2007 11:12 am

Re: Edge Code Injection

Postby madshi » Thu Nov 26, 2015 4:05 pm

Cool, thanks.
madshi
Site Admin
 
Posts: 9340
Joined: Sun Mar 21, 2004 5:25 pm

Re: Edge Code Injection

Postby DSp_nrg » Mon Nov 30, 2015 9:28 am

Hi,

sorry for my late response to this topic. I took some time to test the PrintMonitor Demo on my Win10 (32bit) VM.

Even if I start PrintMonitor before starting Edge, the HookPrintAPI DLLs don't get injected. When starting the EdgeCP process from the debugger I see the same exception as in my first post.
It seems to be the same problem for my code and PrintMonitor code.

Update:
I just cross checked the issue on multiple VMs. It seems like an issue on that specific VM, I don't know why, but on other VMs (32 & 64bit) it works just fine.
I'm not sure if only that specific VM got a CodeIntegrity patch which was withdrawn afterwards, or if something is broken on the VM. I can't figure out the differences from version numbers or release notes.
DSp_nrg
 
Posts: 18
Joined: Mon Aug 04, 2014 10:26 am
