Edge Code Injection

c++ / delphi package - dll injection and api hooking

Re: Edge Code Injection

Postby madshi » Mon Nov 30, 2015 10:56 am

Oh well. Could it be that some debugging stuff (e.g. Application Verifier) or some extra aggressive security software (e.g. Microsoft's EMET) is active on that VM? Or maybe there's another hooking library active which collides with madCodeHook in some way?
madshi
Site Admin
 
Posts: 9265
Joined: Sun Mar 21, 2004 5:25 pm

Re: Edge Code Injection

Postby ExPx » Fri Mar 03, 2017 12:14 pm

I think this issue is not closed. On a Win10 64-bit computer my system-wide hook DLL was successfully injected into all processes except microsoftedgecp.exe. When I start Microsoft Edge, Process Explorer shows me one MicrosoftEdge.exe and two MicrosoftEdgeCP.exe processes. MicrosoftEdge.exe and the first MicrosoftEdgeCP.exe loaded my injection DLL. But the second MicrosoftEdgeCP.exe can't load it. I really want to know whether hooking (socket APIs) is still available in the MS Edge browser?
ExPx
 
Posts: 13
Joined: Fri Oct 21, 2016 3:20 pm

Re: Edge Code Injection

Postby madshi » Fri Mar 03, 2017 12:38 pm

It might have been better to start a new thread instead of reviving a 2 year old thread which may or may not be related.

Anyway.

1) Do you start injection first, and Edge afterwards? Or the other way round?
2) Does your hook dll have NTFS read/execute rights for "ALL APPLICATION PACKAGES"?
madshi
Site Admin
 
Posts: 9265
Joined: Sun Mar 21, 2004 5:25 pm
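
The check asked for in question 2 above, as an added example that is not part of the original posts and is not madCodeHook code: it reads a file's DACL and reports whether ALL APPLICATION PACKAGES (well-known SID S-1-15-2-1) ends up with read/execute rights. The function name and the sample path are hypothetical.

```powershell
# Added example. Function name and sample path are hypothetical.
function Test-AppPackagesReadExecute {
    param([Parameter(Mandatory)][string]$Path)

    # Well-known SID of ALL APPLICATION PACKAGES; matching on the SID avoids
    # depending on the localized account name.
    $sid    = 'S-1-15-2-1'
    $needed = [int][System.Security.AccessControl.FileSystemRights]::ReadAndExecute

    # Fetch explicit and inherited ACEs, with identities returned as SIDs.
    $acl   = Get-Acl -LiteralPath $Path
    $rules = $acl.GetAccessRules($true, $true,
                 [System.Security.Principal.SecurityIdentifier])

    $allow = 0
    $deny  = 0
    foreach ($rule in $rules) {
        # Only ACEs that name ALL APPLICATION PACKAGES directly are evaluated.
        if ($rule.IdentityReference.Value -ne $sid) { continue }
        $rights = [int]$rule.FileSystemRights
        if ($rule.AccessControlType -eq 'Allow') { $allow = $allow -bor $rights }
        else                                     { $deny  = $deny  -bor $rights }
    }

    # A deny ACE for the same SID overrides any matching allow bits.
    $effective = $allow -band (-bnot $deny)

    [pscustomobject]@{
        Path          = $Path
        AllowedRights = [System.Security.AccessControl.FileSystemRights]$allow
        DeniedRights  = [System.Security.AccessControl.FileSystemRights]$deny
        ReadExecuteOk = (($effective -band $needed) -eq $needed)
    }
}

# Hypothetical path; substitute the location of the DLL being checked.
Test-AppPackagesReadExecute -Path 'C:\Program Files\Example\hook.dll'
```

`ReadExecuteOk` is false both when the ACE is missing and when a deny ACE for the same SID removes part of the read/execute mask.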

Re: Edge Code Injection

Postby ExPx » Sat Mar 04, 2017 5:29 am

Hi madshi, here is the summary

* I have a service running (signed with EV cert).
* My hook dll is under System32 (signed with same cert)
* Injection is started on windows boot.
* I start Edge.
* In process explorer I can see one MicrosoftEdge.exe process and two MicrosoftEdgeCP.exe processes.
* My dll was successfully injected into MicrosoftEdge.exe and one of the MicrosoftEdgeCP.exe processes. The other MicrosoftEdgeCP.exe was not injected.
* Dll has ALL APPLICATION PACKAGES read and read/execute rights.
* Microsoft Edge 38.14393.0.0
* Microsoft EdgeHTML 14.14393
* Windows 10 Pro 1607, 14393.693 64bit

Note: My dll calls OutputDebugString before it starts hooking functions (xxxx.exe injected). In DbgView I can see messages from injected processes except MicrosoftEdgeCP.exe and MicrosoftEdge.exe
ExPx
 
Posts: 13
Joined: Fri Oct 21, 2016 3:20 pm

Re: Edge Code Injection

Postby madshi » Sat Mar 04, 2017 7:35 am

Neither your driver nor your hook dll have to be in system32. I'd recommend to keep both in your installation directory, to keep things cleaner. But that's got nothing to do with the problem.

Can you please double check if the same problem also occurs with these two demo projects?

http://madshi.net/PrintMonitor.zip
http://madshi.net/PrintMonitor40.zip
madshi
Site Admin
 
Posts: 9265
Joined: Sun Mar 21, 2004 5:25 pm

Re: Edge Code Injection

Postby ExPx » Sun Mar 05, 2017 6:45 pm

Hi mad.
I tried both demos on my home computer (win10 home). 2 MicrosoftEdgeCP.exe and one MicrosoftEdge.exe process were successfully injected. While testing print preview with Chrome I can get log messages on print monitor. But no log messages for MS Edge preview screen. I will test it with a printer tomorrow.
ExPx
 
Posts: 13
Joined: Fri Oct 21, 2016 3:20 pm

Re: Edge Code Injection

Postby madshi » Mon Mar 06, 2017 8:31 am

So injection completely succeeds with both demos? In that case the big question is why it succeeds with the demos, but not with your real project. Maybe you can compare the source code to try to find out?
madshi
Site Admin
 
Posts: 9265
Joined: Sun Mar 21, 2004 5:25 pm
