Edge Code Injection

Posted: Thu Nov 19, 2015 10:23 am
by DSp_nrg
Hi all,

I've built a software which hooks WinInet in Microsoft Edge using madCodeHook. This worked fine until the new Windows 10 update, where it seems like Edge won't accept any third party DLLs anymore. I've found this Blogpost regarding the issue:
http://blogs.windows.com/msedgedev/2015 ... integrity/

They describe that:
Starting with EdgeHTML 13, Microsoft Edge defends the user’s browsing experience by blocking injection of DLLs into the browser unless they are Windows components or signed device drivers. DLLs that are either Microsoft-signed, or WHQL-signed, will be allowed to load, and all others will be blocked. “Microsoft-signed” allows for Edge components, Windows components, and other Microsoft-supplied features to be loaded. WHQL (Windows Hardware Quality Lab) signed DLLs are device drivers for things like the webcam, some of which need to run in-process in Edge to work.
I've had a deeper look at what's happening. I noticed that my DLL stays loaded in the main process MicrosoftEdge.exe but not in the renderer processes MicrosoftEdgeCP.exe.
When loading the module in the renderer process I notice this:

ModLoad: 754f0000 7551f000   C:\WINDOWS\system32\IMM32.DLL
inetcore\lib\codeintegrity\edgecipolicy.cxx(363)\MicrosoftEdgeCP.exe!00C44766: (caller: 00C43DD1) FailFast(1) tid(1078) 8000FFFF Schwerwiegender Fehler
(7e8.1078): Security check failure or stack buffer overrun - code c0000409 (!!! second chance !!!)
*** ERROR: Module load completed but symbols could not be loaded for MicrosoftEdgeCP.exe
eax=00000001 ebx=00c44700 ecx=00000007 edx=00000000 esi=00000004 edi=00000000
eip=00c45977 esp=0014e680 ebp=0014fb50 iopl=0         nv up ei pl zr na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000246
MicrosoftEdgeCP+0x5977:
00c45977 cd29            int     29h
0:000> g
WARNING: Continuing a non-continuable exception
>>>>>>> ModLoad: 64950000 649b7000  C:\Program Files\MyPath\MyDLL.dll <<<<<<<<<<<<
ModLoad: 753e0000 75472000   C:\WINDOWS\system32\OLEAUT32.dll
ModLoad: 73dd0000 73df8000   C:\WINDOWS\SYSTEM32\ntmarta.dll
(7e8.1078): Security check failure or stack buffer overrun - code c0000409 (!!! second chance !!!)
eax=00000001 ebx=00c44700 ecx=00000007 edx=00000000 esi=00000004 edi=00000000
eip=00c45977 esp=0014e680 ebp=0014fb50 iopl=0         nv up ei pl zr na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000246
MicrosoftEdgeCP+0x5977:
00c45977 cd29            int     29h
(I've marked my DLL with >>>> <<<<< )

It seems like the code integrity check refuses MyDLL.
  • Do you see any possibility to get a DLL injected with the new changes in Edge?
  • Do you have any idea what I could try to get it injected?
  • Would it be an option to get the DLL WHQL signed? They mention that WHQL signed binaries will still be accepted, but I have no experience with WHQL.

Re: Edge Code Injection

Posted: Thu Nov 19, 2015 11:24 am
by madshi
Does injection even fail if you start injection first, before starting Edge? Usually this way around it works. But I suppose it's possible that they now block that, too.

Trying to use WHQL signing might be a workaround, but I'm not sure if you can do that for a hook dll. It might only be allowed for real hardware driver dlls. But I've zero knowledge about WHQL, so I can't say for sure.

One more option would be to not "officially" inject the dll, but to manually map it into the process by replicating all the things that a DLL load would do, without using the OS dll loader routines. That sounds very fishy, though, so I'm not sure if that's a good idea.

Re: Edge Code Injection

Posted: Sun Nov 22, 2015 5:30 pm
by Absolute_Zero
Using MCH driver injection, Edge *seems* to start okay... however no page is displayed and after ~20 seconds it terminates.

Using CreateProcessEx from user-land, Edge never appears.

Re: Edge Code Injection

Posted: Mon Nov 23, 2015 8:36 am
by DSp_nrg
The injection is started on system start. I'm already using the driver injection and as mentioned before it worked fine until the new patch was released (Build 10547).

@madshi:
* I also think that WHQL won't sign the injected DLL. I just hoped someone already tried it.
* I think a manual implementation of the injection would be overkill. Also I think I'm missing the experience on that level for a stable implementation.

Re: Edge Code Injection

Posted: Mon Nov 23, 2015 11:07 am
by Absolute_Zero
I tried with a do-nothing dll injected by the MCH driver, just InitializeMadCHook, return TRUE on DLL_PROCESS_ATTACH.

According to Proc Explorer, the injection dll is loaded okay... and Edge is functional. So I'm thinking something else/additional is going on with the latest Edge.

Re: Edge Code Injection

Posted: Mon Nov 23, 2015 11:14 am
by DSp_nrg
Hey Absolute_Zero,

could you please add more information about your test system (Windows 10 build number, Edge version and architecture of your system)? Then I'm able to verify on my side whether different behaviors are possible.

Re: Edge Code Injection

Posted: Mon Nov 23, 2015 2:41 pm
by Absolute_Zero
Windows 10 Pro - 64-bit
ver 10.0.10586

Microsoft Edge 25.10586.0.0
Microsoft EdgeHTML 13.10586

I sign my injection dll's using the same cert as the driver... that *might* be a factor.

N.B. if you want to try that, don't forget to sign the injection dll's *before* using madconfigdrv to prep the driver for signing.

Re: Edge Code Injection

Posted: Mon Nov 23, 2015 2:44 pm
by DSp_nrg
Hi,

I'm working with the exact same version numbers, except I'm using the 32-bit version. Maybe this makes a difference; I will validate that and post my results.

I'm also signing the DLLs with the same certificate as the driver, just without a cross-certificate.
Absolute_Zero wrote:don't forget to sign the injection dll's *before* using madconfigdrv to prep the driver for signing.
Already implemented like that.

Re: Edge Code Injection

Posted: Mon Nov 23, 2015 2:49 pm
by Absolute_Zero
Mine are cross-signed IIRC... also folder permission "ALL APPLICATION PACKAGES" is set on the dll's

Re: Edge Code Injection

Posted: Mon Nov 23, 2015 2:54 pm
by DSp_nrg
Will try that. "ALL APPLICATION PACKAGES" is already set.

Re: Edge Code Injection

Posted: Tue Nov 24, 2015 5:31 pm
by madshi
Absolute_Zero wrote:I tried with a do-nothing dll injected by the MCH driver, just InitializeMadCHook, return TRUE on DLL_PROCESS_ATTACH

According to Proc Explorer, the injection dll is loaded okay... and Edge is functional. So I'm thinking something else/additional is going on with the latest Edge.
1) What happens if you link in madCodeHook, but without calling any madCodeHook APIs?
2) What happens if you call InitializeMadCHook() + FinalizeMadCHook(), but make no actual HookAPI() calls?
3) What happens if you try to run the PrintMonitor demo before starting Edge?

http://madshi.net/PrintMonitor.zip

Plan to install Windows 10 on my development PC later this week. For now debugging these kinds of problems is a bit cumbersome (VM and stuff).

Re: Edge Code Injection

Posted: Tue Nov 24, 2015 7:36 pm
by Absolute_Zero
#1 no problems, Edge starts
#2 problem with or without HookAPI

So I started commenting out the code related to DLL_PROCESS_ATTACH... the problem remained until I commented out...

    // Fragment from the poster's DllMain (DLL_PROCESS_ATTACH). MY_DAT is the
    // poster's own IPC structure and g_szIpcName the mapping name; neither is
    // shown in the thread. The original cast the view to LPVDM_DAT, which is
    // assumed to be the same type as MY_DAT.
    #include <windows.h>
    #include <sddl.h>
    #include <aclapi.h>
    #include "madCHook.h"

    static HANDLE  g_hMapFile = NULL;
    static MY_DAT *g_pDat     = NULL;

    static BOOL InitIpcMapping(void)
    {
        // Create the shared mapping, or open it if another process created it first.
        g_hMapFile = CreateGlobalFileMapping(g_szIpcName, sizeof(MY_DAT));
        if (g_hMapFile == NULL)
            return FALSE;

        // Only the first creator labels the object: a Low-integrity mandatory
        // label with No-Write-Up policy, so low-integrity processes can use it.
        if (GetLastError() != ERROR_ALREADY_EXISTS)
        {
            PSECURITY_DESCRIPTOR pSD = NULL;
            PACL pSacl = NULL;
            BOOL fSaclPresent = FALSE, fSaclDefaulted = FALSE;

            if (ConvertStringSecurityDescriptorToSecurityDescriptorW(L"S:(ML;;NW;;;LW)", SDDL_REVISION_1, &pSD, NULL))
            {
                if (GetSecurityDescriptorSacl(pSD, &fSaclPresent, &pSacl, &fSaclDefaulted) && fSaclPresent)
                    SetNamedSecurityInfoA(g_szIpcName, SE_KERNEL_OBJECT, LABEL_SECURITY_INFORMATION, NULL, NULL, NULL, pSacl);

                LocalFree(pSD);
            }
        }

        g_pDat = (MY_DAT*) MapViewOfFile(g_hMapFile, FILE_MAP_ALL_ACCESS, 0, 0, sizeof(MY_DAT));
        if (g_pDat == NULL)
        {
            CloseHandle(g_hMapFile);   // don't leak the mapping handle on failure
            g_hMapFile = NULL;
            return FALSE;
        }
        return TRUE;
    }
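As an added illustration (not code from this thread or from madCodeHook): a small portable C decoder for the mandatory-label SDDL string that the snippet above passes to ConvertStringSecurityDescriptorToSecurityDescriptor, so you can read off which integrity level and policy an IPC object is being labelled with. The level names and S-1-16-* SIDs are the documented well-known mandatory-level values; the parser and its names are my own.

```c
#include <string.h>

/* Decoded SYSTEM_MANDATORY_LABEL ("ML") ACE taken from an SDDL SACL. */
typedef struct {
    int found;                 /* 1 if an ML ACE was present in the S: section */
    const char *level, *sid;   /* level name and its well-known S-1-16-* SID */
    int no_write_up, no_read_up, no_execute_up;  /* NW / NR / NX policy bits */
} LabelInfo;

/* SDDL integrity SID aliases and the well-known mandatory-level SIDs. */
static const struct { const char *alias, *level, *sid; } LEVELS[] = {
    {"LW", "Low", "S-1-16-4096"},   {"ME", "Medium", "S-1-16-8192"},
    {"HI", "High", "S-1-16-12288"}, {"SI", "System", "S-1-16-16384"},
};

/* Walk the SACL ("S:[flags](ace)(ace)...") of an SDDL string and decode the
   first ML ACE. ACE fields: type;flags;rights;object_guid;inherit_guid;sid. */
LabelInfo parse_label_sddl(const char *sddl) {
    LabelInfo info = {0, "None", "", 0, 0, 0};
    const char *p = strstr(sddl, "S:");
    if (p == NULL) return info;
    for (p += 2; *p && *p != '('; p++) {}       /* skip SACL flags such as P/AI/AR */
    while (*p == '(') {
        char ace[64], *field[6] = {0}, *tok, *semi;
        const char *end = strchr(p, ')');
        size_t n, i;
        if (end == NULL) break;
        n = (size_t)(end - p - 1);
        if (n >= sizeof ace) break;             /* malformed or oversized ACE */
        memcpy(ace, p + 1, n);
        ace[n] = '\0';
        for (i = 0, tok = ace; i < 6 && tok != NULL; i++) {   /* split on ';' */
            field[i] = tok;
            semi = strchr(tok, ';');
            if (semi) { *semi = '\0'; tok = semi + 1; } else tok = NULL;
        }
        if (i == 6 && strcmp(field[0], "ML") == 0) {
            info.found = 1;
            info.no_write_up   = strstr(field[2], "NW") != NULL;
            info.no_read_up    = strstr(field[2], "NR") != NULL;
            info.no_execute_up = strstr(field[2], "NX") != NULL;
            info.level = "Unknown"; info.sid = "?";
            for (i = 0; i < 4; i++)
                if (strcmp(field[5], LEVELS[i].alias) == 0) { info.level = LEVELS[i].level; info.sid = LEVELS[i].sid; }
            return info;
        }
        p = end + 1;
    }
    return info;
}
```

The string used in the snippet, "S:(ML;;NW;;;LW)", decodes to a Low-integrity label (S-1-16-4096) with the No-Write-Up policy, i.e. a label that still lets low-integrity processes write to the mapping.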

Re: Edge Code Injection

Posted: Tue Nov 24, 2015 7:43 pm
by madshi
Is that my code or yours? It doesn't look familiar to me, but I'm not sure.

For testing #2, did you use the #1 project files and just added InitializeMadCHook() + FinalizeMadCHook() calls? Or did you take your full DLL project and comment out all the HookAPI() calls?

Re: Edge Code Injection

Posted: Tue Nov 24, 2015 7:58 pm
by Absolute_Zero
My code... I took the full DLL project and commented out all of the HookAPI calls... to no avail, Edge wouldn't start. When I then commented out the CreateGlobalFileMapping [madCHook] and related [MapViewOfFile] calls, Edge started okay.

Re: Edge Code Injection

Posted: Tue Nov 24, 2015 8:06 pm
by madshi
Ok, so what happens if you leave this code commented out but put the HookAPI calls back in? Also it would be interesting to test that PrintMonitor demo I mentioned earlier.