Page 2 of 3

Re: Edge Code Injection

Posted: Tue Nov 24, 2015 8:37 pm
by Absolute_Zero
Gah, I didn't properly think through the implications of enabling the api hooks with the shared memory pointer at null. Rats. Shift + restart click at the logon screen isn't booting me into safe mode and neither does F8 at boot with UEFI bios and a boot SSD.

I may be gone for a while :(

Re: Edge Code Injection

Posted: Tue Nov 24, 2015 8:50 pm
by madshi
Oh, sorry to hear that.

Re: Edge Code Injection

Posted: Tue Nov 24, 2015 10:12 pm
by Absolute_Zero
If all else fails, brute force and ignorance...

I pulled the power early in the boot sequence. After the third try it went into diagnostic mode at boot.

Nerves shredded, I will return to this (chastened) tomorrow.

Re: Edge Code Injection

Posted: Tue Nov 24, 2015 10:51 pm
by madshi
Haha! Maybe this would be a good time to suggest (once more) to try the PrintMonitor demo. 10 seconds download. No installation necessary. 30 seconds testing. Done.

Re: Edge Code Injection

Posted: Wed Nov 25, 2015 4:08 pm
by Absolute_Zero
PrintMonitor works fine. I would've been surprised if it didn't... it's only Edge that has given me difficulties. Firefox, Chrome, a plethora of windows apps, explorer etc, all okay.

I tested my injection dll's again with api hooks active, this time calling the original functions immediately and then returning. No problem with Edge.

As it stands, my issue with Edge *seems* to solely relate to CreateGlobalFileMapping.

Re: Edge Code Injection

Posted: Wed Nov 25, 2015 4:27 pm
by madshi
I didn't mean you to run PrintMonitor and then stop it again. The purpose of the test was to run PrintMonitor, and *while it runs* start Edge, to see if the PrintMonitor hook dlls stop Edge from working or not... :wink:

Re: Edge Code Injection

Posted: Wed Nov 25, 2015 4:44 pm
by Absolute_Zero
Sorry I wasn't sufficiently explicit. I did try that... PrintMonitor doesn't interfere with Edge.

Re: Edge Code Injection

Posted: Wed Nov 25, 2015 4:58 pm
by madshi
But PrintMonitor uses IPC, too! It does not use CreateGlobalFileMapping, though. CreateGlobalFileMapping internally enables a lot of privileges, because some of them are needed to be able to create global resources. Do you absolutely *have* to do that? None of my demos tries to *create* a global object. Maybe you can create the file mapping in your EXE and just open it in your hook dll?

Re: Edge Code Injection

Posted: Wed Nov 25, 2015 5:49 pm
by Absolute_Zero
It won't actually get created as such in Edge. Other processes ( e.g. explorer.exe) will have created the shared memory before Edge is launched. i.e. in Edge GetLastError will return ERROR_ALREADY_EXISTS. If that makes any difference.

Re: Edge Code Injection

Posted: Wed Nov 25, 2015 10:01 pm
by madshi
No, it doesn't. CreateGlobalFileMapping internally *ALWAYS* enables those privileges first, before trying to create the file mapping. So it doesn't matter if the file mapping already existed or not.

Can't you pre-create the file mapping in your EXE, and then just use OpenGlobalFileMapping in your hook dll? That should fully solve the problem.

P.S: Or alternatively check "If GetModuleFileName(0) = Edge then OpenGlobalFileMapping else CreateGlobalFileMapping". But it would be better to avoid calling *Create*GlobalFileMapping in the hook dll altogether.

Re: Edge Code Injection

Posted: Thu Nov 26, 2015 3:48 pm
by Absolute_Zero
I've rewritten my code to to ensure that OpenGlobalFileMapping is used when injected in Edge... and all is well. Thanks for the assistance!

In my use case, Edge will never be the first injected application, so the following *should* work reliably...

Code: Select all

	g_hMapFile = OpenGlobalFileMapping(g_szIpcName, TRUE);

	if (g_hMapFile == NULL)
	{
		if (GetLastError() == ERROR_FILE_NOT_FOUND)
		{
			g_hMapFile = CreateGlobalFileMapping(g_szIpcName, sizeof(MY_DAT));

			if (g_hMapFile == NULL)
				return FALSE;

			if (GetLastError() != ERROR_ALREADY_EXISTS)
			{
				PSECURITY_DESCRIPTOR pSD = NULL;

				// make memory low integrity
				if (ConvertStringSecurityDescriptorToSecurityDescriptor(L"S:(ML;;NW;;;LW)", SDDL_REVISION_1, &pSD, NULL))
				{
					PACL pSacl = NULL;
					BOOL fSaclPresent = FALSE;
					BOOL fSaclDefaulted = FALSE;

					if (GetSecurityDescriptorSacl(pSD, &fSaclPresent, &pSacl, &fSaclDefaulted))
						SetNamedSecurityInfoA(g_szIpcName, SE_KERNEL_OBJECT, LABEL_SECURITY_INFORMATION, NULL, NULL, NULL, pSacl);

					LocalFree(pSD);
				}

				dbg("%s created", g_szIpcName);
			}
		} else
			return FALSE;
	}

Re: Edge Code Injection

Posted: Thu Nov 26, 2015 3:52 pm
by madshi
Glad to hear that. So it appears Edge injection is still working well with madCodeHook (provided DLL injection is started before Edge), and I don't need to change anything, is that correct?

Re: Edge Code Injection

Posted: Thu Nov 26, 2015 4:04 pm
by Absolute_Zero
Yeah, I think so... and I use a fairly broad range of your tech. HookApi, SendIpcMessage etc.

Re: Edge Code Injection

Posted: Thu Nov 26, 2015 4:05 pm
by madshi
Cool, thanks.

Re: Edge Code Injection

Posted: Mon Nov 30, 2015 9:28 am
by DSp_nrg
Hi,

sorry for my late response to this topic. I took some time to test the PrintMonitor Demo on my Win10 (32bit) VM.

Even if I start PrintMonitor before starting Edge the HookPrintAPI DLLs don't get injected. When starting EdgeCP process from debugger I see the same exception as in my first post.
It seems to be the same problem for my code and PrintMonitor code.

Update:
I just cross checked the issue on multiple VMs. It seems like an issue on that specific VM, I don't know why, but on other VMs (32 & 64bit) it works just fine.
I'm not sure if only that specific VM got an CodeIntegrity patch which was withdrawn afterwards, or if something is broken on the VM. I can't figure differences from version numbers or release notes.