Re: Edge Code Injection

Posted: Mon Nov 30, 2015 10:56 am
by madshi
Oh well. Could it be that some debugging stuff (e.g. Application Verifier) or some extra aggressive security software (e.g. Microsoft's EMET) is active on that VM? Or maybe there's another hooking library active which collides with madCodeHook in some way?

Re: Edge Code Injection

Posted: Fri Mar 03, 2017 12:14 pm
by ExPx
I think this issue is not closed. On a Win10 64-bit computer, my system-wide hook DLL was successfully injected into all processes except microsoftedgecp.exe. When I start Microsoft Edge, Process Explorer shows me one MicrosoftEdge.exe and two MicrosoftEdgeCP.exe processes. MicrosoftEdge.exe and the first MicrosoftEdgeCP.exe loaded my injection DLL. But the second MicrosoftEdgeCP.exe can't load it. I really want to know whether hooking (socket APIs) is still available in the MS Edge browser?

Re: Edge Code Injection

Posted: Fri Mar 03, 2017 12:38 pm
by madshi
It might have been better to start a new thread instead of reviving a 2 year old thread which may or may not be related.

Anyway.

1) Do you start injection first, and Edge afterwards? Or the other way round?
2) Does your hook dll have NTFS read/execute rights for "ALL APPLICATION PACKAGES"?
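
The NTFS permission asked about in question 2 can be checked from PowerShell. This is an added example, not part of the original posts and not madCodeHook code; the function name `Test-AppPackagesAccess` is hypothetical, and kernel32.dll is used only as a sample file that exists on every Windows installation.

```powershell
# Added example. Test-AppPackagesAccess is a hypothetical helper name.
# Reports whether a file's DACL grants read/execute to the well-known SID
# S-1-15-2-1 ("ALL APPLICATION PACKAGES").
function Test-AppPackagesAccess {
    param([Parameter(Mandatory)][string]$Path)

    $fsr      = [System.Security.AccessControl.FileSystemRights]
    $need     = [int]$fsr::ReadAndExecute
    $readBits = [int]$fsr::Read
    $execBits = [int]$fsr::ExecuteFile -bor [int]$fsr::ReadAttributes -bor [int]$fsr::ReadPermissions
    $fullBits = [int]$fsr::FullControl

    # Ask for SIDs instead of account names so the check works on any UI language.
    $acl   = Get-Acl -LiteralPath $Path
    $rules = $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier]) |
             Where-Object { $_.IdentityReference.Value -eq 'S-1-15-2-1' }

    $allowed = 0
    $denied  = 0
    foreach ($r in $rules) {
        $mask = [int]$r.FileSystemRights
        # Some ACEs store generic rights instead of file-specific bits; map them.
        if ($mask -band 0x10000000) { $mask = $mask -bor $fullBits }   # GENERIC_ALL
        if ($mask -band 0x80000000) { $mask = $mask -bor $readBits }   # GENERIC_READ
        if ($mask -band 0x20000000) { $mask = $mask -bor $execBits }   # GENERIC_EXECUTE
        if ($r.AccessControlType -eq 'Allow') { $allowed = $allowed -bor $mask }
        else                                  { $denied  = $denied  -bor $mask }
    }

    # Simplification: any deny ACE for this SID is treated as blocking,
    # regardless of where it sits in the ACE order.
    $effective = $allowed -band (-bnot $denied)

    [pscustomobject]@{
        Path           = $Path
        AceCount       = @($rules).Count
        AllowMask      = '0x{0:X8}' -f $allowed
        DenyMask       = '0x{0:X8}' -f $denied
        HasReadExecute = (($effective -band $need) -eq $need)
    }
}

# Sample call against a system DLL; replace the path with the hook DLL to check.
Test-AppPackagesAccess -Path (Join-Path $env:SystemRoot 'System32\kernel32.dll')
```

`HasReadExecute` being false, or `AceCount` being 0, means the file has no usable entry for that SID.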

Re: Edge Code Injection

Posted: Sat Mar 04, 2017 5:29 am
by ExPx
Hi madshi, here is the summary

* I have a service running (signed with EV cert).
* My hook dll is under System32 (signed with same cert)
* Injection is started on windows boot.
* I start Edge.
* In Process Explorer I can see one MicrosoftEdge.exe process and two MicrosoftEdgeCP.exe processes.
* My dll was successfully injected into MicrosoftEdge.exe and one of the MicrosoftEdgeCP.exe processes. The other MicrosoftEdgeCP.exe was not injected.
* Dll has ALL APPLICATION PACKAGES read and read/execute rights.
* Microsoft Edge 38.14393.0.0
* Microsoft EdgeHTML 14.14393
* Windows 10 Pro 1607, 14393.693 64bit

Note: My dll calls OutputDebugString before it starts hooking functions (xxxx.exe injected). In DbgView I can see messages from injected processes except MicrosoftEdgeCP.exe and MicrosoftEdge.exe

Re: Edge Code Injection

Posted: Sat Mar 04, 2017 7:35 am
by madshi
Neither your driver nor your hook dll have to be in system32. I'd recommend to keep both in your installation directory, to keep things cleaner. But that's got nothing to do with the problem.

Can you please double check if the same problem also occurs with these two demo projects?

http://madshi.net/PrintMonitor.zip
http://madshi.net/PrintMonitor40.zip

Re: Edge Code Injection

Posted: Sun Mar 05, 2017 6:45 pm
by ExPx
Hi mad.
I tried both demos on my home computer (Win10 Home). 2 MicrosoftEdgeCP.exe and one MicrosoftEdge.exe process were successfully injected. While testing print preview with Chrome I can get log messages on the print monitor. But no log messages for the MS Edge preview screen. I will test it with a printer tomorrow.

Re: Edge Code Injection

Posted: Mon Mar 06, 2017 8:31 am
by madshi
So injection completely succeeds with both demos? In that case the big question is why it succeeds with the demos, but not with your real project. Maybe you can compare the source code to try to find out?