MCH 4 Chrome & Follow_jmp

c++ / delphi package - dll injection and api hooking

MCH 4 Chrome & Follow_jmp

Postby Nash70 » Wed Mar 01, 2017 5:00 pm

Hi everyone,

MCH4 on Windows 10 (Anniversary, with Secure Boot disabled) has the same behavior described in the thread http://forum.madshi.net/viewtopic.php?f=7&t=28319
If the antivirus (Symantec Endpoint Protection 12.1.16) and Chrome (56.0.2924.87 (Official build) (64 bits)) are present, the FOLLOW_JMP flag resolves the issue of black tabs. The problem is with the uninject method: it leaves some threads injected. I have tried the uninject callback with the same results. With WinDbg I can see that DLL_PROCESS_DETACH is not called in these threads...

Could it be the limit of 10 jumps in FOLLOW_JMP?
Nash70
 
Posts: 14
Joined: Mon Jun 02, 2014 6:50 pm

Re: MCH 4 Chrome & Follow_jmp

Postby madshi » Wed Mar 01, 2017 5:06 pm

What do you mean with "leaves some threads injected"? Does your hook dll create its own threads? It's not supposed to, see hooking rule 9:

http://help.madshi.net/HookingRules.htm
madshi
Site Admin
 
Posts: 9265
Joined: Sun Mar 21, 2004 5:25 pm

Re: MCH 4 Chrome & Follow_jmp

Postby Nash70 » Wed Mar 01, 2017 5:36 pm

As usual, fast as lightning, madshi :wink:

They are from Chrome, not mine.
If the AV is not running, or I inject without FOLLOW_JMP, the uninjection is done correctly.
Nash70
 
Posts: 14
Joined: Mon Jun 02, 2014 6:50 pm

Re: MCH 4 Chrome & Follow_jmp

Postby madshi » Wed Mar 01, 2017 5:49 pm

I can be fast, and I can be slow, as some of my customers will tell you... :shock:

This sounds really complicated. I'm not sure why there's a problem. My best guess right now would be that madCodeHook doesn't manage to get the access rights to uninstall the API hooks when uninjecting the hook dll. That's really bad, though.

Is there any chance you could provide a small(ish) VM for me to download with which I could reproduce the issue?
madshi
Site Admin
 
Posts: 9265
Joined: Sun Mar 21, 2004 5:25 pm

Re: MCH 4 Chrome & Follow_jmp

Postby Nash70 » Wed Mar 01, 2017 11:28 pm

I will try to generate one, but it may be difficult because it is a customer's environment. I will send you a PM.
Nash70
 
Posts: 14
Joined: Mon Jun 02, 2014 6:50 pm

Re: MCH 4 Chrome & Follow_jmp

Postby madshi » Thu Mar 02, 2017 7:53 am

I think I've disabled PM, but you can email me, of course.
madshi
Site Admin
 
Posts: 9265
Joined: Sun Mar 21, 2004 5:25 pm