MCH 4 Chrome & Follow_jmp

Posted: Wed Mar 01, 2017 5:00 pm
by Nash70
Hi everyone,

MCH4 on Windows 10 (Anniversary Update, with Secure Boot disabled) has the same behavior described in the thread viewtopic.php?f=7&t=28319:
if the antivirus (Symantec Endpoint Protection 12.1.16) and Chrome (56.0.2924.87 (Official Build) (64-bit)) are present, the FOLLOW_JMP flag resolves the issue of black tabs. The problem is with the uninject method. It leaves some threads injected. I have tried the uninject callback with the same results. With WinDbg I can see that DLL_PROCESS_DETACH is not called in these threads...

Could it be the limit of 10 jumps in FOLLOW_JMP?

Re: MCH 4 Chrome & Follow_jmp

Posted: Wed Mar 01, 2017 5:06 pm
by madshi
What do you mean by "leaves some threads injected"? Does your hook DLL create its own threads? It's not supposed to, see hooking rule 9:

http://help.madshi.net/HookingRules.htm

Re: MCH 4 Chrome & Follow_jmp

Posted: Wed Mar 01, 2017 5:36 pm
by Nash70
As usual, fast as lightning, madshi :wink:

They are from Chrome, not mine.
If the AV is not running, or I inject without FOLLOW_JMP, the uninjection is done correctly.

Re: MCH 4 Chrome & Follow_jmp

Posted: Wed Mar 01, 2017 5:49 pm
by madshi
I can be fast, and I can be slow, as some of my customers will tell you... :shock:

This sounds really complicated. I'm not sure why there's a problem. My best guess right now would be that madCodeHook doesn't manage to get the access rights to uninstall the API hooks when uninjecting the hook dll. That's really bad, though.

Is there any chance you could provide a small(ish) VM for me to download with which I could reproduce the issue?

Re: MCH 4 Chrome & Follow_jmp

Posted: Wed Mar 01, 2017 11:28 pm
by Nash70
I will try to generate one, but it could be difficult because it is the environment of a customer. I will send you a PM.

Re: MCH 4 Chrome & Follow_jmp

Posted: Thu Mar 02, 2017 7:53 am
by madshi
I think I've disabled PM, but you can email me, of course.