Re: MCH3: W10 Insider DllHost injecting crash
Posted: Fri Apr 07, 2017 8:47 am
Ok, I'll work on a fix, already have something in mind.
high quality low level programming
http://forum.madshi.net/
/*
 * Local copy of the policy selector passed as the first argument to
 * SetProcessMitigationPolicy(). The numeric values are fixed by the Windows
 * ABI and must not be renumbered.
 * NOTE(review): presumably declared here because the SDK used for the build
 * lacks these definitions; with an SDK that already provides them this
 * typedef would be a redefinition - confirm before reuse.
 */
typedef enum _PROCESS_MITIGATION_POLICY {
    ProcessDEPPolicy                   = 0,
    ProcessASLRPolicy                  = 1,
    ProcessDynamicCodePolicy           = 2,   /* the only selector TestDynCodeModify() passes */
    ProcessStrictHandleCheckPolicy     = 3,
    ProcessSystemCallDisablePolicy     = 4,
    ProcessMitigationOptionsMask       = 5,
    ProcessExtensionPointDisablePolicy = 6,
    ProcessControlFlowGuardPolicy      = 7,
    ProcessSignaturePolicy             = 8,
    ProcessFontDisablePolicy           = 9,
    ProcessImageLoadPolicy             = 10,
    MaxProcessMitigationPolicy         = 11   /* one past the last selector listed here */
} PROCESS_MITIGATION_POLICY, *PPROCESS_MITIGATION_POLICY;
/*
 * Argument buffer for SetProcessMitigationPolicy(ProcessDynamicCodePolicy, ...).
 * Flags aliases the three bit-fields through the anonymous union, so the
 * whole policy can be read or cleared as a single DWORD.
 *
 * ProhibitDynamicCode - set by TestDynCodeModify() to prohibit dynamic code
 *                       modifications for the process.
 * AllowThreadOptOut   - lets an individual thread lift that restriction for
 *                       itself through SetThreadInformation() with
 *                       ThreadDynamicCodePolicy. Any code already running in
 *                       the process can make that call, so this bit weakens
 *                       the mitigation; treat it as a migration aid rather
 *                       than a hardened configuration.
 * ReservedFlags       - remaining 30 bits; TestDynCodeModify() leaves them
 *                       zero by initialising the struct with {0}.
 */
typedef struct _PROCESS_MITIGATION_DYNAMIC_CODE_POLICY {
    union {
        DWORD Flags;
        struct {
            DWORD ProhibitDynamicCode :1;
            DWORD AllowThreadOptOut :1;
            DWORD ReservedFlags :30;
        };
    };
} PROCESS_MITIGATION_DYNAMIC_CODE_POLICY, *PPROCESS_MITIGATION_DYNAMIC_CODE_POLICY;
/*
 * Pointer type for kernel32!SetProcessMitigationPolicy, resolved at run time
 * with GetProcAddress() so the program still starts on systems where the
 * export is missing.
 *   MitigationPolicy - which policy lpBuffer describes.
 *   lpBuffer         - policy structure matching MitigationPolicy.
 *   dwLength         - size of that structure in bytes.
 * Returns nonzero on success; on failure the caller reads GetLastError().
 */
typedef BOOL (WINAPI *PSetProcessMitigationPolicy)(PROCESS_MITIGATION_POLICY MitigationPolicy,
                                                   PVOID lpBuffer,
                                                   SIZE_T dwLength);
/*
 * GetThreadInformation() and SetThreadInformation() share the same prototype,
 * so one pointer type serves both.
 *   hThread                - thread to query or change.
 *   ThreadInformationClass - which setting is addressed (ThreadDynamicCodePolicy here).
 *   ThreadInformation      - value read (Set) or buffer written (Get).
 *   ThreadInformationSize  - size of that value in bytes.
 * NOTE(review): the documented parameter type is LPVOID; PULONG is enough for
 * this sample because the only class it uses carries a single DWORD.
 */
typedef BOOL (WINAPI *PGetSetThreadInformation)(HANDLE hThread,
                                                ULONG ThreadInformationClass,
                                                PULONG ThreadInformation,
                                                ULONG ThreadInformationSize);
/* Values written through SetThreadInformation(ThreadDynamicCodePolicy):
   0 puts the thread back under the process-wide restriction, 1 opts it out. */
#define THREAD_DYNAMIC_CODE_DISALLOW 0
#define THREAD_DYNAMIC_CODE_ALLOW 1
/* ThreadInformationClass value passed to Get/SetThreadInformation(). */
#define ThreadDynamicCodePolicy 2
/* Last-error value TestDynCodeModify() compares against when VirtualProtect()
   is refused after the thread has been set back to DISALLOW. */
#define ERROR_DYNAMIC_CODE_BLOCKED 0x677
/* Export names for GetProcAddress(); TestDynCodeModify() as posted passes the
   same names as string literals instead of using these macros. */
#define gpa_SpmP "SetProcessMitigationPolicy"
#define gpa_Sti "SetThreadInformation"
#define gpa_Gti "GetThreadInformation"
/* Module that exports the three functions above. */
#define KRNL32 L"kernel32.dll"
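/* Print "<apiName> Failed - 0x<code>" and wait for a key press so the console
   output stays visible. */
static void ReportApiFailure(const char *apiName, DWORD lastError)
{
    /* DWORD is unsigned long on Windows; the cast makes the argument match %x. */
    printf("%s Failed - 0x%08x\n", apiName, (unsigned int)lastError);
    getchar();
}

/*
 * Console self-test for the dynamic-code mitigation with per-thread opt-out.
 *
 * Steps:
 *   1. Resolve SetProcessMitigationPolicy, SetThreadInformation and
 *      GetThreadInformation from kernel32.dll at run time.
 *   2. Enable ProhibitDynamicCode together with AllowThreadOptOut.
 *   3. Opt the current thread out, read the setting back, and check that
 *      VirtualProtect(PAGE_EXECUTE_READWRITE) on the first two bytes of the
 *      main module succeeds.
 *   4. Put the thread back under the restriction, read the setting back, and
 *      check that the same VirtualProtect() call now fails with
 *      ERROR_DYNAMIC_CODE_BLOCKED.
 *
 * Every failure path prints the last-error code, waits for a key and returns.
 *
 * NOTE(review): process mitigation policies are documented as one-way, so the
 * calling process presumably stays under ProhibitDynamicCode after this test
 * returns - run it in a throw-away process. AllowThreadOptOut means any code
 * in the process can lift the restriction for its own thread, so a passing
 * run shows the opt-out mechanism works, not that the process is hardened.
 */
void TestDynCodeModify()
{
    HMODULE hKrnl32 = GetModuleHandleW(KRNL32);
    PSetProcessMitigationPolicy Spmp = NULL;
    PGetSetThreadInformation Sti = NULL;
    PGetSetThreadInformation Gti = NULL;

    /* Only resolve exports when the module handle is valid; otherwise the
       pointers stay NULL and the check below aborts. */
    if (hKrnl32 != NULL)
    {
        Spmp = (PSetProcessMitigationPolicy)GetProcAddress(hKrnl32,
                                                           "SetProcessMitigationPolicy");
        Sti = (PGetSetThreadInformation)GetProcAddress(hKrnl32,
                                                       "SetThreadInformation");
        Gti = (PGetSetThreadInformation)GetProcAddress(hKrnl32,
                                                       "GetThreadInformation");
    }

    if (Spmp == NULL || Sti == NULL || Gti == NULL)
    {
        printf("A function pointer is NULL... Aborting\n");
        getchar();
        return;
    }

    PROCESS_MITIGATION_DYNAMIC_CODE_POLICY Pmdcp = {0};

    /*
      prohibit dynamic code modifications but allow threads to opt out individually
    */
    Pmdcp.ProhibitDynamicCode = 1;

    /*
      has to be set in first call to SetProcessMitigationPolicy() otherwise it is ignored
    */
    Pmdcp.AllowThreadOptOut = 1;

    if (Spmp(ProcessDynamicCodePolicy, &Pmdcp, sizeof(PROCESS_MITIGATION_DYNAMIC_CODE_POLICY)))
    {
        printf("SetProcessMitigationPolicy(DYNAMIC_CODE_POLICY) Success!!!\n\n");
    }
    else
    {
        ReportApiFailure("SetProcessMitigationPolicy()", GetLastError());
        return;
    }

    /* ---- Phase 1: thread opted out, RWX change is expected to succeed ---- */
    DWORD dwThreadPolicy = THREAD_DYNAMIC_CODE_ALLOW;

    if (Sti(GetCurrentThread(), ThreadDynamicCodePolicy, &dwThreadPolicy, sizeof(DWORD)))
    {
        printf("Allowing Current Thread to Make PAGE_EXECUTE_XxX Modifications\n");
    }
    else
    {
        ReportApiFailure("SetThreadInformation()", GetLastError());
        return;
    }

    printf("Checking Current Thread Policy for Dynamic Code Modifications...\n");

    if (Gti(GetCurrentThread(), ThreadDynamicCodePolicy, &dwThreadPolicy, sizeof(DWORD)))
    {
        printf("Current Thread Policy Allows for Dynamic Code Modifications: %s\n", ((dwThreadPolicy != 0) ? "YES" : "NO"));
    }
    else
    {
        ReportApiFailure("GetThreadInformation()", GetLastError());
        return;
    }

    /* The probe target is the start of the main module image; look it up once. */
    void *imageBase = (void*)GetModuleHandle(NULL);
    ULONG oldProtect = 0;

    if (VirtualProtect(imageBase, 2, PAGE_EXECUTE_READWRITE, &oldProtect))
    {
        printf("VirtualProtect() Succeeded!\n");
        /* Undo the probe; a failed restore would leave the page writable and
           executable, so report it instead of ignoring the result. */
        if (!VirtualProtect(imageBase, 2, oldProtect, &oldProtect))
        {
            printf("VirtualProtect() restore Failed - 0x%08x\n", (unsigned int)GetLastError());
        }
    }
    else
    {
        ReportApiFailure("VirtualProtect()", GetLastError());
        return;
    }

    printf("\n");

    /* ---- Phase 2: thread back under the policy, RWX change is expected to fail ---- */
    dwThreadPolicy = THREAD_DYNAMIC_CODE_DISALLOW;

    if (Sti(GetCurrentThread(), ThreadDynamicCodePolicy, &dwThreadPolicy, sizeof(DWORD)))
    {
        printf("DisAllowing Current Thread to Make PAGE_EXECUTE_XxX Modifications\n");
    }
    else
    {
        ReportApiFailure("SetThreadInformation()", GetLastError());
        return;
    }

    printf("Checking Current Thread Policy for Dynamic Code Modifications...\n");

    if (Gti(GetCurrentThread(), ThreadDynamicCodePolicy, &dwThreadPolicy, sizeof(DWORD)))
    {
        printf("Current Thread Policy Allows for Dynamic Code Modifications: %s\n", ((dwThreadPolicy != 0) ? "YES" : "NO"));
    }
    else
    {
        ReportApiFailure("GetThreadInformation()", GetLastError());
        return;
    }

    if (VirtualProtect(imageBase, 2, PAGE_EXECUTE_READWRITE, &oldProtect))
    {
        /* NOTE(review): reaching this branch means the page became RWX although
           the thread was set back to DISALLOW, i.e. the restriction was not
           applied to this call. The message text is kept as posted. */
        printf("Success! VirtualProtect() Succeeded!\n");
        if (!VirtualProtect(imageBase, 2, oldProtect, &oldProtect))
        {
            printf("VirtualProtect() restore Failed - 0x%08x\n", (unsigned int)GetLastError());
        }
        getchar();
    }
    else
    {
        /* Capture the code before printf(): CRT output may overwrite the
           thread's last-error value and make the comparison below unreliable. */
        DWORD lastError = GetLastError();

        printf("VirtualProtect() Failed - 0x%08x\n", (unsigned int)lastError);
        printf("Expected Error on Failure (ERROR_DYNAMIC_CODE_BLOCKED) Returned: %s\n", (lastError == ERROR_DYNAMIC_CODE_BLOCKED) ? "YES" : "NO");
        getchar();
        return;
    }
}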
Have you had a chance to test my fixed beta build yet? Thanks...
EaSy wrote: Sorry, but I must ask you: will you be able to fix this, or at least work around it, before the Creators Update goes live (in 4 days)? Thx.
We would love to have at least 1 day to prepare updates, because it also affects all versions of MCH previously released.