madshi.net

[madshi]

iconic kindly linked to this in another thread:

https://theryuu.github.io/ifeo-mitigationoptions.txt

It seems to allow turning the "dynamic code" and "signature" policies on or off for specific exe files via registry. Supposedly this should also affect Edge, but I haven't tested it yet myself.

[mediant]

I think I tried both Image Execution Options and Group Policy (which can be extended to 64-bit to include ACG and such) in the past, but to no avail - Edge is created by COM+, and its mitigation settings are provided with process creation parameters. It looks like Image Execution Options and GP can only turn these settings ON.

On RS3 ACG is turned on by default for some processes beyond Edge, e.g. DllHost and some SvcHost instances. So one rather annoying issue we encountered with madCodeHook driver injection is that the driver hooks NtTestAlert, but the injected code is unable to remove that hook due to ACG, resulting in an endless initialization loop.

Any thoughts on how to "mitigate" this, so to say? Except for not using InjectLibraryOld32, obviously...

[madshi]

The NtTestAlert endless initialization loop problem should be fixed in the current official version (both v3 and v4). Probably you're still using an older version?

[mediant]

Most likely, will check. Thanks for prompt response!