by mediant » Sun Oct 01, 2017 12:23 pm
I think I tried both Image Execution Options and Group Policy (which can be extended to 64-bit to include ACG and such) in the past, but to no avail - Edge is created by COM+, and its mitigation settings are provided with process creation parameters. It looks like Image Execution Options and GP can only turn these settings ON.
On RS3 ACG is turned on by default for some processes beyond Edge, e.g. DllHost and some SvcHost instances. So one rather annoying issue we encountered with madCodeHook driver injection is that the driver hooks NtTestAlert, but the injected code is unable to remove that hook due to ACG, resulting in an endless initialization loop.
Any thoughts on how to "mitigate" this, so to say? Except for not using InjectLibraryOld32, obviously...
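As an added example (not part of the post or of madCodeHook), the following PowerShell audits which running instances of the processes named above actually have ACG enforced, so a tool that patches code in-process can be tested against the right targets before it is deployed. It assumes Windows 10 RS3 or later (where Get-ProcessMitigation ships), an elevated shell so system processes can be queried, and that the returned object exposes the ACG state under DynamicCode.BlockDynamicCode as the cmdlet's console output suggests.

```powershell
# Added example: list running processes with Arbitrary Code Guard (ACG) state.
# Assumptions: Windows 10 RS3+, elevated shell, Get-ProcessMitigation output layout
# with a nested DynamicCode.BlockDynamicCode property (ON / OFF / NOTSET).
param(
    # Process names from the post: Edge, DllHost and svchost instances.
    [string[]]$Names = @('MicrosoftEdge', 'MicrosoftEdgeCP', 'dllhost', 'svchost')
)

$results = foreach ($p in Get-Process -Name $Names -ErrorAction SilentlyContinue) {
    try {
        # -Id queries the live process; -Name would only show the IFEO/GP policy for an image.
        $m = Get-ProcessMitigation -Id $p.Id -ErrorAction Stop
        [pscustomobject]@{
            Name   = $p.ProcessName
            Id     = $p.Id
            ACG    = $m.DynamicCode.BlockDynamicCode      # ON means code pages cannot be made writable
            OptOut = $m.DynamicCode.AllowThreadsToOptOut  # ON means threads may opt out of ACG
        }
    } catch {
        # Protected or already-exited processes cannot be queried; record the failure instead of aborting.
        [pscustomobject]@{
            Name   = $p.ProcessName
            Id     = $p.Id
            ACG    = "query failed: $($_.Exception.Message)"
            OptOut = $null
        }
    }
}

$results | Sort-Object Name, Id | Format-Table -AutoSize
```

Processes reported with ACG ON are the ones where an in-process hook cannot be patched out afterwards, which is the situation the endless NtTestAlert initialization loop above describes.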