Windows 10 "Redstone3" and injection/hooking

c++ / delphi package - dll injection and api hooking
madshi
Site Admin
Posts: 10338
Joined: Sun Mar 21, 2004 5:25 pm

Re: Windows 10 "Redstone3" and injection/hooking

Post by madshi »

iconic kindly linked to this in another thread:

https://theryuu.github.io/ifeo-mitigationoptions.txt

It seems to allow turning the "dynamic code" and "signature" policies on or off for specific exe files via registry. Supposedly this should also affect Edge, but I haven't tested it yet myself.
mediant
Posts: 2
Joined: Sun Oct 01, 2017 12:01 pm

Re: Windows 10 "Redstone3" and injection/hooking

Post by mediant »

I think I tried both Image Execution Options and Group Policy (which can be extended to 64-bit to include ACG and such) in the past, but to no avail - Edge is created by COM+, and its mitigation settings are provided with process creation parameters. It looks like Image Execution Options and GP can only turn these settings ON.

On RS3 ACG is turned on by default for some processes beyond Edge, e.g. DllHost and some SvcHost instances. So one rather annoying issue we encountered with madCodeHook driver injection is that the driver hooks NtTestAlert, but the injected code is unable to remove that hook due to ACG, resulting in an endless initialization loop.

Any thoughts on how to "mitigate" this, so to say? Except for not using InjectLibraryOld32, obviously...
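Added example, not code from the thread or from madCodeHook: a PowerShell function that decodes the per-image IFEO MitigationOptions value described in the linked document, reporting whether the "dynamic code" (ACG) and "signature" policies are forced on, forced off, or not set for an executable such as the DllHost and SvcHost images mentioned above. It assumes the PROCESS_CREATION_MITIGATION_POLICY_* bit layout from winbase.h (ACG at bits 36-37, BlockNonMicrosoftBinaries at bits 44-45) and reads HKLM, so run it elevated.

```powershell
# Added example, not from the thread or madCodeHook. Decodes
# HKLM\...\Image File Execution Options\<exe>\MitigationOptions (REG_QWORD).
# Assumed layout (winbase.h PROCESS_CREATION_MITIGATION_POLICY_*): each policy
# is a 2-bit field, 1 = ALWAYS_ON, 2 = ALWAYS_OFF, 0 = not set by IFEO.
$IfeoRoot = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'

# Bit offsets of the policies discussed in the thread, plus CFG and remote-image load.
$MitigationFields = [ordered]@{
    'ProhibitDynamicCode (ACG)' = 36   # PROHIBIT_DYNAMIC_CODE_ALWAYS_ON/OFF
    'ControlFlowGuard'          = 40   # CONTROL_FLOW_GUARD_ALWAYS_ON/OFF
    'BlockNonMicrosoftBinaries' = 44   # the "signature" policy
    'ImageLoadNoRemote'         = 52   # IMAGE_LOAD_NO_REMOTE_ALWAYS_ON/OFF
}

function Get-IfeoMitigationState {
    param([Parameter(Mandatory)][string]$ExeName)

    $key = Join-Path $IfeoRoot $ExeName
    if (-not (Test-Path $key)) {
        Write-Warning "No IFEO key for $ExeName; no per-image override is configured."
        return
    }
    $raw = (Get-ItemProperty -Path $key -Name MitigationOptions -ErrorAction SilentlyContinue).MitigationOptions
    if ($null -eq $raw) {
        Write-Warning "IFEO key for $ExeName exists but has no MitigationOptions value."
        return
    }
    $value = [uint64]$raw
    foreach ($name in $MitigationFields.Keys) {
        $field = ($value -shr $MitigationFields[$name]) -band 0x3
        $state = switch ($field) { 1 { 'ALWAYS_ON' } 2 { 'ALWAYS_OFF' } default { 'NOTSET' } }
        [pscustomobject]@{ Image = $ExeName; Mitigation = $name; State = $state }
    }
}

# Usage: check the images named in the thread. A NOTSET result means the process
# gets whatever the creating parent (for Edge, COM+) passes in its creation parameters.
'dllhost.exe', 'svchost.exe' | ForEach-Object { Get-IfeoMitigationState $_ } | Format-Table -AutoSize
```

This only reads the registry override; to see the policy actually in effect for a running process, compare with `Get-ProcessMitigation -Id <pid>` from the built-in ProcessMitigations module.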
madshi
Site Admin
Posts: 10338
Joined: Sun Mar 21, 2004 5:25 pm

Re: Windows 10 "Redstone3" and injection/hooking

Post by madshi »

The NtTestAlert endless initialization loop problem should be fixed in the current official version (both v3 and v4). Probably you're still using an older version?
mediant
Posts: 2
Joined: Sun Oct 01, 2017 12:01 pm

Re: Windows 10 "Redstone3" and injection/hooking

Post by mediant »

Most likely, will check. Thanks for the prompt response!