Re: Windows 10 "Redstone3" and injection/hooking

Posted: Tue Sep 19, 2017 7:28 pm
by madshi
iconic kindly linked to this in another thread:

https://theryuu.github.io/ifeo-mitigationoptions.txt

It seems to allow turning the "dynamic code" and "signature" policies on or off for specific exe files via registry. Supposedly this should also affect Edge, but I haven't tested it yet myself.

Re: Windows 10 "Redstone3" and injection/hooking

Posted: Sun Oct 01, 2017 12:23 pm
by mediant
I think I tried both Image Execution Options and Group Policy (which can be extended to 64-bit to include ACG and such) in the past, but to no avail - Edge is created by COM+, and its mitigation settings are provided with process creation parameters. It looks like Image Execution Options and GP can only turn these settings ON.

On RS3 ACG is turned on by default for some processes beyond Edge, e.g. DllHost and some SvcHost instances. So one rather annoying issue we encountered with madCodeHook driver injection is that the driver hooks NtTestAlert, but the injected code is unable to remove that hook due to ACG, resulting in an endless initialization loop.

Any thoughts on how to "mitigate" this, so to say? Except for not using InjectLibraryOld32, obviously...
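Added example (not code from the thread, madCodeHook, or the linked text): a PowerShell snippet that reads the IFEO `MitigationOptions` value the linked file describes for a given image name, and separately asks a running process what dynamic-code (ACG) and binary-signature (CIG) policy it actually has via `GetProcessMitigationPolicy`. The second check is the useful one for the Edge / DllHost / svchost case above, since a process can get these policies from its creation parameters regardless of what the registry says. Assumptions: Windows 10 RS3 or later, run elevated to open processes you do not own; the raw QWORD from the registry is shown as-is, not decoded; `Get-IfeoMitigationOptions` and `Get-LiveCodePolicies` are names chosen here.

```powershell
# Added example, not part of the forum thread.
# Requires Windows 10 1709+ and an elevated prompt for system processes.

Add-Type -TypeDefinition @"
using System;
using System.Runtime.InteropServices;
public static class Mitigation {
    // PROCESS_MITIGATION_POLICY enum values from winnt.h
    public const int ProcessDynamicCodePolicy = 2;
    public const int ProcessSignaturePolicy   = 8;
    public const uint PROCESS_QUERY_INFORMATION = 0x0400;

    [DllImport("kernel32.dll", SetLastError = true)]
    public static extern IntPtr OpenProcess(uint access, bool inherit, int pid);

    [DllImport("kernel32.dll", SetLastError = true)]
    public static extern bool CloseHandle(IntPtr h);

    // Both policies used here are 4-byte structs (a DWORD of bit flags),
    // so a uint buffer with dwLength = 4 is sufficient.
    [DllImport("kernel32.dll", SetLastError = true)]
    public static extern bool GetProcessMitigationPolicy(
        IntPtr hProcess, int policy, out uint buffer, IntPtr length);
}
"@

function Get-IfeoMitigationOptions {
    # Raw IFEO MitigationOptions QWORD for an image name (e.g. "dllhost.exe"),
    # or $null when no such value is configured.
    param([Parameter(Mandatory)][string]$ImageName)
    $key = "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\$ImageName"
    $item = Get-ItemProperty -Path $key -Name MitigationOptions -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [uint64]$item.MitigationOptions
}

function Get-LiveCodePolicies {
    # What the running process itself reports, independent of IFEO/GP.
    param([Parameter(Mandatory)][int]$ProcessId)
    $h = [Mitigation]::OpenProcess([Mitigation]::PROCESS_QUERY_INFORMATION, $false, $ProcessId)
    if ($h -eq [IntPtr]::Zero) { throw "OpenProcess failed for PID $ProcessId (access denied or protected process)" }
    try {
        $dyn = [uint32]0; $sig = [uint32]0
        $ok1 = [Mitigation]::GetProcessMitigationPolicy($h, [Mitigation]::ProcessDynamicCodePolicy, [ref]$dyn, [IntPtr]4)
        $ok2 = [Mitigation]::GetProcessMitigationPolicy($h, [Mitigation]::ProcessSignaturePolicy,   [ref]$sig, [IntPtr]4)
        if (-not ($ok1 -and $ok2)) { throw "GetProcessMitigationPolicy failed for PID $ProcessId" }
        [pscustomobject]@{
            ProcessId            = $ProcessId
            Name                 = (Get-Process -Id $ProcessId).ProcessName
            # PROCESS_MITIGATION_DYNAMIC_CODE_POLICY bit fields
            ProhibitDynamicCode  = [bool]($dyn -band 1)   # ACG: no new or writable code pages
            AllowThreadOptOut    = [bool]($dyn -band 2)
            AllowRemoteDowngrade = [bool]($dyn -band 4)
            # PROCESS_MITIGATION_BINARY_SIGNATURE_POLICY bit fields
            MicrosoftSignedOnly  = [bool]($sig -band 1)   # CIG: Microsoft-signed DLLs only
            StoreSignedOnly      = [bool]($sig -band 2)
            MitigationOptIn      = [bool]($sig -band 4)
        }
    } finally {
        [void][Mitigation]::CloseHandle($h)
    }
}

# Usage: registry view for one image, then every running dllhost/svchost
# instance that currently has ACG enabled.
"IFEO MitigationOptions for dllhost.exe: " + (Get-IfeoMitigationOptions -ImageName 'dllhost.exe')
Get-Process dllhost, svchost -ErrorAction SilentlyContinue | ForEach-Object {
    try { Get-LiveCodePolicies -ProcessId $_.Id } catch { Write-Warning $_ }
} | Where-Object ProhibitDynamicCode | Format-Table ProcessId, Name, ProhibitDynamicCode, MicrosoftSignedOnly
```

Running this before trying to patch code in a target is a cheap way to tell whether a hook can be written or removed at all: if `ProhibitDynamicCode` is true, any attempt to make a code page writable fails, which is exactly the condition behind the NtTestAlert loop described above.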

Re: Windows 10 "Redstone3" and injection/hooking

Posted: Sun Oct 01, 2017 1:00 pm
by madshi
The NtTestAlert endless initialization loop problem should be fixed in the current official version (both v3 and v4). Probably you're still using an older version?

Re: Windows 10 "Redstone3" and injection/hooking

Posted: Sun Oct 01, 2017 1:58 pm
by mediant
Most likely, will check. Thanks for the prompt response!