Microsoft Edge injection

c++ / delphi package - dll injection and api hooking

Microsoft Edge injection

Post by tinessnaj » Fri Jul 21, 2017 3:58 pm

Hello,

I'm using madCodeHook (v3.1.16) to inject a hook DLL which intercepts function calls to the "send" and "WSASend" functions of the Windows Sockets 2 API (ws2_32.dll) to do some sort of basic internet filtering, and it always worked well with the common internet browsers. It even worked with Microsoft Edge until Microsoft released the Windows 10 Creators Update. I had to put some effort into getting the injection to work, but it seems like Microsoft Edge doesn't use the mentioned functions anymore. I gave a few API Monitor tools a try to find out which APIs and functions Edge uses, but unlike with madCodeHook any injection attempts were unsuccessful due to the hardened security that comes with Edge. Do you know if Microsoft replaced these winsock functions with another new API, or am I confronted with another security layer problem? Is there any way to work around this issue?

Thank you very much.
tinessnaj
 
Posts: 2
Joined: Fri Jul 21, 2017 2:46 pm

Re: Microsoft Edge injection

Post by madshi » Fri Jul 21, 2017 5:42 pm

I'm not sure which exact protection Edge has right now. If it has the "dynamic code" mitigation enabled then installing API hooks should fail completely. Do your HookAPI() calls return true or false?
madshi
Site Admin
 
Posts: 9431
Joined: Sun Mar 21, 2004 5:25 pm

Re: Microsoft Edge injection

Post by tinessnaj » Thu Jul 27, 2017 2:53 pm

Thank you for your reply. My HookAPI() calls return true and my hook DLL shows up in Process Explorer. It gets injected to MicrosoftEdge.exe, MicrosoftEdgeCP.exe and browser_broker.exe.
tinessnaj
 
Posts: 2
Joined: Fri Jul 21, 2017 2:46 pm

Re: Microsoft Edge injection

Post by madshi » Thu Jul 27, 2017 3:56 pm

Does HookAPI() return true in *all* of those 3 processes? It's probably not all processes which are protected by the process mitigation settings. So it will return true in all unprotected processes, but might return false in just the one which is protected (and which might be the key process for your hooks to work).

I'm only guessing here, though. It's also possible that the API hooks installed correctly but there could be another reason for the hooks failing to work. E.g. Edge might use undocumented APIs instead of WinSock now to do its internet communication.
madshi
Site Admin
 
Posts: 9431
Joined: Sun Mar 21, 2004 5:25 pm
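madshi's two replies above come down to one diagnostic question: is the "dynamic code" process mitigation actually in effect in each of the three Edge processes, and if so, in which one? The following PowerShell script is an added example, not code from the thread or from madCodeHook; it reports the live mitigation state per process ID, so a hardening setting can be confirmed before suspecting the hook DLL itself. It assumes the Get-ProcessMitigation cmdlet (ProcessMitigations module, Windows 10 1709 and later), its -Id parameter for querying a running process, and the DynamicCode.BlockDynamicCode property path of its output; the process names are the three the poster listed.

```powershell
# Added example (not part of the forum thread): list the dynamic code
# mitigation state for every running instance of the given process names.
# Assumes Get-ProcessMitigation (Windows 10 1709+) and that its output
# exposes DynamicCode.BlockDynamicCode as ON / OFF / NOTSET.
# Run from an elevated PowerShell session.

function Get-DynamicCodeState {
    param(
        [Parameter(Mandatory)]
        [string[]]$ProcessName   # process names without ".exe"
    )

    foreach ($name in $ProcessName) {
        $procs = Get-Process -Name $name -ErrorAction SilentlyContinue
        if (-not $procs) {
            [pscustomobject]@{ Process = $name; Pid = $null; BlockDynamicCode = 'not running' }
            continue
        }
        # Edge runs several content processes; report each one separately, since
        # the mitigation may be set on only one of them (madshi's point above).
        foreach ($p in $procs) {
            try {
                # -Id queries the mitigations in effect for the live process, not
                # just the per-executable policy stored in the registry.
                $m = Get-ProcessMitigation -Id $p.Id -ErrorAction Stop
                $state = $m.DynamicCode.BlockDynamicCode   # assumed property path
            } catch {
                $state = "query failed: $($_.Exception.Message)"
            }
            [pscustomobject]@{ Process = $name; Pid = $p.Id; BlockDynamicCode = $state }
        }
    }
}

# The three process names from the thread (Edge after the Creators Update).
Get-DynamicCodeState -ProcessName 'MicrosoftEdge', 'MicrosoftEdgeCP', 'browser_broker' |
    Format-Table -AutoSize
```

A row showing ON for a process in which HookAPI() nevertheless returned true is worth a closer look, because the hook would then have been installed before the mitigation took effect or the return value is not telling the whole story; a row showing OFF everywhere points instead at madshi's second explanation, that the traffic no longer passes through the hooked WinSock functions at all.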

