Microsoft Edge injection

Posted: Fri Jul 21, 2017 3:58 pm
by tinessnaj
Hello,

I'm using madCodeHook (v3.1.16) to inject a hook DLL which intercepts function calls to the "send" and "WSASend" functions of the Windows Sockets 2 API (ws2_32.dll) to do some sort of basic internet filtering, and it always worked well with the common internet browsers. It even worked with Microsoft Edge until Microsoft released the Windows 10 Creators Update. I had to put some effort into getting the injection to work, but it seems like Microsoft Edge doesn't use the mentioned functions anymore. I gave a few API Monitor tools a try to find out which APIs and functions Edge uses, but unlike with madCodeHook, any injection attempts were unsuccessful due to the hardened security that comes with Edge. Do you know if Microsoft replaced these winsock functions with another new API, or am I confronted with another security layer problem? Is there any way to work around this issue?

Thank you very much.

Re: Microsoft Edge injection

Posted: Fri Jul 21, 2017 5:42 pm
by madshi
I'm not sure which exact protection Edge has right now. If it has the "dynamic code" mitigation enabled then installing API hooks should fail completely. Do your HookAPI() calls return true or false?

Re: Microsoft Edge injection

Posted: Thu Jul 27, 2017 2:53 pm
by tinessnaj
Thank you for your reply. My HookAPI() calls return true and my hook DLL shows up in Process Explorer. It gets injected into MicrosoftEdge.exe, MicrosoftEdgeCP.exe and browser_broker.exe.

Re: Microsoft Edge injection

Posted: Thu Jul 27, 2017 3:56 pm
by madshi
Does HookAPI() return true in *all* of those 3 processes? It's probably not all processes which are protected by the process mitigation settings. So it will return true in all unprotected processes, but might return false in just the one which is protected (and might be the key process for your hooks to work).

I'm only guessing here, though. It's also possible that the API hooks installed correctly but there could be another reason for the hooks failing to work. E.g. Edge might use undocumented APIs instead of WinSock now to do its internet communication.
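One way to settle madshi's question of which of the three Edge processes actually carry the mitigation is to read each process's policy with the documented GetProcessMitigationPolicy() API. The script below is an added example, not part of the thread or of madCodeHook; it assumes an elevated PowerShell 5.x session on Windows 10 and uses the process names mentioned above. Besides the dynamic-code policy (ACG) it also reports the binary-signature policy (CIG), which is the other mitigation that would keep a third-party DLL out of a process.

```powershell
# Constructed example: audit the dynamic-code (ACG) and binary-signature (CIG)
# mitigation policies of the running Edge processes via GetProcessMitigationPolicy().
$def = @'
[DllImport("kernel32.dll", SetLastError = true)]
public static extern IntPtr OpenProcess(uint dwDesiredAccess, bool bInheritHandle, uint dwProcessId);
[DllImport("kernel32.dll", SetLastError = true)]
public static extern bool CloseHandle(IntPtr hObject);
[DllImport("kernel32.dll", SetLastError = true)]
public static extern bool GetProcessMitigationPolicy(IntPtr hProcess, int MitigationPolicy, ref uint lpBuffer, UIntPtr dwLength);
'@
Add-Type -Namespace Win32 -Name Mitigation -MemberDefinition $def

$PROCESS_QUERY_INFORMATION = 0x0400
$ProcessDynamicCodePolicy  = 2   # PROCESS_MITIGATION_POLICY enum value
$ProcessSignaturePolicy    = 8   # PROCESS_MITIGATION_POLICY enum value

# Both policy structures are a single DWORD of flags, so a uint buffer of 4 bytes suffices.
function Get-PolicyFlags([IntPtr]$h, [int]$policy) {
    [uint32]$flags = 0
    if (-not [Win32.Mitigation]::GetProcessMitigationPolicy($h, $policy, [ref]$flags, [UIntPtr]4)) {
        throw "GetProcessMitigationPolicy failed: $([Runtime.InteropServices.Marshal]::GetLastWin32Error())"
    }
    return $flags
}

foreach ($p in Get-Process -Name MicrosoftEdge, MicrosoftEdgeCP, browser_broker -ErrorAction SilentlyContinue) {
    $h = [Win32.Mitigation]::OpenProcess($PROCESS_QUERY_INFORMATION, $false, [uint32]$p.Id)
    if ($h -eq [IntPtr]::Zero) { Write-Warning "Cannot open $($p.Name) (PID $($p.Id))"; continue }
    try {
        $dyn = Get-PolicyFlags $h $ProcessDynamicCodePolicy
        $sig = Get-PolicyFlags $h $ProcessSignaturePolicy
        [pscustomobject]@{
            Process             = $p.Name
            PID                 = $p.Id
            ProhibitDynamicCode = [bool]($dyn -band 1)   # ACG: no new executable memory, so inline hooks fail
            AllowThreadOptOut   = [bool]($dyn -band 2)
            MicrosoftSignedOnly = [bool]($sig -band 1)   # CIG: only Microsoft-signed images may load
            StoreSignedOnly     = [bool]($sig -band 2)
        }
    } finally { [void][Win32.Mitigation]::CloseHandle($h) }
}
```

A process that reports ProhibitDynamicCode = True is the one whose HookAPI() result deserves a second look, while MicrosoftSignedOnly = True would explain a hook DLL that never appears in Process Explorer at all.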