Edge goes high CPU when injected via user-mode

Post by choochy2003 » Thu Jan 11, 2018 11:47 pm

I have an issue at the moment, on some Windows 10 Fall Creators Update machines, where after our DLL is injected into Microsoft Edge it uses a really high amount of CPU (between 80-100%). This happens via the user-mode injection when Edge is already started and we start our product. If Edge starts later and the kernel injection kicks in, it does not have a problem.

The strange thing is that this behaviour does not happen on all similar systems, and looking at ProcMon, Edge is in a loop accessing a set of registry keys. Where it normally accesses a few hundred registry values without our DLL injected, it is accessing the same 20 values millions of times a minute, which is where I think the CPU usage might be coming from.

The versions of our products that I can reproduce this issue with span back a number of MadCodeHook releases, so it's nothing new.

Just wondering if anyone else has seen a similar issue?
choochy2003
 
Posts: 76
Joined: Fri Mar 21, 2008 4:52 am

Re: Edge goes high CPU when injected via user-mode

Post by choochy2003 » Fri Jan 12, 2018 2:53 am

It looks like it might not specifically have to do with just the injection itself. If I disable all the hooks inside the DLL, the issue also doesn't occur. However, it doesn't matter which API I hook; hooking any single API will cause this issue. So it's a combination of a user-mode injected DLL hooking any API.
choochy2003
 
Posts: 76
Joined: Fri Mar 21, 2008 4:52 am

Re: Edge goes high CPU when injected via user-mode

Post by madshi » Fri Jan 12, 2018 8:18 am

I've never seen any issue like this. Which registry keys is it accessing again and again in a loop, and do you happen to have a thread callstack?

I suppose you've already tested with the latest madCodeHook builds (released late December 2017)?

Might make sense to double check with one of the demo projects compiled by me, just to make extra sure it's unrelated to your specific code and your linker/compiler settings etc:

http://madshi.net/PrintMonitor.zip
madshi
Site Admin
 
Posts: 9645
Joined: Sun Mar 21, 2004 5:25 pm

