New protection from dll injection in Google Chrome

Postby ezh » Mon Jul 23, 2018 4:24 pm

A few days ago Google released Chrome Canary (v.70), where it implemented some protection from DLL injection. They had announced this feature some time ago - https://blog.chromium.org/2017/11/reduc ... third.html - and now it is finally enabled in Chrome Canary, and it looks like in a month it will be available in public Google Chrome.

Injecting using madCodeHook into this protected Chrome doesn't work anymore, even if Chrome was started with the "--no-sandbox" option.

Do you have any ideas what kind of protection they use? Are there any chances to find a workaround?
ezh
 
Posts: 6
Joined: Tue Sep 22, 2015 10:20 am

Re: New protection from dll injection in Google Chrome

Postby madshi » Mon Jul 23, 2018 9:13 pm

According to the blog, "Microsoft signed" DLLs will be excluded from the DLL injection blocking. Which means that if you EV sign your hook DLLs and send them in to Microsoft for EV cross signing, injection might still work. Furthermore, there'll soon be a new v4 build with an alternative DLL injection method which *may* work around the DLL injection blocking. I'm not sure, though, I haven't tested it. But I don't really see how Chrome would be able to block the new DLL injection method - unless they install a kernel mode driver - or actually simply detect the DLL injection and exit Chrome out of protest.
madshi
Site Admin
 
Posts: 9821
Joined: Sun Mar 21, 2004 5:25 pm

Re: New protection from dll injection in Google Chrome

Postby ezh » Tue Jul 24, 2018 7:46 am

You say we can cross-sign our DLL (not a driver, but a user-mode DLL)? Does it work in a similar way to driver cross-signature, or is there another workflow?

Re: New protection from dll injection in Google Chrome

Postby madshi » Tue Jul 24, 2018 7:48 am

Well, I haven't actually done it myself (I don't even have an EV certificate, so I can't try), but a customer told me he did that and it allowed him to inject into Edge (or was it IE? I don't remember).

Re: New protection from dll injection in Google Chrome

Postby ExPx » Mon Oct 22, 2018 8:12 am

How can I get detailed information about "sending DLLs to Microsoft for EV cross signing"?
ExPx
 
Posts: 29
Joined: Fri Oct 21, 2016 3:20 pm

Re: New protection from dll injection in Google Chrome

Postby madshi » Mon Oct 22, 2018 10:59 am

I suppose the MS documentation should explain that somehow.

You'll find some more discussion about it here:

viewtopic.php?f=7&t=28050