New protection from dll injection in Google Chrome

Posted: Mon Jul 23, 2018 4:24 pm
by ezh
A few days ago Google released Chrome Canary (v.70), which implements some protection from DLL injection. They had announced this feature some time ago - https://blog.chromium.org/2017/11/reduc ... third.html - and now it is finally enabled in Chrome Canary, and it looks like in a month it will be available in public Google Chrome.

Injecting using madCodeHook into this protected Chrome doesn't work anymore, even if Chrome was started with "--no-sandbox" option.

Do you have any ideas what kind of protection they use? Are there any chances to find a workaround?

Re: New protection from dll injection in Google Chrome

Posted: Mon Jul 23, 2018 9:13 pm
by madshi
According to the blog, "Microsoft signed" DLLs will be excluded from the DLL injection blocking. Which means that if you EV sign your hook DLLs and send them in to Microsoft for EV cross signing, injection might still work. Furthermore, there'll soon be a new v4 build with an alternative DLL injection method which *may* work around the DLL injection blocking. I'm not sure, though, I haven't tested it. But I don't really see how Chrome would be able to block the new DLL injection method - unless they install a kernel mode driver - or actually simply detect the DLL injection and exit Chrome out of protest.

Re: New protection from dll injection in Google Chrome

Posted: Tue Jul 24, 2018 7:46 am
by ezh
You say we can cross-sign our DLL (not a driver, but a user-mode DLL)? Does it work in a similar way to driver cross-signing, or is there another workflow?

Re: New protection from dll injection in Google Chrome

Posted: Tue Jul 24, 2018 7:48 am
by madshi
Well, I haven't actually done it myself (I don't even have an EV certificate, so I can't try), but a customer told me he did that and it allowed him to inject into Edge (or was it IE? I don't remember).

Re: New protection from dll injection in Google Chrome

Posted: Mon Oct 22, 2018 8:12 am
by ExPx
How can I get detailed information about "sending DLLs to Microsoft for EV cross signing"?

Re: New protection from dll injection in Google Chrome

Posted: Mon Oct 22, 2018 10:59 am
by madshi
I suppose the MS documentation should explain that somehow.

You'll find some more discussion about it here:

viewtopic.php?f=7&t=28050