[Request] DLL Approval Callback

jgh0721
Posts: 28
Joined: Tue Apr 22, 2014 8:06 am

[Request] DLL Approval Callback

Post by jgh0721 »

A 64-bit service injects both the x86 and x64 DLLs,
but I cannot receive the DLL approval callback when an x86 process is injected.

Also, at the moment, once a process is approved, it doesn't ask if it is run again, but I want to ask every time a process is run.
iconic
Site Admin
Posts: 1065
Joined: Wed Jun 08, 2005 5:08 am

Re: [Request] DLL Approval Callback

Post by iconic »

Please upload your code and I will take a look. Also, what OS version are you running, security software etc?

—Iconic
jgh0721
Posts: 28
Joined: Tue Apr 22, 2014 8:06 am

Re: [Request] DLL Approval Callback

Post by jgh0721 »

Windows 10, 1903, 18362.10015, x64

On the x64 service, I set the include mask to totalcmd.exe|totalcmd64.exe,

but I receive the callback only when totalcmd64.exe is launched. Besides, only once.

I have attached my .sys and DLLs. Driver Name = "iMonLOPE1020"; driver and DLLs are signed.
Attachments: pack.zip (108.09 KiB), iMonProcMonx64_EV.7z (216.66 KiB), iMonProcMonx86_EV.zip (Test DLL, 234.63 KiB)
iconic
Site Admin
Posts: 1065
Joined: Wed Jun 08, 2005 5:08 am

Re: [Request] DLL Approval Callback

Post by iconic »

I'll run some tests here on my end and post back as soon as I can, will be today at some point. I recently tested injection approval and it worked perfectly fine here however. I'll have to test Windows 10 1903 (I have it).

--Iconic
iconic
Site Admin
Posts: 1065
Joined: Wed Jun 08, 2005 5:08 am

Re: [Request] DLL Approval Callback

Post by iconic »

jgh0721,

Thank you for your test files, I was able to reproduce the issue on Windows 10. Injection approval worked fine for me (a week ago) on Windows 7 so this seems to be an OS version specific issue with said feature. Now that both Madshi and I are aware of this issue we will look further into this as soon as we can and add this to the internal bug list to be fixed. This issue seems to only pertain to newly created processes and not currently running processes from my tests while only affecting more modern versions of Windows.

--Iconic
jgh0721
Posts: 28
Joined: Tue Apr 22, 2014 8:06 am

Re: [Request] DLL Approval Callback

Post by jgh0721 »

Thank you for reply.

In addition, would it be a problem for my system to kill the process inside Dll Approval Callback?
iconic
Site Admin
Posts: 1065
Joined: Wed Jun 08, 2005 5:08 am

Re: [Request] DLL Approval Callback

Post by iconic »

Hello,

I've taken a much closer look at the problem, here is what I've found.

[1] I wrote my own project for DLL approval (using my own DLLs and driver) and it actually works perfectly fine on 3 different OSs. Win 7 x64 SP1, Windows 8 x64 and Windows 10 1903 x64, for both 32-bit and 64-bit processes.

[2] Using the same injector code with your driver and DLLs causes this issue only for me, much like you have described in your first post about it. So, I do see this, but it's only with your binaries.

[3] Your binaries have 3 signatures so I can't test this on Windows 7 since 2 of them are SHA-256 (prior to a hotfix for SP1), so I've been reduced to Windows 8+ testing only.

[4] Your DLLs contain extra PE sections, which is indicative of a packer, code permutator, OEP obfuscator etc. I believe it is the last one, identified as PEStubOEP according to software that I use for analysis.

Can you test again with your own code only this time remove any PE protections? This may very well be your issue and IIRC approval needs to calculate some internal data that could be potentially wrong causing approval not to work.

I've attached my test signed binaries (2 DLLs, Driver and Loader) - please test them and ensure that you're getting real-time alerts of processes attempting to load the DLLs, you should be, as I am, even on Windows 10 1903. You'll want to boot into test mode with "bcdedit /set testsigning on" then reboot and run my demo. Code is also included in the ZIP archive.

We just need to figure out what the key difference is here, but I believe it's somehow due to #4.

P.S. To answer your last question, yes you can kill a process within the approval callback. Be careful however in case it's system critical. The nicest way to do it is without TerminateProcess so loaded DLLs receive DLL_PROCESS_DETACH and they have a chance to clean up. Even a remote thread on ExitProcess is much nicer.

--Iconic
Attachments: approval_test.zip (870.76 KiB)
madshi
Site Admin
Posts: 10753
Joined: Sun Mar 21, 2004 5:25 pm

Re: [Request] DLL Approval Callback

Post by madshi »

Thanks for your support Iconic.

IIRC, newly created processes inside of the approval callback are still in suspended state? I don't think the DLLs have even received DLL_PROCESS_ATTACH yet, or am I wrong?
iconic
Site Admin
Posts: 1065
Joined: Wed Jun 08, 2005 5:08 am

Re: [Request] DLL Approval Callback

Post by iconic »

Madshi,

Nope, you're right, had to check the code and in fact you are doing this basically as early as possible in the mapping phase so no DLL_PROCESS_ATTACH events should be dispatched yet to any modules. Only exception is a long wait inside the callback which exceeds the allotted 5 seconds to make a decision (i.e. checking the web for a hash or reputation, hashing a large DLL that takes long processing time etc.). Only then could it be a possibility that you've missed your window to answer and modules could be potentially initialized. TLS callbacks always execute before entry points and take the same DllMain-style "reason" for attach/detach events. I just think TerminateProcess is an ugly way to end a process, I could think of much cleaner ways to do so, it's likely where my mind is, focused on safety as much as possible :D

--Iconic
madshi
Site Admin
Posts: 10753
Joined: Sun Mar 21, 2004 5:25 pm

Re: [Request] DLL Approval Callback

Post by madshi »

I agree that TerminateThread is very ugly. However, any other method means that all the DLLs get first initialized and then have to be finalized. So that's a lot of extra CPU power wasted. So I wonder if in this very specific situation TerminateThread might not actually be the preferred solution? Anyway, I'm not 100% sure here, and it's not my decision to make, anyway, just posting my thoughts... :D
iconic
Site Admin
Posts: 1065
Joined: Wed Jun 08, 2005 5:08 am

Re: [Request] DLL Approval Callback

Post by iconic »

Yes, in this specific case with MCH approval callbacks, TerminateProcess would be the preferable method =]

--Iconic
jgh0721
Posts: 28
Joined: Tue Apr 22, 2014 8:06 am

Re: [Request] DLL Approval Callback

Post by jgh0721 »

Sorry for the late reply.

1) I tested your DLLs, and they work for me on Windows 10. So I tested my own DLLs and .sys, but they failed.

I didn't use *any* PE packer or PE protector at all. When only dual-signed (SHA1, SHA256), the test failed.

So I tested with a SHA1-only signature, but it failed as well.

The approval callback for currently running processes works for me, but the approval callback for newly created processes doesn't work for me (SHA1 only and SHA1/SHA256 dual sign).

Attachments: SHA1-signed .sys and DLLs; driver name = TestDriver

Test OS: Windows 10 1809, 17763.615
DLL build: compiler VS2015, target XP, release build
Attachments: DemoDriver64.7z (40.3 KiB), DemoDll64.7z (208.95 KiB), DemoDll32.7z (189.47 KiB)
iconic
Site Admin
Posts: 1065
Joined: Wed Jun 08, 2005 5:08 am

Re: [Request] DLL Approval Callback

Post by iconic »

Thanks for the reply and new binaries. I'll plug them in to my test environment and debug the driver by Friday to see what is happening here. It's possible that the PE hashing and/or authentication process for approval is somehow not functioning correctly in all cases. Of course this is only a blind assumption at the moment but my tests will undoubtedly reveal the issue.

—Iconic
madshi
Site Admin
Posts: 10753
Joined: Sun Mar 21, 2004 5:25 pm

Re: [Request] DLL Approval Callback

Post by madshi »

Might also make sense to double check with the latest build, just to make sure it's not a problem that was already fixed:

http://madshi.net/madCollectionBeta.exe
jgh0721
Posts: 28
Joined: Tue Apr 22, 2014 8:06 am

Re: [Request] DLL Approval Callback

Post by jgh0721 »

Tested with the latest build using the first binaries (dual sign).

OS: Windows 10, 1903, 18362.10015, x64
DLL: VS2015, target XP, release build

Test result: works for me (very well!!)

P.S. Can I reliably obtain the handle of the process inside the DLL approval callback?
P.S. Release date ETAs?