
[Request] DLL Approval Callback

Posted: Tue Aug 27, 2019 4:15 am
by jgh0721
A 64-bit service injects both x86 and x64 DLLs,
but I cannot receive the DLL approval callback when an x86 process is injected.

Also, at the moment, once a process is approved, it doesn't ask if it is run again, but I want to ask every time a process is run.

Re: [Request] DLL Approval Callback

Posted: Tue Aug 27, 2019 6:19 am
by iconic
Please upload your code and I will take a look. Also, what OS version are you running, security software etc?

—Iconic

Re: [Request] DLL Approval Callback

Posted: Tue Aug 27, 2019 6:37 am
by jgh0721
Windows 10, 1903, 18362.10015, x64

On the x64 service, I set the include mask totalcmd.exe|totalcmd64.exe,

but I received the callback only when totalcmd64.exe launched. Besides, only once.

I attached my sys and DLLs. Driver Name = "iMonLOPE1020"; driver and DLLs are signed.

Re: [Request] DLL Approval Callback

Posted: Tue Aug 27, 2019 7:35 am
by iconic
I'll run some tests here on my end and post back as soon as I can, will be today at some point. I recently tested injection approval and it worked perfectly fine here however. I'll have to test Windows 10 1903 (I have it).

--Iconic

Re: [Request] DLL Approval Callback

Posted: Tue Aug 27, 2019 11:06 pm
by iconic
jgh0721,

Thank you for your test files, I was able to reproduce the issue on Windows 10. Injection approval worked fine for me (a week ago) on Windows 7 so this seems to be an OS-version-specific issue with said feature. Now that both Madshi and I are aware of this issue we will look further into this as soon as we can and add this to the internal bug list to be fixed. This issue seems to only pertain to newly created processes and not currently running processes from my tests, while only affecting more modern versions of Windows.

--Iconic

Re: [Request] DLL Approval Callback

Posted: Wed Aug 28, 2019 12:44 am
by jgh0721
Thank you for reply.

In addition, would it be a problem for my system to kill the process inside Dll Approval Callback?

Re: [Request] DLL Approval Callback

Posted: Wed Aug 28, 2019 2:16 am
by iconic
Hello,

I've taken a much closer look at the problem, here is what I've found.

[1] I wrote my own project for DLL approval (using my own DLLs and driver) and it actually works perfectly fine on 3 different OSs. Win 7 x64 SP1, Windows 8 x64 and Windows 10 1903 x64, for both 32-bit and 64-bit processes.

[2] Using the same injector code with your driver and DLLs causes this issue only for me, much like you have described in your first post about it. So, I do see this, but it's only with your binaries.

[3] Your binaries have 3 signatures so I can't test this on Windows 7 since 2 of them are SHA-256 (prior to a hotfix for SP1) so I've been reduced to Windows 8+ testing only.

[4] Your DLLs contain extra PE sections which is indicative of a packer, code permutator, OEP obfuscator etc. I believe it is the last one, identified as PEStubOEP according to software that I use for analysis.

Can you test again with your own code only this time remove any PE protections? This may very well be your issue and IIRC approval needs to calculate some internal data that could be potentially wrong causing approval not to work.

I've attached my test signed binaries (2 DLLs, Driver and Loader) - please test them and ensure that you're getting real-time alerts of processes attempting to load the DLLs, you should be, as I am, even on Windows 10 1903. You'll want to boot into test mode with "bcdedit /set testsigning on" then reboot and run my demo. Code is also included in the ZIP archive.

We just need to figure out what the key difference is here, but I believe it's somehow due to #4.

P.S. To answer your last question, yes you can kill a process within the approval callback. Be careful however in case it's system critical. The nicest way to do it is without TerminateProcess so loaded DLLs receive DLL_PROCESS_DETACH and they have a chance to cleanup. Even a remote thread on ExitProcess is much nicer.

--Iconic
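Point [4] above rests on reading the PE section table to spot signs of a packer or OEP obfuscator. The block below is an added example written for this thread, not code from madshi, madCodeHook or any poster: a small Python parser that walks the section table of a PE image and flags sections a defender would want explained (a non-standard name, a section that is both writable and executable, or one with no data on disk but a non-zero virtual size). The two images it analyses are synthetic and built inline as constructed test data; the section name `.stub0` is a constructed placeholder, not a real packer signature, and the list of "standard" names is an assumption based on what MSVC-linked modules usually contain.

```python
import struct

# Section names typically produced by the MSVC toolchain (assumption; extend for your build).
STANDARD_SECTIONS = {".text", ".rdata", ".data", ".pdata", ".idata", ".edata",
                     ".rsrc", ".reloc", ".tls", ".bss", ".textbss", ".gfids", ".00cfg", ".CRT"}

IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_WRITE = 0x80000000


def parse_sections(data: bytes):
    """Return (machine, [section dicts]) from a PE image held in memory."""
    if data[:2] != b"MZ":
        raise ValueError("not a PE file: missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]          # offset of "PE\0\0"
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file: missing PE signature")
    coff = e_lfanew + 4
    # COFF header: Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    machine, nsec, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, coff)
    table = coff + 20 + opt_size                                  # section table follows the optional header
    sections = []
    for i in range(nsec):
        # IMAGE_SECTION_HEADER is 40 bytes
        (name_raw, vsize, vaddr, raw_size, raw_ptr,
         _, _, _, _, chars) = struct.unpack_from("<8sIIIIIIHHI", data, table + 40 * i)
        sections.append({
            "name": name_raw.rstrip(b"\0").decode("ascii", "replace"),
            "vsize": vsize, "vaddr": vaddr, "raw_size": raw_size,
            "raw_ptr": raw_ptr, "chars": chars,
        })
    return machine, sections


def assess_sections(data: bytes):
    """List (section name, [reasons]) for every section that deserves a closer look."""
    _, sections = parse_sections(data)
    findings = []
    for s in sections:
        reasons = []
        if s["name"] not in STANDARD_SECTIONS:
            reasons.append("non-standard name")
        if s["chars"] & IMAGE_SCN_MEM_EXECUTE and s["chars"] & IMAGE_SCN_MEM_WRITE:
            reasons.append("writable and executable")
        if s["raw_size"] == 0 and s["vsize"] > 0 and s["name"] not in (".bss", ".textbss"):
            reasons.append("no data on disk but non-zero virtual size")
        if reasons:
            findings.append((s["name"], reasons))
    return findings


def build_sample_pe(section_specs):
    """Construct a minimal synthetic PE32+ DLL image with the given section table (test data only)."""
    opt = struct.pack("<H", 0x20B) + b"\0" * (0xF0 - 2)           # PE32+ magic, rest zeroed
    coff = struct.pack("<HHIIIHH", 0x8664, len(section_specs), 0, 0, 0, len(opt), 0x2022)
    table = b""
    for name, vsize, raw_size, chars in section_specs:
        table += struct.pack("<8sIIIIIIHHI", name.encode().ljust(8, b"\0"),
                             vsize, 0x1000, raw_size, 0x400, 0, 0, 0, 0, chars)
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)            # e_lfanew at 0x3C -> 0x40
    return dos + b"PE\0\0" + coff + opt + table


# Constructed sample 1: what a plain MSVC release DLL looks like.
CLEAN_DLL = build_sample_pe([
    (".text", 0x5000, 0x5000, 0x60000020),   # code, execute|read
    (".rdata", 0x2000, 0x2000, 0x40000040),  # read-only data
    (".data", 0x1000, 0x0800, 0xC0000040),   # read|write data
    (".reloc", 0x0400, 0x0400, 0x42000040),  # relocations, discardable
])

# Constructed sample 2: same layout plus an extra RWX section such as a stub/OEP obfuscator might add.
SUSPECT_DLL = build_sample_pe([
    (".text", 0x5000, 0x5000, 0x60000020),
    (".rdata", 0x2000, 0x2000, 0x40000040),
    (".data", 0x1000, 0x0800, 0xC0000040),
    (".stub0", 0x3000, 0x3000, 0xE0000020),  # placeholder name; execute|read|write
])

if __name__ == "__main__":
    for label, img in (("clean", CLEAN_DLL), ("suspect", SUSPECT_DLL)):
        print(label, assess_sections(img) or "nothing flagged")
```

To run it against a real module, replace the constructed images with `open(path, "rb").read()`; the parser only needs the headers, so reading the first few kilobytes is enough. A flagged section is a prompt to ask the build owner what produced it, which is the question Iconic is asking here.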

Re: [Request] DLL Approval Callback

Posted: Wed Aug 28, 2019 7:36 am
by madshi
Thanks for your support Iconic.

IIRC, newly created processes inside of the approval callback are still in suspended state? I don't think the DLLs have even received DLL_PROCESS_ATTACH yet, or am I wrong?

Re: [Request] DLL Approval Callback

Posted: Wed Aug 28, 2019 9:55 am
by iconic
Madshi,

Nope, you're right, had to check the code and in fact you are doing this basically as early as possible in the mapping phase so no DLL_PROCESS_ATTACH events should be dispatched yet to any modules. Only exception is a long wait inside the callback which exceeds the allotted 5 seconds to make a decision (i.e: checking the web for a hash or reputation, hashing a large DLL that takes long processing time etc.). Only then could it be a possibility that you've missed your window to answer and modules could be potentially initialized. TLS callbacks always execute before entry points and take the same DLLMain style "reason" for attach/detach events. I just think TerminateProcess is an ugly way to end a process, I could think of much cleaner ways to do so, it's likely where my mind is, focused on safety as much as possible :D

--Iconic

Re: [Request] DLL Approval Callback

Posted: Wed Aug 28, 2019 10:04 am
by madshi
I agree that TerminateThread is very ugly. However, any other method means that all the DLLs get first initialized and then have to be finalized. So that's a lot of extra CPU power wasted. So I wonder if in this very specific situation TerminateThread might not actually be the preferred solution? Anyway, I'm not 100% sure here, and it's not my decision to make, anyway, just posting my thoughts... :D

Re: [Request] DLL Approval Callback

Posted: Wed Aug 28, 2019 10:27 am
by iconic
Yes, in this specific case with MCH approval callbacks, TerminateProcess would be the preferable method =]

--Iconic

Re: [Request] DLL Approval Callback

Posted: Thu Aug 29, 2019 1:49 am
by jgh0721
Sorry for the late reply.

1) Tested with your DLLs, and they work for me on Windows 10. So I tested my own DLLs and sys, but it failed.

I didn't use *any* PE packer or PE protector at all. With only a dual signature (SHA1, SHA256) the test failed.

So I tested with only a SHA1 signature, but it failed.

The approval callback for currently running processes works for me, but the approval callback for newly created processes doesn't work for me (SHA1 only and SHA1/SHA256 dual sign).

Attachments: SHA1-signed sys and DLLs, driver name = TestDriver

Test OS: Windows 10 1809, 17763.615
DLL build: compiler VS2015, target XP, release build

Re: [Request] DLL Approval Callback

Posted: Thu Aug 29, 2019 4:54 am
by iconic
Thanks for the reply and new binaries. I'll plug them in to my test environment and debug the driver by Friday to see what is happening here. It's possible that the PE hashing and/or authentication process for approval is somehow not functioning correctly in all cases. Of course this is only a blind assumption at the moment but my tests will undoubtedly reveal the issue.

—Iconic

Re: [Request] DLL Approval Callback

Posted: Thu Aug 29, 2019 6:38 am
by madshi
Might also make sense to double check with the latest build, just to make sure it's not a problem that was already fixed:

http://madshi.net/madCollectionBeta.exe

Re: [Request] DLL Approval Callback

Posted: Thu Aug 29, 2019 8:35 am
by jgh0721
Tested with the latest build using the first binaries (dual sign).

OS: Windows 10, 1903, 18362.10015, x64
DLL: VS2015 target XP, release build

Test result: works for me (very well!!)

PS. Can I reliably obtain the handle of the process inside the DLL approval callback?
PS. Release date ETAs?