but, i cannot receive dll approval callback when x86 process injected.
Also, at the moment, once a process is approved, it doesn't ask if it is run again, but I want to ask every time a process is run.
On x64 Service, i set include mask totalcmd.exe|totalcmd64.exe ,
but i received only when totalcmd64.exe launched. besieds, only once.
i attachments my sys,dlls. Driver Name = "iMonLOPE1020", driver and dll signed.
Thank you for your test files, I was able to reproduce the issue on Windows 10. Injection approval worked fine for me (a week ago) on Windows 7 so this seems to be an OS version specific issue with said feature. Now that both Madshi and I are aware of this issue we will look further into this as soon as we can and add this to the internal bug list to be fixed. This issue seems to only pertain to newly created processes and not currently running processes from my tests while only affecting more modern versions of Windows.
I've taken a much closer look at the problem, here is what I've found.
 I wrote my own project for DLL approval (using my own DLLs and driver) and it actually works perfectly fine on 3 different OSs. Win 7 x64 SP1, Windows 8 x64 and Windows 10 1903 x64, for both 32-bit and 64-bit processes.
 Using the same injector code with your driver and DLLs causes this issue only for me, much like you have described in your first post about it. So, I do see this, but it's only with your binaries
 Your binaries have 3 signatures so I can't test this on Windows 7 since 2 of them are SHA-256 (prior to a hotfix for SP1) so I've been reduced to Windows 8+ testing only
 Your DLLs contain extra PE sections which is indicative of a packer, code permutator, OEP obfuscator etc. I believe it is the last one, identified as PEStubOEP according to software that I use for analysis
Can you test again with your own code only this time remove any PE protections? This may very well be your issue and IIRC approval needs to calculate some internal data that could be potentially wrong causing approval not to work.
I've attached my test signed binaries (2 DLLs, Driver and Loader) - please test them and ensure that you're getting real-time alerts of processes attempting to load the DLLs, you should be, as I am, even on Windows 10 1903. You'll want to boot into test mode with "bcdedit /set testsigning on" then reboot and run my demo. Code is also included in the ZIP archive.
We just need to figure out what the key difference is here, but I believe it's somehow due to #4.
P.S> To answer your last question, yes you can kill a process within the approval callback. Be careful however in case it's system critical. The nicest way to do it is without TerminateProcess so loaded DLLs receive DLL_PROCESS_DETACH and they have a chance to cleanup. Even a remote thread on ExitProcess is much nicer
- (870.76 KiB) Downloaded 360 times
IIRC, newly created processes inside of the approal callback are still in suspended state? I don't think the DLLs have even received DLL_PROCESS_ATTACH yet, or am I wrong?
Nope, you're right, had to check the code and in fact you are doing this basically as early as possible in the mapping phase so no DLL_PROCESS_ATTACH events should be dispatched yet to any modules. Only exception is a long wait inside the callback which exceeds the allotted 5 seconds to make a decision (i.e: checking the web for a hash or reputation, hashing a large DLL that takes long processing time etc.). Only then could it be a possibility that you've missed your window to answer and modules could be potentially initialized. TLS callbacks always execute before entry points and take the same DLLMain style "reason" for attach/detach events. I just think TerminateProcess is an ugly way to end a process, I could think of much cleaner ways to do so, it's likely where my mind is, focused on safety as much as possible
1) test for your dlls. and works for me, windows 10. so i test my own dlls, sys. but failed.
i didn't use *any* PE Packer or PE Protector at all. when only dual sign (SHA1, SHA256) test failed.
so, i test only sha1 sign test, but failed.
current running process approval callback works for me. but newly created process approval callback doesn't works for me. ( SHA1 only and Sha1,sha256 dual sign )
attachments : sha1 signed sys, dlls, driver name = TestDriver
test os : windows 10 1809, 17763.615,
dll build : compiler VS2015 , Target XP, release build
os : windows 10, 1903, 18362.10015, x64
dll : vs2015 target xp, release build
test result : works for me( very well!! )
ps. can I reliably obtain the handle of the process inside the dll approval callback?
ps. release date ETAs?