And also thanks for pointing out that Windows only cares about RET with Intel’s CET, it’s a relief. If Windows adopted the full IBT enforcement at the hardware level both jumps and calls would also be under scrutiny. Luckily, MS likely realized that their own hotpatching/detours/DLL Shims would also refuse to function.
The "hotfix" build seems to be stable. A big security company has tested it for their internal use and found no issues (so far), so I think the hotfix is probably good to go for release builds. I do plan to release an "official" new build soon(ish), but it's likely to be identical to the current hotfix, with just the documentation/version information updated. I don't really have a schedule/ETA for an official build atm, because I'm busy with another urgent project.
MCH v4.0 is definitely worth the upgrade as there have been several fixes and additions since v3.0, which is now nearly 10 years old! Highly recommend the upgrade.
for the shadow stack overflow would be to pop the correct number of return addresses off the shadow stack when you do the corresponding pop of the data stack. The shadow stack can be popped using the following assembly instructions:
mov ecx, 1
incsspq rcx
or this C compiler intrinsic:
void __cdecl _incsspq (unsigned __int64);
I have tried calling _incsspq(1) before returning from the PeekMessageW hook but it doesn't help. I created a test app that simply repeatedly calls PeekMessageW when it is hooked; it is terminated after a few seconds.
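To make the bookkeeping behind the incsspq advice above concrete, here is a small added model of how CET keeps the data stack and the shadow stack in step. It is example code written for this thread, not madCodeHook's code and not Google's, and it executes no real CET instructions: cet_call, cet_ret, cet_pop_data_only and cet_incssp are constructed stand-ins for CALL, RET, a manual "add rsp"/JMP unwind and INCSSPQ, and STACK_SLOTS is a deliberately tiny constructed limit so the overflow shows up within a few rounds. run_hook_rounds shows why a frame discarded by hand makes the next RET see a mismatch, and rounds_until_overflow shows how a leaked entry per hooked call (think PeekMessageW in a loop) grows the shadow stack until it overflows, with INCSSPQ restoring balance in both cases.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed, deliberately tiny shadow stack so a leak overflows quickly. */
#define STACK_SLOTS 8

typedef struct {
    uint64_t data[STACK_SLOTS];    /* return addresses as RET will read them   */
    int      sp;
    uint64_t shadow[STACK_SLOTS];  /* return addresses as CALL pushed them     */
    int      ssp;
    int      fault;                /* 1 = RET mismatch (#CP), 2 = shadow stack overflow, 3 = data stack overflow */
} cet_model;

static void cet_init(cet_model *m) { memset(m, 0, sizeof *m); }

/* Stand-in for CALL: push the return address on both stacks. */
static int cet_call(cet_model *m, uint64_t ret_addr) {
    if (m->fault) return 0;
    if (m->ssp >= STACK_SLOTS) { m->fault = 2; return 0; }
    if (m->sp  >= STACK_SLOTS) { m->fault = 3; return 0; }
    m->data[m->sp++]     = ret_addr;
    m->shadow[m->ssp++]  = ret_addr;
    return 1;
}

/* Stand-in for RET: pop both stacks and compare; a difference is a control-protection fault. */
static int cet_ret(cet_model *m) {
    if (m->fault) return 0;
    if (m->sp == 0 || m->ssp == 0) { m->fault = 1; return 0; }
    uint64_t d = m->data[--m->sp];
    uint64_t s = m->shadow[--m->ssp];
    if (d != s) { m->fault = 1; return 0; }
    return 1;
}

/* What a detour does when it drops a frame by hand (add rsp, 8*n) and leaves by JMP:
 * the data stack is rebalanced, the shadow stack is untouched. */
static void cet_pop_data_only(cet_model *m, int n) { m->sp = (m->sp > n) ? m->sp - n : 0; }

/* Stand-in for INCSSPQ n: discard n shadow-stack entries without comparing them. */
static void cet_incssp(cet_model *m, int n) { m->ssp = (m->ssp > n) ? m->ssp - n : 0; }

/* One round: the caller CALLs the hooked API (entry A), the hook stub CALLs a helper
 * (entry B), the stub discards B's frame by hand and JMPs on instead of RETurning,
 * and the callee finally RETs to the caller. With fix_shadow set, the stub also runs
 * INCSSPQ 1 after its manual pop. Returns how many rounds complete before a fault. */
int run_hook_rounds(int rounds, int fix_shadow) {
    cet_model m;
    cet_init(&m);
    for (int i = 0; i < rounds; i++) {
        cet_call(&m, 0x1000 + i);          /* caller -> hooked API (A)            */
        cet_call(&m, 0x2000 + i);          /* hook stub -> helper (B)             */
        cet_pop_data_only(&m, 1);          /* stub throws B's frame away, JMPs on */
        if (fix_shadow) cet_incssp(&m, 1); /* drop B from the shadow stack too    */
        if (!cet_ret(&m)) return i;        /* data says A; shadow says B unless fixed */
    }
    return rounds;
}

/* Same stub pattern, but control never RETurns across the leaked entry, so nothing
 * compares: the shadow stack grows by one entry per hooked call until it overflows.
 * Returns the round at which the overflow fault hits, or -1 if every round completed. */
int rounds_until_overflow(int rounds, int fix_shadow) {
    cet_model m;
    cet_init(&m);
    for (int i = 0; i < rounds; i++) {
        if (!cet_call(&m, 0x2000 + i)) return i;  /* stub -> helper */
        cet_pop_data_only(&m, 1);                 /* manual unwind, leave by JMP */
        if (fix_shadow) cet_incssp(&m, 1);
    }
    return -1;
}

int main(void) {
    printf("rounds before #CP, no incssp:   %d\n", run_hook_rounds(5, 0));
    printf("rounds before #CP, with incssp: %d\n", run_hook_rounds(5, 1));
    printf("overflow round, no incssp:      %d\n", rounds_until_overflow(100, 0));
    printf("overflow round, with incssp:    %d\n", rounds_until_overflow(100, 1));
    return 0;
}
```

The model makes the count in the thread's advice the important part: INCSSPQ must discard exactly as many entries as the stub popped from the data stack by hand, and it must run on every path that leaves the stub by JMP, since any leftover entry either faults at the next RET or, if no RET ever crosses it, silently accumulates until the shadow stack is exhausted.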
Do you happen to have a crash dump or maybe you can share your code (callback only)? Does this happen with an empty callback where you just call the next hook? Lastly, and most importantly, does this happen with any other hooked APIs set in the Chrome process or is this only a PeekMessageW() issue you're experiencing?
FWIW, nobody else has reported any CET issues for now. Can you reproduce the issue outside of chrome? I wonder if it's something specific to chrome which is causing this.
Also, could you please try the latest build, which has some further bugfixes (I don't recall anything CET related, though):
Here is a stand-alone test app and dump file https://www.dropbox.com/s/34fnbg8vbx9o2 ... 3.zip?dl=0. I just took a Visual Studio app wizard project, repeatedly called PeekMessage and enabled CET. As noted by Google, this manifests as a shadow stack overflow on CET-supported hardware. I can replicate this situation by hooking other APIs, not just PeekMessageW.
I've just noticed that my madCodeHook subscription has expired... I'll get that renewed ASAP. I am using the version of madCollectionUpdate from this thread dated March 18.