[madCodeHook 4.2.0 or 4.1.3] Some excluded process are Injected

c++ / delphi package - dll injection and api hooking
lovenamu
Posts: 21
Joined: Thu Dec 02, 2010 8:21 am

Re: [madCodeHook 4.2.0 or 4.1.3] Some excluded process are Injected

Post by lovenamu »

iconic wrote: Thu Nov 04, 2021 5:43 pm
This issue is because your DLL is not signed by Microsoft most likely, that's the policy that is very clear to me.

--Iconic
I'll check it right away.
Thank you.
lovenamu
Posts: 21
Joined: Thu Dec 02, 2010 8:21 am

Re: [madCodeHook 4.2.0 or 4.1.3] Some excluded process are Injected

Post by lovenamu »

lovenamu wrote: Fri Nov 05, 2021 2:11 am
iconic wrote: Thu Nov 04, 2021 5:43 pm
This issue is because your DLL is not signed by Microsoft most likely, that's the policy that is very clear to me.

--Iconic
I'll check it right away.
Thank you.
Even though my DLL and SYS are signed by Microsoft, the Chrome injection failure issue is not solved.
(screenshot: 036.png)
Other injections (e.g. notepad.exe) have no problem.

Thank you
iconic
Site Admin
Posts: 1019
Joined: Wed Jun 08, 2005 5:08 am

Re: [madCodeHook 4.2.0 or 4.1.3] Some excluded process are Injected

Post by iconic »

Hello,

On the contrary, I believe the Include param with Chrome as a target for injection is in fact solved as I mentioned yesterday. You can clearly see that
the Chrome instances without the signature restriction for Microsoft get injected just fine but those that have this enforcement do not.

If you check out the API SetProcessMitigation and the flag details for ProcessSignaturePolicy you see this:

ProcessSignaturePolicy
The policy of a process that can restrict image loading to those images that are either signed by Microsoft, by the Windows Store, or by Microsoft, the Windows Store and the Windows Hardware Quality Labs (WHQL). The lpBuffer parameter points to a PROCESS_MITIGATION_BINARY_SIGNATURE_POLICY structure that specifies the signature policy flags.
Despite of my dll & sys are signed by Microsoft, chrome injection failure issue is not solved
Actually, your signature is equivalent to WHQL which is a signature you receive on your module after HCK/HLK tests pass or you go the attestation route. This is not the same thing as "Microsoft" only signature which is usually "Microsoft Windows" or "Microsoft Corporation" as the signer. There's a big difference here unfortunately. Chrome only loads DLLs that have Microsoft Windows/Corporation as the signer, nothing else.

Chrome can determine to enforce all Microsoft signatures or just one of them, it determines this and not us.

See here: https://docs.microsoft.com/en-us/window ... ure_policy

Chrome very well may be doing other things internally to filter out injections. Very possible like hooking LdrLoadDll() or using LdrRegisterDllNotification() much like Virtual Box does. I'm getting the same injection failure with other injection packages even when using a system DLL (after the process is initialized) so those instances aren't injectable.

Other Injection ( e.g. notepad.exe ) has no problem.
Notepad is a plain Win32 process (it's not even a metro app) and not a sandbox designed to keep out 3rd party DLLs. Sandboxed browsers like these (Edge, Chrome etc.)


--Iconic
iconic
Site Admin
Posts: 1019
Joined: Wed Jun 08, 2005 5:08 am

Re: [madCodeHook 4.2.0 or 4.1.3] Some excluded process are Injected

Post by iconic »

Code:

  // Enable binary signing policies.
  if (flags & MITIGATION_FORCE_MS_SIGNED_BINS) {
    PROCESS_MITIGATION_BINARY_SIGNATURE_POLICY policy = {};
    // Allow only MS signed binaries.
    policy.MicrosoftSignedOnly = true;
    // NOTE: there are two other flags available to allow
    // 1) Only Windows Store signed.
    // 2) MS-signed, Win Store signed, and WHQL signed binaries.
    // Support not added at the moment.
    if (!set_process_mitigation_policy(ProcessSignaturePolicy, &policy,
                                       sizeof(policy)) &&
        ERROR_ACCESS_DENIED != ::GetLastError()) {
      return false;
    }
  }
Source: https://chromium.googlesource.com/chrom ... gations.cc

--Iconic
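The policy Iconic describes above can also be read back from outside the target process with GetProcessMitigationPolicy, which is the quickest way to tell which Chrome instances will refuse a non-Microsoft-signed DLL before you try to inject. The following PowerShell script is an added example for this thread (it is neither madCodeHook nor Chromium code): it opens every chrome.exe with PROCESS_QUERY_LIMITED_INFORMATION, queries ProcessSignaturePolicy, and lists the flag bits next to Chrome's --type switch so that renderer, GPU, utility and browser processes can be told apart. The P/Invoke wrapper name MitigationQuery and the output column names are my own choices; the script needs Windows 8 or later and enough rights to open the processes (run it elevated to see every Chrome process).

```powershell
# Added example (not madCodeHook or Chromium code): report the ProcessSignaturePolicy
# mitigation of every running chrome.exe, together with Chrome's --type switch.
$typeDef = @'
using System;
using System.Runtime.InteropServices;
public static class MitigationQuery
{
    public const int ProcessSignaturePolicy = 8;                // PROCESS_MITIGATION_POLICY enum value
    public const uint PROCESS_QUERY_LIMITED_INFORMATION = 0x1000;

    [DllImport("kernel32.dll", SetLastError = true)]
    public static extern IntPtr OpenProcess(uint access, bool inheritHandle, uint processId);

    // lpBuffer is a PROCESS_MITIGATION_BINARY_SIGNATURE_POLICY, a 4-byte flags union
    [DllImport("kernel32.dll", SetLastError = true)]
    public static extern bool GetProcessMitigationPolicy(IntPtr hProcess, int policy, out uint flags, IntPtr bufferLength);

    [DllImport("kernel32.dll", SetLastError = true)]
    public static extern bool CloseHandle(IntPtr handle);
}
'@
if (-not ('MitigationQuery' -as [type])) { Add-Type -TypeDefinition $typeDef }

function Get-SignaturePolicy {
    param([Parameter(Mandatory)][int]$ProcessId)

    $h = [MitigationQuery]::OpenProcess([MitigationQuery]::PROCESS_QUERY_LIMITED_INFORMATION, $false, [uint32]$ProcessId)
    if ($h -eq [IntPtr]::Zero) {
        $err = [Runtime.InteropServices.Marshal]::GetLastWin32Error()
        return [pscustomobject]@{ ProcessId = $ProcessId; Error = "OpenProcess failed, Win32 error $err" }
    }
    try {
        [uint32]$flags = 0
        $ok = [MitigationQuery]::GetProcessMitigationPolicy($h, [MitigationQuery]::ProcessSignaturePolicy, [ref]$flags, [IntPtr]4)
        if (-not $ok) {
            $err = [Runtime.InteropServices.Marshal]::GetLastWin32Error()
            return [pscustomobject]@{ ProcessId = $ProcessId; Error = "GetProcessMitigationPolicy failed, Win32 error $err" }
        }
        # Bit layout of PROCESS_MITIGATION_BINARY_SIGNATURE_POLICY.Flags:
        # bit 0 MicrosoftSignedOnly, bit 1 StoreSignedOnly, bit 2 MitigationOptIn
        # (MitigationOptIn is the variant that also accepts Windows Store and WHQL signatures)
        [pscustomobject]@{
            ProcessId           = $ProcessId
            MicrosoftSignedOnly = [bool]($flags -band 1)
            StoreSignedOnly     = [bool]($flags -band 2)
            MitigationOptIn     = [bool]($flags -band 4)
            RawFlags            = ('0x{0:X8}' -f $flags)
        }
    }
    finally {
        [void][MitigationQuery]::CloseHandle($h)
    }
}

# Chrome's --type switch identifies the sandboxed process kind (renderer, gpu-process,
# utility, ...); the browser process itself carries no --type switch.
$chromeTypes = @{}
Get-CimInstance Win32_Process -Filter "Name = 'chrome.exe'" | ForEach-Object {
    $type = if ($_.CommandLine -match '--type=([\w-]+)') { $Matches[1] } else { 'browser' }
    $chromeTypes[[int]$_.ProcessId] = $type
}

$chromeTypes.Keys | Sort-Object | ForEach-Object {
    Get-SignaturePolicy -ProcessId $_ |
        Add-Member -NotePropertyName ChromeType -NotePropertyValue $chromeTypes[$_] -PassThru
} | Format-Table -AutoSize
```

Instances that report MicrosoftSignedOnly = True are the ones that will not accept a WHQL- or attestation-signed DLL; a process showing only MitigationOptIn would accept it. Run the same query against a process you do not expect to be hardened (notepad.exe) to confirm the flags read back as zero.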
iconic
Site Admin
Posts: 1019
Joined: Wed Jun 08, 2005 5:08 am

Re: [madCodeHook 4.2.0 or 4.1.3] Some excluded process are Injected

Post by iconic »

Hello,

I've just completed a series of EXCLUDE (not INCLUDE) tests with MCH Injection. I was not able to reproduce your issue at all, everything worked perfectly fine here. I tested in both Windows 7 x64 and Windows 10 x64.

My simple code is below which matches yours except it's in Delphi (which I doubt would make any bit of a difference):

Code:

        LoadInjectionDriver('TestDriver', nil, 'DemoDriver64.sys');

        InjectLibraryW('TestDriver', 'lovenamu64.dll', ALL_SESSIONS, INJECT_SYSTEM_PROCESSES or INJECT_METRO_APPS,
        nil, 'Runtimebroker.exe|svchost.exe|notepad.exe', nil, nil, nil);

        InjectLibraryW('TestDriver', 'lovenamu32.dll', ALL_SESSIONS, INJECT_SYSTEM_PROCESSES or INJECT_METRO_APPS,
        nil, 'Runtimebroker.exe|svchost.exe|notepad.exe', nil, nil, nil);
 
Please see my screenshot using Process Explorer. RuntimeBroker, svchost and notepad were all running and none of them were injected which is what I expected since they are EXCLUDED.

If you want my original binaries to test yourself please feel free to ask me for them so I can upload them for your own testing. Are you able to reproduce this EXCLUDE issue with RuntimeBroker.exe on more than one machine? Madshi and I may have to give you a specially built debug build that will DbgPrint() the EXCLUDE list prior to injection as well as some other useful information so we can see why this is happening on your end.

https://imgur.com/a/EDcpPfk

*Edit*
I have updated my injection code to show the proper filename, I had renamed the modules to your username for clarity.

--Iconic
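The Process Explorer screenshot above is a manual version of a check that can be scripted: take a snapshot of which processes currently have the DLL loaded and compare it with the include and exclude masks passed to InjectLibraryW. The script below is an added example for this thread, not part of the madCodeHook demo code. The mask semantics it implements are my assumption and should be checked against the madCodeHook documentation for your version: entries separated by '|', wildcards '*' and '?', matched case-insensitively against the process file name, with a process expected to be injected when the include mask is empty or matches and the exclude mask does not match. Function names are mine. Run it from an elevated 64-bit PowerShell, otherwise the module lists of elevated or 64-bit processes are not readable.

```powershell
# Added example (not madCodeHook code): compare which processes have the injected
# DLL loaded with what the include/exclude masks say should have been injected.

function ConvertTo-MaskRegex {
    param([string]$Mask)
    if ([string]::IsNullOrEmpty($Mask)) { return $null }
    # '|' separates entries; '*' and '?' are wildcards (assumed mask syntax)
    $parts = $Mask.Split('|') | ForEach-Object {
        '^' + ([regex]::Escape($_.Trim()) -replace '\\\*', '.*' -replace '\\\?', '.') + '$'
    }
    return [regex]::new(($parts -join '|'), 'IgnoreCase')
}

function Test-ExpectedInjection {
    param([string]$ProcessName, [string]$IncludeMask, [string]$ExcludeMask)
    $inc = ConvertTo-MaskRegex $IncludeMask
    $exc = ConvertTo-MaskRegex $ExcludeMask
    $included = ($null -eq $inc) -or $inc.IsMatch($ProcessName)
    $excluded = ($null -ne $exc) -and $exc.IsMatch($ProcessName)
    return ($included -and -not $excluded)
}

function Compare-InjectionState {
    param(
        [Parameter(Mandatory)][string]$DllName,   # e.g. 'lovenamu64.dll'
        [string]$IncludeMask = '',
        [string]$ExcludeMask = ''
    )
    foreach ($p in Get-Process) {
        $name = "$($p.ProcessName).exe"
        try {
            $loaded = [bool]($p.Modules | Where-Object { $_.ModuleName -ieq $DllName })
        }
        catch {
            # Access denied or 32/64-bit mismatch: we cannot tell, so report it as unreadable
            [pscustomobject]@{ ProcessId = $p.Id; Name = $name; Expected = $null; Loaded = 'unknown'; Verdict = 'unreadable' }
            continue
        }
        $expected = Test-ExpectedInjection -ProcessName $name -IncludeMask $IncludeMask -ExcludeMask $ExcludeMask
        $verdict = if ($expected -eq $loaded) { 'ok' }
                   elseif ($loaded)          { 'INJECTED BUT EXCLUDED / NOT INCLUDED' }
                   else                      { 'expected, not loaded' }
        [pscustomobject]@{ ProcessId = $p.Id; Name = $name; Expected = $expected; Loaded = $loaded; Verdict = $verdict }
    }
}

# Same exclude list as the Delphi EXCLUDE test above, checked for the 64-bit DLL only.
Compare-InjectionState -DllName 'lovenamu64.dll' -ExcludeMask 'Runtimebroker.exe|svchost.exe|notepad.exe' |
    Where-Object Verdict -ne 'ok' | Format-Table -AutoSize
```

The verdict that matters for this thread is "INJECTED BUT EXCLUDED / NOT INCLUDED". "expected, not loaded" is only informational here, because the script does not model bitness (a 64-bit DLL never lands in a 32-bit process) or processes the driver legitimately skips, so it will list those too.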
lovenamu
Posts: 21
Joined: Thu Dec 02, 2010 8:21 am

Re: [madCodeHook 4.2.0 or 4.1.3] Some excluded process are Injected

Post by lovenamu »

iconic wrote: Fri Nov 05, 2021 10:38 pm

Code:

        LoadInjectionDriver('TestDriver', nil, 'DemoDriver64.sys');
        .......
Which code is more recommended?
I'm using code B.

A. LoadInjectionDriver('TestDriver', nil, 'DemoDriver64.sys');

B. LoadInjectionDriver('TestDriver', 'DemoDriver32.sys', 'DemoDriver64.sys');

I'll check your recommending code.
Thank you.
iconic
Site Admin
Posts: 1019
Joined: Wed Jun 08, 2005 5:08 am

Re: [madCodeHook 4.2.0 or 4.1.3] Some excluded process are Injected

Post by iconic »

B is recommended if you have to support both 32-bit and 64-bit OS versions. Since I was only testing with 64-bit Windows 10 I didn't need to use the 2nd parameter (which is the 32-bit driver filename).

--Iconic
lovenamu
Posts: 21
Joined: Thu Dec 02, 2010 8:21 am

Re: [madCodeHook 4.2.0 or 4.1.3] Some excluded process are Injected

Post by lovenamu »

iconic wrote: Fri Nov 05, 2021 10:38 pm Hello,

I've just completed a series of EXCLUDE (not INCLUDE) tests with MCH Injection. I was not able to reproduce your issue at all, everything worked perfectly fine here. I tested in both Windows 7 x64 and Windows 10 x64.

......
--Iconic
I have found how to reproduce my issue.
This issue happens only after rebooting the Windows OS (and the first Windows logon).
(The startup type of my injector service is Automatic.)

The picture below is a screenshot of my issue, which happened after a Windows OS reboot.
Though the InjectLibraryW() INCLUDE list contains only "cmd.exe", other programs are injected.

(screenshot: 001.png)
A manual (re)start of the injector service after the Windows OS reboot doesn't reproduce the issue.
I hope it will help you.
Thank you.
iconic
Site Admin
Posts: 1019
Joined: Wed Jun 08, 2005 5:08 am

Re: [madCodeHook 4.2.0 or 4.1.3] Some excluded process are Injected

Post by iconic »

Hello,

I'll take a look into this ASAP and try to reproduce on my Windows 10 x64 setup. Thanks!

--Iconic
iconic
Site Admin
Posts: 1019
Joined: Wed Jun 08, 2005 5:08 am

Re: [madCodeHook 4.2.0 or 4.1.3] Some excluded process are Injected

Post by iconic »

Hello,

I've modified the code to only use the INCLUDE list with cmd.exe and copied my original demo code to a system service set to auto-start, but I am not able to reproduce your issue once again. My tests worked correctly and only the cmd.exe process was injected and no other processes, even after restarting my PC for the first Windows logon. The only difference I see here is that my DLLs are located in C:\Windows but that's about it, can you please try on your end to see if this makes a difference at all? Your DLLs appear to be in the Program Files (x86) area so this could perhaps make a difference, we can rule that out after you've tested with C:\Windows\ instead *just a shot in the dark here*

Also, does your system service load very early with a load order group? That might be another detail that can matter in this case potentially. Maybe you could share the exact params you're using for CreateService() with us please.

(screenshot: test_pic_include.png)

--Iconic
lovenamu
Posts: 21
Joined: Thu Dec 02, 2010 8:21 am

Re: [madCodeHook 4.2.0 or 4.1.3] Some excluded process are Injected

Post by lovenamu »

iconic wrote: Tue Nov 16, 2021 11:22 pm .... we can rule that out after you've tested with C:\Windows\ instead *just a shot in the dark here*

Also, does your system service load very early with a load order group? That might be another detail that can matter in this case potentially. Maybe you could share the exact params you're using for CreateService() with us please.

--Iconic
There is no difference between "C:\Windows" and "\Program Files (x86)\".
(screenshot: 003.png)
As my injector service is registered by the sc command, I share the registry screenshot.
(screenshot: 004.png)
My company colleague told me an interesting experiment result about this issue.
The OutputDebugStringW() in DLL_PROCESS_ATTACH shows that other processes (that are not in the INCLUDE list) load the injected DLL.

Code:

#include <windows.h>

BOOL APIENTRY 
DllMain( HMODULE hModule, DWORD  ul_reason_for_call, LPVOID lpReserved )
{
        WCHAR DebugStr_CurrentProcessName[MAX_PATH] = {0,};

        // Get Current Process Name
        // (the original post elides this step; GetModuleFileNameW(NULL, ...)
        //  is assumed here and returns the full path of the host EXE)
        GetModuleFileNameW(NULL, DebugStr_CurrentProcessName, MAX_PATH);

	if(ul_reason_for_call == DLL_PROCESS_ATTACH)
	{
                OutputDebugStringW(  DebugStr_CurrentProcessName  );
                return TRUE;
        }
        return TRUE;
}
(She says) Although the names of other processes are printed in dbgview,
you cannot see the DLL in procexp (maybe because it is unloaded immediately).

Because this issue happens only after an OS reboot and the first Windows logon,
"fast dbgview.exe execution" (after Windows logon) is required.

If you reproduce this "misloading-and-fast-unloading" event,
I can make some guessing about this issue.

I hope it will help you.
Thank you.
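A DLL that attaches and unloads again within milliseconds is easy to miss with Process Explorer, and racing dbgview against the logon is fragile. One way to get a durable record is to let Sysmon log image loads: Event ID 7 in the Microsoft-Windows-Sysmon/Operational log records the loading process (Image), the loaded module (ImageLoaded) and its signature, regardless of how quickly the module is unloaded again. The script below is an added example for this thread, not code from anyone in it. It assumes Sysmon is installed with ImageLoad logging enabled for the DLL in question, and the DLL name, the INCLUDE entry cmd.exe and the function name are placeholders taken from the posts above.

```powershell
# Added example (not code from the thread): list Sysmon "Image loaded" events (ID 7)
# for the injected DLL since the last boot, so load-then-immediate-unload is still seen.
function Get-DllLoadEvents {
    param(
        [Parameter(Mandatory)][string]$DllName,   # e.g. 'lovenamu64.dll'
        [datetime]$Since = (Get-CimInstance Win32_OperatingSystem).LastBootUpTime
    )
    $filter = @{ LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = 7; StartTime = $Since }
    Get-WinEvent -FilterHashtable $filter -ErrorAction Stop | ForEach-Object {
        # Sysmon stores its fields as <Data Name="...">value</Data> in EventData
        $xml = [xml]$_.ToXml()
        $d = @{}
        foreach ($n in $xml.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        if ($d.ImageLoaded -and ([IO.Path]::GetFileName($d.ImageLoaded) -ieq $DllName)) {
            [pscustomobject]@{
                UtcTime     = $d.UtcTime
                ProcessId   = [int]$d.ProcessId
                Image       = $d.Image          # host process that loaded the DLL
                ImageLoaded = $d.ImageLoaded
                Signed      = $d.Signed
                Signature   = $d.Signature
            }
        }
    }
}

# Every host process seen loading the DLL since boot. With an INCLUDE list of only
# cmd.exe, any other Image is a wrong injection, even if the DLL unloaded again at once.
Get-DllLoadEvents -DllName 'lovenamu64.dll' |
    Where-Object { [IO.Path]::GetFileName($_.Image) -ine 'cmd.exe' } |
    Sort-Object UtcTime | Format-Table -AutoSize
```

Because the log persists across reboots, you can reboot, log on at your own pace and then run the query; the UtcTime column also shows whether the stray loads cluster in the first seconds after logon, which is the window the post above describes.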
iconic
Site Admin
Posts: 1019
Joined: Wed Jun 08, 2005 5:08 am

Re: [madCodeHook 4.2.0 or 4.1.3] Some excluded process are Injected

Post by iconic »

Hello,

I've not been able to reproduce any issues with both include and exclude lists even when using a service that is auto-started so I'm not sure what else I can do here to help. All of my different tests have worked fine on my PCs and I've tested more than 1 machine and OS.
I can make some guessing about this issue
We are open to hearing what you believe it might be.

--Iconic
madshi
Site Admin
Posts: 10434
Joined: Sun Mar 21, 2004 5:25 pm

Re: [madCodeHook 4.2.0 or 4.1.3] Some excluded process are Injected

Post by madshi »

@Iconic, maybe you could share one of your test projects, with source code and compiled binaries, so lovenamu can double check with the same project?
iconic
Site Admin
Posts: 1019
Joined: Wed Jun 08, 2005 5:08 am

Re: [madCodeHook 4.2.0 or 4.1.3] Some excluded process are Injected

Post by iconic »

Hello,

My source code for the service INCLUDE test is below, it's very simple. The DLLs are empty code wise and do absolutely nothing which is best for these types of tests as we only care about injection and not hooking in this scenario.

Code:

unit uTestMCHInclude;

{$SetPEOptFlags $140} // DEP + ASLR
//{$DEFINE __dbg}

interface

uses
  Winapi.Windows, Vcl.SvcMgr, madCodeHook;

type
  TTestMCHInclude = class(TService)
    procedure ServiceExecute(Sender: TService);
    procedure ServiceStart(Sender: TService; var Started: Boolean);
  private
    { Private declarations }
  public
    function GetServiceController: TServiceController; override;
    { Public declarations }
  end;

var
  TestMCHInclude: TTestMCHInclude;

implementation

{$R *.DFM}
{$O+}

procedure ServiceController(CtrlCode: DWord); stdcall;
begin
     TestMCHInclude.Controller(CtrlCode);
end;

function TTestMCHInclude.GetServiceController: TServiceController;
begin
    result := ServiceController;
end;

procedure TTestMCHInclude.ServiceExecute(Sender: TService);
begin
    while not (Terminated) do
    begin
    ServiceThread.ProcessRequests(False);
    Sleep(5);
    end;
end;

procedure TTestMCHInclude.ServiceStart(Sender: TService; var Started: Boolean);
begin
     EnableAllPrivileges();
     LoadInjectionDriver('TestDriver', nil, 'DemoDriver64.sys');
     InjectLibraryW('TestDriver', 'lovenamu64.dll', ALL_SESSIONS,
     (INJECT_SYSTEM_PROCESSES or INJECT_METRO_APPS),
     'cmd.exe', nil, nil, nil, nil);
end;
end.
I've uploaded the 64-bit binaries below which are signed with a free cert, you'll need to place your x64 OS into Test Signing Mode with an elevated cmd prompt -> "bcdedit /set testsigning on"

Binary file(s) download link: https://gofile.io/d/aghhTj

After this reboot and install the service. I'd recommend placing the DLL, Driver and Service in C:\Windows since I used this for my tests. I opened an elevated cmd prompt and registered the service with "TestMCHInclude /install" and then ran "net start TestMCHInclude"

It doesn't matter how you start the service, you can even do it manually with the help of Services.msc and click to Start it or use SC. The above details are just how I performed the test and should be irrelevant to injection working properly.

You can reboot again after this and see if only cmd.exe is injected after opening it, it worked perfectly fine here on my machines. Let us know how your tests go please. Thanks!

--Iconic
madshi
Site Admin
Posts: 10434
Joined: Sun Mar 21, 2004 5:25 pm

Re: [madCodeHook 4.2.0 or 4.1.3] Some excluded process are Injected

Post by madshi »

Great - thanks!

@lovenamu, could you give Iconic's test project a try?

If you *can* reproduce the problem with the test project, then that means that there must be something different between your VM and Iconic's VM.

If you *cannot* reproduce the problem with the test project, then that means that there must be something different between your real project and Iconic's test project. In that case maybe you can try to figure out what the difference is exactly?