I'll check it right away.
Thank you.
Despite my DLL & sys being signed by Microsoft, the Chrome injection failure issue is not solved.
Actually, your signature is equivalent to WHQL, which is a signature you receive on your module after HCK/HLK tests pass or you go the attestation route. This is not the same thing as a "Microsoft"-only signature, which usually has "Microsoft Windows" or "Microsoft Corporation" as the signer. There's a big difference here, unfortunately. Chrome only loads DLLs that have Microsoft Windows/Corporation as the signer, nothing else.
Other injection (e.g. notepad.exe) has no problem.
Notepad is a plain Win32 process (it's not even a Metro app) and not a sandbox designed to keep out 3rd-party DLLs. Sandboxed browsers like these (Edge, Chrome etc.)

// Enable binary signing policies.
if (flags & MITIGATION_FORCE_MS_SIGNED_BINS) {
  PROCESS_MITIGATION_BINARY_SIGNATURE_POLICY policy = {};
  // Allow only MS signed binaries.
  policy.MicrosoftSignedOnly = true;
  // NOTE: there are two other flags available to allow
  // 1) Only Windows Store signed.
  // 2) MS-signed, Win Store signed, and WHQL signed binaries.
  // Support not added at the moment.
  if (!set_process_mitigation_policy(ProcessSignaturePolicy, &policy,
                                     sizeof(policy)) &&
      ERROR_ACCESS_DENIED != ::GetLastError()) {
    return false;
  }
}
LoadInjectionDriver('TestDriver', nil, 'DemoDriver64.sys');
InjectLibraryW('TestDriver', 'lovenamu64.dll', ALL_SESSIONS, INJECT_SYSTEM_PROCESSES or INJECT_METRO_APPS,
               nil, 'Runtimebroker.exe|svchost.exe|notepad.exe', nil, nil, nil);
InjectLibraryW('TestDriver', 'lovenamu32.dll', ALL_SESSIONS, INJECT_SYSTEM_PROCESSES or INJECT_METRO_APPS,
               nil, 'Runtimebroker.exe|svchost.exe|notepad.exe', nil, nil, nil);
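To find out before injecting whether a module carries the kind of signer the thread says Chrome insists on, here is an added example of my own (not iconic's, madCodeHook's, or Chromium's code) that reads a file's Authenticode signer with Get-AuthenticodeSignature and classifies it against the MicrosoftSignedOnly rule shown in the Chromium snippet. It assumes the WHQL/attestation signer's CN contains "Hardware Compatibility Publisher" and uses a placeholder path; the policy itself is enforced by Windows when the mitigation is set, so this is only a pre-flight check on the file.

```powershell
function Test-MicrosoftSignedOnly {
    param(
        [Parameter(Mandatory = $true)]
        [string]$Path
    )

    $sig = Get-AuthenticodeSignature -FilePath $Path
    if ($sig.Status -ne 'Valid') {
        # Unsigned, tampered, or untrusted chain: cannot satisfy any signer rule.
        return [pscustomobject]@{
            Path    = $Path
            Signer  = $null
            Verdict = "signature status '$($sig.Status)': no valid Authenticode signature"
        }
    }

    # SimpleName yields the certificate CN without hand-parsing the X.500 subject string.
    $cn = $sig.SignerCertificate.GetNameInfo(
        [System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName, $false)

    $verdict = switch -Regex ($cn) {
        '^Microsoft (Windows|Corporation)$' {
            'Microsoft signer: allowed under MicrosoftSignedOnly'; break
        }
        # Assumption: WHQL/attestation-signed modules carry this publisher name; verify on your own build.
        'Hardware Compatibility Publisher' {
            'WHQL/attestation signer: NOT allowed under MicrosoftSignedOnly'; break
        }
        default {
            'third-party signer: NOT allowed under MicrosoftSignedOnly'
        }
    }

    [pscustomobject]@{ Path = $Path; Signer = $cn; Verdict = $verdict }
}

# Placeholder path: point it at the module you intend to load into the target process.
Test-MicrosoftSignedOnly -Path 'C:\path\to\lovenamu64.dll' | Format-List
```

Get-AuthenticodeSignature reports only the primary signature, so a dual-signed file shows just its first signer.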
iconic wrote: ↑Fri Nov 05, 2021 10:38 pm
LoadInjectionDriver('TestDriver', nil, 'DemoDriver64.sys'); .......
Which codes are more recommended?
I have found how to reproduce my issue.
iconic wrote: ↑Tue Nov 16, 2021 11:22 pm
.... we can rule that out after you've tested with C:\Windows\ instead *just a shot in the dark here*
There is no difference between "C:\Windows" and "\Program Files (x86)\".
Also, does your system service load very early with a load order group? That might be another detail that can matter in this case potentially. Maybe you could share the exact params you're using for CreateService() with us please.
--Iconic
BOOL APIENTRY
DllMain( HMODULE hModule, DWORD ul_reason_for_call, LPVOID lpReserved )
{
    WCHAR DebugStr_CurrentProcessName[_MAX_FNAME] = {0,};
    // Get Current Process Name
    // ......
    if(ul_reason_for_call == DLL_PROCESS_ATTACH)
    {
        // Emit the host process name so the injection can be confirmed in a debugger
        OutputDebugStringW( DebugStr_CurrentProcessName );
        return TRUE;
    }
    // Thread attach/detach and process detach: nothing to do
    return TRUE;
}
I can make some guesses about this issue.
We are open to hearing what you believe it might be.
unit uTestMCHInclude;

{$SetPEOptFlags $140} // DEP + ASLR
//{$DEFINE __dbg}

interface

uses
  Winapi.Windows, Vcl.SvcMgr, madCodeHook;

type
  TTestMCHInclude = class(TService)
    procedure ServiceExecute(Sender: TService);
    procedure ServiceStart(Sender: TService; var Started: Boolean);
  private
    { Private declarations }
  public
    function GetServiceController: TServiceController; override;
    { Public declarations }
  end;

var
  TestMCHInclude: TTestMCHInclude;

implementation

{$R *.DFM}
{$O+}

procedure ServiceController(CtrlCode: DWord); stdcall;
begin
  TestMCHInclude.Controller(CtrlCode);
end;

function TTestMCHInclude.GetServiceController: TServiceController;
begin
  result := ServiceController;
end;

procedure TTestMCHInclude.ServiceExecute(Sender: TService);
begin
  while not (Terminated) do
  begin
    ServiceThread.ProcessRequests(False);
    Sleep(5);
  end;
end;

procedure TTestMCHInclude.ServiceStart(Sender: TService; var Started: Boolean);
begin
  EnableAllPrivileges();
  LoadInjectionDriver('TestDriver', nil, 'DemoDriver64.sys');
  InjectLibraryW('TestDriver', 'lovenamu64.dll', ALL_SESSIONS,
    (INJECT_SYSTEM_PROCESSES or INJECT_METRO_APPS),
    'cmd.exe', nil, nil, nil, nil);
end;

end.