we are facing an issue with crashing Adobe Reader or MS Teams. The issue is related to NtOpenProcess hook. When our solution (using madCodeHook) and the one from Sentinel One are present in the system and both are injecting Adobe Reader or MS Teams and hooking the API, the processes are crashing.
When we changed the flags for the hook to NO_MIXTURE_MODE | FOLLOW_JMP application worked fine and hook as well.
We have discussed the issue with developers from Sentinel One and got the following information. Could you please look at the info and check if devs from Sentinel One have found some issue in madCodeHook that should be addressed or if there is some other problem on their site?
I will provide the dump from the crashing process asap. Here is the information from Sentinel One:
Thanks a lot!It seems that this is an issue of bad interaction between madhooks library and chromium sandbox.
It seems that under acrobat reader protected mode, acrobat.exe creates a child process acrobat.exe, that runs inside an app container. Looking at acrobat.exe, it seems that it uses a variant of chromium sandbox to run the restricted child process, which adds its own hooks (including a hook on NtOpenProcess).
The issue seems to be that madhooks sees the jmp instruction of S1 hook on NtOpenProcess, and falls back to what they call "mixture mode" in their documentation. As far as i understand, in this mode they hook both the IATs and the export tables. The entry for the function in the export table (NtOpenProcess in our case) is patched with a new value that is right after the end of ntdll image.
The problem is that to create the hook on the child process, chromium sandbox tries to read the first 32 bytes of a function to hook from the child process with ReadProcessMemory. The address that is read from is the pointer for the function from the export table of ntdll in the parent process (which should be identical).
Since the child is created as a suspended process, the patched pointer of the function doesn't exist in the child process (since stguard didn't load yet, so the hook wasn't created). This causes the ReadProcessMemory call to fail, which in turn fails the sandboxed process creation (which eventually causes adobe to display the dialog box).
i don't know why madhooks could not place a hook on NtOpenProcess, and decided to opt for the fallback, but since the S1 hook is a simple jmp instruction, i believe this is an issue is not specific to S1, and will happen with any other vendor that manages to hook a function before madCodeHook, and with any product that happen to use chromium sandbox (i didn't test on ms teams yet, but it is likely it uses chromium sandbox as well).
The relevant functions in chromium sandbox (the code isn't exactly the same as in acrobat.exe, but seems close enough)
PatchNtdll (main/sandbox/win/src/interception.cc 357)
https://github.com/chromium/chromium/bl ... on.cc#L357
PatchClientFunctions (main/sandbox/win/src/interception.cc 423)
https://github.com/chromium/chromium/bl ... on.cc#L423
ResolverThunk::Init main/sandbox/win/src/resolver.cc 18
https://github.com/chromium/chromium/bl ... ver.cc#L18
ServiceResolverThunk::ResolveTarget service_resolver.cc 27
https://github.com/chromium/chromium/bl ... ver.cc#L27
ServiceResolverThunk::IsFunctionAService service_resolver_64.cc 234
https://github.com/chromium/chromium/bl ... 64.cc#L234
Tom Svoboda