Edge Code Injection

c++ / delphi package - dll injection and api hooking

Post by DSp_nrg »

Hi all,

I've built software which hooks WinInet in Microsoft Edge using madCodeHook. This worked fine until the new Windows 10 update, where it seems like Edge won't accept any third party DLLs anymore. I've found this blog post regarding the issue:
http://blogs.windows.com/msedgedev/2015 ... integrity/

They describe that:

Starting with EdgeHTML 13, Microsoft Edge defends the user’s browsing experience by blocking injection of DLLs into the browser unless they are Windows components or signed device drivers. DLLs that are either Microsoft-signed, or WHQL-signed, will be allowed to load, and all others will be blocked. “Microsoft-signed” allows for Edge components, Windows components, and other Microsoft-supplied features to be loaded. WHQL (Windows Hardware Quality Lab) signed DLLs are device drivers for things like the webcam, some of which need to run in-process in Edge to work.

I've had a deeper look at what's happening. I noticed that my DLL stays loaded in the main process MicrosoftEdge.exe but not in the renderer processes MicrosoftEdgeCP.exe.
When loading the module in the renderer process I notice this:

Code:

ModLoad: 754f0000 7551f000   C:\WINDOWS\system32\IMM32.DLL
inetcore\lib\codeintegrity\edgecipolicy.cxx(363)\MicrosoftEdgeCP.exe!00C44766: (caller: 00C43DD1) FailFast(1) tid(1078) 8000FFFF Schwerwiegender Fehler
(7e8.1078): Security check failure or stack buffer overrun - code c0000409 (!!! second chance !!!)
*** ERROR: Module load completed but symbols could not be loaded for MicrosoftEdgeCP.exe
eax=00000001 ebx=00c44700 ecx=00000007 edx=00000000 esi=00000004 edi=00000000
eip=00c45977 esp=0014e680 ebp=0014fb50 iopl=0         nv up ei pl zr na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000246
MicrosoftEdgeCP+0x5977:
00c45977 cd29            int     29h
0:000> g
WARNING: Continuing a non-continuable exception
>>>>>>> ModLoad: 64950000 649b7000  C:\Program Files\MyPath\MyDLL.dll <<<<<<<<<<<<
ModLoad: 753e0000 75472000   C:\WINDOWS\system32\OLEAUT32.dll
ModLoad: 73dd0000 73df8000   C:\WINDOWS\SYSTEM32\ntmarta.dll
(7e8.1078): Security check failure or stack buffer overrun - code c0000409 (!!! second chance !!!)
eax=00000001 ebx=00c44700 ecx=00000007 edx=00000000 esi=00000004 edi=00000000
eip=00c45977 esp=0014e680 ebp=0014fb50 iopl=0         nv up ei pl zr na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000246
MicrosoftEdgeCP+0x5977:
00c45977 cd29            int     29h
(I've marked my DLL with >>>> <<<<< )

It seems like the codeintegrity check refuses MyDLL.
  • Do you see any possibility to get a DLL injected with the new changes in Edge?
  • Do you have any idea what I could try to get it injected?
  • Would it be an option to get the DLL WHQL signed? They mention that WHQL signed binaries will still be accepted, but I have no experience with WHQL.
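
A triage sketch for debugger output like the log above, added here as an example and not part of the original post: it lists modules loaded from outside the Windows directory and checks whether a fast-fail (c0000409) was reported from a code-integrity source file. The function names, the `C:\WINDOWS` system root and the embedded log (constructed from lines quoted in the post) are assumptions.

```python
import re

# Constructed sample, modelled on the debugger output quoted in the post above.
SAMPLE_LOG = r"""ModLoad: 754f0000 7551f000   C:\WINDOWS\system32\IMM32.DLL
inetcore\lib\codeintegrity\edgecipolicy.cxx(363)\MicrosoftEdgeCP.exe!00C44766: (caller: 00C43DD1) FailFast(1) tid(1078) 8000FFFF
(7e8.1078): Security check failure or stack buffer overrun - code c0000409 (!!! second chance !!!)
>>>>>>> ModLoad: 64950000 649b7000  C:\Program Files\MyPath\MyDLL.dll <<<<<<<<<<<<
ModLoad: 753e0000 75472000   C:\WINDOWS\system32\OLEAUT32.dll
(7e8.1078): Security check failure or stack buffer overrun - code c0000409 (!!! second chance !!!)
"""

FAST_FAIL = "c0000409"  # STATUS_STACK_BUFFER_OVERRUN, the code raised by int 29h (__fastfail)
MODLOAD = re.compile(r"^(?:>+\s*)?ModLoad:\s+[0-9a-f]+\s+[0-9a-f]+\s+(?P<path>.+?)(?:\s*<+)?$", re.I)
FAILFAST = re.compile(r"^(?P<src>.+?)\((?P<line>\d+)\)\\(?P<image>[^!\\]+)!.*\bFailFast\(")
EXCEPTION = re.compile(r"^\([0-9a-f]+\.[0-9a-f]+\):.*\bcode (?P<code>[0-9a-f]{8})\b", re.I)


def triage(log, system_root="C:\\WINDOWS"):
    """Collect non-system module loads, FailFast call sites and fast-fail exceptions."""
    report = {"foreign_modules": [], "failfast_sites": [], "fast_fail_exceptions": 0}
    prefix = system_root.lower().rstrip("\\") + "\\"
    for raw in log.splitlines():
        line = raw.strip()
        m = MODLOAD.match(line)
        if m:
            # Hand-added >>>> <<<< markers around a line are tolerated by the regex.
            if not m.group("path").lower().startswith(prefix):
                report["foreign_modules"].append(m.group("path"))
            continue
        m = FAILFAST.match(line)
        if m:
            report["failfast_sites"].append(
                (m.group("src"), int(m.group("line")), m.group("image")))
            continue
        m = EXCEPTION.match(line)
        if m and m.group("code").lower() == FAST_FAIL:
            report["fast_fail_exceptions"] += 1
    return report


def ci_block_suspected(report):
    """Heuristic correlation only: the log does not name the module that was rejected."""
    return (report["fast_fail_exceptions"] > 0
            and bool(report["foreign_modules"])
            and any("codeintegrity" in src.lower() for src, _, _ in report["failfast_sites"]))


if __name__ == "__main__":
    print(triage(SAMPLE_LOG), ci_block_suspected(triage(SAMPLE_LOG)))
```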

Post by madshi »

Does injection even fail if you start injection first, before starting Edge? Usually this way around it works. But I suppose it's possible that they now block that, too.

Trying to use WHQL signing might be a workaround, but I'm not sure if you can do that for a hook dll. It might only be allowed for real hardware driver dlls. But I've zero knowledge about WHQL, so I can't say for sure.

One more option would be to not "officially" inject the dll, but to manually map it into the process by replicating all the things that a DLL load would do, without using the OS dll loader routines. That sounds very fishy, though, so I'm not sure if that's a good idea.

Post by Absolute_Zero »

Using MCH driver injection, Edge *seems* to start okay... however no page is displayed and after ~20 seconds it terminates.

Using CreateProcessEx from user-land, Edge never appears.

Post by DSp_nrg »

The injection is started on system start. I'm already using the driver injection and as mentioned before it worked fine until the new patch was released (Build 10547).

@madshi:
* I also think that WHQL won't sign the injected DLL. I just hoped someone already tried it.
* I think manual implementation of the injection would be overkill. Also I think I'm missing the experience on that level for a stable implementation.

Post by Absolute_Zero »

I tried with a do-nothing dll injected by the MCH driver, just InitializeMadCHook, return TRUE on DLL_PROCESS_ATTACH

According to Proc Explorer, the injection dll is loaded okay... and Edge is functional. So I'm thinking something else/additional is going on with the latest Edge.

Post by DSp_nrg »

Hey Absolute_Zero,

could you please add more information about your test system? Win10 BuildNumber, Edge Version and Architecture of your system? So I'm able to verify on my side whether there are different behaviors possible?

Post by Absolute_Zero »

Windows 10 Pro - 64-bit
ver 10.0.10586

Microsoft Edge 25.10586.0.0
Microsoft EdgeHTML 13.10586

I sign my injection dll's using the same cert as the driver... that *might* be a factor.

N.B. if you want to try that, don't forget to sign the injection dll's *before* using madconfigdrv to prep the driver for signing.

Post by DSp_nrg »

Hi,

I'm working with the exact same version numbers except I'm using the 32-bit version. Maybe this makes a difference, will validate that and post my results.

I'm also signing the DLLs with the same certificate as the driver, just without Cross-Certificate.

Absolute_Zero wrote: don't forget to sign the injection dll's *before* using madconfigdrv to prep the driver for signing.

Already implemented like that.

Post by Absolute_Zero »

Mine are cross-signed IIRC... also folder permission "ALL APPLICATION PACKAGES" is set on the dll's

Post by DSp_nrg »

Will try that.

"ALL APPLICATION PACKAGES" is already set.

Post by madshi »

Absolute_Zero wrote:
I tried with a do-nothing dll injected by the MCH driver, just InitializeMadCHook, return TRUE on DLL_PROCESS_ATTACH

According to Proc Explorer, the injection dll is loaded okay... and Edge is functional. So I'm thinking something else/additional is going on with the latest Edge.

1) What happens if you link in madCodeHook, but without calling any madCodeHook APIs?
2) What happens if you call InitializeMadCHook() + FinalizeMadCHook(), but make no actual HookAPI() calls?
3) What happens if you try to run the PrintMonitor demo before starting Edge?

http://madshi.net/PrintMonitor.zip

Plan to install Windows 10 on my development PC later this week. For now debugging this kind of problem is a bit cumbersome (VM and stuff).

Post by Absolute_Zero »

#1 no problems, Edge starts
#2 problem with or without HookAPI

So I started commenting out the code related to DLL_PROCESS_ATTACH... the problem remained until I commented out...

Code:

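	// Fragment from the DLL_PROCESS_ATTACH path; needs <sddl.h> and <aclapi.h>.
	// Create (or open) the named global file mapping via madCodeHook.
	g_hMapFile = CreateGlobalFileMapping(g_szIpcName, sizeof(MY_DAT));
	
	if (g_hMapFile == NULL)
		return FALSE;

	// Only the process that actually created the mapping sets its label.
	if (GetLastError() != ERROR_ALREADY_EXISTS)
	{
		PSECURITY_DESCRIPTOR pSD			= NULL;
		PACL				 pSacl			= NULL;
		BOOL				 fSaclPresent	= FALSE;
		BOOL				 fSaclDefaulted = FALSE;

		// SDDL: SACL with a mandatory label ACE, no-write-up, low integrity level.
		if (ConvertStringSecurityDescriptorToSecurityDescriptor(L"S:(ML;;NW;;;LW)", SDDL_REVISION_1, &pSD, NULL))
		{
			// Apply that label to the named kernel object.
			if (GetSecurityDescriptorSacl(pSD, &fSaclPresent, &pSacl, &fSaclDefaulted))
				SetNamedSecurityInfoA(g_szIpcName, SE_KERNEL_OBJECT, LABEL_SECURITY_INFORMATION, NULL, NULL, NULL, pSacl);

			LocalFree(pSD);
		}
	}

	// Map the shared data block into this process.
	g_pDat = (LPVDM_DAT) MapViewOfFile(g_hMapFile, FILE_MAP_ALL_ACCESS, 0, 0, sizeof(MY_DAT));

	if (g_pDat == NULL)
		return FALSE;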

Post by madshi »

Is that my code or yours? It doesn't look familiar to me, but I'm not sure.

For testing #2, did you use the #1 project files and just add InitializeMadCHook() + FinalizeMadCHook() calls? Or did you take your full DLL project and comment out all the HookAPI() calls?

Post by Absolute_Zero »

My code... I took the full DLL project and commented out all of the HookAPI calls... to no avail, Edge wouldn't start. When I then commented out the CreateGlobalFileMapping [madCHook] and related [MapViewOfFile] calls, Edge started okay.

Post by madshi »

Ok, so what happens if you leave this code commented out but put the HookAPI calls back in? Also it would be interesting to test that PrintMonitor demo I mentioned earlier.