Hi everyone,
MCH 4 in Windows 10 (Anniversary, with Secure Boot disabled) has the same behavior described in the thread viewtopic.php?f=7&t=28319
If the antivirus (Symantec Endpoint Protection 12.1.16) and Chrome (56.0.2924.87 (Official build) (64 bits)) are present, the FOLLOW_JMP flag resolves the issue of black tabs. The problem is with the uninject method: it leaves some threads injected. I have tried the uninjectcallback with the same results. With WinDbg I can see that DLL_PROCESS_DETACH is not called in these threads...
Can it be the limit of 10 jumps in FOLLOW_JMP?
MCH 4 Chrome & Follow_jmp
Re: MCH 4 Chrome & Follow_jmp
What do you mean with "leaves some threads injected"? Does your hook dll create its own threads? It's not supposed to, see hooking rule 9:
http://help.madshi.net/HookingRules.htm
Re: MCH 4 Chrome & Follow_jmp
As usual, fast like lightning, madshi.
are from Chrome, not mine.
If not running AV, or injecting without FOLLOW_JMP, the uninjection is done correctly.
Re: MCH 4 Chrome & Follow_jmp
I can be fast, and I can be slow, as some of my customers will tell you...
This sounds really complicated. I'm not sure why there's a problem. My best guess right now would be that madCodeHook doesn't manage to get the access rights to uninstall the API hooks when uninjecting the hook dll. That's really bad, though.
Is there any chance you could provide a small(ish) VM for me to download with which I could reproduce the issue?
Re: MCH 4 Chrome & Follow_jmp
I will try to generate one, but it can't be difficulty because it is the environment of a customer. I will send you a PM.
Re: MCH 4 Chrome & Follow_jmp
I think I've disabled PM, but you can email me, of course.