MCH3: Chrome and MIXTURE_MODE

EaSy
Posts: 150
Joined: Tue Oct 23, 2012 12:33 pm

MCH3: Chrome and MIXTURE_MODE

Post by EaSy »

Hi,
originally I investigated an issue with Bitdefender and Chrome failing to start while hooking NtOpenProcess or NtCreateFile. Later I realized that Bitdefender does nothing bad. Its hooks are just forcing MCH to use MIXTURE_MODE instead of the default hooking. Once I disabled Bitdefender and set the MIXTURE_MODE flag to force mixture mode, Chrome fails to start again, showing only black tabs. There is definitely a problem in Chrome while using MCH's MIXTURE_MODE.

It looks like everything succeeded, import and export tables are all patched, but somehow Chrome doesn't load properly. What is wrong?
All I know is that the problem is happening in the MAIN Chrome process. Other Chrome child subprocesses seem to be OK with MIXTURE_MODE. :?
Our testing hooks are only using minimal code like return orig(params).
I am using W10 x64, but I think that the OS is not important.
I am using the latest beta version of MCH3 downloaded from viewtopic.php?f=7&t=28273.

I was able to do a workaround using FOLLOW_JMP. It helps to bypass Bitdefender's jmp hooks that cause MIXTURE_MODE to be used. But that is not a permanent solution, or is it? :)

Can you try to look into this? Do you need more info? Thx.

PP
madshi
Site Admin
Posts: 10753
Joined: Sun Mar 21, 2004 5:25 pm

Re: MCH3: Chrome and MIXTURE_MODE

Post by madshi »

I'm actually considering switching to FOLLOW_JMP by default. I've not done that yet because there are some further tweaks planned for FOLLOW_JMP to make it even better than it already is, and I didn't want to replace a solution which seemed to work decently in the past with a new solution which might not have been tested as much yet. But I know that several madCodeHook users are already using FOLLOW_JMP and it works well for them. So IMHO you can simply switch to FOLLOW_JMP and be done with it.

The main problem with FOLLOW_JMP is that you're no longer hooking the target API, but the other hooking library's callback function. Which means that if the other hooking library unhooks, your hooks will not work any longer, either. Other than that, FOLLOW_JMP should work pretty well...
EaSy
Posts: 150
Joined: Tue Oct 23, 2012 12:33 pm

Re: MCH3: Chrome and MIXTURE_MODE

Post by EaSy »

OK,
we will use FOLLOW_JMP in this case.

Do you plan to check why the MIXTURE_MODE breaks chrome startup?

PP
madshi
Site Admin
Posts: 10753
Joined: Sun Mar 21, 2004 5:25 pm

Re: MCH3: Chrome and MIXTURE_MODE

Post by madshi »

I'm not sure if I need to, because MIXTURE_MODE will probably be disabled in the near future.
EaSy
Posts: 150
Joined: Tue Oct 23, 2012 12:33 pm

Re: MCH3: Chrome and MIXTURE_MODE

Post by EaSy »

Hi, I'd like to reopen this issue, because Bitdefender guys changed their hooks.

Lines with * are Bitdefender's code.

0:009> u ntdll!ntopenprocess
ntdll!NtOpenProcess:
*00007ff8`8ee46580 48b85c060597f77f0000 mov rax,7FF79705065Ch
*00007ff8`8ee4658a 50              push    rax
*00007ff8`8ee4658b c3              ret
00007ff8`8ee4658c 03fe            add     edi,esi
00007ff8`8ee4658e 7f01            jg      ntdll!NtOpenProcess+0x11 (00007ff8`8ee46591)
00007ff8`8ee46590 7503            jne     ntdll!NtOpenProcess+0x15 (00007ff8`8ee46595)
00007ff8`8ee46592 0f05            syscall
00007ff8`8ee46594 c3              ret

0:009> u 7FF79705065Ch
*00007ff7`9705065c 48b800000497f77f0000 mov rax,7FF797040000h
*00007ff7`97050666 50              push    rax
*00007ff7`97050667 48b890100697f77f0000 mov rax,7FF797061090h
*00007ff7`97050671 c3              ret
00007ff7`97050672 4c8bd1          mov     r10,rcx
00007ff7`97050675 b845000000      mov     eax,45h
00007ff7`9705067a f604250803fe7f01 test    byte ptr [SharedUserData+0x308 (00000000`7ffe0308)],1
00007ff7`97050682 50              push    rax

0:009> u 7FF797040000h
*00007ff7`97040000 4156            push    r14
*00007ff7`97040002 55              push    rbp
*00007ff7`97040003 4881ec08010000  sub     rsp,108h
*00007ff7`9704000a 4c89442470      mov     qword ptr [rsp+70h],r8
*00007ff7`9704000f 4c894c2478      mov     qword ptr [rsp+78h],r9
*00007ff7`97040014 4c89942480000000 mov     qword ptr [rsp+80h],r10
*00007ff7`9704001c 4c899c2488000000 mov     qword ptr [rsp+88h],r11
*00007ff7`97040024 4c89a42490000000 mov     qword ptr [rsp+90h],r12
...
Your FOLLOW_JMP doesn't handle this code:

mov rax,7FF79705065Ch
push    rax
ret

MIXTURE_MODE is used instead of the normal mode and Chrome crashes again...

Any idea how to make FOLLOW_JMP work again?
Writing my own follow-jmp routine for this case comes to mind, but maybe you will want to improve your default routine to handle this case.

Thx.

PP
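The redirect chain in the listing above is a good illustration of what a "follow jmp" routine has to recognise before a hooking library can decide whether it is looking at the real API body or at another product's hook. The example below is added here and is not madCodeHook or Bitdefender code; it reconstructs the three code regions from the WinDbg output (addresses and bytes copied from the listing, laid out as a constructed in-memory map rather than a live process) and walks the redirects the way an auditor would when checking which hooks are installed on a syscall stub. It decodes the classic `jmp rel32` and the `mov rax,imm64 / push rax / ret` form, including the variant with a second `mov rax,imm64` between `push` and `ret`, which reloads rax for the handler but leaves the pushed return address, and therefore the jump target, unchanged. The `map_code`, `decode_redirect` and `follow_redirects` names are hypothetical.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Constructed memory map: code regions at the addresses shown in the post's
 * WinDbg listing.  Added example, not madCodeHook or Bitdefender code. */
typedef struct {
    uint64_t       base;
    const uint8_t *bytes;
    size_t         len;
} code_region_t;

static const uint8_t stub_ntopenprocess[] = {            /* ntdll!NtOpenProcess */
    0x48, 0xB8, 0x5C, 0x06, 0x05, 0x97, 0xF7, 0x7F, 0x00, 0x00, /* mov rax,7FF79705065Ch */
    0x50,                                                       /* push rax              */
    0xC3,                                                       /* ret                   */
    0x03, 0xFE, 0x7F, 0x01, 0x75, 0x03,                         /* torn original bytes   */
    0x0F, 0x05,                                                 /* syscall               */
    0xC3                                                        /* ret                   */
};

static const uint8_t stub_first_hop[] = {                /* 00007ff7`9705065c */
    0x48, 0xB8, 0x00, 0x00, 0x04, 0x97, 0xF7, 0x7F, 0x00, 0x00, /* mov rax,7FF797040000h */
    0x50,                                                       /* push rax              */
    0x48, 0xB8, 0x90, 0x10, 0x06, 0x97, 0xF7, 0x7F, 0x00, 0x00, /* mov rax,7FF797061090h */
    0xC3,                                                       /* ret                   */
    0x4C, 0x8B, 0xD1,                                           /* mov r10,rcx           */
    0xB8, 0x45, 0x00, 0x00, 0x00                                /* mov eax,45h           */
};

static const uint8_t stub_handler[] = {                  /* 00007ff7`97040000 */
    0x41, 0x56,                                                 /* push r14              */
    0x55,                                                       /* push rbp              */
    0x48, 0x81, 0xEC, 0x08, 0x01, 0x00, 0x00                    /* sub rsp,108h          */
};

static const code_region_t regions[] = {
    { 0x00007ff88ee46580ULL, stub_ntopenprocess, sizeof stub_ntopenprocess },
    { 0x00007ff79705065cULL, stub_first_hop,     sizeof stub_first_hop },
    { 0x00007ff797040000ULL, stub_handler,       sizeof stub_handler },
};

/* Return the bytes "mapped" at addr and how many are readable, or NULL. */
static const uint8_t *map_code(uint64_t addr, size_t *avail)
{
    for (size_t i = 0; i < sizeof regions / sizeof regions[0]; i++) {
        if (addr >= regions[i].base && addr < regions[i].base + regions[i].len) {
            size_t off = (size_t)(addr - regions[i].base);
            *avail = regions[i].len - off;
            return regions[i].bytes + off;
        }
    }
    return NULL;
}

static uint32_t read_le32(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

static uint64_t read_le64(const uint8_t *p)
{
    return (uint64_t)read_le32(p) | ((uint64_t)read_le32(p + 4) << 32);
}

/* Decode one redirect at addr.  Recognises
 *   E9 rel32                                 jmp rel32
 *   48 B8 imm64 ; 50 ; [48 B8 imm64 ;] C3    mov rax,imm ; push rax ; [mov rax,imm ;] ret
 * Returns 1 and stores the destination in *target, 0 if the bytes are not a redirect. */
int decode_redirect(uint64_t addr, const uint8_t *code, size_t len, uint64_t *target)
{
    if (len >= 5 && code[0] == 0xE9) {
        int32_t rel = (int32_t)read_le32(code + 1);
        *target = addr + 5 + (uint64_t)(int64_t)rel;   /* relative to next instruction */
        return 1;
    }
    if (len >= 12 && code[0] == 0x48 && code[1] == 0xB8 && code[10] == 0x50) {
        uint64_t pushed = read_le64(code + 2);         /* the value ret will pop */
        size_t i = 11;
        /* Optional second mov rax,imm64: rax is reloaded for the handler,
         * the pushed return address is untouched. */
        if (len >= i + 10 && code[i] == 0x48 && code[i + 1] == 0xB8)
            i += 10;
        if (i < len && code[i] == 0xC3) {
            *target = pushed;
            return 1;
        }
    }
    return 0;
}

/* Walk redirects starting at addr, at most max_hops times.  Returns the first
 * address whose bytes are not a redirect (the code that really runs) and
 * reports how many hops were taken. */
uint64_t follow_redirects(uint64_t addr, int max_hops, int *hops)
{
    int n = 0;
    while (n < max_hops) {
        size_t avail;
        const uint8_t *code = map_code(addr, &avail);
        uint64_t next;
        if (code == NULL || !decode_redirect(addr, code, avail, &next))
            break;
        addr = next;
        n++;
    }
    if (hops) *hops = n;
    return addr;
}

int main(void)
{
    int hops;
    uint64_t end = follow_redirects(0x00007ff88ee46580ULL, 8, &hops);
    printf("NtOpenProcess resolves to %016llx after %d hop(s)\n",
           (unsigned long long)end, hops);
    return 0;
}
```

Two hops resolve the stub to the handler at 7FF797040000h, which is the function a FOLLOW_JMP-style hook would have to attach to (and, as noted earlier in the thread, the function that stops being reachable if the other product unhooks). A hop limit is essential: a routine without one loops forever on a stub that redirects to itself.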
madshi
Site Admin
Posts: 10753
Joined: Sun Mar 21, 2004 5:25 pm

Re: MCH3: Chrome and MIXTURE_MODE

Post by madshi »

I suppose this only applies to x64? No changes needed for 32bit?
EaSy
Posts: 150
Joined: Tue Oct 23, 2012 12:33 pm

Re: MCH3: Chrome and MIXTURE_MODE

Post by EaSy »

Hi,
I believe it is only 64-bit related. I haven't seen any problems related to 32-bit code yet.

PP
madshi
Site Admin
Posts: 10753
Joined: Sun Mar 21, 2004 5:25 pm

Re: MCH3: Chrome and MIXTURE_MODE

Post by madshi »

This build should fix it:

http://madshi.net/madCollectionBeta.exe (installer 2.8.2.2)

Can you confirm? I don't have Bitdefender installed, so I couldn't verify if the fix works, but I think it should.
EaSy
Posts: 150
Joined: Tue Oct 23, 2012 12:33 pm

Re: MCH3: Chrome and MIXTURE_MODE

Post by EaSy »

It works. Thx.

PP
madshi
Site Admin
Posts: 10753
Joined: Sun Mar 21, 2004 5:25 pm

Re: MCH3: Chrome and MIXTURE_MODE

Post by madshi »

Thanks for the quick test/feedback.