Microsoft Edge injection

c++ / delphi package - dll injection and api hooking
tinessnaj
Posts: 2
Joined: Fri Jul 21, 2017 2:46 pm

Microsoft Edge injection

Post by tinessnaj »

Hello,

I'm using madCodeHook (v3.1.16) to inject a hook DLL which intercepts function calls to the "send" and "WSASend" functions of the Windows Sockets 2 API (ws2_32.dll) to do some sort of basic internet filtering, and it always worked well with the common internet browsers. It even worked with Microsoft Edge until Microsoft released the Windows 10 Creators Update. I had to put some effort into getting the injection to work, but it seems like Microsoft Edge doesn't use the mentioned functions anymore. I gave a few API Monitor tools a try to find out which APIs and functions Edge uses, but unlike with madCodeHook, any injection attempts were unsuccessful due to the hardened security that comes with Edge. Do you know if Microsoft replaced these winsock functions with another new API, or am I confronted with another security layer problem? Is there any way to work around this issue?

Thank you very much.
madshi
Site Admin
Posts: 10749
Joined: Sun Mar 21, 2004 5:25 pm

Re: Microsoft Edge injection

Post by madshi »

I'm not sure which exact protection Edge has right now. If it has the "dynamic code" mitigation enabled then installing API hooks should fail completely. Do your HookAPI() calls return true or false?
tinessnaj
Posts: 2
Joined: Fri Jul 21, 2017 2:46 pm

Re: Microsoft Edge injection

Post by tinessnaj »

Thank you for your reply. My HookAPI() calls return true and my hook DLL shows up in Process Explorer. It gets injected to MicrosoftEdge.exe, MicrosoftEdgeCP.exe and browser_broker.exe.
madshi
Site Admin
Posts: 10749
Joined: Sun Mar 21, 2004 5:25 pm

Re: Microsoft Edge injection

Post by madshi »

Does HookAPI() return true in *all* of those 3 processes? It's probably not all processes which are protected by the process mitigation settings. So it will return true in all unprotected processes, but might return false in just the one which is protected (and might be the key process for your hooks to work).

I'm only guessing here, though. It's also possible that the API hooks installed correctly but there could be another reason for the hooks failing to work. E.g. Edge might use undocumented APIs instead of WinSock now to do its internet communication.
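The per-process check madshi suggests can also be made from outside the browser. The following is an added example, not part of the thread or of madCodeHook: it asks Windows for the "dynamic code" mitigation state of each PID given on the command line, using the documented GetProcessMitigationPolicy API. The helper names (classify_dynamic_code, dc_state_name, query_dynamic_code) are hypothetical.

```c
/* Added example: report the "dynamic code" mitigation state of processes by PID. */
#include <stdio.h>
#include <stdlib.h>
#include <stdint.h>
#ifdef _WIN32
#include <windows.h>
#endif

/* Bits of PROCESS_MITIGATION_DYNAMIC_CODE_POLICY.Flags, as laid out in winnt.h. */
#define DCP_PROHIBIT 0x1u /* ProhibitDynamicCode */
#define DCP_AUDIT    0x8u /* AuditProhibitDynamicCode */

typedef enum { DC_OFF, DC_AUDIT_ONLY, DC_ENFORCED } dc_state; /* hypothetical names */

/* Enforcement wins over audit: with ProhibitDynamicCode set the process cannot
   generate new executable code or modify existing executable code. */
dc_state classify_dynamic_code(uint32_t flags)
{
    if (flags & DCP_PROHIBIT) return DC_ENFORCED;
    return (flags & DCP_AUDIT) ? DC_AUDIT_ONLY : DC_OFF;
}

const char *dc_state_name(dc_state s)
{
    return s == DC_ENFORCED ? "enforced" : s == DC_AUDIT_ONLY ? "audit only" : "off";
}

/* Returns 0 and fills *flags, or -1 if the process cannot be opened or queried. */
int query_dynamic_code(unsigned long pid, uint32_t *flags)
{
#ifdef _WIN32
    PROCESS_MITIGATION_DYNAMIC_CODE_POLICY pol = {0};
    HANDLE h = OpenProcess(PROCESS_QUERY_INFORMATION, FALSE, (DWORD)pid);
    if (h == NULL) return -1;
    BOOL ok = GetProcessMitigationPolicy(h, ProcessDynamicCodePolicy, &pol, sizeof pol);
    CloseHandle(h);
    if (ok) *flags = pol.Flags;
    return ok ? 0 : -1;
#else
    (void)pid; (void)flags;
    return -1;                      /* the API exists only on Windows */
#endif
}

int main(int argc, char **argv)
{
    for (int i = 1; i < argc; i++) {            /* one PID per argument */
        unsigned long pid = strtoul(argv[i], NULL, 10);
        uint32_t flags = 0;
        if (query_dynamic_code(pid, &flags) != 0) { printf("%lu: query failed\n", pid); continue; }
        printf("%lu: dynamic code %s\n", pid, dc_state_name(classify_dynamic_code(flags)));
    }
    return 0;
}
```

Pass the PIDs of MicrosoftEdge.exe, MicrosoftEdgeCP.exe and browser_broker.exe as shown in Process Explorer; a "query failed" line means the process could not be opened with the caller's rights.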