New protection from dll injection in Google Chrome

c++ / delphi package - dll injection and api hooking
Post Reply
ezh
Posts: 6
Joined: Tue Sep 22, 2015 10:20 am

New protection from dll injection in Google Chrome

Post by ezh »

Few days ago Google release Chrome Canary (v.70) where it implemented some protection from dll injection. They had announce about this feature some time ago - https://blog.chromium.org/2017/11/reduc ... third.html and now finally it is enabled in Chrome Canary and looks like it a month it will be available in public Google Chrome.

Injecting using madCodeHook into this protected Chrome doesn't work anymore, even if Chrome was started with "--no-sandbox" option.

Do you have any ideas what kind of protection they use? Are there any chances to find a workaround?
madshi
Site Admin
Posts: 10339
Joined: Sun Mar 21, 2004 5:25 pm

Re: New protection from dll injection in Google Chrome

Post by madshi »

According to the blog, "Microsoft signed" DLLs will be excluded from the DLL injection blocking. Which means that if you EV sign your hook DLLs and send them in to Microsoft for EV cross signing, injection might still work. Furthermore, there'll soon be a new v4 build which an alternative DLL injection method which *may* work around the DLL injection blocking. I'm not sure, though, I haven't tested it. But I don't really see how Chrome would be able to block the new DLL injection method - unless they install a kernel mode driver - or actually simply detect the DLL injection and exit Chrome out of protest.
ezh
Posts: 6
Joined: Tue Sep 22, 2015 10:20 am

Re: New protection from dll injection in Google Chrome

Post by ezh »

You say we can cross-sign our DLL (not driver, but user-mode DLL) ? Does it work in a similar way to driver cross-signature or there is another workflow?
madshi
Site Admin
Posts: 10339
Joined: Sun Mar 21, 2004 5:25 pm

Re: New protection from dll injection in Google Chrome

Post by madshi »

Well, I haven't actually done it myself (I don't even have an EV certificate, so I can't try), but a customer told me he did that and it allowed him to inject into Edge (or was it IE? I don't remember).
ExPx
Posts: 34
Joined: Fri Oct 21, 2016 3:20 pm

Re: New protection from dll injection in Google Chrome

Post by ExPx »

How can I get detailed information about "sending DLLs to Microsoft for EV cross signing"
madshi
Site Admin
Posts: 10339
Joined: Sun Mar 21, 2004 5:25 pm

Re: New protection from dll injection in Google Chrome

Post by madshi »

I suppose the MS documentation should explain that somehow.

You'll find some more discussion about it here:

viewtopic.php?f=7&t=28050
Post Reply