Add support for Microsoft Edge #22
Comments
Yes, Edge is on my list. However, they use process mitigations, so there are problems with the injections. When I have some time, I will look into how to bypass it. |
Could you explain what process mitigations are? |
So Edge uses SetProcessMitigationPolicy with the ProcessDynamicCodePolicy flag to prevent overwriting the executable code (hooking a function by placing a jump). Is this the problem? |
It has some mitigations, but I did not check which of them. I know an article about a bypass and I will look into this as soon as possible. If you have any details about bypasses, can you post the links here?
…________________________________
From: adevelopcr <[email protected]>
Sent: Sunday, July 8, 2018 8:00:21 PM
To: NytroRST/NetRipper
Cc: Ionut Popescu; Comment
Subject: Re: [NytroRST/NetRipper] Add support for Microsoft Edge (#22)
So Edge uses SetProcessMitigationPolicy with the ProcessDynamicCodePolicy flag to prevent overwriting the executable code (hooking a function by placing a jump). Is this the problem?
If it is, then there are multiple ways to bypass this
|
After some search (I still don't understand what this mitigation actually prevents), here is what I came up with:
If this is false and Edge really disables dynamic executable code generation:
3 - you can perform aggressive hooking by hooking CreateProcess in explorer.exe and other running processes to suspend and hook Edge on its early launch, before the protection flag is set
4 - you can use the new injection techniques which don't require writing executable code into the target
I have no access to a computer now, and probably for more than a week, so I couldn't try my injector to inject into Edge |
Very nice, thanks a lot! I also read the Sekoia article some time ago, but I did not know about the other one.
I will check what is possible to do on this topic. It should be possible, as we are already executing code on the target machine. Hopefully, it will be possible from user mode only...
…________________________________
From: adevelopcr <[email protected]>
Sent: 08 July 2018 21:37
To: NytroRST/NetRipper
Cc: Ionut Popescu; Comment
Subject: Re: [NytroRST/NetRipper] Add support for Microsoft Edge (#22)
After some search (I still don't understand what this mitigation actually prevents), here is what I came up with:
1 - firstly, I think you aren't using manual mapping but hooking via LoadLibrary, which will load the DLL, and Edge uses another mitigation which disables loading non-signed DLLs; and Edge doesn't prevent dynamic code generation, as from here:
http://www.sekoia.fr/blog/microsoft-edge-binary-injection-mitigation-overview/
They said that they injected a shellcode successfully into Edge. If this is true, then my injector should already be suitable for injecting DLLs inside Edge
If this is false and Edge really disables dynamic executable code generation:
2 - from here: https://www.unknowncheats.me/forum/playerunknown-s-battlegrounds/245691-allocating-executable-memory-remote-process-ntallocatevirtualmemory.html
The function sets the flag of the protection inside the EPROCESS structure and it can be overwritten with WriteProcessMemory to disable the dynamic code mitigation
3 - you can perform aggressive hooking by hooking CreateProcess in explorer.exe and other running processes to suspend and hook Edge on its early launch, before the protection flag is set
5 - you can use the new injection techniques which don't require writing executable code into the target
I have no access to a computer now, and probably for more than a week, so I couldn't try my injector to inject into Edge
|
Then which function needs to be hooked? |
I'm now sure manual mapping will work, and from this article on the Microsoft blog: |
I think you can also do what I called "aggressive hooking" by hooking CreateProcess in explorer.exe and other running apps one time; the hook will copy itself to every program started by these hooked programs. In case of hooking Edge only, you compare the process name parameter in CreateProcess with the Edge executable name, and once you get it you can use NtSuspendProcess, hook, and finally NtResumeProcess, or simply start the process with CREATE_SUSPENDED (you hooked CreateProcess) and hook your target functions.
What I understood for now is that Edge may be using a protection from the kernel against loading unsigned DLLs, but the protection starts only after setting the mitigation policy with the function mentioned above.
I had to search for the techniques used by malware to bypass this protection, and most of them manually mapped the DLL, but I found one malware which used this method. I think I'll soon create a protector against these attacks, even if the attack was already applied.
The strange thing I noticed is that these attacks have existed for a long time, probably more than 10 years, but the browser companies are only responsible for finding ways to collect more money for themselves. |
I would not like to invest too much time on this. I will just take a look and if I manage to do something, I will update NetRipper. Thank you very much for your support, useful info! |
I'm looking forward to seeing your update |
CNG isn't available for UWP applications |
On my first checks, it looks like this is the issue: https://docs.microsoft.com/en-us/windows/desktop/api/winnt/ns-winnt-_process_mitigation_dynamic_code_policy . I have an idea about how to bypass it. Also, it loads ncrypt.dll, which has SslEncryptPacket/SslDecryptPacket; these are used by Internet Explorer (that's why I think they are also used by Edge) as a layer below WinInet/WinHttp. |
Yes, you are right, see here also: now the injection and hooking must be done before any protection is applied to Microsoft Edge, as the hooking will be impossible after the kernel protects the process. I think early hooking is really my option now |
You can still allocate executable memory in the target process from a process that has a handle for this process and doesn't set the policy. It seems that this function belongs to the caller, so if a process doesn't use it, it can use VirtualAllocEx to allocate executable memory in a remote process. But this isn't a solution, you still can't set hooks |
I will look into them. I will also check this presentation: https://www.slideshare.net/JamesForshaw1/the-joy-of-sandbox-mitigations |
As I said, it depends on the caller, not the target, so my idea is to hook remotely from your process, but how? Otherwise the injector will allocate memory in the target which will fit a suitable structure that will contain the addresses of the functions in the target, and the DLL will write the addresses there (you can pass the address of this area with CreateThread to the loader shell which will load the DLL in the target), and now you can make your hooks remotely |
The solution you came up with is an improvement on my solution (hooking explorer.exe):
1 - create a list using InitializeProcThreadAttributeList; this will return a list which you will fill with your needs
2 - use UpdateProcThreadAttribute to update the list with PROC_THREAD_ATTRIBUTE_MITIGATION_POLICY as dwFlags and PROCESS_CREATION_MITIGATION_POLICY_PROHIBIT_DYNAMIC_CODE_ALWAYS_OFF as the lpValue
3 - use CreateProcess and combine the flags with EXTENDED_STARTUPINFO_PRESENT (you can check if it's already included in the flags), and in the STARTUPINFOEX parameter assign lpAttributeList to the list you created and updated
4 - launch the process without any suspending, as these mitigations can't be changed after the process has started
5 - finally delete the list with DeleteProcThreadAttributeList
You can also update the list multiple times, so that you can even allow loading unsigned DLLs. As you can see, all the work is done in the parent process (explorer.exe or cmd), but the disadvantage of this method is that you can't do anything if Edge is already running, and it's very easy to detect that Edge is hacked. I'll try to implement the methods listed here once I get to the computer |
My idea was to use CreateRemoteThreadEx with lpAttributeList. I am not sure it will work. I was also thinking of something similar to classic DLL injection: instead of writing a DLL name into the target process memory, to write the process mitigation structure. Unfortunately, we can only use one parameter. Your idea should work, sounds good, but it is a bit limited for that reason. I am looking at the James presentation and it looks like this should work: https://docs.microsoft.com/en-us/windows-hardware/drivers/ddi/content/wdm/nf-wdm-zwmapviewofsection The checks, as you mentioned, are done against the calling process - the mitigations are not supposed to protect against DLL injection, but to protect against exploits (e.g. an exploit cannot write and execute code). I will continue looking into this when I have more time and I will update this post. Thanks a lot for your ideas! |
Ah, I forgot: you can do IAT hooking instead of the trampoline. Here you are bypassing the mitigations effectively, as you aren't allocating any executable memory in Microsoft Edge. But be sure you aren't allocating executable memory from your DLL, and don't use LoadLibrary to load an unsigned DLL, as you adapt to the mitigation. All executable memory allocation will be performed from your injector: writing and aligning sections and relocating the DLL. This is my favourite hooking method for the small jobs, especially before I learnt inline hooking. This solution won't work for Chrome, but inline hooking will. And an improvement to my previous solution: you can use named pipes to get the addresses of the functions to hook from the DLL you allocated inside Edge, then hook remotely using inline hooking. I have a method to make the inline hooking thread safe that doesn't require patching and repatching the hooked functions every time they are used, so the program continues running without crashing or losing its functionality |
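The thread argues about whether the dynamic-code and signature policies apply to the caller or the target, but never reads them off a running process. The helper below is added here (it is not NetRipper code nor either commenter's) and queries both policies through the documented GetProcessMitigationPolicy API; it assumes Windows 10 and enough rights to open the process with PROCESS_QUERY_INFORMATION, and the process name MicrosoftEdgeCP in the usage line is taken from the thread.

```powershell
# Added example, not NetRipper code: read the dynamic-code (ACG) and binary-signature
# mitigation policies of a running process via the documented GetProcessMitigationPolicy API.
# Assumes Windows 10+ and enough rights to open the process with PROCESS_QUERY_INFORMATION.
Add-Type -Namespace MitigationCheck -Name Native -MemberDefinition @'
[DllImport("kernel32.dll", SetLastError = true)]
public static extern IntPtr OpenProcess(uint desiredAccess, bool inheritHandle, int processId);
[DllImport("kernel32.dll", SetLastError = true)]
public static extern bool CloseHandle(IntPtr handle);
[DllImport("kernel32.dll", SetLastError = true)]
public static extern bool GetProcessMitigationPolicy(IntPtr handle, int policy, out uint flags, UIntPtr length);
'@

function Get-CodeMitigationStatus {
    param([Parameter(Mandatory)][int]$ProcessId)
    $PROCESS_QUERY_INFORMATION = 0x0400
    $ProcessDynamicCodePolicy  = 2    # PROCESS_MITIGATION_POLICY enum values (winnt.h)
    $ProcessSignaturePolicy    = 8
    $h = [MitigationCheck.Native]::OpenProcess($PROCESS_QUERY_INFORMATION, $false, $ProcessId)
    if ($h -eq [IntPtr]::Zero) {
        throw "OpenProcess($ProcessId) failed, Win32 error $([Runtime.InteropServices.Marshal]::GetLastWin32Error())"
    }
    try {
        # Both policy structures are a single DWORD of bit flags, hence the 4-byte length.
        $dyn = [uint32]0; $sig = [uint32]0
        $ok = [MitigationCheck.Native]::GetProcessMitigationPolicy($h, $ProcessDynamicCodePolicy, [ref]$dyn, [UIntPtr]4)
        $ok = $ok -and [MitigationCheck.Native]::GetProcessMitigationPolicy($h, $ProcessSignaturePolicy, [ref]$sig, [UIntPtr]4)
        if (-not $ok) { throw "GetProcessMitigationPolicy failed for PID $ProcessId" }
        [pscustomobject]@{
            ProcessId            = $ProcessId
            ProhibitDynamicCode  = [bool]($dyn -band 1)   # ACG on: no new executable pages, no W->X changes
            AllowThreadOptOut    = [bool]($dyn -band 2)
            AllowRemoteDowngrade = [bool]($dyn -band 4)   # another process may switch ACG off for this one
            AuditOnlyDynamicCode = [bool]($dyn -band 8)
            MicrosoftSignedOnly  = [bool]($sig -band 1)   # only Microsoft-signed images may be loaded
            StoreSignedOnly      = [bool]($sig -band 2)
        }
    } finally {
        [void][MitigationCheck.Native]::CloseHandle($h)
    }
}

# Usage: report every Edge content process (name taken from the thread). A hardened process is
# expected to show ProhibitDynamicCode = True and AllowRemoteDowngrade = False.
Get-Process -Name MicrosoftEdgeCP -ErrorAction SilentlyContinue |
    ForEach-Object { Get-CodeMitigationStatus -ProcessId $_.Id } |
    Format-Table -AutoSize
```

A process that is expected to be hardened but reports ProhibitDynamicCode as False, or AllowRemoteDowngrade as True, is worth a closer look.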
Yes, sounds good and it should work. I will do some tests.
…________________________________
From: adevelopcr <[email protected]>
Sent: 10 July 2018 01:49
To: NytroRST/NetRipper
Cc: Ionut Popescu; Comment
Subject: Re: [NytroRST/NetRipper] Add support for Microsoft Edge (#22)
Ah, I forgot: you can do IAT hooking instead of the trampoline.
The reloc section, the IAT table, is set to read-only after resolving imports, so you iterate through the import table until you find your target function, then use VirtualProtect to change the protection of PIMAGE_THUNK_DATA->Function to PAGE_READWRITE, then assign the address of your function and finally restore the old protection
This is also suitable for Firefox, as it imports PR_Read and PR_Write from a DLL: it stores the address of the function there and retrieves it every time it's called
Here you are bypassing the mitigations effectively, as you aren't allocating any executable memory in Microsoft Edge. But be sure you aren't allocating executable memory from your DLL, and don't use LoadLibrary to load an unsigned DLL, as you adapt to the mitigation
All executable memory allocation will be performed from your injector: writing and aligning sections and relocating the DLL
Then resolving imports and delayed imports and managing TLS will be performed in the target by the shellcode loader you will execute using CreateRemoteThread
As far as your DLL doesn't depend on an unsigned DLL and doesn't allocate executable memory, then no problems
This is my favourite hooking method for the small jobs, especially before I learnt inline hooking
This solution won't work for Chrome, but inline hooking will
And an improvement to my previous solution: you can use named pipes to get the addresses of the functions to hook from the DLL you allocated inside Edge, then hook remotely using inline hooking. I have a method to make the inline hooking thread safe that doesn't require patching and repatching the hooked functions every time they are used, so the program continues running without crashing or losing its functionality
|
Hi. From the discussion above, I don't understand one thing: doesn't Edge allow only Microsoft- or Microsoft Store-signed DLLs/binaries? How can the CreateRemoteThreadEx/IAT hooking ideas work in this scenario? Sorry for the noob question. |
Hi, I did not manage to work on this at all, but I will start working soon. However, the focus will be on making it work with other software as well, so I am not sure when I will look into this. I am not sure which process mitigations are in place; it might not be possible to do anything, but I will try. I will try to find a way to load and execute arbitrary code in the Edge process memory, but I am not sure how or if it will work. The Windows APIs, such as CreateRemoteThread or ZwMapViewOfSection, should work as expected if the mitigations are not affected. For example, if mitigations allow only trusted DLLs, it might be possible (if mitigations allow) to write a small shellcode into the process. I will let you know when I have an update. Thank you! |
Simply just hook explorer.exe and place the hooks from there on CreateProcess |
Another idea that seems to work is to use Blackbone and hook MicrosoftEdgeCP.exe for SSLDecryptPacket and SSLEncryptPacket with a hwbp/int3 hook. Not sure I understand why interrupts are OK here, though |
Blackbone is a library for manual mapping which I learned a lot from, and darthon helped me a lot to finish my PE loader, but it has many features that aren't needed here, and I prefer to use code that is as small as possible; this will give you better control and the ability to solve the problems. And, you say that you tried hooking via Blackbone successfully. I know that Blackbone has some hooking methods, but I didn't try them before |
I didn't test enough for crashes, but yes, an int3 hook seems to do the job for MicrosoftEdgeCP and the ncrypt.dll exports. |
Yes, the problem isn't in hooking but in creating the trampoline. Hooks can be set remotely or locally with IAT redirection, which doesn't need allocating executable memory. But as you said, int3 hooks don't use trampolines, but they continuously set and remove breakpoints, so they aren't thread safe, and the same method can be used with other hooking techniques. So hooking before the mitigations are set is the best method. |
Hi, I just posted a paper explaining how to disable ACG and hook Edge at: https://blog.sevagas.com:80/?Code-Injection-Disable-Dynamic-Code-Mitigation-ACG |
Can you add support for Microsoft Edge, or tell me the functions to hook to sniff before sending SSL requests and after reading SSL responses?
Hooking the raw sockets won't give readable text, only encrypted