Compatibility with Microsoft's new "ProcessDynamicCodePolicy" #39
Comments
|
Update: I've tried that and it didn't work. Even protecting with |
|
From MSDN:
If existing executable code cannot be modified, then we cannot even set a trampoline. So allocating executable memory is a secondary issue here. |
|
The executable code can be modified. In one of my tests, I changed minhook's allocation to I trying to figure out how BlackBone can remotely map modules into processes protected by ProcessDynamicCodePolicy. It can create dynamic executable memory somehow. I use it to inject (manually map) my module, and the module runs without problems, proving that there's a way to execute dynamic code in the process. |
karliwson
changed the title
|
In this case, I believe that reserving some space inside MinHook's code section and using it for the trampolines might work for supporting a fixed amount of hooked functions. For 64-bit, that's not a complete solution, as the code section might be located too far from the hooked function to be supported by a short jump. That's some food for thought. I didn't think about it thoroughly, neither did I look at BlackBone - perhaps they have thought of a more elegant solution. |
|
Seems to be a way. Regarding 64-bit, couldn't we use a |
|
We could, and it would work, but it would require to patch about 10 bytes instead of 5. The result is that short functions won't be supported. It might, or might not, work for you, depending on your needs. |
|
This just came to my mind, 6-byte absolute indirect JMP would work. |
|
FYI this is also a potential security issue on Windows 7+ systems without this policy. Here is a BlackHat presentation covering the issues. |
|
@codypierce That's true, allocating or changing executable memory in processes with that mitigation policy is now completely prohibited (I've tested in MS Edge on Windows 10 1703). It won't be possible to even patch the original function, because we can't change its memory from RX to RWX. Thus, it's not possible to use the indirect jump as @TsudaKageyu suggested. As of now, I've only seen MS Edge (content child processes) and Google Chrome (renderer child processes) using that mitigation policy. |
In
Windows 10Windows 8, Microsoft introduced ProcessDynamicCodePolicy, a new security feature that forbids allocating or protecting dynamically allocated memory withPAGE_EXECUTE_READWRITEor any execution permission. It breaks MinHook, because it allocates virtual memory with that protection.MH_CreateHook()returnsMH_ERROR_MEMORY_ALLOC, and the exact error is:#define STATUS_DYNAMIC_CODE_BLOCKED 0xC0000604Steps to reproduce the error:
Inject something that uses MinHook into Microsoft Edge's content process ( MicrosoftEdgeCP.exe ) or any other process that uses "Dynamic code prohibited" policy.
Here's a screenshot of the process' information:
http://prntscr.com/e3wekq
I'm not familiar with the way MinHook handles memory, but I guess that it could simply allocate memory with
PAGE_READWRITEprotection and set it toPAGE_EXECUTE_READwhen a hook is created using that memory piece.The text was updated successfully, but these errors were encountered: