wbenny / injdrv

proof-of-concept Windows Driver for injecting DLL into user-mode processes using APC


Issue after hooking MicrosoftEdgeCP.exe

sarathy365 opened this issue · comments

Running InjDrv successfully hooks all processes once it's loaded.

But after injection into MicrosoftEdgeCP.exe the Edge browser stalls, and errors are thrown in the Event Logs. [After loading the driver, close all Edge browser windows and open a new Edge browser window.]

My Scenario:
I want to know all the processes that are opened and want to elegate/delegate some processes specifically. InjDrv satisfies the need and it works perfectly, except that it stalls the MicrosoftEdge browser. I have tried modifying forceUserAPC but it is still not working.

Kindly show the way to overcome it.

Hi, unfortunately, I couldn't reproduce your issue. Could you provide more details? Crash dump, your source code changes, PDBs...

Also, could you please verify if the problem persists with the current master branch? I've pushed a fix that resolved #7 and maybe it resolved this issue as well.

InjDrv.zip

Tried again with the latest source. Issue persists.
Attached the event logs and crash dumps.

Test Machine Detail:
Microsoft Windows Version 1703 (OS Build 15063.1387)
Microsoft Edge 40.15063.674.0

Sorry for the delayed answer. The reason is that Edge uses ProcessDynamicCodePolicy, which prevents injdrv from allocating new executable memory. This is a known limitation. I should probably extend this section to make it explicit: https://github.com/wbenny/injdrv#protected-processes
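As an added diagnostic (not part of injdrv or of this thread), the following script checks the runtime dynamic-code mitigation of the Edge processes named in this issue, so a reader can confirm the explanation above on their own machine before debugging further. It assumes Windows 10 1709 or later with the built-in ProcessMitigations module (Get-ProcessMitigation) and its DynamicCode.BlockDynamicCode / AllowThreadsToOptOut properties; the process-name list is a constructed filter.

```powershell
# Added example, not injdrv project code.
# Reports whether each running Edge-related process enforces the
# ProcessDynamicCodePolicy mitigation (blocks new executable memory).
function Get-DynamicCodeStatus {
    param(
        # Constructed filter: the process names mentioned in this issue.
        [string[]]$Names = @('MicrosoftEdge', 'MicrosoftEdgeCP', 'browser_broker')
    )
    foreach ($proc in Get-Process -Name $Names -ErrorAction SilentlyContinue) {
        try {
            # -Id queries the live process policy, not the system-wide default
            # that Get-ProcessMitigation -Name would return.
            $m = Get-ProcessMitigation -Id $proc.Id -ErrorAction Stop
            [pscustomobject]@{
                Name              = $proc.ProcessName
                Pid               = $proc.Id
                BlockDynamicCode  = $m.DynamicCode.BlockDynamicCode
                AllowThreadOptOut = $m.DynamicCode.AllowThreadsToOptOut
            }
        } catch {
            # Protected or otherwise inaccessible processes cannot be opened
            # from user mode; record that instead of aborting the whole scan.
            [pscustomobject]@{
                Name              = $proc.ProcessName
                Pid               = $proc.Id
                BlockDynamicCode  = '<unavailable>'
                AllowThreadOptOut = $_.Exception.Message
            }
        }
    }
}

# Run from an elevated PowerShell session so that all instances can be queried.
Get-DynamicCodeStatus | Format-Table -AutoSize
```

A process whose BlockDynamicCode column reads ON is one in which any injector that relies on allocating fresh executable pages will fail, which is the behaviour described in the answer above.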

Hi,

I'm using a similar injection technique and also have encountered the same exception code 0xc0000409 (Security check failure or stack buffer overrun).

The affected processes were all related to Microsoft Edge (specifically browser_broker.exe, MicrosoftEdgeCP.exe and MicrosoftEdge.exe).

@wbenny, perhaps you can confirm that all those should be identified using the PsIsProtectedProcess method?

Perhaps there's a way to check if a process is protected from the PEB or something from WinDbg?

And one last insight: it looks like the problem occurs in MicrosoftEdge version 44.18362.1.0 from 2019 but not in version 42.17134.1.0 from 2018... Do you know if there was any change of behaviour between those 2 versions?

Thanks!