Injecting code to non-protected process. getting error loading dll.

Iradicator
Posts: 3
Joined: Wed Mar 13, 2019 9:49 pm

Post by Iradicator » Wed Mar 13, 2019 10:18 pm

Hi,

I'm using a driver that injects code into user-space processes using APC. My injection function first calls ntdll!LdrLoadDll to load my DLL into the target process.
The target process is OfficeHubTaskHost.exe, and it seems unprotected, so altering the process memory is allowed.

Code:

//getting process _EPROCESS addr 
1: kd> !process
PROCESS ffffaf0431d3e080
    SessionId: 1  Cid: 12cc    Peb: 8a0632e000  ParentCid: 02e4
    DirBase: 50e10002  ObjectTable: ffffc18dfcf992c0  HandleCount: 564.
    Image: OfficeHubTaskHost.exe
    
// using _EPROCESS addr to get protection status 
1: kd> dt _EPROCESS ffffaf0431d3e080
ntdll!_EPROCESS
   +0x000 Pcb              : _KPROCESS
   ...
   ..
   .
   +0x6ca Protection       : _PS_PROTECTION

// parsing protection status using the offset from previous stage (0x6ca  + ffffaf0431d3e080) : 
(*((ntdll!_PS_PROTECTION *)0xffffaf0431d3e74a))                 [Type: _PS_PROTECTION]
    [+0x000] Level            : 0x0 [Type: unsigned char]
    [+0x000 ( 2: 0)] Type             : 0x0 [Type: unsigned char]
    [+0x000 ( 3: 3)] Audit            : 0x0 [Type: unsigned char]
    [+0x000 ( 7: 4)] Signer           : 0x0 [Type: unsigned char]

// seems unprotected, right?

However, while trying to load my DLL for injection, I get an exception in WinDbg with the following explanation:

Code:

******************************************************************
* This break indicates this binary is not signed correctly: \Device\HarddiskVolume3\Program Files\myinject.dll
* and does not meet the system policy.
* The binary was attempted to be loaded in the process: \Device\HarddiskVolume3\Program Files\WindowsApps\Microsoft.MicrosoftOfficeHub_17.10314.31700.1000_x64__8wekyb3d8bbwe\Office16\OfficeHubTaskHost.exe
* This is not a failure in CI, but a problem with the failing binary.
* Please contact the binary owner for getting the binary correctly signed.
******************************************************************

Perhaps I'm not checking the protection status correctly? Maybe the signature enforcement doesn't relate to process protection?

Any idea why this is happening?

Thanks,

EP_X0FF
Global Moderator
Posts: 4883
Joined: Sun Mar 07, 2010 5:35 am
Location: Russian Federation

Re: Injecting code to non-protected process. getting error loading dll.

Post by EP_X0FF » Thu Mar 14, 2019 3:16 am

Look at this process's mitigation policies.

ProcessSignaturePolicy
https://docs.microsoft.com/en-us/window ... ion_policy

AFAIR it is in the EPROCESS field MitigationFlagsValues.
Ring0 - the source of inspiration
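
The signature policy named in the reply above is separate from the _PS_PROTECTION level and can be read from user mode with the documented GetProcessMitigationPolicy API. The following is an added example, not code from the thread: the helper names and the sample flag value are assumptions made for illustration, and the live query is compiled only under _WIN32.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Bits of PROCESS_MITIGATION_BINARY_SIGNATURE_POLICY.Flags (winnt.h). */
#define SIG_MICROSOFT_SIGNED_ONLY  0x01u
#define SIG_STORE_SIGNED_ONLY      0x02u
#define SIG_MITIGATION_OPT_IN      0x04u
#define SIG_AUDIT_MICROSOFT_SIGNED 0x08u
#define SIG_AUDIT_STORE_SIGNED     0x10u
#define SIG_ENFORCE_MASK (SIG_MICROSOFT_SIGNED_ONLY | SIG_STORE_SIGNED_ONLY | SIG_MITIGATION_OPT_IN)
#define SIG_AUDIT_MASK   (SIG_AUDIT_MICROSOFT_SIGNED | SIG_AUDIT_STORE_SIGNED)

/* Hypothetical helper: 1 if the loader rejects images without an accepted signature. */
int sig_policy_enforced(uint32_t flags) { return (flags & SIG_ENFORCE_MASK) != 0; }

/* Hypothetical helper: 1 if only audit bits are set, so violations are logged, not blocked. */
int sig_policy_audit_only(uint32_t flags) {
    return !sig_policy_enforced(flags) && (flags & SIG_AUDIT_MASK) != 0;
}

#ifdef _WIN32
#include <windows.h>
/* Read the live policy of a running process; returns 0 on success. */
int query_sig_policy(unsigned long pid, uint32_t *flags) {
    PROCESS_MITIGATION_BINARY_SIGNATURE_POLICY pol = {0};
    BOOL ok;
    HANDLE h = OpenProcess(PROCESS_QUERY_INFORMATION, FALSE, (DWORD)pid);
    if (h == NULL) return -1;
    ok = GetProcessMitigationPolicy(h, ProcessSignaturePolicy, &pol, sizeof(pol));
    CloseHandle(h);
    if (!ok) return -1;
    *flags = pol.Flags;
    return 0;
}
#endif

int main(int argc, char **argv) {
    uint32_t flags = SIG_MICROSOFT_SIGNED_ONLY; /* constructed sample, used when no PID is given */
    (void)argc; (void)argv;
#ifdef _WIN32
    if (argc > 1 && query_sig_policy(strtoul(argv[1], NULL, 10), &flags) != 0) {
        fprintf(stderr, "cannot query process %s\n", argv[1]);
        return 1;
    }
#endif
    printf("flags=0x%02x enforced=%d audit_only=%d\n", (unsigned)flags,
           sig_policy_enforced(flags), sig_policy_audit_only(flags));
    return 0;
}
```

On Windows, pass a PID as the first argument to decode that process's live policy; without an argument the constructed sample value is decoded.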

Iradicator
Posts: 3
Joined: Wed Mar 13, 2019 9:49 pm

Re: Injecting code to non-protected process. getting error loading dll.

Post by Iradicator » Thu Mar 14, 2019 2:28 pm

Yes, that was the reason I couldn't load my library. Thanks.
