Hi,
I'm using a driver that injects code into user-space processes using APC. My injection function first calls ntdll!LdrLoadDll to load my DLL into the target process.
The target process is OfficeHubTaskHost.exe, and it seems unprotected, so altering the process memory is allowed.
// getting process _EPROCESS addr
1: kd> !process
PROCESS ffffaf0431d3e080
    SessionId: 1  Cid: 12cc    Peb: 8a0632e000  ParentCid: 02e4
    DirBase: 50e10002  ObjectTable: ffffc18dfcf992c0  HandleCount: 564.
    Image: OfficeHubTaskHost.exe

// using _EPROCESS addr to get protection status
1: kd> dt _EPROCESS ffffaf0431d3e080
ntdll!_EPROCESS
   +0x000 Pcb              : _KPROCESS
   ...
   +0x6ca Protection       : _PS_PROTECTION

// parsing protection status using the offset from previous stage (0x6ca + ffffaf0431d3e080):
(*((ntdll!_PS_PROTECTION *)0xffffaf0431d3e74a))                 [Type: _PS_PROTECTION]
    [+0x000] Level            : 0x0 [Type: unsigned char]
    [+0x000 ( 2: 0)] Type     : 0x0 [Type: unsigned char]
    [+0x000 ( 3: 3)] Audit    : 0x0 [Type: unsigned char]
    [+0x000 ( 7: 4)] Signer   : 0x0 [Type: unsigned char]
// seems unprotected, right?

However, while trying to load my DLL for injection, I get an exception in WinDbg with the following explanation:

******************************************************************
* This break indicates this binary is not signed correctly: \Device\HarddiskVolume3\Program Files\myinject.dll
* and does not meet the system policy.
* The binary was attempted to be loaded in the process: \Device\HarddiskVolume3\Program Files\WindowsApps\Microsoft.MicrosoftOfficeHub_17.10314.31700.1000_x64__8wekyb3d8bbwe\Office16\OfficeHubTaskHost.exe
* This is not a failure in CI, but a problem with the failing binary.
* Please contact the binary owner for getting the binary correctly signed.
******************************************************************
Perhaps I'm not checking the protection status correctly? Maybe the signature enforcement doesn't relate to process protection?
Any idea why this is happening?
Thanks,
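Added example, not code from the original post and not Microsoft's: a small C decoder for the _PS_PROTECTION byte that the `dt _EPROCESS` output above shows at +0x6ca. It uses the bit layout WinDbg printed (Type bits 2:0, Audit bit 3, Signer bits 7:4) and the names from the PS_PROTECTED_TYPE / PS_PROTECTED_SIGNER enumerations in the WDK headers. The 0x00 value is the one from the post; the other sample bytes are constructed. Because the +0x6ca offset is build-specific, the code takes the already-read byte rather than an _EPROCESS pointer, which is how you would use it when reading this field from a debugger or a memory dump. It also makes the distinction the post asks about concrete: Level 0x00 only says the process is not PP/PPL; Code Integrity's image signing policy, and a process's own binary signature mitigation policy (ProcessSignaturePolicy, e.g. Microsoft-signed-only), are enforced independently of this field, so an unprotected process can still refuse to load an unsigned DLL.

```c
/* Added example (not from the original post): decode a _PS_PROTECTION byte.
 * Bit layout as printed by WinDbg in the post:
 *   Type   = bits 2:0   (PS_PROTECTED_TYPE)
 *   Audit  = bit  3
 *   Signer = bits 7:4   (PS_PROTECTED_SIGNER)
 */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

typedef struct {
    uint8_t type;   /* 0 = None, 1 = ProtectedLight (PPL), 2 = Protected (PP) */
    uint8_t audit;  /* 1 = audit-only enforcement */
    uint8_t signer; /* see ps_signer_name() */
} ps_protection_t;

ps_protection_t decode_ps_protection(uint8_t level)
{
    ps_protection_t p;
    p.type   = (uint8_t)( level       & 0x07);
    p.audit  = (uint8_t)((level >> 3) & 0x01);
    p.signer = (uint8_t)((level >> 4) & 0x0F);
    return p;
}

const char *ps_type_name(uint8_t type)
{
    static const char *names[] = { "None", "ProtectedLight", "Protected" };
    return type < 3 ? names[type] : "Unknown";
}

const char *ps_signer_name(uint8_t signer)
{
    /* PS_PROTECTED_SIGNER values as defined in the WDK headers. */
    static const char *names[] = {
        "None", "Authenticode", "CodeGen", "Antimalware", "Lsa",
        "Windows", "WinTcb", "WinSystem", "App"
    };
    return signer < 9 ? names[signer] : "Unknown";
}

/* A process is PP/PPL only when Type is non-zero. Level 0x00, as in the
 * post, means no process-level protection at all; it says nothing about
 * Code Integrity or per-process signature mitigation policy. */
int is_protected_process(uint8_t level)
{
    return decode_ps_protection(level).type != 0;
}

/* Writes a one-line description into buf; returns snprintf's result. */
int describe_ps_protection(uint8_t level, char *buf, size_t buflen)
{
    ps_protection_t p = decode_ps_protection(level);
    return snprintf(buf, buflen, "Level=0x%02x Type=%s Audit=%u Signer=%s",
                    level, ps_type_name(p.type), p.audit,
                    ps_signer_name(p.signer));
}

int main(void)
{
    /* 0x00 is the value from the post. The rest are constructed samples:
     * 0x61 = PPL signed by WinTcb, 0x72 = PP signed by WinSystem,
     * 0x31 = PPL signed by Antimalware, 0x39 = the same with Audit set. */
    const uint8_t samples[] = { 0x00, 0x61, 0x72, 0x31, 0x39 };
    char line[96];
    for (size_t i = 0; i < sizeof samples; i++) {
        describe_ps_protection(samples[i], line, sizeof line);
        printf("%s  -> %s\n", line,
               is_protected_process(samples[i]) ? "PROTECTED" : "not protected");
    }
    return 0;
}
```

Compile with any C99 compiler and run; each sample byte is printed decoded into its three fields, with 0x00 reported as "not protected" exactly as the WinDbg output above implies.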