A forum for reverse engineering, OS internals and malware analysis 

 #32684  by Iradicator
 Wed Mar 13, 2019 10:18 pm
Hi,

I'm using a driver that injects code into user-space processes using APCs. My injection function first calls ntdll!LdrLoadDll to load my DLL into the target process.
The target process is OfficeHubTaskHost.exe, and it seems unprotected, so altering the process memory is allowed.
Code:
// getting the process _EPROCESS address
1: kd> !process
PROCESS ffffaf0431d3e080
    SessionId: 1  Cid: 12cc    Peb: 8a0632e000  ParentCid: 02e4
    DirBase: 50e10002  ObjectTable: ffffc18dfcf992c0  HandleCount: 564.
    Image: OfficeHubTaskHost.exe
    
// using the _EPROCESS address to get the protection status
1: kd> dt _EPROCESS ffffaf0431d3e080
ntdll!_EPROCESS
   +0x000 Pcb              : _KPROCESS
   ...
   ..
   .
   +0x6ca Protection       : _PS_PROTECTION

// parsing the protection status using the offset from the previous step (ffffaf0431d3e080 + 0x6ca):
(*((ntdll!_PS_PROTECTION *)0xffffaf0431d3e74a))                 [Type: _PS_PROTECTION]
    [+0x000] Level            : 0x0 [Type: unsigned char]
    [+0x000 ( 2: 0)] Type             : 0x0 [Type: unsigned char]
    [+0x000 ( 3: 3)] Audit            : 0x0 [Type: unsigned char]
    [+0x000 ( 7: 4)] Signer           : 0x0 [Type: unsigned char]

// seems unprotected, right?
However, while trying to load my DLL for injection, I get an exception in WinDbg with the following explanation:
Code:
******************************************************************
* This break indicates this binary is not signed correctly: \Device\HarddiskVolume3\Program Files\myinject.dll
* and does not meet the system policy.
* The binary was attempted to be loaded in the process: \Device\HarddiskVolume3\Program Files\WindowsApps\Microsoft.MicrosoftOfficeHub_17.10314.31700.1000_x64__8wekyb3d8bbwe\Office16\OfficeHubTaskHost.exe
* This is not a failure in CI, but a problem with the failing binary.
* Please contact the binary owner for getting the binary correctly signed.
******************************************************************

Perhaps I'm not checking the protection status correctly? Maybe the signing enforcement doesn't relate to process protection?

Any idea why this is happening?

Thanks,
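A decoder for the _PS_PROTECTION byte the post reads at _EPROCESS+0x6ca, added here as an example (not code from the post); it also parses the Level line out of the WinDbg `dx` output shown above. The bit layout and the Type/Signer values come from the public ntoskrnl symbols; the dictionary names and the sample dump are my own constructions.

```python
import re

# Bit layout of _PS_PROTECTION.Level (from the public ntoskrnl symbols):
# bits 2:0 Type, bit 3 Audit, bits 7:4 Signer.
PS_PROTECTED_TYPE = {0: "None", 1: "ProtectedLight", 2: "Protected"}
PS_PROTECTED_SIGNER = {
    0: "None", 1: "Authenticode", 2: "CodeGen", 3: "Antimalware",
    4: "Lsa", 5: "Windows", 6: "WinTcb", 7: "WinSystem", 8: "App",
}


def decode_ps_protection(level: int) -> dict:
    """Split the Level byte into its Type / Audit / Signer fields."""
    if not 0 <= level <= 0xFF:
        raise ValueError("Level is a single byte")
    ptype, audit, signer = level & 0x7, (level >> 3) & 0x1, (level >> 4) & 0xF
    return {
        "level": level,
        "type": PS_PROTECTED_TYPE.get(ptype, f"Unknown({ptype})"),
        "audit": bool(audit),
        "signer": PS_PROTECTED_SIGNER.get(signer, f"Unknown({signer})"),
        # Any non-zero Type means PP or PPL: the kernel restricts handle
        # access to the process from less-protected callers.
        "is_protected": ptype != 0,
    }


_LEVEL_RE = re.compile(r"\]\s*Level\s*:\s*0x([0-9A-Fa-f]{1,2})\b")


def level_from_dx_dump(dump: str) -> int:
    """Extract the Level byte from a WinDbg 'dx' dump of _PS_PROTECTION."""
    m = _LEVEL_RE.search(dump)
    if m is None:
        raise ValueError("no 'Level : 0x..' line found in dump")
    return int(m.group(1), 16)


# Constructed sample: the dump shape from the post, with Level = 0x0.
SAMPLE_DUMP = """\
    [+0x000] Level            : 0x0 [Type: unsigned char]
    [+0x000 ( 2: 0)] Type             : 0x0 [Type: unsigned char]
    [+0x000 ( 3: 3)] Audit            : 0x0 [Type: unsigned char]
    [+0x000 ( 7: 4)] Signer           : 0x0 [Type: unsigned char]
"""

if __name__ == "__main__":
    print(decode_ps_protection(level_from_dx_dump(SAMPLE_DUMP)))  # the post's case: unprotected
    print(decode_ps_protection(0x61))  # WinTcb-Light, e.g. csrss.exe
    print(decode_ps_protection(0x31))  # Antimalware-Light
```

This byte only describes PP/PPL status; the CI break quoted above is raised by the image-signing policy the kernel enforces for packaged (Store) processes, which is checked independently of _EPROCESS.Protection.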