Hey @passthehashbrowns!

First of all, thanks for the great blog post and PoCs!

I was playing with the injector on different Windows versions and found out that it crashes on Windows Server 2019. My first thought was that it's related to the `.mrdata` / `.data` VEH list location differences (which you mention in the blog and code), but it turned out to be an interesting rabbit hole to dig into. So, the crash is actually CFG related.

To debug it I put `getchar()` after `CreateProcessA`, attach to the suspended process and continue the execution. After the expected Guard page violation exception there's another one which lands me in `ntdll!RtlpCallVectoredHandlers+0x1bf`.

The value of `LdrpMrdataHeapUnprotected` (which is a member of the "MRDATA_HEAP" struct, as @0rigins calls it on UnKnoWnCheaTs) I guess is not defined, so the dereference is unsuccessful. Moreover, the `RtlpCallVectoredHandlers` logic implies that the `.mrdata` heap is CFG protected and cannot be modified from a remote process (?).

If we go to a Windows client and repeat the debug steps, we'll observe a different picture - there are no such CFG-enabled checks prior to handler execution at all.

Both images on the server and client are the built-in `notepad.exe` - compiled with `/guard:cf` and the Guard flags are the same. Currently, I'm not completely sure what's happening on Server 2019 and if it can be bypassed without executing code in the target process, but maybe you have some ideas...

CFG-unaffected binaries are perfectly fine by the way :)
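The comment above compares the Guard flags of the two `notepad.exe` images by hand. The following PowerShell script is an added example (it is not the commenter's code nor part of the injector project) that reads the same static CFG metadata straight from a PE file: the `IMAGE_DLLCHARACTERISTICS_GUARD_CF` bit in the optional header and the `GuardFlags` field of the load config directory. Running it against the server and client copies of `notepad.exe` lets a reader confirm the "Guard flags are the same" observation, which points the behavioural difference at `ntdll` rather than at the image. The file paths are assumptions; the structure offsets are the documented PE32/PE32+ layouts.

```powershell
# Added example: dump CFG-related PE metadata of an image (not the commenter's or project's code).
# Usage: .\Get-CfgInfo.ps1 -Path C:\Windows\System32\notepad.exe   (path is an assumption)
param(
    [Parameter(Mandatory = $true)][string]$Path
)

function Get-CfgInfo {
    param([string]$FilePath)

    $b   = [System.IO.File]::ReadAllBytes($FilePath)
    $u16 = { param($o) [BitConverter]::ToUInt16($b, $o) }
    $u32 = { param($o) [BitConverter]::ToUInt32($b, $o) }

    if ((& $u16 0) -ne 0x5A4D) { throw "$FilePath is not an MZ image" }
    $pe = & $u32 0x3C                                   # e_lfanew
    if ((& $u32 $pe) -ne 0x4550) { throw "$FilePath has no PE signature" }

    $fileHdr     = $pe + 4
    $numSections = & $u16 ($fileHdr + 2)
    $optSize     = & $u16 ($fileHdr + 16)
    $opt         = $fileHdr + 20                        # IMAGE_OPTIONAL_HEADER
    $is64        = ((& $u16 $opt) -eq 0x20B)            # PE32+ magic

    # DllCharacteristics sits at optional header +0x46 for both PE32 and PE32+;
    # IMAGE_DLLCHARACTERISTICS_GUARD_CF is bit 0x4000.
    $dllChars = & $u16 ($opt + 0x46)

    # Data directories start at +0x60 (PE32) or +0x70 (PE32+); load config is entry 10.
    $ddBase = if ($is64) { $opt + 0x70 } else { $opt + 0x60 }
    $lcRva  = & $u32 ($ddBase + 10 * 8)

    # Walk the section table (40-byte entries after the optional header) to map RVA -> file offset.
    $secTable = $opt + $optSize
    $lcOff = $null
    for ($i = 0; $i -lt $numSections; $i++) {
        $sec     = $secTable + $i * 40
        $va      = & $u32 ($sec + 12)
        $rawSize = & $u32 ($sec + 16)
        $rawPtr  = & $u32 ($sec + 20)
        if ($lcRva -ge $va -and $lcRva -lt ($va + $rawSize)) { $lcOff = $rawPtr + ($lcRva - $va) }
    }

    $guardFlags = 0
    if ($null -ne $lcOff) {
        # GuardFlags lives at +0x58 (IMAGE_LOAD_CONFIG_DIRECTORY32) or +0x90 (…64).
        # The leading Size field tells us whether this image's load config even reaches it.
        $gfOff    = if ($is64) { 0x90 } else { 0x58 }
        $declared = & $u32 $lcOff
        if ($declared -ge ($gfOff + 4)) { $guardFlags = & $u32 ($lcOff + $gfOff) }
    }

    [PSCustomObject]@{
        File              = $FilePath
        PE32Plus          = $is64
        DllCharGuardCF    = (($dllChars   -band 0x4000)   -ne 0)
        LoadConfigRva     = ('0x{0:X}' -f $lcRva)
        GuardFlags        = ('0x{0:X}' -f $guardFlags)
        CF_INSTRUMENTED   = (($guardFlags -band 0x100)    -ne 0)   # IMAGE_GUARD_CF_INSTRUMENTED
        CF_FUNCTION_TABLE = (($guardFlags -band 0x400)    -ne 0)   # IMAGE_GUARD_CF_FUNCTION_TABLE_PRESENT
        LONGJUMP_TABLE    = (($guardFlags -band 0x10000)  -ne 0)   # IMAGE_GUARD_CF_LONGJUMP_TABLE_PRESENT
        EH_CONTINUATION   = (($guardFlags -band 0x400000) -ne 0)   # IMAGE_GUARD_EH_CONTINUATION_TABLE_PRESENT
        XFG_ENABLED       = (($guardFlags -band 0x800000) -ne 0)   # IMAGE_GUARD_XFG_ENABLED
    }
}

Get-CfgInfo -FilePath $Path | Format-List
```

This is a static check of the image only. Whether CFG is actually enforced for a running process is a separate, per-process policy; on Windows 10 / Server 2019 the built-in `Get-ProcessMitigation -Id <pid>` cmdlet reports that runtime state, so comparing both views on the server and the client narrows down whether the difference the comment describes comes from the image, the process policy, or the loader's own `.mrdata` handling.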