Windows 11 ARM64 Processor x86, x64 COM API Hook Crash. #292

Open
kimjw0820 opened this issue Jul 12, 2023 · 2 comments
Labels
bug Something isn't working

Comments


kimjw0820 commented Jul 12, 2023

Windows 11 ARM64 Processor x86, x64 COM Hook Crash.
We tested using the latest sources. (main - 2022-08-16 commit)
[Surface pro 9 Microsoft SQ3 3.00 GHz Windows 11 ARM64]

[success]

On Windows 11 ARM64, x64 processes are emulated. Therefore, ARM, ARM64, x86, and x64 processes operate in the ARM64 environment. There is no problem with win32 API Hooking of x86 and x64 processes in the ARM64 environment.

[crash]

The problem occurs when hooking the COM API of x86 and x64 processes in an ARM64 environment. Crash when running Detours samples/commem.

code - samples/commem/commem.cpp

https://github.com/microsoft/Detours/blob/734ac64899c44933151c1335f6ef54a590219221/samples/commem/commem.cpp#L95C4-L95C4

```cpp
// Detours rewrites the prologue of the IStream::Write implementation that
// RealIStreamWrite points to (taken from the vtable earlier in the sample);
// the vtable slot itself is left unchanged.
DetourTransactionBegin();
DetourUpdateThread(GetCurrentThread());
DetourAttach(&(PVOID&)RealIStreamWrite, MineIStreamWrite);
DetourTransactionCommit();

printf("commem: Calling Write w/o after attach.\n");

// First call through the vtable after the attach, which should now land in
// MineIStreamWrite.
li.QuadPart = 1;
hr = pStream->lpVtbl->Write(pStream, &li, sizeof(li), NULL);  // <-- crash
```

ERROR_CODE: (NTSTATUS) 0xc000001d - { }

Is there anything else I need to do to hook COM API of x86,x64 process in ARM64 environment?

@honkstar1

We are having a similar issue atm. Trying to detour an x64 binary when running from arm64 windows. Would love to get advice how to fix or a fix itself :-)


kimjw0820 commented Dec 6, 2024

> We are having a similar issue atm. Trying to detour an x64 binary when running from arm64 windows. Would love to get advice how to fix or a fix itself :-)

We have been solving the problem by using VMT Hooking method without Detours for COM API so far to bypass the problem. However, we have recently discovered XFG (Microsoft eXtended Flow Guard) protected API and analyzed that certain APIs cannot be controlled with that method. VMT Hooking method was sufficient to control CFG (Control Flow Guard) protected COM API, but it cannot control XFG protected COM API. I think that in order to control x86, x64 COM API of ARM64, it is necessary to use Detours and directly modify the Detours code.


> Microsoft eXtended Flow Guard
>
> eXtended Flow Guard (XFG) has not been officially released yet, but is available in the Windows Insider preview and was publicly presented at Bluehat Shanghai in 2019.[29]
>
> XFG extends CFG by validating function call signatures to ensure that indirect function calls are only to the subset of functions with the same signature. Function call signature validation is implemented by adding instructions to store the target function's hash in register r10 immediately prior to the indirect call and storing the calculated function hash in the memory immediately preceding the target address's code. When the indirect call is made, the XFG validation function compares the value in r10 to the target function's stored hash. [30][31]

https://en.wikipedia.org/wiki/Control-flow_integrity#Microsoft_eXtended_Flow_Guard
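As an added illustration, not code from this thread or from Detours: a constructed C model of the XFG check quoted above, showing why a plain vtable-pointer swap to a hook that carries no signature tag fails the check while the original entry passes. The slot layout, the FNV-1a hash and all function names are assumptions of the model, not Microsoft's implementation.

```c
#include <stddef.h>
#include <stdint.h>
/* Model of an XFG-tagged vtable entry: the compiler stores a hash of the
 * function's type signature with the entry point (real XFG keeps it in the bytes
 * just before the code) and each call site carries the hash it expects (r10). */
typedef long (*write_fn)(void *self, const void *buf, size_t cb);
typedef struct {
    uint64_t sig_hash;   /* signature hash; 0 = function carries no XFG tag */
    write_fn entry;      /* address the vtable slot points to */
} xfg_slot;

/* FNV-1a over the signature text, a stand-in for the real hash function. */
static uint64_t xfg_hash(const char *signature) {
    uint64_t h = 14695981039346656037ULL;
    for (; *signature; signature++) {
        h ^= (unsigned char)*signature;
        h *= 1099511628211ULL;
    }
    return h;
}
static long real_write(void *self, const void *buf, size_t cb) {
    (void)self; (void)buf;
    return (long)cb;             /* report every byte as written */
}
/* A hook built without XFG: no signature tag precedes its code. */
static long untagged_hook(void *self, const void *buf, size_t cb) {
    return real_write(self, buf, cb);
}
/* The comparison the XFG stub performs before a tagged indirect call: returns 1
 * if the call was made, 0 if the process would fast-fail instead. */
static int xfg_checked_call(uint64_t expected, const xfg_slot *slot, void *self,
                            const void *buf, size_t cb, long *out) {
    if (slot->sig_hash != expected)
        return 0;                /* real XFG: __fastfail */
    *out = slot->entry(self, buf, cb);
    return 1;
}
/* The original entry passes; a plain VMT swap to an untagged hook (pointer
 * replaced, tag lost) is rejected. Returns the outcome of the swapped call. */
static int vmt_swap_passes_xfg(void) {
    const uint64_t expected = xfg_hash("long(void*,const void*,size_t)");
    xfg_slot slot = { expected, real_write };
    long written = 0;
    if (!xfg_checked_call(expected, &slot, NULL, "abc", 3, &written) || written != 3)
        return -1;               /* would mean the untouched vtable is broken */
    slot.sig_hash = 0;           /* classic VMT hook: only the pointer is swapped */
    slot.entry = untagged_hook;
    return xfg_checked_call(expected, &slot, NULL, "abc", 3, &written);
}
```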
