Grinder for Edge on Win10 #62

Open
pyoor opened this issue Oct 23, 2015 · 14 comments

@pyoor
Contributor

pyoor commented Oct 23, 2015

Has anyone got a working stub for Edge on Win10?

@hacksysteam
Contributor

@pyoor I will be starting to write one now. Let me see how it works out.

@mtowalski

@hacksysteam I hope that you will succeed :)

@ca0nguyen

The latest Edge comes with a new mitigation that prevents injecting unsigned DLLs. Grinder logger works only with successful DLL injection. This is a problem :(
https://blogs.windows.com/msedgedev/2015/11/17/microsoft-edge-module-code-integrity/

@v-p-b

v-p-b commented Dec 18, 2015

Can't you work around this problem with some leaked code signing certs? (e.g. https://www.duosecurity.com/static/files/DellCertificates.zip)

@hacksysteam
Contributor

@v-p-b Nice. But how about a self-signed certificate and trusting the root CA?

@v-p-b

v-p-b commented Dec 18, 2015

@hacksysteam Sounds good! Self-signed might be problematic but registering an internal CA seems like a universal solution.

@ca0nguyen

I've already tried adding a root CA and signing the DLL. Windows 10 says "This digital signature is OK", but I still cannot inject into MicrosoftEdgeCP.exe. According to the msedgedev blog, Edge uses enforcement in the kernel. Maybe we have to look at the kernel to see what is happening.

@hacksysteam
Contributor

@ca0nguyen Quoting from the MS Edge blog: *"DLLs that are either Microsoft-signed, or WHQL-signed, will be allowed to load, and all others will be blocked."* I guess we need to dig into the kernel then.

@ca0nguyen

@hacksysteam Thanks for pointing that out. I missed that part and took hours to make signtool work. It is more of a challenge now since I don't know much about kernel stuff.

@hacksysteam
Contributor

@ca0nguyen Now, that's a good thing. We can now inject grinder_logger in Edge

http://www.sekoia.fr/blog/microsoft-edge-binary-injection-mitigation-overview/

@v-p-b

v-p-b commented Mar 25, 2017

@hacksysteam Did you manage to create a PoC for this? If I understand correctly this would require patching LoadLibrary() (with a kernel debugger perhaps?), no configuration option is available, right?

@hacksysteam
Contributor

@v-p-b Unfortunately, no. Currently I'm not fuzzing browsers. But with new mitigations in Edge, it would be hard to run this logger. However, I cannot guarantee that, as I have not tested it.

@jessefmoore

> Can't you work around this problem with some leaked code signing certs? (e.g. https://www.duosecurity.com/static/files/DellCertificates.zip)

Hi v-p-b, do you have that zip file still? I would like to use them. :-)

@jessefmoore

DellCertificates.zip

Got it, never mind. https://duo.com/assets/files/DellCertificates.zip
