10

Komodia says:

DLL injection is not possible with Modern UI on Windows 8. It is possible to inject DLLs into Metro apps, BUT you will not be able to redirect Winsock traffic to localhost.

In other words, Windows Metro applications work in a sandboxed environment, in which DLL injection can't be done.

Let's see what Nektra says:

We realized we needed to sign our DLL with a cross-certificate, like those used to sign kernel-mode drivers. We already had a method for injecting a DLL in WinRT applications: copy the DLL file inside the System32 folder and voilà!

As you can see, Komodia and Nektra give conflicting information. My question is: what's the truth behind DLL injection under Windows 8? Can I inject my code into a Metro application as usual (NT, Win9x), like Nektra says?

n00begon
Marwen Trabelsi
  • Are you sure that the first link is not meant to be interpreted as: 'You can do DLL injection but you can't do it to redirect traffic'? – Patashu Apr 29 '13 at 00:51
    Whenever someone says something "is not possible" what they really mean is something like "is not supposed to be possible" or even just "I don't know any way to do this". Nektra found a way: put the DLL in system32. – Harry Johnston Apr 29 '13 at 02:57
  • @Sebastian: I'll ask you directly: when I put my DLL into System32 and hook a Metro application, can I get full control of the hooked process (e.g. redirect Winsock traffic, deny the call to a "dangerous" API)? Please give us a great answer; we really need some kind of information. – Marwen Trabelsi Apr 29 '13 at 17:41
    @SmartyTwiti Mauro, the author of the article, will answer soon. – sw. Apr 29 '13 at 20:20
  • If you inject any DLL into any Cygwin process, you will make the BLODA list. Don't inject DLLs into processes that aren't yours and that you haven't studied for side effects. – Joshua Apr 29 '13 at 18:31

4 Answers

10

I'm the author of Nektra's article. The research began when we wanted to add more features to the limited Metro Mail application that comes with Windows 8.

Although the process was not exactly the same as in desktop applications, because Metro apps are usually suspended, we first hooked the DCOM service.

When the DCOM service launches the Metro Mail application, at that point we inject the DLL using the well-known CreateRemoteThread/LoadLibrary method.

In the initial tests we tried to inject a DLL located in the same folder where our test was located, and discovered that, if the DLL was in System32, it loads fine.

Later we did further research to see why the DLL was not loading if it was not in the System32 folder.

About hooking Winsock, we didn't test that, but I think it should be possible because, at least on desktop computers, behind Metro there are the commonly known DLLs (kernel32, user32 and so on), and we hooked some APIs without problems.

Mauro H. Leggieri
9

I'm the author of the Komodia article, and our article doesn't conflict with Nektra's. It is possible to hook Metro apps, or the sandbox that runs the Metro apps, but you can't connect to localhost, not because of hooking but because of a Metro limitation on localhost connections. In our first test we used our Win7 WFP (which is a network driver) and modified the IP of packets to localhost, which didn't work with Metro apps; NDIS will not work either. The only way to do so is using Microsoft's WFP proxy redirection.

Maybe someone will eventually find or already found a hack that allows for localhost direct connection, and as with any hacks, there are risks to consider. If you want an approved method, WFP proxy redirection is the only way to go.

Muhd
4

I hereby answer because everyone else is off the point with this. The DLL file needs to have read/execute permission for the "All Application Packages" group. With this, the loader will allow you to load arbitrary DLLs in Immersive apps (= Metro apps).

miracle

Laie
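The two conditions the answers above name for an injected DLL in an immersive (Metro) app, a location on the app's DLL search path (System32 in Mauro's and n00begon's answers) and a Read/Execute ACE for "ALL APPLICATION PACKAGES" (Laie's answer), can be checked from an elevated PowerShell prompt. The script below is an added example for this page, not code from any of the posters or from Nektra or Komodia; the parameter names, the `-Grant` switch and the assumption that the DLL's directory is exactly System32 (rather than the package dependency graph) are mine.

```powershell
# Added example (not from the thread, Nektra or Komodia): verify that a DLL is
# (1) under System32, which the answers above say is on the immersive app's DLL
# search path, and (2) readable/executable by ALL APPLICATION PACKAGES, the
# well-known SID S-1-15-2-1 that every AppContainer token carries.
# -DllPath and -Grant are illustrative parameter names; -Grant adds the ACE.
param(
    [Parameter(Mandatory = $true)][string]$DllPath,
    [switch]$Grant
)

$allAppPackages = New-Object System.Security.Principal.SecurityIdentifier 'S-1-15-2-1'
$needed = [System.Security.AccessControl.FileSystemRights]::ReadAndExecute

# Condition 1: is the file under %SystemRoot%\System32?
# (A 32-bit PowerShell on x64 sees SysWOW64 here because of file system redirection.)
function Test-InSystem32([string]$Path) {
    $system32 = [System.Environment]::GetFolderPath('System')
    $full = [System.IO.Path]::GetFullPath($Path)
    return $full.StartsWith($system32 + '\', [System.StringComparison]::OrdinalIgnoreCase)
}

# Condition 2: does an Allow ACE for S-1-15-2-1 carry every bit of ReadAndExecute?
# GetAccessRules with SecurityIdentifier returns the SID form, so no name translation
# is needed and orphaned SIDs do not throw.
function Test-AllAppPackagesRX([string]$Path) {
    $acl = Get-Acl -LiteralPath $Path
    $rules = $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])
    foreach ($ace in $rules) {
        if ($ace.AccessControlType -ne [System.Security.AccessControl.AccessControlType]::Allow) { continue }
        if ($ace.IdentityReference -ne $allAppPackages) { continue }
        # ReadAndExecute is a composite flag; a partial match (e.g. Read only) is not enough.
        if (($ace.FileSystemRights -band $needed) -eq $needed) { return $true }
    }
    return $false
}

if (-not (Test-Path -LiteralPath $DllPath)) { throw "No such file: $DllPath" }

if (Test-InSystem32 $DllPath) {
    Write-Output "OK: $DllPath is under System32, which is on the immersive app's DLL search path."
} else {
    Write-Warning "$DllPath is not under System32; the loader will not find it for the app unless it is in the package dependency graph."
}

if (Test-AllAppPackagesRX $DllPath) {
    Write-Output 'OK: ALL APPLICATION PACKAGES (S-1-15-2-1) already has Read and Execute.'
} elseif ($Grant) {
    # Adding the ACE on a System32 file needs an elevated prompt.
    $acl = Get-Acl -LiteralPath $DllPath
    $rule = New-Object -TypeName System.Security.AccessControl.FileSystemAccessRule `
        -ArgumentList $allAppPackages, $needed, ([System.Security.AccessControl.AccessControlType]::Allow)
    $acl.AddAccessRule($rule)
    Set-Acl -LiteralPath $DllPath -AclObject $acl
    Write-Output 'Granted Read and Execute to ALL APPLICATION PACKAGES.'
} else {
    Write-Warning 'ALL APPLICATION PACKAGES lacks Read and Execute; the AppContainer token cannot open the file, so LoadLibrary in the app fails. Re-run with -Grant (elevated), or: icacls <dll> /grant "*S-1-15-2-1:(RX)"'
}
```

Run it as `.\Check-ImmersiveDll.ps1 -DllPath C:\Windows\System32\myhook.dll` to report, and add `-Grant` from an elevated prompt to fix the ACL. The `icacls` form in the final warning is the one-liner equivalent of the `-Grant` branch; the leading `*` tells icacls that what follows is a SID rather than an account name.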
2

In the initial tests we tried to inject a dll located in the same folder where our test was located and discovered that, if the dll was in system32, it loads fine.

Yes, because System32 is in the search order for Metro (Windows store) applications. There's no magic to it.

Likewise, your test's folder was likely not in the DLL search order for the app (System32, the app's package dependency graph, etc.), so the loader wouldn't find your DLL for the app.

n00begon
    You can change the search path with LdrLoadDll but it has no effect. – Mauro H. Leggieri Jul 01 '13 at 14:58
  • I don't know what LdrLoadDll is. From a quick net search it appears to be some undocumented implementation detail in Windows. I'm unsurprised it does you no good. The Loader was *changed* to support Metro (Windows store) apps, so code paths and permutations differ in significant ways. – Howard Kapustein Sep 03 '13 at 01:19
    LdrLoadDll is the API that does all the LoadLibrary work (LoadLibrary acts like a wrapper). The API declaration hasn't changed for a long, long time, although internally it now supports Metro applications. And some checks are done in kernel mode to avoid some hacks. – Mauro H. Leggieri Sep 04 '13 at 16:00