Windows 11 ARM64 Processor x86, x64 COM Hook Crash.
We tested using the latest sources (main, 2022-08-16 commit).
[Surface Pro 9, Microsoft SQ3 3.00 GHz, Windows 11 ARM64]
[success]
On Windows 11 ARM64, x64 processes are emulated. Therefore ARM, ARM64, x86, and x64 processes all operate in the ARM64 environment. There is no problem with Win32 API hooking of x86 and x64 processes in the ARM64 environment.
[crash]
The problem occurs when hooking the COM API of x86 and x64 processes in the ARM64 environment. It crashes when running the Detours samples/commem sample.
We are having a similar issue at the moment: trying to detour an x64 binary when running on ARM64 Windows. Would love to get advice on how to fix it, or a fix itself :-)
So far we have been working around the problem by using the VMT hooking method, without Detours, for the COM API. However, we have recently discovered XFG (Microsoft eXtended Flow Guard)-protected APIs, and our analysis shows that certain APIs cannot be controlled with that method. The VMT hooking method was sufficient to control CFG (Control Flow Guard)-protected COM APIs, but it cannot control XFG-protected COM APIs. I think that in order to control the x86 and x64 COM APIs on ARM64, it is necessary to use Detours and directly modify the Detours code.
Microsoft eXtended Flow Guard
eXtended Flow Guard (XFG) has not been officially released yet, but is available in the Windows Insider preview and was publicly presented at Bluehat Shanghai in 2019.[29]
XFG extends CFG by validating function call signatures to ensure that indirect function calls are only to the subset of functions with the same signature. Function call signature validation is implemented by adding instructions to store the target function's hash in register r10 immediately prior to the indirect call and storing the calculated function hash in the memory immediately preceding the target address's code. When the indirect call is made, the XFG validation function compares the value in r10 to the target function's stored hash. [30][31]
code - samples/commem/commem.cpp
https://github.com/microsoft/Detours/blob/734ac64899c44933151c1335f6ef54a590219221/samples/commem/commem.cpp#L95C4-L95C4
ERROR_CODE: (NTSTATUS) 0xc000001d - { }
Is there anything else I need to do to hook COM API of x86,x64 process in ARM64 environment?
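The vtable-swap (VMT hooking) workaround described in the comment above, as an added example that is not code from this thread or from Detours. It replaces one entry of a COM-style vtable with a detour after making the table's page writable, so no instruction bytes of the target function are ever written, which is what the commenter relies on to sidestep the crash; because the table is shared, every object of that class is affected at once. The `IAllocator` interface, the `CountingAllocator` implementation, `kCountingVtbl` and the `SetSlotWritable` helper are all constructed for illustration, and the POSIX branch assumes the vtable page was read-only before the swap (true for a table the compiler placed in .rodata or .data.rel.ro).

```c
#ifndef _WIN32
#define _POSIX_C_SOURCE 200809L
#endif
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#ifdef _WIN32
#include <windows.h>
#else
#include <sys/mman.h>
#include <unistd.h>
#endif

/* Constructed stand-in for a COM interface, laid out the way COM's C binding
 * lays one out: the object holds a pointer to a table of function pointers,
 * and callers dispatch through obj->lpVtbl->Method(obj, ...). */
typedef struct IAllocator IAllocator;
typedef struct IAllocatorVtbl {
    uint32_t (*Alloc)(IAllocator *self, uint32_t bytes);   /* slot 0 */
    void     (*Free)(IAllocator *self, uint32_t handle);   /* slot 1 */
} IAllocatorVtbl;
struct IAllocator { const IAllocatorVtbl *lpVtbl; };

/* Constructed implementation: sequential handles and a running byte total. */
typedef struct CountingAllocator {
    IAllocator base;
    uint32_t   next;
    uint32_t   totalBytes;
} CountingAllocator;

static uint32_t CountingAlloc(IAllocator *self, uint32_t bytes) {
    CountingAllocator *ca = (CountingAllocator *)self;
    ca->totalBytes += bytes;
    return ca->next++;
}
static void CountingFree(IAllocator *self, uint32_t handle) { (void)self; (void)handle; }

/* Like a real COM vtable, this table lives in a read-only section of the image. */
static const IAllocatorVtbl kCountingVtbl = { CountingAlloc, CountingFree };

typedef void (*GenericFn)(void);           /* any slot, before casting to its real type */
typedef struct VmtHook {
    GenericFn    *slot;                    /* address of the patched vtable entry */
    GenericFn     original;                /* function pointer that was there before */
    unsigned long oldProtect;              /* Windows: protection to restore */
} VmtHook;

/* Toggle write access on the page holding `addr`. Assumption on the POSIX path:
 * the page was read-only, so it is restored to PROT_READ afterwards. */
static bool SetSlotWritable(void *addr, bool writable, unsigned long *saved) {
#ifdef _WIN32
    DWORD prev = 0;
    DWORD want = writable ? PAGE_READWRITE : (DWORD)*saved;
    if (!VirtualProtect(addr, sizeof(void *), want, &prev)) return false;
    if (writable) *saved = prev;
    return true;
#else
    uintptr_t page = (uintptr_t)sysconf(_SC_PAGESIZE);
    void *base = (void *)((uintptr_t)addr & ~(page - 1));
    *saved = PROT_READ;
    return mprotect(base, page, writable ? (PROT_READ | PROT_WRITE) : PROT_READ) == 0;
#endif
}

/* Swap vtable entry `index` for `detour`. Only the pointer in the table changes;
 * the target's code is untouched, unlike a Detours-style inline patch. */
static bool InstallVmtHook(IAllocator *object, size_t index, GenericFn detour, VmtHook *h) {
    GenericFn *vtable = (GenericFn *)object->lpVtbl;
    h->slot = &vtable[index];
    h->original = vtable[index];
    if (!SetSlotWritable(h->slot, true, &h->oldProtect)) return false;
    *h->slot = detour;
    return SetSlotWritable(h->slot, false, &h->oldProtect);
}

static bool RemoveVmtHook(VmtHook *h) {
    if (!SetSlotWritable(h->slot, true, &h->oldProtect)) return false;
    *h->slot = h->original;
    return SetSlotWritable(h->slot, false, &h->oldProtect);
}

/* The detour: same signature as the slot, receives the object as `self`. */
typedef uint32_t (*AllocFn)(IAllocator *, uint32_t);
static int     g_hookCalls;
static AllocFn g_origAlloc;

static uint32_t HookedAlloc(IAllocator *self, uint32_t bytes) {
    ++g_hookCalls;
    if (bytes > 4096) bytes = 4096;        /* example policy: clamp oversized requests */
    return g_origAlloc(self, bytes);       /* then fall through to the real method */
}

int HookCallCount(void) { return g_hookCalls; }

/* Hook, call through the interface, unhook. Returns 0 on success, otherwise the
 * number of the step that failed. */
int DemoVmtHook(void) {
    CountingAllocator impl = { { &kCountingVtbl }, 1, 0 };
    IAllocator *volatile hidden = &impl.base;   /* keeps the compiler from folding the dispatch */
    IAllocator *obj = hidden;
    VmtHook h = { 0, 0, 0 };
    g_hookCalls = 0;

    if (!InstallVmtHook(obj, 0, (GenericFn)HookedAlloc, &h)) return 1;
    g_origAlloc = (AllocFn)h.original;
    uint32_t a = obj->lpVtbl->Alloc(obj, 16);       /* now lands in HookedAlloc */
    uint32_t b = obj->lpVtbl->Alloc(obj, 100000);   /* clamped to 4096 by the hook */
    if (!RemoveVmtHook(&h)) return 2;
    uint32_t c = obj->lpVtbl->Alloc(obj, 8);        /* original path again */

    if (g_hookCalls != 2) return 3;
    if (a != 1 || b != 2 || c != 3) return 4;
    if (impl.totalBytes != 16u + 4096u + 8u) return 5;
    return 0;
}

int main(void) {
    int rc = DemoVmtHook();
    printf("VMT hook demo: %s (hook ran %d times)\n", rc == 0 ? "ok" : "failed", g_hookCalls);
    return rc;
}
```

The swapped entry passes a CFG check because CFG validates only that the indirect-call target is a valid function start, which the detour is. Under XFG, as the quoted description says, the call site also compares the hash in r10 with the hash stored immediately before the target's code, so a detour that does not carry the expected hash fails that comparison. That is the limitation reported in the comment above, and it is why swapping the pointer alone is not enough for an XFG-protected COM method.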