Add support for Microsoft Edge

[adevelopcr]

Can you add support for microsoft edge or tell the functions to hook to sniff before sending ssl requests and after reading ssl requests Hooking the raw sockets won't give readable text but encrypted

[NytroRST]

Yes, Edge is on my list. However, they use process mitigations so there are problems with the injections/ When I will have some time, I will look into how to bypass it.

[adevelopcr]

could you explain what is process mitigations ?

[NytroRST]

Here are some details: https://docs.microsoft.com/en-us/windows/desktop/api/processthreadsapi/nf-processthreadsapi-setprocessmitigationpolicy

[adevelopcr]

So edge uses SetProcessMitigationPolicy with ProcessDynamicCodePolicy flag to prevent overwriting the executable code (hooking function by placing jump) is this the problem ? If it's then there are multiple ways to bypass this

[NytroRST]

It has some mitigations, but I did not check which of them. I know an article about a bypass and I will look into this as soon as possible. If you have any details about bypasses, can you post here the links?

---

From: adevelopcr notifications@github.com Sent: Sunday, July 8, 2018 8:00:21 PM To: NytroRST/NetRipper Cc: Ionut Popescu; Comment Subject: Re: [NytroRST/NetRipper] Add support for Microsoft Edge (#22)

So edge uses SetProcessMitigationPolicy with ProcessDynamicCodePolicy flag to prevent overwriting the executable code (hooking function by placing jump) is this the problem ? If it' then there are multiple ways to bypass this

— You are receiving this because you commented. Reply to this email directly, view it on GitHubhttps://eur03.safelinks.protection.outlook.com/?url=https%3A%2F%2Fgithub.com%2FNytroRST%2FNetRipper%2Fissues%2F22%23issuecomment-403301242&data=02%7C01%7C%7Cea7971492db8400a6cb108d5e4f44b44%7C84df9e7fe9f640afb435aaaaaaaaaaaa%7C1%7C0%7C636666660238304854&sdata=7jASNf1TPOT%2FWW%2F6LbI3Z9s%2BM2gtwXpJOKqcIEubt3U%3D&reserved=0, or mute the threadhttps://eur03.safelinks.protection.outlook.com/?url=https%3A%2F%2Fgithub.com%2Fnotifications%2Funsubscribe-auth%2FAMoRQbacrLoucmE0FiTNc3f5jzYmXgjZks5uEjqlgaJpZM4VGjHN&data=02%7C01%7C%7Cea7971492db8400a6cb108d5e4f44b44%7C84df9e7fe9f640afb435aaaaaaaaaaaa%7C1%7C0%7C636666660238461100&sdata=o3eSttUPHWopxOf%2FbV6ZEk2bxyn%2FwtVvyJvlhBRW2Do%3D&reserved=0.

[adevelopcr]

After some search (I still don't understand what this mitigation actually prevents) here what I came with : 1 - firstly I think you aren't using manual mapping but hooking via LoadLibrary which will load the dll and edge uses another mitigation which disables loading non signed dlls and edge doesn't prevent dynamic code generation as from here http://www.sekoia.fr/blog/microsoft-edge-binary-injection-mitigation-overview/ They said that they injected a shellcode successfully into edge . If this is true then my injector should be already suitable for injecting dlls inside edge

If this is false and edge really disables dynamic executable code generation : 2 - from here : https://www.unknowncheats.me/forum/playerunknown-s-battlegrounds/245691-allocating-executable-memory-remote-process-ntallocatevirtualmemory.html The function sets the flag of the protection inside EPROCESS structure and it can be overwritten with WriteProcessMemory to disable the dynamic code mitigation

3 - you can perform aggressive hooking by hooking CreateProcess in explorer.exe and other running processes to suspend and hook edge on its early launch and before setting the protection flag

4 - you can use the new injection techniques which doesn't require to write executable code in the target

I have no access to a computer now and probably for more than week so I couldn't try my injector to inject into edge

[NytroRST]

Very nice, thanks a lot! I also read some time ago the sekoia article, but I did not know about the other one. I will check what it is possible to do on this topic. It should be possible, as we are already executing code on the target machine. Hopefully, it should be possible from user-mode only...

---

From: adevelopcr notifications@github.com Sent: 08 July 2018 21:37 To: NytroRST/NetRipper Cc: Ionut Popescu; Comment Subject: Re: [NytroRST/NetRipper] Add support for Microsoft Edge (#22)

After some search (I still don't understand what this mitigation actually prevents) here what I came with : 1 - firstly I think you aren't using manual mapping but hooking via LoadLibrary which will load the dll and edge uses another mitigation which disables loading non signed dlls and edge doesn't prevent dynamic code generation as from here http://www.sekoia.fr/blog/microsoft-edge-binary-injection-mitigation-overview/https://nam01.safelinks.protection.outlook.com/?url=http%3A%2F%2Fwww.sekoia.fr%2Fblog%2Fmicrosoft-edge-binary-injection-mitigation-overview%2F&data=02%7C01%7C%7C464f01d41b2a4a90564208d5e501cb19%7C84df9e7fe9f640afb435aaaaaaaaaaaa%7C1%7C0%7C636666718212614867&sdata=6wGQ69Ltr6dJVCf0KR07C%2Bp5eFR8esCcyoCmXhyzlgI%3D&reserved=0 They said that they injected a shellcode successfully into edge . If this is true then my injector should be already suitable for injecting dlls inside edge

If this is false and edge really disables dynamic executable code generation : 2 - from here : https://www.unknowncheats.me/forum/playerunknown-s-battlegrounds/245691-allocating-executable-memory-remote-process-ntallocatevirtualmemory.htmlhttps://nam01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fwww.unknowncheats.me%2Fforum%2Fplayerunknown-s-battlegrounds%2F245691-allocating-executable-memory-remote-process-ntallocatevirtualmemory.html&data=02%7C01%7C%7C464f01d41b2a4a90564208d5e501cb19%7C84df9e7fe9f640afb435aaaaaaaaaaaa%7C1%7C0%7C636666718212771120&sdata=xVjm5%2Bhhj5K2SAzppO0DnEecaglz7r1auuLVsCwzu0o%3D&reserved=0 The function sets the flag of the protection inside EPROCESS structure and it can be overwritten with WriteProcessMemory to disable the dynamic code mitigation

3 - you can perform aggressive hooking by hooking CreateProcess in explorer.exe and other running processes to suspend and hook edge on its early launch and before setting the protection flag

5 - you can use the new injection techniques which doesn't require to write executable code in the target

I have no access to a computer now and probably for more than week so I couldn't try my injector to inject into edge

— You are receiving this because you commented. Reply to this email directly, view it on GitHubhttps://nam01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fgithub.com%2FNytroRST%2FNetRipper%2Fissues%2F22%23issuecomment-403307048&data=02%7C01%7C%7C464f01d41b2a4a90564208d5e501cb19%7C84df9e7fe9f640afb435aaaaaaaaaaaa%7C1%7C0%7C636666718212771120&sdata=Mo2xIsSVCydYxlDDYaaD9TtCcy%2FgO3%2BlrWkTqCenTUE%3D&reserved=0, or mute the threadhttps://nam01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fgithub.com%2Fnotifications%2Funsubscribe-auth%2FAMoRQRhrYhoPij-65NHtKtct3pm3arQdks5uElFMgaJpZM4VGjHN&data=02%7C01%7C%7C464f01d41b2a4a90564208d5e501cb19%7C84df9e7fe9f640afb435aaaaaaaaaaaa%7C1%7C0%7C636666718212771120&sdata=LyFGUQQ6y5vGF6mr9xITkVHGolyhf3s0wXfaupwmddY%3D&reserved=0.

[adevelopcr]

Then which function need to be hooked ? And were you using usual dll injection and not manual mapping ? as I saw that netripper has reflective dll injection

[adevelopcr]

I'm sure now manual mapping will work See here on rohitab : http://www.rohitab.com/discuss/topic/42220-injecting-microsoft-edge/

and from this article on microsoft blog : https://blogs.windows.com/msedgedev/2015/11/17/microsoft-edge-module-code-integrity/ they said that edge is protected from the windows kernel . If this is true it won't be possible to load unsigned dll into edge without a driver which requires to be signed on 64 systems so signing the dll is easier

[NytroRST]

Usefuk links, thanks a lot! I will look into this and I will let you know.

---

From: adevelopcr notifications@github.com Sent: Monday, July 9, 2018 12:22:48 AM To: NytroRST/NetRipper Cc: Ionut Popescu; Comment Subject: Re: [NytroRST/NetRipper] Add support for Microsoft Edge (#22)

I'm sure now manual mapping will work See here on rohitab : http://www.rohitab.com/discuss/topic/42220-injecting-microsoft-edge/https://eur03.safelinks.protection.outlook.com/?url=http%3A%2F%2Fwww.rohitab.com%2Fdiscuss%2Ftopic%2F42220-injecting-microsoft-edge%2F&data=02%7C01%7C%7Ce9cd8224911a461edd7608d5e518f4b9%7C84df9e7fe9f640afb435aaaaaaaaaaaa%7C1%7C0%7C636666817694911409&sdata=ZUCID5xpiE3R4yGts7jUHKmy4WMExga7MW9HKCoX3%2FA%3D&reserved=0

and from this article on microsoft blog : https://blogs.windows.com/msedgedev/2015/11/17/microsoft-edge-module-code-integrity/https://eur03.safelinks.protection.outlook.com/?url=https%3A%2F%2Fblogs.windows.com%2Fmsedgedev%2F2015%2F11%2F17%2Fmicrosoft-edge-module-code-integrity%2F&data=02%7C01%7C%7Ce9cd8224911a461edd7608d5e518f4b9%7C84df9e7fe9f640afb435aaaaaaaaaaaa%7C1%7C0%7C636666817694921414&sdata=0kYmXa4xD%2Bx%2B8EvcULtwImN7hAhq3sJnBD54lDkZldM%3D&reserved=0 they said that edge is protected from the windows kernel . If this is true it won't be possible to load unsigned dll into edge without a driver which requires to be signed on 64 systems so signing the dll is easier

— You are receiving this because you commented. Reply to this email directly, view it on GitHubhttps://eur03.safelinks.protection.outlook.com/?url=https%3A%2F%2Fgithub.com%2FNytroRST%2FNetRipper%2Fissues%2F22%23issuecomment-403318228&data=02%7C01%7C%7Ce9cd8224911a461edd7608d5e518f4b9%7C84df9e7fe9f640afb435aaaaaaaaaaaa%7C1%7C0%7C636666817694931425&sdata=NQ%2FHrDMRQzIQreTe9WKqpijlGXIuXCH7WSGVgixqZyw%3D&reserved=0, or mute the threadhttps://eur03.safelinks.protection.outlook.com/?url=https%3A%2F%2Fgithub.com%2Fnotifications%2Funsubscribe-auth%2FAMoRQTGltCEvnyBIoEttNC8wTV_8s99oks5uEngogaJpZM4VGjHN&data=02%7C01%7C%7Ce9cd8224911a461edd7608d5e518f4b9%7C84df9e7fe9f640afb435aaaaaaaaaaaa%7C1%7C0%7C636666817694941430&sdata=%2BMRdzWYOaj2EaDeaOa0KTTOSsek35aGh5%2FjJZ74T5yw%3D&reserved=0.

[adevelopcr]

I think you also can make what I called "aggressive hooking" by hooking CreateProcess in explorer.exe and other running apps for one time and the hook will copy itself to every program started by these hooked programs usually users start most programs including edge with double click so it will be started from explorer.exe

In case of hooking edge only you will compare the name of the process parameter in CreateProcess with edge executable name and once you get it you can use NtSuspendProcess , hook and finally NtResumeProcess or simply start the process with CREATE_SUSPENDED (you hooked CreateProcess) and hook your target functions

what I understood for now is that edge may be using a protection from the kernel against loading unsigned dlls but the protection starts only after setting the mitigation policy with the function mentioned above

I had to search for the techniques used by malwares to bypass this protection and most of them manual mapped the dll but I found one malware which used this method

https://www.proofpoint.com/us/threat-insight/post/Death-Comes-Calling-Thanatos-Alphabot-Trojan-Hits-Market

I think I'll soon create a protector against these attacks even if the attack was applied

The strange thing I noticed is that these attacks exist since long time probably more than 10 years but the browsers companies are only responsible for finding ways to collect more money for them

[NytroRST]

I would not like to invest too much time on this. I will just take a look and if I manage to do something, I will update NetRipper.

Thank you very much for your support, useful info!

[adevelopcr]

I'm looking forward to seeing your update And I think edge will be using some winapi functions like internet explorer maybe wininet or winhttp or something similar But also it may be using some c++\cx or c++ winrt interfaces (it's uwp)

[NytroRST]

It might use SslEncryptPacket and SslDecryptPacket, I will check as well.

---

From: adevelopcr notifications@github.com Sent: Monday, July 9, 2018 7:22:48 PM To: NytroRST/NetRipper Cc: Ionut Popescu; Comment Subject: Re: [NytroRST/NetRipper] Add support for Microsoft Edge (#22)

I'm looking forward to seeing your update And I think edge will be using some winapi functions like internet explorer maybe wininet or winhttp or something similar But also it may be using some c++\cx or c++ winrt interfaces (it's uwp)

— You are receiving this because you commented. Reply to this email directly, view it on GitHubhttps://nam05.safelinks.protection.outlook.com/?url=https%3A%2F%2Fgithub.com%2FNytroRST%2FNetRipper%2Fissues%2F22%23issuecomment-403537040&data=02%7C01%7C%7C10c52d9bdfe5402d02ee08d5e5b83637%7C84df9e7fe9f640afb435aaaaaaaaaaaa%7C1%7C0%7C636667501695134364&sdata=4obvs2EMwYoU6lob%2FZ5SP7ImsFqmWaEbq%2FZBAeECmjA%3D&reserved=0, or mute the threadhttps://nam05.safelinks.protection.outlook.com/?url=https%3A%2F%2Fgithub.com%2Fnotifications%2Funsubscribe-auth%2FAMoRQRa7__PljiE1vB-qiPbYPQ939c53ks5uE4NYgaJpZM4VGjHN&data=02%7C01%7C%7C10c52d9bdfe5402d02ee08d5e5b83637%7C84df9e7fe9f640afb435aaaaaaaaaaaa%7C1%7C0%7C636667501695134364&sdata=HQ%2FC6Lglx%2FIeSCHeIe1QSYn0kPv%2BZvaAdu29Wjg9%2F4s%3D&reserved=0.

[adevelopcr]

CNG isn't available for uwp applications

[NytroRST]

On my first checks, it looks like this is the issue: https://docs.microsoft.com/en-us/windows/desktop/api/winnt/ns-winnt-_process_mitigation_dynamic_code_policy . I have an idea about how to bypass it.

Also, it loads ncrypt.dll which has the SslEncrypt/DecryptPacket which are used by Internet Explorer (that's why I think they are also used by Edge) as a layer below WinInet/WinHttp.

[adevelopcr]

yes you are right Edge was updated and prevented dynamic code generation so what's your idea ? The protection is called acg as from here : https://blogs.windows.com/msedgedev/2017/02/23/mitigating-arbitrary-native-code-execution/

see here also : https://github.com/TsudaKageyu/minhook/issues/39

now the injection and hooking must be done before any protection is applied to microsoft edge as the booking will be impossible after the kernel protects the process

I think early hooking is my really option now

[adevelopcr]

From this : https://habrahabr.info/development/system-programming/1944-the-arbitrary-code-guard-acg-mechanism-is-an-example-of-microsoft-edge.html

You can still allocate executable memory in the target process from a process that has a handle for this process and doesn't set the policy

It seems that this function belongs to the caller so if a process doesn't use it it can use VirtualAllocEx to allocate executable memory in a remote process

But this isn't a solution , you still can't set hooks

[NytroRST]

I will look into them. I will also check this presentation: https://www.slideshare.net/JamesForshaw1/the-joy-of-sandbox-mitigations My idea is to call SetProcessMitigationPolicy / Initialize/UpdateProcThreadAttributeList to disable the protections. I am not sure how, but I will try.

[adevelopcr]

As I said it depends on the caller not the target so my idea is to hook remotely from your process but how ? If you are hooking functions in kernel32 or ntdll or user32 it's very simple as all addresses will be the same for all processes

Otherwise the injector will allocate a memory in the target which will fit to a suitable structure that will contain the addresses of the functions in the target and the dll will write the addresses there (you can pass the address of this area with CreateThread to the loader shell which will load the dll in the target) and you now can make your hooks remotely

[adevelopcr]

the solution you came with is improvement for my solution (hooking explorer.exe) So here how the two functions work :

1 - create a list using InitializeProcThreadAttributeList this will return a list which you will fill with your needs

2 - use UpdateProcThreadAttribute to update the list with PROC_THREAD_ATTRIBUTE_MITIGATION_POLICY as dwFlags and PROCESS_CREATION_MITIGATION_POLICY_PROHIBIT_DYNAMIC_CODE_ALWAYS_OFF as the lpValue

3 - use CreateProcess and combine the flags with EXTENDED_STARTUPINFO_PRESENT (you can check if it's already included in the flags) and in STARTUPINFOEX parameter assign lpAttributeList to the list you created and updated

4 - launch the process without any suspending as these mitigations can't be changed after the process started

5 - finally delete the list with DeleteProcThreadAttributeList

you can also update the list multiple times so that you can even allow loading unsigned dlls

As you can see all the work is done in the parent process (explorer.exe or cmd) but the disadvantage of this method is that you can't do anything if edge is already running and it's very easy to detect that edge is hacked

I'll try to implement the methods listed here once I get tto the computer

[NytroRST]

My idea was to use CreateRemoteThreadEx with lpAttributeList. I am not sure it will work. I was also thinking to something similar to classic DLL Injection. Instead of writing a DLL name into target process memory, to write the process mitigation structure. Unfortunately, we can only use one parameter.

Your idea should work, sounds good, but it is a bit limited for that reason.

I am looking at the James presentation and it looks like this should work: https://docs.microsoft.com/en-us/windows-hardware/drivers/ddi/content/wdm/nf-wdm-zwmapviewofsection

The checks, as you mentioned, are done against the calling process - the mitigations are not supposed to protect against DLL injection, but to protect against exploits (e.g. an exploit cannot write and execute code).

I will continue looking into this when I'll have more time and I will update this post.

Thanks a lot for your ideas!

[adevelopcr]

Ah I forgot you can do IAT hooking instead of the trampoline The IAT table is set to read only after resolving imports so you will iterate through the import table until you find your target function the use VirtualProtect to change the protection of PIMAGE_THUNK_DATA->Function to PAGE_READWRITE the assign to the address of your function and finally restore the old protection This is also suitable for firefox as it imports PR_Read and PR_Write from a dll = it stores the address of the function there and retrieve it every time it's called

you here are bypassing mitigations effectively as you aren't allocating any executable memory in the microsoft edge . But be sure you aren't allocating executable memory from your dll and don't use LoadLibrary to load unsigned dll as you adapt to the mitigation

And all executable memory allocation will be performed from your injector : writing and aligning sections and relocating the dll Then resolving imports and delayed imports and managing tls will be performed in the target by the shellcode loader you will execute using CreateRemoteThread As far as your dll doesn't depend on unsigned dll and doesn't allocate executable memory then no problems

This is my favourite hooking method for the small jobs especially before I learnet inline hooking

This solution won't work for chrome but the inline hooking

And an improvement to my previous solution : you can use named pipes to get the addresses of the functions to hook from the dll you allocated inside edge the hook remotely using inline hooking , I have a method to make the inline hooking thread safe and don't require to patch and repatch the hooked functions every time to use them so the program continue running without crashing or losing its functionality

[NytroRST]

Yes, sounds good and it should work. I will do some tests.

---

From: adevelopcr notifications@github.com Sent: 10 July 2018 01:49 To: NytroRST/NetRipper Cc: Ionut Popescu; Comment Subject: Re: [NytroRST/NetRipper] Add support for Microsoft Edge (#22)

Ah I forgot you can do IAT hooking instead of the trampoline The reloc section is iat table is set to read only after resolving imports so you will iterate through the import table until you find your target function the use VirtualProtect to change the protection of PIMAGE_THUNK_DATA->Function to PAGE_READWRITE the assign to the address of your function and finally restore the old protection This is also suitable for firefox as it imports PR_Read and PR_Write from a dll = it stores the address of the function there and retrieve it every time it's called

you here are bypassing mitigations effectively as you aren't allocating any executable memory in the microsoft edge . But be sure you aren't allocating executable memory from your dll and don't use LoadLibrary to load unsigned dll as you adapt to the mitigation

And all executable memory allocation will be performed from your injector : writing and aligning sections and relocating the dll Then resolving imports and delayed imports and managing tls will be performed in the target by the shellcode loader you will execute using CreateRemoteThread As far as your dll doesn't depend on unsigned dll and doesn't allocate executable memory then no problems

This is my favourite hooking method for the small jobs especially before I learnet inline hooking

This solution won't work for chrome but the inline hooking

And an improvement to my previous solution : you can use named pipes to get the addresses of the functions to hook from the dll you allocated inside edge the hook remotely using inline hooking , I have a method to make the inline hooking thread safe and don't require to patch and repatch the hooked functions every time to use them so the program continue running without crashing or losing its functionality

— You are receiving this because you commented. Reply to this email directly, view it on GitHubhttps://eur03.safelinks.protection.outlook.com/?url=https%3A%2F%2Fgithub.com%2FNytroRST%2FNetRipper%2Fissues%2F22%23issuecomment-403644320&data=02%7C01%7C%7C474a89e8be7e4c0b487008d5e5ee4d43%7C84df9e7fe9f640afb435aaaaaaaaaaaa%7C1%7C0%7C636667734011308458&sdata=aJoCLYZtqdToT%2Fgq%2FIiKF3GF0O%2BnQ2ffF05MGUYzmnc%3D&reserved=0, or mute the threadhttps://eur03.safelinks.protection.outlook.com/?url=https%3A%2F%2Fgithub.com%2Fnotifications%2Funsubscribe-auth%2FAMoRQVwYVPTCPKeNvKcW5flGs_KzAe8Pks5uE94XgaJpZM4VGjHN&data=02%7C01%7C%7C474a89e8be7e4c0b487008d5e5ee4d43%7C84df9e7fe9f640afb435aaaaaaaaaaaa%7C1%7C0%7C636667734011308458&sdata=f00sMLFRziapIuP0VTO%2F8ZyKJR08KCWzTGBi4oX9etU%3D&reserved=0.

[bcebere]

Hi. Did you manage to get the API hooking to work for Edge?

From the discussion above, I don't understand one thing : doesn't Edge allow only Microsoft or Microsoft Store signed dlls/binaries? How can the CreateRemoteThreadEx/IAT hooking ideas work in this scenario?

Sorry for the noob question. Thanks

[NytroRST]

Hi,

I did not manage to work at all on this, but I will start working soon. However, the focus will be on making it work with other software as well, so I am not sure when I will look into this.

I am not sure which process mitigations are in place, it might not be possible do no anything, but I will try. I will try to find a way to load and execute arbitrary code into the Edge process memory, but I am not sure how or if it will work.

The Windows APIs, such as CreateRemoteThread or ZwMapViewOfSection should work as expected, if the mitigations are not affected. For example, if mitigations allow only trusted DLLs, it might be possible (if mitigations allow) to write a small shellcode into the process.

I will let you know when I have an update.

Thank you!

[adevelopcr]

Simply just hook explorer.exe and place the hooks from there on CreateProcess You will likely use manual mapping I can help with the manual mapping but I can't impelement the full hooking now because I can't install windows 10 on the pc I'm currently using

[bcebere]

Another idea that seems to work is to use Blackbone and hook MicrosoftEdgeCP.exe for SSLDecryptPacket and SSLEncryptPacket with a hwbp/int3 hook.

Not sure I understand why interrupts are ok here, though

[adevelopcr]

Blackbone is a library for manual mapping which I learned a lot from and darthon helped me a lot to finish my pe loader but it has much features that aren't needed here and I prefer to use a code that is small as possible and this will give you better control and ability to solve the problems

And , do say that you tried hooking via blackbone successfully . I know that blackbone has some hooking method but I didn't try them before

[bcebere]

I didn't test enough for crashes, but yes, an int3 hook seems to do the job for MicrosoftEdgeCP and ncrypt.dll exports.

[adevelopcr]

Yes problem isn't in hooking but in creating the trampoline . Hooks can be set remotely or locally with iat redirection which doesn't need allocating executable memory . But as you said int3 hooks don't use trampolines but they continuously set and remove breakpoints so they aren't thread safe and the same method can be used with other hooking techniques .

So hooking before the mitigations are set is the best method . Otherwise the hooks can be applied with manual method by allocating and writing in the executable area from our process and the dll injected in edge will send us the data to write and we will send it the addresses where the data is allocated . I've done a method like this in retrieving Gpu Card name from a Windows service by injecting the shellcode into another process and passing an address where the buffer will be written and then retrieving the buffer

[sevagas]

Hi, I just posted an paper explaining how to disable ACG ans hook Edge at: https://blog.sevagas.com:80/?Code-Injection-Disable-Dynamic-Code-Mitigation-ACG Easy to reuse in NetRipper