Open zheung opened 5 years ago
Let's see if the change will be kept to the final release.
I'd rather not hook the SetProcessMitigationPolicy API. It's really one of the most important security parts of Windows 10.
ditto for recent chrome dev (78.0.3876.0).
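Indeed, from version 78 onward SimSun went back to its old look; it only renders properly with --disable-features=RendererCodeIntegrity.
I have always used MacType together with replacement, hinting-stripped versions of Microsoft YaHei and SimSun. I didn't notice this problem at first, because hinting-stripped YaHei looks about the same as MacType's default rendering, perhaps just slightly thinner. But today I visited Baidu Baike, whose default font is SimSun; even with hinting removed, SimSun is force grid-fitted at small sizes, which is extremely annoying, and that is when I found that Chrome (I use the Chromium-based Edge) was actually no longer being rendered by MacType. With --disable-features=RendererCodeIntegrity, Chrome can only be opened from a specific shortcut, which is quite inconvenient. Please fix.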
78.0.3904.70 stable has released. Blocking has been kept in this version.
Thanks for your report. Really bad news.
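In the new Edge, on both the stable and canary channels, this block no longer takes effect (it has been this way for at least about a week). I don't know whether Microsoft disabled this feature; if you are using Chrome, you could try Edge.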
Closed? There's no workaround for this? :(
Is this issue solved?
This issue wasn't present in 78.0.3904.108. But it's back, and I can see it in Chrome 79.0.3945.79 (latest stable version as of Dec 12, 2019) and the canary version, 81.0.3993.0.
--disable-features=RendererCodeIntegrity seems to fix the issue.
Please see https://support.symantec.com/us/en/article.tech256047.html It seems that SEP was patched to mitigate this issue.
I think you might have to hook the mitigation policy function after all.
Sure, however, I already tried too many times pulling the chromium code without success... it's simply too big...
Edge Chromium version 80.0.361.48 now has this problem too.
Mactype works fine in Chromium Edge (Version 80.0.361.62 (Official build) (64-bit)) with --disable-features=RendererCodeIntegrity.
Thanks for the solution.
You could also insert the DWORD "RendererCodeIntegrityEnabled" with a value of 0 into

- HKLM\Software\Policies\Chromium, for Chromium
- HKLM\Software\Policies\Google\Chrome, for Chrome
- I'm assuming HKLM\Software\Policies\Microsoft\Edge, for Edge

I don't have a computer at hand at the moment so I can't test it sorry...
EDIT: policies typo
Tested it myself and it works, thanks.
You are really a life saver. Wiki updated. Thank you!
My pleasure!
I tried using it with the --disable-features setting but it wouldn't work if I opened it up from a link or something, this is more of a global workaround.
Maybe Microsoft has heard our solution of --disable-features=RendererCodeIntegrity, now this code fails in the latest Chromium Edge (Version 80.0.361.66 (Official build) (64-bit)). Fortunately the DWORD solution still works!!! Thank you, @kcohar!
i don't think they'd disable the setting deliberately, probably just a bug but yeah, the registry edit is pretty nice (thank you symantec endpoint protection for the idea)
By the way I managed to get it to work in Brave too by adding "RendererCodeIntegrityEnabled" with the value 0 to HKLM\Software\Policies\BraveSoftware\Brave
It works on Chromium Edge 81.0.416.28 (Official build) beta (64-bit). Thanks for your solution!
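Maybe signing the DLL and the program would solve it? Under chrome://conflicts/ only MacType is unsigned. Edit: the signature has to be a Microsoft signature, which makes this a long shot.
That won't work. As you added, it has to be a Microsoft signature or one of a few high-level signatures; an ordinary software signature is useless, so the only option is to disable the verification.
Sorry, I forgot to add my own result: it didn't work. Chrome can even override the relevant switch in Windows Defender, so the registry is the only way. But that "managed by your organization" notice is really suffocating.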
Even with Microsoft Edge enabled in Mactype, font rendering still seems terrible. Does anyone know whether Mactype is implemented for Edge?
What you're looking for is a better way to intercept DirectWrite which, AFAIK, doesn't exist.
I found a script https://github.com/syhyz1990/mactype Edit: ONLY USE IT WHEN YOU CANNOT USE MACTYPE
It simply adds a text shadow to everything to make texts soft
Use it as a stopgap for now!
I found --no-sandbox to be a functional workaround for 81.0.4044.113
https://chromium-review.googlesource.com/c/chromium/src/+/1629607 According to the review, chrome_child.dll and chrome_elf.dll are in the whitelist now. Maybe patch them?
Edit: https://chromium-review.googlesource.com/c/chromium/src/+/1629607/20/chrome/browser/chrome_content_browser_client.cc#3713 chrome_elf.dll is always loaded and it is a render DLL. Maybe hooking it would be better.
You have no way to hook it since you have no way to inject mactype dll in the first place.
You don't have to. Simply creating a policy for Chrome would solve the problem: https://githubfast.com/snowie2000/mactype/wiki/Google-Chrome#policy-thanks-to-kcohar
Disabling the sandbox is complete overkill.
I'm just really worried about this: https://www.reddit.com/r/sysadmin/comments/dlvu88/chrome_78_update_symantec_endpoint_protection/f4yaguj/ People have been using this workaround to be able to get their security tools to run in Chrome (disabling Chrome security to get better security LOL), but it's actually quite possible that Google may remove the ability to disable the renderer code integrity feature later on, and that would take us right back to square one.
Our Google support contact says the ability to suppress the feature will be removed after the next few versions.
That will be a disaster for us then...
Yes, it is a serious problem. People disabled more security options to use their tools.
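For anyone who needs to see which machines carry the workarounds discussed above, here is a read-only audit written as an added example (it is not code from this thread or from MacType). It checks the policy keys and command-line switches quoted in the thread; checking HKCU as well as HKLM, and the browser image names `chrome.exe`, `msedge.exe` and `brave.exe`, are assumptions.

```powershell
# Added audit example; read-only, it changes nothing on the machine.
# Registry keys and switch names are the ones quoted in this thread.
# Assumptions: HKCU is checked as well as HKLM, and the browser image names
# (chrome.exe, msedge.exe, brave.exe) are the usual defaults.
$PolicyKeys = @(
    'Software\Policies\Chromium',
    'Software\Policies\Google\Chrome',
    'Software\Policies\Microsoft\Edge',
    'Software\Policies\BraveSoftware\Brave'
)
$ValueName = 'RendererCodeIntegrityEnabled'

function Get-RendererIntegrityPolicy {
    foreach ($hive in 'HKLM:', 'HKCU:') {
        foreach ($key in $PolicyKeys) {
            $path = '{0}\{1}' -f $hive, $key
            $item = Get-ItemProperty -Path $path -Name $ValueName -ErrorAction SilentlyContinue
            if ($null -ne $item) {
                [pscustomobject]@{
                    Source   = $path
                    Finding  = '{0}={1}' -f $ValueName, $item.$ValueName
                    Weakened = ($item.$ValueName -eq 0)   # 0 turns the check off
                }
            }
        }
    }
}

function Get-WeakenedBrowserProcess {
    # Child processes carry --type=...; skipping them reports each browser once.
    $pattern = '--disable-features=\S*RendererCodeIntegrity|--no-sandbox'
    $filter  = "Name='chrome.exe' OR Name='msedge.exe' OR Name='brave.exe'"
    foreach ($proc in Get-CimInstance -ClassName Win32_Process -Filter $filter) {
        $cmd = $proc.CommandLine
        # CommandLine is empty for processes the current user cannot inspect.
        if (-not $cmd -or $cmd -match '--type=') { continue }
        $hit = [regex]::Match($cmd, $pattern)
        if ($hit.Success) {
            [pscustomobject]@{
                Source   = '{0} (PID {1})' -f $proc.Name, $proc.ProcessId
                Finding  = $hit.Value
                Weakened = $true
            }
        }
    }
}

$findings = @(Get-RendererIntegrityPolicy) + @(Get-WeakenedBrowserProcess)
if ($findings.Count -eq 0) {
    'No renderer code integrity overrides found.'
} else {
    $findings | Sort-Object Weakened -Descending | Format-Table -AutoSize
}
```

A policy value other than 0 is listed with `Weakened` set to False, so an explicitly enforced setting is visible alongside the overrides.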
The problem is I haven't understood the way Chrome whitelist dlls, if I can somehow figure out how they did it, I may have a chance to hook and insert our dll to be part of it.
The source code shows that maybe they only use file name?
The source code is too huge to be examined ... or searched ...
The src is too crazy that even right-click on a source file can freeze my explorer for seconds
I knew that this is the key:
```cpp
result = policy->AddRule(sandbox::TargetPolicy::SUBSYS_SIGNED_BINARY,
                         sandbox::TargetPolicy::SIGNED_ALLOW_LOAD,
                         GetModulePath(dll).value().c_str());
```
But I failed to figure how the rule is added😕
Should we file a bug with the chromium devs? Who knows, they might be willing to help?
I have never thought they would provide us a way to add external dlls as it's sandbox exceptions.
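It is a Win32 API. But we cannot hook it and add a rule without disabling CIG. Turn MacType's core into a single DLL, rename it directly to chrome_elf.dll and sign it (this doesn't need a Microsoft signature), then add that rule inside our own DLL and load the original chrome_elf.dll.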
Why can't we hook it? (despite doing it for good or bad)
I happened to find a way to work around this and successfully tricked Chrome into disabling the integrity check, but I'm still looking for more "secure" ways to do it.
You can show it for those who don't need a safe browser.
My method does disable some of the new safety measures but still has the sandbox enabled, and all the basic protections are still working. So technically speaking it is still safe, but I want the impact to be as small as possible.
The problem with my new method is that it doesn't only allow Mactype to be injected into Chrome. As with disabling the code integrity check, all the other tools can be injected.
According to Chromium Issue #990640 and Chromium Review #1629607, Chrome 78 Canary is starting to block injection into Chrome renderer processes. Mactype Beta 6 cannot work correctly since 78.0.3874.0. Currently, we can use `--disable-features=RendererCodeIntegrity` to avoid the block.
I think I should bring this message to you, whether or not it will be fixed.
Here are some screenshots. It's more obvious and different in Chinese. Please open the two screenshots in an image viewer and switch between them a few times:
Without any argument, it works incorrectly and cannot be enabled in Process Manager:
Works fine with `--disable-features=RendererCodeIntegrity`: