Chrome 78 Canary blocks injection to Chrome renderer processes #597
Comments
Let's see if the change will be kept to the final release. |
ditto for recent chrome dev (78.0.3876.0). |
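Indeed, since version 78, SimSun has gone back to its old look; it only renders properly with --disable-features=RendererCodeIntegrity. |
I have always used MacType together with replacement versions of Microsoft YaHei and SimSun that have their hinting removed. At first I didn't notice this problem, because de-hinted YaHei and MacType's default rendering look about the same, perhaps just slightly thinner. But today I visited Baidu Baike, whose default font is SimSun, and SimSun is forcibly grid-fitted at small sizes even with hinting removed, which is a real pain, and then I found that Chrome (I use the Chromium-based Edge) actually can't be rendered by MacType anymore. With --disable-features=RendererCodeIntegrity, Chrome can only be opened from a specific shortcut, which is quite inconvenient. Please fix. |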
Thanks for your report. |
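In the new Edge, whether on the stable channel or the Canary channel, this block no longer takes effect (it has been like this for at least a week or so). I don't know whether Microsoft disabled this feature. If you are using Chrome, I suggest trying Edge. |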
Closed? There's no workaround for this? :( |
Is this issue solved? |
This issue wasn't present in 78.0.3904.108. --disable-features=RendererCodeIntegrity seems to fix the issue. Please see https://support.symantec.com/us/en/article.tech256047.html I think you might have to hook the mitigation policy function after all. |
Sure, however, I already tried too many times pulling the chromium code without success... it's simply too big... |
The current Edge Chromium version 80.0.361.48 now has this problem too. |
Mactype works fine in Chromium Edge (Version 80.0.361.62 (Official build) (64-bit)) with --disable-features=RendererCodeIntegrity. Thanks for the solution. |
You could also insert the DWORD "RendererCodeIntegrityEnabled" with a value of 0 into
- HKLM\Software\Policies\Chromium, for Chromium
- HKLM\Software\Policies\Google\Chrome, for Chrome
- I'm assuming HKLM\Software\Policies\Microsoft\Edge, for Edge
I don't have a computer at hand at the moment so I can't test it sorry...
EDIT: policies typo
|
Tested it myself and it works, thanks. |
You are really a life saver. Wiki updated. Thank you! |
My pleasure! I tried using it with the --disable-features setting but it wouldn't work if I opened it up from a link or something, this is more of a global workaround. |
Maybe Microsoft has heard our solution of --disable-features=RendererCodeIntegrity, now this code fails in the latest Chromium Edge (Version 80.0.361.66 (Official build) (64-bit)). Fortunately the DWORD solution still works!!! Thank you, @kcohar! |
I don't think they'd disable the setting deliberately, probably just a bug, but yeah, the registry edit is pretty nice (thank you Symantec Endpoint Protection for the idea)
|
By the way I managed to get it to work in Brave too by adding "RendererCodeIntegrityEnabled" with the value 0 to HKLM\Software\Policies\BraveSoftware\Brave |
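Maybe signing the DLL and the program would solve it? |
That won't work. As you added, it has to be a Microsoft signature or one of a few high-level signatures; an ordinary software signature is useless, so the only option is to disable the verification. |
Sorry, I forgot to add my own result: it doesn't work. Also, Chrome can even override the related switch in Windows Defender, so the registry is the only way. But that "managed by your organization" notice is really suffocating. |
Even with Microsoft Edge enabled in Mactype, font rendering still seems terrible. Does anyone know whether Mactype is implemented for Edge? |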
What you're looking for is a better way to intercept DirectWrite which, AFAIK, doesn't exist. |
I found a script |
https://chromium-review.googlesource.com/c/chromium/src/+/1629607 |
You have no way to hook it since you have no way to inject mactype dll in the first place. |
You don't have to. Simply creating a policy for Chrome would solve the problem: https://github.com/snowie2000/mactype/wiki/Google-Chrome#policy-thanks-to-kcohar Disabling the sandbox is complete overkill. |
I'm just really worried about this:
https://www.reddit.com/r/sysadmin/comments/dlvu88/chrome_78_update_symantec_endpoint_protection/f4yaguj/
People have been using this workaround to be able to get their security
tools to run in Chrome (disabling Chrome security to get better security
LOL), but it's actually quite possible that Google may remove the ability
to disable the renderer code integrity feature later on, and that would
take us right back to square one.
On Sun, Apr 26, 2020 at 4:15 AM snowie2000 wrote:
> I found --no-sandbox to be a functional workaround for 81.0.4044.113
>
> On abr. 25 2020, at 9:14 pm, railjty wrote:
> > It simply adds a text shadow to everything to make texts soft
> > Use it as a stopgap for now!
>
> You don't have to. Simply creating a policy for Chrome would solve the problem:
> https://github.com/snowie2000/mactype/wiki/Google-Chrome#policy-thanks-to-kcohar
|
That will be a disaster for us then... |
Yes, it is a serious problem. People disabled more security options to use their tools.
|
The problem is I haven't understood the way Chrome whitelists DLLs. If I can somehow figure out how they did it, I may have a chance to hook and insert our DLL to be part of it. |
The source code shows that maybe they only use file name?
|
The source code is too huge to be examined ... or searched ... |
The src is so crazy that even right-clicking on a source file can freeze my explorer for seconds |
I knew that this is the key:
```cpp
result = policy->AddRule(sandbox::TargetPolicy::SUBSYS_SIGNED_BINARY,
                         sandbox::TargetPolicy::SIGNED_ALLOW_LOAD,
                         GetModulePath(dll).value().c_str());
```
But I failed to figure how the rule is added😕 |
Should we file a bug with the chromium devs? Who knows, they might be willing to help?
|
I have never thought they would provide us a way to add external DLLs as its sandbox exceptions. |
It is a Win32 API. But we cannot hook it and add a rule without disabling CIG. Turn MacType's core into a single DLL, rename it directly to chrome_elf.dll and sign it (this does not need a Microsoft signature), add that rule inside our own DLL, and load the original chrome_elf.dll.
|
Why can't we hook it? (despite doing it for good or bad) |
I happened to find out a way to work around this and successfully tricked chrome to disable the integrity check, but I'm still looking for more "secure" ways to do it. |
You can show it for those who don't need a safe browser |
My method does disable some of the new safety measures but still has the sandbox enabled, and all the basic protections are still working. So technically speaking it is still safe, but I want the impact to be as small as possible. |
The problem of my new method is that it doesn’t only allow Mactype to be injected into the chrome. Like disabling code integrity check, all the other tools can be injected. |
I think the CIG is not suitable for Chrome because the browser's dynamic libraries like chrome_elf.dll are in the whitelist, so it doesn't need Microsoft's certificate. We can make a new dynamic library which only adds a rule to the whitelist and passes other functions to the original chrome_elf.dll |
Wow that's amazing, props! Are we gonna see this in master?
On Tuesday, April 28, 2020, snowie2000 wrote:
> Update:
> I figured a perfect way to load MacType into the latest Chrome in Windows 10, and the method also worked for Microsoft Edge (chromium-based).
> ![edge](https://user-images.githubusercontent.com/11767189/80449416-af9ed600-8951-11ea-9e3c-cfefda6e4484.png)
|
awesome |
update: this version of chromium Edge (83.0.478.54 ) still works under "--disable-features=RendererCodeIntegrity" |
Hi there, for a while I’ve used the solution of the command line "C:\Program Files\Vivaldi\Application\vivaldi.exe" --disable-features=RendererCodeIntegrity and forcing Windows 8 compatibility in order for MacType to work inside Vivaldi. However, after Windows updates KB5000842 and KB4589212 were installed, this no longer seems to work. I’ve never been able to do the registry method outlined above as the keys simply are not there for Vivaldi. Under HKLM\Software\Policies I only have Adobe and Microsoft, and no Google. Is there somewhere else I can add the registry key(s)? Edit: I have updated MacType to the latest version. Also one of my shortcuts was missing the --disable-features=RendererCodeIntegrity; I’ve now added --disable-lcd-text as well. This appears to have solved the problem. |
Create a key called HKLM\SOFTWARE\Policies\Vivaldi, and put a DWORD in there called RendererCodeIntegrityEnabled, with a value of "0".
![image](https://user-images.githubusercontent.com/47360019/114307841-b4688580-9ae1-11eb-9161-d2196c31721c.png)
Once the next version of mactype comes out we won't have to do this anymore.
|
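A defender-side check for the two workarounds used in this thread, added here as an example (it is not code from MacType or from any commenter): it flags browser command lines carrying `--disable-features=RendererCodeIntegrity` or `--no-sandbox`, and finds policy keys in `reg query`-style output where `RendererCodeIntegrityEnabled` is a DWORD of 0. The function names, sample command lines and sample registry text are constructed for illustration.

```python
import re

# Switches discussed in this thread that turn off renderer hardening.
FLAG_PATTERNS = {
    "RendererCodeIntegrity": re.compile(
        r'--disable-features=[^\s"]*\bRendererCodeIntegrity\b'),
    "no-sandbox": re.compile(r'--no-sandbox(?![\w-])'),
}
POLICY_VALUE = "RendererCodeIntegrityEnabled"
# A value line in reg query output: indent, name, type, data.
VALUE_LINE = re.compile(r"^\s+(\S+)\s+(REG_\w+)\s+(\S+)\s*$")


def weakening_flags(cmdline):
    """Return the names of hardening-disabling switches on one command line."""
    return sorted(n for n, rx in FLAG_PATTERNS.items() if rx.search(cmdline))


def disabled_policy_keys(reg_query_text):
    """Return policy keys where RendererCodeIntegrityEnabled is DWORD 0."""
    hits, key = [], None
    for line in reg_query_text.splitlines():
        if line.upper().startswith("HKEY_"):   # key header line, column 0
            key = line.strip()
            continue
        m = VALUE_LINE.match(line)
        if (m and key and m.group(1).lower() == POLICY_VALUE.lower()
                and m.group(2) == "REG_DWORD" and int(m.group(3), 16) == 0):
            hits.append(key)
    return hits


# Constructed sample data (not taken from any real host).
SAMPLE_CMDLINES = [
    r'"C:\Program Files\Vivaldi\Application\vivaldi.exe" --disable-features=RendererCodeIntegrity',
    r'"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-features=Foo,RendererCodeIntegrity --no-sandbox',
    r'"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer',
]
SAMPLE_REG = r"""
HKEY_LOCAL_MACHINE\Software\Policies\Google\Chrome
    RendererCodeIntegrityEnabled    REG_DWORD    0x0

HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Edge
    RendererCodeIntegrityEnabled    REG_DWORD    0x1
"""

if __name__ == "__main__":
    for c in SAMPLE_CMDLINES:
        print(weakening_flags(c), c)
    print(disabled_policy_keys(SAMPLE_REG))
```

The same two checks can be pointed at process-creation logs and at a recursive registry query of `HKLM\Software\Policies` to inventory hosts where the mitigation has been switched off.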
According to Chromium Issue #990640 and Chromium Review #1629607, Chrome 78 Canary is starting to block injection into Chrome renderer processes. Mactype Beta 6 cannot work correctly since 78.0.3874.0.
Currently, we can use `--disable-features=RendererCodeIntegrity` to avoid the block.
I think I should bring this message to you, no matter whether it will be fixed or not.
Here are some screenshots.
It's more obvious and different in Chinese. Please open the two screenshots in an image viewer and switch between them a few times:
Without any argument, it works incorrectly and cannot be enabled in Process Manager:
Works fine with `--disable-features=RendererCodeIntegrity`: