NVDA is unable to hook into metro apps

[mdcurran]

Whether or not NVDA has the uiAccess privilages, it is not able to inject into the processes of metro apps. This means that:

• There is no typed characters spoken,
• No chance of display model information,
• No virtualBuffers.

We currently try to inject in to any app via an in-process winEvent hook. We may be able to investigate other tricks like opening the process and creating a remote thread, though if thei're not allowing winEvents, then they're probably not allowing openProcess.
We'll have to find out Microsoft's plans for this security-wize.

[mdcurran]

Further technical info:

1. SetWinEventHook? does allow for hooking in to metro apps on Windows 8 but it seems that Windows itself when loading the dll containing the hook into each process, is not loading with the LOAD_AS_ALTERED_PATH, which means that if the dll is linked against any other dll which should be found in the same directory, this second dll is never found and therefore the load fails. The hook is not executed in-process, instead the dll is never loaded and the hook is executed out-of-process.

nvdaHelperRemote.dll links against minhook.dll, which is located in the same directory. Windows cannot locate minhook.dll in Metro apps.
We can solve this issue by loading minhook.dll from nvdaHelperRemote.dll using LoadLibrary? and then mapping the symbols with getProcAddress, rather than linking against it.
However, we have requested that Microsoft fix this... so we shall see what happens.

2. Apps from the Windows store, and the content process of the Metro-style Internet Explorer, and the included metro apps (Store, Calendar etc) are all run with a new appContainer integrity level. This integrity level is a new level lower than the previous lowest one (low) which has always been used for content processes in Internet Explorer (protected mode).

NVDA cannot function at all well in-process when the process has the appContainer integrity level. RPC client requests seem to fail, they are extremely hard to debug, oddly even the Beep function does not even work.
We have requested further info from Microsoft in regards to exactly what does and does not work in appContainer integrity. However it may end up being that we just cannot function in these situations in-process and therefore will have to resort to out-of-process forms of interaction in these apps (including Internet Explorer metro app). Relying on UI Automation in these situations may improve the experience a little.

[mdcurran]

Some ongoing work for injection in to metro apps in this branch:
 http://bzr.nvaccess.org/nvda/win8Injection
Not finished yet.

• Loading of minHook has been fixed: Minhook is now marked as a delay loaded dll, but before any function from minHook is called, LoadLibrary? is used to load it manually using an absolute path.
• Inproc code can now contact NVDA's rpc server: RpcUseProtseqEp? and the new RpcServerRegisterIf3 functions needed to take a security descriptor who's DACL allowed generic all for the AC sid (AppContainer? integrity level).
  • NVDA's process and the injectionDoneEvent event needed to have a security descriptor who's DACL allowed synchronize (0x100000) for the AC sid (AppContainer? integrity level) so that code in an AppContainer? could wait on both our process and the event as expected.

NVDA can now at least speak typed characters (and I assume report input lang changes) in Metro apps.

But! Still no success with running an rpc server from within an AppContainer?, therefore no virtualBuffers or displayModel yet. Still working on it.

also the security descriptors used are way too wide open (a part from allwoing AppContainer? level, they are allowing generic all for all authenticated users, as I can't yet find a simple way to do inheritence or defaults)

[mdcurran]

Hooking in to metro style apps is now complete, giving support for speak typed characters, displayModel (if GDI is used) and browse mode for web documents (including full support for the metro version of Internet Explorer 10). Note though that NVDA can only hook in to metro apps if it has the UIAccess privilidge meaning that snapshots and any portable copies cannot do this, only just installed copies that are signed.
Merged in changeset:main,5120.