NtCreateSection() - relation between parent and child process

Hi again,

Another question came to my mind.

I hooked NtCreateSection() (as was suggested by the guys from
www.sysinternals.com back in 1997) right below the frontier from user mode to kernel mode
(changed the SDT entry). Since currently my driver produces some debug output,
I see a query of the section for the child process each second or so and
obviously coming from the parent process. How is that? What does it mean?

Could it be that this is how the parent determines whether the child process
is still active (one of the infamous Wait* functions maybe?!).

Does anyone have some details on that?

Oliver

The whole concept of hooking is a BAD IDEA. Hopefully this is for a driver
for your testing only; commercial software with this is a PIECE OF SHIT.

Don Burn (MVP, Windows DDK)
Windows 2k/XP/2k3 Filesystem and Driver Consulting

----- Original Message -----
From:
To: “Windows System Software Devs Interest List”
Sent: Monday, January 26, 2004 9:46 AM
Subject: [ntdev] NtCreateSection() - relation between parent and child
process

> —
> Questions? First check the Kernel Driver FAQ at
http://www.osronline.com/article.cfm?id=256
>
> You are currently subscribed to ntdev as: xxxxx@acm.org
> To unsubscribe send a blank email to xxxxx@lists.osr.com

Hi Don,

it’s not only for testing, but it will definitely not be commercial :wink:
I also see some drawbacks with hooking: imagine one driver hooks some system
service. Another driver does so, too. Then the first driver is unloaded. The
second driver will still point to the function address of the first one.

But besides all cursing, do you have any idea on that?

The idea is to block execution of processes in the system. The means the GPO
provides for this purpose are lame: i.e. you can define a file name but not
a path. Imagine you restrict execution of setup.exe … this will be
systemwide no matter in which path the module is located.
There’s already a free product for this: Trust-no-Exe (they basically do the
same as I) - but it has some minor drawbacks I’d like to overcome.

Oliver


Fine, use PsSetLoadImageNotifyRoutine; this will do exactly what you are
trying to do with hooking NtCreateSection, and it is documented. While it is
not documented, if you terminate the calling thread of this routine, you
terminate the process cleanly. As far as the user account goes, you are going
to have to have a user piece if you want anything more than the SID.

Don Burn (MVP, Windows DDK)
Windows 2k/XP/2k3 Filesystem and Driver Consulting
Remove StopSpam from the email to reply

----- Original Message -----
From:
To: “Windows System Software Devs Interest List”
Sent: Monday, January 26, 2004 9:58 AM
Subject: Re: [ntdev] NtCreateSection() - relation between parent and child
process


Wait,

I was aware of this function PsSetLoadImageNotifyRoutine(), but it is invoked
sometime AFTER the process runs, or not? This is how I understood it. The
alternative sounds much better indeed. Will try it out.

Thanks for the help,

Oliver


No. It is invoked from MmCreateProcessAddressSpace when the EXE is mapped into
the process; this is inside NtCreateProcess.

Maxim Shatskih, Windows DDK MVP
StorageCraft Corporation
xxxxx@storagecraft.com
http://www.storagecraft.com

----- Original Message -----
From: “Oliver Schneider”
To: “Windows System Software Devs Interest List”
Sent: Monday, January 26, 2004 7:05 PM
Subject: Re: [ntdev] NtCreateSection() - relation between parent and child
process


Aha,

so it only gets invoked when NtCreateProcess() (the system service) is
used?! That’s bad. There are nice examples on how to create a process without this
system service.

Thanks for the information.

@Don: Seems I have to fall back to the Hooking method. Although it’s not
nice I am sure it will work since I am the admin on the machines where it is to
be used :wink:

Oliver


NO, the PsSetLoadImageNotifyRoutine is always invoked.

Don Burn (MVP, Windows DDK)
Windows 2k/XP/2k3 Filesystem and Driver Consulting

----- Original Message -----
From:
To: “Windows System Software Devs Interest List”
Sent: Monday, January 26, 2004 11:34 AM
Subject: Re: [ntdev] NtCreateSection() - relation between parent and child
process

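The path-scoped execution policy Oliver is after (deny by location rather than by the bare file name a GPO rule can express), evaluated on the inputs that a routine registered with PsSetLoadImageNotifyRoutine receives, as an added example that is not code from anyone in this thread. The decision logic is written as portable C so it builds and runs outside a driver: the LoadImageEvent struct, the RuleKind/DenyRule types, the sample NT paths and the count_denied and denied_by_path_rules helpers are all constructed for this illustration and stand in for the FullImageName, ProcessId and IMAGE_INFO arguments of the real callback. Enforcement (what the driver does once a load is denied) is deliberately left out; only the policy decision is shown.

```c
/* Added illustration, not code from the thread: a path-scoped image-load policy.
 * LoadImageEvent is a constructed stand-in for the FullImageName / ProcessId /
 * IMAGE_INFO arguments a PsSetLoadImageNotifyRoutine callback receives. */
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <wchar.h>
#include <wctype.h>

typedef struct {
    const wchar_t *full_image_name; /* NT device path, as the callback reports it */
    unsigned long  process_id;      /* 0 for a kernel-mode image */
    bool           system_mode_image;
} LoadImageEvent;

typedef enum { RULE_FILENAME, RULE_FULLPATH, RULE_DIRECTORY } RuleKind;
typedef struct {
    RuleKind       kind;
    const wchar_t *pattern;
} DenyRule;

/* Windows paths are case-insensitive, so every comparison folds case. */
static bool wequal_ci(const wchar_t *a, const wchar_t *b) {
    for (; *a && *b; a++, b++)
        if (towlower((wint_t)*a) != towlower((wint_t)*b)) return false;
    return *a == L'\0' && *b == L'\0';
}
static bool wprefix_ci(const wchar_t *s, const wchar_t *prefix) {
    for (; *prefix; s++, prefix++)
        if (*s == L'\0' || towlower((wint_t)*s) != towlower((wint_t)*prefix)) return false;
    return true;
}
/* Last path component: the only thing a file-name-only (GPO-style) rule sees. */
static const wchar_t *basename_w(const wchar_t *path) {
    const wchar_t *last = path;
    for (const wchar_t *p = path; *p; p++)
        if (*p == L'\\') last = p + 1;
    return last;
}

static bool rule_matches(const DenyRule *rule, const wchar_t *path) {
    switch (rule->kind) {
    case RULE_FILENAME:  return wequal_ci(basename_w(path), rule->pattern);
    case RULE_FULLPATH:  return wequal_ci(path, rule->pattern);
    case RULE_DIRECTORY: {
        /* The prefix must end on a directory boundary: "\Temp" must not match "\Temp2\x.exe". */
        if (!wprefix_ci(path, rule->pattern)) return false;
        size_t n = wcslen(rule->pattern);
        return path[n] == L'\\' || (n > 0 && rule->pattern[n - 1] == L'\\');
    }
    }
    return false;
}

/* Policy decision for one load event. Only user-mode images are policed; driver loads are left alone. */
bool should_deny_image(const LoadImageEvent *ev, const DenyRule *rules, size_t nrules) {
    if (ev->full_image_name == NULL || ev->system_mode_image || ev->process_id == 0)
        return false;
    for (size_t i = 0; i < nrules; i++)
        if (rule_matches(&rules[i], ev->full_image_name)) return true;
    return false;
}

/* Constructed sample events (not captured from a real system). */
const LoadImageEvent sample_events[] = {
    { L"\\Device\\HarddiskVolume1\\Users\\bob\\Downloads\\setup.exe", 1234, false },
    { L"\\Device\\HarddiskVolume1\\Program Files\\Vendor\\setup.exe", 1235, false },
    { L"\\Device\\HarddiskVolume1\\Windows\\Temp2\\tool.exe",         1236, false },
    { L"\\SystemRoot\\System32\\drivers\\example.sys",                0,    true  },
};
/* What the GPO offers: a bare file name, so every setup.exe on the box is hit. */
const DenyRule filename_rules[] = { { RULE_FILENAME, L"setup.exe" } };
/* What Oliver wants: deny by location, leaving the vendor's setup.exe alone. */
const DenyRule path_rules[] = {
    { RULE_DIRECTORY, L"\\Device\\HarddiskVolume1\\Users\\bob\\Downloads" },
    { RULE_DIRECTORY, L"\\Device\\HarddiskVolume1\\Windows\\Temp" },
};

/* Number of sample loads a rule set would deny. */
size_t count_denied(const DenyRule *rules, size_t nrules) {
    size_t denied = 0;
    for (size_t i = 0; i < sizeof sample_events / sizeof sample_events[0]; i++)
        if (should_deny_image(&sample_events[i], rules, nrules)) denied++;
    return denied;
}
/* Check a single user-mode image path against path_rules. */
bool denied_by_path_rules(const wchar_t *path) {
    LoadImageEvent ev = { path, 1, false };
    return should_deny_image(&ev, path_rules, sizeof path_rules / sizeof path_rules[0]);
}

int main(void) {
    printf("file-name rule denies %zu sample loads, path rules deny %zu\n",
           count_denied(filename_rules, 1), count_denied(path_rules, 2));
    return 0;
}
```

Two things carry over to a real driver. The notify routine fires for every image mapped into a process, DLLs included, not only the main executable, so the policy has to say explicitly which loads it polices. And FullImageName is an NT device path, not the Win32 path an administrator writes a GPO rule against, so rules must be stored (or translated) into the form the callback actually reports, as the constructed rules above are.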

We hook all sorts of things all the time, and we don’t have any problems.
And our software is very much commercial grade, and no, it isn’t a piece of
shit !

Point being: do the job right, and hooking is invisible.

Alberto.

-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com]On Behalf Of Don Burn
Sent: Monday, January 26, 2004 9:49 AM
To: Windows System Software Devs Interest List
Subject: Re: [ntdev] NtCreateSection() - relation between parent and
child process


The contents of this e-mail are intended for the named addressee only. It
contains information that may be confidential. Unless you are the named
addressee or an authorized designee, you may not copy or use it, or disclose
it to anyone else. If you received it in error please notify us immediately
and then destroy it.

Ok, so I understand fully that a debugger must do these things (or at least,
if you want a complete debugging tool, e.g., SoftICE, you must do this,
unless you can convince MS to have an undocumented (or documented) way of
officially “hooking” system calls).

I just wonder how you deal with competing “hookers” (no pun intended) that
may have got there before you and potentially get unloaded at a later
stage, which means that your “old hook” pointer is now pointing into dead
space in memory? Obviously, I can understand that the answer is a “company
secret”, and if it is, can you just explain as much as possible about it,
without revealing the “secret” bits?

I’m just curious, rather than having any specific use for this. In fact, I
haven’t “hooked” anything since I left off the Atari ST that used to be my
home-computer many years ago. At that time, hooking into the OS was just
about the only way to do things if you didn’t have a “public” support for
it.


Mats

-----Original Message-----
From: Moreira, Alberto [mailto:xxxxx@compuware.com]
Sent: Tuesday, January 27, 2004 4:06 PM
To: Windows System Software Devs Interest List
Subject: RE: [ntdev] NtCreateSection() - relation between parent and
child process


Sorry, hooking is never invisible since you cannot tell who is going to
layer on next, or who got there before you. Yes, in the case of SoftIce,
since you are present at all times this may not be a problem, but having
been bitten by products that think they can hook with impunity, and then
fail when the world changes, I will repeat my comment that this is a BAD IDEA.

More importantly, if you really need to do this for a general purpose
driver, you should at least make the effort to see if there is another
approach that will work, or ask Microsoft for a long term solution.

Don Burn (MVP, Windows DDK)
Windows 2k/XP/2k3 Filesystem and Driver Consulting

----- Original Message -----
From: “Moreira, Alberto”
To: “Windows System Software Devs Interest List”
Sent: Tuesday, January 27, 2004 11:05 AM
Subject: RE: [ntdev] NtCreateSection() - relation between parent and child
process


Sounds like this week we will have a very strong exchange of emails !!!

For a while it was quiet. To the best of my knowledge, the pattern is
discrete-state continuous-time Brownian motion :-). So waiting for a peak !

–prokash

-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com]On Behalf Of Moreira, Alberto
Sent: Tuesday, January 27, 2004 8:06 AM
To: Windows System Software Devs Interest List
Subject: RE: [ntdev] NtCreateSection() - relation between parent and
child process


We hook with BoundsChecker, TrueTime, TrueCoverage, and we can run software
in production mode while hooked by those products, that’s what they’re
designed for.

When I was at Number Nine we hooked the GDI extensively, and we got lots of
press awards for our product. In fact sometimes we went as far as rewriting
substantial portions of the GDI for speed, and we were never known for
instability or for low quality.

And if a product thinks they can hook and they cannot, that’s because they
didn’t do their job right.

And no, why should I involve Microsoft ? It should be exactly the other way
around, give me a strong, stable, well documented API, with no surprises,
get out of the way, and hooking shouldn’t be any problem whatsoever.

Alberto.

-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com]On Behalf Of Don Burn
Sent: Tuesday, January 27, 2004 11:14 AM
To: Windows System Software Devs Interest List
Subject: Re: [ntdev] NtCreateSection() - relation between parent and
child process


We extensively hooked the GDI when I was at Number Nine, and we never had
any stability issues.

But for example, I want to collect timing statistics of a live system: I
turn on TrueTime, it hooks the world and a half, yet things go on. I want to
check coverage on a live system, so, I turn on TrueCoverage, it hooks just
about everything under the sun, things go on normally. I want to profile
memory allocation and deallocation patterns, so, I hook the memory
alloc/dealloc functions and collect data for future data reduction. I want
to perform a live measurement of my OpenGL or Direct3D frame rate, so I hook
SwapBuffers and I compute the frame rate inside that hook, and I then access
physical video memory to optionally superimpose a frame rate gauge on the
current screen. I want to measure how many times I call glBegin/glEnd, and I
want to split the number of calls according to which polygon I’m drawing. I
want to time a bitblt according to which ROP it invokes. I want to trap that
elusive problem that happens every night around 3 in the morning, so, I turn
on BoundsChecker on the live system, and bingo, I get my event recorded and
data I can analyze, and, if that hook generates an Int 3, I can write my own
Int 3 driver - hook Int 3, that is - and grab information on the fly.

And so on, there’s more to hooking than single-stepping through a debugger.

Alberto.

-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com]On Behalf Of
xxxxx@3Dlabs.com
Sent: Tuesday, January 27, 2004 11:17 AM
To: Windows System Software Devs Interest List
Subject: RE: [ntdev] NtCreateSection() - relation between parent and
child process

Ok, so I understand fully that a debugger must do these things (or at least,
if you want a complete debugging tool, e.g., SoftICE, you must do this,
unless you can convince MS to have an undocumented (or documented) way of
officially “hooking” system calls).

I just wonder how you deal with competing “hookers” (no pun intended) that
may have got there before you, and potentially get unloaded at a later
stage, which means that your “old hook” pointer is now pointing into dead
space in memory? Obviously, I can understand that the answer is a “company
secret”, and if it is, can you just explain as much as possible about it,
without revealing the “secret” bits?

I’m just curious, rather than having any specific use for this. In fact, I
haven’t “hooked” anything since I left off the Atari ST that used to be my
home-computer many years ago. At that time, hooking into the OS was just
about the only way to do things if you didn’t have a “public” support for
it.


Mats

-----Original Message-----
From: Moreira, Alberto [mailto:xxxxx@compuware.com]
Sent: Tuesday, January 27, 2004 4:06 PM
To: Windows System Software Devs Interest List
Subject: RE: [ntdev] NtCreateSection() - relation between parent and
child process

We hook all sorts of things all the time, and we don’t have any problems.
And our software is very much commercial grade, and no, it isn’t a piece of
shit !

Point being: do the job right, and hooking is invisible.

Alberto.

-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com]On Behalf Of Don Burn
Sent: Monday, January 26, 2004 9:49 AM
To: Windows System Software Devs Interest List
Subject: Re: [ntdev] NtCreateSection() - relation between parent and
child process

The whole concept of hooking is a BAD IDEA. Hopefully this is for a driver
for your testing only, commercial software with this is a PIECE OF SHIT.

Don Burn (MVP, Windows DDK)
Windows 2k/XP/2k3 Filesystem and Driver Consulting

----- Original Message -----
From:
> To: “Windows System Software Devs Interest List”
> Sent: Monday, January 26, 2004 9:46 AM
> Subject: [ntdev] NtCreateSection() - relation between parent and child
> process
>
>
> > Hi again,
> >
> > Another question came to my mind.
> >
> > I hooked NtCreateSection() (as was suggested by the guys from
> > www.sysinternals.com back in 1997) right below the frontier
> > from user mode to kernel mode
> > (changed the SDT entry). Since currently my driver produces
> > some debug output,
> > I see a query of the section for the child process each
> > second or so and
> > obviously coming from the parent process. How is that? What
> > does it mean?
> >
> > Could it be that this is how the parent determines whether the child
> > process
> > is still active (one of the infamous Wait* functions maybe?!).
> >
> > Does anyone have some details on that?
> >
> > Oliver
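Mats' question in the thread (what happens to your saved "old hook" pointer when a competing hook that installed on top of you, or under you, unloads) is the classic dispatch-table hazard. The following is an added illustration, not code from anyone in this thread and not real SDT code: it models one table slot and two independent hooking "drivers" A and B in plain user-mode C. The `hooker` struct, `is_live()` liveness check and the `DEAD_CALL` sentinel are constructed for the model; in a real kernel there is no such check, and calling into an unloaded driver's address is simply a bugcheck. The point it shows is the usual rule: a hook may only restore the slot if it is still the one in the slot; otherwise it has to stay resident and keep forwarding.

```c
#include <stdbool.h>
#include <stdio.h>

typedef int (*svc_fn)(int);

/* The real service that the table slot originally points to. */
static int original_service(int x) { return x + 1; }

/* One dispatch-table slot, standing in for the SDT entry in the thread. */
static svc_fn table_entry = original_service;

/* A hooking "driver": its replacement routine, the pointer it saved when it
 * installed, and whether its code is still resident (constructed model). */
typedef struct {
    const char *name;
    svc_fn      hook;
    svc_fn      next;
    bool        resident;
} hooker;

static hooker A, B;

/* Can f be called safely? The original always; a hook only while its driver
 * is resident. Models "does this address still map loaded code". */
static bool is_live(svc_fn f) {
    if (f == original_service) return true;
    if (f == A.hook) return A.resident;
    if (f == B.hook) return B.resident;
    return false;
}

#define DEAD_CALL (-1)   /* what a jump into unmapped driver code would be */

static int a_hook(int x) { return is_live(A.next) ? A.next(x) * 10 : DEAD_CALL; }
static int b_hook(int x) { return is_live(B.next) ? B.next(x) + 100 : DEAD_CALL; }

static void install(hooker *h) {
    h->next = table_entry;        /* remember whoever was in the slot */
    table_entry = h->hook;
}

/* Naive unload: put back what we saved, regardless of who hooked after us. */
static void unload_naive(hooker *h) {
    table_entry = h->next;
    h->resident = false;
}

/* Careful unload: restore only if we are still the one in the slot; otherwise
 * refuse, stay resident and keep forwarding. Returns whether we unloaded. */
static bool unload_safe(hooker *h) {
    if (table_entry != h->hook) return false;
    table_entry = h->next;
    h->resident = false;
    return true;
}

/* The dispatcher: what the kernel does when the system call arrives. */
static int call_service(int x) {
    return is_live(table_entry) ? table_entry(x) : DEAD_CALL;
}

static void reset(void) {
    table_entry = original_service;
    A = (hooker){ "A", a_hook, NULL, true };
    B = (hooker){ "B", b_hook, NULL, true };
}

/* Both hooks in place: B -> A -> original, (1 + 1) * 10 + 100. */
int scenario_chained(void) {
    reset();
    install(&A);
    install(&B);
    return call_service(1);
}

/* Mats' case: A hooks, B hooks on top, A unloads first and restores naively.
 * B is silently bypassed, and when B later restores *its* saved pointer the
 * slot points at A's code, which is no longer there. */
int scenario_naive(void) {
    reset();
    install(&A);
    install(&B);
    unload_naive(&A);        /* slot: original; B no longer reached */
    unload_naive(&B);        /* slot: a_hook, but A is gone */
    return call_service(1);  /* DEAD_CALL */
}

/* Same ordering with the check: A refuses to unload while B is above it,
 * B unloads cleanly, then A can unload and the slot ends up original again. */
int scenario_safe(void) {
    reset();
    install(&A);
    install(&B);
    bool a_gone = unload_safe(&A);   /* false: not on top */
    bool b_gone = unload_safe(&B);   /* true */
    a_gone = unload_safe(&A);        /* true now */
    return (a_gone && b_gone) ? call_service(1) : DEAD_CALL;
}

int main(void) {
    printf("chained: %d\n", scenario_chained());
    printf("naive unload: %d\n", scenario_naive());
    printf("safe unload: %d\n", scenario_safe());
    return 0;
}
```

The refusal in `unload_safe()` is why hooking products of that era could not always be unloaded on demand: once someone else's hook sits above yours, the only pointer to your routine is in their saved "next" field, which you cannot reach, so your code has to stay mapped for as long as they might call it.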