Windows System Software -- Consulting, Training, Development -- Unique Expertise, Guaranteed Results
Is the crash dump from a really new system? Is it user mode or kernel mode?
I just looked on my system and the debugger engine DLLs in WinDbg Preview (somewhere like C:\Program Files\WindowsApps\Microsoft.WinDbg_BLAH_BLAH\amd64) are newer than the ones in the latest WinDbg. You can try replacing the WinDbg DLLs with the WinDbg Preview ones and see if that works.
We are doing anti-cheat companies favors too, because without us they are out of a job.
Sounds of idiots who don't know what's more important and more valuable.
Actually, the OP presents quite an interesting argument. After all, if you stretch your imagination a bit, you can extend this logic not only to the malware writers who can be claimed "to do a favour to the AV companies", but to the burglars as well. Imagine a lawyer claiming that his client who stands trial on burglary charges had actually "tried to do a favour to the security firm, because it would be out of business otherwise". I just wonder what the judge's reaction would be like...
Anton Bassov
As an aside, it is clear that the level of technical skill demanded to write an effective cheating system is impressively high. Maybe not as high as that needed to use network monitoring software to steal state secrets, but the mark of really good malware is that it does not cause observable effects that cause people to go looking.
but your underlying problem has only two theoretical solutions
or you change the world and reintroduce rings as hardware enforced security boundaries inside the machine.
but the point is that it is an NP-hard problem to find or prevent 'all' cheating software that runs on machines that you do not control
You could use NtSystemDebugControl (see LiveDump for a start). Still undocumented but better than walking page tables...
(Note that I admittedly haven't tried this in a couple of years, but it appears to still be available in 2004)
How would you do a kernel memory dump without using any third-party programs, and obviously from the kernel?
All I've seen in the NT documentation is a function that initializes a crash dump header (KeInitializeCrashDumpHeader).
I've thought of (and written) so many different answers...This is what I've ended up with:
Let Windows worry about this and require your customers to run Win10 with HVCI enabled. Done. It's the only way to know that you don't now (and won't in the future) have any WX pages. As a bonus you also get enforcement of the MS recommended driver block policy.
If your supervisor is convinced that finding executable pages at a particular moment in time will tell you something (I have no idea what), then understand that you don't have access to the locks necessary to walk the page tables safely. Consider periodically creating memory snapshots with something like LiveKD and walking the tables in the resulting crash dump. You at least have a stable image, get to write all code in user mode, and won't crash the machine if you get it wrong.
Lastly, make sure you understand the threat model that you're defending against. I used to think all this stink around anti-cheat was stupid (I loved my Game Genie) but turns out the cheat authors are both very clever AND motivated by significant financial gain. Be careful not to create something incredibly complicated that impacts the reliability and performance of the system for minimal protection against cheating...
Speaking of drivers and cheating: Riot got a lot of shit a couple of years ago for introducing their Vanguard anti-cheat driver. The developers clearly understand the problem space, it loads at boot, is heavily obfuscated with VMProtect (which puts me off from using it), and appears to have taken a significant development effort. Even with all that they're still playing catch up: Riot plans to take action against increase in Valorant cheating.
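As an added check for the "require HVCI enabled" advice above (this snippet is not from the thread or from any poster): a PowerShell query of the documented Win32_DeviceGuard WMI class that reports whether VBS and HVCI (memory integrity) are actually running on the machine, so the requirement can be verified rather than assumed.

```powershell
# Added example: verify that virtualization-based security and HVCI are running.
# Uses the documented root\Microsoft\Windows\DeviceGuard:Win32_DeviceGuard class.
$dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' `
                      -ClassName Win32_DeviceGuard

# VirtualizationBasedSecurityStatus: 0 = disabled, 1 = enabled but not running, 2 = running
$vbsRunning = ($dg.VirtualizationBasedSecurityStatus -eq 2)

# SecurityServicesRunning is a list: 1 = Credential Guard, 2 = HVCI (memory integrity)
$hvciRunning = ($dg.SecurityServicesRunning -contains 2)

# CodeIntegrityPolicyEnforcementStatus: 0 = off, 1 = audit mode, 2 = enforced
$ciEnforcement = $dg.CodeIntegrityPolicyEnforcementStatus

[pscustomobject]@{
    VbsRunning            = $vbsRunning
    HvciRunning           = $hvciRunning
    KernelCiPolicyStatus  = $ciEnforcement
}

if (-not $hvciRunning) {
    # Without HVCI nothing hardware-backed prevents W+X kernel pages or the
    # loading of drivers on the Microsoft recommended block list.
    Write-Warning 'HVCI is not running on this machine.'
    exit 1
}
exit 0
```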
but no one usually uses the Nx ones)
True for OLDER drivers; Should not be the case for NEWER drivers.... which should all be calling ExInitializeDriverRuntime(DrvRtPoolNxOptIn);
As much as I'd like to chastise the OP for his quest... it seems clear to me that he understands the consequences of what he's asking to do. He appears to know that it's not supported, and a dangerous game that he's playing.
Several years ago we were approached by one of the anti-cheat companies to do anti-cheat stuff like this. We respectfully declined the project, because we couldn't stomach the level of hackery necessary to do what they needed done. Not saying it's evil; Just, you know, "Do no harm"...
So... yeah... manually parsing the page tables is really going to be his best bet. At least you have a structure there that's defined in hardware, and therefore is less likely to change in a service pack (or whatever). Sure, this brings with it a raft of problems, but...
Peter
most likely writing some bad-bad Russian/Chinese anti-cheat
As long as we believe he’s not writing malware, per se, I’ll let him keep his account here (all things being equal).
If the general consensus becomes that he’s writing malware, I’ll ban him.
Peter
I gather that you have an existing Layered Service Provider (LSP) and want to migrate it to newer OS versions? At a high level, what does your LSP do?
The guidance to move to Windows Filtering Platform is very generic. Many and probably most LSPs were developed to filter connections or packets in some way, and WFP is a much easier way to do that. But your description of a custom address family does not jibe with that. Usually, though, a custom address family requires an NDIS protocol driver and not an LSP, so I am confused.
This is an application, not a driver, so you don't want a WDM project... I got this to work:

```c
#include <Windows.h>
#include <winternl.h>

/* A native-subsystem image has no CRT and no kernel32; only ntdll exports
   are available, so the two Nt* routines used here are declared by hand. */
NTSYSCALLAPI NTSTATUS NTAPI NtDisplayString(PUNICODE_STRING DisplayString);
NTSYSAPI NTSTATUS NTAPI NtTerminateProcess(HANDLE ProcessHandle, NTSTATUS ExitStatus);

/* Entry point of a native application (SubSystem=Native, no default libs). */
VOID NtProcessStartup(PVOID StartupArgument)
{
    UNICODE_STRING str;

    RtlInitUnicodeString(&str, L"Hello, world!\n");
    NtDisplayString(&str);

    /* There is no CRT to return into, so terminate the current process
       ((HANDLE)-1 is the current-process pseudo handle) explicitly. */
    NtTerminateProcess((HANDLE)(-1), 0);
}
```
With the following vcxproj file that I hacked together...Note that I don't claim this to be definitive (haven't had the need for a production native app in a very long time) but should put you on the right path:
```xml
<?xml version="1.0" encoding="utf-8"?>
<Project DefaultTargets="Build" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
  <ItemGroup Label="ProjectConfigurations">
    <ProjectConfiguration Include="Debug|Win32">
      <Configuration>Debug</Configuration>
      <Platform>Win32</Platform>
    </ProjectConfiguration>
    <ProjectConfiguration Include="Release|Win32">
      <Configuration>Release</Configuration>
      <Platform>Win32</Platform>
    </ProjectConfiguration>
    <ProjectConfiguration Include="Debug|x64">
      <Configuration>Debug</Configuration>
      <Platform>x64</Platform>
    </ProjectConfiguration>
    <ProjectConfiguration Include="Release|x64">
      <Configuration>Release</Configuration>
      <Platform>x64</Platform>
    </ProjectConfiguration>
  </ItemGroup>
  <PropertyGroup Label="Globals">
    <VCProjectVersion>16.0</VCProjectVersion>
    <Keyword>Win32Proj</Keyword>
    <ProjectGuid>{528ca95a-561b-4343-bd8a-205b5d808828}</ProjectGuid>
    <RootNamespace>NativeApp</RootNamespace>
    <WindowsTargetPlatformVersion>$(LatestTargetPlatformVersion)</WindowsTargetPlatformVersion>
  </PropertyGroup>
  <Import Project="$(VCTargetsPath)\Microsoft.Cpp.Default.props" />
  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'" Label="Configuration">
    <ConfigurationType>Application</ConfigurationType>
    <UseDebugLibraries>true</UseDebugLibraries>
    <PlatformToolset>v142</PlatformToolset>
    <CharacterSet>Unicode</CharacterSet>
    <Driver_SpectreMitigation>false</Driver_SpectreMitigation>
  </PropertyGroup>
  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'" Label="Configuration">
    <ConfigurationType>Application</ConfigurationType>
    <UseDebugLibraries>false</UseDebugLibraries>
    <PlatformToolset>v142</PlatformToolset>
    <WholeProgramOptimization>true</WholeProgramOptimization>
    <CharacterSet>Unicode</CharacterSet>
    <Driver_SpectreMitigation>false</Driver_SpectreMitigation>
  </PropertyGroup>
  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'" Label="Configuration">
    <ConfigurationType>Application</ConfigurationType>
    <UseDebugLibraries>true</UseDebugLibraries>
    <PlatformToolset>v142</PlatformToolset>
    <CharacterSet>Unicode</CharacterSet>
    <Driver_SpectreMitigation>false</Driver_SpectreMitigation>
  </PropertyGroup>
  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'" Label="Configuration">
    <ConfigurationType>Application</ConfigurationType>
    <UseDebugLibraries>false</UseDebugLibraries>
    <PlatformToolset>v142</PlatformToolset>
    <WholeProgramOptimization>true</WholeProgramOptimization>
    <CharacterSet>Unicode</CharacterSet>
    <Driver_SpectreMitigation>false</Driver_SpectreMitigation>
  </PropertyGroup>
  <Import Project="$(VCTargetsPath)\Microsoft.Cpp.props" />
  <ImportGroup Label="ExtensionSettings">
  </ImportGroup>
  <ImportGroup Label="Shared">
  </ImportGroup>
  <ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
    <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
  </ImportGroup>
  <ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
    <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
  </ImportGroup>
  <ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
    <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
  </ImportGroup>
  <ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
    <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
  </ImportGroup>
  <PropertyGroup Label="UserMacros" />
  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
    <LinkIncremental>false</LinkIncremental>
  </PropertyGroup>
  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
    <LinkIncremental>false</LinkIncremental>
  </PropertyGroup>
  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
    <LinkIncremental>false</LinkIncremental>
  </PropertyGroup>
  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
    <LinkIncremental>false</LinkIncremental>
  </PropertyGroup>
  <!-- The settings that make this a native app: SubSystem=Native, link only against
       ntdll.lib with all default libraries ignored (no CRT), and /GS buffer security
       checks and C++ exception handling off, since the CRT support for them is absent. -->
  <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
    <ClCompile>
      <WarningLevel>Level3</WarningLevel>
      <SDLCheck>true</SDLCheck>
      <PreprocessorDefinitions>_DEBUG;%(PreprocessorDefinitions)</PreprocessorDefinitions>
      <ConformanceMode>true</ConformanceMode>
      <DebugInformationFormat>ProgramDatabase</DebugInformationFormat>
      <SupportJustMyCode>false</SupportJustMyCode>
      <BufferSecurityCheck>false</BufferSecurityCheck>
      <ExceptionHandling>false</ExceptionHandling>
      <BasicRuntimeChecks>Default</BasicRuntimeChecks>
    </ClCompile>
    <Link>
      <SubSystem>Native</SubSystem>
      <GenerateDebugInformation>true</GenerateDebugInformation>
      <AdditionalDependencies>ntdll.lib</AdditionalDependencies>
      <IgnoreAllDefaultLibraries>true</IgnoreAllDefaultLibraries>
    </Link>
  </ItemDefinitionGroup>
  <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
    <ClCompile>
      <WarningLevel>Level3</WarningLevel>
      <FunctionLevelLinking>true</FunctionLevelLinking>
      <IntrinsicFunctions>true</IntrinsicFunctions>
      <SDLCheck>true</SDLCheck>
      <PreprocessorDefinitions>NDEBUG;%(PreprocessorDefinitions)</PreprocessorDefinitions>
      <ConformanceMode>true</ConformanceMode>
      <BufferSecurityCheck>false</BufferSecurityCheck>
      <ExceptionHandling>false</ExceptionHandling>
    </ClCompile>
    <Link>
      <SubSystem>Native</SubSystem>
      <EnableCOMDATFolding>true</EnableCOMDATFolding>
      <OptimizeReferences>true</OptimizeReferences>
      <GenerateDebugInformation>true</GenerateDebugInformation>
      <AdditionalDependencies>ntdll.lib</AdditionalDependencies>
      <IgnoreAllDefaultLibraries>true</IgnoreAllDefaultLibraries>
    </Link>
  </ItemDefinitionGroup>
  <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
    <ClCompile>
      <WarningLevel>Level3</WarningLevel>
      <SDLCheck>true</SDLCheck>
      <PreprocessorDefinitions>_DEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
      <ConformanceMode>true</ConformanceMode>
      <DebugInformationFormat>ProgramDatabase</DebugInformationFormat>
      <SupportJustMyCode>false</SupportJustMyCode>
      <BufferSecurityCheck>false</BufferSecurityCheck>
      <ExceptionHandling>false</ExceptionHandling>
      <BasicRuntimeChecks>Default</BasicRuntimeChecks>
    </ClCompile>
    <Link>
      <SubSystem>Native</SubSystem>
      <GenerateDebugInformation>true</GenerateDebugInformation>
      <AdditionalDependencies>ntdll.lib</AdditionalDependencies>
      <IgnoreAllDefaultLibraries>true</IgnoreAllDefaultLibraries>
    </Link>
  </ItemDefinitionGroup>
  <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
    <ClCompile>
      <WarningLevel>Level3</WarningLevel>
      <FunctionLevelLinking>true</FunctionLevelLinking>
      <IntrinsicFunctions>true</IntrinsicFunctions>
      <SDLCheck>true</SDLCheck>
      <PreprocessorDefinitions>NDEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
      <ConformanceMode>true</ConformanceMode>
      <BufferSecurityCheck>false</BufferSecurityCheck>
      <ExceptionHandling>false</ExceptionHandling>
    </ClCompile>
    <Link>
      <SubSystem>Native</SubSystem>
      <EnableCOMDATFolding>true</EnableCOMDATFolding>
      <OptimizeReferences>true</OptimizeReferences>
      <GenerateDebugInformation>true</GenerateDebugInformation>
      <AdditionalDependencies>ntdll.lib</AdditionalDependencies>
      <IgnoreAllDefaultLibraries>true</IgnoreAllDefaultLibraries>
    </Link>
  </ItemDefinitionGroup>
  <ItemGroup>
    <ClCompile Include="NativeApp.c" />
  </ItemGroup>
  <Import Project="$(VCTargetsPath)\Microsoft.Cpp.targets" />
  <ImportGroup Label="ExtensionTargets">
  </ImportGroup>
</Project>
```