
Write Current Process Memory From Kernel

Hi,
I have a solution for a problem I'm currently facing, but don't know how to do it.
I want to use the equivalents of "VirtualProtect" and "WriteProcessMemory" from kernel space.
More precisely, I run under the context of process A and just before the main thread has started to run (I'm in the context of the main thread, using PsSetCreateThreadNotifyRoutineEx).
I want to make the page where the main function resides "Read Write Execute" instead of "Read Execute", and overwrite a few of main's first opcodes with opcodes given by my driver's data.
What I want to do is actually put the main thread in an infinite loop.

Thank you

Comments

  • Tim_Roberts Posts: 12,622
    On Dec 25, 2017, at 3:41 PM, xxxxx@gmail.com <xxxxx@lists.osr.com> wrote:
    >
    > I have a solution for a problem I'm currently facing, but don't know how to do it.
    > I want to use the equivalents of "VirtualProtect" and "WriteProcessMemory" from kernel space.

    Not hard, since every process's address space is accessible from the kernel.


    > I want to make the page where main function resides "Read Write Execute" instead of "Read Execute", and write over few of the first main's opcodes with opcodes given by my driver's data.
    > What I want to do is actually put the main thread in an infinite loop.

    Do you think it's not going to be noticeable that every process goes into a tight CPU loop for a period before it starts?

    Tim Roberts, xxxxx@probo.com
    Providenza & Boekelheide, Inc.

  • >Not hard, since every process's address space is accessible from the kernel.
    Well, what API should I use? Haven't found anything relevant and documented.
    I want to either change the permissions of an existing page (where the entry point resides) to RWX and write infinite loop in the beginning, or create a new page which can be accessed from usermode, and change the entrypoint to that page.


    >Do you think it's not going to noticeable that every process goes into a tight CPU loop for a period before it starts?

    I don't mind if it's noticed or not, just so that my whole process won't take too long.
    What I do is pass the PID of the newly created process, put the process's thread in an infinite loop and then attach with a debugger to that process, and continue its execution in another place.
  • wd Posts: 25
    Sounds a bit like a procedure that could aid one in circumventing
    anti-piracy protection? Seriously though, what legitimate need do you have
    for what you're asking?

    On Tue, Dec 26, 2017 at 4:42 AM, xxxxx@gmail.com <
    xxxxx@lists.osr.com> wrote:

    > >Not hard, since every process's address space is accessible from the
    > kernel.
    > Well, what API should I use? Haven't found anything relevant and
    > documented.
    > I want to either change the permissions of an existing page (where the
    > entry point resides) to RWX and write infinite loop in the beginning, or
    > create a new page which can be accessed from usermode, and change the
    > entrypoint to that page.
    >
    >
    > >Do you think it's not going to noticeable that every process goes into a
    > tight CPU loop for a period before it starts?
    >
    > I don't mind if its noticed or not, just so that my whole process won't
    > take to long.
    > What I do is pass the PID of the newly created process, put the process'
    > thread in an infinite loop and then attach with a debugger to that process,
    > and continue its execution in other place.

    --
    Wade Dawson
    DT Multimedia
  • > Sounds a bit like a procedure that could aid one in circumventing anti-piracy protection? Seriously though, what legitimate need do you have for what you're asking?

    Well, not exactly.
    I'm doing a project in the university (final, hopefully) which is basically a malware protection system (sort of).
    In my driver (which is 64 bit) I want to catch any 32 bit process that is created, pass it to my usermode Manager, and if the process is not whitelisted - it is opened under the inspection of another process that attaches to it. Otherwise, my Manager resumes the execution.
    Very legit, very headache-giving and very urgent (first delivery is on this Thursday :) ).
    --
    Another thread I opened here "Create Suspended Process" (from kernel) - http://www.osronline.com/showthread.cfm?link=286958

    I didn't get the answer there. So I thought maybe if I get the entry point of my process from the first thread, I could write an infinite loop in the beginning and this way I would be able to attach to the untrusted process before it executes other code. (Also, I want to "suspend" only 32-bit processes which means I need to check the Optional Header in PE).
  • Mark_Roddy Posts: 4,269
    The process is effectively suspended while in your process notify handler.
    I don't quite see what you are going to gain by whacking its code, although
    that is do-able, see Detours and related libraries. Why not attach your
    debugger/inspector to the process while you have it suspended in the
    callback?

    Mark Roddy

    On Tue, Dec 26, 2017 at 10:34 AM, xxxxx@gmail.com <
    xxxxx@lists.osr.com> wrote:

    > > Sounds a bit like a procedure that could aid one in circumventing
    > anti-piracy protection? Seriously though, what legitimate need do you have
    > for what you're asking?
    >
    > Well, not exactly.
    > I'm doing a project in the university (final, hopefully) which is
    > basically a malware protection system (sort of).
    > In my driver (which is 64 bit) I want to catch any 32 bit process that is
    > created, pass it to my usermode Manager, and if the process is not
    > whitelisted - he is opened under the inspection of another process that
    > attaches to it. Otherwise, my Manager resumes the execution.
    > Very legit, very headache-giving and very urgent (first delivery is on
    > this thursday :) ).
    > --
    > Another thread I opened here "Create Suspended Process" (from kernel) -
    > http://www.osronline.com/showthread.cfm?link=286958
    >
    > I didn't get the answer there. So I thought maybe if I get the entry point
    > of my process from the first thread, I could write an infinite loop in the
    > beginning and this way I would be able to attach to the untrusted process
    > before it executes other code. (Also, I want to "suspend" only 32-bit
    > processes which means I need to check the Optional Header in PE).
  • Tim_Roberts Posts: 12,622
    xxxxx@gmail.com wrote:
    >> Not hard, since every process's address space is accessible from the kernel.
    > Well, what API should I use? Haven't found anything relevant and documented.

    No, it's not going to be documented.  VirtualProtect calls
    NtProtectVirtualMemory/ZwProtectVirtualMemory, which you can also call,
    if you can figure out how.

    --
    Tim Roberts, xxxxx@probo.com
    Providenza & Boekelheide, Inc.

  • > The process is effectively suspended while in your process notify handler. I don't quite see what you are going to gain by whacking its code, although that is do-able, see Detours and related libraries. Why not attach your debugger/inspector to the process while you have it suspended in the callback?

    Thought about that, though I faced a few problems:
    1. Using KeDelayExecutionThread in order to sleep and stay within the callback and try to attach manually with a debugger didn't work. The thread wasn't suspended but in a "Wait:DelayedExecution" state. Trying to attach with windbg resulted in a failure and a message: "The debugging session could not be started: FAILURE HR=0x80070002: Failed to DebugConnect". I'm guessing either I can't attach to a process with one thread in a "Wait" state, or the callback for thread's creation has been called while the process' DebugPort has not been yet initialized. Either way, KeDelayExecutionThread - both UserMode and KernelMode modes - failed.

    2. When I used Process Explorer to check on the new process that has been created, procexp crashed when I tried to get the thread's Stack. Maybe callback has been called before the thread's Usermode stack has been yet initialized.
  • Another problem: (Relevant to writing to memory)
    I tried using 3 callbacks:
    PsSetCreateProcessNotifyRoutine - to get callback for process creation.
    PsSetCreateThreadNotifyRoutineEx - to get callback for thread creation - in the new thread's context.
    PsSetLoadImageNotifyRoutine - to get callback for mapped memories.

    The chronological order of callbacks is: CreateProcess -> Map (some, partial) Images -> Create first thread.

    The relevant data from the process' binary itself (blabla.exe) is not fully mapped at the Thread's callback point. What I have is only 1 page from the exe base (first page, contains headers etc.) and its permissions are READ_EXECUTE (maybe because of the DOS stub there to print that it cannot run in DOS mode...). Other sections and such - are not mapped at this point.
    So anything related to changing the memory is not relevant now, because this page will become READONLY right after continuing execution and other sections will be mapped later on - so nowhere to put my infinite loop to simulate a "Suspend" state.
  • I think the image is mapped completely; many pages are just not paged in yet. So you
    can read the pages you are interested in and Mm will place them in memory.

    Why do you think READ_EXECUTE is strange? It is how it should be. Debuggers
    change page protection when they need to place a breakpoint.

    On Wed, 27 Dec 2017 at 04:15, xxxxx@gmail.com
    wrote:

    > Another problem: (Relevant to writing to memory)
    > I tried using 3 callbacks:
    > PsSetCreateProcessNotifyRoutine - to get callback for process creation.
    > PsSetCreateThreadNotifyRoutineEx - to get callback for thread creation -
    > in the new therad's context.
    > PsSetLoadImageNotifyRoutine - to get callback for mapped memories.
    >
    > The chronological order of callbacks is: CreateProcess -> Map (some,
    > partial) Images -> Create first thread.
    >
    > The relevant data from the process' binary itself (blabla.exe) is not
    > fully mapped at the Thread's callback point. What I have is only 1 page
    > from the exe base (first page, contains headers etc.) and it's permissions
    > are READ_EXECUTE (maybe because of the DOS stub there to print that it
    > cannot run in DOS mode...). Other sections and such - are not mapped at
    > this point.
    > So anything related to changing the memory is not relevant now, because
    > this page will become READONLY right after continuing execution and other
    > section will be mapped later on - so nowhere to put my infinite loop to
    > simulate a "Suspend" state.
  • > I think image mapped completely, many pages just not paged-in yet. So you can read the pages you interested in and mm will place them in memory.

    How to do that exactly? I think it's my only option to "pseudo-suspend" the thread from the callback.
    I see that the "*.exe" image has been loaded, the first 0x1000 bytes are mapped (running "!vad" and then the specific "!vad vadAddress 1" will output the image base. Running "dc imageBase" gives me the PE header, first 0x1000 bytes. After them - memory is not mapped, see question marks instead of bytes).

    > why do you think READ_EXECUTE is strange? It is how it should be. Debuggers change page protection when they need to place breakpoint.

    Didn't put breakpoint there, therefore I didn't change the permissions. The READ_EXECUTE is on the first 0x1000 bytes from the image base (Don't remember "MZ" being executable opcodes).
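As an added example (not code from the thread or from any of its posters), here is what a driver can do with the one page it does have in the thread-create callback: parse the PE headers to learn whether the image is PE32 (a 32-bit process) and where its entry point is, check whether the entry point lies on that already-resident page, work out whether the proposed 2-byte `EB FE` patch fits in one page, and save and restore the bytes it replaces. It runs against a constructed PE32 header page; the function names (`pe_summarize_first_page`, `patch_pages_touched`, and so on) are this example's own, and the kernel-side attach, protection change and write are not part of it.

```c
/* Added example, not code from the thread or its participants: what the first,
 * header-only page of a freshly mapped image tells the driver before the rest of
 * the image is paged in, plus the 2-byte patch the thread proposes. Built against
 * a constructed PE32 header so it compiles on any host; offsets are the documented
 * PE layout, the function names are this example's own. */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define PAGE_4K     0x1000u
#define PE32_MAGIC  0x10Bu   /* IMAGE_NT_OPTIONAL_HDR32_MAGIC: 32-bit image */
#define PE32P_MAGIC 0x20Bu   /* IMAGE_NT_OPTIONAL_HDR64_MAGIC: 64-bit image */

typedef struct {
    int      ok;                   /* headers parsed and internally consistent    */
    int      is_32bit;             /* optional header magic is PE32               */
    int      entry_in_header_page; /* entry point is on the already-resident page */
    uint32_t entry_rva;            /* AddressOfEntryPoint, relative to image base */
    uint32_t size_of_image;
} pe_summary;

static uint16_t rd16(const uint8_t *p) { uint16_t v; memcpy(&v, p, 2); return v; }
static uint32_t rd32(const uint8_t *p) { uint32_t v; memcpy(&v, p, 4); return v; }
static void wr16(uint8_t *p, uint16_t v) { memcpy(p, &v, 2); }
static void wr32(uint8_t *p, uint32_t v) { memcpy(p, &v, 4); }

/* Parse using only the `len` bytes of the first page and never read past them. */
pe_summary pe_summarize_first_page(const uint8_t *page, size_t len)
{
    pe_summary s = {0};
    if (len < 0x40 || rd16(page) != 0x5A4D)                  /* "MZ" */
        return s;
    uint32_t e_lfanew = rd32(page + 0x3C);
    /* Signature(4) + IMAGE_FILE_HEADER(20) + first 60 optional-header bytes must fit. */
    if (e_lfanew > len || len - e_lfanew < 4 + 20 + 60)
        return s;
    const uint8_t *nt = page + e_lfanew;
    if (rd32(nt) != 0x00004550)                               /* "PE\0\0" */
        return s;
    const uint8_t *opt = nt + 4 + 20;
    uint16_t magic = rd16(opt);
    if (magic != PE32_MAGIC && magic != PE32P_MAGIC)
        return s;
    s.is_32bit      = (magic == PE32_MAGIC);
    s.entry_rva     = rd32(opt + 16);  /* AddressOfEntryPoint: same offset in PE32 and PE32+ */
    s.size_of_image = rd32(opt + 56);  /* SizeOfImage: same offset in both */
    s.entry_in_header_page = (s.entry_rva < PAGE_4K);
    s.ok = 1;
    return s;
}

/* EB FE: a short jump to its own address, the "infinite loop" from the thread. */
static const uint8_t JMP_SELF[2] = { 0xEB, 0xFE };

/* 4K pages the 2-byte patch touches (1 or 2). Two means the write straddles into
 * a page that may not be resident and whose protection must also be changed,
 * which is worth knowing before the write faults. */
unsigned patch_pages_touched(uint32_t entry_rva, uint32_t *first_page_rva)
{
    uint32_t first = entry_rva & ~(PAGE_4K - 1);
    uint32_t last  = (entry_rva + 1) & ~(PAGE_4K - 1);
    if (first_page_rva) *first_page_rva = first;
    return first == last ? 1u : 2u;
}

/* Patch a writable view of the entry bytes, saving the originals so the manager
 * can restore them before letting the thread run. */
void patch_entry_with_loop(uint8_t *entry, uint8_t saved[2])
{
    memcpy(saved, entry, 2);
    memcpy(entry, JMP_SELF, 2);
}

void restore_entry(uint8_t *entry, const uint8_t saved[2]) { memcpy(entry, saved, 2); }

/* Constructed sample: a minimal PE32 header page whose entry point (RVA 0x1FFF) is
 * the last byte of the second page, so the patch crosses into a third. */
pe_summary sample_pe32_summary(void)
{
    uint8_t page[PAGE_4K] = {0};
    wr16(page, 0x5A4D);                 /* e_magic "MZ"          */
    wr32(page + 0x3C, 0x80);            /* e_lfanew              */
    wr32(page + 0x80, 0x00004550);      /* "PE\0\0"              */
    wr16(page + 0x84, 0x014C);          /* Machine: i386         */
    wr16(page + 0x86, 2);               /* NumberOfSections      */
    wr16(page + 0x94, 0xE0);            /* SizeOfOptionalHeader  */
    wr16(page + 0x98, PE32_MAGIC);      /* optional header Magic */
    wr32(page + 0x98 + 16, 0x1FFF);     /* AddressOfEntryPoint   */
    wr32(page + 0x98 + 56, 0x5000);     /* SizeOfImage           */
    return pe_summarize_first_page(page, sizeof page);
}

/* Round-trip the patch on a constructed prologue; 1 if the loop was written and
 * the original bytes came back. */
int sample_patch_roundtrip(void)
{
    uint8_t code[4] = { 0x55, 0x8B, 0xEC, 0xC3 };  /* push ebp; mov ebp,esp; ret */
    uint8_t saved[2];
    patch_entry_with_loop(code, saved);
    int looped = (code[0] == 0xEB && code[1] == 0xFE);
    restore_entry(code, saved);
    return looped && code[0] == 0x55 && code[1] == 0x8B && code[3] == 0xC3;
}

int main(void)
{
    pe_summary s = sample_pe32_summary();
    uint32_t first;
    unsigned pages = patch_pages_touched(s.entry_rva, &first);
    printf("ok=%d 32bit=%d entry=0x%X in_header_page=%d pages=%u first_page=0x%X\n",
           s.ok, s.is_32bit, s.entry_rva, s.entry_in_header_page, pages, first);
    printf("patch round-trip: %s\n", sample_patch_roundtrip() ? "ok" : "FAILED");
    return 0;
}
```

The parser deliberately reads nothing beyond the page it was given, because in the situation described above the next page is not resident and touching it is exactly what faults. `entry_in_header_page` will almost always be 0 for a real image (the entry point sits in `.text`, not in the headers), which is the practical reason the patch cannot be applied without first bringing the entry page in or choosing a different place to park the thread.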
  • Tim_Roberts Posts: 12,622
    xxxxx@gmail.com wrote:
    >> I think image mapped completely, many pages just not paged-in yet. So you can read the pages you interested in and mm will place them in memory.
    > How to do that exactly?

        ULONG fetch = *ptr;

    That will trigger a page fault.  As long as you are at a passive IRQL,
    the memory manager will handle that page fault by reading the page from
    disk.

    --
    Tim Roberts, xxxxx@probo.com
    Providenza & Boekelheide, Inc.

  • What I meant is that without a debugger, read/execute is what you should
    expect. Debuggers add write protection before setting a breakpoint.

    I don't see the problem. So the page with the magic number MZ has read/execute
    protection. So what? MZ is not the only thing this page contains.

    On Thu, 28 Dec 2017 at 02:36, xxxxx@probo.com wrote:

    > xxxxx@gmail.com wrote:
    > >> I think image mapped completely, many pages just not paged-in yet. So
    > you can read the pages you interested in and mm will place them in memory.
    > > How to do that exactly?
    >
    > ULONG fetch = *ptr;
    >
    > That will trigger a page fault. As long as you are at a passive IRQL,
    > the memory manager will handle that page fault by reading the page from
    > disk.
  • Or rather, a mapped executable page is copy-on-write.

    On Thu, 28 Dec 2017 at 03:07, Sergey Pisarev
    wrote:

    > What I meant is that without debugger read execute is what you should
    > expect. Debugger add write protection before setting breakpoint.
    >
    > I don’t see the problem. So page with magic number mz has read execute
    > protection. So what ? Mz is not the only thing this page contains
  • R0b0t1 Posts: 130
    On Tue, Dec 26, 2017 at 8:59 AM, xxxxx@gmail.com
    <xxxxx@lists.osr.com> wrote:
    > Sounds a bit like a procedure that could aid one in circumventing
    > anti-piracy protection? Seriously though, what legitimate need do you have
    > for what you're asking?
    >

    This train of thought is pointless. Get off your high horse. Computers
    are used for breaking the law, so why don't you chuck yours in a
    dumpster?

  • Tim_Roberts Posts: 12,622
    xxxxx@gmail.com wrote:
    > On Tue, Dec 26, 2017 at 8:59 AM, xxxxx@gmail.com
    > <xxxxx@lists.osr.com> wrote:
    >> Sounds a bit like a procedure that could aid one in circumventing
    >> anti-piracy protection? Seriously though, what legitimate need do you have
    >> for what you're asking?
    >>
    > This train of thought is pointless. Get off your high horse. Computers
    > are used for breaking the law, so why don't you chuck yours in a
    > dumpster?

    Of course it's not pointless.  What you say may be true, but the members
    of this mailing list do not intend to be accessories to the crime.

    --
    Tim Roberts, xxxxx@probo.com
    Providenza & Boekelheide, Inc.

  • R0b0t1 Posts: 130
    On Wed, Dec 27, 2017 at 7:26 PM, xxxxx@probo.com <xxxxx@lists.osr.com> wrote:
    > xxxxx@gmail.com wrote:
    >> On Tue, Dec 26, 2017 at 8:59 AM, xxxxx@gmail.com
    >> <xxxxx@lists.osr.com> wrote:
    >>> Sounds a bit like a procedure that could aid one in circumventing
    >>> anti-piracy protection? Seriously though, what legitimate need do you have
    >>> for what you're asking?
    >>>
    >> This train of thought is pointless. Get off your high horse. Computers
    >> are used for breaking the law, so why don't you chuck yours in a
    >> dumpster?
    >
    > Of course it's not pointless. What you say may be true, but the members
    > of this mailing list do not intend to be accessories to the crime.
    >

    If all you look for in the world is ugliness, then that is all you will find.

    If they would be accessories without knowing about the crime, then
    certainly you are an accessory to many crimes simply by virtue of
    using your computer?

    I apologize leon.berlin101 and list, as I really did not mean to
    derail your thread. But I felt I should comment as this is part of the
    mindset that keeps Windows development closed to "outsiders." I
    experienced much the same thing when I took up an interest in
    locksmithing. My ability to be a thief does not hinge on my ability to
    pick a lock; I could simply kick the door in. Likewise, anyone's
    answer here is not going to change whether or not the OP actually does
    anything illegal.

    I probably shouldn't have said anything since he was helped. Sorry.

  • > ULONG fetch = *ptr; That will trigger a page fault. As long as you are at a passive IRQL, the memory manager will handle that page fault by reading the page from disk.

    Well, Access violation.
    Running !vad resulted in this line among the others:
    ffff8c09a062c830 4 400 5bd 17 Mapped Exe EXECUTE_WRITECOPY \Program Files (x86)\HxD\HxD.exe

    Base address is 0x400000.
    Only the first page of the image is loaded to the memory, as follows:

    kd>
    00000000`00400f80 00000000 00000000 00000000 00000000 ................
    00000000`00400f90 00000000 00000000 00000000 00000000 ................
    00000000`00400fa0 00000000 00000000 00000000 00000000 ................
    00000000`00400fb0 00000000 00000000 00000000 00000000 ................
    00000000`00400fc0 00000000 00000000 00000000 00000000 ................
    00000000`00400fd0 00000000 00000000 00000000 00000000 ................
    00000000`00400fe0 00000000 00000000 00000000 00000000 ................
    00000000`00400ff0 00000000 00000000 00000000 00000000 ................
    kd>
    00000000`00401000 ???????? ???????? ???????? ???????? ????????????????
    00000000`00401010 ???????? ???????? ???????? ???????? ????????????????
    00000000`00401020 ???????? ???????? ???????? ???????? ????????????????
    00000000`00401030 ???????? ???????? ???????? ???????? ????????????????
    00000000`00401040 ???????? ???????? ???????? ???????? ????????????????
    00000000`00401050 ???????? ???????? ???????? ???????? ????????????????
    00000000`00401060 ???????? ???????? ???????? ???????? ????????????????
    00000000`00401070 ???????? ???????? ???????? ???????? ????????????????

    The instruction in the driver:
    USHORT twoBytes = *(PUSHORT)EntryPointRawOffset;
    resulted in an access violation.

    Any idea on how can I map the rest of the pages from the ThreadNotifyRoutineEx callback? (I'm in the Called Thread's context, using Extended API).

    >No, it's not going to be documented. VirtualProtect calls NtProtectVirtualMemory/ZwProtectVirtualMemory, which you can also call, if you can figure out how.

    Also, I guess that getting "ZwProtectVirtualMemory" using MmGetSystemRoutineAddress will do the job, if just I would be able to solve the previous problem.
    Thanks :)
  • Tim_Roberts Posts: 12,622
    xxxxx@gmail.com wrote:
    > On Wed, Dec 27, 2017 at 7:26 PM, xxxxx@probo.com <xxxxx@lists.osr.com> wrote:
    >> Of course it's not pointless. What you say may be true, but the members
    >> of this mailing list do not intend to be accessories to the crime.
    > If they would be accessories without knowing about the crime, then
    > certainly you are an accessory to many crimes simply by virtue of
    > using your computer?

    No, that's stupid, as you well know.

    The major contributors to this list are all professional driver
    developers and trainers with decades of computing experience.  This is
    our living, our passion, our reputation.  We have all wasted countless
    hours dealing with infections and rootkits, and it pisses us off.  Most
    of us have a pretty good understanding of how these things are
    implemented.  Because of that, we have learned to recognize lines of
    questioning that arise from nefarious intent.

    Are there places on the internet where you can learn the criminal
    skills?  Sure there are, but most of them are deeply technical and
    difficult to understand.  If you come here asking for help in honing
    those skills, we're going to refuse.  If you went to a locksmith and
    said "I need help breaking into the vault at US Bank", that locksmith is
    going to refuse to help you.  If you went to Home Depot and said "I need
    help disabling the electrical grid near me", the crew is going to refuse
    to help you.  This is exactly the same.


    > But I felt I should comment as this is part of the
    > mindset that keeps Windows development closed to "outsiders."

    Nonsense, and I have two opposing responses to that.

    Windows development is not closed to outsiders.  There are billions of
    Windows computers in the world, all of them running applications of all
    kinds and all levels of sophistication.  The Windows development
    landscape is wide, varied, and well-documented.

    Now, the situation is a bit different when you talk about Windows
    internal development, and that's true for a damned good reason.  Windows
    is not a playground.  It used to be, decades ago.  I disassembled and
    single stepped through Windows 3.1 extensively enough that I actually
    understood what it was doing, and that meant I could tweak it to make it
    stand up and bark.  But today, Windows is an industrial-strength
    operating system.  It is mission-critical in the business world.  We
    don't want experimenters and hobbyists poking around in the ugly
    underside, destabilizing the infrastructure.  That time has passed.  If
    you want to do that, go load Linux.

    So, yes, the barriers to entry have been raised, at least at the kernel
    level.  And that's a Good Thing.


    > I experienced much the same thing when I took up an interest in
    > locksmithing. My ability to be a thief does not hinge on my ability to
    > pick a lock; I could simply kick the door in.

    True, but that's a lot easier to detect, and a lot more dangerous for
    you.  The locksmith didn't want to make it easy for you.  Same here.


    > Likewise, anyone's answer here is not going to change whether or not
    > the OP actually does anything illegal.

    Maybe not, but it can keep the honest man honest.  If we don't help
    them, the hobbyist script kiddie is going to get frustrated and go find
    something else to do.

    --
    Tim Roberts, xxxxx@probo.com
    Providenza & Boekelheide, Inc.

  • There is (almost) no security product of any kind you cannot write now with
    the provided MSFT infrastructure for filtering and the respective
    documentation.
    There is a reason what you are trying to do is dangerous, and instead of
    resisting you would be better off understanding why. Going through this
    process of learning why will not only suppress some of the ignorance, but
    will give you actual good ideas of how to implement the next best security
    product in Windows.

    Good luck,
    Gabriel
    www.kasardia.com

    On Thu, Dec 28, 2017 at 7:19 PM, xxxxx@probo.com wrote:

    --
    Bercea. G.
  • wd Posts: 25
    Oh yeah? I bet my high horse could beat up your low horse any day!

    Sent from my iPhone

    > On Dec 27, 2017, at 20:26, xxxxx@probo.com <xxxxx@lists.osr.com> wrote:
    >
    > xxxxx@gmail.com wrote:
    >> On Tue, Dec 26, 2017 at 8:59 AM, xxxxx@gmail.com
    >> <xxxxx@lists.osr.com> wrote:
    >>> Sounds a bit like a procedure that could aid one in circumventing
    >>> anti-piracy protection? Seriously though, what legitimate need do you have
    >>> for what you're asking?
    >>>
    >> This train of thought is pointless. Get off your high horse. Computers
    >> are used for breaking the law, so why don't you chuck yours in a
    >> dumpster?
    >
    > Of course it's not pointless. What you say may be true, but the members
    > of this mailing list do not intend to be accessories to the crime.
    >
    > --
    > Tim Roberts, xxxxx@probo.com
    > Providenza & Boekelheide, Inc.
    >
  • For an NtWriteVirtualMemory alternate, you can use KeStackAttachProcess to attach to a process and then use memcpy, or you can use MmCopyVirtualMemory. Remember to detach with KeUnstackDetachProcess if you use the former method.

    For an NtProtectVirtualMemory solution, simply find the address with the System Service Descriptor Table. Note it won't be 100% "stable" for 64-bit environments but it can easily be found on 64-bit environments (where the kernel does not export it) for Windows 7 - Windows 10 without a code-base change. Simply find the address of KiSystemCall64, then find KiSystemServiceRepeat, and then extract the address (it is referenced by KiSystemServiceRepeat). IA32_LSTAR points to KiSystemCall64 so it is a simple task.

    May I ask, why not just have a Windows Service call NtProtectVirtualMemory for you? You can even pass down the HANDLE from kernel-mode as long as it isn't a kernel-mode only handle. This would be a lot more stable and reliable.

    I've been using NtWriteVirtualMemory and NtProtectVirtualMemory for educational purposes in kernel-mode through testing for many years now and it has always been just as reliable as in user-mode for me, but that doesn't mean it is a "good" thing to do.

    It isn't my job to care if you are taking a bad approach or not. You're a programmer, and you are in-charge of your own project. You asked a question and I answered it, whether you should re-assess your options is down to you - I personally think you should. However, let me make one thing very clear... If you start messing with the System Service Descriptor Table (especially for 64-bit systems) and go down a path of unstable, undocumented and officially unsupported mechanisms, you're going to land yourself in a heap of trouble when the time comes and it could be anything from losing customers over bug-checking their systems after a Windows patch update, to not understanding how to update something efficiently or properly.
    Keep in mind that Windows 8.1 and later have new code integrity policies that prohibit
    the use of dynamic memory. For example, ZwAllocateVirtualMemory and ZwProtectVirtualMemory
    may return the error 0xC0000604 (STATUS_DYNAMIC_CODE_BLOCKED) if the
    corresponding policy was enabled for a process.

    See SetProcessMitigationPolicy for more information.

    By default, this policy is enabled for services.exe, smss.exe and some other system processes.
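    The mitigation the comment above refers to is the per-process dynamic-code policy; the following PowerShell is an added example (not code posted by anyone in this thread) showing how an administrator enables it for an image and reads the setting back. It assumes Windows 10 1709 or later (where the ProcessMitigations module with Get-ProcessMitigation/Set-ProcessMitigation ships), an elevated prompt, and that the DynamicCode section of the Get-ProcessMitigation output exposes a BlockDynamicCode property reporting ON/OFF/NOTSET; the target image name is a constructed sample.

```powershell
# Added example: enable the dynamic-code mitigation (the one behind
# STATUS_DYNAMIC_CODE_BLOCKED) for an image and verify it.
# Assumes Windows 10 1709+ (ProcessMitigations module) and an elevated prompt.
param(
    [string]$ExeName = 'notepad.exe'   # constructed sample target; any image name works
)

# Persist the policy for future instances of this image name.
Set-ProcessMitigation -Name $ExeName -Enable BlockDynamicCode

# Read the configured policy back.
$policy = Get-ProcessMitigation -Name $ExeName

# Assumption: the DynamicCode section exposes BlockDynamicCode as ON/OFF/NOTSET.
if ($policy.DynamicCode.BlockDynamicCode -eq 'ON') {
    Write-Output ("BlockDynamicCode is ON for {0}: requests for new executable pages " +
                  "(PAGE_EXECUTE_* allocations or protections) will fail with " +
                  "STATUS_DYNAMIC_CODE_BLOCKED (0xC0000604).") -f $ExeName
} else {
    Write-Output "BlockDynamicCode is not reported ON for $ExeName; current DynamicCode section:"
    $policy.DynamicCode | Format-List
}

# To inspect an instance that is already running, query by process id instead:
#   Get-ProcessMitigation -Id (Get-Process -Name ($ExeName -replace '\.exe$', '')).Id
```

    Once this policy is on, the user-mode VirtualAlloc/VirtualProtect calls the original poster wanted to mirror from the kernel are refused for that process, which is exactly the behaviour the comment describes for services.exe and smss.exe; auditing rather than enforcing is available through the AuditDynamicCode mitigation if you want to see what a process would trip over first.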
  • Aleh is correct, there is indeed a new protection mechanism and it's related to the security policies for processes; it has actually existed for a very long time however was not documented or available via a documented interface.

    SetProcessMitigationPolicy will call NtSetInformationProcess, and the NtSetInformationProcess call for changing the policy information will change data under the KPROCESS kernel-mode structure for the desired process. However, features such as enabling Data Execution Prevention (DEP) on-the-go cannot be done "permanently" from user-mode via NtSetInformationProcess I believe, but can from kernel-mode. Of course, modifying the KPROCESS structure (or even accessing it for that matter) would be highly unstable and not recommended since it's an opaque structure and the offsets regularly change.

    Google have been using NtSetInformationProcess since Windows 7 to enforce features like DEP if it wasn't already enabled (even though they compile with it enabled and their 64-bit compilation will always have it enabled of course due to 64-bit security benefits with the 64-bit Windows Kernel).

    You can still inject a DLL just fine though as long as it doesn't require a manual map shell-code loader (which would require additional memory to be executable and done remotely - and thus blocked - whereas standard DLL injection methods via remote thread creation, handle hijacking or APC with routines like LoadLibraryA/W would not require you to change the protection of memory, nor allocate memory with execute flags but only read/write).
  • I'd like to just quickly add that services.exe, smss.exe, csrss.exe and a few others are all protected processes by default since Windows 8. Therefore, attempting to attack them with or without security policies would be a waste of time. Even from kernel-mode, it is not as straightforward as a call to ZwOpenProcess; that simply won't be enough to get a handle to such processes, and those processes don't have user32.dll loaded/a UI at all so there are fewer exploitation attack vectors available. You'd have to either go deep enough to bypass the checks for the process protection status built into the Windows Kernel, or patch the KPROCESS structure so the Windows Kernel doesn't believe the process is actually protected. There's also Protected Process Light; of course it can be beaten, but none of these activities are documented, stable or reliable and should especially not be used in a professional environment because data corruption from a BSOD can cause many issues.

    To be honest, I am glad Microsoft made these processes protected. It strengthens the OS environment a bit against malicious software. Sadly they left lsass.exe unprotected in the default configuration (it can be enabled for process protection via a registry hack) and svchost.exe can be exploited the same way lsass.exe can (to obtain process handles, because lsass.exe and svchost.exe have opened handles by default - prevents passing through kernel-mode callbacks or triggering hooks) but maybe they will change that someday by default, which would be good.
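    The "registry hack" mentioned above is Microsoft's documented LSA protection switch; the PowerShell below is an added example (not code from anyone in this thread) that turns it on and checks the result. It assumes an elevated prompt, that the RunAsPPL value under the Lsa key is honoured on the next boot (Windows 8.1 and later), and that Wininit logs event ID 12 to the System log when lsass.exe starts as a protected process, as Microsoft's LSA protection documentation describes.

```powershell
# Added example: run lsass.exe as a protected process (PPL) on the next boot
# and verify the setting before and after the reboot.
# Assumes an elevated prompt on Windows 8.1 or later.
$lsaKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'

# RunAsPPL = 1 asks the kernel to start lsass.exe as a protected process at the next boot.
Set-ItemProperty -Path $lsaKey -Name 'RunAsPPL' -Value 1 -Type DWord

$configured = (Get-ItemProperty -Path $lsaKey -Name 'RunAsPPL').RunAsPPL
Write-Output "RunAsPPL configured value: $configured (takes effect after a reboot)"

# After the reboot, Wininit records a successful protected start as event ID 12
# in the System log (assumption: provider name Microsoft-Windows-Wininit).
$evt = Get-WinEvent -FilterHashtable @{
    LogName      = 'System'
    ProviderName = 'Microsoft-Windows-Wininit'
    Id           = 12
} -MaxEvents 1 -ErrorAction SilentlyContinue

if ($evt) {
    Write-Output "LSA protection confirmed at $($evt.TimeCreated): $($evt.Message)"
} else {
    Write-Output 'No Wininit event 12 found yet; reboot and re-run this check.'
}
```

    With lsass.exe running as PPL, the OpenProcess-then-read pattern the thread is circling around is refused even for administrators, which is why the comment treats the default as a missed opportunity; the same check is worth running as part of a hardening baseline, since third-party authentication packages that are not signed for PPL will stop loading once the switch is on.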
  • Leon_Ber Posts: 17
    A few points on the last comments:
    - KeAttachStack will throw a BSOD if run inside the PsSetThreadCreateNotifyRoutine's routine.
    - I don't mind if the driver is stable in other versions of Windows. In fact, I work on the assumption that it runs only under Windows 10, so even manipulating the E/K-PROCESS/THREAD is "ok" for me.

    Now I'm stuck at a point where I've allocated a user-mode buffer, which is RWX, and wrote my infinite loop there. What I want to do now is to set the thread to start running at the allocated address.
    * Changing the entry point inside the PE header didn't work.
    * Changing Win32StartAddress inside the ETHREAD structure didn't work.

    Any clues on how I can do it? All I want is for the thread to run my code (the infinite loop) when I return from the Notify Routine callback.
    Thanks
  • Don_Burn Posts: 1,623
    "manipulating the E/K-PROCESS/THREAD - is "ok" for me" Well it should not
    be; in multiple other versions of Windows those structures have changed with
    Windows Update or Service Packs. When you consider that Windows 10 is
    supposed to be the version for a very long time, your plan is very stupid.


    Don Burn
    Windows Driver Consulting
    Website: http://www.windrvr.com

  • Leon_Ber Posts: 17
    > When you consider that Windows 10 is supposed to be the version for a very long time, your plan is very stupid.

    Like I said before, it's a university project, not a product. As far as I know, these structures usually change between different NT versions (mostly); I can be stricter and work on the assumption that it's a specific build of Windows 10.

    Another important note: I do this stuff on a 64-bit OS but only for 32-bit processes (which is why I looked for Win32StartAddress previously).
  • Don_Burn Posts: 1,623
    The thing about CRAPPY UNIVERSITY PROJECTS LIKE YOURS is that some idiot
    takes it as an example of how to do things, and goes running off to try to
    make a product. I've had multiple queries for consults with startups which
    told me "we just have a little problem" when in reality they took someone's
    piece of junk project and based their whole product on it. Things don't go
    well when I suggest they throw everything out and start over.


    Don Burn
    Windows Driver Consulting
    Website: http://www.windrvr.com


  • > "Like I said before, it's a university project"

    University is there for people to study (learn more) and gain experience. You say you are working on a 'malware protection system (sort of)' but you aren't going to gain much useful experience for such a project if you're developing buggy, unstable and extremely unreliable source code, or using the same from someone else.

    I doubt your University would ask you to do what you are trying to do because it is a bit silly. Try coming up with a project idea which can be followed properly and help you learn skills for a professional environment, such as taking a good and documented/stable approach. That will help you a lot... Trying to put the main thread of a newly starting process in a never-ending infinite loop is beyond stupid.
  • Tim_Roberts Posts: 12,622
    xxxxx@gmail.com wrote:
    > Now I'm stuck in a point where I've allocated UserMode buffer, which is RWX, and wrote there my infinite loop. What I want to do now is to set the thread to start running in the allocated address.
    > * Changing entry point inside PE header didn't work.
    > * Changing Win32StartAddress inside ETHREAD structure didn't work.
    >
    > Any clues on how can I do it? All I want is for the thread to run my code (the infinite loop) when I return from the Notify Routine callback.

    It's possible the nascent thread's register state has already been set
    up in a CONTEXT structure.  Have you traced the stack all the way back
    to user-mode?

    --
    Tim Roberts, xxxxx@probo.com
    Providenza & Boekelheide, Inc.