Windows System Software -- Consulting, Training, Development -- Unique Expertise, Guaranteed Results
Comments
Starting in Win10 1709 there are ETW trace points for this (run "wevtutil gp Microsoft-Windows-Threat-Intelligence").

However, in order to get access to them you need to enable tracing for each process (see PROCESS_READWRITEVM_LOGGING_INFORMATION) and be an anti-malware protected process. Practically speaking, it's not clear to me if these are available to anyone other than Defender.

Without access to these trace points all you can do is build heuristics based on the documented Ob/Ps callbacks. Alternatively you can hook this operation in user mode (not ideal, but a kernel mode hook isn't happening...).
-scott
OSR
@OSRDrivers
I use it to gather more evidence that process A is writing to the memory of process B. The Ob callbacks already provide evidence of a permission request for write access to the memory of process B by process A.
On Fri, Mar 23, 2018 at 12:56 PM Scott Noone <[email protected]> wrote:
> Starting in Win10 1709 there are ETW trace points for this (run "wevtutil
> gp
> Microsoft-Windows-Threat-Intelligence").
>
> However, in order to get access to them you need to enable tracing for each
> process (see PROCESS_READWRITEVM_LOGGING_INFORMATION) and be an
> anti-malware
> protected process. Practically speaking, it's not clear to me if these are
> available to anyone other than Defender.
>
> Without access to these trace points all you can do is build heuristics
> based on the documented Ob/Ps callbacks. Alternatively you can hook this
> operation in user mode (not ideal, but a kernel mode hook isn't
> happening...).
>
> -scott
> OSR
> @OSRDrivers
>
> ---
> NTDEV is sponsored by OSR
> Visit the list online at: <http://www.osronline.com/showlists.cfm?list=ntdev>
--
Yours in Success,
Jose Andre Morales, Ph.D.
www.josemorales.org
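The "heuristics based on the documented Ob/Ps callbacks" approach Scott suggests, and the per-pair "process A asked to write to process B" evidence Jose wants out of it, as an added example that is not part of the thread and not OSR's or either poster's code. It is a portable C model of the decision logic a driver would put in its ObRegisterCallbacks pre-operation callback for PsProcessType, not a loadable driver: the access-right constants and the operation numbers are the documented Windows values, but struct handle_event, classify, strip_write_rights, pre_operation and write_requests_seen are names chosen here, the event records in main are constructed rather than captured, and the rights substituted for a MAXIMUM_ALLOWED request are a policy choice, not something the OS prescribes.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Process access rights as defined in the Windows SDK (winnt.h). */
#define PROCESS_CREATE_THREAD             0x0002u
#define PROCESS_VM_OPERATION              0x0008u  /* VirtualAllocEx / VirtualProtectEx */
#define PROCESS_VM_READ                   0x0010u  /* ReadProcessMemory */
#define PROCESS_VM_WRITE                  0x0020u  /* WriteProcessMemory */
#define PROCESS_QUERY_LIMITED_INFORMATION 0x1000u
#define SYNCHRONIZE                       0x00100000u
#define MAXIMUM_ALLOWED                   0x02000000u

/* Rights that let the holder change the target's address space. */
#define WRITE_CAPABLE_RIGHTS (PROCESS_VM_WRITE | PROCESS_VM_OPERATION)

/* Values of OB_OPERATION_HANDLE_CREATE / OB_OPERATION_HANDLE_DUPLICATE (ntddk.h). */
enum ob_operation { OB_OP_HANDLE_CREATE = 1, OB_OP_HANDLE_DUPLICATE = 2 };

/* The subset of OB_PRE_OPERATION_INFORMATION the heuristic needs. In a driver:
 * Operation and KernelHandle come straight from the structure, source_pid from
 * PsGetCurrentProcessId(), target_pid from PsGetProcessId((PEPROCESS)Object),
 * and desired_access from Parameters->CreateHandleInformation.DesiredAccess or
 * Parameters->DuplicateHandleInformation.DesiredAccess. Field names are ours. */
struct handle_event {
    enum ob_operation operation;
    bool     kernel_handle;
    uint32_t source_pid;
    uint32_t target_pid;
    uint32_t desired_access;
};

enum verdict { VERDICT_IGNORE = 0, VERDICT_WRITE_REQUEST = 1 };

/* Is this a cross-process request for write access to the target's memory? */
enum verdict classify(const struct handle_event *e)
{
    if (e->kernel_handle)                 /* kernel-mode open, e.g. by another driver */
        return VERDICT_IGNORE;
    if (e->source_pid == e->target_pid)   /* a process opening itself */
        return VERDICT_IGNORE;
    if (e->desired_access & WRITE_CAPABLE_RIGHTS)
        return VERDICT_WRITE_REQUEST;
    /* MAXIMUM_ALLOWED resolves to every right the caller's token permits; for an
     * elevated caller that includes VM_WRITE, so treat it as write-capable. */
    if (e->desired_access & MAXIMUM_ALLOWED)
        return VERDICT_WRITE_REQUEST;
    return VERDICT_IGNORE;
}

/* Ob callbacks cannot fail an open, only narrow it: this is the mask a driver
 * writes back to protect a target. MAXIMUM_ALLOWED must first be rewritten to
 * an explicit mask; the read/query set used here is an assumed policy. */
uint32_t strip_write_rights(uint32_t desired_access)
{
    if (desired_access & MAXIMUM_ALLOWED) {
        desired_access &= ~MAXIMUM_ALLOWED;
        desired_access |= PROCESS_QUERY_LIMITED_INFORMATION | PROCESS_VM_READ | SYNCHRONIZE;
    }
    return desired_access & ~WRITE_CAPABLE_RIGHTS;
}

/* Evidence kept per (source, target) pair, the way a driver would hold it for
 * a user-mode agent to query later. Fixed-size so it needs no allocator. */
#define MAX_PAIRS 64
struct pair_evidence { uint32_t source_pid, target_pid; unsigned requests; };
static struct pair_evidence g_evidence[MAX_PAIRS];
static size_t g_evidence_len;

static void record_evidence(uint32_t source_pid, uint32_t target_pid)
{
    for (size_t i = 0; i < g_evidence_len; i++) {
        if (g_evidence[i].source_pid == source_pid && g_evidence[i].target_pid == target_pid) {
            g_evidence[i].requests++;
            return;
        }
    }
    if (g_evidence_len < MAX_PAIRS)
        g_evidence[g_evidence_len++] = (struct pair_evidence){ source_pid, target_pid, 1 };
}

unsigned write_requests_seen(uint32_t source_pid, uint32_t target_pid)
{
    for (size_t i = 0; i < g_evidence_len; i++)
        if (g_evidence[i].source_pid == source_pid && g_evidence[i].target_pid == target_pid)
            return g_evidence[i].requests;
    return 0;
}

/* Stand-in for the OB_PRE_OPERATION_CALLBACK body. Returns the access mask the
 * handle will actually get; the driver stores it back into DesiredAccess and
 * returns OB_PREOP_SUCCESS. */
uint32_t pre_operation(const struct handle_event *e, bool target_is_protected)
{
    if (classify(e) != VERDICT_WRITE_REQUEST)
        return e->desired_access;
    record_evidence(e->source_pid, e->target_pid);
    return target_is_protected ? strip_write_rights(e->desired_access) : e->desired_access;
}

int main(void)
{
    /* Constructed events, not captured from a real system. */
    const struct handle_event injector    = { OB_OP_HANDLE_CREATE, false, 4242, 1337,
        PROCESS_VM_READ | PROCESS_VM_WRITE | PROCESS_VM_OPERATION | PROCESS_CREATE_THREAD };
    const struct handle_event self_open   = { OB_OP_HANDLE_CREATE, false, 1337, 1337, PROCESS_VM_WRITE };
    const struct handle_event kernel_open = { OB_OP_HANDLE_CREATE, true,  4,    1337, PROCESS_VM_WRITE };
    const struct handle_event dup_max     = { OB_OP_HANDLE_DUPLICATE, false, 4242, 1337, MAXIMUM_ALLOWED };

    printf("injector granted 0x%08x\n", pre_operation(&injector, true));
    pre_operation(&self_open, true);
    pre_operation(&kernel_open, true);
    printf("dup MAXIMUM_ALLOWED granted 0x%08x\n", pre_operation(&dup_max, true));
    printf("write requests 4242 -> 1337: %u\n", write_requests_seen(4242, 1337));
    return 0;
}
```

The evidence this produces is exactly what the Ob callback can see: that A asked for a write-capable handle to B, not that A actually wrote. Confirming the write itself needs the Threat-Intelligence ETW events (or the user-mode hook), as Scott says; a real driver would also register a PsSetCreateProcessNotifyRoutineEx callback so the PID pairs can be resolved to image names before the process exits.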