Windows System Software -- Consulting, Training, Development -- Unique Expertise, Guaranteed Results

Before Posting...
Please check out the Community Guidelines in the Announcements and Administration Category.

Reparse the file (dll) to load is like be persistent in windows???

rsalvarez280rsalvarez280 Member Posts: 9

Hi All.
I'm trying to develop a Minifilter to not allow to load an specific dll directly.
The process description is:
1 - An application wants to use this dll so ejecutes LoadLibrary("original.dll").
2 - This LoadLibrary try generates a IRP_MJ_CREATE precreate callback in the Minifilter and it changes (reparse) this file name with another dll made by me (with the same interface than the original).
3 - Because the reparse has been done, another IRP_MJ_CREATE precreate callback is executed, now with my dll name, so the filter allow it and do nothing.
4 - The application loads my dll.
5 - The application executes the first dll function in my dll, and my dll try to load original one executing LoadLibrary but using an specific dll name (for example: abcde.dll; this name is known for my dll and in the minifilter).
6 - This LoadLibrary generates another IRP_MJ_CREATE precreate callback in the filter to load "abcde.dll". The filter changes this name to the original one.
7 - Because this reparse has been done, it generates another IRP_MJ_CREATE precreate callback, now with the original one. In the minifilter I have the code to recognize this situation an in this case it doens't made any file change name (I save the process ID and an status for each process in each load try to know if the load dlls process is as I expect).
8 - The result is the application loads my dll and my dll loads the original. I have total control of the original dll execution.

The problem is this: If I try to open another application instance (the same application that loads the same original dll) with or without closing the first one, the IRP_MJ_CREATE precreate callback received has got my dll filename in the first callback. This is complete impossible. The application doen't know anything about the name of my dll and my dll is loading when an specific dll exported funcition call and this call has not be executed yet). It only knows the original name. So, who are doing this call using my dll? It is like if I made a reparser for this original.dll one time, all future LoadLibrary("original.dll") are changed to my dll without executing anything in the Minifilter. Is it true? it works again if I restart the computer but only for the first time the application is executed. Any idea?

Regards.

Comments

  • rod_widdowsonrod_widdowson Member - All Emails Posts: 1,088

    I assume that the image code looks up the name of the opened DLL and saves it away to avoid (undisclosed) issues later. When it does the open again it asks for the saved name. Easy to test - watch a trce and look for it querying the name.

  • rsalvarez280rsalvarez280 Member Posts: 9

    @rod_widdowson said:
    I assume that the image code looks up the name of the opened DLL and saves it away to avoid (undisclosed) issues later. When it does the open again it asks for the saved name. Easy to test - watch a trce and look for it querying the name.

    What???? Sorry but I don't understand you.

  • rod_widdowsonrod_widdowson Member - All Emails Posts: 1,088
    1. Image execution opens c:\folder\my_evil_dll
    2. You reparse that to c:\nice_folder\my_nice.dll
    3. Things are looking good.
    4. Someone else comes along and opens the dll. Image activation goes "Hey I opened this image, what was its name"
    5. Image execution asks "What is the name of that file I opened"
    6. The filesystem says c:\nice_folder\my_nice.dll
    7. Image activation asks to openc:\nice_folder\my_nice.dll
  • Gabriel_BerceaGabriel_Bercea Member - All Emails Posts: 482

    1)
    Why don't you in step 7 instead of using the reparse technique in which you will not be able to identify between the 2 creates just do the create yourself.
    So from PRE-CREATE, you recognise your name pattern: "abcde.dll", now instead of doing the the reparse technique, you simply call FltCreateFileEx or whatever you want with the original DLL name and complete the original create with the result of your FltCreateFileEx and be done with it ?
    Could this work ?

    2)
    Of course, there is another way. If I am not mistaking the reparses come with a specific ECP which as payload has something like:
    Original File Name and Reparsed File Name.
    In theory you should be able to have user-mode ECP, but I am not sure how that works in practice as the user-mode callable APIs don't have a way of supplying these, despite the fact that these 2 routines exist in kernel: FsRtlIsEcpFromUserMode and FltIsEcpFromUserMode.
    BTW, could anyone shed some light here ? User-mode ECPs ?

    3)
    You could of course from your own dll you could try to load the library yourself without the help of LoadLibrary, this way your CreateFile could be accompanied by an EA parameter which would "inform" your filter that it is in fact your dll call that is doing the loading. This would take away the necessity of the name fuzzing/translating but would add the complexity of writing your own loader.

    Cheers,
    Gabriel

Sign In or Register to comment.

Howdy, Stranger!

It looks like you're new here. If you want to get involved, click one of these buttons!

Upcoming OSR Seminars
Writing WDF Drivers 21 Oct 2019 OSR Seminar Space & ONLINE
Internals & Software Drivers 18 Nov 2019 Dulles, VA
Kernel Debugging 30 Mar 2020 OSR Seminar Space
Developing Minifilters 27 Apr 2020 OSR Seminar Space & ONLINE