Hooking MmCopyVirtualMemory

Hello, I think this is the best place to ask this question. Is it possible to hook/detour MmCopyVirtualMemory globally or for a specific process? The intention is to prevent unwanted processes from writing to your own. Please advise. Thank you

> I think this is the best place to ask this question.

If you are desperate to provoke a public outrage (or just want to see a “funny” reaction from the usual suspects), this is, indeed, the right place to go with such a question. Otherwise, I would suggest asking it elsewhere…

> The intention is to prevent unwanted processes from writing to your own.

Well, any process that runs under the same user account as yours is in a position to modify the address space of your process, as well as to create, kill and otherwise control its threads. This is the security model that Windows NT is based upon, and there is nothing that you can do here. Therefore, assuming that you are not a malware writer and just want to enhance the security of your process (which may, indeed, have perfectly legitimate applications like protecting sensitive data), don’t waste your time on trying to meet the requirements that cannot be met…

Anton Bassov

Dear Anton Bassov,

> If you are desperate to provoke a public outrage (or just want to see a “funny” reaction from the usual suspects), this is, indeed, the right place to go with such a question. Otherwise, I would suggest asking it elsewhere…

Well, that was not the intention… what I meant was something along the lines of: “These guys know what they are doing… therefore best to ask this here”.

> Well, any process that runs under the same user account as yours is in a position to modify the address space of your process, as well as to create, kill and otherwise control its threads. This is the security model that Windows NT is based upon, and there is nothing that you can do here. Therefore, assuming that you are not a malware writer and just want to enhance the security of your process (which may, indeed, have perfectly legitimate applications like protecting sensitive data), don’t waste your time on trying to meet the requirements that cannot be met…

Well, I am in no way a “malware” writer. In fact I am a security software designer and developer. The “security model” of Windows NT is so bad that I have reached my limits in trying to limit what/who/when/why can write to my process.

Callbacks have been exhausted; hooks from user mode and kernel for functions like “Zw/NtWriteVirtualMemory” and “Zw/NtReadVirtualMemory” have been exhausted.

Hackers have found that by using MmCopyVirtualMemory directly they can “just” write to the process, avoiding everything, I mean everything.

This is the reason why I am asking this question, as stupid as it may sound… is there really nothing that can be done with MmCopyVirtualMemory?

Thank you

> Hackers have found that by using MmCopyVirtualMemory directly they can “just” write to the process, avoiding everything, I mean everything.

Well, they don’t really need to resort to kernel-level hackery (which is more complicated because of driver signing, PatchGuard et al.) if they can simply open a handle to your process in the userland, and do whatever they want with it. However, if their module gets loaded into the kernel, you are unable to do ABSOLUTELY anything about it. The only thing that can be done is preventing this “unfortunate scenario”, but if the malicious module is loaded, all the bets are off…

Therefore, as I told you already, don’t waste your time on trying to meet the requirements that cannot be met…

Anton Bassov

> Well, they don’t really need to resort to kernel-level hackery (which is more complicated because of driver signing, PatchGuard et al.) if they can simply open a handle to your process in the userland, and do whatever they want with it. However, if their module gets loaded into the kernel, you are unable to do ABSOLUTELY anything about it. The only thing that can be done is preventing this “unfortunate scenario”, but if the malicious module is loaded, all the bets are off…

> Therefore, as I told you already, don’t waste your time on trying to meet the requirements that cannot be met…

Getting a handle from userland is not a problem; the problem is when they are in the kernel. I spent a considerable amount of time trying to prevent them from loading modules into the kernel, but… with all the dsefix, kernel bridges, etc. it’s a cat/mouse game.

> the problem is when they are in the kernel

Seriously? Once the attacker is in kernel-mode, it’s already game over. Why on earth would you worry about the security of one specific Memory Manager interface?

Peter

> Seriously? Once the attacker is in kernel-mode, it’s already game over. Why on earth would you worry about the security of one specific Memory Manager interface?

Well, I disagree here, it’s not “game over”. There are so many tricks you can do to prevent certain things from happening… it’s amazing. The only problem left (that I have left) is with MmCopyVirtualMemory, because it literally just writes into any process… like you would melt butter or cheese T_T

And to answer your question, there are many reasons… In this scenario I am worried because it does not account for anything like OB callbacks, etc.

Mecanik wrote:

> > Seriously? Once the attacker is in kernel-mode, it’s already game over. Why on earth would you worry about the security of one specific Memory Manager interface?
>
> Well I disagree here, it’s not “game-over”. There are so many tricks you can do to prevent certain things from happening… it’s amazing.

No. Once the kernel is infected, anything you can do, they can undo. Any tricks you know, they know. They are smarter than you are. Seriously, you need to understand this. If the kernel is compromised, it literally is “game over”. You cannot hide. You may fool yourself into thinking you’ve patched things, but the attackers might just have set up a “honey pot” interface to let you THINK you are winning.

As a research project, what you’re investigating has value. As a commercial product, not a chance.

> I spent a considerable amount of time to try and prevent them from loading modules into the kernel, but… with all the dsefix, kernel bridges, etc - it’s a cat/mouse game.

What happened to driver signing? Look, if a signed driver is properly installed on the target system and the admin user wants it to be loaded, preventing it from loading is none of your business (unless you are writing malware, of course)…

> Well I disagree here, it’s not “game-over”. There are so many tricks you can do to prevent certain things from happening… it’s amazing.

Once you and the attacker are in the same address space both of you are in exactly the same position - everything that you do can be undone by the attacker, and vice versa. Therefore, no matter what you do, you simply cannot win here. Full stop.

Anton Bassov

@Tim_Roberts said:

> Mecanik wrote:
>
> > > Seriously? Once the attacker is in kernel-mode, it’s already game over. Why on earth would you worry about the security of one specific Memory Manager interface?
> >
> > Well I disagree here, it’s not “game-over”. There are so many tricks you can do to prevent certain things from happening… it’s amazing.
>
> No. Once the kernel is infected, anything you can do, they can undo. Any tricks you know, they know. They are smarter than you are. Seriously, you need to understand this. If the kernel is compromised, it literally is “game over”. You cannot hide. You may fool yourself into thinking you’ve patched things, but the attackers might just have set up a “honey pot” interface to let you THINK you are winning.
>
> As a research project, what you’re investigating has value. As a commercial product, not a chance.

Well thanks… that’s really reassuring -_-.

@anton_bassov said:

> > I spent a considerable amount of time to try and prevent them from loading modules into the kernel, but… with all the dsefix, kernel bridges, etc - it’s a cat/mouse game.
>
> What happened to driver signing? Look, if a signed driver is properly installed on the target system and the admin user wants it to be loaded, preventing it from loading is none of your business (unless you are writing malware, of course)…
>
> > Well I disagree here, it’s not “game-over”. There are so many tricks you can do to prevent certain things from happening… it’s amazing.
>
> Once you and the attacker are in the same address space both of you are in exactly the same position - everything that you do can be undone by the attacker, and vice versa. Therefore, no matter what you do, you simply cannot win here. Full stop.

Anton Bassov

Driver signing? You can check if the certificate is from a legit company or some Chinese expired cert bought for $50, among other things.

And again… thanks, again that’s really reassuring -_-.
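As an added example (not code from the thread or from any of its participants), this is the kind of signature audit the reply above alludes to: it lists every driver the Service Control Manager reports as running, together with its Authenticode status, signer and certificate expiry, and flags anything unsigned, tampered, or signed with a certificate that has since expired. It assumes Windows PowerShell 5.1 or later in an elevated prompt, and, as the rest of the thread makes clear, it is a hygiene check against user-mode-level mistakes, not a defence against code that is already resident in the kernel.

```powershell
# Added example (not from the thread). Audits the Authenticode signature of every
# running driver and flags unsigned files, broken signatures and signatures whose
# signing certificate has already expired (those stay 'Valid' only via a timestamp).
# Assumes Windows PowerShell 5.1+ in an elevated prompt.

function Resolve-DriverPath {
    param([string]$RawPath)
    if ([string]::IsNullOrWhiteSpace($RawPath)) { return $null }
    $p = $RawPath -replace '^\\\?\?\\', ''                        # strip the \??\ prefix
    $p = $p -replace '^\\SystemRoot\\', ($env:SystemRoot + '\')   # \SystemRoot\... -> C:\Windows\...
    if ($p -notmatch '^[A-Za-z]:\\') {                            # bare 'system32\drivers\x.sys'
        $p = Join-Path $env:SystemRoot $p
    }
    return $p
}

function Get-DriverSignatureReport {
    $now = Get-Date
    Get-CimInstance -ClassName Win32_SystemDriver -Filter "State='Running'" |
        ForEach-Object {
            $path = Resolve-DriverPath $_.PathName
            $row  = [ordered]@{ Name = $_.Name; Path = $path; Status = $null
                                Signer = $null; NotAfter = $null; Flag = 'CHECK' }
            if ($path -and (Test-Path -LiteralPath $path)) {
                $sig  = Get-AuthenticodeSignature -LiteralPath $path
                $cert = $sig.SignerCertificate
                $row.Status = $sig.Status
                if ($cert) { $row.Signer = $cert.Subject; $row.NotAfter = $cert.NotAfter }
                if ($sig.Status -ne 'Valid')                { $row.Flag = 'CHECK' }    # unsigned / hash mismatch
                elseif ($cert -and $cert.NotAfter -lt $now) { $row.Flag = 'EXPIRED' }  # valid only through timestamp
                else                                        { $row.Flag = 'ok' }
            } else {
                $row.Status = 'FileNotFound'   # SCM entry with no file on disk: worth a look
            }
            [pscustomobject]$row
        }
}

# Show only the rows that deserve attention; drop the Where-Object to see everything.
Get-DriverSignatureReport | Where-Object { $_.Flag -ne 'ok' } |
    Sort-Object Flag, Name | Format-Table -AutoSize
```

In-box Microsoft drivers are typically catalog-signed and still report as Valid; a Valid status with an unfamiliar signer is the row to investigate, not necessarily a problem by itself.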

> As a research project, what you’re investigating has value. As a commercial product, not a chance.

I would say that it may have a research value only as long as you look at the things from the attacker’s perspective. However, from the defender’s one the whole thing is not worth even a thought for the reasons that we had stated on this thread - you simply cannot neutralise someone who has access to all the resources that you do…

Concerning the commercial product… well, security is a rather specific area. You may find quite a few products that are commercially successful, although if you look at them from the technical side, their value is at least questionable…

Anton Bassov

> However, from the defender’s one the whole thing is not worth even a thought for the reasons that we had stated on this thread - you simply cannot neutralise someone who has access to all the resources that you do…

Actually, you can - if you take those resources first.

I feel like we really deviated from the original question… can this function be intercepted or not? Thank you

Mecanik wrote:

> I feel like we really deviated from the original question…

Well, that’s what we’re best at.

> can this function be intercepted or not?

Legitimately? No, but if you can figure out how to override the page protection, you can always overwrite the entry point to trampoline it to your own code. You’ll go to hell for that, of course, but we’re already driving you there. :wink:

@Tim_Roberts said:

> Mecanik wrote:
>
> > I feel like we really deviated from the original question…
>
> Well, that’s what we’re best at.
>
> > can this function be intercepted or not?
>
> Legitimately? No, but if you can figure out how to override the page protection, you can always overwrite the entry point to trampoline it to your own code. You’ll go to hell for that, of course, but we’re already driving you there. :wink:

But, but, I came here for your expertise, not to drive me to hell :neutral: Can you even trampoline a function like this!?

Look… I’m all for not letting the perfect be the enemy of the possible, and all that shite.

But worrying about MmCopyVirtualMemory, when a kernel-mode entity can quite literally map any page in physical memory and write to it? MmCopyVirtualMemory is there to make what it does convenient and easy… not to make it possible.

Returning to first principles:

> The “security model” of Windows NT is so bad, that I have reached my limits in trying to limit what/who/when/why can write to my process.

I call bullshit. You’re trying to enforce security on something that’s PART of the Trusted Computing Base. By architecture, kernel mode entities are part of the TCB and trust other kernel mode entities in Windows (unless they are explicitly asked not to).

Anyhow… good luck hooking.

Peter

> Actually, you can - if you take those resources first.

…and another KM component may take them away from you without ever asking your permission if it chooses to do so. The best analogy here is two kids who are fighting for a toy that they have found in the playground…

> can this function be intercepted or not?

Well, you do not seem to have any interest in reasonable argumentation, do you…

All that you know about is MmCopyVirtualMemory(), which you believe has to be hooked in order to provide protection to your process.

OK, let’s say you have hooked it. Do you really think it is going to solve your problem? If you do… well, then think again.

You just don’t seem to realise that ANY KM module is potentially capable of writing to ANY location in ANY address space without ever calling this function if it chooses to do so, do you? As I can see, all the attempts to explain it to you are doomed to failure.

Good luck anyway

Anton Bassov


Let’s just set this aside for the moment, as I got everyone’s point. This is like a wild goose chase and I will not get anywhere, for now.

Thank you all for your time regarding this.