Queue APC in PLOAD_IMAGE_NOTIFY_ROUTINE

muniategui Member Posts: 12

Hi,

I need to write a program from its entry point onwards when it is loaded from disk into memory. In order to do that I use PsSetLoadImageNotifyRoutine to check when an image is loaded. When I see that the .exe file is being loaded, I get its entry point address (the base address of the image, which I get from IMAGE_INFO, plus reading the header to get the entry point offset).

The problem comes when I try to write the memory, as I get a STATUS_ACCESS_VIOLATION, which I suppose is happening because the memory does not have write permission (correct me if I'm wrong and it is due to something else). What I would then like to do is use MmProtectMdlSystemAddress to change the permissions, write it, and restore the permissions. In order to do that I use IoAllocateMdl + MmProbeAndLockPages + ... But it gets stuck on MmProbeAndLockPages because the system holds a lock on it (Doc: To avoid deadlocks, load-image notify routines must not call system routines that map, allocate, query, free, or perform other operations on user-space virtual memory.).

In order to solve this I read this option https://stackoverflow.com/questions/50610741/windows-kernel-driver-zwallocatevirtualmemory-causing-thread-to-terminate but the KeInitializeApc function used to insert the APC is not documented. What should I do? Should I use KeInitializeApc, or is there another approach to modify the memory without using it?

Thanks!
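As an added example (not code from the thread or from any of its participants), this is the header walk the post describes, with the bounds checks that a kernel-mode reader of a user-mapped image needs. It is written as portable user-mode C over a constructed minimal PE32 buffer so it runs anywhere; `pe_entry_point_rva`, `build_min_pe` and `pe_parse_self_test` are hypothetical names chosen here. In a real PLOAD_IMAGE_NOTIFY_ROUTINE the bytes would come from IMAGE_INFO.ImageBase, which is pageable user-mode memory and is normally read inside __try/__except, and, per the documentation quoted in the post, without calling Mm routines that operate on user-space virtual memory. Field offsets follow the documented IMAGE_DOS_HEADER / IMAGE_NT_HEADERS layout, so no Windows SDK is required.

```c
/* Added example (not from the thread): bounds-checked lookup of a PE image's
 * AddressOfEntryPoint, the "reading the header" step of the original post,
 * done over an in-memory buffer instead of IMAGE_INFO.ImageBase. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MZ_SIG          0x5A4Du      /* "MZ" */
#define PE_SIG          0x00004550u  /* "PE\0\0" as a little-endian uint32 */
#define OPT_MAGIC_PE32  0x10Bu
#define OPT_MAGIC_PE32P 0x20Bu       /* PE32+ (64-bit image) */
#define FILE_HDR_SIZE   20u          /* sizeof(IMAGE_FILE_HEADER) */
#define MIN_OPT_HDR     20u          /* enough to reach AddressOfEntryPoint */

/* Unaligned little-endian accessors: the mapped image is untrusted input, so
 * it is never cast to a header struct and dereferenced blindly. */
static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t rd32(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}
static void wr16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); }
static void wr32(uint8_t *p, uint32_t v)
{
    p[0] = (uint8_t)v;         p[1] = (uint8_t)(v >> 8);
    p[2] = (uint8_t)(v >> 16); p[3] = (uint8_t)(v >> 24);
}

/* Returns 0 and stores AddressOfEntryPoint in *rva_out, or -1 if any header
 * field is malformed or would make the parser read past 'size'. */
int pe_entry_point_rva(const uint8_t *img, size_t size, uint32_t *rva_out)
{
    if (img == NULL || rva_out == NULL || size < 0x40) return -1;
    if (rd16(img) != MZ_SIG) return -1;

    uint32_t e_lfanew = rd32(img + 0x3C);            /* IMAGE_DOS_HEADER.e_lfanew */
    if (e_lfanew > size ||
        size - e_lfanew < 4 + FILE_HDR_SIZE + MIN_OPT_HDR) return -1;

    const uint8_t *nt = img + e_lfanew;
    if (rd32(nt) != PE_SIG) return -1;

    const uint8_t *fh  = nt + 4;                     /* IMAGE_FILE_HEADER */
    uint16_t opt_size  = rd16(fh + 16);              /* SizeOfOptionalHeader */
    const uint8_t *opt = fh + FILE_HDR_SIZE;         /* IMAGE_OPTIONAL_HEADER */
    if (opt_size < MIN_OPT_HDR ||
        (size_t)(opt - img) + opt_size > size) return -1;

    uint16_t magic = rd16(opt);
    if (magic != OPT_MAGIC_PE32 && magic != OPT_MAGIC_PE32P) return -1;

    *rva_out = rd32(opt + 16);   /* AddressOfEntryPoint: offset 16 in PE32 and PE32+ */
    return 0;
}

/* Constructed test input (not a real file): DOS header, "PE\0\0", file header
 * and a 96-byte PE32 optional header carrying entry_rva. Returns the byte
 * count written, or 0 if 'cap' is too small. */
size_t build_min_pe(uint8_t *buf, size_t cap, uint32_t entry_rva)
{
    const uint32_t lfanew = 0x40;
    const uint16_t opt_size = 96;
    size_t total = lfanew + 4 + FILE_HDR_SIZE + opt_size;
    if (cap < total) return 0;
    memset(buf, 0, total);
    buf[0] = 'M'; buf[1] = 'Z';
    wr32(buf + 0x3C, lfanew);
    memcpy(buf + lfanew, "PE\0\0", 4);
    uint8_t *fh = buf + lfanew + 4;
    wr16(fh + 16, opt_size);                         /* SizeOfOptionalHeader */
    uint8_t *opt = fh + FILE_HDR_SIZE;
    wr16(opt, OPT_MAGIC_PE32);
    wr32(opt + 16, entry_rva);
    return total;
}

/* Runs the parser on the constructed image and three malformed variants;
 * returns how many of the four cases behaved as expected (4 = all). */
int pe_parse_self_test(void)
{
    uint8_t img[512];
    uint32_t rva = 0;
    int ok = 0;
    size_t n = build_min_pe(img, sizeof img, 0x1000);
    ok += (pe_entry_point_rva(img, n, &rva) == 0 && rva == 0x1000);
    ok += (pe_entry_point_rva(img, 80, &rva) == -1);         /* headers truncated */
    wr32(img + 0x3C, 0xFFFFFFF0u);                           /* e_lfanew out of range */
    ok += (pe_entry_point_rva(img, n, &rva) == -1);
    wr32(img + 0x3C, 0x40);
    wr16(img + 0x40 + 4 + FILE_HDR_SIZE, 0x107);             /* ROM image magic, not PE32 */
    ok += (pe_entry_point_rva(img, n, &rva) == -1);
    return ok;
}

int main(void)
{
    uint8_t img[512];
    uint32_t rva = 0;
    uintptr_t fake_base = 0x00400000;   /* stands in for IMAGE_INFO.ImageBase */
    size_t n = build_min_pe(img, sizeof img, 0x1000);
    if (pe_entry_point_rva(img, n, &rva) == 0)
        printf("entry RVA 0x%x -> VA 0x%lx\n", rva, (unsigned long)(fake_base + rva));
    else
        printf("malformed headers\n");
    printf("self-test: %d/4\n", pe_parse_self_test());
    return 0;
}
```

SizeOfOptionalHeader is checked before Magic is touched because the optional header is variable-sized: a crafted image with a tiny optional header would otherwise send the read past the mapped region, which in a load-image callback means a fault on user-mode memory rather than a clean error return.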

Comments

  • Peter_Viscarola_(OSR) Administrator Posts: 7,583

    Let me see... isn’t your question asking “please help me write malware”?

    Peter

    Peter Viscarola
    OSR
    @OSRDrivers

  • muniategui Member Posts: 12

    No, that's not the purpose. I cut the entry point out of an exe and exported it to another file; then, if a process is authorized and its path is where the modified exe resides (the entry point is all NOPs), I want to load the exe normally (loading the entry point that is in the other file and overriding the NOPs that I patched in). I was thinking that maybe working with I/O would be better, since if the process is authorized and opens a handle to the file, and I intercept the read request, I would be able to modify the data it is reading, adding the entry point there.
    However, I've already started using the method I described in this post and I don't know if it would be able to do it that way (or with the I/O way, since I haven't checked, as I only thought of it yesterday and was waiting for an answer here).

  • Peter_Viscarola_(OSR) Administrator Posts: 7,583
    edited January 18

    Hmmmmm..., if you just want to veto process creation, why not use PsSetCreateProcessNotifyRoutine (or friends), which is designed for this purpose?

    Peter

    Peter Viscarola
    OSR
    @OSRDrivers

  • muniategui Member Posts: 12

    I've already used PsSetCreateProcess to get the tree of parents so that the offspring are authorized; the problem is that I want the exes to be encrypted on disk (for now I just cut it, modifying it, but the idea is to encrypt it).

  • Peter_Viscarola_(OSR) Administrator Posts: 7,583

    > i want the exes to be encrypted on disk

    Oh! So, you want to write a file system Minifilter for that.

    Problem solved.

    Peter

    Peter Viscarola
    OSR
    @OSRDrivers
