

Queue APC in PLoadImageNotifyRoutine

muniategui Member Posts: 12

Hi,

I need to write a program's entry point onwards when it's loaded from disk to memory. In order to do that I use PsSetLoadImageNotifyRoutine to check when an image is loaded. When I see that the .exe file is being loaded I get its entry point address (base address of the image that I get from IMAGE_INFO + reading the header to get the entry point offset).

The problem comes when I try to write the memory, as I get a STATUS_ACCESS_VIOLATION which I supposed is happening due to the fact that the memory does not have write permission (correct me if I'm wrong and it is due to another thing). Then what I would like to do is to use MmProtectMdlSystemAddress to change permissions, write it and restore permissions. In order to do that I use IoAllocateMdl + MmProbeAndLockPages + ... But it gets stuck on ProbeAndLock due to the fact that the system holds a lock on it (Doc: To avoid deadlocks, load-image notify routines must not call system routines that map, allocate, query, free, or perform other operations on user-space virtual memory.).

In order to solve this I read this option https://stackoverflow.com/questions/50610741/windows-kernel-driver-zwallocatevirtualmemory-causing-thread-to-terminate but the instruction KeInitializeApc to insert the APC is not documented. What should I do? Should I use KeInitializeApc or is there another approach to modify the memory without using it?

Thanks!
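The header walk described above (image base from IMAGE_INFO plus the entry-point RVA read out of the PE headers), as an added example that is not code from this thread: a user-mode, bounds-checked parser over a constructed header-only buffer, showing the validation an inspection tool applies before trusting AddressOfEntryPoint from a mapped image. The sample image and the function names are constructed for the example.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* Bounds-checked little-endian read of n bytes; an offset the header claims past the buffer is rejected. */
static int rd(const uint8_t *img, size_t len, size_t off, int n, uint32_t *out) {
    if (off > len || len - off < (size_t)n) return 0;
    *out = 0;
    for (int i = n - 1; i >= 0; i--) *out = (*out << 8) | img[off + i];
    return 1;
}

/* Returns AddressOfEntryPoint (an RVA to add to the image base) or 0 if the headers are not a
 * plausible PE. Layout: e_lfanew at 0x3C, "PE\0\0" at e_lfanew, OptionalHeader at e_lfanew + 24,
 * AddressOfEntryPoint at +16 and SizeOfImage at +56 within it (same offsets for PE32 and PE32+). */
uint32_t pe_entry_rva(const uint8_t *img, size_t len) {
    uint32_t mz, lfanew, sig, magic, ep, size_of_image;
    if (!rd(img, len, 0, 2, &mz) || mz != 0x5A4D) return 0;                /* "MZ" */
    if (!rd(img, len, 0x3C, 4, &lfanew)) return 0;
    if (!rd(img, len, lfanew, 4, &sig) || sig != 0x00004550) return 0;     /* "PE\0\0" */
    size_t opt = (size_t)lfanew + 24;
    if (!rd(img, len, opt, 2, &magic) || (magic != 0x10B && magic != 0x20B)) return 0;
    if (!rd(img, len, opt + 16, 4, &ep) || !rd(img, len, opt + 56, 4, &size_of_image)) return 0;
    if (ep == 0 || ep >= size_of_image) return 0;     /* entry point must fall inside the image */
    return ep;
}

/* Constructed sample, not a real binary: headers only, PE32+, entry RVA 0x1000. */
size_t build_sample_image(uint8_t *buf, size_t len) {
    if (len < 256) return 0;
    memset(buf, 0, 256);
    buf[0] = 'M'; buf[1] = 'Z'; buf[0x3C] = 0x40;     /* "MZ", e_lfanew = 0x40 */
    buf[0x40] = 'P'; buf[0x41] = 'E';                  /* "PE\0\0" */
    buf[0x58] = 0x0B; buf[0x59] = 0x02;                /* OptionalHeader.Magic = 0x20B (PE32+) */
    buf[0x69] = 0x10; buf[0x91] = 0x30;                /* entry 0x1000, SizeOfImage 0x3000 */
    return 256;
}

/* Parses the sample plus two corrupted variants; returns the good RVA only if both are rejected. */
uint32_t sample_entry_rva(void) {
    uint8_t buf[256];
    build_sample_image(buf, sizeof buf);
    uint32_t good = pe_entry_rva(buf, sizeof buf);
    if (pe_entry_rva(buf, 0x60) != 0) return 0;        /* buffer ends inside the optional header */
    buf[0x69] = 0x40;                                   /* entry 0x4000, beyond SizeOfImage */
    if (pe_entry_rva(buf, sizeof buf) != 0) return 0;
    return good;
}
```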

Comments

  • Peter_Viscarola_(OSR) Administrator Posts: 7,845

    Let me see... isn’t your question asking “please help me write malware”?

    Peter

    Peter Viscarola
    OSR
    @OSRDrivers

  • muniategui Member Posts: 12

    No, that's not the purpose. I cut the entry point from an exe and exported it to another file; then, if a process is authorized and the modified exe resides in the path (the entry point is all NOPs), I want to load the exe normally (loading the entry point that is in another file and overriding the NOPs that I patched). I was thinking that maybe working with I/O would be better, since if the process is authorized and opens a handle to the file, and I intercept the read request, I would be able to modify the data that it is reading, adding the entry point there.
    However, I've already started using the method I mentioned in this post and I don't know if it would be able to do it that way (or with the I/O way, since I haven't checked, as I only thought of it that way yesterday and was waiting for an answer here).

  • Peter_Viscarola_(OSR) Administrator Posts: 7,845
    edited January 18

    Hmmmmm... if you just want to veto process creation, why not use PsSetCreateProcessNotifyRoutine (or friends), which is designed for this purpose?

    Peter

    Peter Viscarola
    OSR
    @OSRDrivers

  • muniategui Member Posts: 12

    I've already used PsSetCreateProcess to get the tree of parents to allow offspring to be authorized; the problem is that I want the exes to be encrypted on disk (for now I just cut it, modifying it, but the idea is to encrypt it).

  • Peter_Viscarola_(OSR) Administrator Posts: 7,845

    i want the exes to be encrypted on disk

    Oh! So, you want to write a file system Minifilter for that.

    Problem solved.

    Peter

    Peter Viscarola
    OSR
    @OSRDrivers
