
Real time detecting of mutex objects

Jose_Morales Member - All Emails Posts: 24

Hi all, after some extensive research, I cannot find a way to detect creation or access of a mutex (createmutex, createmutexA, openmutex) etc.... I'm wondering if any of you know of a way to do so. I am using callback notifications in kmexts which has callbacks for creation of processes and threads, creation of process and thread handles, all the registry events, etc.... Is there a field I can check, or an object I should query during a pre-callback that can hint or id a mutex creation? This is for my project of collecting runtime events. Thanks.


Comments

  • Jose_Morales Member - All Emails Posts: 24

    Circling back on this question, hoping for some good insight.

  • ThatsBerkan Member Posts: 57
    edited June 3

    Honestly, maybe you should consider trying to implement actual detection methods in your anticheat other than hooking every single thing the NT kernel allows you to. That said, there is one way that I know but it is undocumented. There aren't any documented ways to hook mutex object creation.

  • Peter_Viscarola_(OSR) Administrator Posts: 8,493

    I cannot find a way to detect creation or access of a mutex

    Let's think about this for a minute: Why WOULD there be? What possible reason would somebody have for wanting to detect the creation/deletion of a fundamental synchronization primitive? And why Mutex? Why not, say... SpinLocks? Or Semaphores?

    So, no... there's no documented way to do this, because it's not something anybody needs to do. Well, apart from you, and I'm sure you have very good reasons.

    Peter

    Peter Viscarola
    OSR
    @OSRDrivers

  • Jose_Morales Member - All Emails Posts: 24

    Thanks for the input. Malware uses mutexes a lot to avoid re-infecting the same machine; for my class on detecting malware during runtime, I felt it important to show how to detect mutex creation. There are many ways to list mutexes in Windows, so I thought for sure there must be some hint in real time that a mutex is being created.

  • Peter_Viscarola_(OSR) Administrator Posts: 8,493

    malware uses mutexes a lot to avoid re-infecting the same machine

    Eh? Are we talking about the same thing? You know that a Mutex is an object, and its instance goes away when the owning process exits or (in the case of the system process) when the system is rebooted.

    It seems that a Mutex, specifically, would be ill-suited to the job you’re describing. Maybe an Event would be better.

    I’m confused to the point where I wonder if we’re talking about the same thing.

    Peter

    Peter Viscarola
    OSR
    @OSRDrivers

  • Jose_Morales Member - All Emails Posts: 24

    Hi thanks, here is a post of what I am talking about: https://isc.sans.edu/diary/How+Malware+Generates+Mutex+Names+to+Evade+Detection/19429/
    If any on this list have an idea, please let me know, thanks.

  • Sergey_Pisarev Member - All Emails Posts: 276

    Wouldn't it be enough to scan object manager directories with ZwOpenDirectoryObject and friends and check for existence of the name you are interested in?

  • Jose_Morales Member - All Emails Posts: 24

    That is a good approach. The key question is when during the execution to do it? Since I have a bunch of callback notifications and a minifilter, at what point should the query occur? If we knew a mutex was being created we could query the dirobj at that point; since that does not exist in a documented fashion, it leaves the question open of when to do it. Any insights on that are appreciated.

  • Jose_Morales Member - All Emails Posts: 24

    As an additional thought, deciding which directory to query is critical since it's inefficient to have multiple queries of all directories.

  • Jose_Morales Member - All Emails Posts: 24

    Also I'm not searching for specific mutex names, so a name search is not usable here, but searching for the existence of any mutex object is.

  • Michal_Vodicka Member - All Emails Posts: 109

    Actually, I like the way the malware generates mutex names based on product ID >:) It is creative.

    also I'm not searching for specific mutex names, so a name search is not usable here, but searching for the existence of any mutex object is.

    OK but you should take into account creating named mutexes is something not specific to malware and any software can do it for honest reasons. I probably never used mutexes this way but I used named events. They can be used by malware the same way.

    You can search object space periodically and detect changes against previous state. For example once per minute, 10 minutes or or. Still I'm not sure what do you want to do with it. Alert! Somebody created named mutex! What is user expected to do then?
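The scan-and-diff approach suggested in the two posts above (open an object manager directory with ZwOpenDirectoryObject and friends, enumerate it, and compare successive snapshots), written out as an added example that is not part of the thread or of any poster's code. It polls from user mode in Python via ctypes, using NtOpenDirectoryObject and NtQueryDirectoryObject, the user-mode twins of the Zw routines named above. A Win32 mutex is an NT object of type "Mutant", which is what the default filter watches; the directory `\BaseNamedObjects`, the polling interval and the function names `enumerate_named_objects`, `new_objects` and `watch` are this example's own choices. Enumeration needs Windows; the diff logic is platform-independent.

```python
"""Periodic snapshot-and-diff of named kernel objects (added example).

Opens an object manager directory with NtOpenDirectoryObject, lists it with
NtQueryDirectoryObject, and reports entries of the watched object types that
were absent from the previous snapshot. Enumeration is Windows-only;
new_objects() runs anywhere.
"""
import ctypes
import sys
import time

DIRECTORY_QUERY = 0x0001            # access right needed to list a directory
OBJ_CASE_INSENSITIVE = 0x40
STATUS_NO_MORE_ENTRIES = 0x8000001A


class UNICODE_STRING(ctypes.Structure):
    _fields_ = [("Length", ctypes.c_ushort),        # bytes, not characters
                ("MaximumLength", ctypes.c_ushort),
                ("Buffer", ctypes.c_void_p)]


class OBJECT_ATTRIBUTES(ctypes.Structure):
    _fields_ = [("Length", ctypes.c_ulong),
                ("RootDirectory", ctypes.c_void_p),
                ("ObjectName", ctypes.POINTER(UNICODE_STRING)),
                ("Attributes", ctypes.c_ulong),
                ("SecurityDescriptor", ctypes.c_void_p),
                ("SecurityQualityOfService", ctypes.c_void_p)]


class OBJECT_DIRECTORY_INFORMATION(ctypes.Structure):
    _fields_ = [("Name", UNICODE_STRING), ("TypeName", UNICODE_STRING)]


def _ustr(u):
    """Decode a UNICODE_STRING into a Python str."""
    return ctypes.wstring_at(u.Buffer, u.Length // 2) if u.Buffer else ""


def enumerate_named_objects(directory=r"\BaseNamedObjects"):
    """Return a set of (name, type_name) for every entry in `directory`."""
    if sys.platform != "win32":
        raise OSError("NtQueryDirectoryObject is only available on Windows")
    ntdll = ctypes.WinDLL("ntdll")
    ntdll.NtOpenDirectoryObject.restype = ctypes.c_long   # NTSTATUS, <0 = error
    ntdll.NtQueryDirectoryObject.restype = ctypes.c_long
    ntdll.NtClose.restype = ctypes.c_long

    name_buf = ctypes.create_unicode_buffer(directory)    # kept alive below
    name = UNICODE_STRING(len(directory) * 2, (len(directory) + 1) * 2,
                          ctypes.cast(name_buf, ctypes.c_void_p).value)
    attrs = OBJECT_ATTRIBUTES(ctypes.sizeof(OBJECT_ATTRIBUTES), None,
                              ctypes.pointer(name), OBJ_CASE_INSENSITIVE,
                              None, None)
    handle = ctypes.c_void_p()
    status = ntdll.NtOpenDirectoryObject(ctypes.byref(handle), DIRECTORY_QUERY,
                                         ctypes.byref(attrs))
    if status < 0:
        raise OSError(f"NtOpenDirectoryObject({directory}) failed: "
                      f"0x{status & 0xFFFFFFFF:08X}")

    entries = set()
    buf = ctypes.create_string_buffer(64 * 1024)
    context = ctypes.c_ulong(0)     # enumeration cursor maintained by the kernel
    returned = ctypes.c_ulong(0)
    restart = True
    try:
        while True:
            status = ntdll.NtQueryDirectoryObject(
                handle, buf, ctypes.sizeof(buf), False, restart,
                ctypes.byref(context), ctypes.byref(returned))
            restart = False
            if (status & 0xFFFFFFFF) == STATUS_NO_MORE_ENTRIES:
                break
            if status < 0:
                raise OSError(f"NtQueryDirectoryObject failed: "
                              f"0x{status & 0xFFFFFFFF:08X}")
            # The buffer holds OBJECT_DIRECTORY_INFORMATION records ending with
            # an all-zero record; the name strings live further up the buffer.
            offset = 0
            while True:
                info = OBJECT_DIRECTORY_INFORMATION.from_buffer(buf, offset)
                if not info.Name.Buffer:
                    break
                entries.add((_ustr(info.Name), _ustr(info.TypeName)))
                offset += ctypes.sizeof(OBJECT_DIRECTORY_INFORMATION)
            if offset == 0:         # nothing returned and no error: done
                break
    finally:
        ntdll.NtClose(handle)
    return entries


def new_objects(previous, current, watch_types=("Mutant",)):
    """Entries in `current` of a watched type that were absent from `previous`."""
    return sorted(e for e in current - previous if e[1] in watch_types)


def watch(directory=r"\BaseNamedObjects", interval=60.0, rounds=None,
          watch_types=("Mutant",)):
    """Poll `directory` every `interval` seconds and log newly created objects."""
    previous = enumerate_named_objects(directory)
    print(f"baseline: {len(previous)} objects in {directory}")
    done = 0
    while rounds is None or done < rounds:
        time.sleep(interval)
        current = enumerate_named_objects(directory)
        for name, type_name in new_objects(previous, current, watch_types):
            print(f"{time.strftime('%Y-%m-%dT%H:%M:%S')} new {type_name} "
                  f"{directory}\\{name}")
        previous = current
        done += 1


if __name__ == "__main__":
    watch(interval=10.0, rounds=6)
```

`\BaseNamedObjects` holds global names only; names created in an interactive session live under `\Sessions\<n>\BaseNamedObjects`, so a real collector polls that directory as well. Since any named object type serves the same purpose, widen `watch_types` (for example to include "Event" and "Semaphore") rather than singling out mutants. A snapshot diff cannot tell which process created the object; that correlation has to come from the process and handle callbacks the logging driver already records, and the interval bounds how short-lived an object can be and still be seen.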

  • Jose_Morales Member - All Emails Posts: 24

    Thanks Michal. I save all these execution events to a log file, resulting in a large data set for Windows exe malware on virusshare.com. The data set is meant for researchers; adding mutex is, in my opinion, important for malware defense research. Periodic checks of obj space is good and the thread would benefit from hearing other approaches as well, hope others provide.

  • Michal_Vodicka Member - All Emails Posts: 109

    For logging and research it looks OK. But there should be no need for real time approach, maybe not even for periodic checks, just scan and create log.

  • Tim_Roberts Member - All Emails Posts: 13,970

    The whole notion that malware trolls are conscientious enough to do ANYTHING to avoid multiple infections is totally laughable. "Well, sure, he mugged me, but at least he was polite."

    Tim Roberts, [email protected]
    Providenza & Boekelheide, Inc.

  • Jose_Morales Member - All Emails Posts: 24

    I'm thinking in my minifilter I can check for directory access and query that object; I can relate pids to those I'm interested in.

  • Jose_Morales Member - All Emails Posts: 24

    It would be nice if ObCallbacks notified for mutex objects; as far as I know, they don't.

  • Peter_Viscarola_(OSR) Administrator Posts: 8,493

    would be nice if ObCallbacks notified for mutex objects

    Nope. As we’ve said, I think, several times by now, they do not.

    I apologize, but I find this whole notion laughable. Singling out Mutex objects is, from my limited point of view as a mere kernel dev and not any sort of security or malware researcher, simply ridiculous. These are not the only objects that can be named. So, why choose Mutex for special treatment? Asking for and/or expecting a callback for the instantiation of a simple kernel synchronization primitive is foolish. The callback can create more overhead than the instantiation... for something that might be done frequently.

    OK... I realize my editorializing on this has no real point beyond satisfying myself.

    Peter

    Peter Viscarola
    OSR
    @OSRDrivers

  • Prokash_Sinha Member - All Emails Posts: 221
    via Email
    Very challenging indeed!

    You want to know as and when a mutex gets created, then perhaps search
    against known hash for the name ??

    It’s more like coming up with a debugger module that will insert exceptions
    to interesting places, handle the exception!!!

    Pro
  • MBond2 Member Posts: 331

    I think that we can safely decide that this is the most ridiculous objective of the year - with half of the year ahead.

    Because this is both totally useless in the objectives and so impractical in the proposed means it is outlandish enough to qualify as one of the most ridiculous things I have ever heard proposed.

    To the OP, it is certainly possible that you have a legitimate objective, and I am sure that if you do, and can articulate it, the rest of the community and I will certainly try to help you. But the problem is that as stated you can't achieve anything with this approach, I think.

  • anton_bassov Member MODERATED Posts: 5,258

    The whole notion that malware trolls are conscientious enough to do ANYTHING to avoid multiple infections is totally laughable.

    What about the scenario when two separate instances of the same malware "title" are potentially getting at odds with one another, effectively rendering one another non-functional (in the sense that they are both unable to exercise their intended malicious functionalities)?
    In this particular case malware writers may, indeed, want to avoid multiple reinfections, and the purpose of the whole exercise is protecting the malware itself, rather than the target machine/OS installation that it attempts to subvert. It never occurred to you to think this way, by any chance?

    Anton Bassov

  • Tim_Roberts Member - All Emails Posts: 13,970

    Again, I am amused to no end that anyone thinks these bastards expend any energy at all worrying about how their software fits into a malware "ecosystem".

    Tim Roberts, [email protected]
    Providenza & Boekelheide, Inc.

  • Prokash_Sinha Member - All Emails Posts: 221

    Wow, trying to complete a project makes someone ?astered, and it has already won the prize for the most ridiculous post of the year....

    This is the slippery slope or fool's paradise... Go to any credible security company and find out what kind of hacks they do to support as much as they can for APT. And ask them what and how they handle those things...

    From OS, protocol, device nothing is as safe as we wish to think. So people trying to do whatever they can ... Otherwise we will all have to soak our systems in salt water for a day, then give to recycling ...

    pro

  • Prokash_Sinha Member - All Emails Posts: 221

    Any credible hacker worth their salt is never going to ask a question as straight as this one!
    Pro

  • anton_bassov Member MODERATED Posts: 5,258

    Again, I am amused to no end that anyone thinks these bastards expend any energy at all worrying about how their software
    fits into a malware "ecosystem".

    I am speaking not about an "ecosystem" (i.e. different malware "titles" peacefully coexisting on the same machine") but about the scenario when two separate instances of the same "title" are installed on it.

    I know you may get surprised to no end, but if you don't mind "expending your energy" on writing a program you may, probably, want to "expend some energy" on making it work, at least from time to time, as well. Taking into account the malicious nature of the program in question, in this particular case it may mean taking some steps to avoid detection and/or removal.

    Another point to consider is that two separate instances of the same malware "title" that are installed on the target machine are going to compete for exactly the same resources. Taking, again, into account the malicious nature of the program in question and its lack of concern for anybody else, this may result in some "funny" situations (like, for example, instance A removing a hook installed by instance B, and vice versa, effectively resulting in a ridiculous scenario of a malware rendering itself harmless by its own actions).

    In order to avoid this unfortunate (from the malware writer's perspective, of course) scenario, they may want to avoid installing multiple instances of it on the same machine.

    Anton Bassov

  • Peter_Viscarola_(OSR) Administrator Posts: 8,493

    If I scanned and remember the linked report correctly, I think the malware is using the named mutex to store some information... so not necessarily as a serialization primitive?

    Regardless...

    Peter

    Peter Viscarola
    OSR
    @OSRDrivers

  • anton_bassov Member MODERATED Posts: 5,258

    I think the malware is using the named mutex to store some information... so not necessarily as a serialization primitive?

    At this point, the original question that Marion branded as "the most ridiculous post of the year - with half of the year ahead" starts, all of a sudden, making perfect sense. If mutexes are used this way, quite a few of them may potentially be required to store all the info, right. Therefore, if you notice a surge of named mutex creation all of a sudden, it may, indeed, raise some suspicions. Certainly, it is not up to a driver to decide upon anything, but logging mutex creation events for subsequent analysis may be reasonable indeed....

    Anton Bassov

  • Prokash_Sinha Member - All Emails Posts: 221

    If it is inside kernel space, we call it a rootkit, otherwise a user-level hook... Both are bad. I know for a fact that some drivers (kernel mode) do some techniques for persistence, and avoid duplications. It's more like Covid vaccines... :-). I, personally, would not go that far as to call it the most ridiculous post.

    I personally subverted lots of apparent OS securities . so I shut my f* mouth :-).

    Pro

  • Michal_Vodicka Member - All Emails Posts: 109

    Not a serialization primitive but mutual exclusion in broader sense. Indicates malware already took over this machine and another copy shouldn't bother to avoid conflicts. That's one reason why the original request is strange, any named object would serve this purpose so guarding just mutexes doesn't make sense.

    Again, I am amused to no end that anyone thinks these bastards expend any energy at all worrying about how their software fits into a malware "ecosystem".

    These bastards are trying to make money nowadays. Ransom, crypto mining, botnets... You can see it as a business however weird. They may not care about customers' machines and data but they care about their profits and don't want to shoot themselves to their knees. Anton already explained it.

  • Prokash_Sinha Member - All Emails Posts: 221

    @Michal_Vodicka said:

    These bastards are trying to make money nowadays. Ransom, crypto mining, botnets... You can see it as a business however weird. They may not care about customers' machines and data but they care about their profits and don't want to shoot themselves to their knees. Anton already explained it.

    Well, those bastards will not show up here or on any other forum for sure! And they don't mind us calling them out as bastards...

    Now they are there, HOW DO YOU FIX (EVEN A SMALL PART ) ??? Hitting the walls with our heads does not seem to work ...

    -Pro

  • Michal_Vodicka Member - All Emails Posts: 109

    I wouldn't be surprised if they read this list and some can even be members. What makes the difference between black and white hats? Morals, not competence.

This discussion has been closed.
