
Real time detecting of mutex objects


Comments

  • MBond2MBond2 Member Posts: 330

    Well, we only have to wait until the end of the year to see if I'm right ;)

    But there are some points to consider.

    One of the most common ways that malware is discovered is when users notice that something isn't working as it should. As was the case with the recent SolarWinds problem, malware designed to minimize the disruptions that it causes is harder to detect because no one goes looking. This isn't something that someone determined to cause mischief worries about, but serious attackers will for sure.

    A named mutex is one way to ensure that multiple instances of the same program don't run together. That might be a technique that is used by malware, but it is also used by many other programs, including some versions of Office IIRC. But a named mutex is only one of a vast number of ways of preventing multiple instances of the same program from running together. Using the same idea, any named object could be used: a mutex, an event, a section - you could even use a named pipe endpoint. But there are many other ways too. Consider a socket bound to a local port. Or a file or a registry key opened with access and sharing attributes that prevent multiple concurrent handles. And those are only a few of the possible kinds that just rely on a single 'thing' - mechanisms that rely on multiple different 'gates' are possible as well. Serious malware writers will gravitate to the most obscure and convoluted protocols for mutual exclusion, as they are the hardest to observe or understand. There is no effective way to surveil for all of them - even if you had effective heuristics to differentiate between the legitimate patterns and the malware patterns - because there are enough different 'degrees of freedom' that the malware author can just invent a new one that you don't check for. So this is not an effective method to check for the kind of malware that you actually care about detecting.

    The performance cost of allowing customization (notify routines) during object creation would not be inconsequential. These functions have a very direct impact on overall application performance and might happen hundreds of thousands of times per second. And on any compromised system any of these notify routines could be circumvented anyway, so they would provide no effective protection. The conclusion is that since this feature would be highly deleterious to performance as well as highly ineffective at detecting an 'infection', it is sound engineering judgement to omit them from the design of Windows.
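    As an added illustration of the point above (this is not code from the thread or from any poster), a PowerShell function that probes whether a named mutex, event or semaphore with a given name exists in the Global or Local namespace of the current session; the names fed to it are constructed placeholders, and the function deliberately shows that only the named-object gates are visible this way.

```powershell
# Added example, not from the thread. Probes the "known marker name" form of
# the mutex check discussed above. It covers only named synchronization objects;
# a gate built on a bound socket, an exclusively opened file, or a registry key
# is invisible to it, which is exactly the limitation the post describes.
function Test-NamedObject {
    [CmdletBinding()]
    param(
        # Object name without the Global\ or Local\ prefix
        [Parameter(Mandatory)] [string] $Name
    )

    # Returns $true if the object exists (even when our token cannot open it:
    # UnauthorizedAccessException means it is there but ACL-protected),
    # $false if there is no object of that kind under that name.
    function Probe([string] $Kind, [string] $FullName) {
        try {
            $h = switch ($Kind) {
                'Mutex'     { [System.Threading.Mutex]::OpenExisting($FullName) }
                'Event'     { [System.Threading.EventWaitHandle]::OpenExisting($FullName) }
                'Semaphore' { [System.Threading.Semaphore]::OpenExisting($FullName) }
            }
            $h.Dispose()
            return $true
        }
        catch [System.Threading.WaitHandleCannotBeOpenedException] { return $false }
        catch [System.UnauthorizedAccessException]                 { return $true }
        catch [System.ArgumentException]                           { return $false }
    }

    foreach ($ns in 'Global\', 'Local\') {
        $full = "$ns$Name"
        [pscustomobject]@{
            Name      = $full
            Mutex     = Probe 'Mutex'     $full
            Event     = Probe 'Event'     $full
            Semaphore = Probe 'Semaphore' $full
        }
    }
}

# Usage with a constructed placeholder name (not a real indicator):
'ExampleApp_SingleInstance' | Test-NamedObject | Format-Table -AutoSize
```

    A hit only tells you that some process holds an object of that name; it says nothing about which process, and a program that guards itself with any of the other gates listed above produces no hit at all.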

  • Prokash_SinhaProkash_Sinha Member - All Emails Posts: 218

    @Michal_Vodicka said:
    I wouldn't be surprised if they read this list and some can be even members. What makes a difference between black and white hats? Morale, not competence.

    Good point, there are already members tuned into it. They will find a solution one way or the other :-) This site, along with a lot of sites, is good in that area, not telling the solutions (even if they are known to some people)...

    The difference between a black and white hat is --- white hatters try to prove a theorem, black hatters need to find a counterexample. When you write code that has a buffer overflow and stack hijacking, there is one prize for the black hatters, while white hatters try to capture those even after release... White hatters work for money. Black hatters steal, that's all.

    -Pro

  • Prokash_SinhaProkash_Sinha Member - All Emails Posts: 218

    The performance cost of allowing customization (notify routines) during object creation would not be inconsequential. These functions have a very direct impact on overall application performance and might happen hundreds of thousands of times per second. And any compromised system could have any of these notify routines circumvented anyways, so they would provide no effective protection anyways. The conclusion is that since this feature would be highly deleterious to performance as well as highly ineffective at detecting an 'infection', it is sound engineering judgement to omit them from the design of Windows

    This has been solved many times before. Advanced Persistent Threats mostly work this way.

    For the worst side ---
    There are a lot of state actors as well.
    Some sell their infrastructure to other criminal gangs.
    And of course, huge monetary losses for companies.
    There are companies who can do Boeing-compatible design in two months ...
    Child ?orn to drug, etc. etc...

    For the good side ---
    Some are being caught and/or under surveillance due to antidotes.

    Apps and or companies under watch.

    Anyways, peace !
    -Pro

  • anton_bassovanton_bassov Member MODERATED Posts: 5,253

    I wouldn't be surprised if they read this list and some can be even members.

    Well, sometimes they may even post their questions here. For example, what would you say about something along the following lines
    (please pay special attention to the combination of grammar with the assumed name of the imaginary poster):

    I was assigned to the task of capturing passwords by my company. I'm having a understanding that I must hook SSDT, but it is not work. Please resolve my doubt in the same.

    James Smith

    Anton Bassov

  • Michal_VodickaMichal_Vodicka Member - All Emails Posts: 106

    Looks like a naive wannabe hacker to me :) A different kind than someone trying to use named mutexes to avoid collisions in his malware. I presume they'd ask in a completely different way so you can't detect them.

  • anton_bassovanton_bassov Member MODERATED Posts: 5,253

    Looks like a naive wannabe hacker to me

    .....with the grammar epitomising "English" that happens to be just a sort of a "fingerprint" of the certain part of the world, which, in turn, somehow implies that the whole "business" of malware design relies upon the outsourcing as much as its "legitimate" counterpart does.

    In other words, the "evil genius" image of a hacker becomes more and more of a myth these days, with the exploits getting chiefly designed by the security researchers who don't intend to make any actual use of them, and design them just as a "proof of concept" thing....

    Therefore, if our "James Smith" tries to use any of their NGs as a source of info, there is a good chance that he will get booed (and eventually gets the boot) down there as well.

    Anton Bassov

  • Pavel_APavel_A Member Posts: 2,781
    edited June 12

    Well, well. Hats, evil geniuses... Anyone here seen this? https://github.com/everdox/InfinityHook
    (besides Mr. Berkan, of course)

  • Peter_Viscarola_(OSR)Peter_Viscarola_(OSR) Administrator Posts: 8,486

    Quite clever. I’m impressed.

    Peter

    Peter Viscarola
    OSR
    @OSRDrivers

  • Michal_VodickaMichal_Vodicka Member - All Emails Posts: 106

    Anyone here seen this?

    Nice. Really creative way of using ETW :)

    .....with the grammar epitomising "English" that happens to be just a sort of a "fingerprint" of the certain part of the world

    Do you mean Russia? ;-)

    which, in turn, somehow implies that the whole "business" of malware design relies upon the outsourcing as much as its "legitimate" counterpart does.

    I don't think one random post implies anything general.

    In other words, the "evil genius" image of a hacker becomes more and more of a myth these days, with the exploits getting chiefly designed by the security researchers who don't intend to make any actual use of them, and design them just as a "proof of concept" thing....

    Do not underestimate enemies. I'd expect a standard Gaussian curve with script kiddies and this one on the left side, and who knows who is on the right side?

  • anton_bassovanton_bassov Member MODERATED Posts: 5,253

    Do you mean Russia? ;-)

    Nope.....

    Sure they've got their own "fingerprints" down there, but these are totally different ones. For example, if you come across something along the lines of "I wanted to ask" in the sense of "I would like to ask"; pearls like "feeling myself good"; missing articles or use of "very" all over the place (i.e. "very cold" instead of "freezing", "very funny" instead of "hilarious", etc.), then you may, indeed, have a good reason to suspect someone from that part of the world. However, if you come across "I'm having a doubt" in the sense of "I've got a question"; "same" in the sense of "it"; "guide on/in XYZ" (typically combined with the previously mentioned "fingerprint"), then you can be 100% sure that your "target" is located somewhere around 3K+ miles south-east of Moscow.

    Furthermore, I don't see any reason why someone from Russia would want to pose as "James Smith" in a technical NG - AFAIK, they prefer the politics-oriented sites and NGs for this purpose.

    [enter OT mode]

    BTW, while we are at it, I just wonder if I may have accidentally solved, by mere serendipity, "the unsolved mystery" of our "Windows fanboy's" sudden disappearance from NTDEV. Probably he just changed his "occupation", and now poses as some "Big Bad Max from New York" in some politics-oriented NGs, effectively sending the readers of the said NGs to the floor right on the spot? Taking into account his propensity to make political speeches on NTDEV in the few months preceding his mysterious "disappearance", this suggestion does not really seem as outlandish as it may be deemed at first glance. Taking into account his "productivity rate", which is comparable to that of a machine-gun, the readers of the target NGs must be having a truly enjoyable time indeed.....

    [leave OT mode]

    I don't think one random post implies anything general.

    As you may have guessed, "one random post" (and even a dozen of them) is insufficient for even considering a "Discovering the poster's origins and geographic location by means of analysing their English grammar" project, let alone actually implementing it (which holds true for both artificial neural networks and the "natural" ones). Therefore, we must be speaking about a "sufficiently large" dataset here, don't you think.....

    I'd expect standard Gaussian curve with script kiddies and this one on the left side and who knows who is on the right side?

    I think it simply does not make any sense to speak about this curve without mentioning percentiles. How many standard deviations away from the mean are those "in the know" located in this particular case?

    Anton Bassov

  • Michal_VodickaMichal_Vodicka Member - All Emails Posts: 106

    However, if you come across "I'm having a doubt" in the sense of "I've got a question"; "same" in the sense of "it"; "guide on/in XYZ" (typically combined with the previously mentioned "fingerprint"), then you can be 100% sure that your "target" is located somewhere around 3K+ miles south-east of Moscow

    Sure. I just couldn't resist, sorry ;-)

    I think it simply does not make any sense to speak about this curve without mentioning percentiles.

    Why not? It can be applied to almost anything so why not here?

    How many standard deviations away from the mean are those "in the know" located in this particular case?

    How can I know? We don't have sufficient data. I can only presume we see the dumb and incompetent side, and in turn I presume there is also an opposite side. The existence of successful malware indicates it.

  • anton_bassovanton_bassov Member MODERATED Posts: 5,253

    Why not? It can be applied to almost anything so why not here?

    Simply because speaking about the Gaussian curve in the context of statistical analysis without making any reference to percentiles and standard deviations is pretty much the same thing as speaking about the results of temperature measurements without making any reference to either kelvins or degrees.....

    I can only presume we see the dumb and incompetent side and in turn I presume there is also opposite side.

    The very first thing that gets into my head is that those of the former type may be simply making the actual use of the tools and "methodologies" developed by those of the latter one, despite their "fairly limited", so to say, understanding of the underlying principles that make these tools and "methodologies" tick. Whenever they encounter a problem, they post their questions to the technical NGs so that we can have a good laugh.

    The existence of successful malware indicates it.

    At the risk of invoking "The Hanging Judge's" wrath, I've got to point out that one does not really need any special technical talents in order to infect a computer that happens to be running Windows. The only thing you need is to trick a user into clicking on some file with a valid PE header and .exe extension, and Windows Explorer will take care of the rest .......

    Anton Bassov

  • Michal_VodickaMichal_Vodicka Member - All Emails Posts: 106

    ... pretty much the same thing as speaking about the results of temperature measurements without making any reference to either kelvins or degrees.....

    What about low, lower, average, high, higher... ;-)

    At the risk of invoking "The Hanging Judge's" wrath

    Oh, I noticed you're moderated. Maybe we should stop here before you say something unwanted ;-)

    The only thing you need is to trick a user into clicking on some file with a valid PE header and .exe extension, and the Windows Explorer will take care of the rest .......

    That's partially right, but even with it you need some skills. Look at encryption ransomware. It can infect the site as you said, but then it needs to spread all over the local network (it does), encrypt drives and pass keys to the attackers so they can sell software which reverts the damage they did. Not a small task for incompetent people IMO.

  • anton_bassovanton_bassov Member MODERATED Posts: 5,253

    What about low, lower, average, high, higher... ;-)

    Well, if something can be expressed and presented in some intuitive and easy-to-understand colloquial terms...... well, then it, apparently, simply defeats the very purpose of referring to more advanced ones like the bell curve, don't you think....

    Look at encryption ransomware. It can infect the site as you said, but then it needs to spread all over the local network (it does), encrypt drives and pass keys to the attackers so they can sell software which reverts the damage they did. Not a small task for incompetent people IMO.

    The "only" question here is how much of the above gets done by those who actually pull off the attack. There is a good chance that they may be just using the tools and libraries that actually implement all the above mentioned stuff, without really understanding how these tools and libraries work and what they actually do....

    Anton Bassov

  • Michal_VodickaMichal_Vodicka Member - All Emails Posts: 106

    well, then it, apparently, simply defeats the very purpose of referring to more advanced ones like the bell curve, don't you think....

    No. The bell curve shows there is a similar number of very competent and very incompetent people. Here we mainly see the latter and not the former (or maybe we don't notice them). That was my original point. Plus there are many more average people, so judging from these dumb cases doesn't show even the basic picture.

    There is a good chance that they may be just using the tools and libraries that actually implement all the above mentioned stuff, without really understanding how these tools and libraries work and what they actually do....

    Well, it is possible, but still they'd need to put it all together to make it work and reasonably reliable. Non-trivial money depends on it.

  • MBond2MBond2 Member Posts: 330

    Using a bell curve here seems to be inappropriate. Understanding all of the limitations of IQ scores, let's start there. Any kind of computer programming has a certain threshold below which one simply can't do it. A certain amount of abstract thought is required to understand the concepts of constants and variables along with flow of control. Incrementally harder is structured programming and systems programming - including the special topic of this forum - Windows KM programming. It seems clear then that, assuming that the IQ points (however you like to count them) are normally distributed over the general population, the elect who participate here are all from the right-hand side of that curve. That implies that the population of those who are eligible to participate on these topics is larger at the lower end of the spectrum, and assuming some very tenuous connection that those who can and those who do participate do so in about the same proportions, we see a curve with many at the bottom and few at the top. And none of us can ever really know where we are on it ;)

    What that also means is that there are relatively more questions that lead to humour and nonsense, some that have appropriate technical issues, and relatively few that contain deep technical insight and difficult problems from which we can all learn.
