
Can a driver change a window title?

gdias92 Member Posts: 2
edited November 19 in NTDEV

Hello all,

I know how to do that in user mode, now I want to do it in kernel mode.

My idea is to append the PID in a few process windows.

Is it possible to do that at kernel level?

Thanks all :)

Comments

  • Doron_Holan Member - All Emails Posts: 10,669
    Nope
    d
  • gdias92 Member Posts: 2

    @Doron_Holan said:
    Nope

    Just wanted to double check. Thanks buddy!

  • MBond2 Member Posts: 392

    That short answer is of course the correct way of thinking - this is something that you should never even think of attempting to do.

    but if you are asking if it is something that can be done from KM, then the answer is yes. By clobbering memory that you don't own, breaking all of the security rules and destabilizing the system, it is theoretically possible to modify a window title.

  • Marcel_Ruedinger Member Posts: 173

    Remarkable and surprising statement! Even more so when coming from a person who doesn't hesitate to erroneously classify completely legitimate (though very limited) approaches as malware in other discussion threads here.

    Wrong and misleading in any way...

    1. Software developers (even more so kernel developers) know exactly that disastrous side effects can never be ruled out when "...clobbering memory that you don't own".

    2. "Breaking all security rules" is not always possible. E.g. do you happen to know how to reliably disable "Kernel Patch Protection" (aka PatchGuard)?

    1.+2. What immediately crosses my mind in this case are e.g. the PatchGuard protected GDI kernel mode entry points.

    Marcel Rüdinger
    datronicsoft

  • Phil_Barila Member - All Emails Posts: 155

    @Marcel_Ruedinger said:
    Remarkable and surprising statement! Even more so when coming from a person who doesn't hesitate to erroneously classify completely legitimate (though very limited) approaches as malware in other discussion threads here.

    I guess the PTP (Psychic Transfer Protocol) of the tags was interrupted on the way to you?

  • Marcel_Ruedinger Member Posts: 173

    Doesn't appear to me that you grasped what I was talking about. Otherwise your comment would probably look less silly.

    PS: "Psychic Transfer Protocol", tsk, tsk, tsk...
    At least you seem to have creative ideas...

    Marcel Rüdinger
    datronicsoft

  • MBond2 Member Posts: 392

    Well, let's take this point by point.

    1) Software developers (even more so kernel developers) know exactly that disastrous side effects can never be ruled out when "...clobbering memory that you don't own".

    Do they? You are sure about that point, right? Because I have reviewed lots of code where the authors seem blissfully unaware of any consequence of poking random addresses.

    2) "Breaking all security rules" is not always possible. E.g. do you happen to know how to reliably disable "Kernel Patch Protection" (aka PatchGuard)?

    I'm sure that I don't know any reliable way to do it. But I am equally sure that I know some horribly unreliable ways to do it. And that's kind of the point - if I don't care about crashing the system, I can do a lot of stuff from ring 0 that appears to mostly work.

    But the PatchGuard protected entry points weren't on my mind. I was not thinking of changing the GDI code, but thinking of clobbering the actual buffers themselves - under the assumption that usually string buffers contain extra unused bytes beyond the usual NULL terminators. This will cause crashes when that assumption is not true, but will appear to work in many cases. And it is a simple enough matter to trigger an invalidate event that will cause those protected routines to re-read data from the corrupted memory without altering them at all. I think it would be a bad idea to go into any more detail about how this might be achieved.

    PS the Psychic Transfer Protocol is one of my favorites.

  • Marcel_Ruedinger Member Posts: 173
    edited November 26
    1. 100% agree. Thus my original statement should possibly be revised to either "Software developers SHOULD..." or "COMPETENT software developers...". Let's stick with the first one. The second option would probably trigger distracting comments again...

    2. 100% agree that it would be a bad idea to go into any more detail. How about also agree that the whole idea is not really feasible? Even if you successfully manage to clobber the actual buffers themselves (which you can't in all cases), without hooking you couldn't re-apply your change when the actual buffers are updated (e.g. using SetWindowText function).

    However, the point I actually tried to make was a different one: I was just wondering about your inconsistency with respect to pointing out malware. In our previous encounter you were insisting on pointing out malware in an approach discussed by other people. Here you yourself point out approaches that are definitely malware and not even working. Since I cannot detect any lack of competence on your side, I am wondering about your intention. This amused me a bit: Is it about contradicting the posts above? You did this here as well as in our previous encounter. Coincidence?

    Marcel Rüdinger
    datronicsoft

  • MBond2 Member Posts: 392

    I'm not sure that I have any policy about my posts. I read this forum for enjoyment and try to contribute when I can. If I have amused you, then that works too.

  • Peter_Viscarola_(OSR) Administrator Posts: 8,793

    You both should have let the thread stand with Doron’s “Nope.”

    Thread locked.

    Peter

    Peter Viscarola
    OSR
    @OSRDrivers

This discussion has been closed.
