As you all probably know, some attackers clear the WP bit in cr0 in order to patch OS kernel code at runtime.
My question is, can we somehow monitor this change and stop it? Or at least just get notified when such a change happens?
I assume the OS itself doesn't suddenly clear this bit, and changing this bit is most likely only done by malicious actors, right?
The reason I need this is that I have been given a sandbox development project where I need to write a driver that monitors a specific driver and records any malicious activity, and this includes clearing the WP bit.
So if the solution to this is hacky, that's fine by me, considering that this is just for a sandbox.
And obviously one simple solution is to read cr0 in a loop, but this is not efficient and can be bypassed as well. Note that I mostly want to record the change to this register, but if there is also a way to block this change, I am interested to know.