Write Current Process Memory From Kernel

> Not hard, since every process’s address space is accessible from the kernel.

Well, what API should I use? Haven’t found anything relevant and documented.
I want to either change the permissions of an existing page (where the entry point resides) to RWX and write an infinite loop in the beginning, or create a new page which can be accessed from usermode, and change the entry point to that page.

> Do you think it’s not going to be noticeable that every process goes into a tight CPU loop for a period before it starts?

I don’t mind if it’s noticed or not, just so that my whole process won’t take too long.
What I do is pass the PID of the newly created process, put the process’ thread in an infinite loop and then attach with a debugger to that process, and continue its execution in another place.

Sounds a bit like a procedure that could aid one in circumventing
anti-piracy protection? Seriously though, what legitimate need do you have
for what you’re asking?

On Tue, Dec 26, 2017 at 4:42 AM, xxxxx@gmail.com <xxxxx@lists.osr.com> wrote:

NTDEV is sponsored by OSR

Visit the list online at: http://www.osronline.com/showlists.cfm?list=ntdev

MONTHLY seminars on crash dump analysis, WDF, Windows internals and
software drivers!
Details at http:

To unsubscribe, visit the List Server section of OSR Online at
http://www.osronline.com/page.cfm?name=ListServer


Wade Dawson
DT Multimedia

> Sounds a bit like a procedure that could aid one in circumventing anti-piracy protection? Seriously though, what legitimate need do you have for what you’re asking?

Well, not exactly.
I’m doing a project in the university (final, hopefully) which is basically a malware protection system (sort of).
In my driver (which is 64 bit) I want to catch any 32 bit process that is created, pass it to my usermode Manager, and if the process is not whitelisted - it is opened under the inspection of another process that attaches to it. Otherwise, my Manager resumes the execution.
Very legit, very headache-giving and very urgent (first delivery is on this Thursday :) ).

Another thread I opened here “Create Suspended Process” (from kernel) - http://www.osronline.com/showthread.cfm?link=286958

I didn’t get the answer there. So I thought maybe if I get the entry point of my process from the first thread, I could write an infinite loop in the beginning and this way I would be able to attach to the untrusted process before it executes other code. (Also, I want to “suspend” only 32-bit processes which means I need to check the Optional Header in PE).

The process is effectively suspended while in your process notify handler.
I don’t quite see what you are going to gain by whacking its code, although
that is do-able, see Detours and related libraries. Why not attach your
debugger/inspector to the process while you have it suspended in the
callback?

Mark Roddy

On Tue, Dec 26, 2017 at 10:34 AM, xxxxx@gmail.com <xxxxx@lists.osr.com> wrote:


xxxxx@gmail.com wrote:

> Not hard, since every process’s address space is accessible from the kernel.
Well, what API should I use? Haven’t found anything relevant and documented.

No, it’s not going to be documented.  VirtualProtect calls
NtProtectVirtualMemory/ZwProtectVirtualMemory, which you can also call,
if you can figure out how.


Tim Roberts, xxxxx@probo.com
Providenza & Boekelheide, Inc.

> The process is effectively suspended while in your process notify handler. I don’t quite see what you are going to gain by whacking its code, although that is do-able, see Detours and related libraries. Why not attach your debugger/inspector to the process while you have it suspended in the callback?

Thought about that, though I faced a few problems:

  1. Using KeDelayExecutionThread in order to sleep and stay within the callback and try to attach manually with a debugger didn’t work. The thread wasn’t suspended but in a “Wait:DelayedExecution” state. Trying to attach with windbg resulted in a failure and a message: “The debugging session could not be started: FAILURE HR=0x80070002: Failed to DebugConnect”. I’m guessing either I can’t attach to a process with one thread in a “Wait” state, or the callback for thread’s creation has been called while the process’ DebugPort has not been yet initialized. Either way, KeDelayExecutionThread - both UserMode and KernelMode modes - failed.

  2. When I used Process Explorer to check on the new process that had been created, procexp crashed when I tried to get the thread’s stack. Maybe the callback was called before the thread’s usermode stack had been initialized.

Another problem: (Relevant to writing to memory)
I tried using 3 callbacks:
PsSetCreateProcessNotifyRoutine - to get callback for process creation.
PsSetCreateThreadNotifyRoutineEx - to get callback for thread creation - in the new thread’s context.
PsSetLoadImageNotifyRoutine - to get callback for mapped memories.

The chronological order of callbacks is: CreateProcess -> Map (some, partial) Images -> Create first thread.

The relevant data from the process’ binary itself (blabla.exe) is not fully mapped at the thread’s callback point. What I have is only 1 page from the exe base (first page, contains headers etc.) and its permissions are READ_EXECUTE (maybe because of the DOS stub there to print that it cannot run in DOS mode…). Other sections and such - are not mapped at this point.
So anything related to changing the memory is not relevant now, because this page will become READONLY right after continuing execution and the other sections will be mapped later on - so nowhere to put my infinite loop to simulate a “Suspend” state.
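The 32-bit check mentioned earlier (reading the PE Optional Header) only needs the header page, which is exactly the one page this message says is resident at thread-create time. The following is an added example, not code from the thread or from the poster’s driver: it defines the WinNT constants and field offsets itself so it builds without Windows headers, and the header page it parses is constructed inline.

```c
/* Added example (not from the thread): classify a new image as PE32 (32-bit)
 * or PE32+ (64-bit) using only the header page, the one page that is resident
 * when the thread-create callback runs. Every read is bounds-checked against
 * resident_len so the parser never touches a page that is not paged in.
 * Offsets stand in for the IMAGE_* structs so this builds without Windows
 * headers; the constants are the standard WinNT values. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>

#define IMAGE_DOS_SIGNATURE            0x5A4D      /* "MZ" */
#define IMAGE_NT_SIGNATURE             0x00004550  /* "PE\0\0" */
#define IMAGE_FILE_MACHINE_I386        0x014c
#define IMAGE_FILE_MACHINE_AMD64       0x8664
#define IMAGE_NT_OPTIONAL_HDR32_MAGIC  0x10b
#define IMAGE_NT_OPTIONAL_HDR64_MAGIC  0x20b
#define HEADER_PAGE                    0x1000

typedef enum { PE_OK = 0, PE_NOT_MZ, PE_NOT_PE, PE_NEED_MORE_BYTES, PE_UNKNOWN_MAGIC } pe_status;

typedef struct {
    int      is_32bit;    /* 1 for PE32, 0 for PE32+ */
    uint16_t machine;     /* IMAGE_FILE_HEADER.Machine */
    uint32_t entry_rva;   /* OptionalHeader.AddressOfEntryPoint */
    uint64_t image_base;  /* OptionalHeader.ImageBase */
} pe_info;

/* Little-endian field accessors, so the code is not tied to host byte order. */
static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t rd32(const uint8_t *p) { return rd16(p) | ((uint32_t)rd16(p + 2) << 16); }
static uint64_t rd64(const uint8_t *p) { return rd32(p) | ((uint64_t)rd32(p + 4) << 32); }
static void wr16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); }
static void wr32(uint8_t *p, uint32_t v) { wr16(p, (uint16_t)v); wr16(p + 2, (uint16_t)(v >> 16)); }
static void wr64(uint8_t *p, uint64_t v) { wr32(p, (uint32_t)v); wr32(p + 4, (uint32_t)(v >> 32)); }

/* 1 if [off, off+n) lies entirely inside the resident bytes (overflow-safe). */
static int in_range(size_t off, size_t n, size_t resident_len) {
    return off <= resident_len && n <= resident_len - off;
}

pe_status parse_pe_headers(const uint8_t *img, size_t resident_len, pe_info *out)
{
    if (!in_range(0, 0x40, resident_len)) return PE_NEED_MORE_BYTES;  /* IMAGE_DOS_HEADER */
    if (rd16(img) != IMAGE_DOS_SIGNATURE) return PE_NOT_MZ;
    uint32_t e_lfanew = rd32(img + 0x3C);
    /* Signature (4) + IMAGE_FILE_HEADER (20) + OptionalHeader.Magic (2) must be resident. */
    if (!in_range(e_lfanew, 26, resident_len)) return PE_NEED_MORE_BYTES;
    if (rd32(img + e_lfanew) != IMAGE_NT_SIGNATURE) return PE_NOT_PE;

    const uint8_t *fh  = img + e_lfanew + 4;   /* IMAGE_FILE_HEADER */
    const uint8_t *opt = fh + 20;              /* IMAGE_OPTIONAL_HEADER */
    uint16_t magic = rd16(opt);
    if (magic != IMAGE_NT_OPTIONAL_HDR32_MAGIC && magic != IMAGE_NT_OPTIONAL_HDR64_MAGIC)
        return PE_UNKNOWN_MAGIC;
    /* Both formats keep AddressOfEntryPoint at +16; ImageBase is at +28 (4 bytes)
     * for PE32 and at +24 (8 bytes) for PE32+, so 32 bytes must be resident. */
    if (!in_range((size_t)(opt - img), 32, resident_len)) return PE_NEED_MORE_BYTES;

    memset(out, 0, sizeof *out);
    out->is_32bit   = (magic == IMAGE_NT_OPTIONAL_HDR32_MAGIC);
    out->machine    = rd16(fh);
    out->entry_rva  = rd32(opt + 16);
    out->image_base = out->is_32bit ? rd32(opt + 28) : rd64(opt + 24);
    return PE_OK;
}

/* Constructed sample header page (e_lfanew = 0x80), PE32 or PE32+ on request. */
void build_sample_header(uint8_t *page, int pe32plus)
{
    memset(page, 0, HEADER_PAGE);
    wr16(page, IMAGE_DOS_SIGNATURE);
    wr32(page + 0x3C, 0x80);
    wr32(page + 0x80, IMAGE_NT_SIGNATURE);
    wr16(page + 0x84, pe32plus ? IMAGE_FILE_MACHINE_AMD64 : IMAGE_FILE_MACHINE_I386);
    wr16(page + 0x98, pe32plus ? IMAGE_NT_OPTIONAL_HDR64_MAGIC : IMAGE_NT_OPTIONAL_HDR32_MAGIC);
    wr32(page + 0x98 + 16, 0x1000);                        /* AddressOfEntryPoint */
    if (pe32plus) wr64(page + 0x98 + 24, 0x140000000ULL);  /* ImageBase, PE32+ */
    else          wr32(page + 0x98 + 28, 0x400000);        /* ImageBase, PE32  */
}

/* Builds the sample and parses it as if only resident_len bytes were paged in. */
pe_status classify_sample(int pe32plus, size_t resident_len, pe_info *out)
{
    static uint8_t page[HEADER_PAGE];
    build_sample_header(page, pe32plus);
    return parse_pe_headers(page, resident_len, out);
}
```

classify_sample(0, 0x90, &info) returns PE_NEED_MORE_BYTES, which is the case a driver must handle instead of dereferencing past the resident page.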

I think the image is mapped completely; many pages are just not paged in yet. So you
can read the pages you are interested in and Mm will place them in memory.

Why do you think READ_EXECUTE is strange? It is how it should be. Debuggers
change page protection when they need to place a breakpoint.

On Wed, 27 Dec 2017 at 04:15, xxxxx@gmail.com wrote:


> I think the image is mapped completely; many pages are just not paged in yet. So you can read the pages you are interested in and Mm will place them in memory.

How to do that exactly? I think it’s my only option to “pseudo-suspend” the thread from the callback.
I see that the “*.exe” image has been loaded, the first 0x1000 bytes are mapped (running “!vad” and then the specific “!vad vadAddress 1” will output the image base. Running “dc imageBase” gives me the PE header, the first 0x1000 bytes. After them, memory is not mapped; I see question marks instead of bytes).

> Why do you think READ_EXECUTE is strange? It is how it should be. Debuggers change page protection when they need to place a breakpoint.

I didn’t put a breakpoint there, therefore I didn’t change the permissions. The READ_EXECUTE is on the first 0x1000 bytes from the image base (I don’t remember “MZ” being executable opcodes).

xxxxx@gmail.com wrote:

> I think the image is mapped completely; many pages are just not paged in yet. So you can read the pages you are interested in and Mm will place them in memory.
How to do that exactly?

    ULONG fetch = *ptr;

That will trigger a page fault.  As long as you are at a passive IRQL,
the memory manager will handle that page fault by reading the page from
disk.


Tim Roberts, xxxxx@probo.com
Providenza & Boekelheide, Inc.

What I meant is that without a debugger, read/execute is what you should
expect. The debugger adds write protection before setting a breakpoint.

I don’t see the problem. So the page with the magic number MZ has read/execute
protection. So what? MZ is not the only thing this page contains.

On Thu, 28 Dec 2017 at 02:36, xxxxx@probo.com wrote:

Or rather, a mapped executable page is copy-on-write.

On Thu, 28 Dec 2017 at 03:07, Sergey Pisarev wrote:


On Tue, Dec 26, 2017 at 8:59 AM, xxxxx@gmail.com wrote:
> Sounds a bit like a procedure that could aid one in circumventing
> anti-piracy protection? Seriously though, what legitimate need do you have
> for what you’re asking?
>

This train of thought is pointless. Get off your high horse. Computers
are used for breaking the law, so why don’t you chuck yours in a
dumpster?


xxxxx@gmail.com wrote:

On Tue, Dec 26, 2017 at 8:59 AM, xxxxx@gmail.com wrote:
>> Sounds a bit like a procedure that could aid one in circumventing
>> anti-piracy protection? Seriously though, what legitimate need do you have
>> for what you’re asking?
>>
> This train of thought is pointless. Get off your high horse. Computers
> are used for breaking the law, so why don’t you chuck yours in a
> dumpster?

Of course it’s not pointless. What you say may be true, but the members
of this mailing list do not intend to be accessories to the crime.


Tim Roberts, xxxxx@probo.com
Providenza & Boekelheide, Inc.

On Wed, Dec 27, 2017 at 7:26 PM, xxxxx@probo.com wrote:

If all you look for in the world is ugliness, then that is all you will find.

If they would be accessories without knowing about the crime, then
certainly you are an accessory to many crimes simply by virtue of
using your computer?

I apologize leon.berlin101 and list, as I really did not mean to
derail your thread. But I felt I should comment as this is part of the
mindset that keeps Windows development closed to “outsiders.” I
experienced much the same thing when I took up an interest in
locksmithing. My ability to be a thief does not hinge on my ability to
pick a lock; I could simply kick the door in. Likewise, anyone’s
answer here is not going to change whether or not the OP actually does
anything illegal.

I probably shouldn’t have said anything since he was helped. Sorry.


> ULONG fetch = *ptr; That will trigger a page fault. As long as you are at a passive IRQL, the memory manager will handle that page fault by reading the page from disk.

Well, Access violation.
Running !vad resulted in this line among the others:
ffff8c09a062c830 4 400 5bd 17 Mapped Exe EXECUTE_WRITECOPY \Program Files (x86)\HxD\HxD.exe

Base address is 0x400000.
Only the first page of the image is loaded to the memory, as follows:

kd>
0000000000400f80 00000000 00000000 00000000 00000000 ................
0000000000400f90 00000000 00000000 00000000 00000000 …
0000000000400fa0 00000000 00000000 00000000 00000000 ................
0000000000400fb0 00000000 00000000 00000000 00000000 …
0000000000400fc0 00000000 00000000 00000000 00000000 ................
0000000000400fd0 00000000 00000000 00000000 00000000 …
0000000000400fe0 00000000 00000000 00000000 00000000 ................
0000000000400ff0 00000000 00000000 00000000 00000000 …
kd>
0000000000401000 ???????? ???????? ???????? ???????? ????????????????
0000000000401010 ??? ??? ??? ??? ???
0000000000401020 ???????? ???????? ???????? ???????? ????????????????
0000000000401030 ??? ??? ??? ??? ???
0000000000401040 ???????? ???????? ???????? ???????? ????????????????
0000000000401050 ??? ??? ??? ??? ???
0000000000401060 ???????? ???????? ???????? ???????? ????????????????
0000000000401070 ??? ??? ??? ??? ???

The instruction in the driver:
USHORT twoBytes = *(PUSHORT)EntryPointRawOffset;
resulted in Access Violation.

Any idea on how can I map the rest of the pages from the ThreadNotifyRoutineEx callback? (I’m in the Called Thread’s context, using Extended API).

> No, it’s not going to be documented. VirtualProtect calls NtProtectVirtualMemory/ZwProtectVirtualMemory, which you can also call, if you can figure out how.

Also, I guess that getting “ZwProtectVirtualMemory” using MmGetSystemRoutineAddress will do the job, if only I could solve the previous problem.
Thanks :)

xxxxx@gmail.com wrote:

On Wed, Dec 27, 2017 at 7:26 PM, xxxxx@probo.com wrote:
>> Of course it’s not pointless. What you say may be true, but the members
>> of this mailing list do not intend to be accessories to the crime.
> If they would be accessories without knowing about the crime, then
> certainly you are an accessory to many crimes simply by virtue of
> using your computer?

No, that’s stupid, as you well know.

The major contributors to this list are all professional driver
developers and trainers with decades of computing experience. This is
our living, our passion, our reputation. We have all wasted countless
hours dealing with infections and rootkits, and it pisses us off. Most
of us have a pretty good understanding of how these things are
implemented. Because of that, we have learned to recognize lines of
questioning that arise from nefarious intent.

Are there places on the internet where you can learn the criminal
skills? Sure there are, but most of them are deeply technical and
difficult to understand. If you come here asking for help in honing
those skills, we’re going to refuse. If you went to a locksmith and
said “I need help breaking into the vault at US Bank”, that locksmith is
going to refuse to help you. If you went to Home Depot and said “I need
help disabling the electrical grid near me”, the crew is going to refuse
to help you. This is exactly the same.

> But I felt I should comment as this is part of the
> mindset that keeps Windows development closed to “outsiders.”

Nonsense, and I have two opposing responses to that.

Windows development is not closed to outsiders. There are billions of
Windows computers in the world, all of them running applications of all
kinds and all levels of sophistication. The Windows development
landscape is wide, varied, and well-documented.

Now, the situation is a bit different when you talk about Windows
internal development, and that’s true for a damned good reason. Windows
is not a playground. It used to be, decades ago. I disassembled and
single stepped through Windows 3.1 extensively enough that I actually
understood what it was doing, and that meant I could tweak it to make it
stand up and bark. But today, Windows is an industrial-strength
operating system. It is mission-critical in the business world. We
don’t want experimenters and hobbyists poking around in the ugly
underside, destabilizing the infrastructure. That time has passed. If
you want to do that, go load Linux.

So, yes, the barriers to entry have been raised, at least at the kernel
level. And that’s a Good Thing.

> I experienced much the same thing when I took up an interest in
> locksmithing. My ability to be a thief does not hinge on my ability to
> pick a lock; I could simply kick the door in.

True, but that’s a lot easier to detect, and a lot more dangerous for
you. The locksmith didn’t want to make it easy for you. Same here.

> Likewise, anyone’s answer here is not going to change whether or not
> the OP actually does anything illegal.

Maybe not, but it can keep the honest man honest. If we don’t help
them, the hobbyist script kiddie is going to get frustrated and go find
something else to do.


Tim Roberts, xxxxx@probo.com
Providenza & Boekelheide, Inc.

There is (almost) no security product of any kind you cannot write now with
the provided MSFT infrastructure for filtering and the respective
documentation.
There is a reason that what you are trying to do is dangerous, and instead of
resisting you would be better off understanding why. Going through this
process of learning why will not only suppress some of the ignorance, but
will give you actual good ideas of how to implement the next best security
product in Windows.

Good luck,
Gabriel
www.kasardia.com

On Thu, Dec 28, 2017 at 7:19 PM, xxxxx@probo.com wrote:



Bercea. G.

Oh yeah? I bet my high horse could beat up your low horse any day!

Sent from my iPhone

On Dec 27, 2017, at 20:26, xxxxx@probo.com wrote:

For an NtWriteVirtualMemory alternate, you can use KeStackAttachProcess to attach to a process and then use memcpy, or you can use MmCopyVirtualMemory. Remember to detach with KeUnstackDetachProcess if you use the former method.

For an NtProtectVirtualMemory solution, simply find the address with the System Service Descriptor Table. Note it won’t be 100% “stable” for 64-bit environments but it can easily be found on 64-bit environments (where the kernel does not export it) for Windows 7 - Windows 10 without a code-base change. Simply find the address of KiSystemCall64, then find KiSystemServiceRepeat, and then extract the address (it is referenced by KiSystemServiceRepeat). IA32_LSTAR points to KiSystemCall64 so it is a simple task.

May I ask, why not just have a Windows Service call NtProtectVirtualMemory for you? You can even pass down the HANDLE from kernel-mode as long as it isn’t a kernel-mode only handle. This would be a lot more stable and reliable.

I’ve been using NtWriteVirtualMemory and NtProtectVirtualMemory for educational purposes in kernel-mode through testing for many years now and it has always been just as reliable as in user-mode for me, but that doesn’t mean it is a “good” thing to do.

It isn’t my job to care if you are taking a bad approach or not. You’re a programmer, and you are in charge of your own project. You asked a question and I answered it; whether you should re-assess your options is down to you - I personally think you should. However, let me make one thing very clear… If you start messing with the System Service Descriptor Table (especially for 64-bit systems) and go down a path of unstable, undocumented and officially unsupported mechanisms, you’re going to land yourself in a heap of trouble when the time comes, and it could be anything from losing customers over bug-checking their systems after a Windows patch update, to not understanding how to update something efficiently or properly.