Write Current Process Memory From Kernel

xxxxx@gmail.com wrote:

On Tue, Dec 26, 2017 at 8:59 AM, xxxxx@gmail.com
wrote:
>> Sounds a bit like a procedure that could aid one in circumventing
>> anti-piracy protection? Seriously though, what legitimate need do you have
>> for what you’re asking?
>>
> This train of thought is pointless. Get off your high horse. Computers
> are used for breaking the law, so why don’t you chuck yours in a
> dumpster?

Of course it’s not pointless. What you say may be true, but the members
of this mailing list do not intend to be accessories to the crime.


Tim Roberts, xxxxx@probo.com
Providenza & Boekelheide, Inc.

On Wed, Dec 27, 2017 at 7:26 PM, xxxxx@probo.com wrote:
> xxxxx@gmail.com wrote:
>> On Tue, Dec 26, 2017 at 8:59 AM, xxxxx@gmail.com
>> wrote:
>>> Sounds a bit like a procedure that could aid one in circumventing
>>> anti-piracy protection? Seriously though, what legitimate need do you have
>>> for what you’re asking?
>>>
>> This train of thought is pointless. Get off your high horse. Computers
>> are used for breaking the law, so why don’t you chuck yours in a
>> dumpster?
>
> Of course it’s not pointless. What you say may be true, but the members
> of this mailing list do not intend to be accessories to the crime.
>

If all you look for in the world is ugliness, then that is all you will find.

If they would be accessories without knowing about the crime, then
certainly you are an accessory to many crimes simply by virtue of
using your computer?

I apologize leon.berlin101 and list, as I really did not mean to
derail your thread. But I felt I should comment as this is part of the
mindset that keeps Windows development closed to “outsiders.” I
experienced much the same thing when I took up an interest in
locksmithing. My ability to be a thief does not hinge on my ability to
pick a lock; I could simply kick the door in. Likewise, anyone’s
answer here is not going to change whether or not the OP actually does
anything illegal.

I probably shouldn’t have said anything since he was helped. Sorry.

> –
> Tim Roberts, xxxxx@probo.com
> Providenza & Boekelheide, Inc.
>
>
> —
> NTDEV is sponsored by OSR
>
> Visit the list online at: http:
>
> MONTHLY seminars on crash dump analysis, WDF, Windows internals and software drivers!
> Details at http:
>
> To unsubscribe, visit the List Server section of OSR Online at http:</http:></http:></http:>

> ULONG fetch = *ptr; That will trigger a page fault.? As long as you are at a passive IRQL, the memory manager will handle that page fault by reading the page from disk.

Well, Access violation.
Running !vad resulted in this line among the others:
ffff8c09a062c830 4 400 5bd 17 Mapped Exe EXECUTE_WRITECOPY \Program Files (x86)\HxD\HxD.exe

Base address is 0x400000.
Only the first page of the image is loaded to the memory, as follows:

kd>
0000000000400f80 00000000 00000000 00000000 00000000 ................ 0000000000400f90 00000000 00000000 00000000 00000000 …
0000000000400fa0 00000000 00000000 00000000 00000000 ................ 0000000000400fb0 00000000 00000000 00000000 00000000 …
0000000000400fc0 00000000 00000000 00000000 00000000 ................ 0000000000400fd0 00000000 00000000 00000000 00000000 …
0000000000400fe0 00000000 00000000 00000000 00000000 ................ 0000000000400ff0 00000000 00000000 00000000 00000000 …
kd>
0000000000401000 ???????? ???????? ???????? ???????? ???????????????? 0000000000401010 ??? ??? ??? ??? ???
0000000000401020 ???????? ???????? ???????? ???????? ???????????????? 0000000000401030 ??? ??? ??? ??? ???
0000000000401040 ???????? ???????? ???????? ???????? ???????????????? 0000000000401050 ??? ??? ??? ??? ???
0000000000401060 ???????? ???????? ???????? ???????? ???????????????? 0000000000401070 ??? ??? ??? ??? ???

The instruction in the driver:
USHORT twoBytes = *(PUSHORT)EntryPointRawOffset;
resulted in Access Violation.

Any idea on how can I map the rest of the pages from the ThreadNotifyRoutineEx callback? (I’m in the Called Thread’s context, using Extended API).

No, it’s not going to be documented.? VirtualProtect calls NtProtectVirtualMemory/ZwProtectVirtualMemory, which you can also call, if you can figure out how.

Also, I guess that getting “ZwProtectVirtualMemory” using MmGetSystemRoutineAddress will do the job, if just I would be able to solve the previous problem.
Thanks :slight_smile:

xxxxx@gmail.com wrote:

On Wed, Dec 27, 2017 at 7:26 PM, xxxxx@probo.com wrote:
>> Of course it’s not pointless. What you say may be true, but the members
>> of this mailing list do not intend to be accessories to the crime.
> If they would be accessories without knowing about the crime, then
> certainly you are an accessory to many crimes simply by virtue of
> using your computer?

No, that’s stupid, as you well know.

The major contributors to this list are all professional driver
developers and trainers with decades of computing experience. This is
our living, our passion, our reputation. We have all wasted countless
hours dealing with infections and rootkits, and it pisses us off. Most
of us have a pretty good understanding of how these things are
implemented. Because of that, we have learned to recognize lines of
questioning that arise from nefarious intent.

Are there places on the internet where you can learn the criminal
skills? Sure there are, but most of them are deeply technical and
difficult to understand. If you come here asking for help in honing
those skills, we’re going to refuse. If you went to a locksmith and
said “I need help breaking into the vault at US Bank”, that locksmith is
going to refuse to help you. If you went to Home Depot and said “I need
help disabling the electrical grid near me”, the crew is going to refuse
to help you. This is exactly the same.

> But I felt I should comment as this is part of the
> mindset that keeps Windows development closed to “outsiders.”

Nonsense, and I have two opposing responses to that.

Windows development is not closed to outsiders. There are billions of
Windows computers in the world, all of them running applications of all
kinds and all levels of sophistication. The Windows development
landscape is wide, varied, and well-documented.

Now, the situation is a bit different when you talk about Windows
internal development, and that’s true for a damned good reason. Windows
is not a playground. It used to be, decades ago. I disassembled and
single stepped through Windows 3.1 extensively enough that I actually
understood what it was doing, and that meant I could tweak it to make it
stand up and bark. But today, Windows is an industrial-strength
operating system. It is mission-critical in the business world. We
don’t want experimenters and hobbyists poking around in the ugly
underside, destabilizing the infrastructure. That time has passed. If
you want to do that, go load Linux.

So, yes, the barriers to entry have been raised, at least at the kernel
level. And that’s a Good Thing.

> I experienced much the same thing when I took up an interest in
> locksmithing. My ability to be a thief does not hinge on my ability to
> pick a lock; I could simply kick the door in.

True, but that’s a lot easier to detect, and a lot more dangerous for
you. The locksmith didn’t want to make it easy for you. Same here.

> Likewise, anyone’s answer here is not going to change whether or not
> the OP actually does anything illegal.

Maybe not, but it can keep the honest man honest. If we don’t help
them, the hobbyist script kiddie is going to get frustrated and go find
something else to do.


Tim Roberts, xxxxx@probo.com
Providenza & Boekelheide, Inc.

There is (almost) no security product of any kind you cannot write now with
the provided MSFT infrastructure for filtering and the respective
documentation.
There is a reason what you are trying to do is dangerous and instead of
resisting you would be better off understanding why. Going through this
process of learning why, will not only
suppress some of the ignorance, but will give you actual good ideas of how
to implement the next best security product in Windows.

Good luck,
Gabriel
www.kasardia.com

On Thu, Dec 28, 2017 at 7:19 PM, xxxxx@probo.com wrote:

> xxxxx@gmail.com wrote:
> > On Wed, Dec 27, 2017 at 7:26 PM, xxxxx@probo.com
> wrote:
> >> Of course it’s not pointless. What you say may be true, but the members
> >> of this mailing list do not intend to be accessories to the crime.
> > If they would be accessories without knowing about the crime, then
> > certainly you are an accessory to many crimes simply by virtue of
> > using your computer?
>
> No, that’s stupid, as you well know.
>
> The major contributors to this list are all professional driver
> developers and trainers with decades of computing experience. This is
> our living, our passion, our reputation. We have all wasted countless
> hours dealing with infections and rootkits, and it pisses us off. Most
> of us have a pretty good understanding of how these things are
> implemented. Because of that, we have learned to recognize lines of
> questioning that arise from nefarious intent.
>
> Are there places on the internet where you can learn the criminal
> skills? Sure there are, but most of them are deeply technical and
> difficult to understand. If you come here asking for help in honing
> those skills, we’re going to refuse. If you went to a locksmith and
> said “I need help breaking into the vault at US Bank”, that locksmith is
> going to refuse to help you. If you went to Home Depot and said “I need
> help disabling the electrical grid near me”, the crew is going to refuse
> to help you. This is exactly the same.
>
>
> > But I felt I should comment as this is part of the
> > mindset that keeps Windows development closed to “outsiders.”
>
> Nonsense, and I have two opposing responses to that.
>
> Windows development is not closed to outsiders. There are billions of
> Windows computers in the world, all of them running applications of all
> kinds and all levels of sophistication. The Windows development
> landscape is wide, varied, and well-documented.
>
> Now, the situation is a bit different when you talk about Windows
> internal development, and that’s true for a damned good reason. Windows
> is not a playground. It used to be, decades ago. I disassembled and
> single stepped through Windows 3.1 extensively enough that I actually
> understood what it was doing, and that meant I could tweak it to make it
> stand up and bark. But today, Windows is an industrial-strength
> operating system. It is mission-critical in the business world. We
> don’t want experimenters and hobbyists poking around in the ugly
> underside, destabilizing the infrastructure. That time has passed. If
> you want to do that, go load Linux.
>
> So, yes, the barriers to entry have been raised, at least at the kernel
> level. And that’s a Good Thing.
>
>
> > I experienced much the same thing when I took up an interest in
> > locksmithing. My ability to be a thief does not hinge on my ability to
> > pick a lock; I could simply kick the door in.
>
> True, but that’s a lot easier to detect, and a lot more dangerous for
> you. The locksmith didn’t want to make it easy for you. Same here.
>
>
> > Likewise, anyone’s answer here is not going to change whether or not
> > the OP actually does anything illegal.
>
> Maybe not, but it can keep the honest man honest. If we don’t help
> them, the hobbyist script kiddie is going to get frustrated and go find
> something else to do.
>
> –
> Tim Roberts, xxxxx@probo.com
> Providenza & Boekelheide, Inc.
>
>
> —
> NTDEV is sponsored by OSR
>
> Visit the list online at: http:> showlists.cfm?list=ntdev>
>
> MONTHLY seminars on crash dump analysis, WDF, Windows internals and
> software drivers!
> Details at http:
>
> To unsubscribe, visit the List Server section of OSR Online at <
> http://www.osronline.com/page.cfm?name=ListServer&gt;
>


Bercea. G.</http:></http:>

Oh yeah? I bet my high horse could beat up your low horse any day!

Sent from my iPhone

On Dec 27, 2017, at 20:26, xxxxx@probo.com wrote:
>
> xxxxx@gmail.com wrote:
>> On Tue, Dec 26, 2017 at 8:59 AM, xxxxx@gmail.com
>> wrote:
>>> Sounds a bit like a procedure that could aid one in circumventing
>>> anti-piracy protection? Seriously though, what legitimate need do you have
>>> for what you’re asking?
>>>
>> This train of thought is pointless. Get off your high horse. Computers
>> are used for breaking the law, so why don’t you chuck yours in a
>> dumpster?
>
> Of course it’s not pointless. What you say may be true, but the members
> of this mailing list do not intend to be accessories to the crime.
>
> –
> Tim Roberts, xxxxx@probo.com
> Providenza & Boekelheide, Inc.
>
>
> —
> NTDEV is sponsored by OSR
>
> Visit the list online at: http:
>
> MONTHLY seminars on crash dump analysis, WDF, Windows internals and software drivers!
> Details at http:
>
> To unsubscribe, visit the List Server section of OSR Online at http:</http:></http:></http:>

For an NtWriteVirtualMemory alternate, you can use KeStackAttachProcess to attach to a process and then use memcpy, or you can use MmCopyVirtualMemory. Remember to detach with KeUnstackDetachProcess if you use the former method.

For an NtProtectVirtualMemory solution, simply find the address with the System Service Descriptor Table. Note it won’t be 100% “stable” for 64-bit environments but it can easily be found on 64-bit environments (where the kernel does not export it) for Windows 7 - Windows 10 without a code-base change. Simply find the address of KiSystemCall64, then find KiSystemServiceRepeat, and then extract the address (it is referenced by KiSystemServiceRepeat). IA32_LSTAR points to KiSystemCall64 so it is a simple task.

May I ask, why not just have a Windows Service call NtProtectVirtualMemory for you? You can even pass down the HANDLE from kernel-mode as long as it isn’t a kernel-mode only handle. This would be a lot more stable and reliable.

I’ve been using NtWriteVirtualMemory and NtProtectVirtualMemory for educational purposes in kernel-mode through testing for many years now and it has always been just as reliable as in user-mode for me, but that doesn’t mean it is a “good” thing to do.

It isn’t my job to care if you are taking a bad approach or not. You’re a programmer, and you are in-charge of your own project. You asked a question and I answered it, whether you should re-assess your options is down to you - I personally think you should. However, let me make one thing very clear… If you start messing with the System Service Descriptor Table (especially for 64-bit systems) and go down a path of unstable, undocumented and officially unsupported mechanisms, you’re going to land yourself in a heap of trouble when the time comes and it could be anything from losing customers over bug-checking their systems after a Windows patch update, to not understanding how to update something efficiently or properly.

Keep in mind that Windows 8.1 and later have a new code integrity policies that prohibits
using of dynamic memory. For example, ZwAllocateVirtualMemory and ZwProtectVirtualMemory
may return an error 0xC0000604 (STATUS_DYNAMIC_CODE_BLOCKED) if the
corresponding policy was enabled for a process.

See SetProcessMitigationPolicy for more information.

By default, this policy enabled for the services.exe, smss.exe and some other system processes.

Aleh is correct, there is indeed a new protection mechanism and it’s related to the security policies for processes; it has actually existed for a very long time however was not documented or available via a documented interface.

SetProcessMitigationPolicy will call NtSetInformationProcess, and the NtSetInformationProcess call for changing the policy information will change data under the KPROCESS kernel-mode structure for the desired process. However, features such as enabling Data Execution Prevention (DEP) on-the-go cannot be done “permanently” from user-mode via NtSetInformationProcess I believe, but can from kernel-mode. Of course, modifying the KPROCESS structure (or even accessing it for that matter) would be highly unstable and unrecommended since it’s an opaque structure and the offsets regularly change.

Google have been using NtSetInformationProcess since Windows 7 to enforce features like DEP if it wasn’t already enabled (even though they compile with it enabled and their 64-bit compilation will always have it enabled of course due to 64-bit security benefits with the 64-bit Windows Kernel).

You can still inject a DLL just fine though as long as it doesn’t require a manual map shell-code loader (which would require additional memory to be executable and done remotely - and thus blocked - whereas standard DLL injection methods via remote thread creation, handle hijacking or APC with routines like LoadLibraryA/W would not require you to change the protection of memory, nor allocate memory with execute flags but only read/write).

I’d like to just quickly add that services.exe, smss.exe, csrss.exe and a few others are all protected processes by default since Windows 8. Therefore, attempting to attack them with or without security policies would be a waste of time. Even from kernel-mode, it is not so straight-forward like a call to ZwOpenProcess; that simply won’t be enough to get a handle to such processes and those processes don’t have user32.dll loaded/a UI at all so there’s less exploitation attack vectors available. You’d have to either go deep enough to bypass the checks for the process protection status built-in to the Windows Kernel, or patch the KPROCESS structure so the Windows Kernel doesn’t believe the process is actually protected. There’s also Protected Process Light, of course it can be beaten but none of these activities are documented, stable nor reliable and should especially not be used in a professional environment because data corruption from a BSOD can cause many issues.

To be honest, I am glad Microsoft made these processes protected. It strengthens the OS environment a bit against malicious software. Sadly they left lsass.exe unprotected at default configuration (it can be enabled for process protection via a registry hack) and svchost.exe can be exploited the same way lsass.exe can (to obtain process handles because lsass.exe and svchost.exe have opened handles by default - prevents passing through kernel-mode callbacks or triggering hooks) but maybe they will change that some-day by default which would be good.

Few points for the last comments:

  • KeAttachStack will throw BSOD if run inside the PsSetThreadCreateNotifyRoutine’s routine.
  • I don’t mind if the driver is stable in other versions of windows. In fact, I take in the assumption it runs only under Windows 10, so even manipulating the E/K-PROCESS/THREAD - is “ok” for me.

Now I’m stuck in a point where I’ve allocated UserMode buffer, which is RWX, and wrote there my infinite loop. What I want to do now is to set the thread to start running in the allocated address.
* Changing entry point inside PE header didn’t work.
* Changing Win32StartAddress inside ETHREAD structure didn’t work.

Any clues on how can I do it? All I want is for the thread to run my code (the infinite loop) when I return from the Notify Routine callback.
Thanks

" manipulating the E/K-PROCESS/THREAD - is “ok” for me" Well it should not
be, in multiple other versions of Windows those structures have changes with
Windows Update or Service Packs. When you consider that Windows 10 is
supposed to be the version for a very long time, your plans is very stupid.

Don Burn
Windows Driver Consulting
Website: http://www.windrvr.com

-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of
xxxxx@gmail.com
Sent: Tuesday, January 02, 2018 4:35 PM
To: Windows System Software Devs Interest List
Subject: RE:[ntdev] Write Current Process Memory From Kernel

Few points for the last comments:
- KeAttachStack will throw BSOD if run inside the
PsSetThreadCreateNotifyRoutine’s routine.
- I don’t mind if the driver is stable in other versions of windows. In
fact, I take in the assumption it runs only under Windows 10, so even
manipulating the E/K-PROCESS/THREAD - is “ok” for me.

Now I’m stuck in a point where I’ve allocated UserMode buffer, which is RWX,
and wrote there my infinite loop. What I want to do now is to set the thread
to start running in the allocated address.
* Changing entry point inside PE header didn’t work.
* Changing Win32StartAddress inside ETHREAD structure didn’t work.

Any clues on how can I do it? All I want is for the thread to run my code
(the infinite loop) when I return from the Notify Routine callback.
Thanks


NTDEV is sponsored by OSR

Visit the list online at:
http:

MONTHLY seminars on crash dump analysis, WDF, Windows internals and software
drivers!
Details at http:

To unsubscribe, visit the List Server section of OSR Online at
http:</http:></http:></http:>

> When you consider that Windows 10 is supposed to be the version for a very long time, your plans is very stupid.

Like I said before, its a university project, not a product. As far as I know, these structure usually change between different NT versions (mostly), I can be more strict and take in the assumption that its a specific build of Windows 10.

Another important note, I do this stuff in a 64 bit OS but only for 32 bit processes (therefore I looked up for Win32StartAddress previously).

The thing about CRAPPY UNIVERSITY PROJECT’S LIKE YOURS is that some idiot
takes it as an example of how to do things, and goes running off to try to
make a product. I’ve had multiple queries for consults with startups which
told me “we just have a little problem” when in reality they took someone’s
piece of junk project and based their whole product on it. Things don’t go
well when I suggest they throw everything out and start over.

Don Burn
Windows Driver Consulting
Website: http://www.windrvr.com

-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of
xxxxx@gmail.com
Sent: Tuesday, January 02, 2018 4:58 PM
To: Windows System Software Devs Interest List
Subject: RE:[ntdev] Write Current Process Memory From Kernel

> When you consider that Windows 10 is supposed to be the version for a very
long time, your plans is very stupid.

Like I said before, its a university project, not a product. As far as I
know, these structure usually change between different NT versions (mostly),
I can be more strict and take in the assumption that its a specific build of
Windows 10.

Another important note, I do this stuff in a 64 bit OS but only for 32 bit
processes (therefore I looked up for Win32StartAddress previously).


NTDEV is sponsored by OSR

Visit the list online at:
http:

MONTHLY seminars on crash dump analysis, WDF, Windows internals and software
drivers!
Details at http:

To unsubscribe, visit the List Server section of OSR Online at
http:</http:></http:></http:>

> “Like I said before, its a university project”

University is there for people to study (learn more) and gain experience. You say you are working on a ‘malware protection system (sort of)’ but you aren’t going to gain much useful experience for such a project if you’re developing buggy, unstable and extremely unreliable source code, or using the same from someone else.

I doubt your University would ask you to do what you are trying to do because it is a bit silly. Try coming up with a project idea which can be followed properly and help you learn skills for a professional environment, such as taking a good and documented/stable approach. That will help you a lot… Trying to put the main thread of a newly starting process in a never-ending infinite loop is beyond stupid.

xxxxx@gmail.com wrote:

Now I’m stuck in a point where I’ve allocated UserMode buffer, which is RWX, and wrote there my infinite loop. What I want to do now is to set the thread to start running in the allocated address.
* Changing entry point inside PE header didn’t work.
* Changing Win32StartAddress inside ETHREAD structure didn’t work.

Any clues on how can I do it? All I want is for the thread to run my code (the infinite loop) when I return from the Notify Routine callback.

It’s possible the nascent thread’s register state has already been set
up in a CONTEXT structure.  Have you traces the stack all the way back
to user-mode?


Tim Roberts, xxxxx@probo.com
Providenza & Boekelheide, Inc.

I would bet everything that is not a university project :slight_smile:
I graduated a university where we did Windows kernel. There were no such
nonsense tasks.
In University you learn operating system basics and filesystem basics not
much beyond that.
We also did Windows research kernel part of Microsoft which is anything but
this.
I’m surprised this thread hasn’t died yet here. This is obvious malware.
You may not be aware that it is, I give you that at most, but it is.

Gabriel
www.kasardia.com

On Jan 3, 2018 01:54, “xxxxx@gmail.com” wrote:

> > “Like I said before, its a university project”
>
> University is there for people to study (learn more) and gain experience.
> You say you are working on a ‘malware protection system (sort of)’ but you
> aren’t going to gain much useful experience for such a project if you’re
> developing buggy, unstable and extremely unreliable source code, or using
> the same from someone else.
>
> I doubt your University would ask you to do what you are trying to do
> because it is a bit silly. Try coming up with a project idea which can be
> followed properly and help you learn skills for a professional environment,
> such as taking a good and documented/stable approach. That will help you a
> lot… Trying to put the main thread of a newly starting process in a
> never-ending infinite loop is beyond stupid.
>
> —
> NTDEV is sponsored by OSR
>
> Visit the list online at: http:> showlists.cfm?list=ntdev>
>
> MONTHLY seminars on crash dump analysis, WDF, Windows internals and
> software drivers!
> Details at http:
>
> To unsubscribe, visit the List Server section of OSR Online at <
> http://www.osronline.com/page.cfm?name=ListServer&gt;
></http:></http:>

> I would bet everything that is not a university project :slight_smile: I graduated a university where we did Windows kernel. There were no such nonsense tasks. In University you learn operating system basics and filesystem basics not much beyond that. We also did Windows research kernel part of Microsoft which is anything but this. I’m surprised this thread hasn’t died yet here. This is obvious malware. You may not be aware that it is, I give you that at most, but it is.

More than happy to answer this one :slight_smile:
I’m a fourth year software engineering student, whereas my final project (as for the diplomma, not for a specific course) is a system which monitors “Untrusted Processes” and treats them in a supervised environment as needed (some kind of “catching any untrusted (== not whitelisted) process and open in under our special sandbox”. By special sandbox, I mean it’s different from any other sandbox solution in the open-source, therefore we require to use a driver which catches these processes for us.

I answered this before, but many people skip some of the comments. What I do is catch any new process, prevent it from running it’s code until I attach to it as a debugger. How? Well, I can’t put in on suspend for some reason, so I write an infinite loop in it’s beginning. After I attach to it - everything is back to normal.

It’s good that you put quotes around “untrusted process”.
You might first why to identify WHAT if your criteria for a process to be
untrusted. Ask yourself that.
In order to do this you might want to analyze it begins execution, as a
file. Why wait for it to become a process. At the execution stage you
should already “know” if your to-be process is trusted or not. So instead
of focusing on doing all the undocumented and not recommended strategy in
the book you should focus on looking at your problem in a different way.
One that is documented. The undocumented methods and structures are
undocumented for a reason and that reason is not to piss off developers and
make their lives miserable. That’s why you have registry callbacks,
minifilter model, Ob callbacks, ndis, wfp, process/thread/module callbacks
and many many other models callbacks and documented ways to change the OS
behavior in a way that is consistent with the OS.
It’s like you want to implement a filesystem encryption functionality and
instead of using a minifilter you try to hook NTFS’s reads/writes and do
your dirty work there. Not OK.
So, what is an “untrusted process” ? Is it the same as untrusted executable
file ? Is it a combination of untrusted source process and target
executable file ? Is it more ? Answer all these questions and there will
answers where your implementation will not have to depend on hacks.

Gabriel
www.kasardia.com

On Jan 5, 2018 20:47, “xxxxx@gmail.com
wrote:

> > I would bet everything that is not a university project :slight_smile: I graduated a
> university where we did Windows kernel. There were no such nonsense tasks.
> In University you learn operating system basics and filesystem basics not
> much beyond that. We also did Windows research kernel part of Microsoft
> which is anything but this. I’m surprised this thread hasn’t died yet here.
> This is obvious malware. You may not be aware that it is, I give you that
> at most, but it is.
>
> More than happy to answer this one :slight_smile:
> I’m a fourth year software engineering student, whereas my final project
> (as for the diplomma, not for a specific course) is a system which monitors
> “Untrusted Processes” and treats them in a supervised environment as needed
> (some kind of “catching any untrusted (== not whitelisted) process and open
> in under our special sandbox”. By special sandbox, I mean it’s different
> from any other sandbox solution in the open-source, therefore we require to
> use a driver which catches these processes for us.
>
> I answered this before, but many people skip some of the comments. What I
> do is catch any new process, prevent it from running it’s code until I
> attach to it as a debugger. How? Well, I can’t put in on suspend for some
> reason, so I write an infinite loop in it’s beginning. After I attach to it
> - everything is back to normal.
>
> —
> NTDEV is sponsored by OSR
>
> Visit the list online at: http:> showlists.cfm?list=ntdev>
>
> MONTHLY seminars on crash dump analysis, WDF, Windows internals and
> software drivers!
> Details at http:
>
> To unsubscribe, visit the List Server section of OSR Online at <
> http://www.osronline.com/page.cfm?name=ListServer&gt;
></http:></http:>

Well, any 32-bit process which is not whitelisted - for me it’s an “untrusted” one.
My project is a prevention system for malwares - during execution.
My grade for this don’t take in to account whether this is a good security design, if this is “smart” plan or any of this stuff. Its a university project, not a business product. My driver is not going to be signed or proceed further than the university bounds.
If the project succeeds, for educational purposes maybe I’ll post all the code for the project on Github or something.
I DO understand your concerns though, because all of my intentions and “playing around with the kernel” could be easily circumvented to malicious purposes - but in todays world I mean, what couldn’t?
Same as any simple pen could be used for stabbing, any piece of code could be used for malicious purposes.

Anyway, back to technical. I managed to catch any new process, and for each 32 bit process I replace the main code with infinite loop (if someone knows how to suspend it inside "PsSetCreateThreadNotifyRoutineEx’s routine - and it worked for him, I’ll be more than happy to know and change my code :slight_smile: ). I get all the new PIDs to a array and synchronize it with a UM “Manager process”. The synchronization is simply done by setting an event, the Manager asks for the newly created PIDs and for more info. (I use an array of PIDs because maybe more than one process is created during this period of setting the event->getting the PIDs).
I DO have synchronization problems right now (between the cores and between User-Kernel space), so untill it’s not solved I’ll be glad to post more problems here and get the help I need.

Thank you all very much! :slight_smile: