Queue APC in PLoadImageNotifyRoutine

Hi,

I need to write a program's entry point onwards when it is loaded from disk to memory. In order to do that I use PsSetLoadImageNotifyRoutine to check when an image is loaded. When I get that the .exe file is being loaded I get its entry point address (the base address of the image that I get from IMAGE_INFO + reading the header to get the entry point offset).

The problem comes when I try to write the memory, as I get a STATUS_ACCESS_VIOLATION which I suppose is happening due to the fact that the memory does not have write permission (correct me if I'm wrong and it is due to another thing). Then what I would like to do is to use MmProtectMdlSystemAddress to change permissions, write it and restore permissions. In order to do that I use IoAllocateMdl + MmProbeAndLockPages + … But it gets stuck on ProbeAndLock due to the fact that the system holds a lock on it (Doc: "To avoid deadlocks, load-image notify routines must not call system routines that map, allocate, query, free, or perform other operations on user-space virtual memory.").

In order to solve this I read this option https://stackoverflow.com/questions/50610741/windows-kernel-driver-zwallocatevirtualmemory-causing-thread-to-terminate but the KeInitializeApc instruction used to insert the APC is not documented. What should I do? Should I use KeInitializeApc, or is there another approach to modify the memory without using it?

Thanks!

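The entry point calculation from the first post (image base from IMAGE_INFO plus the AddressOfEntryPoint read out of the PE header), written out as an added stand-alone C example that is not from this thread and does not use the Windows SDK headers. It walks the DOS and NT headers with the bounds checks a callback handed raw image memory should make, returning 0 for anything malformed; the PE32+ header it parses is constructed inline, and `pe_entry_point` and `build_sample_pe` are names chosen here.

```c
#include <stdint.h>
#include <string.h>
#include <stdio.h>
/* Entry point VA = image base + IMAGE_OPTIONAL_HEADER.AddressOfEntryPoint, the
   calculation from the first post. `size` bounds what may be read from `img`.
   Returns 0 if the headers are not a well-formed PE32/PE32+ within `size`. */
uint64_t pe_entry_point(const uint8_t *img, size_t size, uint64_t base)
{
    uint32_t e_lfanew, entry_rva, size_of_image;
    uint16_t opt_size, opt_magic;
    if (size < 0x40 || img[0] != 'M' || img[1] != 'Z')     /* IMAGE_DOS_HEADER.e_magic */
        return 0;
    memcpy(&e_lfanew, img + 0x3c, 4);                     /* e_lfanew -> "PE\0\0" */
    if (e_lfanew > size - 24 || memcmp(img + e_lfanew, "PE\0\0", 4) != 0)
        return 0;                                         /* signature + file header must fit */
    memcpy(&opt_size, img + e_lfanew + 20, 2);            /* FileHeader.SizeOfOptionalHeader */
    const uint8_t *opt = img + e_lfanew + 24;             /* IMAGE_OPTIONAL_HEADER */
    if (opt_size < 60 || (size_t)opt_size > size - (e_lfanew + 24))
        return 0;                                         /* need fields up to SizeOfImage */
    memcpy(&opt_magic, opt, 2);
    if (opt_magic != 0x10b && opt_magic != 0x20b)         /* PE32 / PE32+ */
        return 0;
    memcpy(&entry_rva, opt + 16, 4); memcpy(&size_of_image, opt + 56, 4); /* same offsets in both */
    if (entry_rva == 0 || entry_rva >= size_of_image)     /* none, or RVA outside the image */
        return 0;
    return base + entry_rva;
}

/* Constructed minimal PE32+ header for the demo, not a real executable. */
size_t build_sample_pe(uint8_t *buf, size_t cap, uint32_t entry_rva)
{
    const uint32_t nt = 0x80, size_of_image = 0x10000;
    const uint16_t opt_size = 0xf0, magic = 0x20b;        /* sizeof(IMAGE_OPTIONAL_HEADER64), PE32+ */
    size_t total = nt + 24 + opt_size;
    if (cap < total) return 0;
    memset(buf, 0, total);
    buf[0] = 'M'; buf[1] = 'Z'; memcpy(buf + 0x3c, &nt, 4);
    memcpy(buf + nt, "PE\0\0", 4);
    memcpy(buf + nt + 20, &opt_size, 2); memcpy(buf + nt + 24, &magic, 2);
    memcpy(buf + nt + 24 + 16, &entry_rva, 4); memcpy(buf + nt + 24 + 56, &size_of_image, 4);
    return total;
}

int main(void)
{   /* base as a load-image callback would receive it in IMAGE_INFO.ImageBase */
    uint8_t buf[512]; size_t n = build_sample_pe(buf, sizeof buf, 0x1234);
    printf("entry point: 0x%llx\n", (unsigned long long)pe_entry_point(buf, n, 0x140000000ULL));
    return 0;
}
```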

Let me see… isn’t your question asking “please help me write malware”?

Peter

No, that's not the purpose. I cut the entry point from an exe and exported it to another file; then, if a process is authorized and its path is where the modified exe resides (the entry point is all NOPs), I want to load the exe normally (loading the entry point that is in the other file and overriding the NOPs that I patched). I was thinking that maybe working with I/O would be better, since if the process is authorized and opens a handle to the file, if I intercept the read request I would be able to modify the data that it is reading, adding the entry point there.
However, I've already started using the method I described in this post and I don't know if it would be possible to do it that way (or with the I/O way, since I haven't checked it, as I only thought of that way yesterday and was waiting for an answer here).

Hmmmmm… if you just want to veto process creation, why not use PsSetCreateProcessNotifyRoutine (or friends), which is designed for this purpose?

Peter

I've already used the PsSetCreateProcess callback to get the tree of parents to allow offspring to be authorized; the problem is that I want the exes to be encrypted on disk (for now I just cut it, modifying it, but the idea is to encrypt it).

I want the exes to be encrypted on disk

Oh! So, you want to write a file system Minifilter for that.

Problem solved.

Peter