Real time detecting of mutex objects

Hi all, after some extensive research, I cannot find a way to detect creation or access of a mutex (createmutex, createmutexA, openmutex) etc… I’m wondering if any of you know of a way to do so. I am using callback notifications in kmexts which has callbacks for creation of processes and threads, creation of process and thread handles, all the registry events, etc… Is there a field I can check, or an object I should query during a pre-callback that can hint or id a mutex creation? This is for my project of collecting runtime events. Thanks.

Circling back on this question, hoping for some good insight.

Honestly, maybe you should consider trying to implement actual detection methods in your anticheat other than hooking every single thing the NT kernel allows you to. That said, there is one way that I know but it is undocumented. There aren’t any documented ways to hook mutex object creation.

I cannot find a way to detect creation or access of a mutex

Let’s think about this for a minute: Why WOULD there be? What possible reason would somebody have for wanting to detect the creation/deletion of a fundamental synchronization primitive? And why Mutex? Why not, say… SpinLocks? Or Semaphores?

So, no… there’s no documented way to do this, because it’s not something anybody needs to do. Well, apart from you, and I’m sure you have very good reasons.

Peter

Thanks for the input. Malware uses mutexes a lot to avoid re-infecting the same machine; for my class on detecting malware during runtime, I felt it important to show how to detect mutex creation. There are many ways to list mutexes in Windows, so I thought for sure there must be some hint in real time that a mutex is being created.

malware uses mutexes a lot to avoid re-infecting the same machine

Eh? Are we talking about the same thing? You know that a Mutex is an object, and its instance goes away when the owning process exits or (in the case of the system process) when the system is rebooted.

It seems that a Mutex, specifically, would be ill-suited to the job you’re describing. Maybe an Event would be better.

I’m confused to the point where I wonder if we’re talking about the same thing.

Peter

Hi thanks, here is a post of what I am talking about: https://isc.sans.edu/diary/How+Malware+Generates+Mutex+Names+to+Evade+Detection/19429/
If any on this list have an idea, please let me know, thanks.

Wouldn’t it be enough to scan object manager directories with ZwOpenDirectoryObject and friends and check for the existence of the name you are interested in?

That is a good approach. The key question is when during the execution to do it? Since I have a bunch of callback notifications and a minifilter, at what point should the query occur? If we knew a mutex was being created we could query the directory object at that point; since that does not exist in a documented fashion, it leaves the question open of when to do it. Any insights on that are appreciated.

As an additional thought, deciding which directory to query is critical since it’s inefficient to have multiple queries of all directories.

Also I’m not searching for specific mutex names, so a name search is not usable here, but searching for the existence of any mutex object is.

Actually, I like the way how the malware generates mutex names based on product ID >:) It is creative.

also I’m not searching for specific mutex names, so a name search is not usable here, but searching for the existence of any mutex object is.

OK, but you should take into account that creating named mutexes is something not specific to malware and any software can do it for honest reasons. I probably never used mutexes this way but I used named events. They can be used by malware the same way.

You can search object space periodically and detect changes against the previous state. For example once per minute, 10 minutes or so. Still I’m not sure what you want to do with it. Alert! Somebody created a named mutex! What is the user expected to do then?
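The periodic scan-and-diff approach described above, as an added example that is not code from this thread: the actual namespace walk (NtOpenDirectoryObject/NtQueryDirectoryObject) is replaced by constructed listings of name/type pairs, the scan keeps only objects of type Mutant, and an allowlist covers named mutexes that legitimate software is known to create.

```python
"""Snapshot the named-object directories, keep only Mutant objects, and
report which ones appeared or vanished since the previous scan.
Added example: the listings are constructed stand-ins for what
NtQueryDirectoryObject returns (OBJECT_DIRECTORY_INFORMATION Name/TypeName)."""
from collections import namedtuple

ObjEntry = namedtuple("ObjEntry", "directory name type_name")

# Where user-mode named objects live: "Global\" names land in
# \BaseNamedObjects, session-local names in \Sessions\<n>\BaseNamedObjects.
SCAN_DIRS = (r"\BaseNamedObjects", r"\Sessions\1\BaseNamedObjects")

def snapshot(listings):
    """listings: {directory_path: [(name, type_name), ...]}.
    Returns the set of Mutant entries found in the scanned directories."""
    found = set()
    for directory in SCAN_DIRS:
        for name, type_name in listings.get(directory, ()):
            if type_name == "Mutant":          # NT object type name for a mutex
                found.add(ObjEntry(directory, name, type_name))
    return found

def diff_snapshots(previous, current, allowlist=frozenset()):
    """Return (created, deleted) since the previous scan, dropping names on
    the allowlist: plenty of honest software creates named mutexes too."""
    created = sorted(e for e in current - previous if e.name not in allowlist)
    deleted = sorted(e for e in previous - current if e.name not in allowlist)
    return created, deleted

# Constructed listings for two consecutive scans (not real system output);
# non-Mutant entries are present to show they are ignored.
SCAN_T0 = {
    r"\BaseNamedObjects": [("ShimCacheMutex", "Mutant"), ("SomeSection", "Section")],
    r"\Sessions\1\BaseNamedObjects": [("DBWinMutex", "Mutant")],
}
SCAN_T1 = {
    r"\BaseNamedObjects": [("ShimCacheMutex", "Mutant"), ("SomeSection", "Section"),
                           ("CONSTRUCTED_SAMPLE_MUTEX", "Mutant"), ("SomeEvent", "Event")],
    r"\Sessions\1\BaseNamedObjects": [],
}
ALLOWLIST = frozenset({"ShimCacheMutex"})   # illustrative baseline of known names

def run_demo():
    created, deleted = diff_snapshots(snapshot(SCAN_T0), snapshot(SCAN_T1), ALLOWLIST)
    for e in created:
        print(f"NEW  Mutant {e.directory}\\{e.name}")
    for e in deleted:
        print(f"GONE Mutant {e.directory}\\{e.name}")
    return created, deleted

if __name__ == "__main__":
    run_demo()
```

On a real host the scan interval and the allowlist baseline decide the noise level; the log line per change is what feeds the research data set rather than an alert to a user.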

Thanks Michal, I save all these execution events to a log file resulting in a large data set for Windows exe malware on virusshare.com. The data set is meant for researchers; adding mutexes is, in my opinion, important for malware defense research. Periodic checks of object space is good and the thread would benefit from hearing other approaches as well, hope others provide.

For logging and research it looks OK. But there should be no need for a real-time approach, maybe not even for periodic checks, just scan and create a log.

The whole notion that malware trolls are conscientious enough to do ANYTHING to avoid multiple infections is totally laughable. “Well, sure, he mugged me, but at least he was polite.”

I’m thinking in my minifilter I can check for directory access and query that object; I can relate PIDs to those I’m interested in.

It would be nice if ObCallbacks notified for mutex objects; as far as I know, they don’t.

would be nice if ObCallbacks notified for mutex objects

Nope. As we’ve said, I think, several times by now, they do not.

I apologize, but I find this whole notion laughable. Singling out Mutex objects is, from my limited point of view as a mere kernel dev and not any sort of security or malware researcher, simply ridiculous. These are not the only objects that can be named. So, why choose Mutex for special treatment? Asking for and/or expecting a callback for the instantiation of a simple kernel synchronization primitive is foolish. The callback can create more overhead than the instantiation… for something that might be done frequently.

OK… I realize my editorializing on this has no real point behind satisfying myself.

Peter


Very challenging indeed!

You want to know as and when a mutex gets created, then perhaps search against known hashes for the name??

It’s more like coming up with a debugger module that will insert exceptions at interesting places, handle the exception!!!

Pro

I think that we can safely decide that this is the most ridiculous objective of the year - with half of the year ahead.

Because this is both totally useless in the objectives and so impractical in the proposed means it is outlandish enough to qualify as one of the most ridiculous things I have ever heard proposed.

To the OP, it is certainly possible that you have a legitimate objective, and I am sure that if you do, and can articulate it, me and the rest of the community will certainly try to help you. But the problem is that as stated you can’t achieve anything with this approach, I think.