Real-time detection of mutex objects

It would be nice if ObCallbacks notified for mutex objects.

Nope. As we’ve said, I think, several times by now, they do not.

I apologize, but I find this whole notion laughable. Singling out Mutex objects is, from my limited point of view as a mere kernel dev and not any sort of security or malware researcher, simply ridiculous. These are not the only objects that can be named. So, why choose Mutex for special treatment? Asking for and/or expecting a callback for the instantiation of a simple kernel synchronization primitive is foolish. The callback can create more overhead than the instantiation… for something that might be done frequently.

OK… I realize my editorializing on this has no real point beyond satisfying myself.

Peter

1 Like

Very challenging indeed!

You want to know as and when a mutex gets created, then perhaps search against a known hash for the name??

It’s more like coming up with a debugger module that will insert exceptions into interesting places and handle the exception!!!

Pro

I think that we can safely decide that this is the most ridiculous objective of the year - with half of the year ahead.

Because this is both totally useless in its objectives and so impractical in the proposed means, it is outlandish enough to qualify as one of the most ridiculous things I have ever heard proposed.

To the OP, it is certainly possible that you have a legitimate objective, and I am sure that if you do, and can articulate it, the rest of the community and I will certainly try to help you. But the problem is that as stated you can’t achieve anything with this approach, I think.

The whole notion that malware trolls are conscientious enough to do ANYTHING to avoid multiple infections is totally laughable.

What about the scenario when two separate instances of the same malware “title” are potentially getting at odds with one another, effectively rendering one another non-functional (in the sense that they are both unable to exercise their intended malicious functionality)?
In this particular case malware writers may, indeed, want to avoid multiple reinfections, and the purpose of the whole exercise is protecting the malware itself, rather than the target machine/OS installation that it attempts to subvert. It never occurred to you to think this way, by any chance?

Anton Bassov

Again, I am amused to no end that anyone thinks these bastards expend any energy at all worrying about how their software fits into a malware “ecosystem”.

Wow, trying to complete a project makes someone ?astered, and it has already won the prize for the most ridiculous post of the year…

This is the slippery slope or fool’s paradise… Go to any credible security company and find out what kind of hacks they do to support as much as they can for APT. And ask them what and how they handle those things…

From OS to protocol to device, nothing is as safe as we wish to think. So people try to do whatever they can… Otherwise we will all have to soak our systems in salt water for a day, then give them to recycling…

pro

Any credible hacker worth their salt is never going to ask a question as straight as this one!
Pro

Again, I am amused to no end that anyone thinks these bastards expend any energy at all worrying about how their software fits into a malware “ecosystem”.

I am speaking not about an “ecosystem” (i.e. different malware “titles” peacefully coexisting on the same machine) but about the scenario when two separate instances of the same “title” are installed on it.

I know you may get surprised to no end, but if you don’t mind “expending your energy” on writing a program you may, probably, want to “expend some energy” on making it work, at least from time to time, as well. Taking into account the malicious nature of the program in question, in this particular case it may mean taking some steps to avoid detection and/or removal.

Another point to consider is that two separate instances of the same malware “title” that are installed on the target machine are going to compete for exactly the same resources. Taking, again, into account the malicious nature of the program in question and its lack of concern for anybody else, this may result in some “funny” situations (like, for example, instance A removing a hook installed by instance B, and vice versa, effectively resulting in a ridiculous scenario of a malware rendering itself harmless by its own actions).

In order to avoid this unfortunate (from the malware writer’s perspective, of course) scenario, they may want to avoid installing multiple instances of it on the same machine.

Anton Bassov

If I scanned and remember the linked report correctly, I think the malware is using the named mutex to store some information… so not necessarily as a serialization primitive?

Regardless…

Peter

I think the malware is using the named mutex to store some information… so not necessarily as a serialization primitive?

At this point, the original question that Marion branded as “the most ridiculous post of the year - with half of the year ahead” starts, all of a sudden, making perfect sense. If mutexes are used this way, quite a few of them may potentially be required to store all the info, right? Therefore, if you notice a surge of named mutex creation all of a sudden, it may, indeed, raise some suspicions. Certainly, it is not up to a driver to decide upon anything, but logging mutex creation events for subsequent analysis may be reasonable indeed…

Anton Bassov
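Anton’s suggestion above, logging named-object creation events and looking for a sudden surge afterwards, as an added example that is not code from this thread: an offline PowerShell function that flags a process creating many named objects of one type within a short window. It goes a little beyond the post by keying on every object type rather than only mutexes (Peter’s point earlier that mutexes are not the only nameable objects). The records, the threshold of 5 and the 2-second window are constructed assumptions for the demo; no tracing API is assumed, and “Mutant” is simply the NT object-type name for a mutex.

```powershell
# Added example, not code from the thread. Burst detection over constructed
# named-object creation records (Timestamp, ProcessId, ObjectType, Name).
# Threshold and window are arbitrary assumptions; tune them to your own feed.

function Find-NamedObjectBursts {
    param(
        [Parameter(Mandatory)] [object[]] $Records,
        [int] $Threshold = 5,
        [int] $WindowSeconds = 2
    )
    $hits = @()
    # Group per process and per object type so that one chatty type stands out
    foreach ($group in ($Records | Group-Object ProcessId, ObjectType)) {
        $events = @($group.Group | Sort-Object Timestamp)
        $start = 0
        for ($end = 0; $end -lt $events.Count; $end++) {
            # Slide the window start forward until [start..end] fits in WindowSeconds
            while (($events[$end].Timestamp - $events[$start].Timestamp).TotalSeconds -gt $WindowSeconds) {
                $start++
            }
            $count = $end - $start + 1
            if ($count -ge $Threshold) {
                $hits += [pscustomobject]@{
                    ProcessId  = $events[$end].ProcessId
                    ObjectType = $events[$end].ObjectType
                    Count      = $count
                    From       = $events[$start].Timestamp
                    To         = $events[$end].Timestamp
                    Names      = ($events[$start..$end].Name -join ',')
                }
                break   # one alert per process/type is enough for triage
            }
        }
    }
    return $hits
}

# Constructed records: pid 4100 looks like a normal app (one single-instance
# mutex at startup); pid 7732 creates 12 named mutexes within about a second,
# the "surge" pattern described in the post. 'Mutant' is the NT type name.
$t0 = Get-Date '2024-01-01T10:00:00'
$records = @(
    [pscustomobject]@{ Timestamp = $t0; ProcessId = 4100; ObjectType = 'Mutant'; Name = 'Local\MyApp_SingleInstance' }
)
$records += 1..12 | ForEach-Object {
    [pscustomobject]@{ Timestamp = $t0.AddMilliseconds(80 * $_); ProcessId = 7732; ObjectType = 'Mutant'; Name = "Local\Blob$_" }
}

# Expected: exactly one alert, for pid 7732 / Mutant, with Count 5 (the fifth
# creation inside the 2-second window trips the default threshold).
Find-NamedObjectBursts -Records $records | Format-Table -AutoSize
```

Whatever produces the real records (an ETW session, a driver log, an EDR feed) is out of scope here; the point is that the analysis stays in user mode and after the fact, which is exactly what Anton says a driver should leave to someone else.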

If it is inside kernel space, we call it a rootkit, otherwise a user-level hook… Both are bad. I know for a fact that some drivers (kernel mode) use some techniques for persistence and to avoid duplication. It’s more like Covid vaccines… :-). I personally would not go so far as to call it the most ridiculous post.

I personally subverted lots of apparent OS security, so I shut my f* mouth :-).

Pro

Not a serialization primitive but mutual exclusion in broader sense. Indicates malware already took over this machine and another copy shouldn’t bother to avoid conflicts. That’s one reason why the original request is strange, any named object would serve this purpose so guarding just mutexes doesn’t make sense.

Again, I am amused to no end that anyone thinks these bastards expend any energy at all worrying about how their software fits into a malware “ecosystem”.

These bastards are trying to make money nowadays. Ransom, crypto mining, botnets… You can see it as a business, however weird. They may not care about customers’ machines and data, but they care about their profits and don’t want to shoot themselves in the knees. Anton already explained it.

@Michal_Vodicka said:

These bastards are trying to make money nowadays. Ransom, crypto mining, botnets… You can see it as a business, however weird. They may not care about customers’ machines and data, but they care about their profits and don’t want to shoot themselves in the knees. Anton already explained it.

Well, those ?astards will not show up here or on any other forum, for sure! And they don’t mind us calling them out as ?astards…

Now that they are there, HOW DO YOU FIX (EVEN A SMALL PART)??? Hitting the walls with our heads does not seem to work…

-Pro

I wouldn’t be surprised if they read this list and some can even be members. What makes the difference between black and white hats? Morals, not competence.

well, we have only to wait until the end of the year to see if I’m right :wink:

but there are some points to consider

One of the most common ways that malware is discovered is when users notice that something isn’t working as it should. As was the case with the recent SolarWinds problem, malware designed to minimize the disruptions that it causes is harder to detect because no one goes looking. This isn’t something that someone determined to cause mischief worries about, but serious attackers will for sure.

A named mutex is one way to ensure that multiple instances of the same program don’t run together. That might be a technique that is used by malware, but it is also used by many other programs, including some versions of Office IIRC. But a named mutex is only one of a vast number of ways of preventing multiple instances of the same program from running together. Using the same idea, any named object could be used. A mutex, an event, a section - you could even use a named pipe endpoint. But there are many other ways too. Consider a socket bound to a local port. Or a file or a registry key opened with access and sharing attributes that prevent multiple concurrent handles. And those are only a few of the possible kinds that just rely on a single ‘thing’ - mechanisms that rely on multiple different ‘gates’ are possible as well. Serious malware writers will gravitate to the most obscure and convoluted protocols for mutual exclusion as they are the hardest to observe or understand. There is no effective way to surveil for all of them - even if you had effective heuristics to differentiate between the legitimate patterns and the malware patterns - because there are enough different ‘degrees of freedom’ that the malware author can just invent a new one that you don’t check for. So this is not an effective method to check for the kind of malware that you actually care about detecting.

The performance cost of allowing customization (notify routines) during object creation would not be inconsequential. These functions have a very direct impact on overall application performance and might happen hundreds of thousands of times per second. And any compromised system could have any of these notify routines circumvented anyway, so they would provide no effective protection anyway. The conclusion is that since this feature would be highly deleterious to performance as well as highly ineffective at detecting an ‘infection’, it is sound engineering judgement to omit it from the design of Windows.

1 Like
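The point made above, that a named mutex is only one of many “gates” a program can use to refuse to run twice, as an added example that is not code from this thread: a PowerShell script that tries four different single-instance gates side by side (named mutex, named event, exclusively opened file, bound loopback socket). Run it in two PowerShell windows; the first reports True for every gate and the second False, although only one of the four is a mutex and two of them involve no named kernel object at all. The object names, the lock-file path and the port number are arbitrary assumptions for the demo.

```powershell
# Added example, not code from the thread. Four "am I the first instance?"
# gates; names, lock path and port are arbitrary demo assumptions.
# Each handle is kept alive in a variable until the script is released.

$tag   = 'Demo-SingleInstance-1234'
$gates = [ordered]@{}

# 1. Named mutex: $createdNew is $false when an object of that name already
#    exists in the session namespace (the ERROR_ALREADY_EXISTS pattern).
$createdNew = $false
$mutex = New-Object System.Threading.Mutex($false, "Local\$tag", [ref]$createdNew)
$gates['mutex'] = $createdNew

# 2. Named event: identical logic, different object type, still a named object.
$createdNew = $false
$evt = New-Object System.Threading.EventWaitHandle($false, [System.Threading.EventResetMode]::ManualReset, "Local\$tag-evt", [ref]$createdNew)
$gates['event'] = $createdNew

# 3. Exclusive file handle: FileShare.None makes a second open fail with a
#    sharing violation; no named kernel object is involved at all.
$lockPath = Join-Path $env:TEMP "$tag.lock"
try {
    $lock = [System.IO.File]::Open($lockPath, [System.IO.FileMode]::OpenOrCreate, [System.IO.FileAccess]::ReadWrite, [System.IO.FileShare]::None)
    $gates['file'] = $true
} catch {
    $gates['file'] = $false
}

# 4. Loopback socket: only one process can listen on a given port.
try {
    $listener = New-Object System.Net.Sockets.TcpListener([System.Net.IPAddress]::Loopback, 47123)
    $listener.Start()
    $gates['socket'] = $true
} catch {
    $gates['socket'] = $false
}

$gates.GetEnumerator() | ForEach-Object { '{0,-7} first instance: {1}' -f $_.Key, $_.Value }
Read-Host 'Press Enter to release all four gates'
```

Only gates 1 and 2 would ever be visible to an object-creation callback, and a program is free to require all four (or any other combination) before it decides it is alone, which is the “multiple different gates” case the post describes.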

@Michal_Vodicka said:
I wouldn’t be surprised if they read this list and some can even be members. What makes the difference between black and white hats? Morals, not competence.

Good point, there are already members tuned into it. They will find a solution one way or the other :slight_smile: This site, along with a lot of sites, is good in that area, not telling the solutions (even if they are known to some people)…

The difference between a black and white hat is: white hatters try to prove a theorem, black hatters need to find a counterexample. When you write code that has a buffer overflow and stack hijacking, there is one prize for the black hatters, while white hatters try to catch those even after release… White hatters work for money. Black hatters steal, that’s all.

-Pro

The performance cost of allowing customization (notify routines) during object creation would not be inconsequential. These functions have a very direct impact on overall application performance and might happen hundreds of thousands of times per second. And any compromised system could have any of these notify routines circumvented anyway, so they would provide no effective protection anyway. The conclusion is that since this feature would be highly deleterious to performance as well as highly ineffective at detecting an ‘infection’, it is sound engineering judgement to omit it from the design of Windows.

This has been solved many times before. Advanced Persistent Threats mostly work this way.

For the worst side —
There are lot of state actors as well.
Some sell their infrastructures to other criminal gangs.
And of course, huge monetary loss of companies.
There are companies, who can do Boeing compatible design in two months …
Child ?orn to drug, etc. etc…

For the good side —
Some are being caught and/or are under surveillance thanks to antidotes.

Apps and or companies under watch.

Anyways, peace !
-Pro

I wouldn’t be surprised if they read this list and some can be even members.

Well, sometimes they may even post their questions here. For example, what would you say about something along the following lines
(please pay special attention to the combination of the grammar with the assumed name of the imaginary poster)

I was assigned to the task of capturing passwords by my company. I’m having a understanding that I must hook SSDT, but it is not work. Please resolve my doubt in the same.

James Smith

Anton Bassov

Looks like a naive wannabe hacker to me :slight_smile: A different kind than someone trying to use named mutexes to avoid collisions in his malware. I presume they’d ask in a completely different way, so you can’t detect them.

Looks like a naive wannabe hacker to me

…with the grammar epitomising “English” that happens to be just a sort of “fingerprint” of a certain part of the world, which, in turn, somehow implies that the whole “business” of malware design relies upon outsourcing as much as its “legitimate” counterpart does.

In other words, the “evil genius” image of a hacker becomes more and more of a myth these days, with the exploits getting chiefly designed by the security researchers who don’t intend to make any actual use of them, and design them just as a “proof of concept” thing…

Therefore, if our “James Smith” tries to use any of their NGs as a source of info, there is a good chance that he will get booed (and eventually get the boot) down there as well.

Anton Bassov