Can a driver change a window title?

Hello all,

I know how to do that in user mode; now I want to do it in kernel mode.

My idea is to append the PID in a few process windows.

Is it possible to do that at kernel level?

Thanks all :)

Nope


@Doron_Holan said:
Nope

Just wanted to double check. Thanks buddy!

That short answer is of course the correct way of thinking - this is something that you should never even think of attempting to do,

but if you are asking if it is something that can be done from KM, then the answer is yes. By clobbering memory that you don’t own, breaking all of the security rules and destabilizing the system, it is theoretically possible to modify a window title.

Remarkable and surprising statement! Even more so when coming from a person who doesn’t hesitate to erroneously classify completely legitimate (though very limited) approaches as malware in other discussion threads here.

Wrong and misleading in any way…

  1. Software developers (even more so kernel developers) know exactly that disastrous side effects can never be ruled out when “…clobbering memory that you don’t own”.

  2. “Breaking all security rules” is not always possible. E.g. do you happen to know how to reliably disable “Kernel Patch Protection” (aka PatchGuard)?

1.+2. What immediately crosses my mind in this case are e.g. the PatchGuard protected GDI kernel mode entry points.

Marcel Rüdinger
datronicsoft

@Marcel_Ruedinger said:
Remarkable and surprising statement! Even more so when coming from a person who doesn’t hesitate to erroneously classify completely legitimate (though very limited) approaches as malware in other discussion threads here.

I guess the PTP (Psychic Transfer Protocol) of the tags was interrupted on the way to you?

Doesn’t appear to me that you grasped what I was talking about. Otherwise your comment would probably look less silly.

PS: “Psychic Transfer Protocol”, tsk, tsk, tsk…
At least you seem to have creative ideas…

Marcel Rüdinger
datronicsoft

Well, let’s take this point by point.

  1. Software developers (even more so kernel developers) know exactly that disastrous side effects can never be ruled out when “…clobbering memory that you don’t own”.

Do they? You are sure about that point, right? Because I have reviewed lots of code where the authors seem blissfully unaware of any consequence of poking random addresses.

  2. “Breaking all security rules” is not always possible. E.g. do you happen to know how to reliably disable “Kernel Patch Protection” (aka PatchGuard)?

I’m sure that I don’t know any reliable way to do it. But I am equally sure that I know some horribly unreliable ways to do it. And that’s kind of the point - if I don’t care about crashing the system, I can do a lot of stuff from ring 0 that appears to mostly work.

But the PatchGuard protected entry points weren’t on my mind. I was not thinking of changing the GDI code, but thinking of clobbering the actual buffers themselves - under the assumption that usually string buffers contain extra unused bytes beyond the usual NULL terminators. This will cause crashes when that assumption is not true, but will appear to work in many cases. And it is a simple enough matter to trigger an invalidate event that will cause those protected routines to re-read data from the corrupted memory without altering them at all. I think it would be a bad idea to go into any more detail about how this might be achieved.

PS the Psychic Transfer Protocol is one of my favorites.

  1. 100% agree. Thus my original statement should possibly be revised to either “Software developers SHOULD…” or “COMPETENT software developers…”. Let’s stick with the first one. The second option would probably trigger distracting comments again…

  2. 100% agree that it would be a bad idea to go into any more detail. How about also agree that the whole idea is not really feasible? Even if you successfully manage to clobber the actual buffers themselves (which you can’t in all cases), without hooking you couldn’t re-apply your change when the actual buffers are updated (e.g. using SetWindowText function).

However, the point I actually tried to make was a different one: I was just wondering about your inconsistency with respect to pointing out malware. In our previous encounter you insisted on pointing out malware in an approach discussed by other people. Here you yourself point out approaches that are definitely malware and not even working. Since I cannot detect any lack of competence on your side, I am wondering about your intention. This amused me a bit: Is it about contradicting the posts above? You did this here as well as in our previous encounter. Coincidence?

Marcel Rüdinger
datronicsoft
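The supported way to do what the original poster wants is the user-mode path the thread keeps coming back to: enumerate top-level windows and call SetWindowText on the ones owned by the processes of interest. The following PowerShell script is an added example, not code posted by anyone in this thread; the `-TargetPid` parameter, the `Win32Title` wrapper class and the script filename in the usage note are assumptions made for the example. It uses only documented user32 APIs (EnumWindows, IsWindowVisible, GetWindowThreadProcessId, GetWindowText, SetWindowText) and involves no kernel component.

```powershell
# Added example (not from the thread): append "[PID n]" to the titles of the
# visible top-level windows that belong to the given process IDs, from user
# mode only, via documented user32 APIs. Must run in the same desktop session
# as the target windows.
param(
    [Parameter(Mandatory = $true)]
    [int[]]$TargetPid            # hypothetical parameter: process IDs whose windows get tagged
)

# P/Invoke declarations for the handful of user32 calls needed. Guarded so the
# script can be re-run in the same session without a "type already exists" error.
if (-not ('Win32Title' -as [type])) {
    Add-Type -TypeDefinition @"
using System;
using System.Runtime.InteropServices;
using System.Text;
public static class Win32Title {
    public delegate bool EnumWindowsProc(IntPtr hWnd, IntPtr lParam);
    [DllImport("user32.dll")] public static extern bool EnumWindows(EnumWindowsProc lpEnumFunc, IntPtr lParam);
    [DllImport("user32.dll")] public static extern bool IsWindowVisible(IntPtr hWnd);
    [DllImport("user32.dll")] public static extern uint GetWindowThreadProcessId(IntPtr hWnd, out uint lpdwProcessId);
    [DllImport("user32.dll", CharSet = CharSet.Unicode)] public static extern int GetWindowText(IntPtr hWnd, StringBuilder lpString, int nMaxCount);
    [DllImport("user32.dll", CharSet = CharSet.Unicode, SetLastError = true)] public static extern bool SetWindowText(IntPtr hWnd, string lpString);
}
"@
}

# Collect the visible top-level windows first, then modify titles outside the
# enumeration callback; keeps the callback trivial and the mutation explicit.
$windows = New-Object System.Collections.Generic.List[IntPtr]
$callback = [Win32Title+EnumWindowsProc]{
    param([IntPtr]$hWnd, [IntPtr]$lParam)
    if ([Win32Title]::IsWindowVisible($hWnd)) { $windows.Add($hWnd) }
    return $true    # returning $false would stop the enumeration early
}
[void][Win32Title]::EnumWindows($callback, [IntPtr]::Zero)

foreach ($hWnd in $windows) {
    $wndPid = [uint32]0
    [void][Win32Title]::GetWindowThreadProcessId($hWnd, [ref]$wndPid)
    if ($TargetPid -notcontains [int]$wndPid) { continue }

    $sb = New-Object System.Text.StringBuilder 512
    [void][Win32Title]::GetWindowText($hWnd, $sb, $sb.Capacity)
    $title = $sb.ToString()
    $tag = "[PID $wndPid]"

    # Idempotent: a window that already carries its tag is left alone, so the
    # script can be re-run after an application has rewritten its own title.
    if ($title.EndsWith($tag)) { continue }

    if (-not [Win32Title]::SetWindowText($hWnd, "$title $tag")) {
        $err = [Runtime.InteropServices.Marshal]::GetLastWin32Error()
        Write-Warning ("SetWindowText failed for window 0x{0:X} (Win32 error {1})" -f $hWnd.ToInt64(), $err)
    }
}
```

Run it as `.\Tag-WindowTitle.ps1 -TargetPid 1234, 5678` (filename and PIDs are placeholders). The limitation Marcel points out applies here too: the tag lives only until the application next calls SetWindowText on its own window, at which point it is simply gone. Re-running the script restores it, and the idempotency check keeps repeated runs from stacking tags. Failures are reported per window rather than aborting, since some windows in the list may not accept the change.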

I’m not sure that I have any policy about my posts. I read this forum for enjoyment and try to contribute when I can. If I have amused you, then that works too.

You both should have let the thread stand with Doron’s “Nope.”

Thread locked.

Peter