Hello again all. I am sorry to bother you all again. I hope my question doesn’t bring me as much flak as last time, but I am at a loss. I am working on the same binary analysis system as before and I need to intercept service creation to see who initiated it and what process was started as a service. So I have gone through several variations. First I wrote a proxy DLL for advapi32.dll. It worked in practice, but clearly Windows wouldn’t accept it when it rebooted. I am currently trying to do Detour Patching. I know what the address of the CreateServiceW function is (since it resides in shared memory as part of the Windows Subsystem), but I can’t read from or write to the address in my driver. What do I have to do to be able to access protected memory in the kernel? I thought that since the kernel was running at ring 0, that it didn’t have access restrictions to memory.
First you have to be in the context of the process that has the memory or have mapped the memory into the kernel, so yes there is a restriction to the memory in the sense you need to find advapi32.dll at least once.
Secondly why do you think you need this? The CmRegisterCallback functions will allow you to determine who is creating the service, without the need of the hack.
Don Burn (MVP, Windows DDK)
Windows Filesystem and Driver Consulting
Website: http://www.windrvr.com
Blog: http://msmvps.com/blogs/WinDrvr
So what you are saying is that since Registry Keys are modified in the creation of a service, I can use this function to see who is modifying those keys? But I thought Services.exe was the one responsible for modifying those keys. That’s why I have gone this long route to get the information I need. I need to see what process invoked CreateService. I know you are an important individual, so I apologize for my questions.
Sorry for double posting, but in our system, we already hook the Zw functions that deal with registry modification. Do these functions do the same thing, but instead set a callback function that deals with the registry mods?
As far as I know, CreateService directly calls into the kernel for creating the registry keys. Note: there is nothing stopping someone from using registry calls to create a service.
Don Burn (MVP, Windows DDK)
Yes, the CmRegisterCallback function is available from XP on and will allow you to see who is modifying the registry. Only for systems prior to XP do you need hooking.
Don Burn (MVP, Windows DDK)
I know that a malware sample could do the registry mods itself. We already have a component that monitors registry activities, but if they call CreateService, it shows up as services.exe being the creator. The only way we can correlate the two is by inference (i.e. sampleA replicated into fileB, services.exe started fileB as a service).
Michael,
Once you have malware that runs with enough privileges to modify system configuration (like creating services, etc.), the game is essentially over. You can go home. Reinstall the OS.
The sooner people understand that, the sooner they will start to use proper secure configuration for their OS deployment, instead of the broken default Windows XP “a user is admin by default” configuration. Which is still broken in Windows Vista/7 client, though not that drastically.
Yes, very true. We don’t plan on using this system in real-time however. It is run in a VM to record as many characteristics of a malware sample as possible before reverting the image to a clean state.
And the default Windows “a user is admin by default” is very sad. Considering that would allow malware to do everything from shutting down your detection system to installing itself just a little lower than you to undermine your hooks. Personally I don’t like Windows (I’m more of a Red Hat man myself), but it’s a living, you know. We can’t always develop for the OS we like best.
So I guess the only question that remains is…when CreateService and StartService are called from an arbitrary process…is it the process that makes the modifications to the registry, or is it services.exe? If I recall correctly…the scmanager parameter of the CreateService and StartService API functions is referring to services.exe unless you have your own SCManager (I imagine). And CreateService and StartService communicate with the scmanager via LPC. So ultimately services.exe is the middle man that handles all services starting and stopping…am I correct?
It depends whether you want to analyze behavior of a live system infected with malware, or just find out what modifications the malware sample did to it.
To find out the modifications, you could simply mount the system disk to a healthy host, and analyze changes in the files and in the registry. If it’s a VM, you can mount the VHD or its snapshot.
Very true, but it’s more than just that. We don’t just want to know the modifications it did, we want to know what processes and child processes of the malware sample did what and to whom. We already capture code injection, replication, file modification, registry modification, etc. But we need to be able to capture service creation. Right now we get that services.exe created a new process, but not that the malware sample asked for the service to be created. That is the edge we need. But I can’t find any answers on how to do it. And I feel like I’ve tried so many ways of doing it. The last resort is to use inference. Essentially if services.exe started malware_child_process.exe, then the sample started the service. But we…well…my boss wants to know exactly what child process of the malware sample started the service.
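One way to implement the correlation described in this last post, combined with the CmRegisterCallback approach Don Burn suggests, as an added example that is not the poster's or Don Burn's code: the registry side records which process wrote a service key's ImagePath (in a real driver this would run inside the CmRegisterCallback routine with PsGetCurrentProcessId()), and the process side matches a later services.exe child against those records to name the requester. The PIDs, key paths and image paths are constructed; the callback and process-notify glue is assumed, not shown.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Prefix shared by every service key; registry paths compare case-insensitively. */
#define SERVICES_KEY "\\Registry\\Machine\\System\\CurrentControlSet\\Services\\"
#define MAX_SERVICES 32

typedef struct {
    char name[64];               /* key name under Services\, i.e. the service name */
    char image_path[260];        /* ImagePath value written under that key */
    unsigned long requester_pid; /* PID seen in the registry callback (assumed: PsGetCurrentProcessId) */
} service_record;

static service_record g_services[MAX_SERVICES]; /* constructed in-memory table */
static int g_count;

/* Case-insensitive prefix test; stops safely at the end of the shorter string. */
static int has_prefix_ci(const char *s, const char *prefix) {
    for (; *prefix; s++, prefix++)
        if (tolower((unsigned char)*s) != tolower((unsigned char)*prefix)) return 0;
    return 1;
}

/* Extract "Svc" from ...\Services\Svc or ...\Services\Svc\Parameters; 0 if not a service key. */
int service_name_from_key(const char *key_path, char *out, size_t out_len) {
    if (!has_prefix_ci(key_path, SERVICES_KEY)) return 0;
    const char *name = key_path + strlen(SERVICES_KEY);
    size_t n = strcspn(name, "\\");
    if (n == 0 || n >= out_len) return 0;
    memcpy(out, name, n);
    out[n] = '\0';
    return 1;
}

/* Registry side: process `pid` set an ImagePath value under key_path. Returns 1 if recorded. */
int on_image_path_set(unsigned long pid, const char *key_path, const char *image_path) {
    char name[64];
    if (!service_name_from_key(key_path, name, sizeof name) || g_count >= MAX_SERVICES) return 0;
    service_record *r = &g_services[g_count++];
    snprintf(r->name, sizeof r->name, "%s", name);
    snprintf(r->image_path, sizeof r->image_path, "%s", image_path);
    r->requester_pid = pid;
    return 1;
}

/* Process side: services.exe started `image_path`; return the PID that registered that
 * image as a service, or 0 when the start cannot be tied to an earlier registry event. */
unsigned long attribute_service_start(const char *image_path) {
    for (int i = 0; i < g_count; i++)
        if (strlen(g_services[i].image_path) == strlen(image_path) &&
            has_prefix_ci(g_services[i].image_path, image_path))
            return g_services[i].requester_pid;
    return 0;
}
```

On a system where the key is written by services.exe rather than the caller, requester_pid will be the SCM's PID, which is exactly the gap the post describes; the image-path match still links the started process to the service record.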