I want to hide a program (which performs HTTP requests) from Windows' Task
Manager, and I am thinking whether it is possible to embed it in a WDM
driver. Is it feasible?
For what? To write a trojan?
Surely HTTP is possible to implement in the driver, but prepare to have difficult times with TDI or purchase one of the kernel mode
socket libraries on the market.
Max
----- Original Message -----
From:
To: “NT Developers Interest List”
Sent: Saturday, March 23, 2002 6:42 PM
Subject: [ntdev] Embedding a user mode program in the driver
> For what? To write a trojan?
Yup… it’s the final stage of my final year project… my final year
project is about spyware implementation, detection and removal…
> Surely HTTP is possible to implement in the driver, but prepare to have
> difficult times with TDI or purchase one of the kernel mode socket
> libraries on the market.
Are there any easier solutions?
> Surely HTTP is possible to implement in the driver, but prepare to have
> difficult times with TDI or purchase one of the kernel mode socket
> libraries on the market.
> Are there any easier solutions?
Doing all TCP/IP work from the user app is one.
Max
> Surely HTTP is possible to implement in the driver, but prepare to
> have difficult times with TDI or purchase one of the kernel mode
> socket libraries on the market.
> Are there any easier solutions?
> Doing all TCP/IP work from the user app is one.
The user application is ready, but if I want to hide this program in the
driver, must I deal with TDI in the driver?
If you just want to hide the program from the Task Manager but still
accept doing your things in user mode, you might try to research
possibilities of making your program a part of some other
well-known process, such as EXPLORER or WINLOGON. I heard that
EXPLORER allows third-party extensions which come in the form of DLLs.
WINLOGON, too, supports some third-party authentication DLLs.
— Sherman wrote:
> The user application is ready, but if I want to hide this program in the
> driver, must I deal with TDI in the driver?
Hmm, what about creating a service instead?
Best regards,
Michal Vodicka
STMicroelectronics Design and Application s.r.o.
[michal.vodicka@st.com, http://www.st.com]
From: xxxxx@yahoo.com [SMTP:xxxxx@yahoo.com]
Reply To: xxxxx@lists.osr.com
Sent: Monday, March 25, 2002 6:17 AM
To: xxxxx@lists.osr.com
Subject: [ntdev] Re: Embedding a user mode program in the driver
> If you just want to hide the program from the Task Manager but still
> accept doing your things in user mode, you might try to research
> possibilities of making your program a part of some other
> well-known process, such as EXPLORER or WINLOGON. I heard that
> EXPLORER allows third-party extensions which come in the form of DLLs.
> WINLOGON, too, supports some third-party authentication DLLs.
Thank you for your suggestion.
But I failed to find the info about third-party extensions on the web.
Do you know where I can find some related web sites?
At 10.45 24/03/2002, you wrote:
> > For what? To write a trojan?
> Yup… it’s the final stage of my final year project… my final year
> project is about spyware implementation, detection and removal…
> > Surely HTTP is possible to implement in the driver, but prepare to have
> > difficult times with TDI or purchase one of the kernel mode
> > socket libraries on the market.
> Are there any easier solutions?
Create a thread in the System special process (I don't remember what
function does this), and execute the program by loading it with ZwOpenFile
+ ZwCreateSection (or with ZwOpenFile + ZwAllocateVirtualMemory +
ZwReadFile to copy it completely into memory: it won't appear in the global
module list and the disk file will be deletable, so it is even more stealthy)
and jumping to its entry point (you get the address of it with ZwQuerySection,
or by directly overlaying the PE format structures on the memory image if
you use the "stealth loading"), kind of like the Unix exec() system call.
Be warned, though:
- only a device driver can start a system thread. And a device driver
*will* have an entry in the global module list (not that it's likely that
any normal human being will be able to find out)
- you will have to manually relocate the image at whatever address you
actually load it, if you use the "stealth loading". And remember that the
process image must be loaded at an address below 2 GB (I don't know if this
restriction applies to the System process, but it's better not to risk), so
set the ZwAllocateVirtualMemory address mask accordingly
- you will have to manually resolve DLL dependencies in any case (I
suggest you use only functions from NTDLL in your program, if possible -
all the TCP stuff will have to be done with I/O calls, it won't be easy),
and believe me, it's a pain. At least, the most common DLLs will already be
loaded as named image sections; you will find them in the object directory
\KnownDlls
- personal firewalls will catch your attempt anyway (System, after all,
is a process like any other), provided that you don't rewrite the network
stack (as personal firewalls hook only the default packet driver, not the
actual network device - after all, this is what they're meant to do). I
know because I verified personally that AtGuard and ZoneAlarm do. This
doesn't mean that the user will have a clue about what the connection attempt
means.
You will find a complete (almost - it doesn't do debug symbols yet) and
working implementation of an NT-based user mode PE loader, and some other
stuff that can help you, including a(n almost) working NT-compatible
kernel, a fairly complete Win32-on-NT implementation and a preliminary
POSIX-on-NT implementation, in the ReactOS source code:
http:
(the code is under the GPL license, so if you use it in your app, you must
re-release it under the same license)
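What this post calls "stealth loading" (overlaying the PE structures on a raw memory image, relocating it to wherever it actually landed, and keeping it below 2 GB) comes down to parsing the NT headers and walking the .reloc directory. The following is an added example, not code from this thread or from ReactOS: plain C with its own minimal copy of the relevant winnt.h structures so it builds and runs on any host, operating on a constructed sample image (MZ/PE headers plus one relocation block, assembled in memory by the example itself, not a real executable). The 0x80000000 limit and the sample addresses are assumptions for illustration; import resolution, section mapping and the ZwOpenFile/ZwCreateSection/ZwAllocateVirtualMemory calls the post mentions are left out.

```c
/* Added example (not from this thread or ReactOS): the base-relocation pass of a
 * minimal "by hand" PE32 loader, with its own subset of the winnt.h structures. Assumes a
 * little-endian host and an image already laid out so that RVAs equal buffer offsets. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define IMAGE_NT_SIGNATURE              0x00004550  /* "PE\0\0" */
#define IMAGE_NT_OPTIONAL_HDR32_MAGIC   0x10B
#define IMAGE_DIRECTORY_ENTRY_BASERELOC 5
#define IMAGE_REL_BASED_ABSOLUTE        0           /* padding entry, skip */
#define IMAGE_REL_BASED_HIGHLOW         3           /* 32-bit absolute address */
#define USER_SPACE_LIMIT 0x80000000u                /* the "below 2 GB" rule from the post (assumed) */
#define IMG_SIZE 0x3000                             /* size of the constructed sample image */

typedef struct { uint32_t VirtualAddress, Size; } IMAGE_DATA_DIRECTORY;
typedef struct { uint32_t VirtualAddress, SizeOfBlock; } IMAGE_BASE_RELOCATION;
typedef struct { uint16_t Machine, NumberOfSections; uint32_t TimeDateStamp, PointerToSymbolTable,
                 NumberOfSymbols; uint16_t SizeOfOptionalHeader, Characteristics; } IMAGE_FILE_HEADER;
typedef struct {                                    /* 224 bytes, field order as in winnt.h */
    uint16_t Magic; uint8_t MajorLinkerVersion, MinorLinkerVersion;
    uint32_t SizeOfCode, SizeOfInitializedData, SizeOfUninitializedData, AddressOfEntryPoint,
             BaseOfCode, BaseOfData, ImageBase, SectionAlignment, FileAlignment;
    uint16_t MajorOperatingSystemVersion, MinorOperatingSystemVersion, MajorImageVersion,
             MinorImageVersion, MajorSubsystemVersion, MinorSubsystemVersion;
    uint32_t Win32VersionValue, SizeOfImage, SizeOfHeaders, CheckSum;
    uint16_t Subsystem, DllCharacteristics;
    uint32_t SizeOfStackReserve, SizeOfStackCommit, SizeOfHeapReserve, SizeOfHeapCommit,
             LoaderFlags, NumberOfRvaAndSizes;
    IMAGE_DATA_DIRECTORY DataDirectory[16];
} IMAGE_OPTIONAL_HEADER32;
typedef struct { uint32_t Signature; IMAGE_FILE_HEADER FileHeader;
                 IMAGE_OPTIONAL_HEADER32 OptionalHeader; } IMAGE_NT_HEADERS32;   /* 248 bytes */

static uint32_t rd32(const uint8_t *p) { uint32_t v; memcpy(&v, p, 4); return v; }

/* Validate the MZ/PE headers and copy the NT headers out; 0 on success, -1 if not a sane PE32. */
static int pe_read_nt_headers(const uint8_t *image, size_t size, IMAGE_NT_HEADERS32 *nt)
{
    uint32_t e_lfanew = size >= 64 ? rd32(image + 60) : 0;
    if (size < 64 || image[0] != 'M' || image[1] != 'Z' || e_lfanew > size || size - e_lfanew < sizeof *nt) return -1;
    memcpy(nt, image + e_lfanew, sizeof *nt);
    return (nt->Signature == IMAGE_NT_SIGNATURE && nt->OptionalHeader.Magic == IMAGE_NT_OPTIONAL_HDR32_MAGIC) ? 0 : -1;
}

/* Walk the .reloc directory and add (new_base - ImageBase) to every HIGHLOW fixup so the
 * image can run at new_base. Returns the number of fixups applied, or -1 for a malformed
 * image, a base that puts the image above 2 GB, or an unrelocatable image asked to move. */
static long pe_relocate(uint8_t *image, size_t size, uint32_t new_base)
{
    IMAGE_NT_HEADERS32 nt;
    if (pe_read_nt_headers(image, size, &nt)) return -1;
    if ((uint64_t)new_base + nt.OptionalHeader.SizeOfImage > USER_SPACE_LIMIT) return -1;
    uint32_t delta = new_base - nt.OptionalHeader.ImageBase;
    IMAGE_DATA_DIRECTORY dir = nt.OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_BASERELOC];
    if (dir.Size == 0) return delta == 0 ? 0 : -1;            /* no .reloc: only loadable at ImageBase */
    if ((uint64_t)dir.VirtualAddress + dir.Size > size) return -1;
    long applied = 0;
    for (uint32_t off = dir.VirtualAddress, end = off + dir.Size; off + 8 <= end; ) {
        IMAGE_BASE_RELOCATION blk;
        memcpy(&blk, image + off, 8);
        if (blk.SizeOfBlock < 8 || blk.SizeOfBlock > end - off) return -1;
        for (uint32_t i = 8; i + 2 <= blk.SizeOfBlock; i += 2) {  /* 16-bit entries: type:4 | offset:12 */
            uint16_t entry = image[off + i] | (uint16_t)(image[off + i + 1] << 8);
            uint32_t type = entry >> 12, rva = blk.VirtualAddress + (entry & 0xFFF);
            if (type == IMAGE_REL_BASED_ABSOLUTE) continue;
            if (type != IMAGE_REL_BASED_HIGHLOW || (uint64_t)rva + 4 > size) return -1;
            uint32_t v = rd32(image + rva) + delta;
            memcpy(image + rva, &v, 4);
            applied++;
        }
        off += blk.SizeOfBlock;
    }
    return applied;
}

/* Constructed sample image (not a real executable): headers at 0, one .reloc block at RVA
 * 0x1000 covering two absolute 32-bit pointers at RVAs 0x2010/0x2020, preferred base 0x400000. */
static uint8_t *build_sample_image(void)
{
    uint8_t *img = calloc(1, IMG_SIZE); if (!img) abort();
    IMAGE_NT_HEADERS32 nt = {0};
    IMAGE_BASE_RELOCATION blk = { 0x2000, 12 };                       /* 8-byte header + two entries */
    uint16_t ent[2] = { (IMAGE_REL_BASED_HIGHLOW << 12) | 0x010, (IMAGE_REL_BASED_HIGHLOW << 12) | 0x020 };
    uint32_t e_lfanew = 0x40, p1 = 0x00401234, p2 = 0x00405678;     /* p1/p2: pointers into the image */
    nt.Signature = IMAGE_NT_SIGNATURE; nt.FileHeader.Machine = 0x14C;   /* i386 */
    nt.FileHeader.SizeOfOptionalHeader = sizeof nt.OptionalHeader;
    nt.OptionalHeader.Magic = IMAGE_NT_OPTIONAL_HDR32_MAGIC; nt.OptionalHeader.NumberOfRvaAndSizes = 16;
    nt.OptionalHeader.ImageBase = 0x00400000; nt.OptionalHeader.SizeOfImage = IMG_SIZE;
    nt.OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_BASERELOC].VirtualAddress = 0x1000;
    nt.OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_BASERELOC].Size = 12;
    img[0] = 'M'; img[1] = 'Z'; memcpy(img + 60, &e_lfanew, 4); memcpy(img + e_lfanew, &nt, sizeof nt);
    memcpy(img + 0x1000, &blk, 8); memcpy(img + 0x1008, ent, 4);
    memcpy(img + 0x2010, &p1, 4); memcpy(img + 0x2020, &p2, 4);
    return img;
}

int main(void)
{
    uint8_t *img = build_sample_image();
    long n = pe_relocate(img, IMG_SIZE, 0x10000000u);                 /* move from 0x400000 to 0x10000000 */
    printf("fixups: %ld, pointers now %08x %08x, load at 0x90000000 -> %ld\n",
           n, rd32(img + 0x2010), rd32(img + 0x2020), pe_relocate(img, IMG_SIZE, 0x90000000u));
    free(img); return 0;
}
```

Compiled with any C99 compiler, it reports two fixups, the two pointers rebased by the 0x0FC00000 delta, and the request to load at 0x90000000 rejected. The two checks worth keeping in any real loader are the ones the post warns about: refuse a base that would put SizeOfImage past the 2 GB boundary, and refuse to move an image that has no .reloc directory at all, since its absolute addresses cannot be fixed up.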