Hi,
I'm a bit new to driver development, and trying to do APC injection. The ultimate goal is to inject some of my code into winlogon.exe.
What I'm trying to do (note: OS is Windows 7):
1. Find winlogon.exe using ZwSystemInformation to get the list of running processes, and find the PID of winlogon.exe.
2. Use PsGetProcessByProcessID to get the EPROCESS for winlogon.exe (the eWinLogonProcess pointer is used to point to this).
3. Use eWinLogonProcess->ThreadListHead to go through all the ETHREADs to find an alertable thread.
4. Inject an APC into the thread found in step 3.
The following is the code which causes a blue screen; not sure what I'm doing wrong here…
// ThreadListHead/ThreadListEntry/Tcb.Alertable come from a copied EPROCESS/ETHREAD/KTHREAD definition
pThNextEntry = pSystemProcess->ThreadListHead.Flink;
// Now we loop through its threads, seeking an alertable thread
while (pThNextEntry != &pSystemProcess->ThreadListHead)
{
    pTempThread = CONTAINING_RECORD(pThNextEntry, ETHREAD, ThreadListEntry);
    if (pTempThread->Tcb.Alertable)
    {
        // Good, an alertable thread was found.
        pTargetThread = &pTempThread->Tcb;
        DbgPrint("KernelExec -> Found alertable thread");
        // We will be using this one, so break now
        break;
    }
    else
    {
        // Didn't find an alertable thread yet, so we'll keep this one
        // just in case we won't find ANY alertable threads
        pNotAlertableThread = &pTempThread->Tcb;
    }
    pThNextEntry = pThNextEntry->Flink; // check next thread
}
When this code executes I simply get a blue screen. Can anyone help?
Thanks in anticipation!
Munir Ahmed
Where are you getting the EPROCESS structure definition from? You do
realize this changes from revision to revision and in the past was
changed in a service pack even. Basically you are doing something very
unsafe with kernel data structures.
Then there is the question of why you would want to put an APC into
Winlogon. I do know of a piece of software that did this; it was
malware to collect logon credentials.
Don Burn (MVP, Windows DDK)
Windows Filesystem and Driver Consulting
Website: http://www.windrvr.com
Blog: http://msmvps.com/blogs/WinDrvr
"xxxxx@gmail.com" wrote in message
news:xxxxx@ntfsd:
> Hi,
>
> I’m a bit new to the driver development, and trying to do APC Injection. The ultimate goal to inject some of my code into winlogon.exe.
>
> What I’m trying to do - (Note: OS is windows 7)
>
> 1. is to find out winlogon.exe using ZwSystemInformation process to get list of process which are running, and finding PID of the Winlogon.exe
>
> 2. - using PsGetProcessByProcessID to get EPROCESS(eWinLogonprocess pointer used to point to this) for the Winlogon.exe
>
> 3. Using eWinLogonProcess->ThreadListHead to go through all the ETHREADs to find out an alertable thread
>
> 4. Injecting APC to thread which I found in step 3.
>
> The following is the code which causes blue screen, not sure what I’m doing wrong here…
>
> pThNextEntry = pSystemProcess->ThreadListHead.Flink;
>
> //Now we loop through it’s threads, seeking an alertable thread
> while(pThNextEntry != &pSystemProcess->ThreadListHead)
> {
> pTempThread = CONTAINING_RECORD(pThNextEntry,ETHREAD,ThreadListEntry);
> if(pTempThread->Tcb.Alertable)
> {
> //Good, an alertable thread was found.
> pTargetThread = &pTempThread->Tcb;
>
> DbgPrint("KernelExec -> Found alertable thread");
> //We will be using this one, so break now
> break;
> }
> else
> {
> //Didn’t find an alertable thread yet, so we’ll keep this one
> //just in case we won’t find ANY alertable threads
> pNotAlertableThread = &pTempThread->Tcb;
> }
>
> pThNextEntry = pThNextEntry->Flink; //check next thread
> }
>
> when this code is executing I simply get a blue screen: Can any one help.
>
> Thanks in anticipation!
>
> Munir Ahmed
Thanks for your reply Don!
EPROCESS Definition
http://www.nirsoft.net/kernel_struct/vista/EPROCESS.html
My aim: In fact, the aim is to inject code into every process that has loaded user32.dll, and the requirement for Winlogon is 100%. This product is for watching employee activity.
As you told me this is a very unsafe way of working with kernel data; could you please suggest how I could do the APC injection?
I've registered a PsProcessCreationNotify callback to get a notification for each process that is created, and then want to inject an APC so that I can inject my code into it for execution. What would you suggest in order to achieve it?
Thanks in anticipation.
Munir Ahmed
Ahh! We have found the graveyard of obsolete rootkit technology. The
definition for EPROCESS has changed for Windows 7 as compared to Windows
Vista. Learn how to use the kernel debugger: dt nt!_EPROCESS.
Regards,
George.
And expect it to change again, and again and again. Software not from
Microsoft that uses EPROCESS is a great way of crashing the system.
Don Burn (MVP, Windows DDK)
Windows Filesystem and Driver Consulting
Website: http://www.windrvr.com
Blog: http://msmvps.com/blogs/WinDrvr
"George M. Garner Jr." wrote in message
news:xxxxx@ntfsd:
> Ahh! We have found the grave yard of obsolete rootkit technology. The
> definition for EPROCESS has changed for Windows 7 as compared to Windows
> Vista. Learn how to use the kernel debugger: dt nt!_EPROCESS.
>
> Regards,
>
> George.
>> In fact, the aim is to inject code into every process that has loaded user32.dll
How about AppInit_DLLs (the official way of doing it)? Or do you need your code to execute in the kernel?
> I'm a bit new to driver development, and trying to do APC injection. The ultimate goal is to inject
> some of my code into winlogon.exe.
Writing malware?
–
Maxim S. Shatskih
Windows DDK MVP
xxxxx@storagecraft.com
http://www.storagecraft.com
> My aim: In fact, the aim is to inject code into every process that has loaded user32.dll, and the
> requirement for Winlogon is 100%. This product is for watching employee activity.
Google for AppInit_DLLs
WinLogon is not a must, you can listen for logon/logoff events by other means.
–
Maxim S. Shatskih
Windows DDK MVP
xxxxx@storagecraft.com
http://www.storagecraft.com
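For readers who take the AppInit_DLLs suggestion above, here is what the registration actually looks like. This is an added example, not something posted in the thread, and the DLL path is a placeholder. The key and value names are the documented ones: `AppInit_DLLs` lists the DLLs, `LoadAppInit_DLLs` must be 1 on Vista and later for the list to be honoured at all, and `RequireSignedAppInit_DLLs` makes the loader skip any DLL that is not Authenticode-signed. The DLL is loaded by user32.dll's initialization into every process that loads user32.dll, which on Windows 7 includes winlogon.exe, so this satisfies the stated requirement without touching EPROCESS.

```reg
Windows Registry Editor Version 5.00

; Weak form: unsigned DLL accepted, and no verification that the path is controlled.
; Any local admin (or anyone who can write the DLL path) gets code in every GUI process.
;[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
;"LoadAppInit_DLLs"=dword:00000001
;"RequireSignedAppInit_DLLs"=dword:00000000
;"AppInit_DLLs"="C:\\Temp\\monitor.dll"

; Hardened form: signature required, DLL under a directory only administrators can write,
; 8.3-safe path with no spaces (the value is parsed on spaces and commas).
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"LoadAppInit_DLLs"=dword:00000001
"RequireSignedAppInit_DLLs"=dword:00000001
"AppInit_DLLs"="C:\\Program Files\\Monitor\\monitor.dll"

; On x64 Windows, 32-bit processes read the WOW64 view instead; set it too if you need them.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Windows]
"LoadAppInit_DLLs"=dword:00000001
"RequireSignedAppInit_DLLs"=dword:00000001
"AppInit_DLLs"="C:\\Program Files\\Monitor\\monitor32.dll"
```

Two caveats a practitioner should have in mind. First, the DLL's DllMain runs under the loader lock inside every GUI process, including csrss-adjacent and logon-path processes, so it must do nothing more than register itself and start real work later; a DllMain that blocks or loads other DLLs will hang or crash exactly the processes you care most about. Second, this key is one of the best-known persistence locations on Windows (Autoruns lists it, Sysmon and every EDR watch it, and Microsoft disables AppInit_DLLs entirely on Windows 8 and later when Secure Boot is on), so a monitoring product that uses it should expect to be flagged and should document why the entry is there.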
1. I'm not writing malware; I'm doing a project for someone.
2. AppInit_DLLs: I'm not sure if that would work in Win7.
3. The requirement of the project is to inject a DLL into Winlogon.exe. I learnt that using an APC I can do that; I need to find out an alertable thread within Winlogon.exe, and that's why I:
   1. Retrieved EPROCESS using PsGetProcessByProcessID
   2. Am trying to traverse the ThreadListHead of EPROCESS to get an ETHREAD with the Alertable flag set to
but unfortunately when I start traversing the ThreadList, I get a BSOD. Anyone got an idea what is a way to get an alertable thread using EPROCESS?
Thanks
Munir
Why is there a requirement to inject a DLL into WinLogon.exe? What are
you trying to record? For that matter, what is the goal of the DLL
injection in other processes? There may be ways to get the data you need
without DLL injection, but we have no idea what data is needed.
You have presented a set of "design requirements" that are actually "we
have a design and it doesn't work" requirements. You are not ever going
to make the thread list traverse work reliably: first, the EPROCESS
structure can change; second, you have no coordination of your traverse
with the kernel modifying the list.
Your choices are to go with AppInit DLLs or do the monitoring in a
different way. What you are trying to do is MALWARE since it will
always crash systems!
Don Burn (MVP, Windows DDK)
Windows Filesystem and Driver Consulting
Website: http://www.windrvr.com
Blog: http://msmvps.com/blogs/WinDrvr
"xxxxx@gmail.com" wrote in message
news:xxxxx@ntfsd:
> 1. I’m not writing a malware - doing a project for someone
>
> 2. AppInit_DLLs - I’m not sure if that would work in Win7
>
> 3. The requirement of the project is to inject a DLL into Winlogon.exe - I learnt that using an APC I can do that; I need to find out an alertable thread within Winlogon.exe, and that's why I
>
> 1. Retrieved EPROCESS using PsGetProcessByProcessID
> 2. Trying to traverse the ThreadListHead of EPROCESS to get an ETHREAD with Alterable flag set to
>
> but unfortunately while I start traversing ThreadList, I get BSOD - Anyone got idea what is a way to get an alterable thread using EPROCESS?
>
> Thanks
>
> Munir
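The two objections in the replies above (George's "use dt nt!_EPROCESS instead of a copied header", and Don's "the structure changes and you have no coordination with the kernel") are both visible in a few lines of C. The block below is an added example, not code from the thread: it builds a LIST_ENTRY ring of constructed "thread" records in two made-up layouts standing in for two OS builds (they are not real ETHREAD/KTHREAD layouts, and the build numbers 6000/7600 are placeholders), then walks the ring with offsets taken from a per-build table rather than from a compiled-in struct, which is the same subtraction CONTAINING_RECORD performs. Walking with the wrong build's offsets either produces a pointer outside any object (the bugcheck in the original post) or, worse, silently reads padding and reports that no thread is alertable. It compiles and runs in user mode with any C compiler.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

typedef struct _LIST_ENTRY { struct _LIST_ENTRY *Flink, *Blink; } LIST_ENTRY;

/* Constructed stand-ins for a thread object on two OS builds (not real NT layouts);
 * they only reproduce the fact that ThreadListEntry and Alertable move between builds. */
typedef struct { uint32_t pad[4]; uint8_t Alertable; uint8_t pad2[7]; LIST_ENTRY ThreadListEntry; } ThreadBuildA;
typedef struct { uint32_t pad[8]; LIST_ENTRY ThreadListEntry; uint8_t pad2[8]; uint8_t Alertable; } ThreadBuildB;

/* Per-build offsets. A real driver fills this from `dt nt!_ETHREAD ThreadListEntry` and
 * `dt nt!_KTHREAD Alertable` for every build it supports, and refuses to walk anything
 * on a build that is not in the table. Build numbers here are placeholders. */
typedef struct { uint32_t build; size_t list_entry_off, alertable_off, record_size; } ThreadLayout;

static const ThreadLayout kLayouts[] = {
    { 6000, offsetof(ThreadBuildA, ThreadListEntry), offsetof(ThreadBuildA, Alertable), sizeof(ThreadBuildA) },
    { 7600, offsetof(ThreadBuildB, ThreadListEntry), offsetof(ThreadBuildB, Alertable), sizeof(ThreadBuildB) },
};

static const ThreadLayout *lookup_layout(uint32_t build)
{
    for (size_t i = 0; i < sizeof kLayouts / sizeof kLayouts[0]; i++)
        if (kLayouts[i].build == build) return &kLayouts[i];
    return NULL;   /* unknown build: do not guess */
}

enum { WALK_NOT_FOUND = -1, WALK_BAD_POINTER = -2, WALK_NO_LAYOUT = -3 };

/* Walk the ring at `head` with runtime offsets (the same arithmetic as CONTAINING_RECORD).
 * Returns the index in `arena` of the first record whose Alertable byte is set, or a
 * negative WALK_* code. The iteration bound and range check are the most a walker can
 * do: there is no lock a third-party driver can take to keep the real list stable. */
static int find_alertable(const LIST_ENTRY *head, const ThreadLayout *li,
                          const char *arena, size_t arena_size, size_t max_iter)
{
    if (li == NULL) return WALK_NO_LAYOUT;
    const LIST_ENTRY *e = head->Flink;
    for (size_t i = 0; e != head && i < max_iter; i++, e = e->Flink) {
        const char *rec = (const char *)e - li->list_entry_off;
        uintptr_t lo = (uintptr_t)arena, hi = lo + arena_size, p = (uintptr_t)rec;
        if (p < lo || p + li->record_size > hi)
            return WALK_BAD_POINTER;          /* in the kernel: the bugcheck */
        if (rec[li->alertable_off])
            return (int)((rec - arena) / li->record_size);
    }
    return WALK_NOT_FOUND;
}

static void insert_tail(LIST_ENTRY *head, LIST_ENTRY *entry)   /* InsertTailList */
{
    entry->Flink = head;
    entry->Blink = head->Blink;
    head->Blink->Flink = entry;
    head->Blink = entry;
}

/* Build a three-thread ring in the layout of `data_build` (thread 1 alertable on build A,
 * thread 2 on build B) and walk it with the offsets the caller believes are right. */
static int demo(uint32_t data_build, uint32_t assumed_build)
{
    static ThreadBuildA ta[3];
    static ThreadBuildB tb[3];
    LIST_ENTRY head = { &head, &head };
    const char *arena;
    size_t arena_size;

    memset(ta, 0, sizeof ta);
    memset(tb, 0, sizeof tb);
    if (data_build == 6000) {
        for (int i = 0; i < 3; i++) insert_tail(&head, &ta[i].ThreadListEntry);
        ta[1].Alertable = 1;
        arena = (const char *)ta; arena_size = sizeof ta;
    } else {
        for (int i = 0; i < 3; i++) insert_tail(&head, &tb[i].ThreadListEntry);
        tb[2].Alertable = 1;
        arena = (const char *)tb; arena_size = sizeof tb;
    }
    return find_alertable(&head, lookup_layout(assumed_build), arena, arena_size, 64);
}

int main(void)
{
    printf("build A data, build A offsets: %d\n", demo(6000, 6000)); /* 1 */
    printf("build B data, build B offsets: %d\n", demo(7600, 7600)); /* 2 */
    printf("build A data, build B offsets: %d\n", demo(6000, 7600)); /* -2: pointer outside any object */
    printf("build B data, build A offsets: %d\n", demo(7600, 6000)); /* -1: silently reads padding */
    printf("unknown build:                 %d\n", demo(7600, 9999)); /* -3 */
    return 0;
}
```

The per-build table is how products that insist on doing this survive in practice, and it is also why they break on every service pack: the table has to be refreshed from the debugger for each new build, and the driver must refuse to run on a build it has not seen. Note that even with correct offsets the walk is unsynchronized; the range check catches a torn list only when the bad pointer happens to leave the region you know about.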
> 2. AppInit_DLLs - I'm not sure if that would work in Win7
Try it.
> 3. The requirement of the project is to inject a DLL into Winlogon.exe - I learnt that using an APC I can
> do that; I need to find out an alertable thread within Winlogon.exe, and that's why I
Google for "logon notify packages", which are the documented way of injecting the component which will filter logons.
Filtering logons is all documented.
> but unfortunately when I start traversing the ThreadList, I get a BSOD
That's absolutely normal, since there are no product-grade reliable ways of doing this.
Do you want to write a product which will cause, say, 1 crash per 8,000 hours? In an organization with 1000 machines, you will have a crash per day, and your product will be to blame.
–
Maxim S. Shatskih
Windows DDK MVP
xxxxx@storagecraft.com
http://www.storagecraft.com