filemon

well that is *cheating* :) :) I asked for a way to do it without a driver :) :) :)

Hello,

I’m interested in IAT patching using PsSetLoadImageNotifyRoutine:
I’ve tried to write to the base address of the executable’s image, but I can’t.
Is it read only? Or do I have to do something in order to obtain write access permission?
Or do I have to call some function that gives me a memory pointer (Mdl & co)?
Thanks

-----Original Message-----
From: xxxxx@lists.osr.com [mailto:xxxxx@lists.osr.com] On Behalf Of Faraz Ahmed
Sent: Friday 23 December 2005 11.25
To: Windows File Systems Devs Interest List
Subject: Re:[ntfsd] filemon

Yes, that’s right;
don’t hook; if you just want to monitor a single process
then you can just patch its import table :).

Use the following functions.

PsSetLoadImageNotifyRoutine
In the callback
patch the needed functions like ZwCreateFile etc.

AFAIK the code to do this is available somewhere.

Hope it helps

Regards
Faraz.

On 12/23/05, Bedanto wrote:
> HI all,
>
> almost all of us know about filemon. I have a question, is it not possible
> to replicate this tool without an FSFD? If I need to display file names
> being opened, closed, deleted etc, is there no other way of achieving this?
>
> Bedanto
>
> —
> Questions? First check the IFS FAQ at
> https://www.osronline.com/article.cfm?id=17
>
> You are currently subscribed to ntfsd as: unknown lmsubst tag argument: ‘’
> To unsubscribe send a blank email to xxxxx@lists.osr.com
>


Use VirtualProtectEx, VirtualLock and WriteProcessMemory; in kernel the
functions are not documented (ZwProtectVirtualMemory, ZwLockVirtualMemory
and ZwWriteProcessMemory). For samples there is the Microsoft Detours
package, Jeffrey Richter’s book, Matt Pietrek’s articles in MSJ and many
others. Once the Detours package was part of the Platform SDK, but they
withdrew it immediately and now you have to contact them privately to
discuss the licensing terms.

/Daniel


Thanks Daniel. Now I’m able to write to a process’s memory image, but do you know if PsSetLoadImageNotifyRoutine is synchronous or not?
In my driver (a minifilter):

  1. I trap the loading of an exe image
  2. I notify a service that an exe is being loaded at base address x
  3. if necessary, the service patches the memory image in order to load some dll.
  4. when the service has finished, it returns a code to the minifilter driver (the PsSetLoadImageNotifyRoutine callback routine is waiting for a response from the service)

If PsSetLoadImageNotifyRoutine is synchronous, then if I don’t send the response to the driver, the new app should be in a suspended state, but the app starts normally even if the service doesn’t send the response.

My project is to get a dll injection system based on a device driver and for all apps (the reg key method is valid only for user32.dll dependent modules, and so it doesn’t work for old DOS apps or some console apps)


Yes, this is called synchronously. I suggest you give your service a
reasonable amount of time to respond.

/Daniel
