Help in Design - DLL injection from Kernel

Hi,

I am part of a new start-up in the security domain; my goal is to protect specific processes (generally speaking, all processes) by changing the process memory snapshot in a specific way (I can’t reveal how the snapshot will be changed, sorry).

I have two main issues: I need (1) to catch the process after it is created and loaded but before it runs -> all modules should already be loaded; (2) to execute my code, which should change the process memory snapshot before it starts to run.

My general idea was:

(1) A kernel driver that tracks the pscreateprocess routine, sees that this is one of my goal processes, registers the handle in my homemade list, and tracks the psloadimage routine only for the relevant process handles.

(2) When psloadimage sees ntdll, I find the address of LdrLoadDll (I can actually use kernel32 and find the address of the LoadLibraryEx function, which is documented),

(3) I register an APC that instructs the main thread to inject my DLL when the thread returns to user mode.

(4) In user mode, my DLL is injected by the APC and my DllMain function is executed -> there I do the magic.

Questions:

I have read a lot about different techniques for injecting DLLs, including from kernel mode; even in this forum I read criticism of APCs (since they are undocumented).
There is an additional option of hooking csrss, but this is also undocumented.
I am familiar with the user32 registry option, but I also need to support processes that do not use user32.
Additionally, I am forbidden to change the PE or the DLL files statically (everything must be at runtime).

Additionally, I am not sure that DLL injection is the best way to do it; what are the alternatives?

Generally speaking, I really want to create a generic framework that uses documented APIs and works for both 64-bit and 32-bit Windows; this framework will allow me to gradually develop more and more components that will work with the process memory snapshot.

CAN YOU RECOMMEND THE BEST DESIGN?

> CAN YOU RECOMMEND THE BEST DESIGN?

Best design is not to design “security” solutions. There are security policies in Windows, and access control lists on files and objects. Until you know you can do better, don’t go implementing hacks and kludges.

> Best design is not to design “security” solutions. There are security policies
> in Windows, and access control lists on files and objects. Until you know you
> can do better, don’t go implementing hacks and kludges.

I would not argue with you, but I do know better, and I am familiar with all the security policies, and our patented idea did win first place in one of the highest cyber security contests. So if you do not have an answer or recommendation based on what I asked, please try to be more politically correct when you write such things.

Again, I will not elaborate on what exactly my solution is, and I don’t ask how to protect processes; I ask only a specific question: what is the best and documented way to inject my code into a process after it is mapped to memory and before it starts to run, that’s all.

As Peter pointed out this could easily be a “multi-week consulting” job, so
part of the reason you may not get a lot of info is some of us make a living
by helping people do this stuff, and your questions are asking a whole lot
for free. As Mr Grigora indicated, this group sees a lot of “great ideas”
that show that the originator does not understand what Windows can do.

Now, personally I am wondering if you really have a clue because you state
your main issue as “catch the process after it is created and loaded but
before it runs -> all modules should be already loaded”. It might help if you
define that; between Delay-Loaded DLLs and LoadLibrary most of the
application can run before your condition as written is met.

Second, the thing that strikes me is your concentration on doing the DLL
injection in kernel mode. You are immediately dipping into a ton of
undocumented features because of this requirement. You might want to
explain why you cannot do the DLL injection in user mode, from a service
with one of the well documented and approved APIs.

Don Burn
Windows Filesystem and Driver Consulting
Website: http://www.windrvr.com

-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of xxxxx@gmail.com
Sent: Saturday, August 23, 2014 8:56 AM
To: Windows System Software Devs Interest List
Subject: [ntdev] Help in Design - DLL injection from Kernel



NTDEV is sponsored by OSR

Visit the list at: http://www.osronline.com/showlists.cfm?list=ntdev

OSR is HIRING!! See http://www.osr.com/careers

For our schedule of WDF, WDM, debugging and other seminars visit:
http://www.osr.com/seminars

To unsubscribe, visit the List Server section of OSR Online at
http://www.osronline.com/page.cfm?name=ListServer

What you’re asking for is quite often abused by “black hats” to create malware. Don’t expect “politically correct” replies to such inquiries because 1) your query is dangerous and 2) this is NOT a politically correct list. Having said that, I find the superiority of your “new idea” highly questionable if you are having trouble with the most basic part of it.

xxxxx@gmail.com wrote:

From: xxxxx@gmail.com
To: “Windows System Software Devs Interest List”
Subject: RE:[ntdev] Help in Design - DLL injection from Kernel
Date: Sat, 23 Aug 2014 10:47:15 -0400 (EDT)


Thanks, Don, for a well-constructed note; I’ll try to answer you.

(1) I want to do my stuff before the code (starting from the entry point) runs - this means also before any additional threads are created -> this also means that all the statically dependent DLLs have been loaded.

(2) As regards kernel mode, I am still trying to design the best solution. I really tend toward some user-mode solution, but the problem is that I do not see a documented user-mode solution that allows me to be notified when any new process is created and when all its modules are loaded. -> All the user-mode solutions I am familiar with are based on the fact that you know your process or at least your parent process (there, for example, you can hook CreateProcess); additional solutions are enumerating processes (the processes are already running), and csrss hooking is an option (but not documented, and I am not sure how it will work with existing AVs).

I also understand that consulting is your work, and I thought a few times before I decided to post a thread here, so really you can at least guide me to where I could find the solution by myself. I’ll appreciate any direction.

Gregory,

(1) I do understand that it can be abused, so I only ask for some direction.

(2) And this is not a part of the “new idea”; this is only a tool that will help me deliver my idea to the process. I can do it manually (by creating the process itself), but I do need to think of how to automate it.

On point #1 you have a problem once you go beyond the loading of the
executable (i.e. the first module load), since anything after that implies
trying to read the PE to know what the static DLLs are. You will know the
process in kernel mode and can pass that to user mode with an inverted call.

Don Burn
Windows Filesystem and Driver Consulting
Website: http://www.windrvr.com

-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of xxxxx@gmail.com
Sent: Saturday, August 23, 2014 11:27 AM
To: Windows System Software Devs Interest List
Subject: RE:[ntdev] Help in Design - DLL injection from Kernel


In the end it doesn’t really matter what option you choose - it’s a start-up.
Keep it in the front of your mind that the whole point of a start-up
is to demo something long enough that somebody with deep pockets will buy
you up without knowing or caring if the product you have produced is
sustainable or not. At that point you will be laid off and your product
will either be cancelled after an attempt to produce a version 3.0 under
the new ownership, or will be given to some nice .net developers, but you
won’t care either way since you will also be receiving a check.

I don’t think you need to ask this list how to do this. This falls in the
area of if you are clever enough to implement it, you are also clever
enough to figure out how all other existing security products do this and
choose the best option for yourself.

t.

On Sat, Aug 23, 2014 at 8:30 AM, wrote:

Don,

Thanks for the direction; it was helpful. The inverted call looks like a good direction; I will read more about it. Currently I am only afraid that by the time the notification reaches user mode, the process could already have started running (and this will then be a problem). I will not continue with additional questions before I check by myself how the synchronization will work.

BIG THANKS.

Tracy,

People are already interested in a proof of concept, and I am interested in not making any mistakes from the start.

But you are right, the most important thing is that it will work.

Thanks for your help guys and girls.

> Again i will not elaborate on what exactly my solution is

If it’s a patented idea, it’s known to the public already, and you could at least refer us to the patent #

Can you explain what you mean by “process memory snapshot” ?

Is it what we usually call the process’s address space ?

So just to echo a few things. 1) going undocumented is wrong. 2) you are
asking for a lot (this particular problem took me a few months to get it
right and *stable* to play nicely with the OS). 3) memory opcode
modification has plenty of prior art so I’m highly suspicious of the validity
of the patent. (trust me I know, refer to point #2) 4) advertising an
“unbreakable security layer” is only destined to make you look bad when it’s broken.

For everyone else,
http://in.bgu.ac.il/en/Pages/news/jvp_award.aspx
http://www.globes.co.il/en/article-cyber-co-titanium-core-wins-1m-jvp-prize-1000920743

On Sat, Aug 23, 2014 at 3:16 PM, wrote:

> I am part of a new start-up in a security domain, my goal is to protect specific processes
> ( generally speaking all processes ) by changing the process memory snapshot in a specific way
> ( i can’t reveal how the snapshot will be changed, sorry).

This is simply a silly requirement…

What you are trying to do is basically introducing the concepts of jails/zones (i.e. light-weight process virtualization mechanisms, as they are known under FreeBSD and Solaris respectively) to Windows. However, the Windows security model is based upon the notion of users and access rights. All processes that run under the same user account may open handles to one another with ALL_ACCESS rights. Therefore, any process that runs under the same user account may open a handle to your process and modify its address space in any way it wishes, including screwing up all your modifications. You may or may not like it, but this is how Windows works - there is nothing you can do about it without subverting the kernel…

Anton Bassov

On 8/24/2014 4:39 AM, xxxxx@hotmail.com wrote:

One quick comment on the above, it is actually quite easy to control the
specific scenario you mention above by registering callbacks with the
Object Mgr via ObRegisterCallbacks(). You can easily prevent one process
from opening another process and having it modify the process address space.

But I think this is getting off topic …

Pete


Kernel Drivers
Windows File System and Device Driver Consulting
www.KernelDrivers.com
866.263.9295
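As an added illustration of Pete's point (example code written for this page, not from the thread or from any driver Pete or OSR ship): the decision logic of an ObRegisterCallbacks pre-operation callback for process handles, modeled in host-compilable C with the real winnt.h access-right values so the policy can be unit-tested outside a driver. The registration boilerplate (OB_OPERATION_REGISTRATION with ObjectType = PsProcessType, the OB_CALLBACK_REGISTRATION altitude, the driver signing requirement) is left out; handle_request_t, granted_access, sample_is_protected and the PIDs used are constructed for the example.

```c
#include <stdint.h>
#include <stdbool.h>
#include <stdio.h>

/* Real process access-right values from winnt.h in the Windows SDK. */
#define PROCESS_TERMINATE         0x0001u
#define PROCESS_CREATE_THREAD     0x0002u
#define PROCESS_VM_OPERATION      0x0008u
#define PROCESS_VM_READ           0x0010u
#define PROCESS_VM_WRITE          0x0020u
#define PROCESS_DUP_HANDLE        0x0040u
#define PROCESS_SET_INFORMATION   0x0200u
#define PROCESS_QUERY_INFORMATION 0x0400u
#define PROCESS_SUSPEND_RESUME    0x0800u

/* Rights that let the handle holder alter the target's address space or
 * execution; these are the bits the callback clears for protected targets.
 * Read/query rights are deliberately left alone so monitoring tools work. */
#define TAMPER_RIGHTS (PROCESS_TERMINATE | PROCESS_CREATE_THREAD |      \
                       PROCESS_VM_OPERATION | PROCESS_VM_WRITE |        \
                       PROCESS_DUP_HANDLE | PROCESS_SET_INFORMATION |   \
                       PROCESS_SUSPEND_RESUME)

/* Constructed host-side model of what the pre-op callback sees. In a driver
 * these come from OB_PRE_OPERATION_INFORMATION: Object, KernelHandle, and
 * Parameters->CreateHandleInformation.DesiredAccess (OB_OPERATION_HANDLE_CREATE)
 * or Parameters->DuplicateHandleInformation.DesiredAccess (..._DUPLICATE). */
typedef struct {
    uint32_t target_pid;     /* PID of the process object being opened */
    uint32_t requester_pid;  /* PsGetCurrentProcessId() of the opener */
    bool     kernel_handle;  /* OB_PRE_OPERATION_INFORMATION.KernelHandle */
    uint32_t desired_access; /* DesiredAccess as requested, before filtering */
} handle_request_t;

typedef bool (*protected_fn)(uint32_t pid);

/* Returns the mask the callback would write back into DesiredAccess. The
 * three early returns are cases a real callback must not filter, or it
 * breaks the system instead of stopping tampering. */
uint32_t filter_process_access(const handle_request_t *req, protected_fn is_protected)
{
    if (req->kernel_handle)                    return req->desired_access; /* drivers, OS */
    if (req->requester_pid == req->target_pid) return req->desired_access; /* self-open */
    if (!is_protected(req->target_pid))        return req->desired_access; /* not ours */
    return req->desired_access & ~TAMPER_RIGHTS;
}

/* Constructed sample policy: only PID 1234 is protected. */
bool sample_is_protected(uint32_t pid) { return pid == 1234; }

/* Convenience wrapper so a single call exercises the whole decision. */
uint32_t granted_access(uint32_t target, uint32_t requester, bool kernel, uint32_t access)
{
    handle_request_t req = { target, requester, kernel, access };
    return filter_process_access(&req, sample_is_protected);
}

int main(void)
{
    uint32_t asked = PROCESS_QUERY_INFORMATION | PROCESS_VM_READ | PROCESS_VM_WRITE | PROCESS_VM_OPERATION;
    printf("requested 0x%04x, granted 0x%04x\n", asked, granted_access(1234, 5678, false, asked));
    return 0;
}
```

Note the trade-off the self-open and kernel-handle exemptions encode: a legitimate debugger opening the protected process from user mode is filtered exactly like a hostile one, so the policy needs an explicit allow list for tooling before it is deployed.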

> One quick comment on the above, it is actually quite easy to control the specific scenario
> you mention above by registering callbacks with the Object Mgr via ObRegisterCallbacks().

It looks like my knowledge of Windows becomes more and more outdated…

Probably, it is the right time for me to stop posting here…

Anton Bassov

> I have two main issues, i need (1) catch the process after it is created and loaded but before it runs -
> all modules should be already loaded.

This means that Thread 0 has already executed the APC of ntdll!LdrInitializeThunk (or whatever it is called in modern Windows?), but has not returned to the EXE entry point yet.

It is ntdll!LdrInitializeThunk that loads the imported dependency DLLs.

So, probably a user APC to the thread is a solution.


Maxim S. Shatskih
Microsoft MVP on File System And Storage
xxxxx@storagecraft.com
http://www.storagecraft.com

> do ask only specific question , of what is the best and documented way to inject my code in a
> process after it is mapped to memory and before it starts to run, that’s all

Filter the paging reads on binaries to substitute your own data instead of the header :) patch the image entry point address this way :)

Virus writers will be glad on this thread.


Maxim S. Shatskih
Microsoft MVP on File System And Storage
xxxxx@storagecraft.com
http://www.storagecraft.com