Hook SSDT

Hello,

I must write a driver which hooks the function “ZwTerminateProcess”, so that our archiving software cannot be closed (or only if certain conditions are met). Could someone explain to me how to hook the SSDT table? A small code example would be great.

greets

p.s.: Translated with Babel fish :stuck_out_tongue:

You can protect it in a better way than hooking.
How about implementing a small minifilter that enforces specific security for your exe file, so that only your main exe or your driver will have access to it.
The minifilter will intercept any create requests to your exe, and you will only let specific applications access your exe.

PS: I don’t think anyone here will give you a small example of how to hook the SSDT. Even with that, you cannot use hooking on x64, so why bother.

Hey,
thanks for your fast answer. So if it is not done with hooks, then I am open to any alternative. It should just be as clean a solution as possible. I trust you experts :-P. It is my first time in the kernel ;-)
Could you supply me with a little code?

Hmm, first time in the kernel…
First of all, be sure you understand at least the basics of the Windows OS internal architecture before stepping forward. The kernel is not as easy as you think and might not be your friend; as a beginner you can open security holes in the system very easily.
There are samples in the WDK under src\filesys\minifilter; you could start with the samples from there to see how a minifilter works, but I suggest reading a lot of documentation first.

I would suggest you search this list about hooking, since hooking is
discouraged here. What exactly is it that you want to do? You want to keep
your archiving software from being closed, is that it?

Gary G. Little
H (952) 223-1349
C (952) 454-4629
xxxxx@comcast.net

-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of xxxxx@gmx.de
Sent: Monday, July 26, 2010 6:15 AM
To: Windows System Software Devs Interest List
Subject: [ntdev] Hook SSDT

Hello,

I must write a driver which hooks the function “ZwTerminateProcess”, so that
our archiving software cannot be closed (or only if certain conditions are
met). Could someone explain to me how to hook the SSDT table? A small code
example would be great.

greets

p.s.: Translated with Babel fish :stuck_out_tongue:


NTDEV is sponsored by OSR

For our schedule of WDF, WDM, debugging and other seminars visit:
http://www.osr.com/seminars

To unsubscribe, visit the List Server section of OSR Online at
http://www.osronline.com/page.cfm?name=ListServer

Apparently yes, as I understand from the first post, but this actually does
not make a lot of sense, since archiving software should work on demand and
be terminated on demand by the user if it freezes working on huge data or if
you’re archiving some big content which you want to cancel.
I believe that there is more than an archiving software, or better yet it is
not an archiving software. I did hear about an archiving software having a
device driver for protection :-???
Anyway, I think you should post more about what exactly you are doing with
your software and whether it needs kernel intervention.

On Mon, Jul 26, 2010 at 5:24 PM, Gary G. Little wrote:

> I would suggest you search this list about hooking, since hooking is
> discouraged here. What exactly is it that you want to do? You want to keep
> you archiving software from being closed, is that it?
>
> Gary G. Little
> H (952) 223-1349
> C (952) 454-4629
> xxxxx@comcast.net
>
>
> -----Original Message-----
> From: xxxxx@lists.osr.com
> [mailto:xxxxx@lists.osr.com] On Behalf Of xxxxx@gmx.de
> Sent: Monday, July 26, 2010 6:15 AM
> To: Windows System Software Devs Interest List
> Subject: [ntdev] Hook SSDT
>
> Hello,
>
> I must write a driver which hooks the function “ZwTerminateProcess”, so that
> our archiving software cannot be closed (or only if certain conditions are
> met). Could someone explain to me how to hook the SSDT table? A small code
> example would be great.
>
> greets
>
> p.s.: Translated with Babel fish :stuck_out_tongue:

xxxxx@gmx.de wrote:

Hello,

I must write a driver which hooks the function “ZwTerminateProcess”, so that our archiving software cannot be closed (or only if certain conditions are met). Could someone explain to me how to hook the SSDT table? A small code example would be great.

My personal philosophy is that you think your software is a lot more
important than it really is.

The computer I’m using belongs to ME, not to YOU. If I want to
terminate your process, it is my right as a human being to do that,
regardless of whether you like it or not. If that trashes my archive,
then so be it. I asked for it.

Your code is not perfect. As long as it is not perfect, there are going
to be scenarios you could not possibly anticipate that will cause your
software to hang. In that case, I NEED to have the ability to kill your
software. Otherwise, I’m just going to pull the plug and then
immediately uninstall your software.

If I come across a computer running your software, and it has hooks that
prevent its process from being unloaded, I will most certainly be
recommending other products to my client.


Tim Roberts, xxxxx@probo.com
Providenza & Boekelheide, Inc.

Besides all the comments so far, you are missing a base problem with
your approach. If I have the right to terminate your program, I
probably have the right to modify it with the debugging commands, so I
can still terminate the program by corrupting the in memory executable.

If your goal is to protect against stupid errors, then using Windows
permissions will do a lot. If you really need more, make your archiving
program use a transactional model to know when a part of the archive is
started and when it is completed. If you are really paranoid, have the
archive program launch a program to monitor it so if it is terminated
the monitor restarts it. The archive program can track the monitor
program and restart if it is terminated.

Don Burn (MVP, Windows DKD)
Windows Filesystem and Driver Consulting
Website: http://www.windrvr.com
Blog: http://msmvps.com/blogs/WinDrvr

-----Original Message-----
From: xxxxx@gmx.de [mailto:xxxxx@gmx.de]
Posted At: Monday, July 26, 2010 7:15 AM
Posted To: ntdev
Conversation: Hook SSDT
Subject: Hook SSDT

Hello,

I must write a driver which hooks the function “ZwTerminateProcess”, so that
our archiving software cannot be closed (or only if certain conditions are
met). Could someone explain to me how to hook the SSDT table? A small code
example would be great.

greets

p.s.: Translated with Babel fish :stuck_out_tongue:

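As an added illustration of the watchdog pair Don Burn describes above (this is example code written for this page, not code from the thread or from any poster), the following Python script runs the archiver under a user-mode monitor that relaunches it after an unexpected exit, with a restart cap and back-off so a broken archiver cannot spin the monitor forever. It assumes the archiver signals an intentional stop with exit code 0, and it uses a constructed stand-in worker in place of the real archiving program; Python is used only as a portable stand-in for a user-mode monitor process, no driver is involved.

```python
"""Watchdog pair instead of a kernel hook: a user-mode monitor relaunches the
archiver when it is terminated unexpectedly.  Added example, not from the
thread; the workers below are constructed stand-ins for the real archiver."""
import os
import subprocess
import sys
import tempfile
import time

# Assumption: the archiver exits with 0 only when it (or the user) chose to
# stop.  Any other code (a TerminateProcess exit code, a crash, or a negative
# signal value on POSIX) is treated as an unexpected death worth a restart.
CLEAN_EXIT = 0


def supervise(cmd, max_restarts=3, backoff_s=0.05, timeout_s=30.0):
    """Run cmd and restart it after unexpected exits.

    Returns (restarts, last_returncode).  last_returncode is None only if the
    overall timeout expired while the worker was still running; the worker is
    then killed so the supervisor itself never hangs.
    """
    restarts = 0
    deadline = time.monotonic() + timeout_s
    while True:
        proc = subprocess.Popen(cmd)
        try:
            rc = proc.wait(timeout=max(0.0, deadline - time.monotonic()))
        except subprocess.TimeoutExpired:
            proc.kill()
            proc.wait()
            return restarts, None
        if rc == CLEAN_EXIT:
            return restarts, rc            # intentional stop: do not fight the user
        if restarts >= max_restarts:
            return restarts, rc            # give up instead of looping forever
        restarts += 1
        time.sleep(backoff_s * restarts)   # linear back-off between relaunches


def flaky_worker_cmd(marker_path):
    """Constructed stand-in for the archiver: dies with code 3 the first time
    it runs, then exits cleanly once the marker file exists (a job that
    completes after being restarted)."""
    code = (
        "import os, sys\n"
        f"p = {marker_path!r}\n"
        "if os.path.exists(p):\n"
        "    sys.exit(0)\n"
        "open(p, 'w').close()\n"
        "sys.exit(3)\n"
    )
    return [sys.executable, "-c", code]


def always_dying_cmd(code=3):
    """Constructed worker that never completes, to exercise the restart cap."""
    return [sys.executable, "-c", f"import sys; sys.exit({code})"]


def demo():
    """Run both scenarios: one restart then clean completion, and a capped
    series of restarts for a worker that keeps dying."""
    marker = os.path.join(tempfile.mkdtemp(), "ran_once")
    restarted_then_ok = supervise(flaky_worker_cmd(marker), max_restarts=3)
    capped = supervise(always_dying_cmd(), max_restarts=2)
    return restarted_then_ok, capped


if __name__ == "__main__":
    print(demo())   # prints ((1, 0), (2, 3))
```

The second half of Don Burn's pairing, the archiver watching the monitor and relaunching it, is the same loop with the roles swapped; the point of the design is that nothing prevents an administrator from ending either process, it only recovers from accidental termination.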

> Your code is not perfect. As long as it is not perfect, there are going to
> be scenarios you could not possibly anticipate that will cause your software
> to hang. In that case, I NEED to have the ability to kill your software.
> Otherwise, I’m just going to pull the plug and then immediately uninstall
> your software.

And if he can’t uninstall your software easily and obviously, that would be
considered a virus in some scenarios.

mm

-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of Tim Roberts
Sent: Monday, July 26, 2010 1:01 PM
To: Windows System Software Devs Interest List
Subject: Re: [ntdev] Hook SSDT

xxxxx@gmx.de wrote:

Hello,

I must write a driver which hooks the function “ZwTerminateProcess”, so that
our archiving software cannot be closed (or only if certain conditions are
met). Could someone explain to me how to hook the SSDT table? A small code
example would be great.

My personal philosophy is that you think your software is a lot more
important than it really is.

The computer I’m using belongs to ME, not to YOU. If I want to terminate
your process, it is my right as a human being to do that, regardless of
whether you like it or not. If that trashes my archive, then so be it. I
asked for it.

Your code is not perfect. As long as it is not perfect, there are going to
be scenarios you could not possibly anticipate that will cause your software
to hang. In that case, I NEED to have the ability to kill your software.
Otherwise, I’m just going to pull the plug and then immediately uninstall
your software.

If I come across a computer running your software, and it has hooks that
prevent its process from being unloaded, I will most certainly be
recommended other products to my client.


Tim Roberts, xxxxx@probo.com
Providenza & Boekelheide, Inc.


> I must write a driver which hooks the function “ZwTerminateProcess”, so that our
> archiving software cannot be closed (or only if certain conditions are met).

Please tell me the name of your archiving software, so I will never use it myself, and un-recommend to any people I know.

Sorry.

The software which does stupid things by enforcing its will on users (is it uncancellable?), and does this by hooking (and probably even unhooking later, providing a potential for crashes), is really evil.

Well, being uncancellable is enough to hold some distance between myself and such software.

SSDT hooking, BTW, is impossible on x64.


Maxim S. Shatskih
Windows DDK MVP
xxxxx@storagecraft.com
http://www.storagecraft.com

> And if he can’t uninstall your software easily and obviously, that would be
> considered a virus in some scenarios.

Most antivirus titles are such :slight_smile:

Kaspersky, who openly declared that his product cannot coexist with any other competitor’s product on the same machine, has a great knowledge base on how to really uninstall the popular antivirus titles - Trend Micro, Norton etc.

Modern Kaspersky’s products are trivially uninstalled.

Good product. It has an abysmal Linux-based bootable recovery disc though: no Promise SATA/SAS controller, no Ethernet on my laptop, no Dynamic Disk, no onboard Intel video, no fallback to VGA on unknown video chips, and the antivirus scanner there seems to lack multi-threading (say “top” in their Linux and enjoy) and thus works several times slower than the one in the installed Windows product.


Maxim S. Shatskih
Windows DDK MVP
xxxxx@storagecraft.com
http://www.storagecraft.com

> Kaspersky, who openly declared that his product _cannot coexist with any other competitor’s product
> on the same machine_, …

…somehow has a not-so-small customer base, and when it comes to interops, quite a few users choose Kaspersky AV rather than a “properly written” filter driver that fails solely because of KAV’s presence. I don’t really know what stands behind it, but that’s the way it is…

Anton Bassov

There are many anti-virus products available in the market which don’t
allow themselves to be uninstalled or killed…

In a way this is a positive feature, as many viruses try to kill the
antivirus software first and then spread their menace.
But this feature has its negative side also, as even the sysadmin of the
system can’t kill or uninstall the process/software even if it is behaving
erroneously.

On Tue, Jul 27, 2010 at 5:21 AM, wrote:

> > Kaspersky, who openly declared that his product cannot coexist with any
> > other competitor’s product on the same machine, …
>
>
> …somehow has a not-so-small customer base, and when it comes to interops,
> quite a few users choose Kaspersky AV rather than a “properly written”
> filter driver that fails solely because of KAV’s presence. I don’t really
> know what stands behind it, but that’s the way it is…
>
> Anton Bassov


Thanks
Anshul Makkar
www.justkernel.com
xxxxx@justkernel.com

> There are many anti-virus products available in the market which don’t
> allow themselves to be uninstalled or killed…
>
> In a way this is a positive feature, as many viruses try to kill the
> antivirus software first and then spread their menace.
> But this feature has its negative side also, as even the sysadmin of the
> system can’t kill or uninstall the process/software even if it is behaving
> erroneously.

The company I work for does computer repairs, both warranty and out of
warranty hardware repairs and software fixes for end users. It’s not
really my area of the business but I do get called in for particularly
tricky software problems and in at least 80% of those cases the problem
is caused directly by antivirus software, normally by installing
competing products together or by something going wrong during an
uninstallation. Seriously, most malware is simple to clean up in
comparison.

I’m not sure product advertising is allowed on this list, but Symantec
have a fantastic product called something like “Norton Removal Tool”
which completely uninstalls any version of their software from your
system. It’s my favourite product of theirs :slight_smile:

James