Hook ZwCreateRemoteThread

Hi guys,

I want to hook ZwCreateRemoteThread. I searched and found that I need to hook
ZwCreateThread. I am not getting how exactly I should proceed.

Can anyone tell me how to hook ZwCreateRemoteThread?

Any explanation will be helpful for my knowledge…

Thanks in advance…

What are you really trying to do? First, hooking is considered incredibly
bad practice, and will not work on 64-bit systems, so you are in trouble to
start with. Second, at least on older systems (i.e. pre-Vista) AFAIK there
is no ZwCreateRemoteThread so you can’t hook what is not there.

So tell us what you are attempting to do?


Don Burn (MVP, Windows DKD)
Windows Filesystem and Driver Consulting
Website: http://www.windrvr.com
Blog: http://msmvps.com/blogs/WinDrvr


Information from ESET NOD32 Antivirus, version of virus signature database 5366 (20100814)

The message was checked by ESET NOD32 Antivirus.

http://www.eset.com

ZwXXX functions are system services, which are listed in the SSDT table. Based on the index of the hooked function in the SSDT, you can easily get an entry for the service. Change the function address stored in the entry and set your own function address.


NTFSD is sponsored by OSR
For our schedule of debugging and file system seminars
(including our new fs mini-filter seminar) visit:
http://www.osr.com/seminars
To unsubscribe, visit the List Server section of OSR Online at http://www.osronline.com/page.cfm?name=ListServer

Of course when you do what you suggest, on a 64-bit system PatchGuard will
stop you. On a 32-bit system you have to worry about the fact that the
table indices have changed at times. And for all systems you have to
realize that most anti-virus programs will tag your driver as a virus and
work diligently to eliminate it.

Hooking is only something that should be used as a last resort, by
developers who really know what they are doing. Most of the hooking
implementations are crap and open security holes in systems.


Don Burn (MVP, Windows DKD)
Windows Filesystem and Driver Consulting
Website: http://www.windrvr.com
Blog: http://msmvps.com/blogs/WinDrvr


And as Don said earlier, there may be a way to accomplish what you want
without hooking, but that will be hard to determine until you tell us what
you want to do.

mm


I just gave the approach the guy wanted.
Of course, Don, you are right :). So, guys, you must answer the question: what are you attempting to do? And maybe you can get a better approach.


> ZwXXX functions are system services, which are listed in the SSDT table

Zw functions are kernel-mode exported functions to access system services. I think you meant the Nt API? It’s not Zw addresses inside the SSDT, it’s the Nt APIs instead.

@Don

> AFAIK there is no ZwCreateRemoteThread so you can’t hook what is not there.
So do we have this API exported now on Vista+? I am curious, as I checked my ntoskrnl (Win7) exports and did not find it exported.

Also, considering NtCreateThread takes an hProcess parameter, it is sufficient to create a thread in any process address space; why at all is a separate API required for duplicate functionality?

I always thought CreateRemoteThread is a Win32-specific function.

Aditya

P.S.: looks suitable for ntdev
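As an added example (written for this page, not code from the thread or its participants), here is the check Aditya describes done without a debugger: a PowerShell function that walks an on-disk PE image's export directory and lists its export names, then filters ntoskrnl.exe for thread-creation services. The function name Get-PeExportNames and the ntoskrnl.exe path are this example's own choices; the header offsets are those of the PE format. The script makes no assumption about which names a given Windows build exports, so the output is the answer, not the expectation.

```powershell
# Added example, not code from the thread: enumerate the export names of a PE image
# by walking its export directory. Works on the on-disk file, so no debugger is needed.
# Assumptions: Get-PeExportNames and the ntoskrnl.exe path below are this example's own.

function Get-PeExportNames {
    param([Parameter(Mandatory)][string]$Path)

    $b = [System.IO.File]::ReadAllBytes($Path)
    if ($b.Length -lt 0x40 -or $b[0] -ne 0x4D -or $b[1] -ne 0x5A) { throw "$Path is not an MZ image" }
    $pe = [BitConverter]::ToInt32($b, 0x3C)                        # IMAGE_DOS_HEADER.e_lfanew
    if ([BitConverter]::ToUInt32($b, $pe) -ne 0x00004550) { throw "$Path has no PE signature" }

    $fileHdr = $pe + 4                                             # IMAGE_FILE_HEADER
    $nSect   = [BitConverter]::ToUInt16($b, $fileHdr + 2)          # NumberOfSections
    $optSize = [BitConverter]::ToUInt16($b, $fileHdr + 16)         # SizeOfOptionalHeader
    $optHdr  = $fileHdr + 20                                       # IMAGE_OPTIONAL_HEADER
    $magic   = [BitConverter]::ToUInt16($b, $optHdr)
    # DataDirectory[0] (export table) sits at +0x60 in PE32 and +0x70 in PE32+.
    $ddOffset = switch ($magic) {
        0x10B   { 0x60 }
        0x20B   { 0x70 }
        default { throw ("unknown optional header magic 0x{0:X}" -f $magic) }
    }
    $expRva  = [BitConverter]::ToUInt32($b, $optHdr + $ddOffset)
    $expSize = [BitConverter]::ToUInt32($b, $optHdr + $ddOffset + 4)
    if ($expRva -eq 0 -or $expSize -eq 0) { return @() }

    # Section table, needed to map RVAs in the export directory to file offsets.
    $sections = for ($i = 0; $i -lt $nSect; $i++) {
        $s = $optHdr + $optSize + 40 * $i
        [pscustomobject]@{
            VirtualAddress   = [BitConverter]::ToUInt32($b, $s + 12)
            SizeOfRawData    = [BitConverter]::ToUInt32($b, $s + 16)
            PointerToRawData = [BitConverter]::ToUInt32($b, $s + 20)
        }
    }
    $rvaToOffset = {
        param([uint32]$rva)
        foreach ($s in $sections) {
            if ($rva -ge $s.VirtualAddress -and $rva -lt ($s.VirtualAddress + $s.SizeOfRawData)) {
                return [int]($rva - $s.VirtualAddress + $s.PointerToRawData)
            }
        }
        throw ("RVA 0x{0:X} is not backed by any section" -f $rva)
    }

    $exp    = & $rvaToOffset $expRva                               # IMAGE_EXPORT_DIRECTORY
    $nNames = [BitConverter]::ToUInt32($b, $exp + 0x18)            # NumberOfNames
    $names  = & $rvaToOffset ([BitConverter]::ToUInt32($b, $exp + 0x20))   # AddressOfNames
    for ($i = 0; $i -lt $nNames; $i++) {
        $p   = & $rvaToOffset ([BitConverter]::ToUInt32($b, $names + 4 * $i))
        $end = [Array]::IndexOf($b, [byte]0, $p)                   # names are NUL-terminated ASCII
        [System.Text.Encoding]::ASCII.GetString($b, $p, $end - $p)
    }
}

# Which thread-creation services does this kernel image actually export?
$kernel = Join-Path $env:SystemRoot 'System32\ntoskrnl.exe'
Get-PeExportNames $kernel | Where-Object { $_ -match 'CreateThread|CreateRemoteThread' } | Sort-Object
```

Run it against ntdll.dll as well to compare the user-mode stubs with what the kernel image exports; a name absent from the kernel's export table is not something a driver can import and hook by address, which is Don's "you can't hook what is not there" made checkable. The parser resolves RVAs through the section table rather than assuming the file is mapped, so it works on any PE32 or PE32+ file, including ones from another machine or another Windows version.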

I want to deny the process if one process is creating a remote thread in another process and trying to inject a DLL into the other thread.
So if I hook ZwCreateThread, then its 4th parameter is the process handle; if the process handle is of my process, then I will deny it and not allow the thread to be created.
Is my approach for anyone injecting a DLL into my process right?

I want to block DLL injection. So if I hook ZwCreateThread, is it possible I will control CreateRemoteThread too?

Your approach is totally wrong here and you start at the wrong end of the
rope.
You know that Microsoft supports the PE (portable executable) format and you
can map a file, an executable that is, and modify its executing behaviour
without calling CreateRemoteThread.
Even if that malware is trying the create-remote-thread technique, you
are not doing much to stop it by hooking this service.

I believe what you want to do is not allow another thread to open a handle or
to create an executive process object to your protected process. In other
words, the object manager should not allow a certain access mask to be
applied to the process objects that point to your process. I would suggest
you look up the ObCallbacks in this case.

You should also consider the SetWindowsHooks function, which can also be used
for code injection. How do you stop that from corrupting your process?
(of course, if your process has any graphical interface whatsoever). But
if it did, how would you block SetWindowsHooks from loading a DLL in
your process?

I believe SetWindowsHooks is using the KeAttachProcess function to attach to
the target process address space and place the injected code there, not
using handles at all. I am not sure though…

On Wed, Aug 18, 2010 at 8:54 AM, wrote:

> I want to block DLL injection. So if I hook ZwCreateThread, is it
> possible I will control CreateRemoteThread too?

> I believe SetWindowsHooks is using the KeAttachProcess function to attach to the target process

No for sure. SetWindowsHooks uses an internal WM_xxx message. It can only inject something in a process with a message loop.


Maxim S. Shatskih
Windows DDK MVP
xxxxx@storagecraft.com
http://www.storagecraft.com

> I want to deny the process if one process is creating a remote thread in another process and trying to inject a DLL into the other thread.

Then block the OpenProcess call by assigning a proper ACL to the process object, tighter than Windows assigns itself.

No hackery needed.

Also note that Ctrl-C in Windows command prompt is implemented using thread injection (not DLL injection though).


Maxim S. Shatskih
Windows DDK MVP
xxxxx@storagecraft.com
http://www.storagecraft.com
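As an added example (this page's, not Maxim's or the list's code), here is what "assign a proper ACL to the process object" looks like when a process does it to its own object, in PowerShell with a small P/Invoke wrapper: it reads the current DACL, prepends an access-denied ACE for Everyone covering the rights the CreateRemoteThread recipe needs, writes it back with SetKernelObjectSecurity, and checks the result by calling OpenProcess on its own PID before and after. The ProcessAcl wrapper class, the function names and the set of rights in $InjectMask are this example's own assumptions; the Win32 functions and the .NET RawSecurityDescriptor and CommonAce types are real.

```powershell
# Added example, not code from the thread: tighten the DACL of this process's own
# process object so that OpenProcess() asking for the rights a remote-thread
# injector needs fails with ERROR_ACCESS_DENIED (5), then check it.
# Assumptions: Windows, PowerShell 5.1 or 7; the ProcessAcl wrapper, the function
# names and the rights chosen in $InjectMask are this example's own.

Add-Type -TypeDefinition @'
using System;
using System.Runtime.InteropServices;

public static class ProcessAcl
{
    public const uint DACL_SECURITY_INFORMATION = 0x00000004;

    [DllImport("kernel32.dll")]
    public static extern IntPtr GetCurrentProcess();

    [DllImport("kernel32.dll", SetLastError = true)]
    public static extern IntPtr OpenProcess(uint desiredAccess, bool inheritHandle, int processId);

    [DllImport("kernel32.dll", SetLastError = true)]
    public static extern bool CloseHandle(IntPtr handle);

    [DllImport("advapi32.dll", SetLastError = true)]
    public static extern bool GetKernelObjectSecurity(IntPtr handle, uint requestedInformation,
        byte[] securityDescriptor, uint length, out uint lengthNeeded);

    [DllImport("advapi32.dll", SetLastError = true)]
    public static extern bool SetKernelObjectSecurity(IntPtr handle, uint securityInformation,
        byte[] securityDescriptor);
}
'@

# PROCESS_CREATE_THREAD | PROCESS_VM_OPERATION | PROCESS_VM_WRITE: what the
# VirtualAllocEx / WriteProcessMemory / CreateRemoteThread recipe has to ask for.
$InjectMask = 0x0002 -bor 0x0008 -bor 0x0020

function Get-CurrentProcessSecurity {
    # The pseudo-handle always carries full access to our own process, so reading the
    # security descriptor through it cannot be blocked by the DACL we are about to set.
    $h = [ProcessAcl]::GetCurrentProcess()
    $needed = [uint32]0
    [void][ProcessAcl]::GetKernelObjectSecurity($h, [ProcessAcl]::DACL_SECURITY_INFORMATION, $null, 0, [ref]$needed)
    $buf = [byte[]]::new($needed)
    if (-not [ProcessAcl]::GetKernelObjectSecurity($h, [ProcessAcl]::DACL_SECURITY_INFORMATION, $buf, $needed, [ref]$needed)) {
        throw "GetKernelObjectSecurity failed, Win32 error $([Runtime.InteropServices.Marshal]::GetLastWin32Error())"
    }
    [System.Security.AccessControl.RawSecurityDescriptor]::new($buf, 0)
}

function Protect-CurrentProcess {
    $sd = Get-CurrentProcessSecurity
    if ($null -eq $sd.DiscretionaryAcl) {
        # A missing DACL means "everyone, everything"; start an empty one and flag it present.
        $sd.DiscretionaryAcl = [System.Security.AccessControl.RawAcl]::new(2, 1)
        $sd.SetFlags($sd.ControlFlags -bor [System.Security.AccessControl.ControlFlags]::DiscretionaryAclPresent)
    }
    $everyone = [System.Security.Principal.SecurityIdentifier]::new(
        [System.Security.Principal.WellKnownSidType]::WorldSid, $null)
    $deny = [System.Security.AccessControl.CommonAce]::new(
        [System.Security.AccessControl.AceFlags]::None,
        [System.Security.AccessControl.AceQualifier]::AccessDenied,
        $InjectMask, $everyone, $false, $null)
    # The access check walks the DACL in order and stops at the first decisive ACE,
    # so the deny has to sit in front of the allow ACEs Windows put there.
    $sd.DiscretionaryAcl.InsertAce(0, $deny)

    $bytes = [byte[]]::new($sd.BinaryLength)
    $sd.GetBinaryForm($bytes, 0)
    if (-not [ProcessAcl]::SetKernelObjectSecurity([ProcessAcl]::GetCurrentProcess(),
                                                   [ProcessAcl]::DACL_SECURITY_INFORMATION, $bytes)) {
        throw "SetKernelObjectSecurity failed, Win32 error $([Runtime.InteropServices.Marshal]::GetLastWin32Error())"
    }
}

function Test-InjectAccess {
    # Opening ourselves by PID goes through the normal access check, unlike the pseudo-handle.
    $h = [ProcessAcl]::OpenProcess($InjectMask, $false, $PID)
    if ($h -eq [IntPtr]::Zero) {
        return [Runtime.InteropServices.Marshal]::GetLastWin32Error()   # 5 = ERROR_ACCESS_DENIED
    }
    [void][ProcessAcl]::CloseHandle($h)
    return 0
}

"Before: OpenProcess(inject rights) on PID $PID -> Win32 error {0}" -f (Test-InjectAccess)
Protect-CurrentProcess
"After:  OpenProcess(inject rights) on PID $PID -> Win32 error {0}" -f (Test-InjectAccess)
```

Expected output is error 0 before and 5 (ERROR_ACCESS_DENIED) after. Three caveats, the first being Maxim's point: the object's owner implicitly keeps READ_CONTROL and WRITE_DAC, so any code running as the same user can simply put the original DACL back, and a token with SeDebugPrivilege enabled (a debugger, or an administrator who enables it) passes the check regardless of the DACL. Windows evaluates access at open time, so handles opened before the change keep whatever rights they were granted; apply this as early in process startup as possible. And it does nothing against SetWindowsHookEx-style injection, which never opens a handle to the target from the injector's side.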

> No for sure. SetWindowsHooks uses an internal WM_xxx message. It can only inject something in a process with a message loop.

I know I once looked up the NtUserSetWindowsHookEx disassembly with WinDbg and I saw KeAttachProcess, and not OpenProcess or other related, which is why I presumed this.

> I know I once looked up the NtUserSetWindowsHookEx disassembly with WinDbg and I saw KeAttachProcess

This is probably the internals of WM_xxx delivery.

The hooker DLL load in the target process is surely done in the WM_xxx handler of some internal message code, I saw this in the debugger.


Maxim S. Shatskih
Windows DDK MVP
xxxxx@storagecraft.com
http://www.storagecraft.com

So without hooking, if you have a GUI application, how can you not allow an
application to run code, if no OpenProcess occurs, and
win32k!NtUserSetWindowsHookEx uses the WM_XX technique and KeAttach?


You can also in some cases just mess with import resolution order.

mm


As usual, you cannot reliably protect against an administrator, or against code running in the same security context as yours.


Maxim S. Shatskih
Windows DDK MVP
xxxxx@storagecraft.com
http://www.storagecraft.com
