Is there a way for a driver to detect when and where code is being
generated on the fly? For example, a dll or driver may be generating some
run time code during the life of that process. Do some kernel APIs exist
or is there a way to track/trigger when this is happening in the system?
Thanks
Throwing out some ideas: For every loaded module, figure out where the
code sections are located in memory. For modules that you want to
monitor, hash the code sections every so often to detect changes. To
detect attempts to execute code outside the code sections, sample EIP at
a high rate. I can easily see this becoming computationally prohibitive,
but I don’t see an alternative. Certainly there is no way to protect
code from being modified using memory protection techniques, since an
attacker can always remap the physical pages.
David ‘T’ wrote:
Is there a way for a driver to detect when and where code is being
generated on the fly? For example, a dll or driver may be generating some
run time code during the life of that process. Do some kernel APIs exist
or is there a way to track/trigger when this is happening in the system?Thanks
–
Nick Ryan (MVP for DDK)
Impossible. The x86 machines are von-Neumann.
Some other machines have “execute allowed” PTE bit, which solves a huge lot of
problems including any buffer overruns.
Maxim Shatskih, Windows DDK MVP
StorageCraft Corporation
xxxxx@storagecraft.com
http://www.storagecraft.com
----- Original Message -----
From: “David ‘T’”
To: “Windows System Software Devs Interest List”
Sent: Saturday, September 27, 2003 1:21 AM
Subject: [ntdev] How to capture or detect when JIT code is generated
> Is there a way for a driver to detect when and where code is being
> generated on the fly? For example, a dll or driver may be generating some
> run time code during the life of that process. Do some kernel APIs exist
> or is there a way to track/trigger when this is happening in the system?
>
> Thanks
>
> —
> Questions? First check the Kernel Driver FAQ at
http://www.osronline.com/article.cfm?id=256
>
> You are currently subscribed to ntdev as: xxxxx@storagecraft.com
> To unsubscribe send a blank email to xxxxx@lists.osr.com
David,
This is an age old problem. If I understand corretly, you are only
interested of JIT type code !!!, if so then I hope you are talking about
.NET managed code !!!.
For .net managed code you can find lot of infos along this line, IIRC, they
create some kind of cab file ( for the IL) and often compressed ( it also
has sign, at the load time the authentication and verification goes on befor
it is loaded and mapped onto some execution space).
For JIT of JVM, it is somewhat similar, but I would not vouch for it, since
I dont remember seeing such …
For non-managed code it is an age old problem !!!
So what is available and somewhat known (not exhaustive KB though).
Theory::: To know if a code has foreign instructions (virus etc) is
Unsolvable - by Fred Cohen and others.
To know when a module is loaded is not unsolvable but need works. From
krnlside you can have a notification mechnism to know when a module is being
loaded.
To know if the module being loaded is trusted (under unmanaged domain of
codes) code prehashing and loadtime hashing to compare with is already
existing technology.
To avoid redundant checking for code hashing, meaning once a module is
authenticated and loaded, enumeration using PSAPI (formerly pedump ) is one
alternative.
But for sure, at runtime, if a code is selfmodifying or someonelese
overwrite a part of one module is not easy to find !!! Some heuristics
needed !!!
-prokash
----- Original Message -----
From: “David ‘T’”
To: “Windows System Software Devs Interest List”
Sent: Friday, September 26, 2003 2:21 PM
Subject: [ntdev] How to capture or detect when JIT code is generated
> Is there a way for a driver to detect when and where code is being
> generated on the fly? For example, a dll or driver may be generating some
> run time code during the life of that process. Do some kernel APIs exist
> or is there a way to track/trigger when this is happening in the system?
>
> Thanks
>
> —
> Questions? First check the Kernel Driver FAQ at
http://www.osronline.com/article.cfm?id=256
>
> You are currently subscribed to ntdev as: xxxxx@garlic.com
> To unsubscribe send a blank email to xxxxx@lists.osr.com
>
>