How to hook IoCompleteRequest

> "You have referred to absolutely all MVPs in derogatory terms, based solely upon the fact
> that they hold MVP status. Furthermore, if you read this NG on regular basis,
> you would have noticed that some MVPs t

The above is a quotation of my own post on another thread that does not apply here whatsoever - unlike you, I don’t refer in derogatory terms to anyone, apart from some certain (ex) SDK MVP who implemented an advanced technique without even understanding how it actually works, effectively introducing a bug into his product…

What you are basically saying is that MVPs are not honest and do not speak the truth.

And the above is just the result of your ill imagination - after all, everyone understands things the way he wants them to be understood. In actuality, the only thing I say here is that MVPs have to be careful with what they say in public, especially if they happen to be in Peter’s position, which is perfectly understandable - after all, it is obvious that some “not-so-conventional” scheme that gets implemented by Mr. Viscarola or Mr. Divine is going to produce results that are very different from the ones produced by the same scheme implemented by Mr. Terhell or Mr. Xu. Therefore, MVPs would not advise Mr. Terhell or Mr. Xu to do anything “not-so-conventional” - Peter would tell them to forget the whole thing without providing any further explanations; Don and Mark would make respectively curmudgeonly and ironical posts; and Thomas and Tim would explain to them that they just haven’t got the knowledge that is required for implementing such a scheme successfully…

However, you seem to understand things differently, which is hardly surprising, especially taking into account your post on another thread…

Anton Bassov

You are turning around the facts. Unlike you, without talking about anyone
in particular I have only said that generally the value of their status has
tarnished somewhat, which provoked all that anger from you. Then it is
surprising in the least that a few days later you say that all MVPs cannot
speak the truth because of their status.

/Daniel

wrote in message news:xxxxx@ntdev…
>> “You have referred to absolutely all MVPs in derogatory terms, based
>> solely upon the fact
>> that they hold MVP status.”
>
> The above is quotation of my own post on another thread that does not
> apply here whatsoever - unlike you, I don’t refer in derogatory terms to
> anyone
> …
>He cannot really afford to express his true opinion due to his position and
>reputation" (actually, this is true for all MVPs)
> Anton Bassov
>

Who is missing here in this story is you. Unlike you, I am not
grabbing bits and pieces of old hooking samples from Russinovich et al and
posting those things as mine, admittedly containing bugs and for concept
only. Instead I am releasing software to actually allow you to test these
things so you can see if you did proper usermode parameter validation
checking and find multithreading issues such as those discussed in this
thread.

/Daniel

wrote in message news:xxxxx@ntdev…
Therefore, MVPs would not advise Mr.Terhell. …to do anything
“not-so-conventional” … and Thomas and Tim would explain to them that they
just haven’t got the knowledge that is required for implementing such scheme
successfully.

> Who is missing here in this story is you.

What about me???

Unlike you, I am not grabbing bits and pieces of old hooking samples from
Russinovich et al and posting those things as mine,

Actually, I have never seen Russinovich’s samples - at the time he wrote about SSDT hooking (i.e. 1997) I was learning VBA, so that I would not have had a chance to understand anything even if I was told about Sysinternals, and by the time I learned about Sysinternals they were long gone. Therefore, I heard about them only from third-party sources (BTW, I learned about the concept of SSDT hooking from rootkit.com). When it comes to IAT hooking, it was introduced to the Windows community not by Russinovich but by Pietrek. Concerning direct hooking with INT1/INT3, this is 100% my own “know-how”. Concerning entering the kernel without a driver, the idea of using a call gate is, again, Pietrek’s, rather than Russinovich’s, and the trick with locating a page directory from user mode is, again, 100% my own “know-how” that is based purely on disassembling MmGetPhysicalAddress() and figuring out how it works…

Instead I am releasing software to actually allow you to test these things

Now I see where the suggestion about Russinovich’s samples is rooted. I checked your website,
and all tools (apart from RootkitRevealer - more on it below) that are listed there look pretty
much like the ones that were available from Sysinternals.

Concerning RootkitRevealer … sorry, but it is really pathetic - it can get fooled simply by putting
the address of a buffer with a JMP instruction into the SSDT. If a rootkit takes the above approach, your “revealer” in its current implementation will have no chance to “name and shame” it - the maximal thing it can do is to tell you that the SSDT is hooked (I assume the target rootkit is very simplistic so that it does not try to hide itself properly).

In general, I came to the conclusion that detecting the presence of a well-written rootkit from within the OS is a plainly infeasible task. A rootkit can infect a boot sector and get loaded before the OS. At this point it can do whatever it likes - it can put itself into memory that the OS is just unaware of (it will hook real-mode INT 0x15 and make the OS believe that a given physical range is absent/reserved by BIOS - it will modify the physical memory map when the OS queries it); the *actual* IDT and GDT may be made different from the ones that the OS loads with LIDT and LSGT; ntoskrnl.exe’s code may get modified when it gets loaded into RAM; etc., etc., etc. The only possible way to detect a rootkit like that is to extract the hard disk, insert it as a second disk into another machine, and read the boot sector (reading the boot sector on the target machine itself after it gets booted will not reveal the rootkit, because it will take care of that).

All the above can be done even on the system that does not support VT, and introduction of VT simplifies the task quite a lot - ironically, by adding VT support Intel made life of rootkit developers easier. …

Do you still believe someone may need your RootkitRevealer???

Anton Bassov

I’m working on a version which assembles an inventory of kernel objects from
many different perspectives using many different techniques. This way,
every way a rootkit which tries to hide any type of object logically also
introduces a way of betraying itself. The best bet they have is to
immediately defeat my software, which I admit is not a difficult task but it
means the rootkit must be tailored to deal with my software. I admit any
such a tool is always some sort of compromise and theoretically speaking
it’s a lost battle but this counts for any antivirus or security product.
This doesn’t mean we can’t do a very good job and create a very useful
product which catches over let’s say 99% of the rootkits. BTW Rootkit
Revealer is not my product but Sysinternals’.

I want to apologize for some of my comments because you deserve more respect
than me if it comes to giving useful and interesting answers in this group.

/Daniel

wrote in message news:xxxxx@ntdev…
> Actually, I have never seen Russinovich’s samples - at the time he wrote
> about SSDT hooking (i.e. 1997) I was learning VBA, so that I would not have
> had a chance to understand anything even if I was told about
> Sysinternals, and by the time I learned about Sysinternals they were long
> gone. Therefore, I heard about them only from third-party sources (BTW, I
> learned about the concept of SSDT hooking from rootkit.com). When it comes
> to IAT hooking, it has been introduced to the Windows community not by
> Russinovich but by Pietrek. Concerning direct hooking with INT1/INT3,
> this is 100% my own “know-how”. Concerning entering the kernel without a
> driver, the idea of using a call gate is, again, Pietrek’s, rather than
> Russinovich’s, and the trick with locating a page directory from the user
> mode, is, again, 100% my own “know-how” that is based purely on
> disassembling MmGetPhysicalAddress() and figuring out how it works…
>
>> Instead I am releasing software to actually allow you to test these
>> things
>
> Now I see where the suggestion about Russinovich’s samples is rooted. I
> checked your website,
> and all tools (apart from RootkitRevealer - more on it below) that are
> listed there look pretty
> much like the ones that were available from Sysinternals.
>
> Concerning RootkitRevealer … sorry, but it is really pathetic - it can
> get fooled simply by putting
> the address of a buffer with a JMP instruction into the SSDT. If a rootkit takes
> the above approach, your “revealer” in its current implementation
> will have no chance to “name and shame” it - the maximal
> thing it can do is to tell you that SSDT is hooked (I assume the target
> rootkit is very simplistic so that it does not try to hide itself
> properly).
>
> In general, I came to the conclusion that detecting a presence of
> well-written rootkit from within the OS is a plainly infeasible task.
> A rootkit can infect a boot sector and get loaded before the OS. At this
> point it can do whatever it likes - it can put itself into a memory that
> the OS is just unaware of (it will hook real-mode INT 0x15 and make the
> OS believe that a given physical range is absent/reserved by BIOS - it
> will modify the physical memory map when the OS queries it); actual IDT
> and GDT may be made different from the ones that the OS loads with LIDT
> and LSGT; ntoskrnl.exe’s code may get modified when it gets loaded into
> RAM; etc., etc., etc. The only possible way to detect a rootkit like that is
> to extract a hard disk, insert it as a second disk into another machine,
> and read a boot sector (reading a boot sector on the target machine itself
> after it gets booted will not reveal a rootkit, because it will take
> care of that).
>
> All the above can be done even on the system that does not support VT,
> and introduction of VT simplifies the task quite a lot - ironically, by
> adding VT support Intel made life of rootkit developers easier. …
>
> Do you still believe someone may need your RootkitRevealer???
>
>
> Anton Bassov
>
>
>

wrote in message news:xxxxx@ntdev…
>> As to remarks about Peter, did you look him up on the internet also?
>> Did you notice that he teaches driver development to Microsoft?
>> Did you notice that he and his firm consult regularly for Microsoft and
>> most
>> of the biggies in the industry?
>
> Actually, the above argument is not as strong as it seems to be - this is
> just the other way of saying “He cannot really afford to express his true
> opinion due to his position and reputation”
> (actually, this is true for all MVPs). One of the posts on this thread
> mentions some certain product that directly hooks kernel code in
> Detours-like fashion, i.e. via JMP instruction. The funniest thing here is
> that the person who actually architected this “masterpiece” used to be
> an SDK MVP who made quite a few anti-hooking posts in the ‘kernel’ MSFT NG.
> Probably, it would be a better idea for him to learn how to hook
> “properly”, instead of slagging off this technique in a NG - if he did it
> this way, his product would cause much fewer BSODs than it (apparently)
> does, don’t you think???
>
>

Anton,

What makes you think MVPs do not state their true opinion? Sorry,
most of us are very honest on this, go back through the archives. Peter is
the one who led the latest call for source for WDF, I have hammered on how bad
DTM/WHQL is for years. A number of MVPs have expressed their disdain for
the “solutions” offered by Microsoft for many things.

By the same token many of us also have been in the industry a very
long time, so evaluate things with perhaps a different perspective. No, we
are not thrilled by the half way solutions that Microsoft provides for many
things, but we may look at them and realize they get us 80% of the way to
what is desired, and reflect on whether 80% can be good enough.

The other thing about MVPs is we go to events and interact with
Microsoft in many ways. So yes that means at times we express our dismay in
private conversations, but it also means through public and private means we
sometimes understand where Microsoft is going and why things act the way
they do (even if they seem irrational to some people).


Don Burn (MVP, Windows DDK)
Windows 2k/XP/2k3 Filesystem and Driver Consulting
Website: http://www.windrvr.com
Blog: http://msmvps.com/blogs/WinDrvr
Remove StopSpam to reply

Don:

Excellent post.

Anton:

I agree with what Don said, and personally, off the top of my head, I
beat on WinDbg on a regular basis, WPP and DTM back before they became
non issues/something we have to deal with, and in general say plenty of
less than charming things about the way Microsoft pushes in a really
insulting manner all sorts of things for the kernel that are robust,
object oriented, virtual, internet aware technologies meeting the needs
of mission critical drivers while lowering TCO, etc., instead of
fixing things that would actually make some difference, like improving
WinDbg. In the specific case of Peter, in my opinion, the argument that
he is constrained by his MVP status makes no sense, as whether he is an
MVP or not will not impact his bottom line, as he is also a founder of
OSR, and basically no one knows what an MVP is, and it sounds like a
certification that one pays $1000 to get. In the specific case of me, I
don’t feel constrained, because I am very comfortable with the fact that
no one really cares what I think, and as I have only been one for about
six months, whatever I did before is apparently OK so I’m still doing
it, and I really don’t think anyone would ever say that I give blatantly
party line advice. Nor would they probably say that my opinions are
radical, because I’m not looking to make the sort of spectacle of
himself that Daniel seems to like to, although I nevertheless manage to
still do it from time to time. I think an excellent point that Don made
is that we also interact privately with Microsoft. In my case, at this
point in time, this is a minor point, other than my regular
communication with my MVP lead, but for someone like Don it isn’t. I’ve
sat in a few conference calls with Microsoft and Don, and I can assure
you that he lets them know how he feels in no uncertain terms.

In general, Anton, most of the things that you see going on in this area
that you do not like, I don’t much care for myself either. I can not
extend that opinion to include Daniel; I think an MVP did something bad
to him when he was a small child or something like that, because this
seems to come up a lot, and it’s always paranoid and just profoundly
self-centered, and can basically be summarized as “why isn’t Microsoft
doing everything I want?” What I don’t understand is what it is that
you expect us to do it about it. All twenty (or so) of us can complain
publicly all we want, but that’s not going to change anything, and I
personally get very, very tired of hearing shit about how bad and evil
Microsoft is, and whether I like what they are doing or not in any
specific case, beating on Microsoft is among the most pedestrian of
activities. There are also Microsoft employees on this list who are
phenomenal, who don’t generally subject us to anything shamelessly pro
Microsoft, so I feel like there is no reason they should be rewarded for
their considerable efforts by hearing a bunch of complaining about the
company that indirectly pays our bills.

mm

Don Burn wrote:

wrote in message news:xxxxx@ntdev…
>>> As to remarks about Peter, did you look him up on the internet also?
>>> Did you notice that he teaches driver development to Microsoft?
>>> Did you notice that he and his firm consult regularly for Microsoft and
>>> most
>>> of the biggies in the industry?
>> Actually, the above argument is not as strong as it seems to be - this is
>> just the other way of saying “He cannot really afford to express his true
>> opinion due to his position and reputation”
>> (actually, this is true for all MVPs). One of the posts on this thread
>> mentions some certain product that directly hooks kernel code in
>> Detours-like fashion, i.e. via JMP instruction. The funniest thing here is
>> that the person who actually architected this “masterpiece” used to be
>> an SDK MVP who made quite a few anti-hooking posts in the ‘kernel’ MSFT NG.
>> Probably, it would be a better idea for him to learn how to hook
>> “properly”, instead of slagging off this technique in a NG - if he did it
>> this way, his product would cause much less BSODs than it (apparently)
>> does, don’t you think???
>>
>
> Anton,
>
> What makes you think MVPs do not state their true opinion? Sorry,
> most of us are very honest on this, go back through the archives. Peter is
> the one who led the latest call for source for WDF, I have hammered on how bad
> DTM/WHQL is for years. A number of MVPs have expressed their disdain for
> the “solutions” offered by Microsoft for many things.
>
> By the same token many of us also have been in the industry a very
> long time, so evaluate things with perhaps a different perspective. No, we
> are not thrilled by the half way solutions that Microsoft provides for many
> things, but we may look at them and realize they get us 80% of the way to
> what is desired, and reflect on whether 80% can be good enough.
>
> The other thing about MVPs is we go to events and interact with
> Microsoft in many ways. So yes that means at times we express our dismay in
> private conversations, but it also means through public and private means we
> sometimes understand where Microsoft is going and why things act the way
> they do (even if they seem irrational to some people).
>
>

I don’t know who threw the first stone at the MVPs, but they do speak their
minds.

To single one out, Don (sorry guy) has been rather vocal about the
limitations of fltmgr. However, the difference between his objections and
others here is this: His words mean something and could result in a product
improvement - he is listened to by the powers that be. (and of course, he’s
right on the money regarding the issues with fltmgr)

Nevertheless, saying that MVPs like Don are dishonest, or are ‘owned’ by
Microsoft is a bunch of crap. The truth is, Microsoft needs reputable
‘wildmen’ like Don on the outside to tell them where they need improvement
(not every circumstance will arise in house). With regards to fltmgr, he has
been clear and succinct with regards to the areas that need improvement.

(Don, I apologize for invoking your name here, these are only my opinions
and views and don’t mean much. My point is simple, MVPs such as yourself
do speak out when needed)

Regards,

Matt

“Matthew Martin” wrote in message
news:xxxxx@ntdev…
> (Don, I apologize for invoking your name here, these are only my opinions
> and views and don’t mean much. My point is simple, MVPs such as yourself
> do speak out when needed)
>

Matt,

No problem with invoking my name. There seems to be a lot of confusion
about MVPs as being everything from paid shills for Microsoft, to paying
Microsoft for the title. If you look at the MVP Program website
(http://mvp.support.microsoft.com/) you will see in the overview:

“The Microsoft MVP Award Program recognizes and thanks outstanding members
of technical communities for their community participation and willingness
to help others. The MVP Award is given to exceptional technical community
leaders who foster the FREE and objective exchange of knowledge by actively
sharing their real-world expertise with technology users.”

I capitalized the FREE above since it does not mean “no charge” but free of
interference. Microsoft chooses people who help people, whether it be
teaching classes, writing papers, doing talks, or answering questions on
newsgroups. The Microsoft support people out there spot people who meet the
criteria and they run the names by product groups to check the quality of
the material; that is how someone is nominated to be an MVP.

As far as the wildman, at the last WinHEC I was sought out by a senior
manager about my comments on DTM. I spent a very enjoyable two hours
explaining things that are desirable in the testing world to several people
from Redmond. I don’t know what will come of it, or when, but if I was a
shill for Microsoft I don’t think my statements like “DTM is the worst thing
for driver quality to ever happen” would have led to such a discussion. I
do feel confident that we will see a push for significant improvements in
the testing area in the coming years.


Don Burn (MVP, Windows DDK)
Windows 2k/XP/2k3 Filesystem and Driver Consulting
Website: http://www.windrvr.com
Blog: http://msmvps.com/blogs/WinDrvr
Remove StopSpam to reply

Martin,

> I feel like there is no reason they should be rewarded for their considerable
> efforts by hearing a bunch of complaining about the company that
> indirectly pays our bills.

I just really don’t know how to react to the above statement…

Is it a typing mistake??? Did you mean something else, or did you just get too emotional and, as a result, accidentally give away the secret??? What are the bills that you are talking about??? I have never been contacted by MSFT with any proposal concerning either direct or indirect payment of my bills of any description, but, after all, I am not an MVP. Does it work differently for MVPs???

Anton Bassov

You’re right; I wasn’t very clear. Nor was I talking about anyone
specifically in that part, which also wasn’t very clear. All I mean is,
while there are lots of features of Windows I don’t like, and there are
lots of things Microsoft does that I don’t like, Windows - especially
some of its features that are considered difficult or unsavory, like
that it isn’t open source - has and continues to provide me a nice
living, so I think it would be a little disingenuous for me to go on and
on about how terrible it is, and what a burden the whole process is, how
it’s unfair, etc. Working with it is a choice.

Sorry about the confusion,

mm

xxxxx@hotmail.com wrote:

Martin,

> I feel like there is no reason they should be rewarded for their considerable
> efforts by hearing a bunch of complaining about the company that
> indirectly pays our bills.

I just really don’t know how to react to the above statement…

Is it a typing mistake??? Did you mean something else, or did you just get too emotional and, as a result, accidentally give away the secret??? What are the bills that you are talking about??? I have never been contacted by MSFT with any proposal concerning either direct or indirect payment of my bills of any description, but, after all, I am not an MVP. Does it work differently for MVPs???

Anton Bassov

> especially some of its features that are considered difficult or unsavory,
> like that it isn’t open source - has and continues to provide me a nice living,

I am afraid it is not to last that long, again, only because eliminating these complex issues seems to be MSFT’s major objective. This is what KMDF that you, guys, seem to promote so much, is for…

Just to give you an idea, in one of his posts Peter said that they teach complete newbies how to write drivers in KMDF just in THREE DAYS(!!!). Can you imagine how many “driver developers” they are going to produce this way??? Therefore, I am afraid your fees will go down pretty shortly, because there will be nothing exceptional about being a Windows driver writer - this job is going to be taken more or less the same way the one of VB developer is taken (and paid for accordingly)…

BTW, what does it have to do with the availability of sources??? If you have the kernel sources, do you really think it is going to help you when it comes to traditionally complex kernel-level issues (for example, synchronization) if you have no idea about the kernel mechanics and there is no KMDF to take care of everything???

Anton Bassov

I think that there is some truth to what you say for developers of
conventional drivers, which I am not. Although I think KMDF looks
really pretty nice for the appropriate uses, I’ve only used it a couple
of times, because I almost never write drivers that deal with power
management/pnp, or for that matter, my encounters with physical devices
are rare but not totally uncommon. The ‘appropriate uses’ part is
important - the idea of using it to write non pnp drivers is, in my
opinion, beyond silly - and all my feelings about it are relative to
those on WDM, which hurts to even consider. I’ve also said on a number of
occasions that I think requiring its use is a totally pointless
exercise that really sucks, especially since one can work outside of the
framework anytime one wishes. I believe that Peter also went on to say
that the purpose of this course was to give developers a jumpstart,
which it does, and a tremendous one at that, and that KMDF makes it
possible for them to be reasonably productive more quickly, but it does
not mean that they will go on to ‘become Jake Oshins,’ as he puts it
with exaggeration. If you look at the number of courses OSR offers a
year, I think your fear is kind of silly. Ironically, you are buying in
to the Microsoft propaganda, the same that they used for Visual Basic.
It’s going to be object-oriented, internet aware, etc., and of course
easy, which is all total nonsense. In my opinion, the more they push
this idea, the more shitty developers they pick up, so I agree with you
to a point about more developers. Where I totally disagree with you is
that this will continue. It won’t, because most of these people will
suck and will not be able to get away with the low rent, uninspired
bullshit that people who like VB do in user mode, where it’s much,
much more forgiving. Sure companies will buy in to this at first, as
they do with outsourcing, and they will stop right after their first
project done this way fails abjectly, just as most do with outsourcing.
This wasn’t clear, but I wasn’t really talking about KMDF sources.
I would prefer it if they did, and I think would be a good decision,
because it would make debugging complex problems easier for people who
knew what they were doing, sometimes, but for the most part I don’t
really care either way.

As far as how this impacts me, the first thing is that I’m not a
consultant in the private sector, so fees don’t figure in to it, as they
cannot really go down. I spend my time implementing off the beaten path
things, largely based on reverse engineering, mostly for the purpose of
security evaluation, threat scenarios, implementation of things some of
which I am not always convinced are terribly useful or safe, but clients
feel otherwise, and some of which are perfectly legitimate but for
whatever reason undocumented/unsupported, as well as analysis and
implementation of custom tools and diagnostics, so things like
PatchGuard, Driver Signing, etc. and the closed nature of Windows in
particular make my life more interesting, and things that make this
process more obscure, undocumented, difficult and mostly inconvenient
will probably provide me with more interesting work. This is what I was
talking about with regards to source code; I don’t want it open source,
and in point of fact, I could get through the MVP program but have not
done so nor will do so for a number of reasons.

mm

xxxxx@hotmail.com wrote:

> especially some of its features that are considered difficult or unsavory,
> like that it isn’t open source - has and continues to provide me a nice living,

I am afraid it is not to last that long, again, only because eliminating these complex issues seems to be MSFT’s major objective. This is what KMDF that you, guys, seem to promote so much, is for…

Just to give you an idea, in one of his posts Peter said that they teach complete newbies how to write drivers in KMDF just in THREE DAYS(!!!). Can you imagine how many “driver developers” they are going to produce this way??? Therefore, I am afraid your fees will go down pretty shortly, because there will be nothing exceptional about being a Windows driver writer - this job is going to be taken more or less the same way the one of VB developer is taken (and paid for accordingly)…

BTW, what does it have to do with the availability of sources??? If you have the kernel sources, do you really think it is going to help you when it comes to traditionally complex kernel-level issues (for example, synchronization) if you have no idea about the kernel mechanics and there is no KMDF to take care of everything???

Anton Bassov

wrote in message news:xxxxx@ntdev…
>> Who is missing here in this story is you.
>
> What about me???
>
>> Unlike you, I am not grabbing bits and pieces of old hooking samples from
>> Russinovich et al and posting those things as mine,
>
> Actually, I have never seen Russinovich’s samples - at the time he wrote about SSDT hooking (i.e. 1997) I was learning VBA, so
> that I would not have had a chance to understand anything even if I was told about Sysinternals, and by the time I learned
> about Sysinternals they were long gone. Therefore, I heard about them only from third-party sources (BTW, I learned about the
> concept of SSDT hooking from rootkit.com). When it comes to IAT hooking, it has been introduced to the Windows community not
> by Russinovich but by Pietrek. Concerning direct hooking with INT1/INT3, this is 100% my own “know-how”. Concerning entering
> the kernel without a driver, the idea of using a call gate is, again, Pietrek’s, rather than Russinovich’s, and the trick
> with locating a page directory from the user mode, is, again, 100% my own “know-how” that is based purely on disassembling
> MmGetPhysicalAddress() and figuring out how it works…
>
>> Instead I am releasing software to actually allow you to test these things
>
> Now I see where the suggestion about Russinovich’s samples is rooted. I checked your website,
> and all tools (apart from RootkitRevealer - more on it below) that are listed there look pretty
> much like the ones that were available from Sysinternals.
>
> Concerning RootkitRevealer … sorry, but it is really pathetic - it can get fooled simply by putting
> the address of a buffer with a JMP instruction into the SSDT. If a rootkit takes the above approach, your “revealer” in its current
> implementation will have no chance to “name and shame” it - the maximal thing it can do is to tell you that
> the SSDT is hooked (I assume the target rootkit is very simplistic so that it does not try to hide itself properly).
>
> In general, I came to the conclusion that detecting the presence of a well-written rootkit from within the OS is a plainly
> infeasible task. A rootkit can infect a boot sector and get loaded before the OS. At this point it can do whatever it likes -
> it can put itself into a memory that the OS is just unaware of (it will hook real-mode INT 0x15 and make the OS believe that
> a given physical range is absent/reserved by BIOS - it will modify the physical memory map when the OS queries it); actual
> IDT and GDT may be made different from the ones that the OS loads with LIDT and LSGT; ntoskrnl.exe’s code may get modified
> when it gets loaded into RAM; etc., etc., etc. The only possible way to detect a rootkit like that is to extract a hard disk,
> insert it as a second disk into another machine, and read a boot sector (reading a boot sector on the target machine itself
> after it gets booted will not reveal a rootkit, because it will take care of that).
>
> All the above can be done even on the system that does not support VT, and introduction of VT simplifies the task quite a
> lot - ironically, by adding VT support Intel made life of rootkit developers easier. …
>
> Do you still believe someone may need your RootkitRevealer???
>
>
> Anton Bassov
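Added example, not code from the post above and not RootkitRevealer's code: a user-mode model in C of the check a revealer would need in order to get past the trick described (an SSDT slot pointing at a pool buffer that only does a JMP into the real handler). The kernel address space, the loaded-module list and the hooked SSDT are all constructed inside the block; a real implementation would read the service table and walk the kernel's module list instead. The check follows chains of E9/EB jumps to their final destination and attributes that address to a module, so a trampoline buffer that no module owns still gets named through whatever it jumps to.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MEM_SIZE 0x1000
static uint8_t mem[MEM_SIZE];   /* constructed stand-in for the kernel address space */

typedef struct { const char *name; uint32_t base, size; } module_t;

/* Constructed loaded-module list; a real checker would walk the kernel's module list. */
static const module_t modules[] = {
    { "ntoskrnl.exe", 0x0000, 0x0800 },
    { "rootkit.sys",  0x0C00, 0x0400 },
};
#define NMODULES (sizeof modules / sizeof modules[0])

static const module_t *module_for(uint32_t addr)
{
    for (size_t i = 0; i < NMODULES; i++)
        if (addr >= modules[i].base && addr < modules[i].base + modules[i].size)
            return &modules[i];
    return NULL;
}

/* Follow a chain of unconditional jumps (E9 rel32, EB rel8) starting at addr.
 * Returns the first address that does not begin with such a jump. */
static uint32_t resolve_jmp_chain(uint32_t addr, int max_hops, int *hops)
{
    *hops = 0;
    while (*hops < max_hops && addr + 5 <= MEM_SIZE) {
        uint8_t op = mem[addr];
        if (op == 0xE9) {                       /* jmp rel32 */
            int32_t rel;
            memcpy(&rel, &mem[addr + 1], sizeof rel);
            addr = (uint32_t)(addr + 5 + rel);
        } else if (op == 0xEB) {                /* jmp rel8 */
            addr = (uint32_t)(addr + 2 + (int8_t)mem[addr + 1]);
        } else {
            break;
        }
        (*hops)++;
    }
    return addr;
}

typedef enum { SSDT_CLEAN, SSDT_HOOK_DIRECT, SSDT_HOOK_TRAMPOLINE } verdict_t;

typedef struct {
    verdict_t   verdict;
    uint32_t    entry, target;   /* SSDT value and where the jump chain ends */
    int         hops;
    const char *owner;           /* module containing target, NULL if no module backs it */
} finding_t;

verdict_t check_ssdt_entry(uint32_t entry, finding_t *f)
{
    f->entry  = entry;
    f->target = resolve_jmp_chain(entry, 8, &f->hops);
    const module_t *m = module_for(f->target);
    f->owner = m ? m->name : NULL;

    /* Caveat: some genuine ntoskrnl entry points begin with a jmp (hot-patch thunks);
     * a production check compares against the on-disk image bytes rather than
     * treating any leading jmp as a hook. */
    if (module_for(entry) == &modules[0] && f->hops == 0)
        f->verdict = SSDT_CLEAN;
    else if (f->hops == 0)
        f->verdict = SSDT_HOOK_DIRECT;
    else
        f->verdict = SSDT_HOOK_TRAMPOLINE;
    return f->verdict;
}

static void put_jmp_rel32(uint32_t at, uint32_t to)
{
    int32_t rel = (int32_t)(to - (at + 5));
    mem[at] = 0xE9;
    memcpy(&mem[at + 1], &rel, sizeof rel);
}

/* Constructed scenario backing the three SSDT slots used in main(). */
void build_sample(void)
{
    memset(mem, 0x90, sizeof mem);              /* nop filler everywhere */
    /* slot 0 (0x0100): untouched service inside ntoskrnl */
    /* slot 1 (0x0900): pool buffer owned by no module, holding jmp -> rootkit.sys,
       which jumps once more (jmp rel8) to its real handler at 0x0C20 */
    put_jmp_rel32(0x0900, 0x0C10);
    mem[0x0C10] = 0xEB; mem[0x0C11] = 0x0E;     /* 0x0C12 + 0x0E = 0x0C20 */
    /* slot 2 (0x0C40): points straight into rootkit.sys */
}

int main(void)
{
    static const uint32_t ssdt[] = { 0x0100, 0x0900, 0x0C40 };   /* constructed table */
    static const char *names[] = { "clean", "hooked (direct)", "hooked (trampoline)" };
    build_sample();
    for (size_t i = 0; i < sizeof ssdt / sizeof ssdt[0]; i++) {
        finding_t f;
        check_ssdt_entry(ssdt[i], &f);
        printf("slot %zu: %-20s entry=%#06x target=%#06x hops=%d owner=%s\n",
               i, names[f.verdict], (unsigned)f.entry, (unsigned)f.target, f.hops,
               f.owner ? f.owner : "(unbacked memory)");
    }
    return 0;
}
```

Two limits of this design are worth stating. The resolver only follows bare relative jumps, so a push/ret pair or a register-indirect jump stops it at the buffer, and a final destination in pool that no listed module backs still yields no name; that is exactly the "hide itself properly" case in the post, and the answer to it is not a better SSDT walk but an out-of-band view of memory.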

wrote in message news:xxxxx@ntdev…

> In general, I came to the conclusion that detecting the presence of a well-written rootkit from within the OS is plainly
> an infeasible task. A rootkit can infect a boot sector and get loaded before the OS. At this point it can do whatever it likes -
> it can put itself into memory that the OS is just unaware of (it will hook real-mode INT 0x15 and make the OS believe that
> a given physical range is absent/reserved by the BIOS - it will modify the physical memory map when the OS queries it); the actual
> IDT and GDT may be made different from the ones that the OS loads with LIDT and LGDT; ntoskrnl.exe’s code may get modified
> when it gets loaded into RAM; etc., etc., etc. The only possible way to detect a rootkit like that is to extract the hard disk,
> insert it as a second disk into another machine, and read the boot sector (reading the boot sector on the target machine itself
> after it gets booted will not reveal the rootkit, because it will take care of that).
>
> All the above can be done even on a system that does not support VT, and the introduction of VT simplifies the task quite a
> lot - ironically, by adding VT support Intel made the life of rootkit developers easier.

But Intel also makes AMT - and it leaves rootkits absolutely no chance; a user doesn’t even have to open the machine.

http://www.intel.com/technology/platform-technology/intel-amt/

Regards,
–PA

> it does not mean that they will go on to ‘become Jake Oshins,’

I am afraid you just misunderstand something - the point of the whole exercise is to make sure
that he never ever becomes another Jake Oshins (or, which is even worse for MSFT, Matt Pietrek). The easiest way to achieve this goal is to stupefy him by giving him some easy-to-use framework so that he has just no incentive to start his own investigations and find out what makes it all tick. This is good for MSFT (because there is no one to compete with their products, at least the ones that are meant to work under Windows); this is good for hardware designers
(because finding an el-cheapo driver writer who can write workable Windows drivers becomes easy); but this is bad for *YOU*, because the market demand for developers with an in-depth understanding of the Windows kernel is going to drop dramatically, which is going to push *YOUR* rates down. This is what KMDF is for, and MSFT wants *YOU* to promote it. In other words, you are supposed to shoot yourself in the foot, and, according to my observations, quite a few guys down here do it quite successfully…

As far as how this impacts me, the first thing is that I’m not a consultant
in the private sector, so fees don’t figure in to it, as they can not really down.
I spend my time implementing off the beaten path things, largely based on reverse engineering, mostly for the purpose of security evaluation, threat scenarios,
implementation of things some of which I am not always convinced are
terribly useful or safe, but clients feel otherwise,

Great!!! However, the above statement fully confirms my suggestion that MVPs cannot really afford to say what they want. You don’t really seem to be promoting your techniques in a NG, do you - instead, you seem to attack them whenever you can. Why??? The only explanation that gets into my head is that MSFT just does not want you to promote them. In actuality, these days I don’t promote hooking either, but for a totally different reason. I think this technique is just outdated - there are more efficient ways to do what you want. More on it below…

things like PatchGuard, Driver Signing, etc. and the closed nature of Windows
in particular make my life more interesting,

Sure - they lead me to ideas that are not as simplistic as SSDT hooking…

For example, you can write your own small OS and run Windows under it. This OS does not really have to be complex, because it will delegate the job to Windows 99.999…9% of the time.
However, when you want to examine/intercept something, you will be able to do it without the slightest problem, and leave Windows blissfully ignorant of the whole thing (in actuality, this is what the theoretical rootkit that I have mentioned earlier on this thread is all about). In order to simplify things, you can also write your “agent 007”, i.e. a Windows driver that will be the only component that is aware that there is something in between Windows and the actual hardware, and knows where to look for instructions (it is understandable that most tasks, apart from interception, are easier done from within Windows). The only thing that is left for MSFT is to grit their teeth - the whole thing is totally transparent to all its stupid PatchGuards and other “innovations”, and your driver is fully “supported”, and, hence, gets signed…

Anton Bassov
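Added example serving both the physical-memory-map paragraph earlier in this thread and the “small OS under Windows” post above; it is not the poster’s code. The block models, in user-mode C, the INT 0x15/E820 map rewrite those posts describe: a BIOS-style memory map is constructed inline, and a chosen physical range is carved out of the usable entries and reported as reserved, which is what a boot-sector rootkit and a thin hypervisor alike do to keep their own memory out of the guest OS’s page tables. The entry layout, the sample map and the chosen ranges are assumptions of the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

enum { E820_RAM = 1, E820_RESERVED = 2 };
typedef struct { uint64_t base, length; uint32_t type; } e820_entry_t;

#define MAP_CAP 64

static int push(e820_entry_t *out, size_t *m, size_t cap, e820_entry_t e)
{
    if (*m >= cap) return 0;
    out[(*m)++] = e;
    return 1;
}

/* Rewrite the map in place so that [hb, hb+hl) is reported as reserved.
 * Every RAM entry overlapping the range is cut into up to three pieces
 * (RAM before, reserved overlap, RAM after). Returns the new entry count,
 * or 0 (map untouched) if cap would be exceeded or the range is empty. */
size_t e820_hide_range(e820_entry_t *map, size_t n, size_t cap, uint64_t hb, uint64_t hl)
{
    e820_entry_t out[MAP_CAP];
    size_t m = 0;
    uint64_t he = hb + hl;
    if (cap > MAP_CAP) cap = MAP_CAP;
    if (hl == 0 || he < hb) return 0;

    for (size_t i = 0; i < n; i++) {
        e820_entry_t e = map[i];
        uint64_t ee = e.base + e.length;
        if (e.type != E820_RAM || ee <= hb || e.base >= he) {   /* no overlap: pass through */
            if (!push(out, &m, cap, e)) return 0;
            continue;
        }
        uint64_t lo = e.base > hb ? e.base : hb;                  /* overlap = [lo, hi) */
        uint64_t hi = ee < he ? ee : he;
        if (e.base < lo && !push(out, &m, cap, (e820_entry_t){ e.base, lo - e.base, E820_RAM })) return 0;
        if (!push(out, &m, cap, (e820_entry_t){ lo, hi - lo, E820_RESERVED })) return 0;
        if (hi < ee && !push(out, &m, cap, (e820_entry_t){ hi, ee - hi, E820_RAM })) return 0;
    }
    for (size_t i = 0; i < m; i++) map[i] = out[i];
    return m;
}

uint64_t e820_usable_ram(const e820_entry_t *map, size_t n)
{
    uint64_t total = 0;
    for (size_t i = 0; i < n; i++)
        if (map[i].type == E820_RAM) total += map[i].length;
    return total;
}

/* Constructed map resembling what a BIOS returns for a 1 GiB machine (assumption). */
size_t build_sample_map(e820_entry_t *map)
{
    const e820_entry_t sample[] = {
        { 0x00000000ULL, 0x0009FC00ULL, E820_RAM },
        { 0x0009FC00ULL, 0x00000400ULL, E820_RESERVED },
        { 0x000F0000ULL, 0x00010000ULL, E820_RESERVED },
        { 0x00100000ULL, 0x3FF00000ULL, E820_RAM },
        { 0xFEC00000ULL, 0x01400000ULL, E820_RESERVED },
    };
    size_t n = sizeof sample / sizeof sample[0];
    for (size_t i = 0; i < n; i++) map[i] = sample[i];
    return n;
}

static void print_map(const e820_entry_t *map, size_t n)
{
    for (size_t i = 0; i < n; i++)
        printf("  %016llx-%016llx %s\n", (unsigned long long)map[i].base,
               (unsigned long long)(map[i].base + map[i].length),
               map[i].type == E820_RAM ? "usable" : "reserved");
}

int main(void)
{
    e820_entry_t map[MAP_CAP];
    size_t n = build_sample_map(map);
    printf("before (usable %llu MiB):\n", (unsigned long long)(e820_usable_ram(map, n) >> 20));
    print_map(map, n);
    /* Hide the top 16 MiB of RAM: the OS never maps it, so code placed there is invisible to it. */
    n = e820_hide_range(map, n, MAP_CAP, 0x3F000000ULL, 0x01000000ULL);
    printf("after  (usable %llu MiB):\n", (unsigned long long)(e820_usable_ram(map, n) >> 20));
    print_map(map, n);
    return 0;
}
```

The only in-band symptom this leaves is that usable memory comes out short of what is physically fitted. A checker can compare the E820 total against the DIMM capacity the firmware tables report, but in principle whatever filters INT 0x15 can filter those tables as well, which is the reason the post insists on inspecting the disk from another machine.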

All this leads me to think MVP is merely a country club of some sort which
rewards members for good conduct only. There is a growing number of people
with superior knowledge and they are not rewarded MVP status, they all seem
to have one thing in common: they are engaged in reverse engineering,
undocumented techniques and highly critical of MS.

Rest assured that now, as an exceptional technical community leader,
people do care about what you say. They may follow you blindly because that
three letter signature gives you a high status of authority; you are
responsible for shaping the evolution of technology and mankind. This means
there will be people listening to you and caring about what you say, whether
you like it or not. And I will take pleasure in listening and scrutinizing
you guys, correcting you and asking questions wherever I can. It will keep
you aware and sharpened.

/Daniel

“Martin O’Brien” wrote in message
news:xxxxx@ntdev…
> …I am very comfortable with the fact that no one really cares what I
> think, and as I have only been one for about six months, whatever I did
> before is apparently OK so I’m still doing it, and I really don’t think
> anyone would ever say that I give blatantly party line advice. …
> In general, Anton, most of the things that you see going on in this area
> that you do not like, I don’t much care for myself either. I can not
> extend that opinion to include Daniel; I think an MVP did something bad to
> him when he was a small child or something like that, because this seems
> to come up a lot, and it’s always paranoid and just profoundly
> self-centered, and can basically be summarized as “why isn’t Microsoft
> doing everything I want?” What I don’t understand is what it is that you
> expect us to do about it. All twenty (or so) of us can complain
> publicly all we want, but that’s not going to change anything, and I
> personally get very, very tired of hearing shit about how bad and evil
> Microsoft is, and whether I like what they are doing or not in any
> specific case, beating on Microsoft is among the most pedestrian of
> activities. There are also Microsoft employees on this list who are
> phenomenal, who don’t generally subject us to anything shamelessly pro
> Microsoft, so I feel like there is no reason they should be rewarded for
> their considerable efforts by hearing a bunch of complaining about the
> company that indirectly pays our bills.

Daniel,

I would have to disagree with some of your points here along with a
paragraph that Don posted off of the MVP website. I don’t view the MVP
program necessarily as a system of rewarding people; although that is indeed
a component.

Keep in mind that Microsoft is nothing more than a corporate entity with no
central nervous system and anything ANY company does is to increase sales,
reduce overhead, or improve product quality. Generally in that order and
with no other motivation.

With that said, I believe it’s rather evident that the DDK MVP program was
created not to reward people, but instead to increase the reliability of the
OS. Usually, when a system panics and takes a dive, from the consumer’s point
of view it’s always Microsoft’s fault, although 85% of bug checks come from
third party drivers.

Point in short, developers new to driver development often need to be
steered in a correct and a documented direction that is guaranteed to work
and I’m sure Microsoft recognized this long ago at the program’s conception.
This right here is at the core of system stability since any kernel mode
component can bring the system down.

Regards,

Matt

----- Original Message -----
From:
Newsgroups: ntdev
To: “Windows System Software Devs Interest List”
Sent: Sunday, January 06, 2008 4:03 AM
Subject: Re:[ntdev] How to hook IoCompleteRequest

> All this leads me to think MVP is merely a country club of some sort which
> rewards members for good conduct only. There is a growing number of people
> with superior knowledge and they are not rewarded MVP status, they all
> seem to have one thing in common: they are engaged in reverse engineering,
> undocumented techniques and highly critical of MS.
>
> Rest assured that now that, as an exceptional technical community leader
> people do care about what you say. They may follow you blindly because
> that three letter signature gives you a high status of authority, you are
> responsible for shaping the evolution of technology and mankind. This
> means there will be people listening to you and caring about what you say,
> whether you like it or not. And I will take pleasure in listening and
> scrutinizing you guys, correcting you and asking questions wherever I can.
> It will keep you aware and sharpened.
>
> /Daniel
> “Martin O’Brien” wrote in message
> news:xxxxx@ntdev…
>> …I am very comfortable with the fact that no one really cares what I
>> think, and as I have only been one for about six months, whatever I did
>> before is apparently OK so I’m still doing it, and I really don’t think
>> anyone would ever say that I give blatantly party line advice. …
>> In general, Anton, most of the things that you see going on in this area
>> that you do not like, I don’t much care for myself either. I can not
>> extend that opinion to include Daniel; I think an MVP did something bad
>> to him when he was a small child or something like that, because this
>> seems to come up a lot, and it’s always paranoid and just profoundly
>> self-centered, and can basically be summarized as “why isn’t Microsoft
>> doing everything I want?” What I don’t understand is what it is that you
>> expect us to do about it. All twenty (or so) of us can complain
>> publicly all we want, but that’s not going to change anything, and I
>> personally get very, very tired of hearing shit about how bad and evil
>> Microsoft is, and whether I like what they are doing or not in any
>> specific case, beating on Microsoft is among the most pedestrian of
>> activities. There are also Microsoft employees on this list who are
>> phenomenal, who don’t generally subject us to anything shamelessly pro
>> Microsoft, so I feel like there is no reason they should be rewarded for
>> their considerable efforts by hearing a bunch of complaining about the
>> company that indirectly pays our bills.
> —
> NTDEV is sponsored by OSR
>
> For our schedule of WDF, WDM, debugging and other seminars visit:
> http://www.osr.com/seminars
>
> To unsubscribe, visit the List Server section of OSR Online at
> http://www.osronline.com/page.cfm?name=ListServer
>

Good and honest point but what I believe is that MVPs could help MS in this
regard a great deal in much better ways than embracing whatever is imposed
upon them. We have a saying in Dutch which says that blood will crawl
wherever it cannot flow freely. If developers do not have the means at their
disposal to achieve their very often simple goals, they will be looking
everywhere for undocumented ways and apply them. An ever more restrictive set
of documented APIs, policies and the unavailability of sources are just not
going to help build a more reliable operating system in any way but rather
the opposite. According to me, those with lots of undocumented knowledge
generally have the best potential of improving the reliability of the
operating system. I’m not foreseeing much good in terms of security for the
future of windows.

/Daniel

“Matthew Martin” wrote in message
news:xxxxx@ntdev…
> Point in short, developers new to driver development often need to be
> steered in a correct and a documented direction that is guaranteed to work
> and I’m sure Microsoft recognized this long ago at the program’s
> conception. This right here is at the core of system stability since any
> kernel mode component can bring the system down.
>

> All this leads me to think MVP is merely a country club of some sort which

rewards members for good conduct only.

Well, MSFT does not even seem to deny it . It does not really follow from the quotation below, does it???

[begin quote]

“The Microsoft MVP Award Program recognizes and thanks outstanding members of technical communities for their community participation and willingness to help others. The MVP Award is given to exceptional technical community leaders who foster the FREE and objective exchange of knowledge by actively sharing their real-world expertise with technology users.”

[end quote]

Never mind - this is just the very first 2 sentences. Let’s keep on reading (get ready to laugh):

[sentence 3]

Microsoft MVPs are a highly select group of experts that represents the technical community’s best and brightest, and they share a deep commitment to community and a willingness to help others.

[end sentence 3]

Therefore, they are all experts - the technical community’s best and brightest. Nothing funny. However, let’s keep on reading

[sentences 4 and 5]

MVPs represent a broad spectrum of Microsoft product users. They occupy many different professions including accountants, teachers, artists, engineers and technologists. MVPs reside in over 90 countries, represent 30 different languages, and cover more than 90 Microsoft technologies.

[end sentences 4 and 5]

Therefore, accountants, teachers, artists, and other product users are members of this club as well, and they are all experts on MSFT technology, best and brightest … despite being of totally non-technical professions. Have you got any more questions about what one has to do in order to become an expert on MSFT technology (in MSFT’s understanding of this term, of course)
who is recognized as best and brightest by MSFT???

The only sad thing here is that all DDK MVPs without any exception who post to this list
are *actually* bright and knowledgeable. I think MSFT just let you down, guys - they just diluted your status…

Anton Bassov