How to set other threads to the alertable state

Hello,

A thread must be in an alertable state to run a user-mode APC.
For the current thread we can enter the alertable state when we call the KeWaitForSingleObject function.

But how can we set another thread to the alertable state?
For example we get the thread with the function PsLookupThreadByThreadId(TargetThreadID, &TargetThread), or we open the thread and have the thread handle. How can we put this thread into the alertable state?
Maybe with the function ZwSetInformationThread?
Or is it possible to attach to the target thread and then call KeWaitForSingleObject?

I have found out that it is possible to set the alertable state of a thread by setting the BOOLEAN Alertable value in the KTHREAD structure.
But there is no official documentation about this structure, and this structure changes from Windows version to Windows version.

If someone knows how to set a thread (not the current one) to the alertable state, it would help a lot.

Thanks

Regards michi

You don’t do this, the developer who wrote the code that did not put the
thread into an alertable state had a reason to do this. What you are
proposing is to force a contract violation between the OS and the driver
which did not want to have the thread alertable. Basically you are
removing the ability from the OS.

All this will do is make drivers you don’t own crash. This is a great
way to hurt the Windows ecosystem, and make your company a target of a
lawsuit.

Don Burn (MVP, Windows DKD)
Windows Filesystem and Driver Consulting
Website: http://www.windrvr.com
Blog: http://msmvps.com/blogs/WinDrvr

“xxxxx@hotmail.com” wrote in message
news:xxxxx@ntdev:

> Hello,
>
> A thread must be in an alertable state to run a user-mode APC.
> For the current thread we can enter the alertable state when we call the KeWaitForSingleObject function.
>
> But how can we set another thread to the alertable state?
> For example we get the thread with the function PsLookupThreadByThreadId(TargetThreadID, &TargetThread), or we open the thread and have the thread handle. How can we put this thread into the alertable state?
> Maybe with the function ZwSetInformationThread?
> Or is it possible to attach to the target thread and then call KeWaitForSingleObject?
>
> I have found out that it is possible to set the alertable state of a thread by setting the BOOLEAN Alertable value in the KTHREAD structure.
> But there is no official documentation about this structure, and this structure changes from Windows version to Windows version.
>
> If someone knows how to set a thread (not the current one) to the alertable state, it would help a lot.
>
> Thanks
>
> Regards michi

Also, why do you want to do that? What do you think you will achieve with that?

Hello,

I understand that putting a thread into the alertable state without reason makes no sense.

I need it for Asynchronous Procedure Calls as described here:
http://www.microsoft.com/msj/0799/nerd/nerd0799.aspx

void KeInitializeApc(PKAPC Apc,
                     PKTHREAD Thread,
                     CCHAR ApcStateIndex,
                     PKKERNEL_ROUTINE KernelRoutine,
                     PKRUNDOWN_ROUTINE RundownRoutine,
                     PKNORMAL_ROUTINE NormalRoutine,
                     KPROCESSOR_MODE ApcMode,
                     PVOID NormalContext);

void KeInsertQueueApc(PKAPC Apc,
                      PVOID SystemArgument1,
                      PVOID SystemArgument2,
                      UCHAR unknown);

// Force the thread into being alertable
KeInitializeEvent(&event, SynchronizationEvent, FALSE);
KeWaitForSingleObject(&event, Executive, UserMode, TRUE, &Timeout);

regards
michi

If the other thread is running your software you can make it alertable
using documented interfaces. If the other thread is not executing your
software, clobbering a field in the thread object is probably not a
good idea. It is not sufficient for you to have a ‘reason’ for doing
this, you have violated the assumptions of another piece of software
and that will have unintended consequences.

Perhaps you might want to step back and explain why you have arrived
at a design that requires you to inject APCs into random threads. That
in itself appears to be of dubious merit.

Mark Roddy

On Thu, Mar 31, 2011 at 11:03 AM, wrote:
> Hello,
>
> I understand that putting a thread into the alertable state without reason makes no sense.
>
> I need it for Asynchronous Procedure Calls as described here:
> http://www.microsoft.com/msj/0799/nerd/nerd0799.aspx
>
> void KeInitializeApc(PKAPC Apc,
>                      PKTHREAD Thread,
>                      CCHAR ApcStateIndex,
>                      PKKERNEL_ROUTINE KernelRoutine,
>                      PKRUNDOWN_ROUTINE RundownRoutine,
>                      PKNORMAL_ROUTINE NormalRoutine,
>                      KPROCESSOR_MODE ApcMode,
>                      PVOID NormalContext);
>
> void KeInsertQueueApc(PKAPC Apc,
>                       PVOID SystemArgument1,
>                       PVOID SystemArgument2,
>                       UCHAR unknown);
>
> // Force the thread into being alertable
> KeInitializeEvent(&event, SynchronizationEvent, FALSE);
> KeWaitForSingleObject(&event, Executive, UserMode, TRUE, &Timeout);
>
> regards
> michi
>
> —
> NTDEV is sponsored by OSR
>
> For our schedule of WDF, WDM, debugging and other seminars visit:
> http://www.osr.com/seminars
>
> To unsubscribe, visit the List Server section of OSR Online at http://www.osronline.com/page.cfm?name=ListServer
>

Hello,

I cannot understand why every time I’m asking a non-standard question I get an answer like “this code is malicious” or “you are trying to hurt other software” or something like this. There are also non-malicious uses of a lot of techniques.

The driver is for Windows 64-bit, and so it is necessary to sign the driver. I don’t think someone will create malicious code or virus code in their own signed driver.

I’m thinking about the following design:

  • we have a service and a driver
  • sometimes it is necessary that the service captures some user events or does something else on the user account
  • For this I’m thinking about creating a simple dll that will be loaded with the explorer. It is not necessary to create a process; a simple dll is enough.
    The problem is that from user mode I have found no way to load and unload the dll in the explorer, so I’m searching for a way to load the dll from kernel mode.
    I can also understand that it is not secure to give the possibility to load and unload dll’s from user mode.
    BTW the dll is also signed! Other software uses for example a hook to load a dll in the explorer, but I don’t want to use hooks or some other strange hacking technique.
    I’m searching for a simple solution to load a dll into another process. I know that there is the possibility to create an ATL DLL and register it with the explorer, but this DLL will only be loaded when it is necessary.

So my question: Is there a way to load a non-malicious signed dll into the explorer from a Windows driver? If someone thinks it is not a good idea to load a signed dll into the explorer, please explain why.

regards
michi

On Thu, Mar 31, 2011 at 12:50 PM, wrote:
> sometimes it is necessary that the service captures some user events or does something else on the user account

This is done all the time by simply running a background process in
the user’s context, and the mechanisms are fully documented in the
win32 api.

You asked what would happen if you did something unsupported to the
state of a kernel thread object and you were told “bad things will
happen”. Would you rather we said “oh go ahead and clobber the thread
state, what could possibly go wrong?”

A thread waiting in a non-alertable state most likely does not have
logic to handle a return from that wait due to an alert, i.e. it
probably will not handle STATUS_ALERTED correctly, so that thread’s
execution will be problematic. You have broken that other software.
What part of that are we supposed to approve?

p.s. I rather doubt what you are doing will have the desired effect
anyway, at least not reliably.

Mark Roddy

xxxxx@hotmail.com wrote:

> I cannot understand why every time I’m asking a non-standard question I get an answer like “this code is malicious” or “you are trying to hurt other software” or something like this. There are also non-malicious uses of a lot of techniques.

When someone asks a question about a technique that we KNOW to be
dangerous, are you saying we should just keep quiet about it?

Here is the problem that causes this to happen. When people come here
with questions, they have a problem to solve. But when they ask their
question, they don’t say “I need to solve X problem. What are some good
ways to do that?” Instead, less experienced people will often have done
just a bunch of misguided web searching to come up with proposed
solutions that are completely wrong. They will focus with laser-like
intensity on these wrong approaches, and ask us “I need to implement
proposed solution Y. How do I do that?” They are looking at the tree,
not at the forest.

When someone comes to us and asks, “I need to get plutonium for a
nuclear reactor, where can I do that?”, it behooves us to dig in a bit,
in case they are trying to create a power supply for a nuclear-powered
fly swatter. There are better ways to solve that problem.

Those of us who have been in the business a long time recognize that
“solution Y” is almost always a naive attempt to solve some other
problem. What we are TRYING to do is get you to describe the PROBLEM
you are trying to solve, not the solution you think you have come up with.

Fortunately, you did exactly that in this email, and that’s a Good Thing.

> The driver is for Windows 64-bit, and so it is necessary to sign the driver. I don’t think someone will create malicious code or virus code in their own signed driver.

Malicious and dangerous are two very different things.

> I’m thinking about the following design:
>
>   • we have a service and a driver
>   • sometimes it is necessary that the service captures some user events or does something else on the user account
>   • For this I’m thinking about creating a simple dll that will be loaded with the explorer. It is not necessary to create a process; a simple dll is enough.
>     The problem is that from user mode I have found no way to load and unload the dll in the explorer, so I’m searching for a way to load the dll from kernel mode.

Explorer extensions are trivially easy to write. You just register a
COM object and put it in the right location. Explorer will happily load
your DLL. Once it is loaded, you can do whatever you need.

> I’m searching for a simple solution to load a dll into another process. I know that there is the possibility to create an ATL DLL and register it with the explorer, but this DLL will only be loaded when it is necessary.

Why? A DLL that sits idle has no impact on performance. That seems like
the perfect solution to your problem. What’s the point in having the
DLL come and go?

> So my question: Is there a way to load a non-malicious signed dll into the explorer from a Windows driver? If someone thinks it is not a good idea to load a signed dll into the explorer, please explain why.

There is no good way to load a user-mode DLL into a user-mode process
from a kernel-mode driver. However, you can certainly inject a DLL into
another process from user mode. That’s exactly how Windows hooks work.
Perhaps you should investigate Windows hooks some more.

In the end, I believe there are a number of very good user-mode
solutions to your problem.

–
Tim Roberts, xxxxx@probo.com
Providenza & Boekelheide, Inc.


Hello,

Thank you very much for all the information and possible solutions.

I will check for a solution in user mode.

But there is a reason why I wanted to load the dll from the kernel and not from user mode:
It should also be possible to install the dll if the service is not running and the user is on a restricted user account. The driver runs all the time, but the service may run but does not have to. So only the driver has enough privileges to load or unload the dll.

regards
michi

And if you looked at the archives, things like creating a process or
loading a DLL from the kernel have been discussed many times, and the
final answer is always “A crash waiting to happen”. There is nothing
wrong with having a service that is always running but is blocked in
the kernel waiting for the driver to complete a request; this has been
the model for most of this type of interaction since Windows NT 3.1.

In general, when you come up with an approach, if you cannot find it in
the archives of this list you are probably going into an area that is
not supported. Note the APC calls you listed are not officially
documented, so you are using undocumented code that is likely to break
when there are well known and safe alternate methods.

Don Burn (MVP, Windows DKD)
Windows Filesystem and Driver Consulting
Website: http://www.windrvr.com
Blog: http://msmvps.com/blogs/WinDrvr

“xxxxx@hotmail.com” wrote in message
news:xxxxx@ntdev:

> Hello,
>
> Thank you very much for all the information and possible solutions.
>
> I will check for a solution in user mode.
>
> But there is a reason why I wanted to load the dll from the kernel and not from user mode:
> It should also be possible to install the dll if the service is not running and the user is on a restricted user account. The driver runs all the time, but the service may run but does not have to. So only the driver has enough privileges to load or unload the dll.
>
> regards
> michi

> I cannot understand why every time I’m asking a non-standard question I get an answer like “this code is malicious” or “you are trying to hurt other software” or something like this. There are also non-malicious uses of a lot of techniques.

Please use documented ways of doing things, and not hacks. Hacks are unstable. By definition.

And, your alertable trick will crash the target app with a large probability.

Just forget about KeXxxApc. They are not to be called by drivers. They are internal implementation details of the kernel.

> The problem is that from user mode I have found no way to load and unload the dll in the explorer

Why? I think shell extensions are well-documented.

> ATL DLL and register it with the explorer, but this DLL will only be loaded when it is necessary.

Solutions:

a) Forget this idea. You will save, say, 10K of virtual memory in Explorer.exe, and lose lots of development time and product stability.
b) Your service can open Explorer.exe via OpenProcess, create a chunk of code on the fly in it using WriteProcessMemory, then SetThreadContext any thread to execute this code, and the code will do LoadLibrary. Good old DLL injection stuff. But if your software gets blocked by antivirus/security tools, you should not complain :slight_smile:

I would go the a) way in any case. The permanent Explorer add-on can be tiny and load another real DLL only when being signaled by the service.

–
Maxim S. Shatskih
Windows DDK MVP
xxxxx@storagecraft.com
http://www.storagecraft.com

> It should also be possible to install the dll if the service is not running and the user is on a restricted user account.

So, you need to bypass Windows security, correct? :slight_smile:

> The driver runs all the time, but the service may run but does not have to.

Usually, things are done the reverse way - the service is the product core, i.e. no service - no functionality.

–
Maxim S. Shatskih
Windows DDK MVP
xxxxx@storagecraft.com
http://www.storagecraft.com

> So, you need to bypass Windows security, correct? :slight_smile:
No, this is not a bypass; the user must install the driver with admin rights (the installer installs the driver) :slight_smile: If the next time the user starts in a restricted user account, then the driver will also be loaded and is available for some DeviceIoControls.

But I will not use the kernel method anyway, because there is no official way to load the user-mode dll. I don’t want to use some unsafe code. That’s also the reason why I opened the thread and asked for an official solution. But there is no good solution to load the user-mode dll from a kernel driver, and so I have to find another way in user mode ;@

p.s. I already have a working solution for kernel mode to load the dll in user mode; it works. The only restriction is that I have no solution to set the value KAPC_STATE.UserApcPending of the PKTHREAD structure in a known and safe way.

regards
michi

Here is the source if someone is interested. I found it on the net and modified it to my requirements.
I have already spent/wasted too much time with this code :confused:
Don’t use it!


(ugly and semi-dangerous code removed by moderator, based on the consensus
of the group in the following posts)

>> I cannot understand why every time I’m asking a non-standard question I get an answer like “this code is malicious” or “you are trying to hurt other software” or something like this. There are also non-malicious uses of a lot of techniques.
>
> Please use documented ways of doing things, and not hacks. Hacks are
> unstable. By definition.
>
> And, your alertable trick will crash the target app with a large
> probability.
>
> Just forget about KeXxxApc. They are not to be called by drivers. They are
> internal implementation details of the kernel.

There is a term for it - Einstein’s theory of insanity :slight_smile:

-pro

Does anyone other than me think this code example doesn’t belong on this site?

I grant you, it’s a slippery slope once we start deleting posts from people… I usually reserve it for only the most egregious violations. But I don’t like this “inject some code from kernel mode and change the APC state of the target thread” thing one bit.

If I’m the only one who thinks this example is nasty, I’ll leave it in the thread. If enough people agree, I’ll remove the text (and leave the post) using my magic powers.

Peter
OSR

I expect if it is kept we will see people using it, which is not going to
help anyone. Dump it.

Don Burn (MVP, Windows DKD)
Windows Filesystem and Driver Consulting
Website: http://www.windrvr.com
Blog: http://msmvps.com/blogs/WinDrvr

“xxxxx@osr.com” wrote in message news:xxxxx@ntdev:

> Does anyone other than me think this code example doesn’t belong on this site?
>
> I grant you, it’s a slippery slope once we start deleting posts from people… I usually reserve it for only the most egregious violations. But I don’t like this “inject some code from kernel mode and change the APC state of the target thread” thing one bit.
>
> If I’m the only one who thinks this example is nasty, I’ll leave it in the thread. If enough people agree, I’ll remove the text (and leave the post) using my magic powers.
>
> Peter
> OSR

No you are not the only one …

-pro

> Does anyone other than me think this code example doesn’t belong on this
> site?
>
> I grant you, it’s a slippery slope once we start deleting posts from
> people… I usually reserve it for only the most egregious violations.
> But I don’t like this “inject some code from kernel mode and change the
> APC state of the target thread” thing one bit.
>
> If I’m the only one who thinks this example is nasty, I’ll leave it in the
> thread. If enough people agree, I’ll remove the text (and leave the post)
> using my magic powers.
>
> Peter
> OSR


Hello,

remove the code if you want and think other people will use it in a malicious way.

regards
michi

I’d disappear it. Then again disappearing ANYTHING from the internets
is pretty much impossible. The contents have already been snarfed and
archived.

Mark Roddy

On Thu, Mar 31, 2011 at 5:45 PM, Don Burn wrote:
> I expect if it is kept we will see people using it, which is not going to help
> anyone. Dump it.
>
>
> Don Burn (MVP, Windows DKD)
> Windows Filesystem and Driver Consulting
> Website: http://www.windrvr.com
> Blog: http://msmvps.com/blogs/WinDrvr
>
>
>
>
> “xxxxx@osr.com” wrote in message news:xxxxx@ntdev:
>
>> Does anyone other than me think this code example doesn’t belong on this
>> site?
>>
>> I grant you, it’s a slippery slope once we start deleting posts from
>> people… I usually reserve it for only the most egregious violations. But
>> I don’t like this “inject some code from kernel mode and change the APC
>> state of the target thread” thing one bit.
>>
>> If I’m the only one who thinks this example is nasty, I’ll leave it in the
>> thread. If enough people agree, I’ll remove the text (and leave the post)
>> using my magic powers.
>>
>> Peter
>> OSR