Hi all,
Is there a way of knowing when process Init is completed, i.e. when the
process and all its related libraries have been loaded? Can a driver be used for the same?
–
- Developer
Since a process can load libraries at any time, and since there are runtime
options for delaying the load of libraries until the first call, the answer is NO,
since by your definition init may never complete.
What are you trying to determine?
–
Don Burn (MVP, Windows DDK)
Windows 2k/XP/2k3 Filesystem and Driver Consulting
Remove StopSpam from the email to reply
Don,
Thanks for the prompt reply. Yes, I know about the problems you are
addressing, and that is specifically the reason there is no notification
event for the same.
Well, I want to monitor certain events that these processes might generate;
I want to generate logs of operations these processes might do, such as
open, close and modify files, etc.
amitrajit
I use as the crude measure, that process init is the time from when the
PsSetCreateProcessNotifyRoutine has its callback to the time the
PsSetLoadImageNotifyRoutine has its first callback for the process.
Basically, this is from when the kernel creates the EPROCESS structure to
when the executable file (but not any of the libraries) is run. This is
about all you can get, since there is nothing you can rely on after this.
–
Don Burn (MVP, Windows DDK)
Windows 2k/XP/2k3 Filesystem and Driver Consulting
Remove StopSpam from the email to reply
But how reliable is this time measurement? Not very much, I guess.
Dmitry
Questions? First check the Kernel Driver FAQ at
http://www.osronline.com/article.cfm?id=256
You are currently subscribed to ntdev as: unknown lmsubst tag argument: ''
To unsubscribe send a blank email to xxxxx@lists.osr.com
Dmitry,
which article are you talking about, PMon? PMon uses API hooking, doesn’t
it? I thought hooking is *not* the right way to get stuff done? Or is it the
only way in this case?
amitr0
Hooking is not the right way to track things like file operations, which is
what you mentioned. Use a file system filter for this. Now on to your
question of timing reliability: the callbacks occur as part of the process
create and at the end of the image load; this is pretty reliable for timing
(given the crude measure of what “process init” is).
You started talking about tracking process init, then about monitoring file
system events, then raised timing issues. Give the group a good overview of
the capabilities you need, and I suspect we will be able to suggest
approaches.
–
Don Burn (MVP, Windows DDK)
Windows 2k/XP/2k3 Filesystem and Driver Consulting
Remove StopSpam from the email to reply
Dmitry
Right Sir,
Here is what the client demands.
We need a way to track operations on certain files called “protected files”.
These files need to be monitored for copy/paste/cut/email/zip and all other
sorts of operations that can potentially lead to passing of protected data
outside the protected zone. (I had made a post about this project earlier
also, if you recall).
There is a prototype available with us, a very badly made proof of concept;
those guys have hooked almost all the damned APIs available in the system,
used MSAA, and even drivers to achieve a *very small subset* of the features
expected, that too without guarantee of success.
We are required to find the feasibility of the project, and if possible do
it.
It was suggested to me earlier (and I know it is correct) that making the system
work with the current approach is close to impossible.
The reason they want to know the ProcessInit completion notification is
because they want to inject their own DLL into the process space which hooks
the APIs like LoadLibrary etc. and changes the IATs.
My job is to…
a. Find a better way of getting the ProcessInit completion notification;
currently they poll it to see if it is complete (maybe using a driver).
b. Suggest a better solution than injecting into the IAT.
I asked point ‘a’ here.
amitrajit
Can it be that user-mode debug APIs will help you out?
You will rely on having SE_DEBUG privilege, of course.
I wrote a thing I call superStart which starts process(es)
(or attaches to an existing one) and gets standard debug
notifications about everything. It was intended as a “tracer”,
not as a debugger; debug APIs just happen to give me what
I needed.
Sample log for a test app startMeU.exe when started through superStart
(you may ignore “one loop took” info):
. . .
pid/tid 2196/820: created a target process
superStart: one loop took 0.000448 secs
pid/tid 2196/820: loaded <ntdll.dll> at 0x7c900000
superStart: one loop took 0.003340 secs
pid/tid 2196/2888: created a thread
superStart: one loop took 0.000187 secs
pid 2196=0x894: module #0, full path <f:>
base address=0x400000 size=0x11000 entry point=0x401d46
pid 2196=0x894: module #1, full path <c:>
base address=0x7c900000 size=0xb0000 entry point=0x7c913156
pid/tid 2196/2888: loaded <c:> at 0x7c800000
superStart: one loop took 0.000479 secs
pid 2196=0x894: module #2, full path <c:>
base address=0x7c800000 size=0xf4000 entry point=0x7c80b436
pid/tid 2196/2888: loaded <f:> at 0x10000000
superStart: one loop took 0.002183 secs
pid 2196=0x894: module #3, full path <f:>
base address=0x10000000 size=0xc000 entry point=0x10001581
pid/tid 2196/2888: got a 1st chance continuable exception EXCEPTION_BREAKPOINT at address 0x7c901230
superStart: one loop took 0.002907 secs
pid/tid 2196/2888: loaded Unknown DLL, wait a little …
superStart: one loop took 0.000717 secs
pid 2196=0x894: module #4, full path <f:>
base address=0x470000 size=0x25000 entry point=0x474240
pid/tid 2196/2888: loaded <c:> at 0x77d40000
superStart: one loop took 0.000569 secs
pid 2196=0x894: module #5, full path <c:>
base address=0x77d40000 size=0x90000 entry point=0x77d50eb9
. . .
etc.
----- Original Message -----
From: Developer
To: Windows System Software Devs Interest List
Sent: Tuesday, November 22, 2005 8:58 AM
Subject: [ntdev] Initializing a process
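Both Don's create-to-first-image measure and the superStart trace above pick "init complete" out of a stream of loader events. The Python below is an added example, not superStart's or Don's code: it parses superStart-style lines, rebuilds a relative clock from the "one loop took" durations, and for each pid reports the create-to-first-image delay and which DLLs were mapped before the initial EXCEPTION_BREAKPOINT (raised by the loader once the static imports are mapped, before the entry point runs) versus loaded later at runtime. The sample lines are constructed: module paths are made up, the loop durations are copied from the quoted trace.

```python
import re
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample in superStart's format: paths are made up, the loop
# durations mirror the trace quoted in the thread.
SAMPLE_LOG = """\
pid/tid 2196/820: created a target process
superStart: one loop took 0.000448 secs
pid/tid 2196/820: loaded <c:\\windows\\system32\\ntdll.dll> at 0x7c900000
superStart: one loop took 0.003340 secs
pid/tid 2196/2888: created a thread
superStart: one loop took 0.000187 secs
pid/tid 2196/2888: loaded <c:\\windows\\system32\\kernel32.dll> at 0x7c800000
superStart: one loop took 0.000479 secs
pid/tid 2196/2888: loaded <f:\\sample\\helper.dll> at 0x10000000
superStart: one loop took 0.002183 secs
pid/tid 2196/2888: got a 1st chance continuable exception EXCEPTION_BREAKPOINT at address 0x7c901230
superStart: one loop took 0.002907 secs
pid/tid 2196/2888: loaded Unknown DLL, wait a little ...
superStart: one loop took 0.000717 secs
pid/tid 2196/2888: loaded <c:\\windows\\system32\\user32.dll> at 0x77d40000
superStart: one loop took 0.000569 secs
"""

EVENT_RE = re.compile(r"^pid/tid (\d+)/(\d+): (.*)$")
LOOP_RE = re.compile(r"^superStart: one loop took ([0-9.]+) secs$")
LOADED_RE = re.compile(r"^loaded <([^>]+)> at (0x[0-9a-fA-F]+)$")

@dataclass
class ProcessInit:
    pid: int
    static_modules: list = field(default_factory=list)   # mapped before the initial breakpoint
    runtime_modules: list = field(default_factory=list)  # LoadLibrary/delay-load afterwards
    time_to_first_image: Optional[float] = None  # Don's crude create-to-first-image measure
    time_to_breakpoint: Optional[float] = None   # loader-visible "static imports mapped"
    seen_breakpoint: bool = False

def analyze(log_text: str) -> dict:
    # single pass over the trace; the relative clock is the running sum of loop durations
    procs, created_at, clock = {}, {}, 0.0
    for line in log_text.splitlines():
        m = LOOP_RE.match(line)
        if m:
            clock += float(m.group(1))
            continue
        m = EVENT_RE.match(line)
        if not m:
            continue  # module-table lines and other chatter are not needed here
        pid, what = int(m.group(1)), m.group(3)
        if what == "created a target process":
            procs[pid] = ProcessInit(pid)
            created_at[pid] = clock
            continue
        proc = procs.get(pid)
        if proc is None:
            continue  # event for a process whose creation was not traced
        lm = LOADED_RE.match(what)
        if lm:  # "loaded Unknown DLL" carries no <path>, so it is deliberately dropped here
            module = (lm.group(1), int(lm.group(2), 16))
            if proc.time_to_first_image is None:
                proc.time_to_first_image = clock - created_at[pid]
            (proc.runtime_modules if proc.seen_breakpoint else proc.static_modules).append(module)
        elif "EXCEPTION_BREAKPOINT" in what and not proc.seen_breakpoint:
            # only the first breakpoint is the loader's; later ones belong to the app
            proc.seen_breakpoint = True
            proc.time_to_breakpoint = clock - created_at[pid]
    return procs

def summarize(proc: ProcessInit) -> str:
    fmt = lambda t: "n/a" if t is None else f"{t:.6f}s"
    return (f"pid {proc.pid}: first image {fmt(proc.time_to_first_image)}, "
            f"initial breakpoint {fmt(proc.time_to_breakpoint)}, "
            f"{len(proc.static_modules)} static / {len(proc.runtime_modules)} runtime DLLs")
```

Calling `summarize(p)` for each `p` in `analyze(SAMPLE_LOG).values()` gives the per-process one-liner; anything loaded after the breakpoint is the part of "init" that Don says never reliably completes.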
Sorry, but you have basically an impossible job if you want to do this
correctly. I’ve turned down a few of these lately (and turning down work
hurts!), because the customer does not understand that this cannot reliably
be done.
A “protected file” still has to be readable, or otherwise deleting it with a
mil-spec file deletion will protect it from access perfectly. Once an
application can read the file, there is nothing that you can do to stop
someone writing the data. Yes, you can block some actions, but I can always
come up with an approach that is allowed. Unless you want to say that any
application that reads this info cannot in any way write any data, which
makes the application basically worthless.
–
Don Burn (MVP, Windows DDK)
Windows 2k/XP/2k3 Filesystem and Driver Consulting
Remove StopSpam from the email to reply
Don,
I absolutely agree with you, this approach has too many holes to plug.
But still we are *getting paid* for doing this research, so why not at least
learn the intrinsics of the OS.
amitrajit
It depends on what your customer thinks they are getting. The number of
inquiries I get that start with “We had a firm (or consultant) developing a
product for us, the product is almost done, we just need a little help from
an expert, …” is scary. In almost every case, the consultant knew (at
some point along the way) that the approach would not work, but kept billing
the company.
The problem with this is that firms start thinking all consultants are
crooks, which does not help those of us who are professional.
–
Don Burn (MVP, Windows DDK)
Windows 2k/XP/2k3 Filesystem and Driver Consulting
Remove StopSpam from the email to reply
Which demonstrates the importance of having a good reputation. Somehow,
I suspect there are some execs at Sony right now that wish they hadn’t
gone with the lowest bidder.
Regards,
Tony
Tony Mason
Consulting Partner
OSR Open Systems Resources, Inc.
http://www.osr.com
Don,
again you are correct, and I appreciate your views. Here that is not the
case; we have been given a prototype, and a specific time frame to do some
research on it and enhance it. If at the end of that we find that it is not
going to work, which we have already found out to some extent and covered,
the project just terminates.
By the way sir, as you are an expert, may I ask you another question
(of course, anyone else who can answer is welcome also)…
The technique we use here to track a file on the client requires us to
create some sort of a table (in a separate file) that keeps version info
about the files and upload them to servers. This table file exists in the
same folder as the protected doc and is modified every time some operations
are done on it; however, these operations are sent to the server as logs and
the log entries corresponding to the unique id of the file are updated.
I find some serious flaws in this approach.
1. The table file is hidden away from the users not by attributes, but by
hooking the find first and find next functionalities. It is not only wrong
because hooking is not a good approach, but also because we are deliberately
hiding a named file!
2. Creating a meta file to track another object is in itself tricky and
prone to errors. For example, when we move the protected file to another
folder, the table also needs to be moved. Also, when we zip the folder
containing the protected doc this file gets zipped, thus in that case we
need to patch find first and next again! Also if just the protected doc is
zipped then the table is lost and we are in a soup :). These were some of
the minor problems faced by us.
What I suggested was, instead of this approach, why not use an FS filter that
appends this table to the file itself. In FS filters we can find out which
process made a call for the file; if it is the privileged app, then we can
remove the table and show the file, in all other cases the entire file is
sent up; however, since the header info was not expected by the third-party
reader, they cannot read it. Zipping is also possible without patching
several places and jacking up half of the kernel.
Do you think this will work?
Please recommend and/or criticize this approach of mine.
amitrajit
Your basic idea is fine; similar things have been done with encryption of
the file. The devil is in the details: changing the size of a file has all
kinds of fun implications; search the NTFSD archives for discussions of
this. What you want to do is basically doable, but it is a lot of work, and
it still means that once the file is opened by “an approved application” all bets
are off. Say it is an MS-Word file: once opened, copy and paste can get the
data, saving to another file will get the data, saving as text will get the
data, …
–
Don Burn (MVP, Windows DDK)
Windows 2k/XP/2k3 Filesystem and Driver Consulting
Remove StopSpam from the email to reply
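Amitrajit's FS-filter idea and Don's warning that changing the file size has implications, as an added example that is not code from the thread: a constructed header format carrying the tracking table inside the protected file, with the two views a filter would have to keep consistent, the privileged app seeing only the payload (offsets and size translated) and every other process seeing the raw image, header included. The PTBL magic, the JSON table and the 32-bit length field are my assumptions; the page fixes no on-disk format.

```python
import json
import struct
from dataclasses import dataclass

MAGIC = b"PTBL"  # constructed magic; nothing in the thread fixes a header format
HDR_FIXED = len(MAGIC) + 4  # magic + little-endian 32-bit table length

@dataclass
class HeaderedFile:
    """On-disk image = header (tracking table) + the original document bytes.
    This models what the filter would see below it; read()/size() model what
    it would hand back up depending on who is asking."""
    image: bytes

    @classmethod
    def wrap(cls, payload: bytes, table: dict) -> "HeaderedFile":
        body = json.dumps(table, sort_keys=True).encode()
        return cls(MAGIC + struct.pack("<I", len(body)) + body + payload)

    @property
    def header_len(self) -> int:
        # a file without our header (e.g. copied in from outside) passes through untouched
        if len(self.image) < HDR_FIXED or not self.image.startswith(MAGIC):
            return 0
        body_len = struct.unpack_from("<I", self.image, len(MAGIC))[0]
        return HDR_FIXED + body_len

    def table(self) -> dict:
        n = self.header_len
        return json.loads(self.image[HDR_FIXED:n]) if n else {}

    def size(self, approved: bool) -> int:
        # the filter must report the payload size to the approved app, otherwise every
        # offset the app computes from the size (appends, seeks to EOF) is off by header_len
        return len(self.image) - (self.header_len if approved else 0)

    def read(self, offset: int, length: int, approved: bool) -> bytes:
        # approved callers address the payload; everyone else gets the raw image, so a
        # third-party reader finds the header bytes where it expected the document
        if offset < 0 or length < 0:
            raise ValueError("negative offset or length")
        base = self.header_len if approved else 0
        return self.image[base + offset: base + offset + length]

def demo() -> dict:
    payload = b"Hello protected world"  # constructed document bytes
    hf = HeaderedFile.wrap(payload, {"id": "doc-0001", "version": 3})
    return {
        "approved_size": hf.size(True),
        "raw_size": hf.size(False),
        "approved_head": hf.read(0, 5, True),
        "raw_head": hf.read(0, 4, False),
        "approved_past_eof": hf.read(len(payload), 8, True),
        "table": hf.table(),
    }
```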
Absolutely correct, Don,
after opening my module is helpless, but there are others working on
solutions on that, like MSAA etc. But I don’t have hopes on those; after all,
how big an app knowledge base can we keep!!! Word in itself has so many
versions with some of the menus customizable!!!
Still it is safer in the sense that…
such apps as ours are run in environments where users are restricted not
to have install rights, thus only software preinstalled and tuned for the
tracer will be there.
Even if the user manages to email himself his favourite Word reader that
doesn’t need installation, if I use the driver, then the additional header is
bound to confuse it. In fact, we can even write a small helper driver that
restricts processes which are not in the “safe” list. I know, I know it has
lots of problems, like even a simple compiled exe by a developer will run
into trouble…
The fear of getting caught is also a great factor for people to stop
doing it.
USB etc. will be disabled, no doubt CD-RWs are not permissible, and as
somebody from Panasonic suggested some time back, camera phones prohibited.
I know I might sound paranoid, but that is precisely what I will tell the
client: you want this stuff to work, do these, and then some day you need to
install Office 2003 over Office 2K, call us so that we can redo the code. I
don’t think there is any other way to do it.
After all, as they say, “If you don’t trust your own people, who do you
trust”.
amitrajit
Tony,
A good reputation helps, but the lowlifes are still hurting all of us.
I tell a tale of a company that wanted a file system; they contacted me and
I suggested they tighten up their specification and I would do it for a
fixed-price bid of around $250K plus the cost of the OSR File system kit.
Instead they went overseas to a firm that had been written up in a number of
magazines talking about how good offshoring was. The firm offered a low
hourly rate that got them the contract. The company spent over $1,000,000
with the consulting firm and got “toxic waste”; in the end the company
decided not to deal with consultants again!
The real kicker is I have told this story multiple times, and each
time someone comes to me and says “yeah, I know about that contract, company
X really messed up”. So far, no one has gotten the correct name of the
company; they know of yet another company that has given up on consulting!
–
Don Burn (MVP, Windows DDK)
Windows 2k/XP/2k3 Filesystem and Driver Consulting
Remove StopSpam from the email to reply
I wonder what you’re going to do when Word switches to entirely XML for
its file format :-), and anyone can read/write anything in the file
with something as simple as Notepad…
I’m also guessing that you don’t care if they just read the information
off the screen and type it into some other app? The analog hole is
pretty much unpluggable.
Since you’re looking at something that’s inherently unpluggable, and
relying mostly on security through obscurity and intimidation, I’m
wondering why you don’t just use a Windows message hook (and the
clipboard API) and look for the data being passed those ways. No, it
won’t catch all the possible routes, but nothing will and it’s a hell of
a lot easier to implement.
–
Ray