Inspiration

Recent questions (and ANSWERS!) about hooking (etc…) made me think there should be
a new utility from OSR/SysInternals.
This new utility should try to find all hooked APIs in the system,
naming the driver/module that has hooked something. This would allow
us to look at what is going on in kernel land. We can then decide to ban
that driver from the system.

Hmm, it is x-mas time and trolls are lurking around these days.

Norbert.
“I like you, but I wouldn’t want to see you working with subatomic
particles.”

Bah. Just use Windbg :stuck_out_tongue:

----- Original Message -----
From: “Norbert Kawulski”
To: “Windows System Software Devs Interest List”
Sent: Wednesday, December 15, 2004 7:03 PM
Subject: [ntdev] Inspiration

> Recent questions (and ANSWERS!) about hooking (etc…) made me think there
should be
> a new utility from OSR/SysInternals.
> This new utility should try to find all hooked api’s in the system.
> Naming the driver/module that has hooked something. This would allow
> us to look what is going on in kernel land. We then can decide to ban
> that driver from the system.
>
> Hmm, it is x-mas time and trolls are lurking around these days.
>
> Norbert.
> “I like you, but I wouldn’t want to see you working with subatomic
> particles.”
>
>
> —
> Questions? First check the Kernel Driver FAQ at
http://www.osronline.com/article.cfm?id=256
>
> You are currently subscribed to ntdev as: xxxxx@rdsor.ro
> To unsubscribe send a blank email to xxxxx@lists.osr.com

Too laborious :wink: Maybe for checking the system service table, but do you really want to examine all possibly hooked functions by hand?

Best regards,

Michal Vodicka
UPEK, Inc.
[xxxxx@upek.com, http://www.upek.com]


From: xxxxx@lists.osr.com[SMTP:xxxxx@lists.osr.com] on behalf of Dan Partelly[SMTP:xxxxx@rdsor.ro]
Reply To: Windows System Software Devs Interest List
Sent: Wednesday, December 15, 2004 7:05 PM
To: Windows System Software Devs Interest List
Subject: Re: [ntdev] Inspiration

Bah. Just use Windbg :stuck_out_tongue:


Heh, I bet I would have a pretty good idea as to what is hooking what even
before I fire up a debugger.

Dan


Maybe. I’m afraid you expect “hookers” to behave reasonably, that their effort makes sense and that assumptions can be made according to their goals. It should be the case, but after reading some questions in this list I doubt it. Never underestimate fools’ invention :wink:

Best regards,

Michal Vodicka
UPEK, Inc.
[xxxxx@upek.com, http://www.upek.com]




Try VICE…

http://www.rootkit.com/project.php?id=20

From the project description…

VICE is a tool to find hooks.
Features include:

  1. Looks for people hooking IATs.
  2. Looks for people hooking functions in-line aka detouring.
  3. Looks for hooks in the System Call Table. Thanks to Tan perhaps it
    will fix the table in the future.
  4. Looks for detour hooks in the System Call Table functions themselves.
  5. Looks for people hooking IRP_MJ table in drivers. This is
    configurable by driver.ini.

John Alderson

> Norbert Kawulski wrote:

> This new utility should try to find all hooked api’s in the system.
>

John Alderson wrote:

Try VICE…

http://www.rootkit.com/project.php?id=20

Pretty cool (and available in executable form only).

Thanks, John, for the pointer. Some scary shit on that site. “How to
hide a driver from the Object Manager” was one of my favorites (when
“Removing the driver from the PsLoadedModuleList is not good enough”).
Yikes!!

Peter
OSR

Norbert,

Check out SDTRestore: http://www.security.org.sg/code/sdtrestore.html

Source code is included.


Marco [www.neovalens.com]

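The checks that the VICE feature list and the SDTRestore pointer in this thread describe (range-testing dispatch table entries, diffing a live table against a pristine copy, and looking at function prologues for an inline detour) reduced to a user-mode model, as an added example that is not code from the thread, from VICE or from SDTRestore. The module layout, the table contents and the instruction bytes are constructed for the example, and the names (`module_t`, `check_table`, `diff_table`, `check_prologue`, `scan_constructed`) are hypothetical; a real scanner would read the live table and image ranges from the running kernel instead.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* A loaded image as a hook checker sees it: name, base address, size.
 * Both modules below are constructed for the example, not a real layout. */
typedef struct { const char *name; uintptr_t base; size_t size; } module_t;

static const module_t KERNEL = { "ntoskrnl.exe (constructed)", 0x80400000u, 0x200000u };
static const module_t HOOKER = { "hooker.sys (constructed)",   0xF8000000u, 0x010000u };
static const module_t *const MODULES[2] = { &KERNEL, &HOOKER };

static int in_module(const module_t *m, uintptr_t addr) {
    return addr >= m->base && addr < m->base + m->size;
}

/* Names the module an address falls into (what the thread asks for), or NULL. */
static const module_t *owner_of(uintptr_t addr) {
    for (size_t i = 0; i < 2; i++)
        if (in_module(MODULES[i], addr)) return MODULES[i];
    return NULL;
}

/* Check 1, range test: every entry of a dispatch table (the SSDT, a driver's
 * IRP_MJ table, or an IAT slot tested against the exporting module) should
 * point into the image that owns the code. Returns how many entries do not,
 * writing their indices to `out`. */
static size_t check_table(const uintptr_t *table, size_t n,
                          const module_t *owner, size_t *out) {
    size_t hits = 0;
    for (size_t i = 0; i < n; i++)
        if (!in_module(owner, table[i])) out[hits++] = i;
    return hits;
}

/* Check 2, pristine comparison (SDTRestore rebuilds the reference copy from
 * the on-disk image): a hook that points back into the owning module passes
 * the range test but not this one. */
static size_t diff_table(const uintptr_t *live, const uintptr_t *pristine,
                         size_t n, size_t *out) {
    size_t hits = 0;
    for (size_t i = 0; i < n; i++)
        if (live[i] != pristine[i]) out[hits++] = i;
    return hits;
}

/* Check 3, inline detour: classify the first instruction of a function body.
 * `E9 rel32` is jmp rel32, `FF 25` is jmp through an absolute pointer. A jmp
 * at a function entry is a signal, not proof (tail jumps and hot-patch stubs
 * exist), so a real scanner also diffs the bytes against the on-disk image. */
typedef enum { PROLOGUE_CLEAN, PROLOGUE_JMP_INSIDE,
               PROLOGUE_JMP_OUTSIDE, PROLOGUE_JMP_INDIRECT } prologue_t;

static prologue_t check_prologue(const uint8_t *code, uintptr_t code_va,
                                 const module_t *owner) {
    if (code[0] == 0xE9) {
        int32_t rel;
        memcpy(&rel, code + 1, sizeof rel);               /* little-endian rel32 */
        uintptr_t target = code_va + 5 + (intptr_t)rel;   /* relative to next insn */
        return in_module(owner, target) ? PROLOGUE_JMP_INSIDE : PROLOGUE_JMP_OUTSIDE;
    }
    if (code[0] == 0xFF && code[1] == 0x25) return PROLOGUE_JMP_INDIRECT;
    return PROLOGUE_CLEAN;
}

/* Constructed scenario: a four-entry table whose entry 2 was redirected into
 * hooker.sys, and a function at 0x80401000 whose first instruction was
 * overwritten with `jmp 0xF8001000`. */
static const uintptr_t PRISTINE[4] = { 0x80401000u, 0x80402000u, 0x80403000u, 0x80404000u };
static const uintptr_t LIVE[4]     = { 0x80401000u, 0x80402000u, 0xF8001000u, 0x80404000u };
/* rel32 = 0xF8001000 - (0x80401000 + 5) = 0x77BFFFFB, stored little-endian */
static const uint8_t PATCHED_ENTRY[8] = { 0xE9, 0xFB, 0xFF, 0xBF, 0x77, 0x90, 0x90, 0x90 };
/* mov edi,edi; push ebp; mov ebp,esp: the usual hot-patchable prologue, untouched */
static const uint8_t CLEAN_ENTRY[8]   = { 0x8B, 0xFF, 0x55, 0x8B, 0xEC, 0x90, 0x90, 0x90 };

/* Runs all three checks over the constructed data; returns the finding count. */
static size_t scan_constructed(void) {
    size_t idx[4], findings = 0, n;

    n = check_table(LIVE, 4, &KERNEL, idx);
    for (size_t i = 0; i < n; i++) {
        const module_t *m = owner_of(LIVE[idx[i]]);
        printf("table[%zu] -> %#lx leaves %s, lands in %s\n", idx[i],
               (unsigned long)LIVE[idx[i]], KERNEL.name, m ? m->name : "no known module");
    }
    findings += n;

    n = diff_table(LIVE, PRISTINE, 4, idx);
    for (size_t i = 0; i < n; i++)
        printf("table[%zu] differs from pristine copy\n", idx[i]);
    findings += n;

    if (check_prologue(PATCHED_ENTRY, 0x80401000u, &KERNEL) != PROLOGUE_CLEAN) {
        printf("function at 0x80401000 starts with a jmp (inline detour?)\n");
        findings++;
    }
    if (check_prologue(CLEAN_ENTRY, 0x80401000u, &KERNEL) != PROLOGUE_CLEAN)
        findings++;   /* not expected for the untouched prologue */
    return findings;
}

int main(void) {
    printf("%zu finding(s)\n", scan_constructed());
    return 0;
}
```

Entry 2 is caught twice on purpose: the range test says which module the redirect lands in (the naming Norbert asked for), while the diff against the pristine copy is what still fires when a hook stays inside the owning image. Neither test sees the detour in the function body, which is why VICE lists the prologue walk as a separate feature.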

Thanks to John Alderson and Marco Peretti
for pointing out these sites.
Yes Peter, it is scary. My paranoia grows…
But because modifying the SDT is only one form of hooking and there
are many more forms of patching at runtime, my proposed utility seems
to be impossible (imperfect).
Norbert.

“A professor is one who talks in someone else’s sleep.”
---- snip ----

There are other potentially very dangerous techniques, such as determining
the addresses of internal kernel synchronization objects
and using them in your code to accomplish black magic. I had to use
such techniques in the past.

On the other hand, there are cases in which you simply can't accomplish
what you want without performing dangerous things. My position on
this is that you should always use the least intrusive technique, and
always inform your customer about what you did to make their request
possible. Debugging and analysis tools are just an example. There are others.

About identifying such things, I maintain my statement that a debugger is your best
friend. You should be able, with minimal effort, to determine the most used
methods of hooking, if you know where you should look for them.
As for the product which so far, to my knowledge, has the biggest number of
hooks installed, it's NuMega NTICE.

Use educated guesses to determine whether a third party driver you
installed uses hooking, and a debugger and a minimal analysis will reveal
more than you think.

Norbert, don't grow paranoid. It's futile =)

Dan
