Is it possible to track WriteProcessMemory call???

Hi All,

Is it really possible to track WriteProcessMemory user mode call at driver level???

Thanks

this exact topic was discussed 11 days ago…do a search

On Tue, Dec 13, 2016 at 2:29 AM, wrote:

> Hi All,
>
> Is it really possible to track WriteProcessMemory user mode call at driver
> level???
>
> Thanks
>
> —
> NTDEV is sponsored by OSR
>
> MONTHLY seminars on crash dump analysis, WDF, Windows internals and
> software drivers!
>
> To unsubscribe, visit the List Server section of OSR Online at
> http://www.osronline.com/page.cfm?name=ListServer

The only feasible solution is user mode hooking from a driver.

You don’t have access to internals of memory and process management and are not allowed to place hooks in the kernel. The much-discussed solution with a hypervisor has a compatibility issue: your driver should either provide nested virtualization for other products that require access to CPU virtualization or be compatible with nested virtualization from other providers (like Hyper-V). There are a number of antiviruses that employ hardware virtualization which would possibly conflict with your implementation.

>The much-discussed solution with a hypervisor has a compatibility issue,

so does user mode hooking

On Tue, Dec 13, 2016 at 11:09 PM, wrote:

> The only feasible solution is user mode hooking from a driver.
>
> You don’t have access to internals of memory and process management and
> are not allowed to place hooks in the kernel. The much-discussed solution
> with a hypervisor has a compatibility issue: your driver should either
> provide nested virtualization for other products that require access to
> CPU virtualization or be compatible with nested virtualization from other
> providers (like Hyper-V). There are a number of antiviruses that employ
> hardware virtualization which would possibly conflict with your
> implementation.
>

> so does user mode hooking

The man-time required to solve them is orders of magnitude less for user mode hooks.

It is useless because there is a very easy way to circumvent the protection:

WriteProcessMemory calls the system service ZwWriteVirtualMemory. This is a system call, so its assembler code is just a few instructions. All you need to know about a system call is its number.

Provided that you have the prototype of the function and the number of the system call, then you can add the system call to your binary (.exe) via inline assembler (x86) or with a .asm file (x64) and then make the system call without using NTDLL.DLL.

Hooking WriteProcessMemory or NTDLL.DLL is just useless here.

I think the OP wanted to just track WriteProcessMemory() call. Not sure if
he is building some protection mechanism out of it.

On Fri, Dec 16, 2016 at 5:16 AM, wrote:

> It is useless because there is a very easy way to circumvent the
> protection:
>
> WriteProcessMemory calls the system service ZwWriteVirtualMemory. This is
> a system call, so its assembler code is just a few instructions. All you
> need to know about a system call is its number.
>
> Provided that you have the prototype of the function and the number of the
> system call, then you can add the system call to your binary (.exe) via
> inline assembler (x86) or with a .asm file (x64) and then make the system
> call without using NTDLL.DLL.
>
> Hooking WriteProcessMemory or NTDLL.DLL is just useless here.
>

There is also the case where kernel mode code uses KeStackAttachProcess to write directly to the process’s address space.

This is roughly what NtWriteVirtualMemory does.