KPEB

Reading the loaded module list from the kernel is quite possible but not
SAFE :

typedef struct _PEB_LDR_DATA

{

ULONG Length;

BOOLEAN Initialized;

PVOID SsHandle;

LIST_ENTRY InLoadOrderModuleList;

LIST_ENTRY InMemoryOrderModuleList;

LIST_ENTRY InInitializationOrderModuleList;

PVOID EntryInProgress;

} PEB_LDR_DATA, *PPEB_LDR_DATA;

typedef struct _LDR_DATA_TABLE_ENTRY

{

LIST_ENTRY InLoadOrderLinks;

LIST_ENTRY InMemoryOrderLinks;

LIST_ENTRY InInitializationOrderLinks;

PVOID DllBase;

PVOID EntryPoint;

ULONG SizeOfImage;

UNICODE_STRING FullDllName;

UNICODE_STRING BaseDllName;

…

}

typedef struct _PEB

{

unsigned char _pad[0x00c]; //XP SP2 offset

PEB_LDR_DATA Ldr;

…

}

After you obtain the address of the PEB of the process, you can obtain the
address of the loader data encapsulated as

struct_PEB_LDR_DATA . Within this structure there are InXXXOrderModuleLists
links which links the module information in _LDR_DATA_TABLE_ENTRY

strucures.

I have not tested this but the strategy must work.

However, this method is not thread SAFE. The driver must ensure serial
access to these links and ensure that that data is valid!

When you look at the PEB structure, you see a member called LoaderLock which
is used by nt loader thorugh RTlXXXCriticalSection native api functions to
syncronize loader related operations on the PEB.

Indeed from the security point of view, PEB of a process is accessible from
the user mode so accessing and basing the operations on the user
manipulatable data from the driver is conceptually unsafe.

What if a rootkit changes the links in these data structure which may lead
to an infinite loop at the driver level or something else?

It is better to face such conditions at the user level.

Look at the documentation of PsSetLoadImageNotifyRoutine in DDK help. it may
be useful.

Good luck,

Egemen Tas

-------Original Message-------

From: xxxxx@wipro.com

Date: 01/18/05 10:40:52

To: Windows System Software Devs Interest List

Subject: [ntdev] KPEB

Hi,

I wanted to implement a hooking function same like Regmon. I could able to
hook to registry and could able to read the process information block (KPEB)
I want to know some of the clarifications and pointers.

Is it possible to read what are the modules(dll) that are loaded by the user
application from kernel mode ? If it is can we know which is the present
module that is running in the user space ?

Presently I have hooked to registry call. Any call to registry will invoke
my function first and from my function I will call the actual registry
function. The registry call from user application may be done from listed
dlls of a particular process. Is it possible to know which module has called
my registry function.

Any suggestions will be helpful.

Thanks and Regards,

Abhiman.

Questions? First check the Kernel Driver FAQ at http://www.osronline
com/article.cfm?id=256

You are currently subscribed to ntdev as: unknown lmsubst tag argument: ‘’

To unsubscribe send a blank email to xxxxx@lists.osr.com

ACTUALLY, the last idiot who said that looking at the loaded module list was
safe was trying to justify to one of my customers why their system crashed
thanks to his CRAP. Big deal you have the undocumented structures, unless
you can coordinate with the rest of the kernel on access to this list you
are likely to crash.

This is really stupid to do this since you can either use
PsSetLoadImageNotifyRoutine and build the list yourself, this is completely
safe and documented.

To the original poster, don’t look up KPEB in the archives, look up hooking
and understand you are producing something that is a very bad idea.

–
Don Burn (MVP, Windows DDK)
Windows 2k/XP/2k3 Filesystem and Driver Consulting
Remove StopSpam from the email to reply

“Egemen Tas” wrote in message news:xxxxx@ntdev…
> Reading the loaded module list from the kernel is quite possible but not
> SAFE :
>
>
>
> typedef struct _PEB_LDR_DATA
>
> {
>
> ULONG Length;
>
> BOOLEAN Initialized;
>
> PVOID SsHandle;
>
> LIST_ENTRY InLoadOrderModuleList;
>
> LIST_ENTRY InMemoryOrderModuleList;
>
> LIST_ENTRY InInitializationOrderModuleList;
>
> PVOID EntryInProgress;
>
> } PEB_LDR_DATA, *PPEB_LDR_DATA;
>
>
>
> typedef struct _LDR_DATA_TABLE_ENTRY
>
> {
>
> LIST_ENTRY InLoadOrderLinks;
>
> LIST_ENTRY InMemoryOrderLinks;
>
> LIST_ENTRY InInitializationOrderLinks;
>
> PVOID DllBase;
>
> PVOID EntryPoint;
>
> ULONG SizeOfImage;
>
> UNICODE_STRING FullDllName;
>
> UNICODE_STRING BaseDllName;
>
> …
>
> }
>
>
>
> typedef struct _PEB
>
> {
>
> unsigned char _pad[0x00c]; //XP SP2 offset
>
> PEB_LDR_DATA Ldr;
>
> …
>
> }
>
>
>
> After you obtain the address of the PEB of the process, you can obtain the
> address of the loader data encapsulated as
>
> struct_PEB_LDR_DATA . Within this structure there are
InXXXOrderModuleLists
> links which links the module information in _LDR_DATA_TABLE_ENTRY
>
> strucures.
>
>
>
> I have not tested this but the strategy must work.
>
>
>
> However, this method is not thread SAFE. The driver must ensure serial
> access to these links and ensure that that data is valid!
>
> When you look at the PEB structure, you see a member called LoaderLock
which
> is used by nt loader thorugh RTlXXXCriticalSection native api functions to
> syncronize loader related operations on the PEB.
>
>
>
> Indeed from the security point of view, PEB of a process is accessible
from
> the user mode so accessing and basing the operations on the user
> manipulatable data from the driver is conceptually unsafe.
>
> What if a rootkit changes the links in these data structure which may lead
> to an infinite loop at the driver level or something else?
>
> It is better to face such conditions at the user level.
>
>
>
> Look at the documentation of PsSetLoadImageNotifyRoutine in DDK help. it
may
> be useful.
>
>
>
> Good luck,
>
>
>
> Egemen Tas
>
>
>
>
>
>
>
>
>
> -------Original Message-------
>
>
>
> From: xxxxx@wipro.com
>
> Date: 01/18/05 10:40:52
>
> To: Windows System Software Devs Interest List
>
> Subject: [ntdev] KPEB
>
>
>
> Hi,
>
> I wanted to implement a hooking function same like Regmon. I could able to
> hook to registry and could able to read the process information block
(KPEB)
> I want to know some of the clarifications and pointers.
>
> Is it possible to read what are the modules(dll) that are loaded by the
user
> application from kernel mode ? If it is can we know which is the present
> module that is running in the user space ?
>
> Presently I have hooked to registry call. Any call to registry will invoke
> my function first and from my function I will call the actual registry
> function. The registry call from user application may be done from listed
> dlls of a particular process. Is it possible to know which module has
called
> my registry function.
>
> Any suggestions will be helpful.
>
>
>
> Thanks and Regards,
>
> Abhiman.
>
>
>
> —
>
> Questions? First check the Kernel Driver FAQ at http://www.osronline
> com/article.cfm?id=256
>
>
>
> You are currently subscribed to ntdev as: unknown lmsubst tag argument: ‘’
>
> To unsubscribe send a blank email to xxxxx@lists.osr.com
>
>
>

maybe, but sometimes you need to load driver after some processes
already started. Process explorer (procexp) and listDll tools (both
sysinternals) shows
that it is safe.

Maxim

----- Original Message -----
From: “Don Burn”
Newsgroups: ntdev
To: “Windows System Software Devs Interest List”
Sent: Tuesday, January 18, 2005 3:24 PM
Subject: Re:[ntdev] KPEB

> ACTUALLY, the last idiot who said that looking at the loaded module list
> was
> safe was trying to justify to one of my customers why their system crashed
> thanks to his CRAP. Big deal you have the undocumented structures, unless
> you can coordinate with the rest of the kernel on access to this list you
> are likely to crash.
>
> This is really stupid to do this since you can either use
> PsSetLoadImageNotifyRoutine and build the list yourself, this is
> completely
> safe and documented.
>
> To the original poster, don’t look up KPEB in the archives, look up
> hooking
> and understand you are producing something that is a very bad idea.
>
>
> –
> Don Burn (MVP, Windows DDK)
> Windows 2k/XP/2k3 Filesystem and Driver Consulting
> Remove StopSpam from the email to reply
>
>
> “Egemen Tas” wrote in message news:xxxxx@ntdev…
>> Reading the loaded module list from the kernel is quite possible but not
>> SAFE :
>>
>>
>>
>> typedef struct _PEB_LDR_DATA
>>
>> {
>>
>> ULONG Length;
>>
>> BOOLEAN Initialized;
>>
>> PVOID SsHandle;
>>
>> LIST_ENTRY InLoadOrderModuleList;
>>
>> LIST_ENTRY InMemoryOrderModuleList;
>>
>> LIST_ENTRY InInitializationOrderModuleList;
>>
>> PVOID EntryInProgress;
>>
>> } PEB_LDR_DATA, *PPEB_LDR_DATA;
>>
>>
>>
>> typedef struct _LDR_DATA_TABLE_ENTRY
>>
>> {
>>
>> LIST_ENTRY InLoadOrderLinks;
>>
>> LIST_ENTRY InMemoryOrderLinks;
>>
>> LIST_ENTRY InInitializationOrderLinks;
>>
>> PVOID DllBase;
>>
>> PVOID EntryPoint;
>>
>> ULONG SizeOfImage;
>>
>> UNICODE_STRING FullDllName;
>>
>> UNICODE_STRING BaseDllName;
>>
>> …
>>
>> }
>>
>>
>>
>> typedef struct _PEB
>>
>> {
>>
>> unsigned char _pad[0x00c]; //XP SP2 offset
>>
>> PEB_LDR_DATA Ldr;
>>
>> …
>>
>> }
>>
>>
>>
>> After you obtain the address of the PEB of the process, you can obtain
>> the
>> address of the loader data encapsulated as
>>
>> struct_PEB_LDR_DATA . Within this structure there are
> InXXXOrderModuleLists
>> links which links the module information in _LDR_DATA_TABLE_ENTRY
>>
>> strucures.
>>
>>
>>
>> I have not tested this but the strategy must work.
>>
>>
>>
>> However, this method is not thread SAFE. The driver must ensure serial
>> access to these links and ensure that that data is valid!
>>
>> When you look at the PEB structure, you see a member called LoaderLock
> which
>> is used by nt loader thorugh RTlXXXCriticalSection native api functions
>> to
>> syncronize loader related operations on the PEB.
>>
>>
>>
>> Indeed from the security point of view, PEB of a process is accessible
> from
>> the user mode so accessing and basing the operations on the user
>> manipulatable data from the driver is conceptually unsafe.
>>
>> What if a rootkit changes the links in these data structure which may
>> lead
>> to an infinite loop at the driver level or something else?
>>
>> It is better to face such conditions at the user level.
>>
>>
>>
>> Look at the documentation of PsSetLoadImageNotifyRoutine in DDK help. it
> may
>> be useful.
>>
>>
>>
>> Good luck,
>>
>>
>>
>> Egemen Tas
>>
>>
>>
>>
>>
>>
>>
>>
>>
>> -------Original Message-------
>>
>>
>>
>> From: xxxxx@wipro.com
>>
>> Date: 01/18/05 10:40:52
>>
>> To: Windows System Software Devs Interest List
>>
>> Subject: [ntdev] KPEB
>>
>>
>>
>> Hi,
>>
>> I wanted to implement a hooking function same like Regmon. I could able
>> to
>> hook to registry and could able to read the process information block
> (KPEB)
>> I want to know some of the clarifications and pointers.
>>
>> Is it possible to read what are the modules(dll) that are loaded by the
> user
>> application from kernel mode ? If it is can we know which is the present
>> module that is running in the user space ?
>>
>> Presently I have hooked to registry call. Any call to registry will
>> invoke
>> my function first and from my function I will call the actual registry
>> function. The registry call from user application may be done from listed
>> dlls of a particular process. Is it possible to know which module has
> called
>> my registry function.
>>
>> Any suggestions will be helpful.
>>
>>
>>
>> Thanks and Regards,
>>
>> Abhiman.
>>
>>
>>
>> —
>>
>> Questions? First check the Kernel Driver FAQ at http://www.osronline
>> com/article.cfm?id=256
>>
>>
>>
>> You are currently subscribed to ntdev as: unknown lmsubst tag argument:
>> ‘’
>>
>> To unsubscribe send a blank email to xxxxx@lists.osr.com
>>
>>
>>
>
>
>
> —
> Questions? First check the Kernel Driver FAQ at
> http://www.osronline.com/article.cfm?id=256
>
> You are currently subscribed to ntdev as: xxxxx@secureol.com
> To unsubscribe send a blank email to xxxxx@lists.osr.com

Are you sure that these tools get their data in the kernel? There are
perfectly adequate ways off accessing this from user space that are safe.
Also, if your driver is trying to track stuff like this, then you should be
able to load it early, if it hooks it sure should not be dynamically loading
and unloading!

–
Don Burn (MVP, Windows DDK)
Windows 2k/XP/2k3 Filesystem and Driver Consulting
Remove StopSpam from the email to reply

“Maxim” wrote in message news:xxxxx@ntdev…
> maybe, but sometimes you need to load driver after some processes
> already started. Process explorer (procexp) and listDll tools (both
> sysinternals) shows
> that it is safe.
>
> Maxim
>
> ----- Original Message -----
> From: “Don Burn”
> Newsgroups: ntdev
> To: “Windows System Software Devs Interest List”
> Sent: Tuesday, January 18, 2005 3:24 PM
> Subject: Re:[ntdev] KPEB
>
>
> > ACTUALLY, the last idiot who said that looking at the loaded module list
> > was
> > safe was trying to justify to one of my customers why their system
crashed
> > thanks to his CRAP. Big deal you have the undocumented structures,
unless
> > you can coordinate with the rest of the kernel on access to this list
you
> > are likely to crash.
> >
> > This is really stupid to do this since you can either use
> > PsSetLoadImageNotifyRoutine and build the list yourself, this is
> > completely
> > safe and documented.
> >
> > To the original poster, don’t look up KPEB in the archives, look up
> > hooking
> > and understand you are producing something that is a very bad idea.
> >
> >
> > –
> > Don Burn (MVP, Windows DDK)
> > Windows 2k/XP/2k3 Filesystem and Driver Consulting
> > Remove StopSpam from the email to reply
> >
> >
> > “Egemen Tas” wrote in message news:xxxxx@ntdev…
> >> Reading the loaded module list from the kernel is quite possible but
not
> >> SAFE :
> >>
> >>
> >>
> >> typedef struct _PEB_LDR_DATA
> >>
> >> {
> >>
> >> ULONG Length;
> >>
> >> BOOLEAN Initialized;
> >>
> >> PVOID SsHandle;
> >>
> >> LIST_ENTRY InLoadOrderModuleList;
> >>
> >> LIST_ENTRY InMemoryOrderModuleList;
> >>
> >> LIST_ENTRY InInitializationOrderModuleList;
> >>
> >> PVOID EntryInProgress;
> >>
> >> } PEB_LDR_DATA, *PPEB_LDR_DATA;
> >>
> >>
> >>
> >> typedef struct _LDR_DATA_TABLE_ENTRY
> >>
> >> {
> >>
> >> LIST_ENTRY InLoadOrderLinks;
> >>
> >> LIST_ENTRY InMemoryOrderLinks;
> >>
> >> LIST_ENTRY InInitializationOrderLinks;
> >>
> >> PVOID DllBase;
> >>
> >> PVOID EntryPoint;
> >>
> >> ULONG SizeOfImage;
> >>
> >> UNICODE_STRING FullDllName;
> >>
> >> UNICODE_STRING BaseDllName;
> >>
> >> …
> >>
> >> }
> >>
> >>
> >>
> >> typedef struct _PEB
> >>
> >> {
> >>
> >> unsigned char _pad[0x00c]; //XP SP2 offset
> >>
> >> PEB_LDR_DATA Ldr;
> >>
> >> …
> >>
> >> }
> >>
> >>
> >>
> >> After you obtain the address of the PEB of the process, you can obtain
> >> the
> >> address of the loader data encapsulated as
> >>
> >> struct_PEB_LDR_DATA . Within this structure there are
> > InXXXOrderModuleLists
> >> links which links the module information in _LDR_DATA_TABLE_ENTRY
> >>
> >> strucures.
> >>
> >>
> >>
> >> I have not tested this but the strategy must work.
> >>
> >>
> >>
> >> However, this method is not thread SAFE. The driver must ensure serial
> >> access to these links and ensure that that data is valid!
> >>
> >> When you look at the PEB structure, you see a member called LoaderLock
> > which
> >> is used by nt loader thorugh RTlXXXCriticalSection native api functions
> >> to
> >> syncronize loader related operations on the PEB.
> >>
> >>
> >>
> >> Indeed from the security point of view, PEB of a process is accessible
> > from
> >> the user mode so accessing and basing the operations on the user
> >> manipulatable data from the driver is conceptually unsafe.
> >>
> >> What if a rootkit changes the links in these data structure which may
> >> lead
> >> to an infinite loop at the driver level or something else?
> >>
> >> It is better to face such conditions at the user level.
> >>
> >>
> >>
> >> Look at the documentation of PsSetLoadImageNotifyRoutine in DDK help.
it
> > may
> >> be useful.
> >>
> >>
> >>
> >> Good luck,
> >>
> >>
> >>
> >> Egemen Tas
> >>
> >>
> >>
> >>
> >>
> >>
> >>
> >>
> >>
> >> -------Original Message-------
> >>
> >>
> >>
> >> From: xxxxx@wipro.com
> >>
> >> Date: 01/18/05 10:40:52
> >>
> >> To: Windows System Software Devs Interest List
> >>
> >> Subject: [ntdev] KPEB
> >>
> >>
> >>
> >> Hi,
> >>
> >> I wanted to implement a hooking function same like Regmon. I could able
> >> to
> >> hook to registry and could able to read the process information block
> > (KPEB)
> >> I want to know some of the clarifications and pointers.
> >>
> >> Is it possible to read what are the modules(dll) that are loaded by the
> > user
> >> application from kernel mode ? If it is can we know which is the
present
> >> module that is running in the user space ?
> >>
> >> Presently I have hooked to registry call. Any call to registry will
> >> invoke
> >> my function first and from my function I will call the actual registry
> >> function. The registry call from user application may be done from
listed
> >> dlls of a particular process. Is it possible to know which module has
> > called
> >> my registry function.
> >>
> >> Any suggestions will be helpful.
> >>
> >>
> >>
> >> Thanks and Regards,
> >>
> >> Abhiman.
> >>
> >>
> >>
> >> —
> >>
> >> Questions? First check the Kernel Driver FAQ at http://www.osronline
> >> com/article.cfm?id=256
> >>
> >>
> >>
> >> You are currently subscribed to ntdev as: unknown lmsubst tag argument:
> >> ‘’
> >>
> >> To unsubscribe send a blank email to xxxxx@lists.osr.com
> >>
> >>
> >>
> >
> >
> >
> > —
> > Questions? First check the Kernel Driver FAQ at
> > http://www.osronline.com/article.cfm?id=256
> >
> > You are currently subscribed to ntdev as: xxxxx@secureol.com
> > To unsubscribe send a blank email to xxxxx@lists.osr.com
>
>

I don’t think anything Sysinternals does is actually “documented and safe”.
They show things that CAN BE DONE, but I’m pretty sure that none of it is
safe from a new version of Windows that changes one or more of the internal
structures that aren’t documented.

Let’s make an example. There’s a motorcycle stunt rider called Gary
Rothwell (do a search on the web if you want to learn more about him). He’s
able to do things with a motorcycle that I can only dream of doing. Does
that make the things he does safe? No.

The guys at Sysinternals are like Gary Rothwell. They have a lot of
experience in trying to do “the impossible”. They are the Gary Rothwells of
the Windows system. They do difficult things that aren’t safe and make it
look easy.

Also, Sysinternals do not charge money for the products you talk about, and
they do come with a disclaimer saying that ‘if it doesn’t work. your
problem’. Now, for everyone on this list, what that means is quite clear.

However, if someone is writing a filter-driver of some sort, that is
supposed to go out to a variety of skill-level people that are going to
install this driver, then it needs to be known to work even if the user
installs “Service Pack 3”, and even when the user runs the “XYZ”
application that some rather dodgy coder wrote to do something magical, it
should also not allow the Virus writes free passages into the kernel space
to wreak havoc.

All of these things have to be considered when writing a driver. Suggesting
that just because someone did something, it’s also safe and secur thing to
do, isn’t the best way to get secure, safe and reliable windows systems out
there.

–
Mats

xxxxx@lists.osr.com wrote on 01/18/2005 01:38:41 PM:

maybe, but sometimes you need to load driver after some processes
already started. Process explorer (procexp) and listDll tools (both
sysinternals) shows
that it is safe.

Maxim

----- Original Message -----
From: “Don Burn”
> Newsgroups: ntdev
> To: “Windows System Software Devs Interest List”
> Sent: Tuesday, January 18, 2005 3:24 PM
> Subject: Re:[ntdev] KPEB
>
>
> > ACTUALLY, the last idiot who said that looking at the loaded module
list
> > was
> > safe was trying to justify to one of my customers why their system
crashed
> > thanks to his CRAP. Big deal you have the undocumented structures,
unless
> > you can coordinate with the rest of the kernel on access to this list
you
> > are likely to crash.
> >
> > This is really stupid to do this since you can either use
> > PsSetLoadImageNotifyRoutine and build the list yourself, this is
> > completely
> > safe and documented.
> >
> > To the original poster, don’t look up KPEB in the archives, look up
> > hooking
> > and understand you are producing something that is a very bad idea.
> >
> >
> > –
> > Don Burn (MVP, Windows DDK)
> > Windows 2k/XP/2k3 Filesystem and Driver Consulting
> > Remove StopSpam from the email to reply
> >
> >
> > “Egemen Tas” wrote in message
news:xxxxx@ntdev…
> >> Reading the loaded module list from the kernel is quite possible but
not
> >> SAFE :
> >>
> >>
> >>
> >> typedef struct _PEB_LDR_DATA
> >>
> >> {
> >>
> >> ULONG Length;
> >>
> >> BOOLEAN Initialized;
> >>
> >> PVOID SsHandle;
> >>
> >> LIST_ENTRY InLoadOrderModuleList;
> >>
> >> LIST_ENTRY InMemoryOrderModuleList;
> >>
> >> LIST_ENTRY InInitializationOrderModuleList;
> >>
> >> PVOID EntryInProgress;
> >>
> >> } PEB_LDR_DATA, *PPEB_LDR_DATA;
> >>
> >>
> >>
> >> typedef struct _LDR_DATA_TABLE_ENTRY
> >>
> >> {
> >>
> >> LIST_ENTRY InLoadOrderLinks;
> >>
> >> LIST_ENTRY InMemoryOrderLinks;
> >>
> >> LIST_ENTRY InInitializationOrderLinks;
> >>
> >> PVOID DllBase;
> >>
> >> PVOID EntryPoint;
> >>
> >> ULONG SizeOfImage;
> >>
> >> UNICODE_STRING FullDllName;
> >>
> >> UNICODE_STRING BaseDllName;
> >>
> >> …
> >>
> >> }
> >>
> >>
> >>
> >> typedef struct _PEB
> >>
> >> {
> >>
> >> unsigned char _pad[0x00c]; //XP SP2 offset
> >>
> >> PEB_LDR_DATA Ldr;
> >>
> >> …
> >>
> >> }
> >>
> >>
> >>
> >> After you obtain the address of the PEB of the process, you can obtain

> >> the
> >> address of the loader data encapsulated as
> >>
> >> struct_PEB_LDR_DATA . Within this structure there are
> > InXXXOrderModuleLists
> >> links which links the module information in _LDR_DATA_TABLE_ENTRY
> >>
> >> strucures.
> >>
> >>
> >>
> >> I have not tested this but the strategy must work.
> >>
> >>
> >>
> >> However, this method is not thread SAFE. The driver must ensure serial
> >> access to these links and ensure that that data is valid!
> >>
> >> When you look at the PEB structure, you see a member called LoaderLock
> > which
> >> is used by nt loader thorugh RTlXXXCriticalSection native api
functions
> >> to
> >> syncronize loader related operations on the PEB.
> >>
> >>
> >>
> >> Indeed from the security point of view, PEB of a process is accessible
> > from
> >> the user mode so accessing and basing the operations on the user
> >> manipulatable data from the driver is conceptually unsafe.
> >>
> >> What if a rootkit changes the links in these data structure which may
> >> lead
> >> to an infinite loop at the driver level or something else?
> >>
> >> It is better to face such conditions at the user level.
> >>
> >>
> >>
> >> Look at the documentation of PsSetLoadImageNotifyRoutine in DDK help.
it
> > may
> >> be useful.
> >>
> >>
> >>
> >> Good luck,
> >>
> >>
> >>
> >> Egemen Tas
> >>
> >>
> >>
> >>
> >>
> >>
> >>
> >>
> >>
> >> -------Original Message-------
> >>
> >>
> >>
> >> From: xxxxx@wipro.com
> >>
> >> Date: 01/18/05 10:40:52
> >>
> >> To: Windows System Software Devs Interest List
> >>
> >> Subject: [ntdev] KPEB
> >>
> >>
> >>
> >> Hi,
> >>
> >> I wanted to implement a hooking function same like Regmon. I could
able
> >> to
> >> hook to registry and could able to read the process information block
> > (KPEB)
> >> I want to know some of the clarifications and pointers.
> >>
> >> Is it possible to read what are the modules(dll) that are loaded by
the
> > user
> >> application from kernel mode ? If it is can we know which is the
present
> >> module that is running in the user space ?
> >>
> >> Presently I have hooked to registry call. Any call to registry will
> >> invoke
> >> my function first and from my function I will call the actual registry
> >> function. The registry call from user application may be done from
listed
> >> dlls of a particular process. Is it possible to know which module has
> > called
> >> my registry function.
> >>
> >> Any suggestions will be helpful.
> >>
> >>
> >>
> >> Thanks and Regards,
> >>
> >> Abhiman.
> >>
> >>
> >>
> >> —
> >>
> >> Questions? First check the Kernel Driver FAQ at http://www.osronline
> >> com/article.cfm?id=256
> >>
> >>
> >>
> >> You are currently subscribed to ntdev as: unknown lmsubst tag
argument:
> >> ‘’
> >>
> >> To unsubscribe send a blank email to xxxxx@lists.osr.com
> >>
> >>
> >>
> >
> >
> >
> > —
> > Questions? First check the Kernel Driver FAQ at
> > http://www.osronline.com/article.cfm?id=256
> >
> > You are currently subscribed to ntdev as: xxxxx@secureol.com
> > To unsubscribe send a blank email to xxxxx@lists.osr.com
>
>
> —
> Questions? First check the Kernel Driver FAQ at http://www.
> osronline.com/article.cfm?id=256
>
> You are currently subscribed to ntdev as: xxxxx@3dlabs.com
> To unsubscribe send a blank email to xxxxx@lists.osr.com

> ForwardSourceID:NT0000B172

I do not think it is safe.I do not know how the tools you mention work but
what if I change some of the links in the loaded module list

and cause an unepexted cycle? Or direct them to a bad memory location?These
are theoretically possible.

Those links are easily manipulated from the user level by rootkits to hide
themselves.

Am I wrong?

-------Original Message-------

From: Maxim

Date: 01/18/05 15:40:41

To: Windows System Software Devs Interest List

Subject: Re: Re:[ntdev] KPEB

maybe, but sometimes you need to load driver after some processes

already started. Process explorer (procexp) and listDll tools (both

sysinternals) shows

that it is safe.

Maxim

----- Original Message -----

From: “Don Burn”

Newsgroups: ntdev

To: “Windows System Software Devs Interest List”

Sent: Tuesday, January 18, 2005 3:24 PM

Subject: Re:[ntdev] KPEB

> ACTUALLY, the last idiot who said that looking at the loaded module list

> was

> safe was trying to justify to one of my customers why their system crashed

> thanks to his CRAP. Big deal you have the undocumented structures, unless

> you can coordinate with the rest of the kernel on access to this list you

> are likely to crash.

>

> This is really stupid to do this since you can either use

> PsSetLoadImageNotifyRoutine and build the list yourself, this is

> completely

> safe and documented.

>

> To the original poster, don’t look up KPEB in the archives, look up

> hooking

> and understand you are producing something that is a very bad idea.

>

>

> –

> Don Burn (MVP, Windows DDK)

> Windows 2k/XP/2k3 Filesystem and Driver Consulting

> Remove StopSpam from the email to reply

>

>

> “Egemen Tas” wrote in message news:xxxxx@ntdev…

>> Reading the loaded module list from the kernel is quite possible but not

>> SAFE :

>>

>>

>>

>> typedef struct _PEB_LDR_DATA

>>

>> {

>>

>> ULONG Length;

>>

>> BOOLEAN Initialized;

>>

>> PVOID SsHandle;

>>

>> LIST_ENTRY InLoadOrderModuleList;

>>

>> LIST_ENTRY InMemoryOrderModuleList;

>>

>> LIST_ENTRY InInitializationOrderModuleList;

>>

>> PVOID EntryInProgress;

>>

>> } PEB_LDR_DATA, *PPEB_LDR_DATA;

>>

>>

>>

>> typedef struct _LDR_DATA_TABLE_ENTRY

>>

>> {

>>

>> LIST_ENTRY InLoadOrderLinks;

>>

>> LIST_ENTRY InMemoryOrderLinks;

>>

>> LIST_ENTRY InInitializationOrderLinks;

>>

>> PVOID DllBase;

>>

>> PVOID EntryPoint;

>>

>> ULONG SizeOfImage;

>>

>> UNICODE_STRING FullDllName;

>>

>> UNICODE_STRING BaseDllName;

>>

>> …

>>

>> }

>>

>>

>>

>> typedef struct _PEB

>>

>> {

>>

>> unsigned char _pad[0x00c]; //XP SP2 offset

>>

>> PEB_LDR_DATA Ldr;

>>

>> …

>>

>> }

>>

>>

>>

>> After you obtain the address of the PEB of the process, you can obtain

>> the

>> address of the loader data encapsulated as

>>

>> struct_PEB_LDR_DATA . Within this structure there are

> InXXXOrderModuleLists

>> links which links the module information in _LDR_DATA_TABLE_ENTRY

>>

>> strucures.

>>

>>

>>

>> I have not tested this but the strategy must work.

>>

>>

>>

>> However, this method is not thread SAFE. The driver must ensure serial

>> access to these links and ensure that that data is valid!

>>

>> When you look at the PEB structure, you see a member called LoaderLock

> which

>> is used by nt loader thorugh RTlXXXCriticalSection native api functions

>> to

>> syncronize loader related operations on the PEB.

>>

>>

>>

>> Indeed from the security point of view, PEB of a process is accessible

> from

>> the user mode so accessing and basing the operations on the user

>> manipulatable data from the driver is conceptually unsafe.

>>

>> What if a rootkit changes the links in these data structure which may

>> lead

>> to an infinite loop at the driver level or something else?

>>

>> It is better to face such conditions at the user level.

>>

>>

>>

>> Look at the documentation of PsSetLoadImageNotifyRoutine in DDK help. it

> may

>> be useful.

>>

>>

>>

>> Good luck,

>>

>>

>>

>> Egemen Tas

>>

>>

>>

>>

>>

>>

>>

>>

>>

>> -------Original Message-------

>>

>>

>>

>> From: xxxxx@wipro.com

>>

>> Date: 01/18/05 10:40:52

>>

>> To: Windows System Software Devs Interest List

>>

>> Subject: [ntdev] KPEB

>>

>>

>>

>> Hi,

>>

>> I wanted to implement a hooking function same like Regmon. I could able

>> to

>> hook to registry and could able to read the process information block

> (KPEB)

>> I want to know some of the clarifications and pointers.

>>

>> Is it possible to read what are the modules(dll) that are loaded by the

> user

>> application from kernel mode ? If it is can we know which is the present

>> module that is running in the user space ?

>>

>> Presently I have hooked to registry call. Any call to registry will

>> invoke

>> my function first and from my function I will call the actual registry

>> function. The registry call from user application may be done from listed

>> dlls of a particular process. Is it possible to know which module has

> called

>> my registry function.

>>

>> Any suggestions will be helpful.

>>

>>

>>

>> Thanks and Regards,

>>

>> Abhiman.

>>

>>

>>

>> —

>>

>> Questions? First check the Kernel Driver FAQ at http://www.osronline

>> com/article.cfm?id=256

>>

>>

>>

>> You are currently subscribed to ntdev as: unknown lmsubst tag argument:

>> ‘’

>>

>> To unsubscribe send a blank email to xxxxx@lists.osr.com

>>

>>

>>

>

>

>

> —

> Questions? First check the Kernel Driver FAQ at

> http://www.osronline.com/article.cfm?id=256

>

> You are currently subscribed to ntdev as: xxxxx@secureol.com

> To unsubscribe send a blank email to xxxxx@lists.osr.com

—

Questions? First check the Kernel Driver FAQ at http://www.osronline
com/article.cfm?id=256

You are currently subscribed to ntdev as: xxxxx@gmail.com

To unsubscribe send a blank email to xxxxx@lists.osr.com

Looking up the process name in the environment block only goes wrong because
some programmers use hard coded offsets instead of scanning for it. For the
alternatives of obtaining the process name, PsSetLoadImageNotifyRoutine
allows registration of only 8 callbacks and if you use it your driver MUST
remain loaded until the system reboots.

About hooking … the real question is of course why do we have to write a
kernel mode device driver if we want to do something simple like registry
monitoring. Until Microsoft is going to provide some normal APIs to simple
problems, they are not going to have much chance removing the possibility of
hooking the kernel descriptor table on 64bit Windows. And it’s really better
because the real nighmare has yet to start when application writers suddenly
have to develop filter driver en masse or developers start injecting user
mode DLLs into all processes on a big scale. MS arguments for system
security are purely theoretical but do not hit much ground in reality
because the alternatives are lacking.

Regards,

Daniel Terhell
Resplendence Software Projects Sp
xxxxx@resplendence.com
http://www.resplendence.com

“Mats PETERSSON” wrote in message
news:xxxxx@ntdev…
> I don’t think anything Sysinternals does is actually “documented and
> safe”.
> They show things that CAN BE DONE, but I’m pretty sure that none of it is
> safe from a new version of Windows that changes one or more of the
> internal
> structures that aren’t documented.
>
> Let’s make an example. There’s a motorcycle stunt rider called Gary
> Rothwell (do a search on the web if you want to learn more about him).
> He’s
> able to do things with a motorcycle that I can only dream of doing. Does
> that make the things he does safe? No.
>
> The guys at Sysinternals are like Gary Rothwell. They have a lot of
> experience in trying to do “the impossible”. They are the Gary Rothwells
> of
> the Windows system. They do difficult things that aren’t safe and make it
> look easy.
>
> Also, Sysinternals do not charge money for the products you talk about,
> and
> they do come with a disclaimer saying that ‘if it doesn’t work. your
> problem’. Now, for everyone on this list, what that means is quite clear.
>
> However, if someone is writing a filter-driver of some sort, that is
> supposed to go out to a variety of skill-level people that are going to
> install this driver, then it needs to be known to work even if the user
> installs “Service Pack 3”, and even when the user runs the “XYZ”
> application that some rather dodgy coder wrote to do something magical, it
> should also not allow the Virus writes free passages into the kernel space
> to wreak havoc.
>
> All of these things have to be considered when writing a driver.
> Suggesting
> that just because someone did something, it’s also safe and secur thing to
> do, isn’t the best way to get secure, safe and reliable windows systems
> out
> there.
>
> –
> Mats
>
>
> xxxxx@lists.osr.com wrote on 01/18/2005 01:38:41 PM:
>
>> maybe, but sometimes you need to load driver after some processes
>> already started. Process explorer (procexp) and listDll tools (both
>> sysinternals) shows
>> that it is safe.
>>
>> Maxim
>>
>> ----- Original Message -----
>> From: “Don Burn”
>> Newsgroups: ntdev
>> To: “Windows System Software Devs Interest List”
>> Sent: Tuesday, January 18, 2005 3:24 PM
>> Subject: Re:[ntdev] KPEB
>>
>>
>> > ACTUALLY, the last idiot who said that looking at the loaded module
> list
>> > was
>> > safe was trying to justify to one of my customers why their system
> crashed
>> > thanks to his CRAP. Big deal you have the undocumented structures,
> unless
>> > you can coordinate with the rest of the kernel on access to this list
> you
>> > are likely to crash.
>> >
>> > This is really stupid to do this since you can either use
>> > PsSetLoadImageNotifyRoutine and build the list yourself, this is
>> > completely
>> > safe and documented.
>> >
>> > To the original poster, don’t look up KPEB in the archives, look up
>> > hooking
>> > and understand you are producing something that is a very bad idea.
>> >
>> >
>> > –
>> > Don Burn (MVP, Windows DDK)
>> > Windows 2k/XP/2k3 Filesystem and Driver Consulting
>> > Remove StopSpam from the email to reply
>> >
>> >
>> > “Egemen Tas” wrote in message
> news:xxxxx@ntdev…
>> >> Reading the loaded module list from the kernel is quite possible but
> not
>> >> SAFE :
>> >>
>> >>
>> >>
>> >> typedef struct _PEB_LDR_DATA
>> >>
>> >> {
>> >>
>> >> ULONG Length;
>> >>
>> >> BOOLEAN Initialized;
>> >>
>> >> PVOID SsHandle;
>> >>
>> >> LIST_ENTRY InLoadOrderModuleList;
>> >>
>> >> LIST_ENTRY InMemoryOrderModuleList;
>> >>
>> >> LIST_ENTRY InInitializationOrderModuleList;
>> >>
>> >> PVOID EntryInProgress;
>> >>
>> >> } PEB_LDR_DATA, *PPEB_LDR_DATA;
>> >>
>> >>
>> >>
>> >> typedef struct _LDR_DATA_TABLE_ENTRY
>> >>
>> >> {
>> >>
>> >> LIST_ENTRY InLoadOrderLinks;
>> >>
>> >> LIST_ENTRY InMemoryOrderLinks;
>> >>
>> >> LIST_ENTRY InInitializationOrderLinks;
>> >>
>> >> PVOID DllBase;
>> >>
>> >> PVOID EntryPoint;
>> >>
>> >> ULONG SizeOfImage;
>> >>
>> >> UNICODE_STRING FullDllName;
>> >>
>> >> UNICODE_STRING BaseDllName;
>> >>
>> >> …
>> >>
>> >> }
>> >>
>> >>
>> >>
>> >> typedef struct _PEB
>> >>
>> >> {
>> >>
>> >> unsigned char _pad[0x00c]; //XP SP2 offset
>> >>
>> >> PEB_LDR_DATA Ldr;
>> >>
>> >> …
>> >>
>> >> }
>> >>
>> >>
>> >>
>> >> After you obtain the address of the PEB of the process, you can obtain
>
>> >> the
>> >> address of the loader data encapsulated as
>> >>
>> >> struct_PEB_LDR_DATA . Within this structure there are
>> > InXXXOrderModuleLists
>> >> links which links the module information in _LDR_DATA_TABLE_ENTRY
>> >>
>> >> strucures.
>> >>
>> >>
>> >>
>> >> I have not tested this but the strategy must work.
>> >>
>> >>
>> >>
>> >> However, this method is not thread SAFE. The driver must ensure serial
>> >> access to these links and ensure that that data is valid!
>> >>
>> >> When you look at the PEB structure, you see a member called LoaderLock
>> > which
>> >> is used by nt loader thorugh RTlXXXCriticalSection native api
> functions
>> >> to
>> >> syncronize loader related operations on the PEB.
>> >>
>> >>
>> >>
>> >> Indeed from the security point of view, PEB of a process is accessible
>> > from
>> >> the user mode so accessing and basing the operations on the user
>> >> manipulatable data from the driver is conceptually unsafe.
>> >>
>> >> What if a rootkit changes the links in these data structure which may
>> >> lead
>> >> to an infinite loop at the driver level or something else?
>> >>
>> >> It is better to face such conditions at the user level.
>> >>
>> >>
>> >>
>> >> Look at the documentation of PsSetLoadImageNotifyRoutine in DDK help.
> it
>> > may
>> >> be useful.
>> >>
>> >>
>> >>
>> >> Good luck,
>> >>
>> >>
>> >>
>> >> Egemen Tas
>> >>
>> >>
>> >>
>> >>
>> >>
>> >>
>> >>
>> >>
>> >>
>> >> -------Original Message-------
>> >>
>> >>
>> >>
>> >> From: xxxxx@wipro.com
>> >>
>> >> Date: 01/18/05 10:40:52
>> >>
>> >> To: Windows System Software Devs Interest List
>> >>
>> >> Subject: [ntdev] KPEB
>> >>
>> >>
>> >>
>> >> Hi,
>> >>
>> >> I wanted to implement a hooking function same like Regmon. I could
> able
>> >> to
>> >> hook to registry and could able to read the process information block
>> > (KPEB)
>> >> I want to know some of the clarifications and pointers.
>> >>
>> >> Is it possible to read what are the modules(dll) that are loaded by
> the
>> > user
>> >> application from kernel mode ? If it is can we know which is the
> present
>> >> module that is running in the user space ?
>> >>
>> >> Presently I have hooked to registry call. Any call to registry will
>> >> invoke
>> >> my function first and from my function I will call the actual registry
>> >> function. The registry call from user application may be done from
> listed
>> >> dlls of a particular process. Is it possible to know which module has
>> > called
>> >> my registry function.
>> >>
>> >> Any suggestions will be helpful.
>> >>
>> >>
>> >>
>> >> Thanks and Regards,
>> >>
>> >> Abhiman.
>> >>
>> >>
>> >>
>> >> —
>> >>
>> >> Questions? First check the Kernel Driver FAQ at http://www.osronline
>> >> com/article.cfm?id=256
>> >>
>> >>
>> >>
>> >> You are currently subscribed to ntdev as: unknown lmsubst tag
> argument:
>> >> ‘’
>> >>
>> >> To unsubscribe send a blank email to xxxxx@lists.osr.com
>> >>
>> >>
>> >>
>> >
>> >
>> >
>> > —
>> > Questions? First check the Kernel Driver FAQ at
>> > http://www.osronline.com/article.cfm?id=256
>> >
>> > You are currently subscribed to ntdev as: xxxxx@secureol.com
>> > To unsubscribe send a blank email to xxxxx@lists.osr.com
>>
>>
>> —
>> Questions? First check the Kernel Driver FAQ at http://www.
>> osronline.com/article.cfm?id=256
>>
>> You are currently subscribed to ntdev as: xxxxx@3dlabs.com
>> To unsubscribe send a blank email to xxxxx@lists.osr.com
>
>> ForwardSourceID:NT0000B172
>
>

I have to take exception with both of these statements. On process names,
first the process name is not the executable path, and can be totally a
different name in some cases. Second there is nothing that says the process
name has to stay coded as it is, so using this is stupid. Third if you
really want this, consider using ZwQuerySystemInformation, yes it is
undocumented but no you are not mucking with kernel data structures.

On the registry hooking, the answer is you don’t. Microsoft has put in API,
and documented them (ok they need to do this better), seach the list for
previous discussion on this. A heck of a lot of hooking is because
developers are too lazy to write a file system filter driver, or do other
documented ways of getting the info. Sorry that is just crap and if people
identify firms that do this, they should be publicized so that their
products can be boycotted.

–
Don Burn (MVP, Windows DDK)
Windows 2k/XP/2k3 Filesystem and Driver Consulting
Remove StopSpam from the email to reply

“Daniel Terhell” wrote in message
news:xxxxx@ntdev…
> Looking up the process name in the environment block only goes wrong
because
> some programmers use hard coded offsets instead of scanning for it. For
the
> alternatives of obtaining the process name, PsSetLoadImageNotifyRoutine
> allows registration of only 8 callbacks and if you use it your driver MUST
> remain loaded until the system reboots.
>
> About hooking … the real question is of course why do we have to write a
> kernel mode device driver if we want to do something simple like registry
> monitoring. Until Microsoft is going to provide some normal APIs to
simple
> problems, they are not going to have much chance removing the possibility
of
> hooking the kernel descriptor table on 64bit Windows. And it’s really
better
> because the real nighmare has yet to start when application writers
suddenly
> have to develop filter driver en masse or developers start injecting user
> mode DLLs into all processes on a big scale. MS arguments for system
> security are purely theoretical but do not hit much ground in reality
> because the alternatives are lacking.
>
> Regards,
>
> Daniel Terhell
> Resplendence Software Projects Sp
> xxxxx@resplendence.com
> http://www.resplendence.com
>

This registry monitor api is I think still unofficial, only for the latest
OSes, not part of the latest DDK. For a lot of the situations that
developers do hooking the reason is that an acceptable solution still does
not exist. If you get serious about your boycot you might find that includes
most of the antivirus, monitoring and debugging tool vendors. This world has
real problems but for many real solutions do not exist. If this is because
the tools to develop them are lacking I think this religion is not something
we should embraced.

Regards,

Daniel Terhell
Resplendence Software Projects Sp
xxxxx@resplendence.com
http://www.resplendence.com

“Don Burn” wrote in message news:xxxxx@ntdev…
>I have to take exception with both of these statements. On process names,
> first the process name is not the executable path, and can be totally a
> different name in some cases. Second there is nothing that says the
> process
> name has to stay coded as it is, so using this is stupid. Third if you
> really want this, consider using ZwQuerySystemInformation, yes it is
> undocumented but no you are not mucking with kernel data structures.
>
> On the registry hooking, the answer is you don’t. Microsoft has put in
> API,
> and documented them (ok they need to do this better), seach the list for
> previous discussion on this. A heck of a lot of hooking is because
> developers are too lazy to write a file system filter driver, or do other
> documented ways of getting the info. Sorry that is just crap and if
> people
> identify firms that do this, they should be publicized so that their
> products can be boycotted.
>
>
> –
> Don Burn (MVP, Windows DDK)
> Windows 2k/XP/2k3 Filesystem and Driver Consulting
> Remove StopSpam from the email to reply
>
> “Daniel Terhell” wrote in message
> news:xxxxx@ntdev…
>> Looking up the process name in the environment block only goes wrong
> because
>> some programmers use hard coded offsets instead of scanning for it. For
> the
>> alternatives of obtaining the process name, PsSetLoadImageNotifyRoutine
>> allows registration of only 8 callbacks and if you use it your driver
>> MUST
>> remain loaded until the system reboots.
>>
>> About hooking … the real question is of course why do we have to write a
>> kernel mode device driver if we want to do something simple like registry
>> monitoring. Until Microsoft is going to provide some normal APIs to
> simple
>> problems, they are not going to have much chance removing the possibility
> of
>> hooking the kernel descriptor table on 64bit Windows. And it’s really
> better
>> because the real nighmare has yet to start when application writers
> suddenly
>> have to develop filter driver en masse or developers start injecting user
>> mode DLLs into all processes on a big scale. MS arguments for system
>> security are purely theoretical but do not hit much ground in reality
>> because the alternatives are lacking.
>>
>> Regards,
>>
>> Daniel Terhell
>> Resplendence Software Projects Sp
>> xxxxx@resplendence.com
>> http://www.resplendence.com
>>
>
>
>

Safe as a rarely used tool - yes. Safe as a main path of the production
code which runs millions of times - no.

Maxim Shatskih, Windows DDK MVP
StorageCraft Corporation
xxxxx@storagecraft.com
http://www.storagecraft.com

----- Original Message -----
From: “Maxim”
To: “Windows System Software Devs Interest List”
Sent: Tuesday, January 18, 2005 4:38 PM
Subject: Re: Re:[ntdev] KPEB

> maybe, but sometimes you need to load driver after some processes
> already started. Process explorer (procexp) and listDll tools (both
> sysinternals) shows
> that it is safe.
>
> Maxim
>
> ----- Original Message -----
> From: “Don Burn”
> Newsgroups: ntdev
> To: “Windows System Software Devs Interest List”
> Sent: Tuesday, January 18, 2005 3:24 PM
> Subject: Re:[ntdev] KPEB
>
>
> > ACTUALLY, the last idiot who said that looking at the loaded module list
> > was
> > safe was trying to justify to one of my customers why their system crashed
> > thanks to his CRAP. Big deal you have the undocumented structures, unless
> > you can coordinate with the rest of the kernel on access to this list you
> > are likely to crash.
> >
> > This is really stupid to do this since you can either use
> > PsSetLoadImageNotifyRoutine and build the list yourself, this is
> > completely
> > safe and documented.
> >
> > To the original poster, don’t look up KPEB in the archives, look up
> > hooking
> > and understand you are producing something that is a very bad idea.
> >
> >
> > –
> > Don Burn (MVP, Windows DDK)
> > Windows 2k/XP/2k3 Filesystem and Driver Consulting
> > Remove StopSpam from the email to reply
> >
> >
> > “Egemen Tas” wrote in message news:xxxxx@ntdev…
> >> Reading the loaded module list from the kernel is quite possible but not
> >> SAFE :
> >>
> >>
> >>
> >> typedef struct _PEB_LDR_DATA
> >>
> >> {
> >>
> >> ULONG Length;
> >>
> >> BOOLEAN Initialized;
> >>
> >> PVOID SsHandle;
> >>
> >> LIST_ENTRY InLoadOrderModuleList;
> >>
> >> LIST_ENTRY InMemoryOrderModuleList;
> >>
> >> LIST_ENTRY InInitializationOrderModuleList;
> >>
> >> PVOID EntryInProgress;
> >>
> >> } PEB_LDR_DATA, *PPEB_LDR_DATA;
> >>
> >>
> >>
> >> typedef struct _LDR_DATA_TABLE_ENTRY
> >>
> >> {
> >>
> >> LIST_ENTRY InLoadOrderLinks;
> >>
> >> LIST_ENTRY InMemoryOrderLinks;
> >>
> >> LIST_ENTRY InInitializationOrderLinks;
> >>
> >> PVOID DllBase;
> >>
> >> PVOID EntryPoint;
> >>
> >> ULONG SizeOfImage;
> >>
> >> UNICODE_STRING FullDllName;
> >>
> >> UNICODE_STRING BaseDllName;
> >>
> >> …
> >>
> >> }
> >>
> >>
> >>
> >> typedef struct _PEB
> >>
> >> {
> >>
> >> unsigned char _pad[0x00c]; //XP SP2 offset
> >>
> >> PEB_LDR_DATA Ldr;
> >>
> >> …
> >>
> >> }
> >>
> >>
> >>
> >> After you obtain the address of the PEB of the process, you can obtain
> >> the
> >> address of the loader data encapsulated as
> >>
> >> struct_PEB_LDR_DATA . Within this structure there are
> > InXXXOrderModuleLists
> >> links which links the module information in _LDR_DATA_TABLE_ENTRY
> >>
> >> strucures.
> >>
> >>
> >>
> >> I have not tested this but the strategy must work.
> >>
> >>
> >>
> >> However, this method is not thread SAFE. The driver must ensure serial
> >> access to these links and ensure that that data is valid!
> >>
> >> When you look at the PEB structure, you see a member called LoaderLock
> > which
> >> is used by nt loader thorugh RTlXXXCriticalSection native api functions
> >> to
> >> syncronize loader related operations on the PEB.
> >>
> >>
> >>
> >> Indeed from the security point of view, PEB of a process is accessible
> > from
> >> the user mode so accessing and basing the operations on the user
> >> manipulatable data from the driver is conceptually unsafe.
> >>
> >> What if a rootkit changes the links in these data structure which may
> >> lead
> >> to an infinite loop at the driver level or something else?
> >>
> >> It is better to face such conditions at the user level.
> >>
> >>
> >>
> >> Look at the documentation of PsSetLoadImageNotifyRoutine in DDK help. it
> > may
> >> be useful.
> >>
> >>
> >>
> >> Good luck,
> >>
> >>
> >>
> >> Egemen Tas
> >>
> >>
> >>
> >>
> >>
> >>
> >>
> >>
> >>
> >> -------Original Message-------
> >>
> >>
> >>
> >> From: xxxxx@wipro.com
> >>
> >> Date: 01/18/05 10:40:52
> >>
> >> To: Windows System Software Devs Interest List
> >>
> >> Subject: [ntdev] KPEB
> >>
> >>
> >>
> >> Hi,
> >>
> >> I wanted to implement a hooking function same like Regmon. I could able
> >> to
> >> hook to registry and could able to read the process information block
> > (KPEB)
> >> I want to know some of the clarifications and pointers.
> >>
> >> Is it possible to read what are the modules(dll) that are loaded by the
> > user
> >> application from kernel mode ? If it is can we know which is the present
> >> module that is running in the user space ?
> >>
> >> Presently I have hooked to registry call. Any call to registry will
> >> invoke
> >> my function first and from my function I will call the actual registry
> >> function. The registry call from user application may be done from listed
> >> dlls of a particular process. Is it possible to know which module has
> > called
> >> my registry function.
> >>
> >> Any suggestions will be helpful.
> >>
> >>
> >>
> >> Thanks and Regards,
> >>
> >> Abhiman.
> >>
> >>
> >>
> >> —
> >>
> >> Questions? First check the Kernel Driver FAQ at http://www.osronline
> >> com/article.cfm?id=256
> >>
> >>
> >>
> >> You are currently subscribed to ntdev as: unknown lmsubst tag argument:
> >> ‘’
> >>
> >> To unsubscribe send a blank email to xxxxx@lists.osr.com
> >>
> >>
> >>
> >
> >
> >
> > —
> > Questions? First check the Kernel Driver FAQ at
> > http://www.osronline.com/article.cfm?id=256
> >
> > You are currently subscribed to ntdev as: xxxxx@secureol.com
> > To unsubscribe send a blank email to xxxxx@lists.osr.com
>
>
> —
> Questions? First check the Kernel Driver FAQ at
http://www.osronline.com/article.cfm?id=256
>
> You are currently subscribed to ntdev as: xxxxx@storagecraft.com
> To unsubscribe send a blank email to xxxxx@lists.osr.com

The API’'s have been there a long time, since it was years ago that RegMon
switched to them. I agree that Microsoft needs to document them properly.
I have checked a number of antivirus tools and most don’t hook, nor do the
majority of the monitoring tools. Debugging tools are a special case, this
list had a discussion a while back about IrpTracker as an example of
something that a developer has to realize can help but has risks.

The reason I hate hooking and other bad practices is that I come from a
fault tolerant background. I am part of a team trying to bring fault
tolerance and reliability to Windows. Now having looked at the kernel
sources, Windows has come a long way in the last 7 years and is a robust
system. What hasn’t come along is the improvement in 3rd party drivers. A
few years ago BillG in a speech ripped apart the antivirus vendors since
they accounted for a large percentage of the crashes of Windows. I believe
that AV has reduced the percentage, but from what I can tell AV and security
are still a major reason Windows crashed.

If you believe there is a real problem that Microsoft is not addressing, ask
them. They have been highly respectful of input as of late. No, I don’t
expect they will turn on a dime and add all the feature we want, but they
will listen and perhaps suggest a better way or offer a fix.

There is a perception in the marketplace that Windows is buggy and crashes
all the time and a an alternate OS is robust and reliable. I’ve gone
through the kernels of both and I know I would trust Windows over the
alternate. I also know that the last time I checked driver guru’s for the
alternate were getting a heck of a lot less for a consult that developers
for Windows. If we want long term to keep programming Windows we all have
to make an effort to make it more reliable, and that means cutting out the
hacks.

–
Don Burn (MVP, Windows DDK)
Windows 2k/XP/2k3 Filesystem and Driver Consulting
Remove StopSpam from the email to reply

“Daniel Terhell” wrote in message
news:xxxxx@ntdev…
> This registry monitor api is I think still unofficial, only for the latest
> OSes, not part of the latest DDK. For a lot of the situations that
> developers do hooking the reason is that an acceptable solution still does
> not exist. If you get serious about your boycot you might find that
includes
> most of the antivirus, monitoring and debugging tool vendors. This world
has
> real problems but for many real solutions do not exist. If this is because
> the tools to develop them are lacking I think this religion is not
something
> we should embraced.
>
> Regards,
>
> Daniel Terhell
> Resplendence Software Projects Sp
> xxxxx@resplendence.com
> http://www.resplendence.com
>
>

I had no crash in any XP/2K with any SP combination, and it works fine for
about 2 years. So, I can say - it works fine.

About sysinternals - a lot of people use their tools, and I’m not sure if I
can remember any crash they caused. Of course they got bugs like everyone
else, but in general their tools are ok.

Safe way or unsafe way, I’m not sure anyone can be sure that with the next
SP our drivers will not go down - XP SP2 is a good example for that.

Regards,
Maxim

----- Original Message -----
From: “Don Burn”
Newsgroups: ntdev
To: “Windows System Software Devs Interest List”
Sent: Tuesday, January 18, 2005 3:44 PM
Subject: Re:[ntdev] Re:KPEB

> Are you sure that these tools get their data in the kernel? There are
> perfectly adequate ways off accessing this from user space that are safe.
> Also, if your driver is trying to track stuff like this, then you should
> be
> able to load it early, if it hooks it sure should not be dynamically
> loading
> and unloading!
>
>
> –
> Don Burn (MVP, Windows DDK)
> Windows 2k/XP/2k3 Filesystem and Driver Consulting
> Remove StopSpam from the email to reply
>
> “Maxim” wrote in message news:xxxxx@ntdev…
>> maybe, but sometimes you need to load driver after some processes
>> already started. Process explorer (procexp) and listDll tools (both
>> sysinternals) shows
>> that it is safe.
>>
>> Maxim
>>
>> ----- Original Message -----
>> From: “Don Burn”
>> Newsgroups: ntdev
>> To: “Windows System Software Devs Interest List”
>> Sent: Tuesday, January 18, 2005 3:24 PM
>> Subject: Re:[ntdev] KPEB
>>
>>
>> > ACTUALLY, the last idiot who said that looking at the loaded module
>> > list
>> > was
>> > safe was trying to justify to one of my customers why their system
> crashed
>> > thanks to his CRAP. Big deal you have the undocumented structures,
> unless
>> > you can coordinate with the rest of the kernel on access to this list
> you
>> > are likely to crash.
>> >
>> > This is really stupid to do this since you can either use
>> > PsSetLoadImageNotifyRoutine and build the list yourself, this is
>> > completely
>> > safe and documented.
>> >
>> > To the original poster, don’t look up KPEB in the archives, look up
>> > hooking
>> > and understand you are producing something that is a very bad idea.
>> >
>> >
>> > –
>> > Don Burn (MVP, Windows DDK)
>> > Windows 2k/XP/2k3 Filesystem and Driver Consulting
>> > Remove StopSpam from the email to reply
>> >
>> >
>> > “Egemen Tas” wrote in message
>> > news:xxxxx@ntdev…
>> >> Reading the loaded module list from the kernel is quite possible but
> not
>> >> SAFE :
>> >>
>> >>
>> >>
>> >> typedef struct _PEB_LDR_DATA
>> >>
>> >> {
>> >>
>> >> ULONG Length;
>> >>
>> >> BOOLEAN Initialized;
>> >>
>> >> PVOID SsHandle;
>> >>
>> >> LIST_ENTRY InLoadOrderModuleList;
>> >>
>> >> LIST_ENTRY InMemoryOrderModuleList;
>> >>
>> >> LIST_ENTRY InInitializationOrderModuleList;
>> >>
>> >> PVOID EntryInProgress;
>> >>
>> >> } PEB_LDR_DATA, *PPEB_LDR_DATA;
>> >>
>> >>
>> >>
>> >> typedef struct _LDR_DATA_TABLE_ENTRY
>> >>
>> >> {
>> >>
>> >> LIST_ENTRY InLoadOrderLinks;
>> >>
>> >> LIST_ENTRY InMemoryOrderLinks;
>> >>
>> >> LIST_ENTRY InInitializationOrderLinks;
>> >>
>> >> PVOID DllBase;
>> >>
>> >> PVOID EntryPoint;
>> >>
>> >> ULONG SizeOfImage;
>> >>
>> >> UNICODE_STRING FullDllName;
>> >>
>> >> UNICODE_STRING BaseDllName;
>> >>
>> >> …
>> >>
>> >> }
>> >>
>> >>
>> >>
>> >> typedef struct _PEB
>> >>
>> >> {
>> >>
>> >> unsigned char _pad[0x00c]; //XP SP2 offset
>> >>
>> >> PEB_LDR_DATA Ldr;
>> >>
>> >> …
>> >>
>> >> }
>> >>
>> >>
>> >>
>> >> After you obtain the address of the PEB of the process, you can obtain
>> >> the
>> >> address of the loader data encapsulated as
>> >>
>> >> struct_PEB_LDR_DATA . Within this structure there are
>> > InXXXOrderModuleLists
>> >> links which links the module information in _LDR_DATA_TABLE_ENTRY
>> >>
>> >> strucures.
>> >>
>> >>
>> >>
>> >> I have not tested this but the strategy must work.
>> >>
>> >>
>> >>
>> >> However, this method is not thread SAFE. The driver must ensure serial
>> >> access to these links and ensure that that data is valid!
>> >>
>> >> When you look at the PEB structure, you see a member called LoaderLock
>> > which
>> >> is used by nt loader thorugh RTlXXXCriticalSection native api
>> >> functions
>> >> to
>> >> syncronize loader related operations on the PEB.
>> >>
>> >>
>> >>
>> >> Indeed from the security point of view, PEB of a process is accessible
>> > from
>> >> the user mode so accessing and basing the operations on the user
>> >> manipulatable data from the driver is conceptually unsafe.
>> >>
>> >> What if a rootkit changes the links in these data structure which may
>> >> lead
>> >> to an infinite loop at the driver level or something else?
>> >>
>> >> It is better to face such conditions at the user level.
>> >>
>> >>
>> >>
>> >> Look at the documentation of PsSetLoadImageNotifyRoutine in DDK help.
> it
>> > may
>> >> be useful.
>> >>
>> >>
>> >>
>> >> Good luck,
>> >>
>> >>
>> >>
>> >> Egemen Tas
>> >>
>> >>
>> >>
>> >>
>> >>
>> >>
>> >>
>> >>
>> >>
>> >> -------Original Message-------
>> >>
>> >>
>> >>
>> >> From: xxxxx@wipro.com
>> >>
>> >> Date: 01/18/05 10:40:52
>> >>
>> >> To: Windows System Software Devs Interest List
>> >>
>> >> Subject: [ntdev] KPEB
>> >>
>> >>
>> >>
>> >> Hi,
>> >>
>> >> I wanted to implement a hooking function same like Regmon. I could
>> >> able
>> >> to
>> >> hook to registry and could able to read the process information block
>> > (KPEB)
>> >> I want to know some of the clarifications and pointers.
>> >>
>> >> Is it possible to read what are the modules(dll) that are loaded by
>> >> the
>> > user
>> >> application from kernel mode ? If it is can we know which is the
> present
>> >> module that is running in the user space ?
>> >>
>> >> Presently I have hooked to registry call. Any call to registry will
>> >> invoke
>> >> my function first and from my function I will call the actual registry
>> >> function. The registry call from user application may be done from
> listed
>> >> dlls of a particular process. Is it possible to know which module has
>> > called
>> >> my registry function.
>> >>
>> >> Any suggestions will be helpful.
>> >>
>> >>
>> >>
>> >> Thanks and Regards,
>> >>
>> >> Abhiman.
>> >>
>> >>
>> >>
>> >> —
>> >>
>> >> Questions? First check the Kernel Driver FAQ at http://www.osronline
>> >> com/article.cfm?id=256
>> >>
>> >>
>> >>
>> >> You are currently subscribed to ntdev as: unknown lmsubst tag
>> >> argument:
>> >> ‘’
>> >>
>> >> To unsubscribe send a blank email to xxxxx@lists.osr.com
>> >>
>> >>
>> >>
>> >
>> >
>> >
>> > —
>> > Questions? First check the Kernel Driver FAQ at
>> > http://www.osronline.com/article.cfm?id=256
>> >
>> > You are currently subscribed to ntdev as: xxxxx@secureol.com
>> > To unsubscribe send a blank email to xxxxx@lists.osr.com
>>
>>
>
>
>
> —
> Questions? First check the Kernel Driver FAQ at
> http://www.osronline.com/article.cfm?id=256
>
> You are currently subscribed to ntdev as: xxxxx@secureol.com
> To unsubscribe send a blank email to xxxxx@lists.osr.com

xxxxx@lists.osr.com wrote on 01/18/2005 03:34:49 PM:

I had no crash in any XP/2K with any SP combination, and it works fine
for
about 2 years. So, I can say - it works fine.

About sysinternals - a lot of people use their tools, and I’m not sure if
I
can remember any crash they caused. Of course they got bugs like everyone

else, but in general their tools are ok.

Sure, and the guys at Sysinternals do know what they are doing. I don’t
think anyone said anything different.

Safe way or unsafe way, I’m not sure anyone can be sure that with the
next
SP our drivers will not go down - XP SP2 is a good example for that.

Microsoft is pretty clear on any changes that are done to public API’s.
What usually breaks with new service packs is things that do not follow the
corret API or make assumptions (such as assuming that a physical address is
always 32 bits, which is changed to 64 bit with PAE for the standard XP
kernel in SP2).

I agree with Don Burn, all developers need to make sure that the code they
write is as future-proof, safe and reliable as can be. The “Windows needs
to be rebooted every day” thing should be eradicated. [My normal
development machine quite usually is not rebooted for over 100 days, unless
I have to install something that requires a reboot].

–
Mats

Regards,
Maxim

----- Original Message -----
From: “Don Burn”
> Newsgroups: ntdev
> To: “Windows System Software Devs Interest List”
> Sent: Tuesday, January 18, 2005 3:44 PM
> Subject: Re:[ntdev] Re:KPEB
>
>
> > Are you sure that these tools get their data in the kernel? There are
> > perfectly adequate ways off accessing this from user space that are
safe.
> > Also, if your driver is trying to track stuff like this, then you
should
> > be
> > able to load it early, if it hooks it sure should not be dynamically
> > loading
> > and unloading!
> >
> >
> > –
> > Don Burn (MVP, Windows DDK)
> > Windows 2k/XP/2k3 Filesystem and Driver Consulting
> > Remove StopSpam from the email to reply
> >
> > “Maxim” wrote in message news:xxxxx@ntdev…
> >> maybe, but sometimes you need to load driver after some processes
> >> already started. Process explorer (procexp) and listDll tools (both
> >> sysinternals) shows
> >> that it is safe.
> >>
> >> Maxim
> >>
> >> ----- Original Message -----
> >> From: “Don Burn”
> >> Newsgroups: ntdev
> >> To: “Windows System Software Devs Interest List”
> >> Sent: Tuesday, January 18, 2005 3:24 PM
> >> Subject: Re:[ntdev] KPEB
> >>
> >>
> >> > ACTUALLY, the last idiot who said that looking at the loaded module
> >> > list
> >> > was
> >> > safe was trying to justify to one of my customers why their system
> > crashed
> >> > thanks to his CRAP. Big deal you have the undocumented structures,
> > unless
> >> > you can coordinate with the rest of the kernel on access to this
list
> > you
> >> > are likely to crash.
> >> >
> >> > This is really stupid to do this since you can either use
> >> > PsSetLoadImageNotifyRoutine and build the list yourself, this is
> >> > completely
> >> > safe and documented.
> >> >
> >> > To the original poster, don’t look up KPEB in the archives, look up
> >> > hooking
> >> > and understand you are producing something that is a very bad idea.
> >> >
> >> >
> >> > –
> >> > Don Burn (MVP, Windows DDK)
> >> > Windows 2k/XP/2k3 Filesystem and Driver Consulting
> >> > Remove StopSpam from the email to reply
> >> >
> >> >
> >> > “Egemen Tas” wrote in message
> >> > news:xxxxx@ntdev…
> >> >> Reading the loaded module list from the kernel is quite possible
but
> > not
> >> >> SAFE :
> >> >>
> >> >>
> >> >>
> >> >> typedef struct _PEB_LDR_DATA
> >> >>
> >> >> {
> >> >>
> >> >> ULONG Length;
> >> >>
> >> >> BOOLEAN Initialized;
> >> >>
> >> >> PVOID SsHandle;
> >> >>
> >> >> LIST_ENTRY InLoadOrderModuleList;
> >> >>
> >> >> LIST_ENTRY InMemoryOrderModuleList;
> >> >>
> >> >> LIST_ENTRY InInitializationOrderModuleList;
> >> >>
> >> >> PVOID EntryInProgress;
> >> >>
> >> >> } PEB_LDR_DATA, *PPEB_LDR_DATA;
> >> >>
> >> >>
> >> >>
> >> >> typedef struct _LDR_DATA_TABLE_ENTRY
> >> >>
> >> >> {
> >> >>
> >> >> LIST_ENTRY InLoadOrderLinks;
> >> >>
> >> >> LIST_ENTRY InMemoryOrderLinks;
> >> >>
> >> >> LIST_ENTRY InInitializationOrderLinks;
> >> >>
> >> >> PVOID DllBase;
> >> >>
> >> >> PVOID EntryPoint;
> >> >>
> >> >> ULONG SizeOfImage;
> >> >>
> >> >> UNICODE_STRING FullDllName;
> >> >>
> >> >> UNICODE_STRING BaseDllName;
> >> >>
> >> >> …
> >> >>
> >> >> }
> >> >>
> >> >>
> >> >>
> >> >> typedef struct _PEB
> >> >>
> >> >> {
> >> >>
> >> >> unsigned char _pad[0x00c]; //XP SP2 offset
> >> >>
> >> >> PEB_LDR_DATA Ldr;
> >> >>
> >> >> …
> >> >>
> >> >> }
> >> >>
> >> >>
> >> >>
> >> >> After you obtain the address of the PEB of the process, you can
obtain
> >> >> the
> >> >> address of the loader data encapsulated as
> >> >>
> >> >> struct_PEB_LDR_DATA . Within this structure there are
> >> > InXXXOrderModuleLists
> >> >> links which links the module information in _LDR_DATA_TABLE_ENTRY
> >> >>
> >> >> strucures.
> >> >>
> >> >>
> >> >>
> >> >> I have not tested this but the strategy must work.
> >> >>
> >> >>
> >> >>
> >> >> However, this method is not thread SAFE. The driver must ensure
serial
> >> >> access to these links and ensure that that data is valid!
> >> >>
> >> >> When you look at the PEB structure, you see a member called
LoaderLock
> >> > which
> >> >> is used by nt loader thorugh RTlXXXCriticalSection native api
> >> >> functions
> >> >> to
> >> >> syncronize loader related operations on the PEB.
> >> >>
> >> >>
> >> >>
> >> >> Indeed from the security point of view, PEB of a process is
accessible
> >> > from
> >> >> the user mode so accessing and basing the operations on the user
> >> >> manipulatable data from the driver is conceptually unsafe.
> >> >>
> >> >> What if a rootkit changes the links in these data structure which
may
> >> >> lead
> >> >> to an infinite loop at the driver level or something else?
> >> >>
> >> >> It is better to face such conditions at the user level.
> >> >>
> >> >>
> >> >>
> >> >> Look at the documentation of PsSetLoadImageNotifyRoutine in DDK
help.
> > it
> >> > may
> >> >> be useful.
> >> >>
> >> >>
> >> >>
> >> >> Good luck,
> >> >>
> >> >>
> >> >>
> >> >> Egemen Tas
> >> >>
> >> >>
> >> >>
> >> >>
> >> >>
> >> >>
> >> >>
> >> >>
> >> >>
> >> >> -------Original Message-------
> >> >>
> >> >>
> >> >>
> >> >> From: xxxxx@wipro.com
> >> >>
> >> >> Date: 01/18/05 10:40:52
> >> >>
> >> >> To: Windows System Software Devs Interest List
> >> >>
> >> >> Subject: [ntdev] KPEB
> >> >>
> >> >>
> >> >>
> >> >> Hi,
> >> >>
> >> >> I wanted to implement a hooking function same like Regmon. I could
> >> >> able
> >> >> to
> >> >> hook to registry and could able to read the process information
block
> >> > (KPEB)
> >> >> I want to know some of the clarifications and pointers.
> >> >>
> >> >> Is it possible to read what are the modules(dll) that are loaded by

> >> >> the
> >> > user
> >> >> application from kernel mode ? If it is can we know which is the
> > present
> >> >> module that is running in the user space ?
> >> >>
> >> >> Presently I have hooked to registry call. Any call to registry will
> >> >> invoke
> >> >> my function first and from my function I will call the actual
registry
> >> >> function. The registry call from user application may be done from
> > listed
> >> >> dlls of a particular process. Is it possible to know which module
has
> >> > called
> >> >> my registry function.
> >> >>
> >> >> Any suggestions will be helpful.
> >> >>
> >> >>
> >> >>
> >> >> Thanks and Regards,
> >> >>
> >> >> Abhiman.
> >> >>
> >> >>
> >> >>
> >> >> —
> >> >>
> >> >> Questions? First check the Kernel Driver FAQ at
http://www.osronline
> >> >> com/article.cfm?id=256
> >> >>
> >> >>
> >> >>
> >> >> You are currently subscribed to ntdev as: unknown lmsubst tag
> >> >> argument:
> >> >> ‘’
> >> >>
> >> >> To unsubscribe send a blank email to
xxxxx@lists.osr.com
> >> >>
> >> >>
> >> >>
> >> >
> >> >
> >> >
> >> > —
> >> > Questions? First check the Kernel Driver FAQ at
> >> > http://www.osronline.com/article.cfm?id=256
> >> >
> >> > You are currently subscribed to ntdev as: xxxxx@secureol.com
> >> > To unsubscribe send a blank email to
xxxxx@lists.osr.com
> >>
> >>
> >
> >
> >
> > —
> > Questions? First check the Kernel Driver FAQ at
> > http://www.osronline.com/article.cfm?id=256
> >
> > You are currently subscribed to ntdev as: xxxxx@secureol.com
> > To unsubscribe send a blank email to xxxxx@lists.osr.com
>
>
> —
> Questions? First check the Kernel Driver FAQ at http://www.
> osronline.com/article.cfm?id=256
>
> You are currently subscribed to ntdev as: xxxxx@3dlabs.com
> To unsubscribe send a blank email to xxxxx@lists.osr.com

> ForwardSourceID:NT0000B1BA

Fact is that Bill Gates cannot even to produce an XBox presentation without
bluescreening. As far as he wants to blame antivirus vendors for this, we
know that at least he does know better. Until recently he did not even have
the courage to produce any antivirus solution himself (at least after MSAV
for Dos), it is easy to blame on the others who have done the dirty work
for him. If Microsoft wants to get serious about security they should get
serious about their own reponsability and that includes providing good APIs
for developers.

Greetings,

Daniel Terhell
Resplendence Software Projects Sp
xxxxx@resplendence.com
http://www.resplendence.com

“Don Burn” wrote in message news:xxxxx@ntdev…
> The API’'s have been there a long time, since it was years ago that RegMon
> switched to them. I agree that Microsoft needs to document them properly.
> I have checked a number of antivirus tools and most don’t hook, nor do the
> majority of the monitoring tools. Debugging tools are a special case,
> this
> list had a discussion a while back about IrpTracker as an example of
> something that a developer has to realize can help but has risks.
>
> The reason I hate hooking and other bad practices is that I come from a
> fault tolerant background. I am part of a team trying to bring fault
> tolerance and reliability to Windows. Now having looked at the kernel
> sources, Windows has come a long way in the last 7 years and is a robust
> system. What hasn’t come along is the improvement in 3rd party drivers.
> A
> few years ago BillG in a speech ripped apart the antivirus vendors since
> they accounted for a large percentage of the crashes of Windows. I
> believe
> that AV has reduced the percentage, but from what I can tell AV and
> security
> are still a major reason Windows crashed.
>
> If you believe there is a real problem that Microsoft is not addressing,
> ask
> them. They have been highly respectful of input as of late. No, I don’t
> expect they will turn on a dime and add all the feature we want, but they
> will listen and perhaps suggest a better way or offer a fix.
>
> There is a perception in the marketplace that Windows is buggy and crashes
> all the time and a an alternate OS is robust and reliable. I’ve gone
> through the kernels of both and I know I would trust Windows over the
> alternate. I also know that the last time I checked driver guru’s for the
> alternate were getting a heck of a lot less for a consult that developers
> for Windows. If we want long term to keep programming Windows we all have
> to make an effort to make it more reliable, and that means cutting out the
> hacks.
>
>
> –
> Don Burn (MVP, Windows DDK)
> Windows 2k/XP/2k3 Filesystem and Driver Consulting
> Remove StopSpam from the email to reply
>
> “Daniel Terhell” wrote in message
> news:xxxxx@ntdev…
>> This registry monitor api is I think still unofficial, only for the
>> latest
>> OSes, not part of the latest DDK. For a lot of the situations that
>> developers do hooking the reason is that an acceptable solution still
>> does
>> not exist. If you get serious about your boycot you might find that
> includes
>> most of the antivirus, monitoring and debugging tool vendors. This world
> has
>> real problems but for many real solutions do not exist. If this is
>> because
>> the tools to develop them are lacking I think this religion is not
> something
>> we should embraced.
>>
>> Regards,
>>
>> Daniel Terhell
>> Resplendence Software Projects Sp
>> xxxxx@resplendence.com
>> http://www.resplendence.com
>>
>>
>
>
>

Courage!!! I suspect Bill Gates has far more courage that you will ever
have.

I also doubt you have ever had a blue screen in your code; we wish we could
all be so perfect and courageous; NOT!

Jamey

-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of Daniel Terhell
Sent: Tuesday, January 18, 2005 10:51 AM
To: Windows System Software Devs Interest List
Subject: Re:[ntdev] Re:KPEB

Fact is that Bill Gates cannot even to produce an XBox presentation without
bluescreening. As far as he wants to blame antivirus vendors for this, we
know that at least he does know better. Until recently he did not even have
the courage to produce any antivirus solution himself (at least after MSAV
for Dos), it is easy to blame on the others who have done the dirty work
for him. If Microsoft wants to get serious about security they should get
serious about their own reponsability and that includes providing good APIs
for developers.

Greetings,

Daniel Terhell
Resplendence Software Projects Sp
xxxxx@resplendence.com
http://www.resplendence.com

“Don Burn” wrote in message news:xxxxx@ntdev…
> The API’'s have been there a long time, since it was years ago that RegMon
> switched to them. I agree that Microsoft needs to document them properly.
> I have checked a number of antivirus tools and most don’t hook, nor do the
> majority of the monitoring tools. Debugging tools are a special case,
> this
> list had a discussion a while back about IrpTracker as an example of
> something that a developer has to realize can help but has risks.
>
> The reason I hate hooking and other bad practices is that I come from a
> fault tolerant background. I am part of a team trying to bring fault
> tolerance and reliability to Windows. Now having looked at the kernel
> sources, Windows has come a long way in the last 7 years and is a robust
> system. What hasn’t come along is the improvement in 3rd party drivers.
> A
> few years ago BillG in a speech ripped apart the antivirus vendors since
> they accounted for a large percentage of the crashes of Windows. I
> believe
> that AV has reduced the percentage, but from what I can tell AV and
> security
> are still a major reason Windows crashed.
>
> If you believe there is a real problem that Microsoft is not addressing,
> ask
> them. They have been highly respectful of input as of late. No, I don’t
> expect they will turn on a dime and add all the feature we want, but they
> will listen and perhaps suggest a better way or offer a fix.
>
> There is a perception in the marketplace that Windows is buggy and crashes
> all the time and a an alternate OS is robust and reliable. I’ve gone
> through the kernels of both and I know I would trust Windows over the
> alternate. I also know that the last time I checked driver guru’s for the
> alternate were getting a heck of a lot less for a consult that developers
> for Windows. If we want long term to keep programming Windows we all have
> to make an effort to make it more reliable, and that means cutting out the
> hacks.
>
>
> –
> Don Burn (MVP, Windows DDK)
> Windows 2k/XP/2k3 Filesystem and Driver Consulting
> Remove StopSpam from the email to reply
>
> “Daniel Terhell” wrote in message
> news:xxxxx@ntdev…
>> This registry monitor api is I think still unofficial, only for the
>> latest
>> OSes, not part of the latest DDK. For a lot of the situations that
>> developers do hooking the reason is that an acceptable solution still
>> does
>> not exist. If you get serious about your boycot you might find that
> includes
>> most of the antivirus, monitoring and debugging tool vendors. This world
> has
>> real problems but for many real solutions do not exist. If this is
>> because
>> the tools to develop them are lacking I think this religion is not
> something
>> we should embraced.
>>
>> Regards,
>>
>> Daniel Terhell
>> Resplendence Software Projects Sp
>> xxxxx@resplendence.com
>> http://www.resplendence.com
>>
>>
>
>
>

—
Questions? First check the Kernel Driver FAQ at
http://www.osronline.com/article.cfm?id=256

You are currently subscribed to ntdev as: xxxxx@tfb.com
To unsubscribe send a blank email to xxxxx@lists.osr.com

NOD32 1.974 (20050117) Information

This message was checked by NOD32 antivirus system.
http://www.nod32.com

Sorry, didn’t want to hurt any toes. It was just a product launch, not a
rocket launch so he is probably forigiven. What I wanted to point out is
only that Microsoft antivirus for Windows is/was blatantly missing from
their software park.

Regards,

Daniel

“Jamey Kirby” wrote in message news:xxxxx@ntdev…
> Courage!!! I suspect Bill Gates has far more courage that you will ever
> have.
>
> I also doubt you have ever had a blue screen in your code; we wish we
> could
> all be so perfect and courageous; NOT!
>
> Jamey
>
>
> -----Original Message-----
> From: xxxxx@lists.osr.com
> [mailto:xxxxx@lists.osr.com] On Behalf Of Daniel Terhell
> Sent: Tuesday, January 18, 2005 10:51 AM
> To: Windows System Software Devs Interest List
> Subject: Re:[ntdev] Re:KPEB
>
> Fact is that Bill Gates cannot even to produce an XBox presentation
> without
> bluescreening. As far as he wants to blame antivirus vendors for this, we
> know that at least he does know better. Until recently he did not even
> have
> the courage to produce any antivirus solution himself (at least after MSAV
> for Dos), it is easy to blame on the others who have done the dirty work
> for him. If Microsoft wants to get serious about security they should get
> serious about their own reponsability and that includes providing good
> APIs
> for developers.
>
> Greetings,
>
> Daniel Terhell
> Resplendence Software Projects Sp
> xxxxx@resplendence.com
> http://www.resplendence.com
>
>
>
> “Don Burn” wrote in message news:xxxxx@ntdev…
>> The API’'s have been there a long time, since it was years ago that
>> RegMon
>> switched to them. I agree that Microsoft needs to document them
>> properly.
>> I have checked a number of antivirus tools and most don’t hook, nor do
>> the
>> majority of the monitoring tools. Debugging tools are a special case,
>> this
>> list had a discussion a while back about IrpTracker as an example of
>> something that a developer has to realize can help but has risks.
>>
>> The reason I hate hooking and other bad practices is that I come from a
>> fault tolerant background. I am part of a team trying to bring fault
>> tolerance and reliability to Windows. Now having looked at the kernel
>> sources, Windows has come a long way in the last 7 years and is a robust
>> system. What hasn’t come along is the improvement in 3rd party drivers.
>> A
>> few years ago BillG in a speech ripped apart the antivirus vendors since
>> they accounted for a large percentage of the crashes of Windows. I
>> believe
>> that AV has reduced the percentage, but from what I can tell AV and
>> security
>> are still a major reason Windows crashed.
>>
>> If you believe there is a real problem that Microsoft is not addressing,
>> ask
>> them. They have been highly respectful of input as of late. No, I don’t
>> expect they will turn on a dime and add all the feature we want, but they
>> will listen and perhaps suggest a better way or offer a fix.
>>
>> There is a perception in the marketplace that Windows is buggy and
>> crashes
>> all the time and a an alternate OS is robust and reliable. I’ve gone
>> through the kernels of both and I know I would trust Windows over the
>> alternate. I also know that the last time I checked driver guru’s for
>> the
>> alternate were getting a heck of a lot less for a consult that developers
>> for Windows. If we want long term to keep programming Windows we all
>> have
>> to make an effort to make it more reliable, and that means cutting out
>> the
>> hacks.
>>
>>
>> –
>> Don Burn (MVP, Windows DDK)
>> Windows 2k/XP/2k3 Filesystem and Driver Consulting
>> Remove StopSpam from the email to reply
>>
>> “Daniel Terhell” wrote in message
>> news:xxxxx@ntdev…
>>> This registry monitor api is I think still unofficial, only for the
>>> latest
>>> OSes, not part of the latest DDK. For a lot of the situations that
>>> developers do hooking the reason is that an acceptable solution still
>>> does
>>> not exist. If you get serious about your boycot you might find that
>> includes
>>> most of the antivirus, monitoring and debugging tool vendors. This world
>> has
>>> real problems but for many real solutions do not exist. If this is
>>> because
>>> the tools to develop them are lacking I think this religion is not
>> something
>>> we should embraced.
>>>
>>> Regards,
>>>
>>> Daniel Terhell
>>> Resplendence Software Projects Sp
>>> xxxxx@resplendence.com
>>> http://www.resplendence.com
>>>
>>>
>>
>>
>>
>
>
>
> —
> Questions? First check the Kernel Driver FAQ at
> http://www.osronline.com/article.cfm?id=256
>
> You are currently subscribed to ntdev as: xxxxx@tfb.com
> To unsubscribe send a blank email to xxxxx@lists.osr.com
>
> NOD32 1.974 (20050117) Information
>
> This message was checked by NOD32 antivirus system.
> http://www.nod32.com
>
>
>

The missing MSAV is a fact that AV vendors in general are very happy about
as Microsoft has a habit of eating its competition However with the
recent introduction of the MS anti-spyware tool and MSFT’s acquisitions in
the AV area, it appears that this situation is changing. AV was sort of
outside of MSFTs business focus, and by the time AV got big, MSFT was
already in deep doo-doo over their netscape escapades, which I think has
more to do with why they didn’t get involved directly than any major
technical reasons.

=====================
Mark Roddy

-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of Daniel Terhell
Sent: Tuesday, January 18, 2005 11:09 AM
To: Windows System Software Devs Interest List
Subject: Re:[ntdev] Re:KPEB

Sorry, didn’t want to hurt any toes. It was just a product launch, not a
rocket launch so he is probably forigiven. What I wanted to point out is
only that Microsoft antivirus for Windows is/was blatantly missing from
their software park.

Regards,

Daniel

“Jamey Kirby” wrote in message news:xxxxx@ntdev…
> Courage!!! I suspect Bill Gates has far more courage that you will
> ever have.
>
> I also doubt you have ever had a blue screen in your code; we wish we
> could all be so perfect and courageous; NOT!
>
> Jamey
>
>
> -----Original Message-----
> From: xxxxx@lists.osr.com
> [mailto:xxxxx@lists.osr.com] On Behalf Of Daniel Terhell
> Sent: Tuesday, January 18, 2005 10:51 AM
> To: Windows System Software Devs Interest List
> Subject: Re:[ntdev] Re:KPEB
>
> Fact is that Bill Gates cannot even to produce an XBox presentation
> without bluescreening. As far as he wants to blame antivirus vendors
> for this, we know that at least he does know better. Until recently he
> did not even have the courage to produce any antivirus solution
> himself (at least after MSAV for Dos), it is easy to blame on the
> others who have done the dirty work for him. If Microsoft wants to get
> serious about security they should get serious about their own
> reponsability and that includes providing good APIs for developers.
>
> Greetings,
>
> Daniel Terhell
> Resplendence Software Projects Sp
> xxxxx@resplendence.com
> http://www.resplendence.com
>
>
>
> “Don Burn” wrote in message news:xxxxx@ntdev…
>> The API’'s have been there a long time, since it was years ago that
>> RegMon switched to them. I agree that Microsoft needs to document
>> them properly.
>> I have checked a number of antivirus tools and most don’t hook, nor
>> do the majority of the monitoring tools. Debugging tools are a
>> special case, this list had a discussion a while back about
>> IrpTracker as an example of something that a developer has to realize
>> can help but has risks.
>>
>> The reason I hate hooking and other bad practices is that I come from
>> a fault tolerant background. I am part of a team trying to bring
>> fault tolerance and reliability to Windows. Now having looked at the
>> kernel sources, Windows has come a long way in the last 7 years and
>> is a robust system. What hasn’t come along is the improvement in 3rd
party drivers.
>> A
>> few years ago BillG in a speech ripped apart the antivirus vendors
>> since they accounted for a large percentage of the crashes of
>> Windows. I believe that AV has reduced the percentage, but from what
>> I can tell AV and security are still a major reason Windows crashed.
>>
>> If you believe there is a real problem that Microsoft is not
>> addressing, ask them. They have been highly respectful of input as
>> of late. No, I don’t expect they will turn on a dime and add all the
>> feature we want, but they will listen and perhaps suggest a better
>> way or offer a fix.
>>
>> There is a perception in the marketplace that Windows is buggy and
>> crashes all the time and a an alternate OS is robust and reliable.
>> I’ve gone through the kernels of both and I know I would trust
>> Windows over the alternate. I also know that the last time I checked
>> driver guru’s for the alternate were getting a heck of a lot less for
>> a consult that developers for Windows. If we want long term to keep
>> programming Windows we all have to make an effort to make it more
>> reliable, and that means cutting out the hacks.
>>
>>
>> –
>> Don Burn (MVP, Windows DDK)
>> Windows 2k/XP/2k3 Filesystem and Driver Consulting Remove StopSpam
>> from the email to reply
>>
>> “Daniel Terhell” wrote in message
>> news:xxxxx@ntdev…
>>> This registry monitor api is I think still unofficial, only for the
>>> latest OSes, not part of the latest DDK. For a lot of the situations
>>> that developers do hooking the reason is that an acceptable solution
>>> still does not exist. If you get serious about your boycot you might
>>> find that
>> includes
>>> most of the antivirus, monitoring and debugging tool vendors. This
>>> world
>> has
>>> real problems but for many real solutions do not exist. If this is
>>> because the tools to develop them are lacking I think this religion
>>> is not
>> something
>>> we should embraced.
>>>
>>> Regards,
>>>
>>> Daniel Terhell
>>> Resplendence Software Projects Sp
>>> xxxxx@resplendence.com
>>> http://www.resplendence.com
>>>
>>>
>>
>>
>>
>
>
>
> —
> Questions? First check the Kernel Driver FAQ at
> http://www.osronline.com/article.cfm?id=256
>
> You are currently subscribed to ntdev as: xxxxx@tfb.com To unsubscribe
> send a blank email to xxxxx@lists.osr.com
>
> NOD32 1.974 (20050117) Information
>
> This message was checked by NOD32 antivirus system.
> http://www.nod32.com
>
>
>

—
Questions? First check the Kernel Driver FAQ at
http://www.osronline.com/article.cfm?id=256

You are currently subscribed to ntdev as: xxxxx@stratus.com To
unsubscribe send a blank email to xxxxx@lists.osr.com

I dont get it. What have a AV package in common with good coding practices
?
Dan

----- Original Message -----
From: “Daniel Terhell”
Newsgroups: ntdev
To: “Windows System Software Devs Interest List”
Sent: Tuesday, January 18, 2005 6:09 PM
Subject: Re:[ntdev] Re:KPEB

> Sorry, didn’t want to hurt any toes. It was just a product launch, not a
> rocket launch so he is probably forigiven. What I wanted to point out is
> only that Microsoft antivirus for Windows is/was blatantly missing from
> their software park.
>
> Regards,
>
> Daniel
>
>
> “Jamey Kirby” wrote in message news:xxxxx@ntdev…
>> Courage!!! I suspect Bill Gates has far more courage that you will ever
>> have.
>>
>> I also doubt you have ever had a blue screen in your code; we wish we
>> could
>> all be so perfect and courageous; NOT!
>>
>> Jamey
>>
>>
>> -----Original Message-----
>> From: xxxxx@lists.osr.com
>> [mailto:xxxxx@lists.osr.com] On Behalf Of Daniel Terhell
>> Sent: Tuesday, January 18, 2005 10:51 AM
>> To: Windows System Software Devs Interest List
>> Subject: Re:[ntdev] Re:KPEB
>>
>> Fact is that Bill Gates cannot even to produce an XBox presentation
>> without
>> bluescreening. As far as he wants to blame antivirus vendors for this, we
>> know that at least he does know better. Until recently he did not even
>> have
>> the courage to produce any antivirus solution himself (at least after
>> MSAV
>> for Dos), it is easy to blame on the others who have done the dirty work
>> for him. If Microsoft wants to get serious about security they should get
>> serious about their own reponsability and that includes providing good
>> APIs
>> for developers.
>>
>> Greetings,
>>
>> Daniel Terhell
>> Resplendence Software Projects Sp
>> xxxxx@resplendence.com
>> http://www.resplendence.com
>>
>>
>>
>> “Don Burn” wrote in message news:xxxxx@ntdev…
>>> The API’'s have been there a long time, since it was years ago that
>>> RegMon
>>> switched to them. I agree that Microsoft needs to document them
>>> properly.
>>> I have checked a number of antivirus tools and most don’t hook, nor do
>>> the
>>> majority of the monitoring tools. Debugging tools are a special case,
>>> this
>>> list had a discussion a while back about IrpTracker as an example of
>>> something that a developer has to realize can help but has risks.
>>>
>>> The reason I hate hooking and other bad practices is that I come from a
>>> fault tolerant background. I am part of a team trying to bring fault
>>> tolerance and reliability to Windows. Now having looked at the kernel
>>> sources, Windows has come a long way in the last 7 years and is a robust
>>> system. What hasn’t come along is the improvement in 3rd party drivers.
>>> A
>>> few years ago BillG in a speech ripped apart the antivirus vendors since
>>> they accounted for a large percentage of the crashes of Windows. I
>>> believe
>>> that AV has reduced the percentage, but from what I can tell AV and
>>> security
>>> are still a major reason Windows crashed.
>>>
>>> If you believe there is a real problem that Microsoft is not addressing,
>>> ask
>>> them. They have been highly respectful of input as of late. No, I
>>> don’t
>>> expect they will turn on a dime and add all the feature we want, but
>>> they
>>> will listen and perhaps suggest a better way or offer a fix.
>>>
>>> There is a perception in the marketplace that Windows is buggy and
>>> crashes
>>> all the time and a an alternate OS is robust and reliable. I’ve gone
>>> through the kernels of both and I know I would trust Windows over the
>>> alternate. I also know that the last time I checked driver guru’s for
>>> the
>>> alternate were getting a heck of a lot less for a consult that
>>> developers
>>> for Windows. If we want long term to keep programming Windows we all
>>> have
>>> to make an effort to make it more reliable, and that means cutting out
>>> the
>>> hacks.
>>>
>>>
>>> –
>>> Don Burn (MVP, Windows DDK)
>>> Windows 2k/XP/2k3 Filesystem and Driver Consulting
>>> Remove StopSpam from the email to reply
>>>
>>> “Daniel Terhell” wrote in message
>>> news:xxxxx@ntdev…
>>>> This registry monitor api is I think still unofficial, only for the
>>>> latest
>>>> OSes, not part of the latest DDK. For a lot of the situations that
>>>> developers do hooking the reason is that an acceptable solution still
>>>> does
>>>> not exist. If you get serious about your boycot you might find that
>>> includes
>>>> most of the antivirus, monitoring and debugging tool vendors. This
>>>> world
>>> has
>>>> real problems but for many real solutions do not exist. If this is
>>>> because
>>>> the tools to develop them are lacking I think this religion is not
>>> something
>>>> we should embraced.
>>>>
>>>> Regards,
>>>>
>>>> Daniel Terhell
>>>> Resplendence Software Projects Sp
>>>> xxxxx@resplendence.com
>>>> http://www.resplendence.com
>>>>
>>>>
>>>
>>>
>>>
>>
>>
>>
>> —
>> Questions? First check the Kernel Driver FAQ at
>> http://www.osronline.com/article.cfm?id=256
>>
>> You are currently subscribed to ntdev as: xxxxx@tfb.com
>> To unsubscribe send a blank email to xxxxx@lists.osr.com
>>
>> NOD32 1.974 (20050117) Information
>>
>> This message was checked by NOD32 antivirus system.
>> http://www.nod32.com
>>
>>
>>
>
>
>
> —
> Questions? First check the Kernel Driver FAQ at
> http://www.osronline.com/article.cfm?id=256
>
> You are currently subscribed to ntdev as: xxxxx@rdsor.ro
> To unsubscribe send a blank email to xxxxx@lists.osr.com

Maqts,

You forgot to mention the cost, all the broken bones, required for Rothwell
to reach the preeminence he currently has. I believe Evil Kneivel managed to
break every bone in his body at least once.

–
The personal opinion of
Gary G. Little

“Mats PETERSSON” wrote in message
news:xxxxx@ntdev…
>
>
>
>
>
> I don’t think anything Sysinternals does is actually “documented and
safe”.
> They show things that CAN BE DONE, but I’m pretty sure that none of it is
> safe from a new version of Windows that changes one or more of the
internal
> structures that aren’t documented.
>
> Let’s make an example. There’s a motorcycle stunt rider called Gary
> Rothwell (do a search on the web if you want to learn more about him).
He’s
> able to do things with a motorcycle that I can only dream of doing. Does
> that make the things he does safe? No.
>
> The guys at Sysinternals are like Gary Rothwell. They have a lot of
> experience in trying to do “the impossible”. They are the Gary Rothwells
of
> the Windows system. They do difficult things that aren’t safe and make it
> look easy.
>
> Also, Sysinternals do not charge money for the products you talk about,
and
> they do come with a disclaimer saying that ‘if it doesn’t work. your
> problem’. Now, for everyone on this list, what that means is quite clear.
>
> However, if someone is writing a filter-driver of some sort, that is
> supposed to go out to a variety of skill-level people that are going to
> install this driver, then it needs to be known to work even if the user
> installs “Service Pack 3”, and even when the user runs the “XYZ”
> application that some rather dodgy coder wrote to do something magical, it
> should also not allow the Virus writes free passages into the kernel space
> to wreak havoc.
>
> All of these things have to be considered when writing a driver.
Suggesting
> that just because someone did something, it’s also safe and secur thing to
> do, isn’t the best way to get secure, safe and reliable windows systems
out
> there.
>
> –
> Mats
>
>
> xxxxx@lists.osr.com wrote on 01/18/2005 01:38:41 PM:
>
> > maybe, but sometimes you need to load driver after some processes
> > already started. Process explorer (procexp) and listDll tools (both
> > sysinternals) shows
> > that it is safe.
> >
> > Maxim
> >
> > ----- Original Message -----
> > From: “Don Burn”
> > Newsgroups: ntdev
> > To: “Windows System Software Devs Interest List”
> > Sent: Tuesday, January 18, 2005 3:24 PM
> > Subject: Re:[ntdev] KPEB
> >
> >
> > > ACTUALLY, the last idiot who said that looking at the loaded module
> list
> > > was
> > > safe was trying to justify to one of my customers why their system
> crashed
> > > thanks to his CRAP. Big deal you have the undocumented structures,
> unless
> > > you can coordinate with the rest of the kernel on access to this list
> you
> > > are likely to crash.
> > >
> > > This is really stupid to do this since you can either use
> > > PsSetLoadImageNotifyRoutine and build the list yourself, this is
> > > completely
> > > safe and documented.
> > >
> > > To the original poster, don’t look up KPEB in the archives, look up
> > > hooking
> > > and understand you are producing something that is a very bad idea.
> > >
> > >
> > > –
> > > Don Burn (MVP, Windows DDK)
> > > Windows 2k/XP/2k3 Filesystem and Driver Consulting
> > > Remove StopSpam from the email to reply
> > >
> > >
> > > “Egemen Tas” wrote in message
> news:xxxxx@ntdev…
> > >> Reading the loaded module list from the kernel is quite possible but
> not
> > >> SAFE :
> > >>
> > >>
> > >>
> > >> typedef struct _PEB_LDR_DATA
> > >>
> > >> {
> > >>
> > >> ULONG Length;
> > >>
> > >> BOOLEAN Initialized;
> > >>
> > >> PVOID SsHandle;
> > >>
> > >> LIST_ENTRY InLoadOrderModuleList;
> > >>
> > >> LIST_ENTRY InMemoryOrderModuleList;
> > >>
> > >> LIST_ENTRY InInitializationOrderModuleList;
> > >>
> > >> PVOID EntryInProgress;
> > >>
> > >> } PEB_LDR_DATA, *PPEB_LDR_DATA;
> > >>
> > >>
> > >>
> > >> typedef struct _LDR_DATA_TABLE_ENTRY
> > >>
> > >> {
> > >>
> > >> LIST_ENTRY InLoadOrderLinks;
> > >>
> > >> LIST_ENTRY InMemoryOrderLinks;
> > >>
> > >> LIST_ENTRY InInitializationOrderLinks;
> > >>
> > >> PVOID DllBase;
> > >>
> > >> PVOID EntryPoint;
> > >>
> > >> ULONG SizeOfImage;
> > >>
> > >> UNICODE_STRING FullDllName;
> > >>
> > >> UNICODE_STRING BaseDllName;
> > >>
> > >> …
> > >>
> > >> }
> > >>
> > >>
> > >>
> > >> typedef struct _PEB
> > >>
> > >> {
> > >>
> > >> unsigned char _pad[0x00c]; //XP SP2 offset
> > >>
> > >> PEB_LDR_DATA Ldr;
> > >>
> > >> …
> > >>
> > >> }
> > >>
> > >>
> > >>
> > >> After you obtain the address of the PEB of the process, you can
obtain
>
> > >> the
> > >> address of the loader data encapsulated as
> > >>
> > >> struct_PEB_LDR_DATA . Within this structure there are
> > > InXXXOrderModuleLists
> > >> links which links the module information in _LDR_DATA_TABLE_ENTRY
> > >>
> > >> strucures.
> > >>
> > >>
> > >>
> > >> I have not tested this but the strategy must work.
> > >>
> > >>
> > >>
> > >> However, this method is not thread SAFE. The driver must ensure
serial
> > >> access to these links and ensure that that data is valid!
> > >>
> > >> When you look at the PEB structure, you see a member called
LoaderLock
> > > which
> > >> is used by nt loader thorugh RTlXXXCriticalSection native api
> functions
> > >> to
> > >> syncronize loader related operations on the PEB.
> > >>
> > >>
> > >>
> > >> Indeed from the security point of view, PEB of a process is
accessible
> > > from
> > >> the user mode so accessing and basing the operations on the user
> > >> manipulatable data from the driver is conceptually unsafe.
> > >>
> > >> What if a rootkit changes the links in these data structure which may
> > >> lead
> > >> to an infinite loop at the driver level or something else?
> > >>
> > >> It is better to face such conditions at the user level.
> > >>
> > >>
> > >>
> > >> Look at the documentation of PsSetLoadImageNotifyRoutine in DDK help.
> it
> > > may
> > >> be useful.
> > >>
> > >>
> > >>
> > >> Good luck,
> > >>
> > >>
> > >>
> > >> Egemen Tas
> > >>
> > >>
> > >>
> > >>
> > >>
> > >>
> > >>
> > >>
> > >>
> > >> -------Original Message-------
> > >>
> > >>
> > >>
> > >> From: xxxxx@wipro.com
> > >>
> > >> Date: 01/18/05 10:40:52
> > >>
> > >> To: Windows System Software Devs Interest List
> > >>
> > >> Subject: [ntdev] KPEB
> > >>
> > >>
> > >>
> > >> Hi,
> > >>
> > >> I wanted to implement a hooking function same like Regmon. I could
> able
> > >> to
> > >> hook to registry and could able to read the process information block
> > > (KPEB)
> > >> I want to know some of the clarifications and pointers.
> > >>
> > >> Is it possible to read what are the modules(dll) that are loaded by
> the
> > > user
> > >> application from kernel mode ? If it is can we know which is the
> present
> > >> module that is running in the user space ?
> > >>
> > >> Presently I have hooked to registry call. Any call to registry will
> > >> invoke
> > >> my function first and from my function I will call the actual
registry
> > >> function. The registry call from user application may be done from
> listed
> > >> dlls of a particular process. Is it possible to know which module has
> > > called
> > >> my registry function.
> > >>
> > >> Any suggestions will be helpful.
> > >>
> > >>
> > >>
> > >> Thanks and Regards,
> > >>
> > >> Abhiman.
> > >>
> > >>
> > >>
> > >> —
> > >>
> > >> Questions? First check the Kernel Driver FAQ at http://www.osronline
> > >> com/article.cfm?id=256
> > >>
> > >>
> > >>
> > >> You are currently subscribed to ntdev as: unknown lmsubst tag
> argument:
> > >> ‘’
> > >>
> > >> To unsubscribe send a blank email to xxxxx@lists.osr.com
> > >>
> > >>
> > >>
> > >
> > >
> > >
> > > —
> > > Questions? First check the Kernel Driver FAQ at
> > > http://www.osronline.com/article.cfm?id=256
> > >
> > > You are currently subscribed to ntdev as: xxxxx@secureol.com
> > > To unsubscribe send a blank email to xxxxx@lists.osr.com
> >
> >
> > —
> > Questions? First check the Kernel Driver FAQ at http://www.
> > osronline.com/article.cfm?id=256
> >
> > You are currently subscribed to ntdev as: xxxxx@3dlabs.com
> > To unsubscribe send a blank email to xxxxx@lists.osr.com
>
> > ForwardSourceID:NT0000B172
>
>