launch process

Hi all,

Is there a way to launch a user-land process/service from a kernel driver?
Windows must be doing it, but is it documented?

Bedanto wrote:

> is there a way to launch a user land process/service from the kernel driver? windows must be doing it, but is it documented?

Yes, there is a way to launch a program from a kernel driver. For example, in Vista+ you can assign a custom handler to a certain eventlog message, and post this message from a driver. The app specified in the handler will start :)

In Win7, a service can start on arrival of a specific device, or other conditions that can be triggered from a driver.

Regards,
–pa

There is no documented way; it is very complicated and not the result of just one API call. Windows is not doing it outside of launching smss at boot. Have a helper in user mode which does this for you and you will be much happier in the end.

—
NTDEV is sponsored by OSR

For our schedule of WDF, WDM, debugging and other seminars visit:
http://www.osr.com/seminars

To unsubscribe, visit the List Server section of OSR Online at
http://www.osronline.com/page.cfm?name=ListServer

http://www.codeproject.com/KB/system/KernelExec.aspx

This uses a lot of undocumented crap, and will not work from one version to another; a great way to crash systems, but really stupid for the goal at hand.


Don Burn (MVP, Windows DDK)
Windows Filesystem and Driver Consulting
Website: http://www.windrvr.com
Blog: http://msmvps.com/blogs/WinDrvr


Good HEAVENS, that’s hideous.

Just what I’d expect for kernel-mode code written by a guy who’s a web developer.

Beware kernel-mode samples such as this that are posted by people you don’t know, on sites where the content isn’t technically reviewed.

If you write user-mode code, you know that while there are some truly excellent articles and examples (about, say, C# .Net or whatever) on sites like CodeProject, most of the examples are of much lower quality. While this can be evaluated rather easily for user-mode stuff (you suck it into Visual Studio, try to build and run the project, maybe Google around a bit to see if the advice you’re getting matches what others are saying), it’s rather more complicated to evaluate a kernel-mode solution (given the vagaries of what’s documented, what’s good practice, and the MUCH smaller number of competent kernel devs).

When in doubt, ask here… SOMEbody here will almost certainly have an opinion :)

Peter
OSR

:) That guy is actually from my country, surprisingly, thinking that crapping the kernel on CodeProject will give him the status of kernel guru. I have seen a lot of that on CodeProject and CodeGuru, and am still surprised how people recommend those articles.

To finish with, I don’t see any reason to actually start a process from kernel mode. Why mix having to write kernel routines, which almost all the time have arbitrary context, with having to launch a process, which has a specific context? I don’t see the connection, and probably a driver design which depends on launching a process from kernel mode has a lot of implementation issues to deal with.

With respect,
Gabriel Bercea

GaMiTech Software Development
Mobile contact: (+40)0740049634
eMail: xxxxx@gmail.com
Blog: http://gamitech.blogspot.com/
Linkedin: http://www.linkedin.com/in/gamitech
Twitter: http://www.twitter.com/gamitech


> Just what I’d expect for kernel-mode code written by a buy who’s a web developer.

It looks like the CodeProject guys think of everyone as a web developer - if you write an article there, your occupation is more than likely to be stated as “web developer” as well. Therefore, this info is not really indicative.

Concerning the article itself, although I did not really look through it carefully, it seems to rely upon delivering an APC to a target UM process from a driver. I believe this trick was first described on rootkit.com quite a while ago…

Anton Bassov

But Anton, what about things done for educational/proof-of-concept purposes, and things that should actually not be encouraged? This is more like subverting if implemented in a commercial application, or what about backwards compatibility? I would rather say that you don’t need to look carefully to realize the quality of the code.

About the “web developer” position, when you make your account you can edit your settings and state your occupation. I know I did that, and I am stated as Software Developer.

Good luck !


> is there a way to launch a user land process/service from the kernel driver? windows must be doing it,

Peter Wieland once told me that it is an extremely hard thing to do even having Windows source at hand.

For me, it looks like it is better to write a service which will do the things.


Maxim S. Shatskih
Windows DDK MVP
xxxxx@storagecraft.com
http://www.storagecraft.com

Not portable to 64bit without a significant effort.


Maxim S. Shatskih
Windows DDK MVP
xxxxx@storagecraft.com
http://www.storagecraft.com

wrote in message news:xxxxx@ntdev…
> http://www.codeproject.com/KB/system/KernelExec.aspx
>

Much easier to do it from a service. The only process that I’m aware of which is launched by the kernel is SMSS and that’s a native process, not a Win32 process.

-p


> it seems to rely upon delivering an APC to an target UM process from a driver. I believe this trick was first described on rootkit.com quite a while ago

It may be close to what I called “Vorobey’s trick”, not related to any rootkits, which I found at about year 2000: the driver forces a flag value into the TIB so a thread thinks that it is in an alertable state (as in SleepEx and other …Ex) and an APC is therefore executed.

If these two are close, then it is as bad as can be, as Skywing (IIANM)
explained on this list/on his page a while ago (idea: what if this
“interrupt”
happens in the midst of malloc, and your APC wants to malloc also?).

Nothing can be worse than code that works sometimes.


> -----Original Message-----
> From: xxxxx@lists.osr.com [mailto:xxxxx@lists.osr.com] On Behalf Of Bercea Gabriel
> Sent: Wednesday, May 06, 2009 4:31 PM
> To: Windows System Software Devs Interest List
> Subject: RE: [ntdev] launch process
>
> To finish with, I don’t see any reason to actually start a process from kernel mode.

I see one reason. Malware which is a kernel driver and doesn’t want to
have a helper user mode part which could be easier to detect.

Best regards,

Michal Vodicka
UPEK, Inc.
[xxxxx@upek.com, http://www.upek.com]

And why would we want to help malware do that? Let’s rephrase. What legit reason would you want to start a process in KM?

d


Sure, we don’t want. Just wanted to point out everything has a reason, good or bad ;)

Best regards,

Michal Vodicka
UPEK, Inc.
[xxxxx@upek.com, http://www.upek.com]


> Peter Wieland once told me that it is an extremely hard thing to do even having Windows source at hand.

Well, process creation in itself is not the easiest thing one can imagine - even if you do it from the UM…

You have to:

  1. Create image section

  2. Create process environment

  3. Allocate stack for its main thread and set up its stack

  4. Create its main thread in suspended state

  5. Create process parameters

  6. Inform CSRSS about it

  7. Resume thread

Do you really think it belongs in the kernel??? The only thing that “officially” can be done from a driver is step 1 - once ZwCreateSection() and NtCreateSection() are exported by ntoskrnl.exe via IAT they are available to drivers. However, all subsequent calls that you make are exported only via SSDT, which means that they are expected to get called by the UM code.

Anton Bassov

> About the “web developer” position, when you make your account you cand edit your settings and state your occupation, I know I did that, and I am stated as Software Developer,

Well, I did the same when I set up an account there in 2004, so I was a “software developer” for quite a while - I got “demoted” to web development just a couple of years ago when they made some update to their site…

Anton Bassov

:)) Really?
Never noticed :))

With respect,
Gabriel Bercea

GaMiTech Software Development
Mobile contact: (+40)0740049634
eMail: xxxxx@gmail.com
Blog: http://gamitech.blogspot.com/
Linkedin: http://www.linkedin.com/in/gamitech
Twitter: http://www.twitter.com/gamitech


Doron Holan wrote:

And why would we want to help malware do that? Let’s rephrase. What legit reason would you want to start a process in KM?

The reason is exactly why the “service triggers” have been added in
Win7: so that the user mode component does not need to start
automatically and keep running all the time. The kernel side should be
able to activate it Just In Time.

/* Begging everyone’s pardon, but the concept is similar to the “udev”
thing in the Other OS */

Regards,
– pa
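The trigger-started design pa describes, as an added example that is not part of the thread: the user-mode helper stays a demand-start service and the SCM launches it when the driver's device interface appears. The service name and the interface class GUID are placeholders, not values from the thread.

```powershell
# Added example (not from the thread): register a Win7+ service trigger so the
# user-mode helper is started by the SCM only when a device exposing the given
# interface class arrives, instead of running all the time.
$svc  = 'MyHelperSvc'                                 # hypothetical service name
$guid = '{00000000-0000-0000-0000-000000000000}'      # PLACEHOLDER: your device interface class GUID

# The trigger only makes sense for a demand-start service; an auto-start
# service would run regardless of the trigger.
sc.exe config $svc start= demand

# Start the service on arrival of any device exposing that interface class.
# On the driver side this is the normal IoRegisterDeviceInterface /
# IoSetDeviceInterfaceState(TRUE) path, so the driver needs no undocumented
# process-creation code at all.
sc.exe triggerinfo $svc "start/device/$guid"

# Check what the SCM actually recorded before relying on it.
sc.exe qtriggerinfo $svc
```

If the query shows no trigger, the service is probably still configured auto-start, or the GUID was not accepted; fix the configuration rather than falling back to a permanently running helper.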