Need help getting started

I’m very new to Windows driver development and spent the past couple weeks familiarizing myself with the tools and building a few simple drivers in the WDK. I’m trying to write a driver that can intercept a process being spawned and either pause it, or kill it. Currently I’m working on Windows XP. I discovered “PsSetCreateProcessNotifyRoutine”, which allows me to create a callback and know when a process is created and destroyed, but are there any DDK API functions that allow me to actually control them? I’m curious as to whether I need to hook some existing functions in order to do this or if there is a simpler way.

Any advice on this would be greatly appreciated, as well as any advice on getting resources (i.e. what books, if any) that might help me along.

-Chad

wrote in message news:xxxxx@ntdev…
> I’m very new to Windows driver development and spent the past couple
> weeks familiarizing myself with the tools and building a few simple
> drivers in the WDK. I’m trying to write a driver that can intercept a
> process being spawned and either pause it, or kill it. Currently I’m
> working on Windows XP. I discovered “PsSetCreateProcessNotifyRoutine”,
> which allows me to create a callback and know when a process is created
> and destroyed, but are there any DDK API functions that allow me to
> actually control them? I’m curious as to whether I need to hook some
> existing functions in order to do this or if there is a simpler way.
>
> Any advice on this would be greatly appreciated, as well as any advice on
> getting resources (i.e. what books, if any) that might help me along.
>

Chad,

This is a complex problem; unfortunately the callbacks from the
PsSetXxxNotifyRoutine functions do not allow control. The first question
you need to answer is what you are trying to do, and for what environment?
For the “what are you trying to do” question, some examples could be:

“I am trying to stop the execution of some well known applications”
“I am trying to stop the execution of any program I do not recognize”

The above two can have radically different answers as to the best
approach. As for the environment, if this is a pure research project and not
going to use x64 OSes, then hooking may be a good approach, but if this is
a commercial product or needs to support x64, hooking is going to be more
problems than it is likely to be worth.


Don Burn (MVP, Windows DDK)
Windows 2k/XP/2k3 Filesystem and Driver Consulting
Website: http://www.windrvr.com
Blog: http://msmvps.com/blogs/WinDrvr
Remove StopSpam to reply

Don is quite correct here. To amplify his answer just a touch, assuming
that you first meet the important issues of research and no x64, the
next thing I think that you need to answer adequately is how you are
going to identify an application. If you’re going to use either module
name or filename, then don’t waste your time; this information is
already commonly (among exploits) spoofed. The corollary is how
important being correct is, considering the consequences of both false
positives and false negatives. The long and short, in my opinion, is
that if this is for your personal edification, or you’re getting paid by
someone for research purposes who is willing to accept either
answer, then it will be interesting. Otherwise, it is not very likely
to turn out well enough to be worth the investment compared with, say, locking
down and renaming the file, which will stop anyone casual, anyone who
is not an admin, and no one worth worrying about, but it will also cost
basically nothing. If there are costs to, say, killing the wrong app,
or missing the one you’re supposed to stop, then these are a real
problem, because this is hard to control.

mm

-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of Don Burn
Sent: Friday, July 27, 2007 11:58
To: Windows System Software Devs Interest List
Subject: Re:[ntdev] Need help getting started

wrote in message news:xxxxx@ntdev…
> I’m very new to Windows driver development and spent the past couple
> weeks familiarizing myself with the tools and building a few simple
> drivers in the WDK. I’m trying to write a driver that can intercept a
> process being spawned and either pause it, or kill it. Currently I’m
> working on Windows XP. I discovered “PsSetCreateProcessNotifyRoutine”,
> which allows me to create a callback and know when a process is created
> and destroyed, but are there any DDK API functions that allow me to
> actually control them? I’m curious as to whether I need to hook some
> existing functions in order to do this or if there is a simpler way.
>
> Any advice on this would be greatly appreciated, as well as any advice on
> getting resources (i.e. what books, if any) that might help me along.
>

Chad,

This is a complex problem; unfortunately the callbacks from the
PsSetXxxNotifyRoutine functions do not allow control. The first question
you need to answer is what you are trying to do, and for what environment?
For the “what are you trying to do” question, some examples could be:

“I am trying to stop the execution of some well known applications”
“I am trying to stop the execution of any program I do not recognize”

The above two can have radically different answers as to the best
approach. As for the environment, if this is a pure research project and not
going to use x64 OSes, then hooking may be a good approach, but if this is
a commercial product or needs to support x64, hooking is going to be more
problems than it is likely to be worth.


Don Burn (MVP, Windows DDK)
Windows 2k/XP/2k3 Filesystem and Driver Consulting
Website: http://www.windrvr.com
Blog: http://msmvps.com/blogs/WinDrvr
Remove StopSpam to reply


NTDEV is sponsored by OSR

For our schedule of WDF, WDM, debugging and other seminars visit:
http://www.osr.com/seminars

To unsubscribe, visit the List Server section of OSR Online at
http://www.osronline.com/page.cfm?name=ListServer

This application is for research purposes only, and it isn’t for security – so being correct isn’t absolutely critical. I’ll be recording performance data with an executable in user mode based on the names of the processes. Each time a process is about to be spawned, I’d like to halt it temporarily and then try to predict its effect on stability in the system (based on previously recorded data that will be tied to the process name). Then if the process is predicted to destabilize the system, I want to prompt the user if they want it to spawn anyway. Based on this decision I’ll allow it to run, or kill it. Can this only be done with hooks?

wrote in message news:xxxxx@ntdev…
> This application is for research purposes only, and it isn’t for
> security – so being correct isn’t absolutely critical. I’ll be
> recording performance data with an executable in user mode based on the
> names of the processes. Each time a process is about to be spawned, I’d
> like to halt it temporarily and then try to predict its effect on
> stability in the system (based on previously recorded data that will be
> tied to the process name). Then if the process is predicted to
> destabilize the system, I want to prompt the user if they want it to
> spawn anyway. Based on this decision I’ll allow it to run, or kill it.
> Can this only be done with hooks?
>
If you are not trying to deal with malware, but only reasonably known
applications, you can do this with a relatively simple file system filter:
since most applications will do one or more file opens early in
initialization, the filter would block them at that point and terminate the
execution if needed. This will not work for some applications, but is good
for 98% of the code out there.

If you really need everything, you probably are stuck with hooks. The
challenge here is that the hooks are more likely to destabilize the system
than any user space application can, so your research is probably going to
be questionable.


Don Burn (MVP, Windows DDK)
Windows 2k/XP/2k3 Filesystem and Driver Consulting
Website: http://www.windrvr.com
Blog: http://msmvps.com/blogs/WinDrvr
Remove StopSpam to reply

At this point I’m not overly concerned with the criteria that I’m going to use for stopping applications, or whether it will work universally or not. I’m most interested in learning what mechanisms can be used to pause and kill a process that are fast, or early enough, that the process won’t be able to start consuming the system resources. Once I have this, then I can start experimenting with it.

So if I were to use a file filter, how would it “block them at that point and terminate the execution”?

Chad,

The simple model is to:

  1. Use PsSetCreateProcessNotifyRoutine to register a callback so you
    know a new process is starting. Put the processId in a queued data
    structure on a “process starting queue”.

  2. Use PsSetLoadImageNotifyRoutine to register a callback to
    associate the executable name (this will be the first file loaded for a
    given processId) with the process. Typically this will dequeue things from
    the “process starting queue” and put them on a “process loaded queue”. For
    your case this is where the prediction would go; if the process is not
    likely to destabilize things, do not put it on the “process loaded queue”.

  3. Create a simple mini-filter that catches create calls and checks if
    the processId is on the “process loaded queue”; then dequeue the item, free
    the memory, and interact with a user application to pop up the prompt. If
    the prompt’s response is to fail the application, then have the application kill
    the process.

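The three-step model above, and the file-system-filter idea from Don's earlier reply, boil down to a small state machine over two queues keyed by process id. The following is an added example, not code from this thread or from any WDK sample: it models that state machine in portable user-mode C so the queue handling can be compiled and exercised without a driver. The functions OnProcessNotify, OnLoadImage and OnPreCreate are stand-ins for the PsSetCreateProcessNotifyRoutine callback, the PsSetLoadImageNotifyRoutine callback and the mini-filter's pre-create callback respectively; their signatures are this example's own, not the WDK's. The "recorded stability data" is a constructed two-entry table. One edge case the thread does not spell out is handled explicitly: a process that exits before the filter ever sees a create call must be removed from both queues, otherwise a later process that reuses the same id would inherit a stale prediction.

```c
/* Added example (not from the thread): user-mode model of the two-queue design.
 * WDK callbacks are replaced by plain functions with the same role; names and
 * signatures are this example's own assumptions, not WDK APIs. A real driver
 * would also guard the queues with a spin lock or fast mutex. */
#include <stdbool.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

typedef uint32_t ProcId;

typedef struct Entry {
    ProcId pid;
    char image[64];               /* first image loaded for this pid */
    struct Entry *next;
} Entry;

static Entry *g_starting = NULL;  /* "process starting queue" */
static Entry *g_loaded   = NULL;  /* "process loaded queue" */

/* Constructed stand-in for the previously recorded stability data. */
static bool PredictedUnstable(const char *image)
{
    static const char *const risky[] = { "memhog.exe", "forkbomb.exe" };
    for (size_t i = 0; i < sizeof risky / sizeof risky[0]; i++)
        if (strcmp(image, risky[i]) == 0) return true;
    return false;
}

/* Unlink and return the entry for pid, or NULL if it is not queued. */
static Entry *Remove(Entry **head, ProcId pid)
{
    for (Entry **pp = head; *pp; pp = &(*pp)->next)
        if ((*pp)->pid == pid) { Entry *e = *pp; *pp = e->next; return e; }
    return NULL;
}

static void Push(Entry **head, Entry *e) { e->next = *head; *head = e; }

/* Step 1: stand-in for the process-creation notify callback. */
void OnProcessNotify(ProcId pid, bool create)
{
    if (create) {
        Entry *e = calloc(1, sizeof *e);
        if (!e) return;           /* allocation failed: simply don't track it */
        e->pid = pid;
        Push(&g_starting, e);
    } else {
        /* Exit before any decision: drop from both queues so a recycled pid
         * cannot be matched against stale data. free(NULL) is a no-op. */
        free(Remove(&g_starting, pid));
        free(Remove(&g_loaded, pid));
    }
}

/* Step 2: stand-in for the load-image notify callback. The first image seen
 * for a pid still on the starting queue is taken to be the executable. */
void OnLoadImage(const char *imageName, ProcId pid)
{
    Entry *e = Remove(&g_starting, pid);
    if (!e) return;               /* later DLL loads, or an untracked pid */
    strncpy(e->image, imageName, sizeof e->image - 1);
    if (PredictedUnstable(e->image))
        Push(&g_loaded, e);       /* hold it for the user prompt */
    else
        free(e);                  /* not interesting: let it run untouched */
}

/* Step 3: stand-in for the mini-filter's pre-create callback. Returns true
 * when the open should be held and the user asked about this process; the
 * image name is copied out for the prompt. */
bool OnPreCreate(ProcId pid, char *imageOut, size_t imageOutLen)
{
    Entry *e = Remove(&g_loaded, pid);
    if (!e) return false;
    strncpy(imageOut, e->image, imageOutLen - 1);
    imageOut[imageOutLen - 1] = '\0';
    free(e);
    return true;
}

/* Helper so a caller can observe queue state. */
int QueueLength(const Entry *h) { int n = 0; for (; h; h = h->next) n++; return n; }
```

Note that, as mm points out above, the decision here rests on the image name, which a hostile program can spoof; that is acceptable for the stated research use but not for a security control.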

Don Burn (MVP, Windows DDK)
Windows 2k/XP/2k3 Filesystem and Driver Consulting
Website: http://www.windrvr.com
Blog: http://msmvps.com/blogs/WinDrvr
Remove StopSpam to reply

wrote in message news:xxxxx@ntdev…
> At this point I’m not overly concerned with the criteria that I’m going
> to use for stopping applications, or if it will work universally or not.
> I’m most interested in learning what mechanisms can be used to pause, and
> kill a process, that are fast, or early enough that the process won’t be
> able to start consuming the system resources. Once I have this, then I
> can start experimenting with it.
>
> So if I were to use a file filter, how would it “block them at that point
> and terminate the execution”?
>

Hooks might also do a number on your “performance data,” depending on
how you interpret it.

mm
-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of Don Burn
Sent: Monday, July 30, 2007 13:09
To: Windows System Software Devs Interest List
Subject: Re:[ntdev] Need help getting started

wrote in message news:xxxxx@ntdev…
> This application is for research purposes only, and it isn’t for
> security – so being correct isn’t absolutely critical. I’ll be
> recording performance data with an executable in user mode based on the
> names of the processes. Each time a process is about to be spawned, I’d
> like to halt it temporarily and then try to predict its effect on
> stability in the system (based on previously recorded data that will be
> tied to the process name). Then if the process is predicted to
> destabilize the system, I want to prompt the user if they want it to
> spawn anyway. Based on this decision I’ll allow it to run, or kill it.
> Can this only be done with hooks?
>
If you are not trying to deal with malware, but only reasonably known
applications, you can do this with a relatively simple file system filter:
since most applications will do one or more file opens early in
initialization, the filter would block them at that point and terminate the
execution if needed. This will not work for some applications, but is good
for 98% of the code out there.

If you really need everything, you probably are stuck with hooks. The
challenge here is that the hooks are more likely to destabilize the system
than any user space application can, so your research is probably going to
be questionable.


Don Burn (MVP, Windows DDK)
Windows 2k/XP/2k3 Filesystem and Driver Consulting
Website: http://www.windrvr.com
Blog: http://msmvps.com/blogs/WinDrvr
Remove StopSpam to reply
