Hello,
I’ve seen an article online (one single article) referring to the ability to monitor additional object types (than PsProcessType/PsThreadType) with ObRegisterCallbacks but have not been able to find any example on how to do so.
x64 compatibility is important, and I agree with the movement to the defined interfaces rather than relying on hacks, but it is severely limited because of the inability to monitor access to other object types.
Is there any workaround to this limitation that doesn’t disturb Patchguard? Ideally it would be possible to monitor access to MmSectionObjectType and SeTokenType and in a perfect world it would be possible to interface with the Win32k side of the OS to limit access to NtGdiBitBlt and similar functions.
Thank you for your input and time!
This would be really interesting. Please post a link if you can find it.
//Daniel
wrote in message news:xxxxx@ntdev…
> Hello,
> I’ve seen an article online (one single article) referring to the ability
> to monitor additional object types (than PsProcessType/PsThreadType) with
> ObRegisterCallbacks …
The article I’m referring to is: http://www.usenix.org/event/woot08/tech/full_papers/miller/miller_html/
“This feature provides a new API, ObRegisterCallbacks, which allows device drivers to register a callback that is notified when handles to objects of a given type are created or duplicated. While this API would appear to be the perfect choice, the default implementation only allows callbacks to be registered for process and thread object types (PsProcessType and PsThreadType). Fortunately, this limitation can be overcome by dynamically altering a flag associated with each object type which enables the use of ObRegisterCallbacks. Once registered, each callback is then able to log information about the context that uses a given object such as the calling process context, active security tokens, assigned security descriptor, granted access rights, call stack, and object name information.”
I’ve looked through the individual object types structures and haven’t found this flag or any other mention of it but ObRegisterCallbacks seems to be largely under-discussed anyway.
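Since the thread only describes the documented half of ObRegisterCallbacks in prose, here is an added example (written for this page; it is not code from the thread, from OSR, or from the WOOT08 sample) of the supported usage: a pre-operation callback on PsProcessType that trims sensitive access rights from handles that untrusted processes open or duplicate to a protected process, which is the pattern anti-malware products use for self-protection. The OB_EXAMPLE_KERNEL build macro, the altitude string, the PID tables and the FilterProcessAccess/IsProtectedPid/IsTrustedPid helpers are this example's own assumptions; the OB_* types, ObRegisterCallbacks, ObUnRegisterCallbacks, PsGetProcessId and PsGetCurrentProcessId are the documented WDK interfaces. It deliberately stays on the process object type and does not touch the type-object flag the article describes.

```c
/* Added example: supported use of ObRegisterCallbacks on PsProcessType.
 * The policy core is plain C so it compiles and tests anywhere; define
 * OB_EXAMPLE_KERNEL (assumed macro) when building with the WDK to get the
 * driver registration. Not code from the thread or the WOOT08 sample. */
#ifdef OB_EXAMPLE_KERNEL
#include <ntddk.h>
#else
#include <stddef.h>
#include <stdio.h>
typedef unsigned long ACCESS_MASK;       /* same width as the SDK typedef */
#endif

/* Documented process access right values; guarded so ntddk.h wins if present. */
#ifndef PROCESS_TERMINATE
#define PROCESS_TERMINATE                 0x0001
#define PROCESS_CREATE_THREAD             0x0002
#define PROCESS_VM_OPERATION              0x0008
#define PROCESS_VM_READ                   0x0010
#define PROCESS_VM_WRITE                  0x0020
#define PROCESS_DUP_HANDLE                0x0040
#define PROCESS_SET_INFORMATION           0x0200
#define PROCESS_SUSPEND_RESUME            0x0800
#define PROCESS_QUERY_LIMITED_INFORMATION 0x1000
#endif

/* Rights an untrusted caller must not obtain on a protected process.
 * Query rights are left alone so diagnostics and task managers keep working. */
#define PROTECTED_STRIP_MASK \
    (PROCESS_TERMINATE | PROCESS_CREATE_THREAD | PROCESS_VM_OPERATION | \
     PROCESS_VM_READ | PROCESS_VM_WRITE | PROCESS_DUP_HANDLE | \
     PROCESS_SET_INFORMATION | PROCESS_SUSPEND_RESUME)

/* Constructed sample policy; a real driver would take these from configuration. */
static const unsigned long long g_protectedPids[] = { 4242 };
static const unsigned long long g_trustedPids[]   = { 4242, 1337 };

static int PidInList(unsigned long long pid, const unsigned long long *list, size_t n)
{
    for (size_t i = 0; i < n; i++) if (list[i] == pid) return 1;
    return 0;
}
int IsProtectedPid(unsigned long long pid)
{ return PidInList(pid, g_protectedPids, sizeof g_protectedPids / sizeof g_protectedPids[0]); }
int IsTrustedPid(unsigned long long pid)
{ return PidInList(pid, g_trustedPids, sizeof g_trustedPids / sizeof g_trustedPids[0]); }

/* The decision: given who opens whom with which rights, return the rights that
 * may actually be granted. A process always keeps full access to itself. */
ACCESS_MASK FilterProcessAccess(ACCESS_MASK desired,
                                unsigned long long callerPid,
                                unsigned long long targetPid)
{
    if (callerPid == targetPid)      return desired;
    if (!IsProtectedPid(targetPid))  return desired;
    if (IsTrustedPid(callerPid))     return desired;
    return desired & ~(ACCESS_MASK)PROTECTED_STRIP_MASK;
}

#ifdef OB_EXAMPLE_KERNEL
static PVOID g_obHandle;

static OB_PREOP_CALLBACK_STATUS
PreOpCallback(PVOID Context, POB_PRE_OPERATION_INFORMATION Info)
{
    UNREFERENCED_PARAMETER(Context);
    /* Only user-mode process handles; kernel handles are left untouched. */
    if (Info->ObjectType != *PsProcessType || Info->KernelHandle)
        return OB_PREOP_SUCCESS;

    PACCESS_MASK desired = (Info->Operation == OB_OPERATION_HANDLE_CREATE)
        ? &Info->Parameters->CreateHandleInformation.DesiredAccess
        : &Info->Parameters->DuplicateHandleInformation.DesiredAccess;

    /* Simplification: the current process is treated as the caller for both
     * create and duplicate operations. */
    unsigned long long caller = (unsigned long long)(ULONG_PTR)PsGetCurrentProcessId();
    unsigned long long target = (unsigned long long)(ULONG_PTR)PsGetProcessId((PEPROCESS)Info->Object);
    *desired = FilterProcessAccess(*desired, caller, target);
    return OB_PREOP_SUCCESS;  /* the only legal return value: trim, never fail */
}

NTSTATUS RegisterProcessHandleFilter(void)
{
    OB_OPERATION_REGISTRATION op  = { 0 };
    OB_CALLBACK_REGISTRATION  reg = { 0 };
    op.ObjectType    = PsProcessType;
    op.Operations    = OB_OPERATION_HANDLE_CREATE | OB_OPERATION_HANDLE_DUPLICATE;
    op.PreOperation  = PreOpCallback;
    op.PostOperation = NULL;
    reg.Version                    = OB_FLT_REGISTRATION_VERSION;
    reg.OperationRegistrationCount = 1;
    reg.RegistrationContext        = NULL;
    reg.OperationRegistration      = &op;
    RtlInitUnicodeString(&reg.Altitude, L"321000");  /* assumed altitude */
    return ObRegisterCallbacks(&reg, &g_obHandle);
}

void UnregisterProcessHandleFilter(void)
{
    if (g_obHandle) { ObUnRegisterCallbacks(g_obHandle); g_obHandle = NULL; }
}
#else
int main(void)
{
    /* Untrusted PID 9999 asking for PROCESS_ALL_ACCESS (0x1FFFFF) on protected 4242. */
    printf("granted: 0x%lX\n", FilterProcessAccess(0x1FFFFFUL, 9999, 4242));
    return 0;
}
#endif
```

Two caveats worth keeping in mind when wiring this into a real driver: ObRegisterCallbacks returns STATUS_ACCESS_DENIED unless the driver image is linked with /INTEGRITYCHECK, and the pre-operation callback is only allowed to return OB_PREOP_SUCCESS, so the protection model is "trim the DesiredAccess mask", not "fail the open".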
Though it’s likely to be of little help to you if you need the information right away, the NEXT issue of The NT Insider is coincidentally scheduled to have an article about Vista-and-later kernel mode callbacks (such as for Ob, Registry, etc).
Peter
OSR
Hello,
here’s the associated sample code:
http://hick.org/~mmiller/presentations/woot08/code.zip
On Mon, 10 Aug 2009 02:11:45 +0200, wrote:
> The article I’m referring to is:
> http://www.usenix.org/event/woot08/tech/full_papers/miller/miller_html/
>
> “This feature provides a new API, ObRegisterCallbacks, which allows
> device drivers to register a callback that is notified when handles to
> objects of a given type are created or duplicated. While this API would
> appear to be the perfect choice, the default implementation only allows
> callbacks to be registered for process and thread object types
> (PsProcessType and PsThreadType). Fortunately, this limitation can be
> overcome by dynamically altering a flag associated with each object type
> which enables the use of ObRegisterCallbacks. Once registered, each
> callback is then able to log information about the context that uses a
> given object such as the calling process context, active security
> tokens, assigned security descriptor, granted access rights, call stack,
> and object name information.”
>
> I’ve looked through the individual object types structures and haven’t
> found this flag or any other mention of it but ObRegisterCallbacks seems
> to be largely under-discussed anyway.
So this uses a new flag in the object type initializer structure. While the
object manager structures were unchanged for many years, they are now
changing with about every new OS or SP release. So this technique is
definitely not recommended for a production driver and may even violate
patchguard, putting malware authors at an advantage.
//Daniel
“Cay Bremer” wrote in message news:xxxxx@ntdev…
> Hello,
>
> here’s the associated sample code:
> http://hick.org/~mmiller/presentations/woot08/code.zip
>
>
> - Cay
>
>
> On Mon, 10 Aug 2009 02:11:45 +0200, wrote:
>> The article I’m referring to is:
>> http://www.usenix.org/event/woot08/tech/full_papers/miller/miller_html/
>>
>> “This feature provides a new API, ObRegisterCallbacks, which allows
>> device drivers to register a callback that is notified when handles to
>> objects of a given type are created or duplicated. While this API would
>> appear to be the perfect choice, the default implementation only allows
>> callbacks to be registered for process and thread object types
>> (PsProcessType and PsThreadType). Fortunately, this limitation can be
>> overcome by dynamically altering a flag associated with each object type
>> which enables the use of ObRegisterCallbacks. Once registered, each
>> callback is then able to log information about the context that uses a
>> given object such as the calling process context, active security
>> tokens, assigned security descriptor, granted access rights, call stack,
>> and object name information.”
>>
>> I’ve looked through the individual object types structures and haven’t
>> found this flag or any other mention of it but ObRegisterCallbacks seems
>> to be largely under-discussed anyway.
>
Thank you very much for the replies and Cay for the link. I feared this would be the type of solution required - unfortunately the hacks in here fall miles past my threshold for stability.
Hopefully the next NT Insider will shed some light on a more elegant approach, if it's possible.