Fernando,
In one of my initial messages I mentioned NtProtectVirtualMemory, have you
used this technique before? Do you see any significant performance hit? Or
for that matter, does anyone else foresee problems using this technique?
I really want to say thanks to everyone so far for the help, ideas, and
input that have been supplied already. I appreciated all the feedback.
Matt
----- Original Message -----
From: “Fernando Roberto”
To: “Windows System Software Devs Interest List”
Sent: Thursday, August 25, 2005 8:09 AM
Subject: RES: Re[2]: [ntdev] How To Protect Against “Process Inject”
Matt,
You can hook NtProtectVirtualMemory, NtWriteProcessMemory and
NtQueryVirtualMemory to track addresses and filter writes to specific
addresses, or filter writes that come from a different process. It
isn’t a complete filter, but it filters most of the code injections made in
user mode.
Regards,
Fernando Roberto da Silva.
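An added example, not code from the thread or from any of its participants: a plain C simulation of the decision logic a kernel hook on NtWriteProcessMemory and NtProtectVirtualMemory would apply, following Fernando’s suggestion above (track executable ranges per process, refuse cross-process writes into them) and folding in Dan’s point below that the creating process legitimately writes into its child with these same native calls. Nothing here installs a hook; `track_process`, `mark_started`, `on_protect`, `filter_write`, and the pids and addresses are constructed for the simulation.

```c
/* Simulation of an anti-injection memory-write filter (added example, not
 * from the ntdev thread). All state is user-mode test data; no hooks. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MAX_PROCS   8
#define MAX_REGIONS 8

/* A range recorded when the NtProtectVirtualMemory hook saw it become executable. */
typedef struct { uintptr_t base; size_t size; } region_t;

typedef struct {
    uint32_t pid;
    uint32_t parent_pid;
    bool     started;        /* false while the creator is still setting up the image */
    size_t   nregions;
    region_t regions[MAX_REGIONS];
} proc_t;

static proc_t g_procs[MAX_PROCS];
static size_t g_nprocs;
static unsigned g_denied;    /* count of refused writes, useful as a detection signal */

void reset_tracking(void) { memset(g_procs, 0, sizeof g_procs); g_nprocs = 0; g_denied = 0; }

static proc_t *find_proc(uint32_t pid) {
    for (size_t i = 0; i < g_nprocs; i++)
        if (g_procs[i].pid == pid) return &g_procs[i];
    return NULL;
}

/* Hypothetical process-creation callback: start tracking a new process. */
bool track_process(uint32_t pid, uint32_t parent_pid) {
    if (g_nprocs == MAX_PROCS || find_proc(pid)) return false;
    proc_t *p = &g_procs[g_nprocs++];
    memset(p, 0, sizeof *p);
    p->pid = pid;
    p->parent_pid = parent_pid;
    return true;
}

/* First thread of the process has run: the creator loses its exemption. */
void mark_started(uint32_t pid) { proc_t *p = find_proc(pid); if (p) p->started = true; }

/* NtProtectVirtualMemory side: remember ranges that were made executable. */
bool on_protect(uint32_t pid, uintptr_t base, size_t size, bool executable) {
    proc_t *p = find_proc(pid);
    if (!p || !executable || p->nregions == MAX_REGIONS) return false;
    p->regions[p->nregions++] = (region_t){ base, size };
    return true;
}

static bool overlaps(const region_t *r, uintptr_t addr, size_t len) {
    return addr < r->base + r->size && r->base < addr + len;
}

typedef enum { WRITE_ALLOW = 0, WRITE_DENY = 1 } verdict_t;

/* NtWriteProcessMemory side: may caller write [addr, addr+len) into target? */
verdict_t filter_write(uint32_t caller_pid, uint32_t target_pid, uintptr_t addr, size_t len) {
    if (caller_pid == target_pid) return WRITE_ALLOW;   /* in-process writes are not injection */
    proc_t *t = find_proc(target_pid);
    if (!t) return WRITE_ALLOW;                        /* not a process we protect */
    /* Dan's caveat: the creator writes into the child's image before it runs. */
    if (!t->started && caller_pid == t->parent_pid) return WRITE_ALLOW;
    for (size_t i = 0; i < t->nregions; i++)
        if (overlaps(&t->regions[i], addr, len)) { g_denied++; return WRITE_DENY; }
    return WRITE_ALLOW;
}

unsigned denied_count(void) { return g_denied; }

int main(void) {
    reset_tracking();
    track_process(100, 1);        /* constructed: pid 100 is the parent */
    track_process(200, 100);      /* constructed: pid 200 is being created by 100 */
    printf("parent writes during creation: %s\n",
           filter_write(100, 200, 0x1000, 16) == WRITE_ALLOW ? "allow" : "deny");
    mark_started(200);
    on_protect(200, 0x401000, 0x1000, true);
    printf("stranger writes into code: %s\n",
           filter_write(300, 200, 0x401800, 32) == WRITE_DENY ? "deny" : "allow");
    printf("denied so far: %u\n", denied_count());
    return 0;
}
```

The exemption for the creating process is keyed on "first thread started", which is the kind of state a real driver would get from the process and thread notify callbacks; the thread does not say which callback Fernando used, so that mapping is an assumption of this example.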
-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On behalf of Matt Martin
Sent: Thursday, August 25, 2005 09:53
To: Windows System Software Devs Interest List
Subject: Re: Re[2]: [ntdev] How To Protect Against “Process Inject”
How about this,
I know file system filters are very possible, what about memory filters?
Could a filter driver be created to filter memory allocs? Perhaps filter
memory allocs for known processes or libraries? I’ve been searching through
the DDK, and I don’t see anything that could ‘shim’ into the memory
manager.
Am I missing something, is there an undocumented method, or is it simply
not possible?
Basically, is there any way to filter memory writes, any way to hook a
particular address range via kernel mode?
Thanks,
Matt
----- Original Message -----
From: “Dan Partelly”
To: “Windows System Software Devs Interest List”
Sent: Thursday, August 25, 2005 6:54 AM
Subject: Re: Re[2]: [ntdev] How To Protect Against “Process Inject”
> CreateRemoteThread and WriteProcessMemory are most used APIs for this
> indeed.
> But keep in mind that during a process creation phase both those APIs (at
> native level) are used to create a new process.
>
>
> Dan
>
> ----- Original Message -----
> From: “Matt Martin”
> To: “Windows System Software Devs Interest List”
> Sent: Thursday, August 25, 2005 2:02 PM
> Subject: Re: Re[2]: [ntdev] How To Protect Against “Process Inject”
>
>
>> Thanks Ivona,
>>
>> I’m sure as everyone can tell, I know very little about this subject.
>> Being self-taught, there are gaping holes in my knowledge. I appreciate
>> your feedback, once I get a handle on this I’m sure I’ll be able to run
>> with it in multiple directions…
>>
>> Thanks,
>>
>> Matt
>> ----- Original Message -----
>> From: “ivona prenosilova”
>> To: “Windows System Software Devs Interest List”
>> Sent: Thursday, August 25, 2005 5:44 AM
>> Subject: Re[2]: [ntdev] How To Protect Against “Process Inject”
>>
>>
>>> Hello Matt,
>>>
>>> MM> I believe you when you say there are many ways to inject code. I’m looking
>>> MM> to block the most common approaches (from what I can see, CreateRemoteThread
>>> MM> and WriteProcessMemory seem to be the most common, could be wrong though).
>>> well, the start of this all is (Nt)OpenProcess. anyway, from what I
>>> see, you should probably RTM, get decent books on windows internals,
>>> do some reverse engineering on the functions you’re dealing with, get
>>> some tutorials from the other side (like VX tutorials, vx.netlux.org)
>>> - if you want to know more about the injecting that is used in current
>>> malware - and after you do all of this, you’ll probably after all get
>>> what Dan said.
>>>
>>> MM> Would VDDInstallMemoryHook in a Virtual driver work in any way?
>>> eh, no way, this is not what you’re looking for … that is NTVDM, not
>>> native subsystem.
>>>
>>> –
>>> Best regards,
>>> Ivona Prenosilova
>>>
>>>
>>> —
>>> Questions? First check the Kernel Driver FAQ at
>>> http://www.osronline.com/article.cfm?id=256
>>>
>>> You are currently subscribed to ntdev as: xxxxx@comcast.net
>>> To unsubscribe send a blank email to xxxxx@lists.osr.com