Re[2]: NtCreateSection() - relation between parent and child process

> But for example, I want to collect timing statistics of a live system: I
> turn on TrueTime, it hooks the world and a half, yet things go on. I want to
> check coverage on a live system, so, I turn on TrueCoverage, it hooks just
> about everything under the sun, things go on normally. I want to profile
> memory allocation and deallocation patterns, so, I hook the memory
> alloc/dealloc functions and collect data for future data reduction. I want
> to perform a live measurement of my OpenGL or Direct3D frame rate, so I hook
> SwapBuffers and I compute the frame rate inside that hook, and I then access
> physical video memory to optionally superimpose a frame rate gauge to the
> current screen. I want to measure how many times I call glBegin/glEnd, and I
> want to split the number of calls according to which polygon I’m drawing. I
> want to time a bitblt according to which ROP it invokes. I want to trap that
> elusive problem that happens every night around 3 in the morning, so, I turn
> on BoundsChecker on the live system, and bingo, I get my event recorded and
> data I can analyze, and, if that hook generates an Int 3, I can write my own
> Int 3 driver - hook Int 3, that is - and grab information on the fly.

These are all examples of system diagnostic tools where I think most
people would agree that hooking makes complete sense. It begs the
question though of whether or not a general purpose driver can engage
in hooking safely. If every general purpose driver starts hooking who
knows what, how do you deal with a plug and play world and drivers that
are being loaded and unloaded without any knowledge of each other?

Rob
xxxxx@telusplanet.net

Yeah, but how do you answer the question of multiple hooks, and unload
order?

It would be nice if NT had a system call for… hooking system calls.
People ARE going to do it, it would be nice if this were supported in a
consistent fashion.

– arlie

-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of Moreira, Alberto
Sent: Tuesday, January 27, 2004 11:39 AM
To: Windows System Software Devs Interest List
Subject: RE: [ntdev] NtCreateSection() - relation between parent and
child process

We extensively hooked the GDI when I was at Number Nine, and we never
had any stability issues.

But for example, I want to collect timing statistics of a live system: I
turn on TrueTime, it hooks the world and a half, yet things go on. I
want to check coverage on a live system, so, I turn on TrueCoverage, it
hooks just about everything under the sun, things go on normally. I want
to profile memory allocation and deallocation patterns, so, I hook the
memory alloc/dealloc functions and collect data for future data
reduction. I want to perform a live measurement of my OpenGL or Direct3D
frame rate, so I hook SwapBuffers and I compute the frame rate inside
that hook, and I then access physical video memory to optionally
superimpose a frame rate gauge to the current screen. I want to measure
how many times I call glBegin/glEnd, and I want to split the number of
calls according to which polygon I’m drawing. I want to time a bitblt
according to which ROP it invokes. I want to trap that elusive problem
that happens every night around 3 in the morning, so, I turn on
BoundsChecker on the live system, and bingo, I get my event recorded and
data I can analyze, and, if that hook generates an Int 3, I can write my
own Int 3 driver - hook Int 3, that is - and grab information on the
fly.

And so on, there’s more to hooking than single-stepping through a
debugger.

Alberto.

-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com]On Behalf Of
xxxxx@3Dlabs.com
Sent: Tuesday, January 27, 2004 11:17 AM
To: Windows System Software Devs Interest List
Subject: RE: [ntdev] NtCreateSection() - relation between parent and
child process

Ok, so I understand fully that a debugger must do these things (or at
least, if you want a complete debugging tool, e.g., SoftICE, you must do
this, unless you can convince MS to have an undocumented (or documented)
way of officially “hooking” system calls).

I just wonder how you deal with competing “hookers” (no pun intended)
that may have got there before you, and potentially get unloaded at
a later stage, which means that your “old hook” pointer is now pointing
into dead space in memory? Obviously, I can understand that the answer
is a “company secret”, and if it is, can you just explain as much as
possible about it, without revealing the “secret” bits?

I’m just curious, rather than having any specific use for this. In fact,
I haven’t “hooked” anything since I left off the Atari ST that used to
be my home-computer many years ago. At that time, hooking into the OS
was just about the only way to do things if you didn’t have “public”
support for it.


Mats

-----Original Message-----
From: Moreira, Alberto [mailto:xxxxx@compuware.com]
Sent: Tuesday, January 27, 2004 4:06 PM
To: Windows System Software Devs Interest List
Subject: RE: [ntdev] NtCreateSection() - relation between parent and
child process

We hook all sorts of things all the time, and we don’t have any problems.
And our software is very much commercial grade, and no, it isn’t a piece of
shit!

Point being: do the job right, and hooking is invisible.

Alberto.

-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com]On Behalf Of Don Burn
Sent: Monday, January 26, 2004 9:49 AM
To: Windows System Software Devs Interest List
Subject: Re: [ntdev] NtCreateSection() - relation between parent and
child process

The whole concept of hooking is a BAD IDEA. Hopefully this is for a driver
for your testing only; commercial software with this is a PIECE OF SHIT.

Don Burn (MVP, Windows DDK)
Windows 2k/XP/2k3 Filesystem and Driver Consulting

----- Original Message -----
From:
> To: “Windows System Software Devs Interest List”
> Sent: Monday, January 26, 2004 9:46 AM
> Subject: [ntdev] NtCreateSection() - relation between parent and child
> process
>
>
> > Hi again,
> >
> > Another question came to my mind.
> >
> > I hooked NtCreateSection() (as was suggested by the guys from
> > www.sysinternals.com back in 1997) right below the frontier from user
> > mode to kernel mode (changed the SDT entry). Since currently my driver
> > produces some debug output, I see a query of the section for the child
> > process each second or so and obviously coming from the parent process.
> > How is that? What does it mean?
> >
> > Could it be that this is how the parent determines whether the child
> > process is still active (one of the infamous Wait* functions maybe?!).
> >
> > Does anyone have some details on that?
> >
> > Oliver
> >
> > —
> > Questions? First check the Kernel Driver FAQ at
> > http://www.osronline.com/article.cfm?id=256
> >
> > You are currently subscribed to ntdev as: xxxxx@acm.org
> > To unsubscribe send a blank email to xxxxx@lists.osr.com
>
> The contents of this e-mail are intended for the named addressee only. It
> contains information that may be confidential. Unless you are the named
> addressee or an authorized designee, you may not copy or use it, or disclose
> it to anyone else. If you received it in error please notify us immediately
> and then destroy it.

Believe me, there are ways, yet unfortunately I cannot go into details. Hey,
that’s how we make our living, no ? But think, code is code. A hook is code
too, so, all you’re doing is intercept whatever code’s in there - doesn’t
matter whose - do your act, preserve everything, and pass control to whoever
was already there.

Alberto.

-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com]On Behalf Of Arlie Davis
Sent: Tuesday, January 27, 2004 1:03 PM
To: Windows System Software Devs Interest List
Subject: RE: [ntdev] NtCreateSection() - relation between parent and
child process

Yeah, but how do you answer the question of multiple hooks, and unload
order?

It would be nice if NT had a system call for… hooking system calls.
People ARE going to do it, it would be nice if this were supported in a
consistent fashion.

– arlie

And I hook int 3 to disable debugging (for some very sensitive customer,
name withheld intentionally).
And I hook clipboard copying, so the info does not get spoofed and out…
And I hook to make it hard for a worm (a person or any creature) to install
any kernel mode spoofs.
And I hook to make a folder practically untouchable.
And I hook to make even admin privileges not allowed to muck around with the
Windows file protection.
And I hook to make fairly fast stepping into and out of NDIS and/or AFD.

And I hook GDI so that some Windows IPC cannot kill me…

In the end, use a randomizer; even disassembly would not give much of a
deterministic code path…

Destabilized the system? Sure it did, but once most of the known bugs were
fixed, 20+ million might be having sound sleep at night.

-prokash

-----Original Message-----
From: Moreira, Alberto [mailto:xxxxx@compuware.com]
Sent: Tuesday, January 27, 2004 8:39 AM
To: Windows System Software Devs Interest List
Subject: RE: [ntdev] NtCreateSection() - relation between parent and child
process

We extensively hooked the GDI when I was at Number Nine, and we never had
any stability issues.

But for example, I want to collect timing statistics of a live system: I
turn on TrueTime, it hooks the world and a half, yet things go on. I want to
check coverage on a live system, so, I turn on TrueCoverage, it hooks just
about everything under the sun, things go on normally. I want to profile
memory allocation and deallocation patterns, so, I hook the memory
alloc/dealloc functions and collect data for future data reduction. I want
to perform a live measurement of my OpenGL or Direct3D frame rate, so I hook
SwapBuffers and I compute the frame rate inside that hook, and I then access
physical video memory to optionally superimpose a frame rate gauge to the
current screen. I want to measure how many times I call glBegin/glEnd, and I
want to split the number of calls according to which polygon I’m drawing. I
want to time a bitblt according to which ROP it invokes. I want to trap that
elusive problem that happens every night around 3 in the morning, so, I turn
on BoundsChecker on the live system, and bingo, I get my event recorded and
data I can analyze, and, if that hook generates an Int 3, I can write my own
Int 3 driver - hook Int 3, that is - and grab information on the fly.

And so on, there’s more to hooking than single-stepping through a debugger.

Alberto.

Certainly hooking is to be discouraged when alternatives are available.

However, I think that the documented and “recommended” techniques of
“layered device drivers”, “layered service providers” and “filter drivers”
are equally vulnerable to misuse and instability. The third party who
inserts any kind of filter really needs to have perfect visibility into
components above and below. The needed visibility is often not available
for proprietary reasons or lack of documentation.

Thomas F. Divine
www.pcausa.com

wrote in message news:xxxxx@ntdev…
> Ok, so I understand fully that a debugger must do these things (or at
> least, if you want a complete debugging tool, e.g., SoftICE, you must do
> this, unless you can convince MS to have an undocumented (or documented)
> way of officially “hooking” system calls).
>
> I just wonder how you deal with competing “hookers” (no pun intended)
> that may have got there before you, and potentially get unloaded at a
> later stage, which means that your “old hook” pointer is now pointing
> into dead space in memory? Obviously, I can understand that the answer
> is a “company secret”, and if it is, can you just explain as much as
> possible about it, without revealing the “secret” bits?
>
> I’m just curious, rather than having any specific use for this. In fact,
> I haven’t “hooked” anything since I left off the Atari ST that used to
> be my home-computer many years ago. At that time, hooking into the OS
> was just about the only way to do things if you didn’t have “public”
> support for it.
>
> –
> Mats
>

Well, what about the most obvious solution: Don’t unload.

Instead of unhooking, you just set some flag. The first thing that the
hook function does when it’s called is check for that flag. If it
isn’t set, it does whatever it was designed to do. When it’s set, it
just calls the hooked code, not doing anything else.

Not a ‘beautiful’ solution, but probably a safe one. Not unloading the
driver costs some memory, of course, but on most end-user systems
nowadays those few bytes shouldn’t matter. At least not as much as a BSOD.

Rolf Schaeuble
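The unload-order hazard Mats and Arlie raised, and Rolf's "set a flag instead of unloading" answer to it, can be seen in a small user-mode simulation. The following is an added example, not code from any poster or product in this thread: a single function-pointer slot stands in for the dispatch-table entry that the hooks patch, two hooks chain through it in install order, and the two unload strategies are compared side by side. The slot, the hook names and the "+1" original handler are all constructed for the illustration; nothing here touches a real kernel table.

```c
#include <stdbool.h>
#include <stdio.h>

typedef int (*handler_t)(int);

/* One dispatch slot standing in for the table entry both hooks patch
 * (constructed for this example). */
static handler_t g_slot;

/* The "real" handler that sat in the slot before anyone hooked it. */
static int original_handler(int x) { return x + 1; }

/* Hook A: installed first, so its saved pointer is the original handler. */
static handler_t a_previous;
static bool      a_disabled;   /* Rolf's flag: set this instead of unhooking */
static int       a_calls;

static int hook_a(int x)
{
    if (a_disabled)            /* first thing: when "unloaded", be a pure pass-through */
        return a_previous(x);
    a_calls++;                 /* the hook's real work goes here */
    return a_previous(x);      /* preserve everything, hand control to whoever was there */
}

/* Hook B: installed second, so its saved pointer is hook_a, not the original. */
static handler_t b_previous;
static int       b_calls;

static int hook_b(int x)
{
    b_calls++;
    return b_previous(x);
}

static void install_both(void)
{
    g_slot = original_handler;
    a_previous = g_slot; g_slot = hook_a;   /* A patches the slot */
    b_previous = g_slot; g_slot = hook_b;   /* B patches over A */
    a_disabled = false;
    a_calls = b_calls = 0;
}

/* Strategy 1: A "unloads" the way most hooks do, by writing back what it
 * saved.  B arrived later, so the slot held hook_b, and A's write replaces it
 * with the original handler: B drops out of the chain without being told.
 * Had A's image then been unmapped, B's b_previous would still point at it,
 * i.e. into dead space.  Returns how many calls B saw after the unload. */
static int b_calls_after_unhook_by_restore(void)
{
    install_both();
    g_slot = a_previous;       /* A restores "the original" over B's hook */
    g_slot(1);
    return b_calls;            /* 0: B was silently bypassed */
}

/* Strategy 2 (Rolf's suggestion): A never unloads and never touches the
 * slot.  It flips a_disabled and becomes a pass-through, so B's saved
 * pointer stays valid and the chain order is preserved. */
static int b_calls_after_unhook_by_flag(void)
{
    install_both();
    a_disabled = true;         /* A is "gone" as far as behaviour goes */
    g_slot(1);
    return b_calls;            /* 1: B still runs */
}

/* Same scenario: A really did stop doing its work ... */
static int a_calls_after_unhook_by_flag(void)
{
    install_both();
    a_disabled = true;
    g_slot(1);
    return a_calls;            /* 0 */
}

/* ... and the caller still gets exactly the original handler's result. */
static int result_after_unhook_by_flag(int x)
{
    install_both();
    a_disabled = true;
    return g_slot(x);          /* x + 1 */
}

int main(void)
{
    printf("restore-unhook: B saw %d call(s)\n", b_calls_after_unhook_by_restore());
    printf("flag-unhook:    B saw %d call(s), A did %d unit(s) of work, result %d\n",
           b_calls_after_unhook_by_flag(), a_calls_after_unhook_by_flag(),
           result_after_unhook_by_flag(41));
    return 0;
}
```

The numbers make the point of the thread: when A writes its saved pointer back it overwrites B's entry, because B installed later, so B silently disappears from the chain, and if A's code were then unmapped, B's own saved pointer would still refer to it. Flipping a flag leaves every saved pointer valid and keeps the chain order, at the cost of A's image staying resident; the flag check is the first statement in the hook so that the disabled path does nothing but pass control on.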

Arlie Davis wrote:

Yeah, but how do you answer the question of multiple hooks, and unload
order?

It would be nice if NT had a system call for… hooking system calls.
People ARE going to do it, it would be nice if this were supported in a
consistent fashion.

– arlie

-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of Moreira, Alberto
Sent: Tuesday, January 27, 2004 11:39 AM
To: Windows System Software Devs Interest List
Subject: RE: [ntdev] NtCreateSection() - relation between parent and
child process

We extensively hooked the GDI when I was at Number Nine, and we never
had any stability issues.

But for example, I want to collect timing statistics of a live system: I
turn on TrueTime, it hooks the world and a half, yet things go on. I
want to check coverage on a live system, so, I turn on TrueCoverage, it
hooks just about everything under the sun, things go on normally. I want
to profile memory allocation and deallocation patterns, so, I hook the
memory alloc/dealloc functions and collect data for future data
reduction. I want to perform a live measurement of my OpenGL or Direct3D
frame rate, so I hook SwapBuffers and I compute the frame rate inside
that hook, and I then access physical video memory to optionally
superimpose a frame rate gauge to the current screen. I want to measure
how many times I call glBegin/glEnd, and I want to split the number of
calls according to which polygon I’m drawing. I want to time a bitblt
according to which ROP it invokes. I want to trap that elusive problem
that happens every night around 3 in the morning, so, I turn on
BoundsChecker on the live system, and bingo, I get my event recorded and
data I can analyze, and, if that hook generates an Int 3, I can write my
own Int 3 driver - hook Int 3, that is - and grab information on the
fly.

And so on, there’s more to hooking than single-stepping through a
debugger.

Alberto.

-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com]On Behalf Of
xxxxx@3Dlabs.com
Sent: Tuesday, January 27, 2004 11:17 AM
To: Windows System Software Devs Interest List
Subject: RE: [ntdev] NtCreateSection() - relation between parent and
child process

Ok, so I understand fully that a debugger must do these things (or at
least, if you want a complete debugging tool, e.g., SoftICE, you must do
this, unless you can convince MS to have an undocumented (or documented)
way of officially “hooking” system calls).

I just wonder how you deal with competing “hookers” (no pun intended)
that may have got there before you, and potentially get unloaded at
a later stage, which means that your “old hook” pointer is now pointing
into dead space in memory? Obviously, I can understand that the answer
is a “company secret”, and if it is, can you just explain as much as
possible about it, without revealing the “secret” bits?

I’m just curious, rather than having any specific use for this. In fact,
I haven’t “hooked” anything since I left off the Atari ST that used to
be my home-computer many years ago. At that time, hooking into the OS
was just about the only way to do things if you didn’t have a “public”
support for it.


Mats

>-----Original Message-----
>From: Moreira, Alberto [mailto:xxxxx@compuware.com]
>Sent: Tuesday, January 27, 2004 4:06 PM
>To: Windows System Software Devs Interest List
>Subject: RE: [ntdev] NtCreateSection() - relation between parent and
>child process
>
>
>We hook all sorts of things all the time, and we don’t have
>any problems.
>And our software is very much commercial grade, and no, it
>isn’t a piece of
>shit !
>
>Point being: do the job right, and hooking is invisible.
>
>
>Alberto.
>
>
>-----Original Message-----
>From: xxxxx@lists.osr.com
>[mailto:xxxxx@lists.osr.com]On Behalf Of Don Burn
>Sent: Monday, January 26, 2004 9:49 AM
>To: Windows System Software Devs Interest List
>Subject: Re: [ntdev] NtCreateSection() - relation between parent and
>child process
>
>
>The whole concept of hooking is a BAD IDEA. Hopefully this
>is for a driver for your testing only, commercial software with this is a
>PIECE OF SHIT.
>
>Don Burn (MVP, Windows DDK)
>Windows 2k/XP/2k3 Filesystem and Driver Consulting
>
>----- Original Message -----
>From:
>>To: “Windows System Software Devs Interest List”
>>Sent: Monday, January 26, 2004 9:46 AM
>>Subject: [ntdev] NtCreateSection() - relation between parent and child
>>process
>>
>>
>>
>>>Hi again,
>>>
>>>Another question came to my mind.
>>>
>>>I hooked NtCreateSection() (as was suggested by the guys from
>>>www.sysinternals.com back in 1997) right below the frontier from user mode
>>>to kernel mode (changed the SDT entry). Since currently my driver produces
>>>some debug output, I see a query of the section for the child process each
>>>second or so and obviously coming from the parent process. How is that? What
>>>does it mean?
>>>
>>>Could it be that this is how the parent determines whether the child
>>>process is still active (one of the infamous Wait* functions maybe?!).
>>>
>>>Does anyone have some details on that?
>>>
>>>Oliver
>>>
>>>
>>>—
>>>Questions? First check the Kernel Driver FAQ at
>>
>>http://www.osronline.com/article.cfm?id=256
>>
>>>You are currently subscribed to ntdev as: xxxxx@acm.org
>>>To unsubscribe send a blank email to
>>
>>xxxxx@lists.osr.com
>>
>>The contents of this e-mail are intended for the named
>>addressee only. It
>>contains information that may be confidential. Unless you are
>>the named
>>addressee or an authorized designee, you may not copy or use
>>it, or disclose
>>it to anyone else. If you received it in error please notify
>>us immediately
>>and then destroy it.

> It would be nice if NT had a system call for… hooking system calls.
> People ARE going to do it, it would be nice if this were supported in a
> consistent fashion.

The main purpose with which it is done is a) determining the process EXE name
b) making some restriction decisions based on it, up to failing
NtCreateProcess.

With current “load image” and “process creation” notify routines, the things
are easier, but “load image” notifier is absent in NT4, so, NT4+ products must
do hackery.

Also it is a shame that PsLookupProcessByProcessId is undocumented. It just
MUST be called in some scenarios from inside the “process creation” callback.

Maxim Shatskih, Windows DDK MVP
StorageCraft Corporation
xxxxx@storagecraft.com
http://www.storagecraft.com

Yeah, right. Sounds like a total hand-wave to me.

The only solution to the problem is not to solve it – to make the
driver not unloadable.

– arlie

-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of Moreira, Alberto
Sent: Tuesday, January 27, 2004 1:11 PM
To: Windows System Software Devs Interest List
Subject: RE: [ntdev] NtCreateSection() - relation between parent and
child process

Believe me, there are ways, yet unfortunately I cannot go into details.
Hey, that’s how we make our living, no ? But think, code is code. A hook
is code too, so, all you’re doing is intercepting whatever code’s in there
- doesn’t matter whose - do your act, preserve everything, and pass
control to whoever was already there.

Alberto.

-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com]On Behalf Of Arlie Davis
Sent: Tuesday, January 27, 2004 1:03 PM
To: Windows System Software Devs Interest List
Subject: RE: [ntdev] NtCreateSection() - relation between parent and
child process

Yeah, but how do you answer the question of multiple hooks, and unload
order?

It would be nice if NT had a system call for… hooking system calls.
People ARE going to do it, it would be nice if this were supported in a
consistent fashion.

– arlie

-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of Moreira, Alberto
Sent: Tuesday, January 27, 2004 11:39 AM
To: Windows System Software Devs Interest List
Subject: RE: [ntdev] NtCreateSection() - relation between parent and
child process

We extensively hooked the GDI when I was at Number Nine, and we never
had any stability issues.

But for example, I want to collect timing statistics of a live system: I
turn on TrueTime, it hooks the world and a half, yet things go on. I
want to check coverage on a live system, so, I turn on TrueCoverage, it
hooks just about everything under the sun, things go on normally. I want
to profile memory allocation and deallocation patterns, so, I hook the
memory alloc/dealloc functions and collect data for future data
reduction. I want to perform a live measurement of my OpenGL or Direct3D
frame rate, so I hook SwapBuffers and I compute the frame rate inside
that hook, and I then access physical video memory to optionally
superimpose a frame rate gauge to the current screen. I want to measure
how many times I call glBegin/glEnd, and I want to split the number of
calls according to which polygon I’m drawing. I want to time a bitblt
according to which ROP it invokes. I want to trap that elusive problem
that happens every night around 3 in the morning, so, I turn on
BoundsChecker on the live system, and bingo, I get my event recorded and
data I can analyze, and, if that hook generates an Int 3, I can write my
own Int 3 driver - hook Int 3, that is - and grab information on the
fly.

And so on, there’s more to hooking than single-stepping through a
debugger.

Alberto.

-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com]On Behalf Of
xxxxx@3Dlabs.com
Sent: Tuesday, January 27, 2004 11:17 AM
To: Windows System Software Devs Interest List
Subject: RE: [ntdev] NtCreateSection() - relation between parent and
child process

Ok, so I understand fully that a debugger must do these things (or at
least, if you want a complete debugging tool, e.g., SoftICE, you must do
this, unless you can convince MS to have an undocumented (or documented)
way of officially “hooking” system calls).

I just wonder how you deal with competing “hookers” (no pun intended)
that may have got there before you, and potentially get unloaded at
a later stage, which means that your “old hook” pointer is now pointing
into dead space in memory? Obviously, I can understand that the answer
is a “company secret”, and if it is, can you just explain as much as
possible about it, without revealing the “secret” bits?

I’m just curious, rather than having any specific use for this. In fact,
I haven’t “hooked” anything since I left off the Atari ST that used to
be my home-computer many years ago. At that time, hooking into the OS
was just about the only way to do things if you didn’t have a “public”
support for it.


Mats

-----Original Message-----
From: Moreira, Alberto [mailto:xxxxx@compuware.com]
Sent: Tuesday, January 27, 2004 4:06 PM
To: Windows System Software Devs Interest List
Subject: RE: [ntdev] NtCreateSection() - relation between parent and
child process

We hook all sorts of things all the time, and we don’t have any
problems. And our software is very much commercial grade, and no, it
isn’t a piece of shit !

Point being: do the job right, and hooking is invisible.

Alberto.

-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com]On Behalf Of Don Burn
Sent: Monday, January 26, 2004 9:49 AM
To: Windows System Software Devs Interest List
Subject: Re: [ntdev] NtCreateSection() - relation between parent and
child process

The whole concept of hooking is a BAD IDEA. Hopefully this is for a
driver for your testing only, commercial software with this is a
PIECE OF SHIT.

Don Burn (MVP, Windows DDK)
Windows 2k/XP/2k3 Filesystem and Driver Consulting

----- Original Message -----
From:
> To: “Windows System Software Devs Interest List”
> Sent: Monday, January 26, 2004 9:46 AM
> Subject: [ntdev] NtCreateSection() - relation between parent and child
> process
>
>
> > Hi again,
> >
> > Another question came to my mind.
> >
> > I hooked NtCreateSection() (as was suggested by the guys from
> > www.sysinternals.com back in 1997) right below the frontier from user mode
> > to kernel mode (changed the SDT entry). Since currently my driver produces
> > some debug output, I see a query of the section for the child process each
> > second or so and obviously coming from the parent process. How is that? What
> > does it mean?
> >
> > Could it be that this is how the parent determines whether the child
> > process is still active (one of the infamous Wait* functions maybe?!).
> >
> > Does anyone have some details on that?
> >
> > Oliver
> >

Don’t want to be lame. But could you explain to me how? Or point to those
“nice” examples.

-htfv

wrote in message news:xxxxx@ntdev…
> Aha,
>
> so it only gets invoked when NtCreateProcess() (the system service) is
> used?! That’s bad. There are nice examples on how to create a process
> without this system service.
>
> Thanks for the information.
>
> @Don: Seems I have to fall back to the Hooking method. Although it’s not
> nice I am sure it will work since I am the admin on the machines where it
> is to be used :wink:
>
> Oliver
>
> > No. It is invoked from MmCreateProcessAddressSpace when EXE is mapped
> > to the process, this is inside NtCreateProcess.
> >
> > Maxim Shatskih, Windows DDK MVP
> > StorageCraft Corporation
> > xxxxx@storagecraft.com
> > http://www.storagecraft.com
> >
> >
> > ----- Original Message -----
> > From: “Oliver Schneider”
> > To: “Windows System Software Devs Interest List”
> > Sent: Monday, January 26, 2004 7:05 PM
> > Subject: Re: [ntdev] NtCreateSection() - relation between parent and
child
> > process
> >
> >
> > > Wait,
> > >
> > > I was aware of this function PsSetLoadImageNotifyRoutine() but it is
> > > invoked somewhen AFTER the process runs, or not? This is how I understood it.
> > > The alternative sounds much better indeed. Will try it out.
> > >
> > > Thanks for the help,
> > >
> > > Oliver
> > >
> > > > Fine use PsSetLoadImageNotifyRoutine, this will do exactly what you
> > > > are trying to with hooking NtCreateSection and it is documented. While
> > > > it is not documented, if you terminate the calling thread of this routine,
> > > > you terminate the process cleanly. As far as user account, you are going
> > > > to have to have a user piece if you want anything more than the SID.
> > >
> > >
>
>

Hi Arlie,

> The only solution to the problem is not to solve it – to make the
> driver not unloadable.

Well, I think that there are two fundamental problems with a hook’s operation:

  1. being able to hook early enough
  2. pointing to an address that will become invalid after your driver has been
    unloaded

There are solutions for both problems:

  1. you can make sure that your driver is loaded immediately after the hook
    target by using load order/groups/etc and patch the PE export

  2. the address you point to must always be in RAM, so, just use something in the
    same file – say slack space at the end of the code section. Add a 20 byte stub
    and point the export at it. This stub would jump to your handler.

When unloading, just patch the stub to jump to the original address. This means
that other hooks would continue to work properly, because they will continue
using your stub – they think it was the original API.

P.S. yes, this is a virus-like hack, and one should not have to resort to adding
executable code to someone’s section :slight_smile:

Best regards,

Oleg Smolsky
Software Design Authority
Allied Telesyn Research

NOTICE: This message contains privileged and confidential
information intended only for the use of the addressee
named above. If you are not the intended recipient of
this message you are hereby notified that you must not
disseminate, copy or take any action in reliance on it.
If you have received this message in error please
notify Allied Telesyn Research Ltd immediately.
Any views expressed in this message are those of the
individual sender, except where the sender has the
authority to issue and specifically states them to
be the views of Allied Telesyn Research.

Actually, you haven’t solved it, but like many others including myself at
one time you think you have and this is the problem. It doesn’t matter what
the hooking approach is, you still have the base problems.

First you state “you can make sure that your driver is loaded immediately”;
sorry, this is the classic filter fallacy that says I can get there first.
What do you do when someone else tries to get there first? One of you is
going to be wrong.

For unloading you say “just patch the stub to jump to the original address”,
how do you know that the address you got as the original was the original
(since you cannot guarantee you are first), if not and the driver that got
there first unloaded, you have a problem. Of course you probably have a
problem already, since when the first driver unloaded, they probably put the
tables back to the original state, and wiped out your hooks.

The bottom line is it can’t be done safely if you ever intend to unload.
And since you cannot trust that another driver didn’t get there first, and
then stupidly tried to unload, you can’t do it safely period.

Don Burn (MVP, Windows DDK)
Windows 2k/XP/2k3 Filesystem and Driver Consulting

From: “oleg smolsky”:

> > The only solution to the problem is not to solve it – to make the
> > driver not unloadable.
> Well, I think that there are two fundamental problems with a hook’s operation:
>
>   1. being able to hook early enough
>   2. pointing to an address that will become invalid after your driver has
>      been unloaded
>
> There are solutions for both problems:
>
>   1. you can make sure that your driver is loaded immediately after the hook
>      target by using load order/groups/etc and patch the PE export
>
>   2. the address you point to must always be in RAM, so, just use something in
>      the same file – say slack space at the end of the code section. Add a 20
>      byte stub and point the export at it. This stub would jump to your handler.
>
> When unloading, just patch the stub to jump to the original address. This
> means that other hooks would continue to work properly, because they will
> continue using your stub – they think it was the original API.
>
> P.S. yes, this is a virus-like hack, and one should not have to resort to
> adding executable code to someone’s section :slight_smile:
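The exchange between Oleg and Don above, as an added example that is not part of the thread and not code from any product named in it: a user-mode C model of one hooked service-table slot. The slot, “driver A”, “driver B” and the stub are constructed names; the stub is assumed to stay resident after A unloads, which is what Oleg’s slack-space placement is meant to achieve. The four scenarios reproduce the outcomes argued over above: a naive unload drops a later hook, the reverse unload order leaves the slot pointing at unloaded code (Mats’ pointer into dead space), the stub survives A’s own unload, and, as Don points out, the stub does nothing if a driver that got there first unloads naively.

```c
/* Added example: a user-mode model of service-table hook chains and unload
 * order. Nothing here touches a real kernel; "driver A", "driver B", the
 * stub and the one-slot table are constructed for illustration. */
#include <stdio.h>

typedef long (*service_fn)(long);

/* The genuine system service and the one table slot the drivers hook. */
static long original_service(long arg) { return arg + 1; }
static service_fn service_table[1] = { original_service };

/* Driver A: saves what it found in the slot, restores it on unload. */
static service_fn a_next;
static int a_ran, a_loaded;
static long a_hook(long arg) { a_ran++; return a_next(arg); }
static void a_load(void)   { a_next = service_table[0]; service_table[0] = a_hook; a_loaded = 1; }
static void a_unload(void) { service_table[0] = a_next; a_loaded = 0; }

/* Driver B: the same naive scheme. */
static service_fn b_next;
static int b_ran, b_loaded;
static long b_hook(long arg) { b_ran++; return b_next(arg); }
static void b_load(void)   { b_next = service_table[0]; service_table[0] = b_hook; b_loaded = 1; }
static void b_unload(void) { service_table[0] = b_next; b_loaded = 0; }

/* Oleg's variant for driver A: the slot points at a stub that is assumed to
 * stay resident after A is gone; unloading re-targets the stub, not the slot. */
static service_fn stub_target;
static long a_stub(long arg) { return stub_target(arg); }
static void a_load_via_stub(void)   { a_next = service_table[0]; stub_target = a_hook; service_table[0] = a_stub; a_loaded = 1; }
static void a_unload_via_stub(void) { stub_target = a_next; a_loaded = 0; }

static void reset(void) { service_table[0] = original_service; a_loaded = b_loaded = 0; }

/* One call through the slot; returns which hooks ran: bit 0 = A, bit 1 = B. */
static int call_and_report(void) {
    a_ran = b_ran = 0;
    (void)service_table[0](41);
    return (a_ran ? 1 : 0) | (b_ran ? 2 : 0);
}

/* Walk the chain from the slot; 1 if it reaches code of an unloaded driver
 * (in a real kernel: a call into freed driver memory). */
static int chain_is_dangling(void) {
    service_fn p = service_table[0];
    for (int depth = 0; depth < 8; depth++) {
        if (p == original_service) return 0;
        if (p == a_hook) { if (!a_loaded) return 1; p = a_next; }
        else if (p == b_hook) { if (!b_loaded) return 1; p = b_next; }
        else if (p == a_stub) p = stub_target;
        else return 1;
    }
    return 1; /* a loop is as bad as a dangling pointer */
}

/* A loads, B loads, A unloads by restoring its saved pointer.
 * Returns (hooks that ran before A's unload) << 4 | (hooks that ran after). */
int scenario_naive_unload(void) {
    reset(); a_load(); b_load();
    int before = call_and_report();            /* 3: B and A both ran */
    a_unload();
    return (before << 4) | call_and_report();  /* 0x30: B's hook silently gone */
}

/* Same, then B unloads "correctly": it restores what it saved, A's hook. */
int scenario_unload_order(void) {
    reset(); a_load(); b_load(); a_unload(); b_unload();
    return chain_is_dangling();                /* 1: slot points at unloaded A */
}

/* A hooks through the resident stub, B chains behind it, A unloads. */
int scenario_stub_unload(void) {
    reset(); a_load_via_stub(); b_load(); a_unload_via_stub();
    return (call_and_report() << 4) | chain_is_dangling(); /* 0x20: B intact */
}

/* B got there first and unloads naively: the stub does not save A. */
int scenario_stub_not_first(void) {
    reset(); b_load(); a_load_via_stub(); b_unload();
    return call_and_report();                  /* 0: A's hook is gone too */
}

int main(void) {
    printf("naive unload: 0x%02x\n", scenario_naive_unload());
    printf("unload order dangling: %d\n", scenario_unload_order());
    printf("stub unload: 0x%02x\n", scenario_stub_unload());
    printf("stub, not first: %d\n", scenario_stub_not_first());
    return 0;
}
```

The model deliberately keeps every function pointer valid so the “dangling” case is reported by `chain_is_dangling` instead of crashing; in a real kernel the same state is a jump into memory that the loader has already freed, which is the crash Don and Mats describe.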

> For unloading you say “just patch the stub to jump to the
> original address”,
> how do you know that the address you got as the original was the original
> (since you cannot guarantee you are first),

Can we make sure that we are hooking first the first time, maybe by comparing
the starting bytes in the function with the file stored on the HDD ?

Regards,
Satish K.S

The file stored on the hard disk may be relocated when it’s loaded, so it’s
not a sure thing…


Mats

-----Original Message-----
From: int3 [mailto:xxxxx@liqwidkrystal.com]
Sent: Wednesday, January 28, 2004 2:39 PM
To: Windows System Software Devs Interest List
Subject: RE: [ntdev] NtCreateSection() - relation between parent and
child process

> For unloading you say “just patch the stub to jump to the
> original address”,
> how do you know that the address you got as the original
> was the original
> (since you cannot guarantee you are first),

Can we make sure that we are hooking first the first time, maybe by
comparing the starting bytes in the function with the file stored on
the HDD ?

Regards,
Satish K.S


Even if you do validate it, you have to fail if someone else gets there
first, this is not the sign of a safe stable driver. This is why the
technique should be used in regular products, note I believe debuggers and
other items of similar nature are ok, since the user should understand that
problems can occur.

Don Burn (MVP, Windows DDK)
Windows 2k/XP/2k3 Filesystem and Driver Consulting

----- Original Message -----
From: “int3”
To: “Windows System Software Devs Interest List”
Sent: Wednesday, January 28, 2004 9:38 AM
Subject: RE: [ntdev] NtCreateSection() - relation between parent and child
process

> > For unloading you say “just patch the stub to jump to the
> > original address”,
> > how do you know that the address you got as the original was the
> > original
> > (since you cannot guarantee you are first),
>
> Can we make sure that we are hooking first the first time, maybe by comparing
> the starting bytes in the function with the file stored on the HDD ?
>
> Regards,
> Satish K.S
>

Mats wrote:

> The file stored on the hard disk may be relocated when it’s loaded, so
> it’s not a sure thing…

Isn’t relocation always continuous? AFAIK it is. That is, when I know the
base address I already know the offset I have to add to the RVA. Furthermore it’s
highly improbable that NTOSKRNL be relocated!

Don wrote:

> For unloading you say “just patch the stub to jump to the original
> address”,
> how do you know that the address you got as the original was the original
> (since you cannot guarantee you are first), if not and the driver that got
> there first unloaded, you have a problem. Of course you probably have a
> problem already, since when the first driver unloaded, they probably put
> the
> tables back to the original state, and wiped out your hooks.

Wrong, it is possible by using the above method ([a] comparing either with
the file on disk or [b] comparing the EAT entry of NTOSKRNL with the SDT entry
and checking whether the EAT entry is located inside the NTOSKRNL section in
case the EAT was patched [*]). Anyway, I agree with you that it is not the
“nice” way :wink:
So it’s possible to ensure integrity AND even to override hooks down the
hook chain.

BTW: How would you start a Win32 process from a driver? I want to show the
user that access to a certain module was denied. Using the hooking method I
can simply return the section to my own executable whenever I deny access -
using the notification approach I would have to use some other method to show
the user a message (in his own security context).

Oliver

[*] Agreed, someone could interchange the offsets of functions INSIDE the
NTOSKRNL section by modifying both EAT and SDT “consistently” … but then we
are again at this point: A driver is part of the TCB!
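Oliver’s comparison [b], as an added example that is not part of the thread and not anyone’s product code: a C routine that checks each service-table entry against the kernel image as it is actually loaded. The image layout, export RVAs and table contents are constructed values. The check assumes the service in question is one that ntoskrnl exports (NtCreateSection is; for services that are not exported, the on-disk image Satish mentions would have to supply the reference). Because RVAs are base-relative, relocation shifts every expected address by the same delta, which is Oliver’s reply to Mats.

```c
/* Added example: integrity check of service-table entries against the loaded
 * kernel image. Image layout, export RVAs and table contents are constructed
 * sample values; a real check reads them from the PE headers in memory. */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Where the kernel image ended up in memory and where its code section is. */
typedef struct {
    uintptr_t image_base;   /* actual load address, not the PE's preferred base */
    uint32_t  text_rva;     /* RVA of the code section */
    uint32_t  text_size;    /* its virtual size */
} loaded_image;

/* One service as the export table describes it: a name and an RVA. RVAs are
 * base-relative, so a relocated image shifts every address by one delta and
 * the comparison still holds. */
typedef struct { const char *name; uint32_t rva; } export_entry;

typedef enum {
    SDT_CLEAN,              /* entry == base + export RVA */
    SDT_OUTSIDE_IMAGE,      /* entry points into some other module: a hook */
    SDT_INSIDE_MISMATCH     /* inside the code section, but not where the export says */
} sdt_verdict;

/* Classify one slot: it must lie in the kernel's code section and must equal
 * the address the export table resolves to. */
sdt_verdict check_sdt_entry(const loaded_image *img, uint32_t export_rva, uintptr_t entry) {
    uintptr_t text_start = img->image_base + img->text_rva;
    uintptr_t text_end   = text_start + img->text_size;
    if (entry < text_start || entry >= text_end) return SDT_OUTSIDE_IMAGE;
    if (entry != img->image_base + export_rva)   return SDT_INSIDE_MISMATCH;
    return SDT_CLEAN;
}

/* Check every slot; returns how many are not clean and fills verdicts[]. */
size_t scan_sdt(const loaded_image *img, const export_entry *exports,
                const uintptr_t *sdt, size_t n, sdt_verdict *verdicts) {
    size_t suspicious = 0;
    for (size_t i = 0; i < n; i++) {
        verdicts[i] = check_sdt_entry(img, exports[i].rva, sdt[i]);
        if (verdicts[i] != SDT_CLEAN) suspicious++;
    }
    return suspicious;
}

/* Constructed sample: the image was relocated from a preferred base of
 * 0x80400000 to 0x804d7000, so addresses taken from the file on disk would
 * all look wrong, while RVAs do not. Slot 1 points into a driver; slot 2 into
 * the kernel's own code but not at the export (the case Oliver footnotes). */
static const loaded_image sample_image = { 0x804d7000u, 0x1000u, 0x200000u };
static const export_entry sample_exports[4] = {
    { "NtClose",         0x0a1230u },
    { "NtCreateSection", 0x0b4560u },
    { "NtOpenProcess",   0x0c7890u },
    { "NtCreateFile",    0x0d0120u },
};
static const uintptr_t sample_sdt[4] = {
    0x804d7000u + 0x0a1230u,   /* clean */
    0xf8a12000u,               /* hooked: points into some loaded driver */
    0x804d7000u + 0x1ff000u,   /* inside .text but not the export: stub or patched EAT */
    0x804d7000u + 0x0d0120u,   /* clean */
};

/* Number of suspicious slots in the sample table. */
size_t sample_suspicious_count(void) {
    sdt_verdict v[4];
    return scan_sdt(&sample_image, sample_exports, sample_sdt, 4, v);
}

/* Verdict for one sample slot. */
sdt_verdict sample_verdict(size_t i) {
    sdt_verdict v[4];
    (void)scan_sdt(&sample_image, sample_exports, sample_sdt, 4, v);
    return i < 4 ? v[i] : SDT_OUTSIDE_IMAGE;
}

int main(void) {
    for (size_t i = 0; i < 4; i++)
        printf("%-16s verdict %d\n", sample_exports[i].name, (int)sample_verdict(i));
    printf("%zu suspicious entries\n", sample_suspicious_count());
    return 0;
}
```

A slot that points into another module is the unambiguous finding. A slot inside the kernel’s own code section that does not match the export is exactly what Oleg’s resident stub and the consistently patched EAT of Oliver’s footnote [*] both produce, so the check can raise that case but cannot tell the two apart.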

Comments inline:
----- Original Message -----
From: “Oliver Schneider”
To: “Windows System Software Devs Interest List”
Sent: Wednesday, January 28, 2004 9:47 AM
Subject: RE: [ntdev] NtCreateSection() - relation between parent and child
process

> Mats wrote:
> > The file stored on the hard disk may be relocated when it’s loaded, so
> > it’s not a sure thing…
> Isn’t relocation always continuous? AFAIK it is. That is, when I know the
> base address I already know the offset I have to add to the RVA. Furthermore
> it’s highly improbable that NTOSKRNL be relocated!

> Don wrote:
> > For unloading you say “just patch the stub to jump to the original
> > address”,
> > how do you know that the address you got as the original was the
> > original
> > (since you cannot guarantee you are first), if not and the driver that
> > got there first unloaded, you have a problem. Of course you probably have a
> > problem already, since when the first driver unloaded, they probably put
> > the tables back to the original state, and wiped out your hooks.
> Wrong, it is possible by using the above method ([a] comparing either with
> the file on disk or [b] comparing the EAT entry of NTOSKRNL with the SDT
> entry and checking whether the EAT entry is located inside the NTOSKRNL
> section in case the EAT was patched [*]). Anyway, I agree with you that it
> is not the “nice” way :wink:
> So it’s possible to ensure integrity AND even to override hooks down the
> hook chain.

Only if you get there first, otherwise your product is unusable or it
trashes some other driver which can crash the system with the override, so
you still don’t have a product.

>
> BTW: How would you start a Win32 process from a driver? I want to show the
> user that access to a certain module was denied. Using the hooking method
> I can simply return the section to my own executable whenever I deny
> access - using the notification approach I would have to use some other
> method to show the user a message (in his own security context).

You can’t start a Win32 process fully from the kernel, you need a service to
do the CreateProcess for you since there are user space and kernel space
actions going on here.

Don Burn (MVP, Windows DDK)
Windows 2k/XP/2k3 Filesystem and Driver Consulting

> Only if you get there first, otherwise your product is unusable or it
> trashes some other driver which can crash the system with the override, so
> you still don’t have a product.

Why that? If it allows me to override hooks it still does not mean I’ll do
it :slight_smile: … I just have this option!
Why do I need to get there first? In case I create my own jumptable in some
gaps between section end and real code in NTOSKRNL and then modify the
section table of NTOSKRNL in memory to reflect my changes (i.e. including my
code in the size of the section) it should work.

But again, we are not on opposite sides, although it may seem like it:
if your driver drives well and behaves well it does not imply that others do
as well. It’s like traffic on the streets, the probability of a crash does
not only depend on you!
What I am saying is that the documented (Sven B. Schreiber and Prasad
Dabak, Sandeep Phadke, Milind Borate and Bryce Cogswell and Mark Russinovich)
methods are not safeguarded against any such odds. But I am (already) sure that
it (would be?! or) is possible to have a safe hooking mechanism running. But
the probability of crashing is again rising with the number of drivers which
do not take the full extent of such measures.

May the source be with you :wink:

Oliver

> BTW: How would you start a Win32 process from a driver? I want to show the
> user that access to a certain module was denied.

Very bad idea. What if the module was attempted from, say, an IIS script?

Maxim Shatskih, Windows DDK MVP
StorageCraft Corporation
xxxxx@storagecraft.com
http://www.storagecraft.com

> Very bad idea. What if the module was attempted from, say, an IIS script?

*g* I intentionally do not use IIS. Did you ever have the pleasure to check
a system with or without IIS using the MBSA?! Or with or without Office?
There are quite some reasons to not use either of these programs.

Oliver

Mats,

The file which I referred to is some .EXE stored on the HDD which will not be
modified by anyone; if somebody modifies this .EXE itself, then I can’t imagine
the type of problems which might easily occur.

Regards,
Satish K.S

-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com]On Behalf Of
xxxxx@3Dlabs.com
Sent: Wednesday, January 28, 2004 7:42 PM
To: Windows System Software Devs Interest List
Subject: RE: [ntdev] NtCreateSection() - relation between parent and
child process

The file stored on the hard disk may be relocated when it’s loaded, so it’s
not a sure thing…


Mats

> -----Original Message-----
> From: int3 [mailto:xxxxx@liqwidkrystal.com]
> Sent: Wednesday, January 28, 2004 2:39 PM
> To: Windows System Software Devs Interest List
> Subject: RE: [ntdev] NtCreateSection() - relation between parent and
> child process
>
>
> > For unloading you say “just patch the stub to jump to the
> > original address”,
> > how do you know that the address you got as the original
> > was the original
> > (since you cannot guarantee you are first),
>
> Can we make sure that we are hooking first the first time, maybe by
> comparing the starting bytes in the function with the file stored on
> the HDD ?
>
> Regards,
> Satish K.S
>