Terminate a process from kernel-mode with the help of usermode

Hi guys,
suppose we have an application (3rd party - usermode) which get a Process ID (pid) from the user and send it back to the driver (kernel-mode) for doing some stuff, at the driver part, related to the process (whether malicious or not) kernel driver might Terminate the process with ZwTerminateProcess Function.
at this point I have no problem with the kernel-driver part and the ZwTerminateProcess works fine, but don’t know how to handle the user input as a parameter to the kernel-mode driver … . I think there’s a method for communicating between kernel mode and user-mode , even I know, I should use writefile() function to write into the driver as an installed service but the problem is related to the passing user input from usermode application as PID to the kernel-mode driver .

thnx

Genius

You can do it by passing the PID in via an IOCTL call, and then use
ZwOpenProcess to get the handle to pass to ZwTerminateProcess to kill the
process. Now, you have just opened a security hole if you do not do a lot
of work since you now have a way for an unpriviledged process to kill any
process.

So before you blindly go ahead with this, you might explain to the group
what the overall model is, because this one has lots of challenges.

–
Don Burn (MVP, Windows DKD)
Windows Filesystem and Driver Consulting
Website: http://www.windrvr.com
Blog: http://msmvps.com/blogs/WinDrvr

wrote in message news:xxxxx@ntdev…
> Hi guys,
> suppose we have an application (3rd party - usermode) which get a Process
> ID (pid) from the user and send it back to the driver (kernel-mode) for
> doing some stuff, at the driver part, related to the process (whether
> malicious or not) kernel driver might Terminate the process with
> ZwTerminateProcess Function.
> at this point I have no problem with the kernel-driver part and the
> ZwTerminateProcess works fine, but don’t know how to handle the user input
> as a parameter to the kernel-mode driver … . I think there’s a method
> for communicating between kernel mode and user-mode , even I know, I
> should use writefile() function to write into the driver as an installed
> service but the problem is related to the passing user input from usermode
> application as PID to the kernel-mode driver .
>
> thnx
>
> Genius
>
>
> Information from ESET NOD32 Antivirus, version of virus
> signature database 4836 (20100204)
>
> The message was checked by ESET NOD32 Antivirus.
>
> http://www.eset.com
>
>
>

Information from ESET NOD32 Antivirus, version of virus signature database 4836 (20100204)

The message was checked by ESET NOD32 Antivirus.

http://www.eset.com

thanks Don, do you mean which driver model? ( you might explain to the group what the overall model is?)

Genius

I think he means ‘goal.’

mm

I meant the model and goal of your product.

–
Don Burn (MVP, Windows DKD)
Windows Filesystem and Driver Consulting
Website: http://www.windrvr.com
Blog: http://msmvps.com/blogs/WinDrvr
Remove StopSpam to reply

wrote in message news:xxxxx@ntdev…
> thanks Don, do you mean which driver model? ( you might explain to the
> group what the overall model is?)
>
>
> Genius
>
>
>
> Information from ESET NOD32 Antivirus, version of virus
> signature database 4836 (20100204)
>
> The message was checked by ESET NOD32 Antivirus.
>
> http://www.eset.com
>
>
>

Information from ESET NOD32 Antivirus, version of virus signature database 4836 (20100204)

The message was checked by ESET NOD32 Antivirus.

http://www.eset.com

hmm, I would like to analys some aspects of a process , analys some of it’s behaviours with some Dll Injection and hooking method (like automatic sandbox systems for analysing malicous code) .
It’s a run-time analysis system, after checking the behaviour if the process flagged as suspicious the kernel driver should terminate it with ZwTerminateProcess,
also it should be capable of Terminating the processes which user defined … (such a thing like task manager with better features - also it’s not usermode).
also I must implement the best Process Termination method, also I would like to know which is the best terminating method? is there any better kernel mode function available for terminating a process?

thnx

Genius

Terminate in user space, there is no reason to terminate it in the kernel,
if your process can do the other things, it can terminate the process.
There is no reason to be in the kernel for this, and if your user mode code
is indicating the process is malicious, then anyone who can open your driver
can indicate some process is malicious and get termination.

If you do it in the driver, at a minimum you are going to need some good
security on the open, but even that means there is a vector which bypasses
the normal system rights management and allows for killing a process which
is not a desirable thing.

–
Don Burn (MVP, Windows DKD)
Windows Filesystem and Driver Consulting
Website: http://www.windrvr.com
Blog: http://msmvps.com/blogs/WinDrvr

wrote in message news:xxxxx@ntdev…
> hmm, I would like to analys some aspects of a process , analys some of
> it’s behaviours with some Dll Injection and hooking method (like automatic
> sandbox systems for analysing malicous code) .
> It’s a run-time analysis system, after checking the behaviour if the
> process flagged as suspicious the kernel driver should terminate it with
> ZwTerminateProcess,
> also it should be capable of Terminating the processes which user defined
> … (such a thing like task manager with better features - also it’s not
> usermode).
> also I must implement the best Process Termination method, also I would
> like to know which is the best terminating method? is there any better
> kernel mode function available for terminating a process?
>
> thnx
>
> Genius
>
>
> Information from ESET NOD32 Antivirus, version of virus
> signature database 4836 (20100204)
>
> The message was checked by ESET NOD32 Antivirus.
>
> http://www.eset.com
>
>
>

Information from ESET NOD32 Antivirus, version of virus signature database 4836 (20100204)

The message was checked by ESET NOD32 Antivirus.

http://www.eset.com

If you are going to use ZwOpenProcess/ZwTerminateProcess you don’t need a
driver. OpenProcess/TerminateProcess in a service will work just as well. If
you are injecting a dll into the process you don’t need either a driver or a
service.

Bill Wandel

-----Original Message-----
From: xxxxx@lists.osr.com [mailto:xxxxx@lists.osr.com]
On Behalf Of xxxxx@yahoo.com
Sent: Thursday, February 04, 2010 8:59 PM
To: Windows System Software Devs Interest List
Subject: RE:[ntdev] Terminate a process from kernel-mode with the help of
usermode

hmm, I would like to analys some aspects of a process , analys some of it’s
behaviours with some Dll Injection and hooking method (like automatic
sandbox systems for analysing malicous code) .
It’s a run-time analysis system, after checking the behaviour if the process
flagged as suspicious the kernel driver should terminate it with
ZwTerminateProcess, also it should be capable of Terminating the processes
which user defined … (such a thing like task manager with better features

• also it’s not usermode).
  also I must implement the best Process Termination method, also I would like
  to know which is the best terminating method? is there any better kernel
  mode function available for terminating a process?

thnx

Genius

NTDEV is sponsored by OSR

For our schedule of WDF, WDM, debugging and other seminars visit:
http://www.osr.com/seminars

To unsubscribe, visit the List Server section of OSR Online at
http://www.osronline.com/page.cfm?name=ListServer

Hi,

i personally do not see any sense to terminate a process in kernel mode when there are the stubs in user mode that transist into kernel mode and call the functions. Using a approach like that (as said before) is a great security problem and not really recommended.

But one thing that everybody forget here is the fact that many of the commercial security solutions would (possibly) flag such a product as a security thread/risk, especially when it comes to calls like Nt/ZwTerminateProcess and functions acting in that space (everything that hooks something)! Am i right or wrong!

The best termination method is by far using TerminateProcess(…)/ExitProcess(…) or possibly FatalAppExit(…) (depending on the goal) from Usermode when the main application runs there as this one seems to be one of this kind.

Regards

Kerem

The user mode functions could already have been subverted, maybe that’s why
the OP wants to terminate the process in kernel mode.

But then so could the kernel functions of course…

If he’s checking the behaviour of a process after it’s been run, it’s kind
of like cutting off the branch you’re sitting on.

He’s also assuming that he can analyse this processes behaviours without it
realising that it is being tampered with, and reacting to that tampering.

-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of
xxxxx@arcor.de
Sent: 05 February 2010 03:13
To: Windows System Software Devs Interest List
Subject: RE:[ntdev] Terminate a process from kernel-mode with the help of
usermode

Hi,

i personally do not see any sense to terminate a process in kernel mode when
there are the stubs in user mode that transist into kernel mode and call the
functions. Using a approach like that (as said before) is a great security
problem and not really recommended.

But one thing that everybody forget here is the fact that many of the
commercial security solutions would (possibly) flag such a product as a
security thread/risk, especially when it comes to calls like
Nt/ZwTerminateProcess and functions acting in that space (everything that
hooks something)! Am i right or wrong!

The best termination method is by far using
TerminateProcess(…)/ExitProcess(…) or possibly FatalAppExit(…)
(depending on the goal) from Usermode when the main application runs there
as this one seems to be one of this kind.

Regards

Kerem

NTDEV is sponsored by OSR

For our schedule of WDF, WDM, debugging and other seminars visit:
http://www.osr.com/seminars

To unsubscribe, visit the List Server section of OSR Online at
http://www.osronline.com/page.cfm?name=ListServer

__________ Information from ESET NOD32 Antivirus, version of virus signature
database 4837 (20100205) __________

The message was checked by ESET NOD32 Antivirus.

http://www.eset.com

__________ Information from ESET NOD32 Antivirus, version of virus signature
database 4837 (20100205) __________

The message was checked by ESET NOD32 Antivirus.

http://www.eset.com

thnx all,but :
one of them reasons that I have tenacity on using kernel functions and Kernel mode is that the functions in user space is not more powerful than kernel-mode functions .
if you had took a glance at the APT (advanced process termination) tool, then you seen it has more than 10 method for terminating a process , such methods like : ZwTerminateProcess, WriteProcessMemory, ExitProcess,CreateRemoteThread,VirtualProtectEx and so forth …
some malicious processes could not be Terminate as easy …, processes like anti-virus softwares is also could not be terminated easily like kaspersky, nod and …
malware writers always have some methods for preventing the security products to terminate them easily.
and I thought if I can the best / robust method for killing a process then there’s not a necessary to be worry about the malicious processes .
I’m almost new to windows kernel mode stuff and also new to driver development .
if anyone could explain something about the best and most robust method for killing / terminating a process it would be helpful.
thanks .

Genius

They are not more powerful in kernel space. The Zw calls can be used in
user space or kernel. The easiest and best way to terminate is to use the
user-mode API’s and yes they do terminate anti-virus programs. You can use
hack methods from either user space or kernel space to intercept the
operation of a program and cause it to fail as a fall back, but note the
smarter malware will have some other piece of code checking for the failure
and restarting it.

You state you are new to both kernel development and the Windows kernel, but
you are trying to tackle something very tricky and if you do it wrong you
open security holes not make the system more secure (a number of AV systems
have done this). You are doing the equivalent of saying I am going to
learn to swim, I will start with swimming the English Channel.

–
Don Burn (MVP, Windows DKD)
Windows Filesystem and Driver Consulting
Website: http://www.windrvr.com
Blog: http://msmvps.com/blogs/WinDrvr

wrote in message news:xxxxx@ntdev…
> thnx all,but :
> one of them reasons that I have tenacity on using kernel functions and
> Kernel mode is that the functions in user space is not more powerful than
> kernel-mode functions .
> if you had took a glance at the APT (advanced process termination) tool,
> then you seen it has more than 10 method for terminating a process , such
> methods like : ZwTerminateProcess, WriteProcessMemory,
> ExitProcess,CreateRemoteThread,VirtualProtectEx and so forth …
> some malicious processes could not be Terminate as easy …, processes
> like anti-virus softwares is also could not be terminated easily like
> kaspersky, nod and …
> malware writers always have some methods for preventing the security
> products to terminate them easily.
> and I thought if I can the best / robust method for killing a process then
> there’s not a necessary to be worry about the malicious processes .
> I’m almost new to windows kernel mode stuff and also new to driver
> development .
> if anyone could explain something about the best and most robust method
> for killing / terminating a process it would be helpful.
> thanks .
>
> Genius
>
>
> Information from ESET NOD32 Antivirus, version of virus
> signature database 4837 (20100205)
>
> The message was checked by ESET NOD32 Antivirus.
>
> http://www.eset.com
>
>
>

Information from ESET NOD32 Antivirus, version of virus signature database 4837 (20100205)

The message was checked by ESET NOD32 Antivirus.

http://www.eset.com

At 13:53 05/02/2010, Don Burn wrote:

You are doing the equivalent of saying I am going to
learn to swim, I will start with swimming the English Channel.

Sorry, but I can’t help but extend Don’s metaphor. Swimming the
English Channel is very dangerous. First it’s one of the busiest
shipping lanes in the World - you have to avoid the big tankers and
cargo ships. And just when you’re happy you’ve avoided those
obstacles, you’ll notice that the sea around you is full of turds.

Mark.

What is “turds”? I’ve never heard that word before,…

Is there a sample of using ZwTerminateProcess from usermode ?

NTSTATUS
ZwTerminateProcess(
IN HANDLE ProcessHandle,
IN NTSTATUS ExitStatus
);

but there is NO need for! The TerminateProcess(…) is exactly the same, wrapped arround NtTerminateProcess(…)! Use the User Mode one! You need PROCESS_TERMINATE rights for using that. Even at assembly level it simply pushes EBP twice and calls NtTerminateProcess(…). SO there is absolutely NO reason to use the Zw/Nt one!

Regards

Kerem

First the OpenProcess/TerminateProcess are just wrappers of
ZwOpenProcess/ZwTerminateProcess. If you want a sample dig up a copy of
the “Windows NT/2000 Native API Reference” by Gary Nebbett.

–
Don Burn (MVP, Windows DKD)
Windows Filesystem and Driver Consulting
Website: http://www.windrvr.com
Blog: http://msmvps.com/blogs/WinDrvr

wrote in message news:xxxxx@ntdev…
> Is there a sample of using ZwTerminateProcess from usermode ?
>
>
>
>
> Information from ESET NOD32 Antivirus, version of virus
> signature database 4838 (20100205)
>
> The message was checked by ESET NOD32 Antivirus.
>
> http://www.eset.com
>
>
>

Information from ESET NOD32 Antivirus, version of virus signature database 4838 (20100205)

The message was checked by ESET NOD32 Antivirus.

http://www.eset.com

@ Kerem & @ Don Burn :
Thanks for the useful explanations, now I’ve been relized that the TerminteProcess is the same as ZwTerminateProcess, when we call to TerminateProcess it’s automatically call ZwTerminateProcess from the kernel and don’t need to Call it directly .
thanks all .

I need more things to understand the concepts, I should increase my study …

> I should increase my study

start here:

kernel32!TerminateProcess->ntdll!NtTerminateProcess->this then loads EAX with a service number, then EDX is load with a transition code, then then EDX is called with CALL instruction. At least thats what my vista looks like. I think in W2k, if i remember right, this was dispatched with a LEA instruction instead EDX and then a INT 2E was issued. But you dont need that i guess, just for the case what it looks beneath,…

Regards

Kerem

Why the heck should he start there? We have already indicated to him that
he does not need the call, so why should he be mucking with assembler when
he is still learning the basic’s. This is the type of logic that produces
some of the crap we see in the anti-malware space, i.e. dive to the bottom
to begin with.

–
Don Burn (MVP, Windows DKD)
Windows Filesystem and Driver Consulting
Website: http://www.windrvr.com
Blog: http://msmvps.com/blogs/WinDrvr

wrote in message news:xxxxx@ntdev…
>> I should increase my study
>
> start here:
>
> kernel32!TerminateProcess->ntdll!NtTerminateProcess->this then loads EAX
> with a service number, then EDX is load with a transition code, then then
> EDX is called with CALL instruction. At least thats what my vista looks
> like. I think in W2k, if i remember right, this was dispatched with a LEA
> instruction instead EDX and then a INT 2E was issued. But you dont need
> that i guess, just for the case what it looks beneath,…
>
>
> Regards
>
> Kerem
>
>
> Information from ESET NOD32 Antivirus, version of virus
> signature database 4838 (20100205)
>
> The message was checked by ESET NOD32 Antivirus.
>
> http://www.eset.com
>
>
>

Information from ESET NOD32 Antivirus, version of virus signature database 4838 (20100205)

The message was checked by ESET NOD32 Antivirus.

http://www.eset.com