Tracking service for running services.exe

I hooked the ZwCreateFile function to track file creation done by various processes and noted that whenever a .sys creates any file my hooked function DbgPrints “services.exe” with process id 004, which was quite obvious.
However, I needed to find the service handle or service name on behalf of which services.exe called ZwCreateFile, to clearly identify the driver on behalf of which the system call was made. Please suggest any method and, if possible, any alternative method to do the same.

Why do you need to do that? What are you trying to achieve?

Track all system calls made by a particular driver service and decide whether to allow it or block it.

0004 is the system process, not services.exe. Good luck on whatever it
is you are really trying to do.

Mark Roddy

On Fri, Feb 25, 2011 at 12:06 PM, wrote:
> I hooked ZwCreateFile function to track file creation done by various processes and noted that whenever a .sys creates any file my hooked function DbgPrints “services.exe” with process id 004 which was quite obvious.
> However, I needed to find the service handle or service name on behalf of which services.exe called ZwCreateFile, to clearly identify the driver on behalf of which the system call was made. Please suggest any method and, if possible, any alternative method to do the same.
>
> —
> NTDEV is sponsored by OSR
>
> For our schedule of WDF, WDM, debugging and other seminars visit:
> http://www.osr.com/seminars
>
> To unsubscribe, visit the List Server section of OSR Online at http://www.osronline.com/page.cfm?name=ListServer
>

OK. Here is the question I hoped you’d answer:

Why do you think you need to track calls made by a particular driver service and what do you think you will achieve by doing that.

This I am doing for study purposes. By tracking all calls of service a behaviour profile of service can be created.

>> 0004 is the system process, not services.exe.
This is what indeed has been puzzling me.

Is it possible to write a callback routine that gives me the process/driver name and loaded image or service name whenever any system call like ZwCreateFile, ZwDeleteFile etc. is made?

OK, so my attempt to load the firmware on my card, which involves
ZwCreateFile to read the binary, makes my driver malware?

Oh, and to protect my IP, the only way to update the binary is to run a
program which calls the driver through an undocumented DeviceIoControl, and
I pass in the binary, which is encrypted, and the driver creates the new
file, copies the data to it, and deletes the old file. This is malware?

You really have some weird ideas of what constitutes malware, and they are
provably wrong. I just gave a perfectly legitimate reason for using
ZwCreateFile and ZwDeleteFile.

If you understood the problem, you would know the answer to this question,
but the answer is that you have to detour-hook those calls, and do an
“inverted call” which is to complete an IRP back to user space. But that
hook is itself malware, so you will end up catching your own driver.

If ZwCreateFile is called entirely from within the kernel, why do you think
it is going to have a process ID? And how do you plan to get the driver
name from the address of the call? Maybe one of the OSR guys has an answer.
joe

-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of
xxxxx@hotmail.com
Sent: Tuesday, March 01, 2011 8:58 AM
To: Windows System Software Devs Interest List
Subject: RE:[ntdev] Tracking service for running services.exe


>>OK, so my attempt to load the firmware on my card, which involves
ZwCreateFile to read the binary, makes my driver malware?

Oh, and to protect my IP, the only way to update the binary is to run a
program which calls the driver through an undocumented DeviceIoControl, and
I pass in the binary, which is encrypted, and the driver creates the new
file, copies the data to it, and deletes the old file. This is malware?

Please read my post; I never talked about malware here.

>If ZwCreateFile is called entirely from within the kernel, why do you think
it is going to have a process ID? And how do you plan to get the driver
name from the address of the call? Maybe one of the OSR guys has an answer.

The question you asked is the question that I have been asking. If you find any alternative approach then do tell me. I just want to know if it is possible to write a callback routine that gives me the process/driver name and loaded image or service name whenever any system call like ZwCreateFile, ZwDeleteFile etc. is made, and how?

See below…

-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of
xxxxx@hotmail.com
Sent: Wednesday, March 02, 2011 5:24 AM
To: Windows System Software Devs Interest List
Subject: RE:[ntdev] Tracking service for running services.exe

>OK, so my attempt to load the firmware on my card, which involves
ZwCreateFile to read the binary, makes my driver malware?

Oh, and to protect my IP, the only way to update the binary is to run a
program which calls the driver through an undocumented DeviceIoControl, and
I pass in the binary, which is encrypted, and the driver creates the new
file, copies the data to it, and deletes the old file. This is malware?

Please read my post; I never talked about malware here.
****************************************************************
From your message of 2/26/11:

virus and bots manipulate ZwCreateXxx and ZwMapViewSection to inject their
code.
****************************************************************

>If ZwCreateFile is called entirely from within the kernel, why do you think
it is going to have a process ID? And how do you plan to get the driver
name from the address of the call? Maybe one of the OSR guys has an answer.

The question you asked is the question that I have been asking. If you find
any alternative approach then do tell me. I just want to know if it is
possible to write a callback routine that gives me the process/driver name and
loaded image or service name whenever any system call like ZwCreateFile,
ZwDeleteFile etc. is made, and how?

******************************************************************
Suppose ZwCreateFile is called from within the kernel, from a driver.
Suppose furthermore that you can actually detect this has happened. What
could it possibly mean? [Answer: you have no idea what it could mean]

Suppose you know where it is called from? Assuming you can figure this out
in a meaningful way, what does it mean to you? [Answer: nothing]

Suppose it is called as a consequence of another API calling the kernel.
Suppose you can figure this out. Suppose you can get the process ID. What
does this tell you? [Answer: nothing]

Suppose you know what the driver name is that called it. What does this
tell you? [Answer: nothing]

If you could figure out any of this reliably, a key question is how would
you do any kind of malware detection with the knowledge you can deduce?
Unless you have an answer to this, it doesn’t matter that you don’t know how
to discover what is going on, because it won’t matter in the slightest.

This is what I call the “information overload-trophy phenomenon” (as in
phototrophy, which is the tendency of plants to turn to the Sun) which is
the mistaken belief that if you have lots of information this information
will necessarily be useful, so the secret is to create situations in which
lots of information is gathered. This was the failure of “Management
Information Systems” of the 70s and even the 80s (by which point people
should have known better). I have a WONDERFUL conference proceedings I
picked up at a used bookstore, of a 1963 conference: “Computers: Key to
Total System Control”, when the average mainframe had the computing power of
an 8088 but much less memory. ROTFLMAO papers in it, but they all had the
same basic premise: if only I could know everything possible, I could solve
every problem I have ever seen. So you keep asking “How do I do X?” in the
hope that if you have discovered how to do X, then malware detection is a
solved problem. People who worry about such things full-time know that if
you know X, and Y, and Z, and W, and On Beyond Zebra, you still have no
solid predicate for saying “this is malware”.

No, there are no callbacks. If they existed, they would not help. You
could create them by hooking the function call, using Detours, etc., but
having done so you have not solved anything that is going to help in the
malware detection problem (I have a friend that worked in this business for
about a decade, and he left it when it became clear that the problem was not
solvable without imposing orders-of-magnitude performance hits on the
system, which essentially boiled down to simulating every API and examining
its direct consequences. Ultimately he retired without having found any
viable solution to the problem).

For example, you could look at ZwCreateFile and make sure it is working only
with user-level privileges, but generally all you could intercept are
techniques of virus injection, which are not terribly interesting these days
compared to other malware attacks. The issue there is not where it is coming
from, but what it is acting on, and how.

So you keep asking for information of type X, without any hint of how it
might be useful for solving the problem. Not good enough.

First and foremost, I suggest getting several good books on malware
detection and analysis as it is currently practiced. None of the approaches
you are suggesting seem consistent with current practice. It is not clear
they would ever have made sense.

We once set up a system that did SHA-1-equivalent checksums on all
executables (this was before SHA-1 was a standard, note that SHA-1 has a
vulnerability which is why SHA-2 is now the standard. Our checksums were
weaker than SHA-1). This probably caught more problems than any other
approach I’ve seen, and it ran in the background at night, so didn’t impact
users during the day. We had windows of vulnerability, but even if
someone’s entire disk was infected, we would isolate the files that night
and they’d be re-instated before they arrived for work the next day (OK,
most of us didn’t show up until 10am…)
joe
***************************************************************************
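Joe's nightly-checksum scheme, as an added example that is not part of the thread: record a baseline of SHA-256 (SHA-2, rather than the weaker checksums he describes) hashes of the executables under a root, diff a later scan against it, and isolate anything new or altered until it is reviewed. The directory layout, file contents and the suffix list that counts as "executable" are constructed assumptions.

```python
import hashlib
import os
import shutil
import tempfile

EXEC_SUFFIXES = (".exe", ".dll", ".sys")  # assumption: what counts as an executable

def sha256_file(path):
    with open(path, "rb") as f:  # whole-file read; chunk it for real trees
        return hashlib.sha256(f.read()).hexdigest()

def scan(root):  # baseline record: relative path -> SHA-256 of each executable
    result = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            if name.lower().endswith(EXEC_SUFFIXES):
                full = os.path.join(dirpath, name)
                result[os.path.relpath(full, root)] = sha256_file(full)
    return result

def diff_baseline(baseline, current):
    """Classify changes since the baseline: new, deleted and altered binaries."""
    return {
        "added": sorted(p for p in current if p not in baseline),
        "removed": sorted(p for p in baseline if p not in current),
        "modified": sorted(p for p in current if p in baseline and current[p] != baseline[p]),
    }

def quarantine(root, rel_paths, qdir):
    """Isolate suspect files outside the tree so they cannot run until reviewed."""
    os.makedirs(qdir, exist_ok=True)
    for rel in rel_paths:
        shutil.move(os.path.join(root, rel), os.path.join(qdir, rel.replace(os.sep, "_")))

def demo():
    """Constructed scenario: baseline, then a driver is patched and a new DLL dropped."""
    root, qdir = tempfile.mkdtemp(), tempfile.mkdtemp()
    os.makedirs(os.path.join(root, "drivers"))
    files = {"drivers/good.sys": b"MZ good", "svc.exe": b"MZ svc", "notes.txt": b"skipped"}
    for rel, data in files.items():
        with open(os.path.join(root, rel), "wb") as f:
            f.write(data)
    baseline = scan(root)
    for rel, data in {"drivers/good.sys": b"MZ patched", "dropper.dll": b"MZ new"}.items():
        with open(os.path.join(root, rel), "wb") as f:
            f.write(data)
    report = diff_baseline(baseline, scan(root))
    quarantine(root, report["added"] + report["modified"], qdir)
    return report, sorted(scan(root)), sorted(os.listdir(qdir))
```

Deleted binaries are reported but, having no file left to isolate, are not quarantined; in practice the baseline itself must be stored where a compromised host cannot rewrite it.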



>>From your message of 2/26/11:
> virus and bots manipulate ZwCreateXxx and ZwMapViewSection to inject their
code

Thanks for all your valuable suggestions, but you are mixing up the contents of my two posts. This content is from “DLL injection in sys file” and not the current post. Anyway, you talked about books regarding malware detection and analysis; however, such books are not very clear in their writing and are mostly theoretical and repetitive compared to books on malware that even provide source code to test. Can you suggest some good books regarding malware detection and analysis you came across?

>Suppose ZwCreateFile is called from within the kernel, from a driver.
Suppose furthermore that you can actually detect this has happened. What
could it possibly mean? [Answer: you have no idea what it could mean]

Suppose you know where it is called from? Assuming you can figure this out
in a meaningful way, what does it mean to you? [Answer: nothing]

Suppose it is called as a consequence of another API calling the kernel.
Suppose you can figure this out. Suppose you can get the process ID. What
does this tell you? [Answer: nothing]

Suppose you know what the driver name is that called it. What does this
tell you? [Answer: nothing]

I was just trying to have a clear understanding practically of what goes inside the kernel rather than just reading books.

Please consider the case of IoCreateFileSpecifyDeviceObjectHint also.

On Thu, Mar 3, 2011 at 2:40 PM, wrote:



- amitr0