Oh yeah? I bet my high horse could beat up your low horse any day!
Sent from my iPhone
On Dec 27, 2017, at 20:26, xxxxx@probo.com wrote: > > xxxxx@gmail.com wrote: >> On Tue, Dec 26, 2017 at 8:59 AM, xxxxx@gmail.com >> wrote: >>> Sounds a bit like a procedure that could aid one in circumventing >>> anti-piracy protection? Seriously though, what legitimate need do you have >>> for what you’re asking? >>> >> This train of thought is pointless. Get off your high horse. Computers >> are used for breaking the law, so why don’t you chuck yours in a >> dumpster? > > Of course it’s not pointless. What you say may be true, but the members > of this mailing list do not intend to be accessories to the crime. > > – > Tim Roberts, xxxxx@probo.com > Providenza & Boekelheide, Inc. > > > — > NTDEV is sponsored by OSR > > Visit the list online at: http: > > MONTHLY seminars on crash dump analysis, WDF, Windows internals and software drivers! > Details at http: > > To unsubscribe, visit the List Server section of OSR Online at http:</http:></http:></http:>
For an NtWriteVirtualMemory alternate, you can use KeStackAttachProcess to attach to a process and then use memcpy, or you can use MmCopyVirtualMemory. Remember to detach with KeUnstackDetachProcess if you use the former method.
For an NtProtectVirtualMemory solution, simply find the address with the System Service Descriptor Table. Note it won’t be 100% “stable” for 64-bit environments but it can easily be found on 64-bit environments (where the kernel does not export it) for Windows 7 - Windows 10 without a code-base change. Simply find the address of KiSystemCall64, then find KiSystemServiceRepeat, and then extract the address (it is referenced by KiSystemServiceRepeat). IA32_LSTAR points to KiSystemCall64 so it is a simple task.
May I ask, why not just have a Windows Service call NtProtectVirtualMemory for you? You can even pass down the HANDLE from kernel-mode as long as it isn’t a kernel-mode only handle. This would be a lot more stable and reliable.
I’ve been using NtWriteVirtualMemory and NtProtectVirtualMemory for educational purposes in kernel-mode through testing for many years now and it has always been just as reliable as in user-mode for me, but that doesn’t mean it is a “good” thing to do.
It isn’t my job to care if you are taking a bad approach or not. You’re a programmer, and you are in-charge of your own project. You asked a question and I answered it, whether you should re-assess your options is down to you - I personally think you should. However, let me make one thing very clear… If you start messing with the System Service Descriptor Table (especially for 64-bit systems) and go down a path of unstable, undocumented and officially unsupported mechanisms, you’re going to land yourself in a heap of trouble when the time comes and it could be anything from losing customers over bug-checking their systems after a Windows patch update, to not understanding how to update something efficiently or properly.
Keep in mind that Windows 8.1 and later have a new code integrity policies that prohibits
using of dynamic memory. For example, ZwAllocateVirtualMemory and ZwProtectVirtualMemory
may return an error 0xC0000604 (STATUS_DYNAMIC_CODE_BLOCKED) if the
corresponding policy was enabled for a process.
See SetProcessMitigationPolicy for more information.
By default, this policy enabled for the services.exe, smss.exe and some other system processes.
Aleh is correct, there is indeed a new protection mechanism and it’s related to the security policies for processes; it has actually existed for a very long time however was not documented or available via a documented interface.
SetProcessMitigationPolicy will call NtSetInformationProcess, and the NtSetInformationProcess call for changing the policy information will change data under the KPROCESS kernel-mode structure for the desired process. However, features such as enabling Data Execution Prevention (DEP) on-the-go cannot be done “permanently” from user-mode via NtSetInformationProcess I believe, but can from kernel-mode. Of course, modifying the KPROCESS structure (or even accessing it for that matter) would be highly unstable and unrecommended since it’s an opaque structure and the offsets regularly change.
Google have been using NtSetInformationProcess since Windows 7 to enforce features like DEP if it wasn’t already enabled (even though they compile with it enabled and their 64-bit compilation will always have it enabled of course due to 64-bit security benefits with the 64-bit Windows Kernel).
You can still inject a DLL just fine though as long as it doesn’t require a manual map shell-code loader (which would require additional memory to be executable and done remotely - and thus blocked - whereas standard DLL injection methods via remote thread creation, handle hijacking or APC with routines like LoadLibraryA/W would not require you to change the protection of memory, nor allocate memory with execute flags but only read/write).
I’d like to just quickly add that services.exe, smss.exe, csrss.exe and a few others are all protected processes by default since Windows 8. Therefore, attempting to attack them with or without security policies would be a waste of time. Even from kernel-mode, it is not so straight-forward like a call to ZwOpenProcess; that simply won’t be enough to get a handle to such processes and those processes don’t have user32.dll loaded/a UI at all so there’s less exploitation attack vectors available. You’d have to either go deep enough to bypass the checks for the process protection status built-in to the Windows Kernel, or patch the KPROCESS structure so the Windows Kernel doesn’t believe the process is actually protected. There’s also Protected Process Light, of course it can be beaten but none of these activities are documented, stable nor reliable and should especially not be used in a professional environment because data corruption from a BSOD can cause many issues.
To be honest, I am glad Microsoft made these processes protected. It strengthens the OS environment a bit against malicious software. Sadly they left lsass.exe unprotected at default configuration (it can be enabled for process protection via a registry hack) and svchost.exe can be exploited the same way lsass.exe can (to obtain process handles because lsass.exe and svchost.exe have opened handles by default - prevents passing through kernel-mode callbacks or triggering hooks) but maybe they will change that some-day by default which would be good.
KeAttachStack will throw BSOD if run inside the PsSetThreadCreateNotifyRoutine’s routine.
I don’t mind if the driver is stable in other versions of windows. In fact, I take in the assumption it runs only under Windows 10, so even manipulating the E/K-PROCESS/THREAD - is “ok” for me.
Now I’m stuck in a point where I’ve allocated UserMode buffer, which is RWX, and wrote there my infinite loop. What I want to do now is to set the thread to start running in the allocated address.
* Changing entry point inside PE header didn’t work.
* Changing Win32StartAddress inside ETHREAD structure didn’t work.
Any clues on how can I do it? All I want is for the thread to run my code (the infinite loop) when I return from the Notify Routine callback.
Thanks
" manipulating the E/K-PROCESS/THREAD - is “ok” for me" Well it should not
be, in multiple other versions of Windows those structures have changes with
Windows Update or Service Packs. When you consider that Windows 10 is
supposed to be the version for a very long time, your plans is very stupid.
-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of xxxxx@gmail.com
Sent: Tuesday, January 02, 2018 4:35 PM
To: Windows System Software Devs Interest List Subject: RE:[ntdev] Write Current Process Memory From Kernel
Few points for the last comments: - KeAttachStack will throw BSOD if run inside the PsSetThreadCreateNotifyRoutine’s routine. - I don’t mind if the driver is stable in other versions of windows. In fact, I take in the assumption it runs only under Windows 10, so even manipulating the E/K-PROCESS/THREAD - is “ok” for me.
Now I’m stuck in a point where I’ve allocated UserMode buffer, which is RWX, and wrote there my infinite loop. What I want to do now is to set the thread to start running in the allocated address. * Changing entry point inside PE header didn’t work. * Changing Win32StartAddress inside ETHREAD structure didn’t work.
Any clues on how can I do it? All I want is for the thread to run my code (the infinite loop) when I return from the Notify Routine callback. Thanks
> When you consider that Windows 10 is supposed to be the version for a very long time, your plans is very stupid.
Like I said before, its a university project, not a product. As far as I know, these structure usually change between different NT versions (mostly), I can be more strict and take in the assumption that its a specific build of Windows 10.
Another important note, I do this stuff in a 64 bit OS but only for 32 bit processes (therefore I looked up for Win32StartAddress previously).
The thing about CRAPPY UNIVERSITY PROJECT’S LIKE YOURS is that some idiot
takes it as an example of how to do things, and goes running off to try to
make a product. I’ve had multiple queries for consults with startups which
told me “we just have a little problem” when in reality they took someone’s
piece of junk project and based their whole product on it. Things don’t go
well when I suggest they throw everything out and start over.
-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of xxxxx@gmail.com
Sent: Tuesday, January 02, 2018 4:58 PM
To: Windows System Software Devs Interest List Subject: RE:[ntdev] Write Current Process Memory From Kernel
> When you consider that Windows 10 is supposed to be the version for a very long time, your plans is very stupid.
Like I said before, its a university project, not a product. As far as I know, these structure usually change between different NT versions (mostly), I can be more strict and take in the assumption that its a specific build of Windows 10.
Another important note, I do this stuff in a 64 bit OS but only for 32 bit processes (therefore I looked up for Win32StartAddress previously).
University is there for people to study (learn more) and gain experience. You say you are working on a ‘malware protection system (sort of)’ but you aren’t going to gain much useful experience for such a project if you’re developing buggy, unstable and extremely unreliable source code, or using the same from someone else.
I doubt your University would ask you to do what you are trying to do because it is a bit silly. Try coming up with a project idea which can be followed properly and help you learn skills for a professional environment, such as taking a good and documented/stable approach. That will help you a lot… Trying to put the main thread of a newly starting process in a never-ending infinite loop is beyond stupid.
Now I’m stuck in a point where I’ve allocated UserMode buffer, which is RWX, and wrote there my infinite loop. What I want to do now is to set the thread to start running in the allocated address.
* Changing entry point inside PE header didn’t work.
* Changing Win32StartAddress inside ETHREAD structure didn’t work.
Any clues on how can I do it? All I want is for the thread to run my code (the infinite loop) when I return from the Notify Routine callback.
It’s possible the nascent thread’s register state has already been set
up in a CONTEXT structure. Have you traces the stack all the way back
to user-mode?
–
Tim Roberts, xxxxx@probo.com
Providenza & Boekelheide, Inc.
I would bet everything that is not a university project
I graduated a university where we did Windows kernel. There were no such
nonsense tasks.
In University you learn operating system basics and filesystem basics not
much beyond that.
We also did Windows research kernel part of Microsoft which is anything but
this.
I’m surprised this thread hasn’t died yet here. This is obvious malware.
You may not be aware that it is, I give you that at most, but it is.
> > “Like I said before, its a university project” > > University is there for people to study (learn more) and gain experience. > You say you are working on a ‘malware protection system (sort of)’ but you > aren’t going to gain much useful experience for such a project if you’re > developing buggy, unstable and extremely unreliable source code, or using > the same from someone else. > > I doubt your University would ask you to do what you are trying to do > because it is a bit silly. Try coming up with a project idea which can be > followed properly and help you learn skills for a professional environment, > such as taking a good and documented/stable approach. That will help you a > lot… Trying to put the main thread of a newly starting process in a > never-ending infinite loop is beyond stupid. > > — > NTDEV is sponsored by OSR > > Visit the list online at: http:> showlists.cfm?list=ntdev> > > MONTHLY seminars on crash dump analysis, WDF, Windows internals and > software drivers! > Details at http: > > To unsubscribe, visit the List Server section of OSR Online at < > http://www.osronline.com/page.cfm?name=ListServer> ></http:></http:>
> I would bet everything that is not a university project I graduated a university where we did Windows kernel. There were no such nonsense tasks. In University you learn operating system basics and filesystem basics not much beyond that. We also did Windows research kernel part of Microsoft which is anything but this. I’m surprised this thread hasn’t died yet here. This is obvious malware. You may not be aware that it is, I give you that at most, but it is.
More than happy to answer this one
I’m a fourth year software engineering student, whereas my final project (as for the diplomma, not for a specific course) is a system which monitors “Untrusted Processes” and treats them in a supervised environment as needed (some kind of “catching any untrusted (== not whitelisted) process and open in under our special sandbox”. By special sandbox, I mean it’s different from any other sandbox solution in the open-source, therefore we require to use a driver which catches these processes for us.
I answered this before, but many people skip some of the comments. What I do is catch any new process, prevent it from running it’s code until I attach to it as a debugger. How? Well, I can’t put in on suspend for some reason, so I write an infinite loop in it’s beginning. After I attach to it - everything is back to normal.
It’s good that you put quotes around “untrusted process”.
You might first why to identify WHAT if your criteria for a process to be
untrusted. Ask yourself that.
In order to do this you might want to analyze it begins execution, as a
file. Why wait for it to become a process. At the execution stage you
should already “know” if your to-be process is trusted or not. So instead
of focusing on doing all the undocumented and not recommended strategy in
the book you should focus on looking at your problem in a different way.
One that is documented. The undocumented methods and structures are
undocumented for a reason and that reason is not to piss off developers and
make their lives miserable. That’s why you have registry callbacks,
minifilter model, Ob callbacks, ndis, wfp, process/thread/module callbacks
and many many other models callbacks and documented ways to change the OS
behavior in a way that is consistent with the OS.
It’s like you want to implement a filesystem encryption functionality and
instead of using a minifilter you try to hook NTFS’s reads/writes and do
your dirty work there. Not OK.
So, what is an “untrusted process” ? Is it the same as untrusted executable
file ? Is it a combination of untrusted source process and target
executable file ? Is it more ? Answer all these questions and there will
answers where your implementation will not have to depend on hacks.
> > I would bet everything that is not a university project I graduated a > university where we did Windows kernel. There were no such nonsense tasks. > In University you learn operating system basics and filesystem basics not > much beyond that. We also did Windows research kernel part of Microsoft > which is anything but this. I’m surprised this thread hasn’t died yet here. > This is obvious malware. You may not be aware that it is, I give you that > at most, but it is. > > More than happy to answer this one > I’m a fourth year software engineering student, whereas my final project > (as for the diplomma, not for a specific course) is a system which monitors > “Untrusted Processes” and treats them in a supervised environment as needed > (some kind of “catching any untrusted (== not whitelisted) process and open > in under our special sandbox”. By special sandbox, I mean it’s different > from any other sandbox solution in the open-source, therefore we require to > use a driver which catches these processes for us. > > I answered this before, but many people skip some of the comments. What I > do is catch any new process, prevent it from running it’s code until I > attach to it as a debugger. How? Well, I can’t put in on suspend for some > reason, so I write an infinite loop in it’s beginning. After I attach to it > - everything is back to normal. > > — > NTDEV is sponsored by OSR > > Visit the list online at: http:> showlists.cfm?list=ntdev> > > MONTHLY seminars on crash dump analysis, WDF, Windows internals and > software drivers! > Details at http: > > To unsubscribe, visit the List Server section of OSR Online at < > http://www.osronline.com/page.cfm?name=ListServer> ></http:></http:>
Well, any 32-bit process which is not whitelisted - for me it’s an “untrusted” one.
My project is a prevention system for malwares - during execution.
My grade for this don’t take in to account whether this is a good security design, if this is “smart” plan or any of this stuff. Its a university project, not a business product. My driver is not going to be signed or proceed further than the university bounds.
If the project succeeds, for educational purposes maybe I’ll post all the code for the project on Github or something.
I DO understand your concerns though, because all of my intentions and “playing around with the kernel” could be easily circumvented to malicious purposes - but in todays world I mean, what couldn’t?
Same as any simple pen could be used for stabbing, any piece of code could be used for malicious purposes.
Anyway, back to technical. I managed to catch any new process, and for each 32 bit process I replace the main code with infinite loop (if someone knows how to suspend it inside "PsSetCreateThreadNotifyRoutineEx’s routine - and it worked for him, I’ll be more than happy to know and change my code ). I get all the new PIDs to a array and synchronize it with a UM “Manager process”. The synchronization is simply done by setting an event, the Manager asks for the newly created PIDs and for more info. (I use an array of PIDs because maybe more than one process is created during this period of setting the event->getting the PIDs).
I DO have synchronization problems right now (between the cores and between User-Kernel space), so untill it’s not solved I’ll be glad to post more problems here and get the help I need.
