HANDLE Invalidated on ZwWriteFile during Boot

Recently I have tested modifying/replacing Windows system files from a kernel-mode driver, as doing this in user mode is not supported. To keep it simple, I read into a buffer from my modified file (SOURCE) and write it into the original system file (TARGET). Such tests have worked on files such as C:\WINDOWS\system32\netapi32.dll.

However, today I tried doing the same technique on C:\WINDOWS\system32\ntdll.dll. If I attempt to replace from my driver located in the “system” startup group, I receive a STATUS_SHARING_VIOLATION.

My first thought was to change the startup group to “boot”. Opening the file in GENERIC_WRITE or FILE_WRITE_DATA as the “DesiredAccess” to ZwCreateFile() works and returns a valid HANDLE. However, when it comes to execute ZwWriteFile() the NTSTATUS returned is STATUS_INVALID_HANDLE.

I have tried setting “FileAttributes” of ZwCreateFile() to both FILE_ATTRIBUTE_NORMAL and FILE_ATTRIBUTE_SYSTEM, independently. I have tried setting the “CreateDisposition” of ZwCreateFile() to both FILE_OPEN and FILE_OVERWRITE, independently. All four combinations will fail during ZwWriteFile(), even though the HANDLE from ZwCreateFile() is valid.

For “CreateOptions” of ZwCreateFile() I used FILE_SYNCHRONOUS_IO_NONALERT for all calls.

I can post the relevant source code if it would help. If it is possible to modify other “protected” system files such as advapi32.dll or netapi32.dll, then it should be possible to modify ntdll.dll?

As further reference, I refer to the target files in kernel mode as L"\??\C:\WINDOWS\system32\<target>".

TLDR: The kernel driver can open ntdll.dll in write mode during “boot” startup but loses the valid HANDLE during ZwWriteFile(). This is not a problem with other system-protected files on a Windows XP system.

The resulting handle is specific to the calling context unless you pass OBJ_KERNEL_HANDLE in the attributes. In this case you create the handle in context Xxx, but making the call in context Yyy will result in STATUS_INVALID_HANDLE.

d

Sent from my phone


From: xxxxx@gmail.com
Sent: 4/24/2014 2:05 PM
To: Windows System Software Devs Interest List
Subject: [ntdev] HANDLE Invalidated on ZwWriteFile during Boot

NTDEV is sponsored by OSR

Visit the list at: http://www.osronline.com/showlists.cfm?list=ntdev

OSR is HIRING!! See http://www.osr.com/careers

For our schedule of WDF, WDM, debugging and other seminars visit:
http://www.osr.com/seminars

To unsubscribe, visit the List Server section of OSR Online at http://www.osronline.com/page.cfm?name=ListServer
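The reply above explains why the HANDLE is "valid" when ZwCreateFile returns and "invalid" by the time ZwWriteFile runs: a handle without OBJ_KERNEL_HANDLE lives in the handle table of whatever process was current at open time (for a boot-start DriverEntry that is the System process), while a kernel handle is looked up in the System process table from any context. The following is an added illustration, not code from the poster or from the list: a hosted, stand-alone C model of that lookup rule, using the real constant values from ntdef.h/ntstatus.h (OBJ_KERNEL_HANDLE = 0x200, STATUS_INVALID_HANDLE = 0xC0000008, and the sign bit that marks a kernel handle on 32-bit XP). The PROCESS struct, the fixed-size table, the model_* functions and the "smss.exe" second context are assumptions made for the illustration; they are not the kernel's real data structures, and the model does not touch any file.

```c
/*
 * Added illustration of handle-table scoping, modelled on the rule in the
 * reply above. Hosted C, no WDK needed. Constant values are the real ones;
 * the PROCESS type, table size and model_* functions are assumptions.
 * In a real driver the fix is the attribute flag, e.g.
 *   InitializeObjectAttributes(&oa, &name,
 *       OBJ_KERNEL_HANDLE | OBJ_CASE_INSENSITIVE, NULL, NULL);
 * and the handle must then be closed with ZwClose from kernel mode.
 */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

typedef int32_t  NTSTATUS;
typedef uint32_t HANDLE_T;                 /* 32-bit handle value, as on x86 XP */

#define STATUS_SUCCESS                ((NTSTATUS)0x00000000)
#define STATUS_INVALID_HANDLE         ((NTSTATUS)0xC0000008)
#define STATUS_INSUFFICIENT_RESOURCES ((NTSTATUS)0xC000009A)
#define OBJ_CASE_INSENSITIVE          0x00000040u   /* ntdef.h */
#define OBJ_KERNEL_HANDLE             0x00000200u   /* ntdef.h */
#define KERNEL_HANDLE_MASK            0x80000000u   /* sign bit; 0xFFFFFFFF80000000 on x64 */
#define MAX_HANDLES                   16            /* assumption: toy table size */

/* Stand-in for an EPROCESS with its handle table (assumption). */
typedef struct { const char *name; const void *table[MAX_HANDLES]; } PROCESS;

/* The System process also owns the kernel handle table. */
static PROCESS g_system = { "System", { 0 } };

/* Model of the open path: OBJ_KERNEL_HANDLE, not the current process,
 * decides which table receives the entry; kernel handles carry the sign bit. */
static NTSTATUS model_create_handle(PROCESS *current, uint32_t attributes,
                                    const void *object, HANDLE_T *out)
{
    int kernel = (attributes & OBJ_KERNEL_HANDLE) != 0;
    PROCESS *owner = kernel ? &g_system : current;
    for (uint32_t i = 1; i < MAX_HANDLES; i++) {       /* slot 0 is never handed out */
        if (owner->table[i] == NULL) {
            owner->table[i] = object;
            *out = kernel ? (i | KERNEL_HANDLE_MASK) : i;
            return STATUS_SUCCESS;
        }
    }
    return STATUS_INSUFFICIENT_RESOURCES;
}

/* Model of ObReferenceObjectByHandle for a KernelMode (Zw*) caller: a kernel
 * handle resolves against the System table from any context, an ordinary
 * handle only against the table of the process that is current right now. */
static NTSTATUS model_reference_handle(PROCESS *current, HANDLE_T h, const void **object)
{
    PROCESS *owner = (h & KERNEL_HANDLE_MASK) ? &g_system : current;
    uint32_t slot = h & ~KERNEL_HANDLE_MASK;
    if (slot == 0 || slot >= MAX_HANDLES || owner->table[slot] == NULL)
        return STATUS_INVALID_HANDLE;
    *object = owner->table[slot];
    return STATUS_SUCCESS;
}

/* Model of ZwClose, same table selection as the lookup. */
static void model_close_handle(PROCESS *current, HANDLE_T h)
{
    PROCESS *owner = (h & KERNEL_HANDLE_MASK) ? &g_system : current;
    uint32_t slot = h & ~KERNEL_HANDLE_MASK;
    if (slot != 0 && slot < MAX_HANDLES)
        owner->table[slot] = NULL;
}

/* Model of ZwWriteFile: only the handle lookup is modelled, nothing is written. */
static NTSTATUS model_write_file(PROCESS *current, HANDLE_T h, const void *buf, size_t len)
{
    const void *file;
    NTSTATUS st = model_reference_handle(current, h, &file);
    (void)buf; (void)len;
    return st;
}

/* The thread's scenario: open in the boot-start DriverEntry (System process),
 * then write either from the same context or from some other process that is
 * current later. Returns the status the write would report. */
NTSTATUS scenario(uint32_t open_attributes, int write_from_other_process)
{
    static const char ntdll_path[] = "\\??\\C:\\WINDOWS\\system32\\ntdll.dll";
    PROCESS other = { "smss.exe", { 0 } };   /* assumption: any other process */
    HANDLE_T h;
    NTSTATUS st = model_create_handle(&g_system, open_attributes, ntdll_path, &h);
    if (st != STATUS_SUCCESS)
        return st;
    st = model_write_file(write_from_other_process ? &other : &g_system, h, "data", 4);
    model_close_handle(&g_system, h);
    return st;
}

int main(void)
{
    printf("plain handle, write from another process:  0x%08X\n", (unsigned)scenario(0, 1));
    printf("OBJ_KERNEL_HANDLE, write from another process: 0x%08X\n",
           (unsigned)scenario(OBJ_KERNEL_HANDLE | OBJ_CASE_INSENSITIVE, 1));
    return 0;
}
```

Running it prints 0xC0000008 for the plain handle and 0x00000000 for the kernel handle, which is the symptom in the thread: the open succeeds either way, and only the later ZwWriteFile from a different process context tells the two apart. The same table rule means a kernel handle cannot be passed to, or closed from, user mode.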

You should also look into the KnownDlls Registry entry, which prevents spoofing.
