From Jose - tracking process writes to memory

Hi all, I am searching for a way to track when a process writes to the
memory of another process.

Currently I use notification callbacks when a process requests a process
handle and check the disposition. I also use a callback when a DLL is loaded
into a process (runs in context of the loaded process, so PIDs are of this
process and not the loader). Thanks to Don Burn for these two suggestions.

Using the above I can claim a process's memory has been loaded with a DLL
but can only guess which process may have initiated the task by reviewing
handle requests.

What I want is an equivalent to hooking ZwWriteVirtualMemory, a Windows-supported
approach to tell me process A is/has/is about to write to the memory
of process B.

thanks, Jose.


Yours in Success,

Jose Andre Morales, Ph.D.
www.josemorales.org

Starting in Win10 1709 there are ETW trace points for this (run “wevtutil gp
Microsoft-Windows-Threat-Intelligence”).

However, in order to get access to them you need to enable tracing for each
process (see PROCESS_READWRITEVM_LOGGING_INFORMATION) and be an anti-malware
protected process. Practically speaking, it’s not clear to me if these are
available to anyone other than Defender.

Without access to these trace points all you can do is build heuristics
based on the documented Ob/Ps callbacks. Alternatively you can hook this
operation in user mode (not ideal, but a kernel mode hook isn’t
happening…).

-scott
OSR
@OSRDrivers
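
As an added illustration of the heuristic Scott describes (not code from the thread or from OSR), the block below models how a driver could correlate the two documented callbacks Jose already uses: the ObRegisterCallbacks pre-operation callback, which sees the opener (PsGetCurrentProcessId()), the target and the requested access, and the PsSetLoadImageNotifyRoutine callback, which runs in the context of the process receiving the image. A cross-process handle carrying PROCESS_VM_WRITE and PROCESS_VM_OPERATION shortly before an image load in the same target is reported as the likely writer. The event record, ring buffer and timestamp window are this example's own assumptions; only the access-mask values are the documented Win32 constants. It is written as plain user-mode C so it can be compiled and run without the WDK.

```c
/*
 * Added example: correlate Ob handle-open events with Ps image-load events
 * to estimate which process wrote into another process's memory.
 * The structures and the time window are constructed for this example;
 * the access rights are the documented Win32 values.
 */
#include <stdio.h>
#include <stdint.h>
#include <string.h>

#define PROCESS_CREATE_THREAD 0x0002u
#define PROCESS_VM_OPERATION  0x0008u
#define PROCESS_VM_WRITE      0x0020u

/* Rights that together let a caller modify another process's memory. */
#define INJECT_MASK (PROCESS_VM_OPERATION | PROCESS_VM_WRITE)

/* Correlation window, in the same arbitrary unit as the event timestamps. */
#define WINDOW_TICKS 5000u

typedef struct {
    uint64_t when;        /* timestamp of the handle open */
    uint32_t caller_pid;  /* process that requested the handle */
    uint32_t target_pid;  /* process the handle refers to */
    uint32_t access;      /* DesiredAccess seen in the pre-op callback */
} handle_event_t;

#define MAX_EVENTS 64
typedef struct {
    handle_event_t ev[MAX_EVENTS];
    size_t count;         /* total recorded; the buffer wraps at MAX_EVENTS */
} handle_log_t;

/* Called from the Ob pre-operation callback: keep only cross-process opens
 * that carry memory-write rights; same-process and read-only opens are noise. */
void record_handle_open(handle_log_t *hl, uint64_t when,
                        uint32_t caller, uint32_t target, uint32_t access)
{
    if (caller == target) return;
    if ((access & INJECT_MASK) != INJECT_MASK) return;
    handle_event_t *slot = &hl->ev[hl->count % MAX_EVENTS];
    slot->when = when;
    slot->caller_pid = caller;
    slot->target_pid = target;
    slot->access = access;
    hl->count++;
}

/* Called from the load-image notify routine for process `target`: return the
 * PID of the most recent process that held write rights on `target` inside the
 * window, or 0 when there is no candidate. */
uint32_t suspect_writer(const handle_log_t *hl, uint64_t when, uint32_t target)
{
    uint32_t best = 0;
    uint64_t best_when = 0;
    size_t n = hl->count < MAX_EVENTS ? hl->count : MAX_EVENTS;
    for (size_t i = 0; i < n; i++) {
        const handle_event_t *e = &hl->ev[i];
        if (e->target_pid != target || e->when > when) continue;
        if (when - e->when > WINDOW_TICKS) continue;   /* too old to matter */
        if (best == 0 || e->when > best_when) {
            best = e->caller_pid;
            best_when = e->when;
        }
    }
    return best;
}

int main(void)
{
    handle_log_t hl;
    memset(&hl, 0, sizeof hl);
    /* Constructed events: PID 4242 opens PID 1337 with write rights, then a
     * DLL shows up in 1337 a little later. */
    record_handle_open(&hl, 100, 4242, 1337,
                       PROCESS_VM_WRITE | PROCESS_VM_OPERATION | PROCESS_CREATE_THREAD);
    uint32_t who = suspect_writer(&hl, 2000, 1337);
    printf("image loaded in 1337; likely writer: %u\n", who);
    return 0;
}
```

The window and the "most recent holder wins" rule are deliberately simple; a real driver would also want to drop the record when the handle is closed and to ignore well-known legitimate writers such as the debugger it is configured to trust.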

I’m wondering which Ps callbacks aside from CreateProcess and LoadImage I
can use to gather more evidence that process A is writing to the memory of
process B. The Ob callbacks already provide evidence for the permission request of write
to the memory of process B by process A.

On Fri, Mar 23, 2018 at 12:56 PM Scott Noone <
xxxxx@lists.osr.com> wrote:

> Starting in Win10 1709 there are ETW trace points for this (run “wevtutil
> gp
> Microsoft-Windows-Threat-Intelligence”).
>
> However, in order to get access to them you need to enable tracing for each
> process (see PROCESS_READWRITEVM_LOGGING_INFORMATION) and be an
> anti-malware
> protected process. Practically speaking, it’s not clear to me if these are
> available to anyone other than Defender.
>
> Without access to these trace points all you can do is build heuristics
> based on the documented Ob/Ps callbacks. Alternatively you can hook this
> operation in user mode (not ideal, but a kernel mode hook isn’t
> happening…).
>
> -scott
> OSR
> @OSRDrivers
>
>
>

Yours in Success,

Jose Andre Morales, Ph.D.
www.josemorales.org