OSR Online Lists > ntdev
  Message 1 of 35  
25 Dec 17 18:41
Leon Ber
xxxxxx@gmail.com
Join Date: 13 Dec 2017
Posts To This List: 17
Write Current Process Memory From Kernel

Hi, I have a solution for a problem I'm currently facing, but don't know how to do it.

I want to use the equivalents of "VirtualProtect" and "WriteProcessMemory" from kernel space. More precisely, I run under the context of process A, just before the main thread has started to run (I'm in the context of the main thread, using PsSetCreateThreadNotifyRoutineEx). I want to make the page where the main function resides "Read Write Execute" instead of "Read Execute", and write over a few of main's first opcodes with opcodes given by my driver's data.

What I want to do is actually put the main thread in an infinite loop.

Thank you
  Message 2 of 35  
26 Dec 17 01:11
Tim Roberts
xxxxxx@probo.com
Join Date: 28 Jan 2005
Posts To This List: 11894
Write Current Process Memory From Kernel

On Dec 25, 2017, at 3:41 PM, xxxxx@gmail.com <xxxxx@lists.osr.com> wrote:
> I have a solution for a problem I'm currently facing, but don't know how to do it.
> I want to use the equivalents of "VirtualProtect" and "WriteProcessMemory" from kernel space.

Not hard, since every process's address space is accessible from the kernel.

> I want to make the page where main function resides "Read Write Execute" instead of "Read Execute", and write over few of the first main's opcodes with opcodes given by my driver's data.
> What I want to do is actually put the main thread in an infinite loop.

Do you think it's not going to be noticeable that every process goes into a tight CPU loop for a period before it starts?

Tim Roberts, xxxxx@probo.com
Providenza & Boekelheide, Inc.
  Message 3 of 35  
26 Dec 17 04:42
Leon Ber
xxxxxx@gmail.com
Join Date: 13 Dec 2017
Posts To This List: 17
Write Current Process Memory From Kernel

> Not hard, since every process's address space is accessible from the kernel.

Well, what API should I use? Haven't found anything relevant and documented. I want to either change the permissions of an existing page (where the entry point resides) to RWX and write an infinite loop at the beginning, or create a new page which can be accessed from user mode, and change the entry point to that page.

> Do you think it's not going to be noticeable that every process goes into a tight CPU loop for a period before it starts?

I don't mind if it's noticed or not, just so that my whole process won't take too long. What I do is pass the PID of the newly created process, put the process' thread in an infinite loop and then attach with a debugger to that process, and continue its execution in another place.
  Message 4 of 35  
26 Dec 17 10:00
wd
xxxxxx@gmail.com
Join Date: 26 Jan 2015
Posts To This List: 18
Write Current Process Memory From Kernel

Sounds a bit like a procedure that could aid one in circumventing anti-piracy protection? Seriously though, what legitimate need do you have for what you're asking?

Wade Dawson
DT Multimedia
  Message 5 of 35  
26 Dec 17 10:34
Leon Ber
xxxxxx@gmail.com
Join Date: 13 Dec 2017
Posts To This List: 17
Write Current Process Memory From Kernel

> Sounds a bit like a procedure that could aid one in circumventing anti-piracy protection? Seriously though, what legitimate need do you have for what you're asking?

Well, not exactly. I'm doing a project in the university (final, hopefully) which is basically a malware protection system (sort of). In my driver (which is 64 bit) I want to catch any 32 bit process that is created, pass it to my user-mode Manager, and if the process is not whitelisted, it is opened under the inspection of another process that attaches to it. Otherwise, my Manager resumes the execution. Very legit, very headache-giving and very urgent (first delivery is this Thursday :) ).

Another thread I opened here, "Create Suspended Process" (from kernel): http://www.osronline.com/showthread.cfm?link=286958
I didn't get the answer there. So I thought maybe if I get the entry point of my process from the first thread, I could write an infinite loop at the beginning, and this way I would be able to attach to the untrusted process before it executes other code. (Also, I want to "suspend" only 32-bit processes, which means I need to check the Optional Header in the PE.)
  Message 6 of 35  
26 Dec 17 11:35
Mark Roddy
xxxxxx@gmail.com
Join Date: 25 Feb 2000
Posts To This List: 4085
Write Current Process Memory From Kernel

The process is effectively suspended while in your process notify handler. I don't quite see what you are going to gain by whacking its code, although that is do-able, see Detours and related libraries. Why not attach your debugger/inspector to the process while you have it suspended in the callback?

Mark Roddy
  Message 7 of 35  
26 Dec 17 14:34
Tim Roberts
xxxxxx@probo.com
Join Date: 28 Jan 2005
Posts To This List: 11894
Write Current Process Memory From Kernel

xxxxx@gmail.com wrote:
>> Not hard, since every process's address space is accessible from the kernel.
> Well, what API should I use? Haven't found anything relevant and documented.

No, it's not going to be documented. VirtualProtect calls NtProtectVirtualMemory/ZwProtectVirtualMemory, which you can also call, if you can figure out how.

Tim Roberts, xxxxx@probo.com
Providenza & Boekelheide, Inc.
  Message 8 of 35  
26 Dec 17 18:45
Leon Ber
xxxxxx@gmail.com
Join Date: 13 Dec 2017
Posts To This List: 17
Write Current Process Memory From Kernel

> The process is effectively suspended while in your process notify handler. I don't quite see what you are going to gain by whacking its code, although that is do-able, see Detours and related libraries. Why not attach your debugger/inspector to the process while you have it suspended in the callback?

Thought about that, though I faced a few problems:

1. Using KeDelayExecutionThread in order to sleep and stay within the callback and try to attach manually with a debugger didn't work. The thread wasn't suspended but in a "Wait:DelayedExecution" state. Trying to attach with windbg resulted in a failure and a message: "The debugging session could not be started: FAILURE HR=0x80070002: Failed to DebugConnect". I'm guessing either I can't attach to a process with one thread in a "Wait" state, or the callback for thread creation has been called while the process' DebugPort has not yet been initialized. Either way, KeDelayExecutionThread, in both UserMode and KernelMode modes, failed.

2. When I used Process Explorer to check on the new process that had been created, procexp crashed when I tried to get the thread's stack. Maybe the callback has been called before the thread's user-mode stack has been initialized.
  Message 9 of 35  
26 Dec 17 20:15
Leon Ber
xxxxxx@gmail.com
Join Date: 13 Dec 2017
Posts To This List: 17
Write Current Process Memory From Kernel

Another problem (relevant to writing to memory): I tried using 3 callbacks:

PsSetCreateProcessNotifyRoutine - to get a callback for process creation.
PsSetCreateThreadNotifyRoutineEx - to get a callback for thread creation, in the new thread's context.
PsSetLoadImageNotifyRoutine - to get a callback for mapped memories.

The chronological order of callbacks is: CreateProcess -> Map (some, partial) Images -> Create first thread.

The relevant data from the process' binary itself (blabla.exe) is not fully mapped at the thread callback point. What I have is only 1 page from the exe base (the first page, which contains the headers etc.) and its permissions are READ_EXECUTE (maybe because of the DOS stub there to print that it cannot run in DOS mode...). Other sections and such are not mapped at this point. So anything related to changing the memory is not relevant now, because this page will become READONLY right after continuing execution and other sections will be mapped later on, so there is nowhere to put my infinite loop to simulate a "Suspend" state.
  Message 10 of 35  
26 Dec 17 20:36
Sergey Pisarev
xxxxxx@gmail.com
Join Date: 21 May 2017
Posts To This List: 85
Write Current Process Memory From Kernel

I think the image is mapped completely, many pages are just not paged in yet. So you can read the pages you are interested in and Mm will place them in memory.

Why do you think READ_EXECUTE is strange? It is how it should be. Debuggers change page protection when they need to place a breakpoint.
  Message 11 of 35  
27 Dec 17 18:32
Leon Ber
xxxxxx@gmail.com
Join Date: 13 Dec 2017
Posts To This List: 17
Write Current Process Memory From Kernel

> I think the image is mapped completely, many pages are just not paged in yet. So you can read the pages you are interested in and Mm will place them in memory.

How to do that exactly? I think it's my only option to "pseudo-suspend" the thread from the callback. I see that the "*.exe" image has been loaded, the first 0x1000 bytes are mapped (running "!vad" and then the specific "!vad vadAddress 1" will output the image base. Running "dc imageBase" gives me the PE header, the first 0x1000 bytes. After them, memory is not mapped; I see question marks instead of bytes).

> Why do you think READ_EXECUTE is strange? It is how it should be. Debuggers change page protection when they need to place a breakpoint.

I didn't put a breakpoint there, therefore I didn't change the permissions. The READ_EXECUTE is on the first 0x1000 bytes from the image base (I don't remember "MZ" being executable opcodes).
  Message 12 of 35  
27 Dec 17 18:36
Tim Roberts
xxxxxx@probo.com
Join Date: 28 Jan 2005
Posts To This List: 11894
Write Current Process Memory From Kernel

xxxxx@gmail.com wrote:
>> I think the image is mapped completely, many pages are just not paged in yet. So you can read the pages you are interested in and Mm will place them in memory.
> How to do that exactly?

    ULONG fetch = *ptr;

That will trigger a page fault. As long as you are at a passive IRQL, the memory manager will handle that page fault by reading the page from disk.

Tim Roberts, xxxxx@probo.com
Providenza & Boekelheide, Inc.
  Message 13 of 35  
27 Dec 17 19:08
Sergey Pisarev
xxxxxx@gmail.com
Join Date: 21 May 2017
Posts To This List: 85
Write Current Process Memory From Kernel

What I meant is that without a debugger, read execute is what you should expect. Debuggers add write protection before setting a breakpoint.

I don't see the problem. So the page with the magic number MZ has read execute protection. So what? MZ is not the only thing this page contains.
  Message 14 of 35  
27 Dec 17 19:10
Sergey Pisarev
xxxxxx@gmail.com
Join Date: 21 May 2017
Posts To This List: 85
Write Current Process Memory From Kernel

Or rather, a mapped executable page is copy-on-write.
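The copy-on-write property Sergey describes here (and the EXECUTE_WRITECOPY protection that shows up in the !vad output further down the thread) is easiest to see with an ordinary private file mapping, which has the same semantics as a Windows image section: a write after changing the protection lands in the writer's own copy of the page, and neither the file nor any other mapping of it changes. The block below is an added example, not code from the thread or from any poster. It is a Linux/POSIX analog (tmpfile, mmap MAP_PRIVATE and mprotect stand in for the image section, the process address space and VirtualProtect); the page contents, the ENTRY_OFF offset and the prologue bytes are constructed for the demonstration.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/mman.h>

#define ENTRY_OFF 0x10   /* constructed: where the "entry point" bytes sit in the page */

/* Returns 0 when the patched private mapping shows EB FE while the backing file and a
 * second private mapping of the same file still show the original bytes.
 * A negative value identifies the step that failed. */
int cow_patch_demo(void)
{
    long pg = sysconf(_SC_PAGESIZE);
    if (pg <= 0) return -1;
    unsigned char *buf = malloc((size_t)pg), *back = malloc((size_t)pg);
    FILE *f = tmpfile();
    unsigned char *a = MAP_FAILED, *b = MAP_FAILED;
    int rc = -2, fd;
    if (!buf || !back || !f) goto out;

    /* Constructed "image": one page of NOPs with a 32-bit prologue at ENTRY_OFF. */
    memset(buf, 0x90, (size_t)pg);
    buf[ENTRY_OFF] = 0x55; buf[ENTRY_OFF + 1] = 0x8B; buf[ENTRY_OFF + 2] = 0xEC;
    if (fwrite(buf, 1, (size_t)pg, f) != (size_t)pg || fflush(f)) goto out;
    fd = fileno(f);

    /* Two private mappings: "process A" and "process B" both loading the same image. */
    a = mmap(NULL, (size_t)pg, PROT_READ, MAP_PRIVATE, fd, 0);
    b = mmap(NULL, (size_t)pg, PROT_READ, MAP_PRIVATE, fd, 0);
    if (a == MAP_FAILED || b == MAP_FAILED) { rc = -3; goto out; }

    /* Step 1 (VirtualProtect analog): make A's page writable. PROT_EXEC is deliberately
     * not requested so the demo also runs on noexec tmp mounts and W^X-enforcing kernels. */
    if (mprotect(a, (size_t)pg, PROT_READ | PROT_WRITE)) { rc = -4; goto out; }

    /* Step 2 (WriteProcessMemory analog): the first write faults the page in and gives A
     * a private copy; the self-jump EB FE goes into that copy only. */
    a[ENTRY_OFF] = 0xEB; a[ENTRY_OFF + 1] = 0xFE;

    /* Step 3: the file on disk and mapping B are unchanged; that is copy-on-write. */
    if (pread(fd, back, (size_t)pg, 0) != (ssize_t)pg) { rc = -5; goto out; }
    rc = (a[ENTRY_OFF] == 0xEB && a[ENTRY_OFF + 1] == 0xFE &&
          back[ENTRY_OFF] == 0x55 && b[ENTRY_OFF] == 0x55) ? 0 : -6;
out:
    if (a != MAP_FAILED) munmap(a, (size_t)pg);
    if (b != MAP_FAILED) munmap(b, (size_t)pg);
    if (f) fclose(f);
    free(buf); free(back);
    return rc;
}

int main(void)
{
    int rc = cow_patch_demo();
    printf("copy-on-write demo: %s (%d)\n", rc == 0 ? "ok" : "failed", rc);
    return rc == 0 ? 0 : 1;
}
```

This is the same reason a debugger's int 3 never reaches the executable on disk: the breakpoint lives in the debuggee's private copy of the page. It also means a kernel-side write of the kind the OP wants has to be made against the pages mapped in the target's address space, not against the file, and that an integrity check which hashes the on-disk image will not notice such a patch.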
  Message 15 of 35  
27 Dec 17 19:37
R0b0t1
xxxxxx@gmail.com
Join Date: 24 Mar 2017
Posts To This List: 85
Write Current Process Memory From Kernel

On Tue, Dec 26, 2017 at 8:59 AM, xxxxx@gmail.com <xxxxx@lists.osr.com> wrote:
> Sounds a bit like a procedure that could aid one in circumventing anti-piracy protection? Seriously though, what legitimate need do you have for what you're asking?

This train of thought is pointless. Get off your high horse. Computers are used for breaking the law, so why don't you chuck yours in a dumpster?
  Message 16 of 35  
27 Dec 17 20:27
Tim Roberts
xxxxxx@probo.com
Join Date: 28 Jan 2005
Posts To This List: 11894
Write Current Process Memory From Kernel

xxxxx@gmail.com wrote:
>> Sounds a bit like a procedure that could aid one in circumventing anti-piracy protection? Seriously though, what legitimate need do you have for what you're asking?
> This train of thought is pointless. Get off your high horse. Computers are used for breaking the law, so why don't you chuck yours in a dumpster?

Of course it's not pointless. What you say may be true, but the members of this mailing list do not intend to be accessories to the crime.

Tim Roberts, xxxxx@probo.com
Providenza & Boekelheide, Inc.
  Message 17 of 35  
27 Dec 17 21:33
R0b0t1
xxxxxx@gmail.com
Join Date: 24 Mar 2017
Posts To This List: 85
Write Current Process Memory From Kernel

On Wed, Dec 27, 2017 at 7:26 PM, xxxxx@probo.com <xxxxx@lists.osr.com> wrote:
> xxxxx@gmail.com wrote:
>>> Sounds a bit like a procedure that could aid one in circumventing anti-piracy protection? Seriously though, what legitimate need do you have for what you're asking?
>> This train of thought is pointless. Get off your high horse. Computers are used for breaking the law, so why don't you chuck yours in a dumpster?

If all you look for in the world is ugliness, then that is all you will find. If they would be accessories without knowing about the crime, then certainly you are an accessory to many crimes simply by virtue of using your computer?

I apologize leon.berlin101 and list, as I really did not mean to derail your thread. But I felt I should comment as this is part of the mindset that keeps Windows development closed to "outsiders." I experienced much the same thing when I took up an interest in locksmithing. My ability to be a thief does not hinge on my ability to pick a lock; I could simply kick the door in. Likewise, anyone's answer here is not going to change whether or not the OP actually does anything illegal.

I probably shouldn't have said anything since he was helped. Sorry.
  Message 18 of 35  
28 Dec 17 02:59
Leon Ber
xxxxxx@gmail.com
Join Date: 13 Dec 2017
Posts To This List: 17
Write Current Process Memory From Kernel

> ULONG fetch = *ptr;
> That will trigger a page fault. As long as you are at a passive IRQL, the memory manager will handle that page fault by reading the page from disk.

Well, Access violation. Running !vad resulted in this line among the others:

ffff8c09a062c830  4  400  5bd  17  Mapped  Exe  EXECUTE_WRITECOPY  \Program Files (x86)\HxD\HxD.exe

Base address is 0x400000. Only the first page of the image is loaded into memory, as follows:

kd>
00000000`00400f80  00000000 00000000 00000000 00000000  ................
00000000`00400f90  00000000 00000000 00000000 00000000  ................
00000000`00400fa0  00000000 00000000 00000000 00000000  ................
00000000`00400fb0  00000000 00000000 00000000 00000000  ................
00000000`00400fc0  00000000 00000000 00000000 00000000  ................
00000000`00400fd0  00000000 00000000 00000000 00000000  ................
00000000`00400fe0  00000000 00000000 00000000 00000000  ................
00000000`00400ff0  00000000 00000000 00000000 00000000  ................
kd>
00000000`00401000  ???????? ???????? ???????? ????????  ????????????????
00000000`00401010  ???????? ???????? ???????? ????????  ????????????????
00000000`00401020  ???????? ???????? ???????? ????????  ????????????????
00000000`00401030  ???????? ???????? ???????? ????????  ????????????????
00000000`00401040  ???????? ???????? ???????? ????????  ????????????????
00000000`00401050  ???????? ???????? ???????? ????????  ????????????????
00000000`00401060  ???????? ???????? ???????? ????????  ????????????????
00000000`00401070  ???????? ???????? ???????? ????????  ????????????????

The instruction in the driver:

    USHORT twoBytes = *(PUSHORT)EntryPointRawOffset;

resulted in an Access Violation. Any idea on how I can map the rest of the pages from the ThreadNotifyRoutineEx callback? (I'm in the called thread's context, using the Extended API.)

> No, it's not going to be documented. VirtualProtect calls NtProtectVirtualMemory/ZwProtectVirtualMemory, which you can also call, if you can figure out how.

Also, I guess that getting "ZwProtectVirtualMemory" using MmGetSystemRoutineAddress will do the job, if only I were able to solve the previous problem.

Thanks :)
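Two pieces of Leon's plan (Message 5: decide from the Optional Header whether the new image is 32-bit; Message 18: read the bytes at the entry point and replace them with an infinite loop) do not depend on any undocumented kernel API and can be worked out on a plain byte buffer. The block below is an added example, not code from the thread or from any poster. It parses the DOS header, PE signature, COFF header, Optional Header Magic (0x10B PE32, 0x20B PE32+) and AddressOfEntryPoint, walks the section table to turn the entry RVA into a raw offset, overwrites the first two entry bytes with EB FE (x86 `jmp $`, a two-byte self-jump) and keeps the original bytes so they can be restored once the inspector has attached. It works on the file layout; against an image mapped in the target's address space the RVA would be added to the image base instead of going through the section table. The image produced by build_test_pe() is constructed for the example, not a real binary.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

typedef struct { int is_pe32; uint32_t entry_rva; uint32_t entry_file_off; } pe_info_t;

/* Bounds-checked little-endian accessors: offsets taken from headers are untrusted. */
static int rd16(const uint8_t *p, size_t len, size_t off, uint16_t *v)
{ if (off > len || len - off < 2) return -1; *v = (uint16_t)(p[off] | (p[off + 1] << 8)); return 0; }
static int rd32(const uint8_t *p, size_t len, size_t off, uint32_t *v)
{ uint16_t lo, hi; if (rd16(p, len, off, &lo) || rd16(p, len, off + 2, &hi)) return -1;
  *v = (uint32_t)lo | ((uint32_t)hi << 16); return 0; }
static void wr16(uint8_t *p, size_t off, uint16_t v) { p[off] = (uint8_t)v; p[off + 1] = (uint8_t)(v >> 8); }
static void wr32(uint8_t *p, size_t off, uint32_t v) { wr16(p, off, (uint16_t)v); wr16(p, off + 2, (uint16_t)(v >> 16)); }

/* DOS header -> "PE\0\0" -> COFF header -> optional header (Magic, AddressOfEntryPoint)
 * -> section table, mapping the entry RVA to a raw file offset. is_pe32 is 1 for a
 * 32-bit image (Magic 0x10B) and 0 for PE32+ (0x20B). A negative return means malformed. */
int pe_locate_entry(const uint8_t *img, size_t len, pe_info_t *out)
{
    uint16_t mz, nsect, optsz, magic; uint32_t lfanew, sig, ep; size_t coff, opt, sect;
    if (rd16(img, len, 0, &mz) || mz != 0x5A4D) return -1;            /* "MZ" */
    if (rd32(img, len, 0x3C, &lfanew)) return -2;                     /* e_lfanew */
    if (rd32(img, len, lfanew, &sig) || sig != 0x00004550) return -3; /* "PE\0\0" */
    coff = (size_t)lfanew + 4;
    if (rd16(img, len, coff + 2, &nsect) || rd16(img, len, coff + 16, &optsz)) return -4;
    opt = coff + 20;
    if (rd16(img, len, opt, &magic) || rd32(img, len, opt + 16, &ep)) return -5;
    if (magic == 0x10B) out->is_pe32 = 1; else if (magic == 0x20B) out->is_pe32 = 0; else return -6;
    out->entry_rva = ep;
    sect = opt + optsz;                                /* 40-byte IMAGE_SECTION_HEADER entries */
    for (uint16_t i = 0; i < nsect; i++, sect += 40) {
        uint32_t va, rawsz, rawptr;
        if (rd32(img, len, sect + 12, &va) || rd32(img, len, sect + 16, &rawsz) ||
            rd32(img, len, sect + 20, &rawptr)) return -7;
        if (ep >= va && ep - va < rawsz) { out->entry_file_off = rawptr + (ep - va); return 0; }
    }
    return -8;                                         /* entry not backed by any section's raw data */
}

/* The two entry-point bytes, or NULL if the image is bad or the entry is outside the buffer. */
static uint8_t *entry_bytes(uint8_t *img, size_t len)
{
    pe_info_t info;
    if (pe_locate_entry(img, len, &info)) return NULL;
    if (info.entry_file_off > len || len - info.entry_file_off < 2) return NULL;
    return img + info.entry_file_off;
}

/* Overwrite the entry with EB FE (jmp rel8, displacement -2: the jump targets itself),
 * saving the original two bytes so they can be put back before the thread is resumed. */
int pe_patch_entry_loop(uint8_t *img, size_t len, uint8_t saved[2])
{
    uint8_t *e = entry_bytes(img, len);
    if (!e) return -1;
    memcpy(saved, e, 2); e[0] = 0xEB; e[1] = 0xFE;
    return 0;
}

int pe_restore_entry(uint8_t *img, size_t len, const uint8_t saved[2])
{
    uint8_t *e = entry_bytes(img, len);
    if (!e) return -1;
    memcpy(e, saved, 2);
    return 0;
}

/* Constructed test image (not a real binary): PE header at 0x40, one ".text" section at
 * file offset 0x200 / RVA 0x1000, entry point 0x10 bytes into it holding a typical 32-bit
 * prologue (push ebp; mov ebp, esp). Returns the image size, or 0 if cap is too small. */
size_t build_test_pe(uint8_t *buf, size_t cap, int pe32plus)
{
    const size_t lfanew = 0x40, coff = lfanew + 4, opt = coff + 20, text_off = 0x200, text_sz = 0x200;
    const uint16_t optsz = pe32plus ? 240 : 224;      /* standard PE32+ / PE32 optional header sizes */
    const size_t sect = opt + optsz, total = text_off + text_sz;
    if (cap < total) return 0;
    memset(buf, 0, total);
    buf[0] = 'M'; buf[1] = 'Z';                wr32(buf, 0x3C, (uint32_t)lfanew);
    wr32(buf, lfanew, 0x00004550);             wr16(buf, coff, pe32plus ? 0x8664 : 0x014C); /* Machine */
    wr16(buf, coff + 2, 1);                    wr16(buf, coff + 16, optsz);
    wr16(buf, opt, pe32plus ? 0x20B : 0x10B);  wr32(buf, opt + 16, 0x1000 + 0x10);          /* entry RVA */
    memcpy(buf + sect, ".text", 5);            wr32(buf, sect + 8, (uint32_t)text_sz);      /* VirtualSize */
    wr32(buf, sect + 12, 0x1000);              wr32(buf, sect + 16, (uint32_t)text_sz);     /* SizeOfRawData */
    wr32(buf, sect + 20, (uint32_t)text_off);  /* PointerToRawData */
    buf[text_off + 0x10] = 0x55; buf[text_off + 0x11] = 0x8B; buf[text_off + 0x12] = 0xEC;
    return total;
}

/* Build, patch, confirm EB FE landed, restore, confirm the prologue is back.
 * Returns the entry file offset (0x210 for the constructed image) or a negative code. */
long demo_roundtrip(int pe32plus)
{
    uint8_t img[1024], saved[2]; pe_info_t info;
    size_t n = build_test_pe(img, sizeof img, pe32plus);
    if (!n || pe_locate_entry(img, n, &info) || info.is_pe32 != !pe32plus) return -1;
    if (pe_patch_entry_loop(img, n, saved) || img[info.entry_file_off] != 0xEB ||
        img[info.entry_file_off + 1] != 0xFE) return -2;
    if (pe_restore_entry(img, n, saved) || img[info.entry_file_off] != 0x55) return -3;
    return (long)info.entry_file_off;
}

int main(void) { return demo_roundtrip(0) == 0x210 && demo_roundtrip(1) == 0x210 ? 0 : 1; }
```

What the thread's replies add and this code does not do: in the thread-notify callback the page holding the entry point may not be resident yet (the access violation in this message), so a kernel-side write has to touch the page at passive IRQL first (Tim's `ULONG fetch = *ptr;`) and must go to the target's mapped pages, which are copy-on-write; and the saved two bytes have to be written back before the inspected thread is allowed past the loop, or it executes the wrong prologue.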
  Message 19 of 35  
28 Dec 17 13:19
Tim Roberts
xxxxxx@probo.com
Join Date: 28 Jan 2005
Posts To This List: 11894
Write Current Process Memory From Kernel

xxxxx@gmail.com wrote:
> On Wed, Dec 27, 2017 at 7:26 PM, xxxxx@probo.com <xxxxx@lists.osr.com> wrote:
>> Of course it's not pointless. What you say may be true, but the members of this mailing list do not intend to be accessories to the crime.
> If they would be accessories without knowing about the crime, then certainly you are an accessory to many crimes simply by virtue of using your computer?

No, that's stupid, as you well know.

The major contributors to this list are all professional driver developers and trainers with decades of computing experience. This is our living, our passion, our reputation. We have all wasted countless hours dealing with infections and rootkits, and it pisses us off. Most of us have a pretty good understanding of how these things are implemented. Because of that, we have learned to recognize lines of questioning that arise from nefarious intent.

Are there places on the internet where you can learn the criminal skills? Sure there are, but most of them are deeply technical and difficult to understand. If you come here asking for help in honing those skills, we're going to refuse. If you went to a locksmith and said "I need help breaking into the vault at US Bank", that locksmith is going to refuse to help you. If you went to Home Depot and said "I need help disabling the electrical grid near me", the crew is going to refuse to help you. This is exactly the same.

> But I felt I should comment as this is part of the mindset that keeps Windows development closed to "outsiders."

Nonsense, and I have two opposing responses to that.

Windows development is not closed to outsiders. There are billions of Windows computers in the world, all of them running applications of all kinds and all levels of sophistication. The Windows development landscape is wide, varied, and well-documented.

Now, the situation is a bit different when you talk about Windows internal development, and that's true for a damned good reason.

Windows is not a playground. It used to be, decades ago. I disassembled and single stepped through Windows 3.1 extensively enough that I actually understood what it was doing, and that meant I could tweak it to make it stand up and bark. But today, Windows is an industrial-strength operating system. It is mission-critical in the business world. We don't want experimenters and hobbyists poking around in the ugly underside, destabilizing the infrastructure. That time has passed. If you want to do that, go load Linux.

So, yes, the barriers to entry have been raised, at least at the kernel level. And that's a Good Thing.

> I experienced much the same thing when I took up an interest in locksmithing. My ability to be a thief does not hinge on my ability to pick a lock; I could simply kick the door in.

True, but that's a lot easier to detect, and a lot more dangerous for you. The locksmith didn't want to make it easy for you. Same here.

> Likewise, anyone's answer here is not going to change whether or not the OP actually does anything illegal.

Maybe not, but it can keep the honest man honest. If we don't help them, the hobbyist script kiddie is going to get frustrated and go find something else to do.

Tim Roberts, xxxxx@probo.com
Providenza & Boekelheide, Inc.
  Message 20 of 35  
30 Dec 17 03:54
Gabriel Bercea
xxxxxx@gmail.com
Join Date: 03 Mar 2008
Posts To This List: 133
Write Current Process Memory From Kernel

There is (almost) no security product of any kind you cannot write now with the provided MSFT infrastructure for filtering and the respective documentation. There is a reason what you are trying to do is dangerous and instead of resisting you would be better off understanding why. Going through this process of learning why will not only suppress some of the ignorance, but will give you actual good ideas of how to implement the next best security product in Windows.

Good luck,
Gabriel
www.kasardia.com
  Message 21 of 35  
30 Dec 17 12:59
wd
xxxxxx@gmail.com
Join Date: 26 Jan 2015
Posts To This List: 18
Write Current Process Memory From Kernel

Oh yeah? I bet my high horse could beat up your low horse any day!
  Message 22 of 35  
01 Jan 18 08:06
Iolanda Milani
xxxxxx@gmail.com
Join Date: 31 Dec 2017
Posts To This List: 17
Write Current Process Memory From Kernel

For an NtWriteVirtualMemory alternative, you can use KeStackAttachProcess to attach to a process and then use memcpy, or you can use MmCopyVirtualMemory. Remember to detach with KeUnstackDetachProcess if you use the former method.

For an NtProtectVirtualMemory solution, simply find the address with the System Service Descriptor Table. Note it won't be 100% "stable" for 64-bit environments but it can easily be found on 64-bit environments (where the kernel does not export it) for Windows 7 - Windows 10 without a code-base change. Simply find the address of KiSystemCall64, then find KiSystemServiceRepeat, and then extract the address (it is referenced by KiSystemServiceRepeat). IA32_LSTAR points to KiSystemCall64 so it is a simple task.

May I ask, why not just have a Windows Service call NtProtectVirtualMemory for you? You can even pass down the HANDLE from kernel-mode as long as it isn't a kernel-mode only handle. This would be a lot more stable and reliable.

I've been using NtWriteVirtualMemory and NtProtectVirtualMemory for educational purposes in kernel-mode through testing for many years now and it has always been just as reliable as in user-mode for me, but that doesn't mean it is a "good" thing to do. It isn't my job to care if you are taking a bad approach or not. You're a programmer, and you are in charge of your own project. You asked a question and I answered it; whether you should re-assess your options is down to you - I personally think you should.

However, let me make one thing very clear... If you start messing with the System Service Descriptor Table (especially for 64-bit systems) and go down a path of unstable, undocumented and officially unsupported mechanisms, you're going to land yourself in a heap of trouble when the time comes, and it could be anything from losing customers over bug-checking their systems after a Windows patch update, to not understanding how to update something efficiently or properly.
  Message 23 of 35  
02 Jan 18 07:07
Aleh Kazakevich
xxxxxx@mail.ru
Join Date: 27 Jul 2015
Posts To This List: 53
Write Current Process Memory From Kernel

Keep in mind that Windows 8.1 and later have new code integrity policies that prohibit the use of dynamic memory. For example, ZwAllocateVirtualMemory and ZwProtectVirtualMemory may return the error 0xC0000604 (STATUS_DYNAMIC_CODE_BLOCKED) if the corresponding policy was enabled for a process. See SetProcessMitigationPolicy for more information. By default, this policy is enabled for services.exe, smss.exe and some other system processes.
  Message 24 of 35  
02 Jan 18 10:47
Iolanda Milani
xxxxxx@gmail.com
Join Date: 31 Dec 2017
Posts To This List: 17
Write Current Process Memory From Kernel

Aleh is correct, there is indeed a new protection mechanism and it's related to the security policies for processes; it has actually existed for a very long time, however it was not documented or available via a documented interface. SetProcessMitigationPolicy will call NtSetInformationProcess, and the NtSetInformationProcess call for changing the policy information will change data under the KPROCESS kernel-mode structure for the desired process. However, features such as enabling Data Execution Prevention (DEP) on-the-go cannot be done "permanently" from user-mode via NtSetInformationProcess I believe, but can from kernel-mode. Of course, modifying the KPROCESS structure (or even accessing it for that matter) would be highly unstable and unrecommended since it's an opaque structure and the offsets regularly change.

Google have been using NtSetInformationProcess since Windows 7 to enforce features like DEP if it wasn't already enabled (even though they compile with it enabled and their 64-bit compilation will always have it enabled of course due to 64-bit security benefits with the 64-bit Windows Kernel).

You can still inject a DLL just fine though as long as it doesn't require a manual map shell-code loader (which would require additional memory to be executable and done remotely - and thus blocked - whereas standard DLL injection methods via remote thread creation, handle hijacking or APC with routines like LoadLibraryA/W would not require you to change the protection of memory, nor allocate memory with execute flags but only read/write).
  Message 25 of 35  
02 Jan 18 10:52
Iolanda Milani
xxxxxx@gmail.com
Join Date: 31 Dec 2017
Posts To This List: 17
Write Current Process Memory From Kernel

I'd like to just quickly add that services.exe, smss.exe, csrss.exe and a few others are all protected processes by default since Windows 8. Therefore, attempting to attack them with or without security policies would be a waste of time. Even from kernel-mode, it is not so straightforward like a call to ZwOpenProcess; that simply won't be enough to get a handle to such processes, and those processes don't have user32.dll loaded/a UI at all so there's less exploitation attack vectors available. You'd have to either go deep enough to bypass the checks for the process protection status built in to the Windows Kernel, or patch the KPROCESS structure so the Windows Kernel doesn't believe the process is actually protected.

There's also Protected Process Light; of course it can be beaten, but none of these activities are documented, stable nor reliable and should especially not be used in a professional environment because data corruption from a BSOD can cause many issues.

To be honest, I am glad Microsoft made these processes protected. It strengthens the OS environment a bit against malicious software. Sadly they left lsass.exe unprotected at default configuration (it can be enabled for process protection via a registry hack) and svchost.exe can be exploited the same way lsass.exe can (to obtain process handles, because lsass.exe and svchost.exe have opened handles by default - prevents passing through kernel-mode callbacks or triggering hooks) but maybe they will change that some day by default, which would be good.
  Message 26 of 35  
02 Jan 18 16:36
Leon Ber
xxxxxx@gmail.com
Join Date: 13 Dec 2017
Posts To This List: 17
Write Current Process Memory From Kernel

A few points on the last comments:

- KeAttachStack will throw a BSOD if run inside the PsSetThreadCreateNotifyRoutine's routine.
- I don't mind if the driver is stable in other versions of Windows. In fact, I take in the assumption it runs only under Windows 10, so even manipulating the E/K-PROCESS/THREAD is "ok" for me.

Now I'm stuck at a point where I've allocated a user-mode buffer, which is RWX, and wrote my infinite loop there. What I want to do now is to set the thread to start running at the allocated address.

* Changing the entry point inside the PE header didn't work.
* Changing Win32StartAddress inside the ETHREAD structure didn't work.

Any clues on how I can do it? All I want is for the thread to run my code (the infinite loop) when I return from the Notify Routine callback.

Thanks
  Message 27 of 35  
02 Jan 18 16:53
Don Burn
xxxxxx@windrvr.com
Join Date: 23 Feb 2011
Posts To This List: 1405
Write Current Process Memory From Kernel

> manipulating the E/K-PROCESS/THREAD - is "ok" for me

Well it should not be; in multiple other versions of Windows those structures have changed with Windows Update or Service Packs. When you consider that Windows 10 is supposed to be the version for a very long time, your plan is very stupid.

Don Burn
Windows Driver Consulting
Website: http://www.windrvr.com
  Message 28 of 35  
02 Jan 18 16:58
Leon Ber
xxxxxx@gmail.com
Join Date: 13 Dec 2017
Posts To This List: 17
Write Current Process Memory From Kernel

> When you consider that Windows 10 is supposed to be the version for a very long time, your plans is very stupid.

Like I said before, it's a university project, not a product. As far as I know, these structures usually change between different NT versions (mostly); I can be more strict and assume that it's a specific build of Windows 10.

Another important note: I do this stuff on a 64-bit OS but only for 32-bit processes (therefore I looked for Win32StartAddress previously).
  Message 29 of 35  
02 Jan 18 17:15
Don Burn
xxxxxx@windrvr.com
Join Date: 23 Feb 2011
Posts To This List: 1405
Write Current Process Memory From Kernel

The thing about CRAPPY UNIVERSITY PROJECTS LIKE YOURS is that some idiot takes it as an example of how to do things, and goes running off to try to make a product. I've had multiple queries for consults with startups which told me "we just have a little problem" when in reality they took someone's piece of junk project and based their whole product on it. Things don't go well when I suggest they throw everything out and start over.

Don Burn
Windows Driver Consulting
Website: http://www.windrvr.com
  Message 30 of 35  
02 Jan 18 18:42
Iolanda Milani
xxxxxx@gmail.com
Join Date: 31 Dec 2017
Posts To This List: 17
Write Current Process Memory From Kernel

> "Like I said before, its a university project"

University is there for people to study (learn more) and gain experience. You say you are working on a 'malware protection system (sort of)', but you aren't going to gain much useful experience for such a project if you're developing buggy, unstable and extremely unreliable source code, or using the same from someone else.

I doubt your University would ask you to do what you are trying to do, because it is a bit silly. Try coming up with a project idea which can be followed properly and help you learn skills for a professional environment, such as taking a good and documented/stable approach. That will help you a lot... Trying to put the main thread of a newly starting process in a never-ending infinite loop is beyond stupid.
  Message 31 of 35  
02 Jan 18 18:49
Tim Roberts
xxxxxx@probo.com
Join Date: 28 Jan 2005
Posts To This List: 11894
Write Current Process Memory From Kernel

xxxxx@gmail.com wrote:

> Now I'm stuck in a point where I've allocated UserMode buffer, which is RWX, and wrote there my infinite loop. What I want to do now is to set the thread to start running in the allocated address.
> * Changing entry point inside PE header didn't work.
> * Changing Win32StartAddress inside ETHREAD structure didn't work.
>
> Any clues on how can I do it? All I want is for the thread to run my code (the infinite loop) when I return from the Notify Routine callback.

It's possible the nascent thread's register state has already been set up in a CONTEXT structure. Have you traced the stack all the way back to user mode?

--
Tim Roberts, xxxxx@probo.com
Providenza & Boekelheide, Inc.
  Message 32 of 35  
05 Jan 18 13:36
Gabriel Bercea
xxxxxx@gmail.com
Join Date: 03 Mar 2008
Posts To This List: 133
Write Current Process Memory From Kernel

I would bet everything that this is not a university project :) I graduated from a university where we did Windows kernel work. There were no such nonsense tasks. In University you learn operating system basics and filesystem basics, not much beyond that. We also did the Windows Research Kernel from Microsoft, which is anything but this.

I'm surprised this thread hasn't died yet. This is obvious malware. You may not be aware that it is, I give you that at most, but it is.

Gabriel
www.kasardia.com
  Message 33 of 35  
05 Jan 18 13:46
Leon Ber
xxxxxx@gmail.com
Join Date: 13 Dec 2017
Posts To This List: 17
Write Current Process Memory From Kernel

> I would bet everything that is not a university project :) I graduated a university where we did Windows kernel. There were no such nonsense tasks. In University you learn operating system basics and filesystem basics not much beyond that. We also did Windows research kernel part of Microsoft which is anything but this. I'm surprised this thread hasn't died yet here. This is obvious malware. You may not be aware that it is, I give you that at most, but it is.

More than happy to answer this one :)

I'm a fourth year software engineering student, and my final project (for the diploma, not for a specific course) is a system which monitors "Untrusted Processes" and treats them in a supervised environment as needed (some kind of "catching any untrusted (== not whitelisted) process and opening it under our special sandbox"). By special sandbox, I mean it's different from any other open-source sandbox solution, therefore we require a driver which catches these processes for us.

I answered this before, but many people skip some of the comments. What I do is catch any new process and prevent it from running its code until I attach to it as a debugger. How? Well, I can't put it on suspend for some reason, so I write an infinite loop at its beginning. After I attach to it, everything is back to normal.
  Message 34 of 35  
05 Jan 18 14:24
Gabriel Bercea
xxxxxx@gmail.com
Join Date: 03 Mar 2008
Posts To This List: 133
Write Current Process Memory From Kernel

It's good that you put quotes around "untrusted process". You might first want to identify WHAT your criteria for a process to be untrusted are. Ask yourself that. In order to do this you might want to analyze it before it begins execution, as a file. Why wait for it to become a process? At the execution stage you should already "know" if your to-be process is trusted or not.

So instead of focusing on doing all the undocumented and not recommended strategies in the book, you should focus on looking at your problem in a different way. One that is documented. The undocumented methods and structures are undocumented for a reason, and that reason is not to piss off developers and make their lives miserable. That's why you have registry callbacks, the minifilter model, Ob callbacks, NDIS, WFP, process/thread/module callbacks and many, many other callback models and documented ways to change the OS behavior in a way that is consistent with the OS. It's like you want to implement filesystem encryption functionality and instead of using a minifilter you try to hook NTFS's reads/writes and do your dirty work there. Not OK.

So, what is an "untrusted process"? Is it the same as an untrusted executable file? Is it a combination of untrusted source process and target executable file? Is it more? Answer all these questions and there will be answers where your implementation will not have to depend on hacks.

Gabriel
www.kasardia.com
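The documented route suggested above, deciding on the image file before its main thread exists rather than patching the thread afterwards, as an added example that is not code from any poster: a PsSetCreateProcessNotifyRoutineEx callback that sets CreationStatus for images not on an allow-list. The allow-list paths, IsImageAllowed and the BUILD_AS_DRIVER macro are assumptions; the matcher is plain C so it can be unit-tested in user mode, while the WDK part only compiles in a driver build.

```c
/* Added example, not from the thread: allow-list decision for a documented
 * process-creation callback. Plain-C matcher (unit-testable in user mode);
 * the WDK part is under BUILD_AS_DRIVER, an assumed build macro. */
#include <wchar.h>
#include <wctype.h>

/* Constructed allow-list: native image paths that may run unsupervised. */
static const wchar_t *const kAllowedImages[] = {
    L"\\Device\\HarddiskVolume2\\Windows\\System32\\notepad.exe",
    L"\\Device\\HarddiskVolume2\\Program Files\\Trusted\\agent.exe",
};

/* Case-insensitive comparison of two NUL-terminated wide strings. */
static int WideEqualsIgnoreCase(const wchar_t *a, const wchar_t *b)
{
    for (; *a && *b; ++a, ++b)
        if (towlower(*a) != towlower(*b)) return 0;
    return *a == *b;
}

/* 1 if the whole image path is allow-listed, else 0. Takes (buffer, length in
 * wchar_t) because a UNICODE_STRING is not NUL-terminated; empty or over-long
 * names are treated as untrusted. */
int IsImageAllowed(const wchar_t *image, size_t lengthChars)
{
    wchar_t path[512];
    if (image == NULL || lengthChars == 0 ||
        lengthChars >= sizeof(path) / sizeof(path[0]))
        return 0;
    wmemcpy(path, image, lengthChars);
    path[lengthChars] = L'\0';
    for (size_t i = 0; i < sizeof(kAllowedImages) / sizeof(kAllowedImages[0]); ++i)
        if (WideEqualsIgnoreCase(path, kAllowedImages[i])) return 1;
    return 0;
}
#ifdef BUILD_AS_DRIVER
#include <ntddk.h>
/* Deny a non-allow-listed image before its main thread exists, instead of
 * patching the thread's code afterwards. */
static void CreateProcessNotifyEx(PEPROCESS Process, HANDLE ProcessId,
                                  PPS_CREATE_NOTIFY_INFO CreateInfo)
{
    UNREFERENCED_PARAMETER(Process); UNREFERENCED_PARAMETER(ProcessId);
    if (CreateInfo == NULL) return;         /* process exit: nothing to decide */
    if (CreateInfo->ImageFileName == NULL ||
        !IsImageAllowed(CreateInfo->ImageFileName->Buffer,
                        CreateInfo->ImageFileName->Length / sizeof(WCHAR)))
        CreateInfo->CreationStatus = STATUS_ACCESS_DENIED;
}
/* DriverEntry: PsSetCreateProcessNotifyRoutineEx(CreateProcessNotifyEx, FALSE); link with /INTEGRITYCHECK. */
#endif
```

The denied CreateProcess call fails in the parent with the chosen status, so the untrusted image never gets a thread to suspend or patch.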
  Message 35 of 35  
05 Jan 18 15:47
Leon Ber
xxxxxx@gmail.com
Join Date: 13 Dec 2017
Posts To This List: 17
Write Current Process Memory From Kernel

Well, any 32-bit process which is not whitelisted is an "untrusted" one for me. My project is a prevention system for malware, during execution. My grade for this doesn't take into account whether this is a good security design, if this is a "smart" plan or any of this stuff. It's a university project, not a business product. My driver is not going to be signed or proceed further than the university bounds. If the project succeeds, maybe I'll post all the code for the project on GitHub or something for educational purposes.

I DO understand your concerns though, because all of my intentions and "playing around with the kernel" could easily be circumvented to malicious purposes, but in today's world, I mean, what couldn't? Just as any simple pen could be used for stabbing, any piece of code could be used for malicious purposes.

Anyway, back to technical. I managed to catch any new process, and for each 32-bit process I replace the main code with an infinite loop (if someone knows how to suspend it inside PsSetCreateThreadNotifyRoutineEx's routine, and it worked for them, I'll be more than happy to know and change my code :) ). I get all the new PIDs into an array and synchronize it with a UM "Manager process". The synchronization is simply done by setting an event; the Manager asks for the newly created PIDs and for more info. (I use an array of PIDs because more than one process may be created during this period of setting the event -> getting the PIDs.)

I DO have synchronization problems right now (between the cores and between user and kernel space), so until they are solved I'll be glad to post more problems here and get the help I need.

Thank you all very much! :)
Copyright ©2015, OSR Open Systems Resources, Inc.