I'm trying create child process without getting PROCESS_VM_WRITE rights to parent that way:
Using kernel driver with ObRegisterCallbacks I remove PROCESS_VM_WRITE access when parent try to get handle of starting child process:
In parent process I use CreateProcess function to start child process, but it fails with error that I'm not having rights.
I'm also tried to use RtlCreateUserProcess and this succeed, but as you may know process now running without subsystem and it doesn't work properly.
So for all these reasons I have three questions:
Maybe it is possible to use some ntdll.dll function which will create process properly without writing in child memory?
Maybe it is possible to hook some Nt functions and elevate all write requests during process creating to my kernel driver? If yes, what functions do I need to hook? I hooked NtWriteVirtualMemory, but ntdll.dll checks access right before call it
Maybe it is possible to finish proper process creating myself after using RtlCreateUserProcess? If yes, what function I need to use?
Not getting memory access to parent process is very critical for me as I need to protect child memory from all UserMode tricks, ObRegisterCallback is good for it, but parent process (launcher) is a big hole.
Maybe it is possible to hook some Nt functions and elevate all write requests during process creating to my kernel driver? If yes, what
functions do I need to hook? I hooked NtWriteVirtualMemory, but ntdll.dll
checks access right before call it
Yes, that's all you need to do. Hook NtWriteVirtualMemory, which is called from CreateProcessInternalW. This avoids STATUS_ACCESS_DENIED and in this case all will work.
ntdll.dll checks access right before call it
You're mistaken - nothing like this happens.
In ObjectPreCallback are you checking that the request is from your parent process and removing PROCESS_VM_WRITE only if it is? During process creation CsrClientCallServer is called, and as result csrss.exe also opens a child process. Are you sure that you're not removing PROCESS_VM_WRITE here?
Of course its also possible use RtlCreateUserProcess, but in this case you will be need connect to csrss by yourself and use undocumented and probably unstable interfaces. I think this is not the best way, but it is possible.
And no there isn't another ntdll API for creating processes with csrss connected.
Related
I am trying to figure out who killed my process from taskmanager. Since taskmanager uses TerminateProcess and to Terminate a process remotely, it opens a Process Handle first.
So I am trying to look for UserMode ways to get a notification when a remote process tries to open a handle to my process.
I am aware there are possible solutions for this from Kernel mode using Driver Callbacks etc. But currently I am looking for User Mode possible solutions
I am trying to figure out who killed my process.
There is no official way to do that.
I am trying to look for UserMode ways to get a notification when a remote process tries to open a handle to my process.
There is no such notification in user mode.
The only way I can think of doing this is to use SetWindowsHookEx() to globally inject a custom DLL into every running process, and then you can have that DLL manually hook OpenProcess() directly, such as with a detour.
The hook can then compare the function's dwProcessId parameter value against your app's current process ID, which you can store in a block of globally shared memory while your app is running, such as via CreateFileMapping()+MapViewOfFile() (see Sharing Files and Memory and Creating Named Shared Memory).
So, I wrote a program which is able to successfully read memory from most of processes using VirtualQueryEx. However, I've come across a process for which this function fails. It's not a system process, just a game process. Without Debug privileges I couldn't even open the process's handle. With them I am able to get the process's handle but still get access denied for VirtualQueryEx.
I'm not sure but maybe the process is private? If that's the case, what should I do to successfully use VirtualQueryEx function?
I've also read somewhere that I might have to suspend whole process's threads before running VirtualQueryEx, but so far I didn't need that... And when I used function Thread32First to get the first thread it gave me an error: ERROR_BAD_LENGTH...
I would be very grateful for any help in this matter!
How are you opening the process handle? From the doc:
The handle must have been opened with the PROCESS_QUERY_INFORMATION
access right, which enables using the handle to read information from
the process object.
Another possibility is that the target process and your process are different bitness (32 vs 64). In that case you either need to use MEMORY_BASIC_INFORMATION32 or something like VirtualQueryEx64 from wow64ext library.
I am developing an windows application.
what I want is to prevent this application running multiple in single OS.
(e.g. we can run multiple instance of notepad.exe, calc.exe at the same time... but I don't want this)
what is the most effective way to implement this?(preventing multiple instance of process running at same time)
I'd rather not use methods like checking process names or sharing some global file as a signal... since it is too easy to circumvent
thank you in advance
This is typically done with mutexs. When your process launches you call CreateMutex and check the return value. If it succeeded then this is the first launch, otherwise there is another instance of your process alive. Your mutex should be in the Global\ namespace. Also make sure to ReleaseMutex when your program finishes running.
What framework are you using? I'm assuming it's .Net? Here's a post from an msdn foum on the same thing.
http://social.msdn.microsoft.com/Forums/en-US/winforms/thread/3e139912-45ea-432e-b9e0-e03640c07c9f/
You mentioned you don't want to check current process names or use a global file.
Lock the current executable
.NET example code:
System.IO.File.Open(
System.Diagnostics.Process.GetCurrentProcess().MainModule.FileName,
System.IO.FileMode.Open,
System.IO.FileAccess.Read,
System.IO.FileShare.None);
The FileShare.None keeps any other process (like Windows Explorer) from executing the file until the app closes or the file handle (returned object) is explicitly closed.
Global Mutex
http://msdn.microsoft.com/en-us/library/windows/desktop/ms682411%28v=vs.85%29.aspx
If the mutex is a named mutex and the object existed before this
function call, the return value is a handle to the existing object,
GetLastError returns ERROR_ALREADY_EXISTS, bInitialOwner is ignored,
and the calling thread is not granted ownership. However, if the
caller has limited access rights, the function will fail with
ERROR_ACCESS_DENIED and the caller should use the OpenMutex function.
Global mutex is the easiest way. To clarify another answer you don't just check the return value you check the GetLastError value as well.
i would like to systemwide hook CreateProcessEx
it is redirects all windows calls into my wrapper function
where I will log names to textfile then call oruginal CreateProcessEx
Can it be easy and safely done ?
I would like hook all systemwide calls to it but not etternaly
for some period of time only.. How to do it?
If I will find the adress of this api call in ram then overvrite
it with call to my procedure, how then I will call the oryginal
function if there it is somewhat corrupted?
Hooking CreateProcess is the wrong approach for a few reasons. There is an approved mechanism for doing this sort of thing but you need a driver to be loaded. Your driver can then simply leverage the PsSetCreateProcessNotifyRoutine function.
With that said, would your needs not be served by using the auditing functionality built into Windows? Turning on process creation auditing will cause the system to write an event log entry whenever a process is created, detailing plenty of information about the process being started, including the image path.
CreateProcessEx() is a user-mode function. You have to patch it on a per-process basis. That means creating a DLL that is injected into every running process, such as by using SetWindowsHookEx() or the HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs Registry key, and then have that DLL patch the PE Imports table of every process it is loaded into.
I just realized that it is NOT possible to Suspend/Resume/Terminate a thread OUTSIDE its own application (address space?!) if you know the right ThreadHandle Value for it... As far as I guess you will not be able to use WaitForSingleObject either.
However I see that ProcessExplorer is able to Suspend/Resume/Terminate every thread of each process. So I was wondering if there is a method to Inherit a ThreadHandle from a different Process.
If you can get the handle of the originating process, you can use DuplicateHandle() to create a handle to any kernel object within that process that you have access to.