Can anybody tell me how can i hook from kernel driver function only for single process. For example ZwQueryInformationProcess.
Thanks!
You can't do that in windows kernel. ZwXXX functions of ntoskrnl are native APIs. They are global common functions. All processes in user mode are using one copy of the function. There is no copy-on-write or something else in kernel.
You can implement this by using this way:
hook ZwQueryInformationProcess of ntdll.dll of special process in
user mode.
Add a filter in your hook function in kernel mode. If
current process context is not what you wanted. Pass through it.
That's all.
Thanks.
Related
Do we have mechanism to invoke functions defined in ebpf/xdp from kernel.
callbacks or RPC(Remote procedural calls) from kernel.
In my current project, we need to invoke ebpf/xdp functions from kernel functionality.
Please let me know, is there mechanism exists. any ideas/pointers how to go about.
Thanks in advance!
I have implemented xdp ebpf helper functions to communicate from xdp to kernel. It is successful and working fine.
Now i need to do communicate from kernel to xdp as per project requirement.
Thanks
As the title says, how is this possible? Basically I want to intercept calls from NetShareEnum function same way as one would intercept calls to ReadDirectoryChangesW via IRP_MJ_DIRECTORY_CONTROL pre/post routines. Is filesystem minifilter enough for the task? Is there a major/minor function to register pre/post callbacks?
NetShareEnum is not file system operation.
I think it's impossible with file system minifilter driver.
I'm working on a way to hook any API call to perform some verification on the function. (I'm creating a SandBox)
The first way that I think about, is with register key, and implement our own dll into MicrosoftNT to be able to redirect any defined syscall. https://www.apriorit.com/dev-blog/160-apihooks .
Problem? only work on 32 bit, and if the binarie is loading User32.dll, so it's abig issue.
The second way is to inject a dll into a process? Simple but impossible, most program is defended from those injection, so it's not possible.
The last way that I think was to modify the SSDT to change the function address by mine and redirect to the original by creating a driver. Or by InlineHook and just modify the first byte of each address that I want.
The Problem, only working on 32 bit, because windows add a PatchGuard on the Kernel, so we can't do that.
We can delete de PatchGuard but, anticheat will notice the technique.
For the Sandbox I think it won't be a problem to delete a PatchGuard.
The main problem is for real time analysis, I have no more idea how I can do to hook every API call that I want, on any windows OS. I mean on 32 and 62 bit.
I'm a beginner in this domain I started this week so I'm open to any suggestion.
You say you want to hook every API call for a sandbox but then reference the SSDT? Those are two very different things. Do you want to hook VirtualQuery(Ex) or do you want to hook NtQueryVirtualMemory? From kernel or user mode? Or maybe you're referring to all loaded module exports as well as kernel system services?
WinApi
Iterate all loaded modules as well as installing an event to hook all future modules loaded. For each one you will iterate all exports and apply a hook of your preference which all jump to some handler. This handler should be raw assembly that preserves the CPU state, calls some method that does the logging and filtering, restores CPU state, before finally jumping to the original.
Syscalls
Disable Patchguard and apply hooks to every method in the service table similar to the WinApi method described above. This is definitely not suitable for production for obvious reasons.
Use an instrumentation callback which uses ZwSetInformationProcess to redirect most syscalls to an arbitrary assembly block. You can extract the syscall id here as well as parameters. Universal support is an issue though as it wasn't introduced until W7 iirc and you have a lot of limitations prior to W10.
Map a wrapper module that has a hook for every syscall into each newly loaded process from kernel. These hooks will apply to ntdll and simply invoke an NtDeviceIoControlFile call with the syscall id and arguments, forwarding it to your kernel driver for processing. This is commonly employed by antivirus software to monitor user mode system calls without disrupting Patchguard.
The most approved method would probably be callbacks. You can register process and thread callbacks in kernel, stripping handle access at your leisure. This will give you full control over process and thread access from external processes, and you can add a file minfilter to similarly restrict access to the file system.
It's simple and straightforward in user mode because of those APIs.
How do you read/write specified process's userspace memory from a windows kernel module?
driver target platform is windows xp/2003
Use NtWriteVirtualMemory / NtReadVirtualMemory to write to other processes - you will need to open a handle to the process first.
Note that if you're already in the process, you can just write directly - for example if you're responding to a DeviceIoControl request from a process you can write directly to user-mode addresses and they will be in the address space of the process that called you.
I'm also starting in the world of windows drivers and from what I've read XxxProcessMemory calls NtXxxVirtualMemory in ntdll (R3-UserMode).
The NtXxxVirtualMemory calls the ZwXxxVirtualMemory (R0-KernelMode) also in the ntdll.
I believe you should use the ZwXxxVirtualMemory.
In the krnel, ZwXxx routines are just wrappers around NtXxx ones, telling the kernel that the caller is a kernel mode component, rather than an user application. When a call comes from usermode, the kernel performs additional security checks.
So, use ZwXxx when in the kernel.
An alternative approach for reading/writing memory from/to another process is:
obtain address of its process object (PsLookupProcessByProcessId),
switch the current thread to its address space (KeStackAttachProcess),
perform the operation (read/write...),
switch the address space back (KeUnstackDetachProcess),
decrement reference count incremented by (1) (ObDereferenceObject).
Is it possible to get current locale of a thread living inside another Windows process? Is there a utility that shows this or maybe a Win32 API call?
The locale is stored in the TEB, so you would have to be able to open the process with PROCESS_VM_READ rights and the thread with THREAD_QUERY_INFORMATION and then call OpenThread()+NtQueryInformationThread(ThreadBasicInformation) and then get the TEB address in THREAD_BASIC_INFORMATION and read it with ReadProcessMemory().
All of this is undocumented and could change at any time, you also need to handle WOW64 etc...
There's no API call for this. Assuming that you can't modify the target app to provide the information on demand, the only solution I can see is a global hook. This allows you to inject your code into the thread in question.