How does this program access other processes memory? How can it write into the address space of another process? Wasn't it supposed to segfault or something?
A program with a system privilege level is capable of mapping physical addresses to its own virtual address.
Cheat O'Matic (and poke) maps the physical address of whatever program it is trying to scan into its own virtual space.
Once this is done, it scans all the bytes for the target value you enter. It isolates the correct memory address by asking the user to altering the address to known values and basically does a diff between the old and new memory to find the changes.
One way to do it is to inject a DLL (Google for 'Dll injection') into the address process that you want to spy on: that DLL is then inside the process and can do things with the process' memory. The spy process can use an Interprocess Communication method (pipes, sockets, anything) to talk with the DLL which it injected into the other process.
Injecting a DLL takes administrator priviledge (e.g. to set a relevent entry in the system registry).
Related
Let's assume I'm hooking a syscall such as openat in Linux using an LKM. Now coming from a Windows driver development world, i have two questions:
Considering that the file path is passed as an argument in openat, Can we safely directly access that buffer (read or write), which is a user-mode address, without using copy_from_user? Because in Windows, certain callbacks are guaranteed to be called at the context of the calling process, thus we can safely assume that the buffer address is correct and not for another context, and even if they are not in the same context, we can attach to the calling process.
In Windows, there is a concept of paged out memory and IRQL, which means that on callbacks that have IRQL of DISPATCH or above, we cannot access memory that is paged out. Is there a similar concept in Linux? For example what happens if the user-mode address is paged out and i try to access it? Can i catch the exception? In Windows we can catch the exception for accessing invalid user-mode addresses, but invalid kernel-mode address access cannot be caught and it causes a BSOD.
I'm asking this because i need to hook opennat to monitor some file opens, but the problem is that if i try to allocate a kernel buffer and then use copy_from_user to get the file path, this will take a lot of time, but if i can somehow safely access the user-mode buffer directly without any copy and read or write to it, this will save up a lot of time. In Windows, even if the context is invalid, we can still attach to that process, lock the user-mode buffer with the help of MDL, and read/write to it, but I'm not sure if this is possible in Linux or not.
I am trying to understand how ring 3 to ring 0 transfer works in operating systems.
I think I understand how a syscall works.
My understanding is that when user mode program wants to make a syscall it will setup the call arguments and send an INT that will transfer over control to the OS which will then read the args, do that work and then return control back to user program. There Are more optimized sys enter arms sys exit variants as well.
All this makes sense to me If the user voluntarily calls the syscall.
However, to gurarantee safety OS cannot assume that callers will use syscall to access resources.
My question is — what happens if user program directly tries to access resource (disk) directly without involving OS.
How does the OS intercept it?
Any piece of I/O hardware, such as the disk controller, will (designer's choice) either respond to an I/O port address or a memory-space address, or possibly both. There is no other way to talk to the hardware. The hardware is sitting out on some bus. Program code must read/write some I/O port or must read/write some "memory" address which is really the device rather than actual RAM.
On x86, since the kernel controls access to both:
I/O ports, by setting or not setting the I/O port permissions, preventing ring 3 access
physical memory-space addresses (by controlling the virtual-to-physical address mapping)
then it can absolutely remove access from user mode.
So there is no instruction that user mode can execute that addresses the device. This is the fundamental aspect of the kernel/user split on any hardware: the kernel can control what user mode can do.
To pick up on a comment by #sawdust - once the kernel has set up the above restrictions, then:
an attempt to issue an I/O port instruction will trap to the kernel because access has not been granted.
access to memory-space device addresses is simply inexpressible; there is no user-space virtual address that equates to the particular physical address required.
It's simple and straightforward in user mode because of those APIs.
How do you read/write specified process's userspace memory from a windows kernel module?
driver target platform is windows xp/2003
Use NtWriteVirtualMemory / NtReadVirtualMemory to write to other processes - you will need to open a handle to the process first.
Note that if you're already in the process, you can just write directly - for example if you're responding to a DeviceIoControl request from a process you can write directly to user-mode addresses and they will be in the address space of the process that called you.
I'm also starting in the world of windows drivers and from what I've read XxxProcessMemory calls NtXxxVirtualMemory in ntdll (R3-UserMode).
The NtXxxVirtualMemory calls the ZwXxxVirtualMemory (R0-KernelMode) also in the ntdll.
I believe you should use the ZwXxxVirtualMemory.
In the krnel, ZwXxx routines are just wrappers around NtXxx ones, telling the kernel that the caller is a kernel mode component, rather than an user application. When a call comes from usermode, the kernel performs additional security checks.
So, use ZwXxx when in the kernel.
An alternative approach for reading/writing memory from/to another process is:
obtain address of its process object (PsLookupProcessByProcessId),
switch the current thread to its address space (KeStackAttachProcess),
perform the operation (read/write...),
switch the address space back (KeUnstackDetachProcess),
decrement reference count incremented by (1) (ObDereferenceObject).
specifically i want to know if kernel32.dll load address can be different for two processes within the same session ?
I want to use createremote thread so just wanted to know if kernel32 load address in remote process can be different from the injecting process in any scenario ?
Kernel32.dll has the same base address on all processes to allow exactly what you'd like to do. Read: Why are certain DLLs required to be at the same base address system-wide?
System DLLs are loaded at random addresses (ASLRed) for security reasons so that a remote attacker can't guess where bits of code on your system are living in memory (i.e. remote attackers can't guess pointers on your computer).
This happens once per boot, and hence kernel32 will be loaded at the same address in all processes across your system.
I have a few questions related to Windows processes in kernel and usermode.
If I have a hello world application, and a hello world driver that exposes a new system call, foo(), I am curious about what I can and can't do once I am in kernel mode.
For starters, when I write my new hello world app, I am given a new process, which means I have my own user mode VM space (lets keep it simple, 32 bit windows). So I have 2GB of space that I "own", I can poke and peek until my hearts content. However, I am bound by my process. I can't (lets not bring shared memory into this yet) touch anyone elses memory.
If, I write this hello world driver, and call it from my user app, I (the driver code) is now in kernel mode.
First clarification/questions:
I am STILL in the same process as the user mode app, correct? Still have the same PID?
Memory Questions:
Memory is presented to my process as VM, that is even if I have 1GB of RAM, I can still access 4GB of memory (2GB user / 2GB of kernel - not minding details of switches on servers, or specifics, just a general assumption here).
As a user process, I cannot peek at any kernel mode memory address, but I can do whatever I want to the user space, correct?
If I call into my hello world driver, from the driver code, do I still have the same view of the usermode memory? But now I also have access to any memory in kernel mode?
Is this kernel mode memory SHARED (unlike User mode, which is my own processes copy)? That is, writing a driver is more like writing a threaded application for a single process that is the OS (scheduling aside?)
Next question. As a driver, could I change the process that I am running. Say, I knew another app (say, a usermode webserver), and load the VM for that process, change it's instruction pointer, stack, or even load different code into the process, and then switch back to my own app? (I am not trying to do anything nefarious here, I am just curious what it really means to be in kernel mode)?
Also, once in kernel mode, can I prevent the OS from preempting me? I think (in Windows) you can set your IRQL level to do this, but I don't fully understand this, even after reading Solomons book (Inside Windows...). I will ask another question, directly related to IRQL/DPCs but, for now, I would love to know if a kernel driver has the power to set an IRQL to High and take over the system.
More to come, but answers to these questions would help.
Each process has a "context" that, among other things, contains the VM mappings specific to that process (<2 GB normally in 32bit mode). When thread executing in user mode enteres kernel mode (e.g. from a system call or IO request), the same thread is still executing, in the process, with the same context. PsGetCurrentProcessId will return the same thing at this point as GetCurrentProcessID would have just before in user mode (same with thread IDs).
The user memory mappings that came with the context are still in place upon entering kernel mode: you can access user memory from kernel mode directly. There are special things that need to be done for this to be safe though: Using Neither Buffered Nor Direct I/O. In particular, an invalid address access attempt in the user space range will raise a SEH exception that needs to be caught, and the contents of user memory can change at any time due to the action of another thread in that process. Accessing an invalid address in the kernel address range causes a bugcheck. A thread executing in user mode cannot access any kernel memory.
Kernel address space is not part of a process's context, so is mapped the same between all of them. However, any number of threads may be active in kernel mode at any one time, so it is not like a single threaded application. In general, threads service their own system calls upon entering kernel mode (as opposed to having dedicated kernel worker threads to handle all requests).
The underlying structures that save thread and process state is all available in kernel mode. Mapping the VM of another process is best done ahead of time from the other process by creating an MDL from that process and mapping it into system address space. If you just want to alter the context of another thread, this can be done entirely from user mode. Note that a thread must be suspended to change its context without having a race condition. Loading a module into a process from kernel mode is ill advised; all of the loader APIs are designed for use from user mode only.
Each CPU has a current IRQL that it is running at. It determines what things can interrupt what the CPU is currently doing. Only an event from a higher IRQL can preempt the CPU's current activity.
PASSIVE_LEVEL is where all user code and most kernel code executes. Many kernel APIs require the IRQL to be PASSIVE_LEVEL
APC_LEVEL is used for kernel APCs
DISPATCH_LEVEL is for scheduler events (known as the dispatcher in NT terminology). Running at this level will prevent you from being preempted by the scheduler. Note that it is not safe to have any kind of page fault at this level; there would be a deadlock possibility with the memory manager trying to retrieve pages. The kernel will bugcheck immediately if it has a page fault at DISPATCH_LEVEL or higher. This means that you can't safely access paged pool, paged code segments or any user memory that hasn't been locked (i.e. by an MDL).
Above this are levels connected to hardware device interrupt levels, known as DIRQL.
The highest level is HIGH_LEVEL. Nothing can preempt this level. It's used by the kernel during a bugcheck to halt the system.
I recommend reading Scheduling, Thread Context, and IRQL
A good primer for this topic would be found at: http://www.codinghorror.com/blog/archives/001029.html
As Jeff points out for the user mode memory space:
"In User mode, the executing code has no ability to directly access hardware or reference memory. Code running in user mode must delegate to system APIs to access hardware or memory. Due to the protection afforded by this sort of isolation, crashes in user mode are always recoverable. Most of the code running on your computer will execute in user mode."
So your app will have no access to the Kernel Mode memory, infact your communication with the driver is probably through IOCTLs (i.e. IRPs).
The kernel however has access to everything, including to mappings for your user mode processes. This is a one way street, user mode cannot map into kernel mode for security and stability reasons. Even through kernel mode drivers can map into user mode memory I would advise against it.
At least that's the way it was back before WDF. I am not sure of the capabilities of memory mapping with user mode drivers.
See also: http://www.google.com/url?sa=t&source=web&ct=res&cd=1&url=http%3A%2F%2Fdownload.microsoft.com%2Fdownload%2Fe%2Fb%2Fa%2Feba1050f-a31d-436b-9281-92cdfeae4b45%2FKM-UMGuide.doc&ei=eAygSvfuAt7gnQe01P3gDQ&rct=j&q=user+mode+mapping+into+kernel+mode&usg=AFQjCNG1QYQMcIpcokMoQSWJlGSEodaBHQ