A forum for reverse engineering, OS internals and malware analysis 

Ask your beginner questions here.
 #24200  by Carlbyte
 Thu Oct 23, 2014 11:00 pm
Hey guys,

I wonder if anyone knows another way to prevent image loading in the PsSetLoadImageNotifyRoutine event (DLL, SYS ...)?

I found on the net some code that inserts (B8 220000C0) at the entrypoint, and then the image does not load, but this code also caught the EXE, which is not good.

Any ideas?

Thanks
 #24205  by Carlbyte
 Fri Oct 24, 2014 4:21 pm
I need the FreeLibrary function in kernel mode .... Below is another example that works only with EXEs:

status = ZwUnmapViewOfSection(Prochandle, pImageInfo->ImageBase);
 #24207  by Vrtule
 Fri Oct 24, 2014 4:52 pm
Hello,

The ZwUnmapViewOfSection will work only for user-mode images (and other types of memory-mapped files). It is too high-level to be used to map kernel drivers to memory. Additionally, the target process won't be very happy when you unmap a DLL from its address space at once.

For kernel drivers, you can try to write the following code to their entrypoint during your Image Notification Callback:

(32-bit case)

    MOV EAX, 0xC0000022 ; STATUS_ACCESS_DENIED
    RET 8               ; DriverEntry has usually two parameters

(64-bit case)

    MOV RAX, 0xC0000022 ; STATUS_ACCESS_DENIED
    RET                 ; I expect the parameters are passed via registers (RCX, RDX)

This approach will not work for kernel-mode DLLs because they do not use DriverEntry. AFAIR they also have an initialization routine, but it has more than two arguments.

P.S. When rewriting an entrypoint code, you must always write 32-bit code to 32-bit image and 64-bit one to 64-bit image.

P.P.S. File system minifilters are able to catch the mapping of executable code to memory and are able (by design, no undocumented tricks required) to block the call. This approach should work for drivers too, I think.
 #24208  by Carlbyte
 Fri Oct 24, 2014 5:17 pm
Thanks,

According to your answer, I have the solution for the cases of EXE and driver. Do you have any tips for the case of a DLL?

The idea is to control what can be loaded in the PsSetLoadImageNotifyRoutine event.
 #24209  by Vrtule
 Fri Oct 24, 2014 5:29 pm
Carlbyte wrote:
> Thanks,
>
> According to your answer, I have the solution for the cases of EXE and driver. Do you have any tips for the case of a DLL?
>
> The idea is to control what can be loaded in the PsSetLoadImageNotifyRoutine event.

How does your method (the code injection into the entrypoint) behave in the case of DLLs? If you are also trying ZwUnmapViewOfSection, what status code does it return?
 #24215  by Vrtule
 Sat Oct 25, 2014 1:20 pm
I do not think it will work well. The ideal solution would be to tell the target process that an attempt to map a DLL to its address space failed. If LoadLibrary/LoadLibraryEx succeeds, the process assumes the DLL is mapped and may attempt to execute some of its functions or use some of its resources.

Mapping a DLL does not imply that its initialization code is executed (LoadLibraryEx with certain settings for example).

Minifilter callbacks registered for IRP_MJ_ACQUIRE_FOR_SECTION_SYNCHRONIZATION are invoked when a section object for an executable image is created and may block the creation.
(http://msdn.microsoft.com/en-us/library ... s.85).aspx)
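A concrete shape of the minifilter approach described in this post, as an added example (not code from the thread or from either poster): the allow/deny rule is plain C so it compiles and can be checked in user mode, and the IRP_MJ_ACQUIRE_FOR_SECTION_SYNCHRONIZATION pre-operation callback that applies it sits behind the WDK's _KERNEL_MODE macro, assumed to be set by the driver project. The allowlist prefix, the callback name and the fail-open choice when no file name is available are assumptions for illustration.

```c
/* Added example (not from the thread): the allow/deny rule behind a minifilter
 * IRP_MJ_ACQUIRE_FOR_SECTION_SYNCHRONIZATION pre-op. Outside the WDK the real
 * Windows constants are repeated so the rule compiles and tests in user mode. */
#ifdef _KERNEL_MODE
#include <fltKernel.h>
#else
#define PAGE_EXECUTE 0x10
#define PAGE_EXECUTE_READ 0x20
#define PAGE_EXECUTE_READWRITE 0x40
#define PAGE_EXECUTE_WRITECOPY 0x80
typedef enum { SyncTypeOther = 0, SyncTypeCreateSection } FS_FILTER_SECTION_SYNCHRONIZATION_TYPE;
#endif
#define EXECUTE_MASK (PAGE_EXECUTE | PAGE_EXECUTE_READ | PAGE_EXECUTE_READWRITE | PAGE_EXECUTE_WRITECOPY)

/* 1 = refuse the section with STATUS_ACCESS_DENIED. Only SyncTypeCreateSection with
 * an execute protection is an image load (EXE, DLL and SYS alike); SyncTypeOther
 * acquisitions and data-file mappings pass, so the process itself keeps running. */
int ShouldBlockMapping(FS_FILTER_SECTION_SYNCHRONIZATION_TYPE syncType,
                       unsigned long pageProtection, int pathAllowed)
{
    if (syncType != SyncTypeCreateSection) return 0;    /* not a section creation */
    if ((pageProtection & EXECUTE_MASK) == 0) return 0; /* data mapping, not an image */
    return pathAllowed ? 0 : 1;
}

#ifdef _KERNEL_MODE
/* Assumed allowlist (illustration only): images under this NT path always load. */
static const UNICODE_STRING AllowedPrefix = RTL_CONSTANT_STRING(L"\\Device\\HarddiskVolume2\\Windows\\System32\\");

/* Hooked up through FLT_OPERATION_REGISTRATION for IRP_MJ_ACQUIRE_FOR_SECTION_SYNCHRONIZATION. */
FLT_PREOP_CALLBACK_STATUS PreAcquireForSectionSync(PFLT_CALLBACK_DATA Data,
    PCFLT_RELATED_OBJECTS FltObjects, PVOID *CompletionContext)
{
    PFLT_FILE_NAME_INFORMATION ni = NULL;
    FLT_PREOP_CALLBACK_STATUS rc = FLT_PREOP_SUCCESS_NO_CALLBACK;
    UNREFERENCED_PARAMETER(FltObjects); UNREFERENCED_PARAMETER(CompletionContext);
    if (!NT_SUCCESS(FltGetFileNameInformation(Data, FLT_FILE_NAME_NORMALIZED | FLT_FILE_NAME_QUERY_DEFAULT, &ni)))
        return rc;  /* no name available: this example fails open; a real policy decides explicitly */
    if (ShouldBlockMapping(Data->Iopb->Parameters.AcquireForSectionSynchronization.SyncType,
                           Data->Iopb->Parameters.AcquireForSectionSynchronization.PageProtection,
                           RtlPrefixUnicodeString(&AllowedPrefix, &ni->Name, TRUE))) {
        Data->IoStatus.Status = STATUS_ACCESS_DENIED;  /* 0xC0000022: the loader reports an invalid file */
        Data->IoStatus.Information = 0;
        rc = FLT_PREOP_COMPLETE;
    }
    FltReleaseFileNameInformation(ni);
    return rc;
}
#endif
```

Because the refusal happens at section creation, the loader's own error path runs and the calling process is not left with a half-mapped image, which is the failure mode discussed above for entrypoint patching and ZwUnmapViewOfSection.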
 #24219  by Carlbyte
 Sat Oct 25, 2014 6:16 pm
Thanks for the help ... Always good tips ...
I had considerable work to implement some things in the PsSetLoadImageNotifyRoutine event, but IRP will be better. Let me implement it to see what happens.
 #24231  by Carlbyte
 Sun Oct 26, 2014 11:24 pm
IRP worked perfectly! The system displays an "invalid file" message and does not load the file. It worked for EXE, DLL and SYS, and it did not stop the EXE when it worked in the case of a DLL. So for those who are looking for this information, use IRP instead of PsSetLoadImageNotifyRoutine.