A forum for reverse engineering, OS internals and malware analysis 

 #10373  by Victor43
 Thu Dec 15, 2011 10:00 am
Hello, I am very much new to kernel mode driver programming and wanted to know if someone could give me some ideas or suggestions on how to go about writing a kernel mode driver that searches out hooks within system DLLs like kernel32.dll, user32.dll, Advapi32.dll and so on... But I am having a tough time finding a kernel mode function replacement for GetModuleHandle? If anyone has any ideas on this point I would appreciate a response. The other question I had was how is it possible to scan the memory space of these system DLLs? I have read that it can be dangerous and cause instability of the whole system, not sure about this, comments welcome. Oh yeah, I have found some code that can check if ntoskrnl.exe, or rather the SSDT, has been hooked, which is fine.

Better yet, if anyone knows of any open source code for rootkit detection that would be great.

Thanks in advance

Victor.
 #10374  by rkhunter
 Thu Dec 15, 2011 10:12 am
MmGetSystemRoutineAddress to retrieve exported functions from ntoskrnl and hal. Look at this topic http://www.kernelmode.info/forum/viewto ... 254&p=9622.

Also look at useful rk sources from http://www.kernelmode.info/forum/viewto ... 624&p=6798.
Articles on rk tricks http://www.kernelmode.info/forum/viewto ... 990&p=7135.
 #10375  by Victor43
 Thu Dec 15, 2011 11:29 am
Thanks rkhunter. I just took a look at the links you have given. The reason that I need to find the base address of these system DLLs like the ones I have mentioned is because I plan on checking the address of each exported function and comparing it to the address space of the DLL to see if it's inside the address space range; if it is found outside, then it's hooked.

Victor
 #10383  by EP_X0FF
 Thu Dec 15, 2011 4:00 pm
Such stuff must be implemented in user mode. A driver here can be used to read/write process memory. But unless you want to create a BSOD generator, then ok.
 #10400  by Victor43
 Fri Dec 16, 2011 9:24 am
Thanks EP_X0FF. I appreciate the comment and suggestion. I just was not sure if what I would like to accomplish could be done in kernel mode. I'll take your advice and check to see if it can be implemented in user mode. I did have one more question about kernel mode: suppose I was able to retrieve the base address of these system DLLs... then would trying to access the memory space of these system DLLs cause a BSOD? I thought that kernel mode operates in ring 0, which has access to all system and user mode memory space? Please correct me if I am wrong.

Best Regards

Victor
 #10405  by rkhunter
 Fri Dec 16, 2011 9:43 am
From ring0 you can access all memory, but can't refer to all of it. And there are a lot of special cases; look at the Windows Internals book. In general, from ring0 you can refer only to memory that was checked with the MmIsAddressValid API.
 #10419  by Victor43
 Sat Dec 17, 2011 4:31 am
Thanks EP_X0FF and rkhunter for the reply.

I do have a book on Windows Internals, fifth edition, and will go through the relevant content. However, since this is an excellent site with very helpful replies, I hope no one would mind if I ask another question? If reading memory is an issue for drivers, then how do antivirus programs access memory for modules that are already loaded for scanning? Do they map the memory modules into another section of memory and then run their scans? I was also thinking of user mode APIs like CreateFile->CreateFileMapping->MapViewOfFile, but the use of such APIs in user mode only maps disk images into memory. How can one map already loaded modules (i.e. the ones found in Task Manager or loaded DLLs) into a new section of memory for analysis? Is there a kernel mode API that can do this?

Thanks again

Victor
 #10421  by Brock
 Sat Dec 17, 2011 5:35 am
Victor43,

In kernel mode you could call ZwWriteVirtualMemory to write to another process' memory, but IIRC it's not exported by the kernel; you could get its address from the SSDT, or locate the service index from the SSDT and use it in a direct SYSCALL / INT 0x2E yourself using asm etc. The same applies to ZwReadVirtualMemory being unexported from the kernel. Anyhow, you don't really need to use these "service" APIs since you can directly attach to the target process via its EPROCESS object and do whatever you want with the process memory; you can attach with KeStackAttachProcess and when done use KeUnstackDetachProcess.

Use whatever you feel more comfortable with, I guess, since you are somewhat new to writing drivers? This is why I have mentioned a few different ways. Reading or writing to a particular process' memory using the latter method is literally as easy as calling RtlCopyMemory, for example, within the running process context, since you are currently within the process' address space, much like an injected DLL would be, for example. I hope you understand that analogy? I would suggest, as EP_X0FF already mentioned, to not do all this non-trivial hook checking / detection work in a kernel mode driver, especially since this can more easily be done from user mode with less chance of BSODing the system if implemented properly. Simply create your own kernel mode memory reading and writing routines and expose them to your user mode component(s).

A basic skeleton or pseudo code of the model might look like this...

-Process calls DeviceIoControl with a special control code for reading/writing to a process' address space
-Driver receives the code and sees the _input_ parameters such as target process id, operation type (r/w), size of data, code area in the target process (which will be a virtual address), and the buffer to copy from or copy to depending on which operation (r/w)
-Driver takes in the process id and converts this to something usable such as an EPROCESS object (PsLookupProcessByProcessId)
-Driver makes a call to KeStackAttachProcess using the returned pointer to EPROCESS from the above step
-Driver validates both the target r/w address in the process as well as the buffer from user mode (probing .. MmIsAddressValid .. MDLs)
-Driver uses RtlCopyMemory to copy _in_ data or copy _out_ data to/from the process since it is now directly in the process' context
-Driver calls KeUnstackDetachProcess and cleans up any memory allocations, locks etc.

I'd also recommend that you use process rundown protection when attaching to a process, but this is out of the scope of this basic design.
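The validation step of the skeleton above, as an added example that is not code from the original post or this forum: a portable C mock of the IOCTL request and the checks a dispatch routine should apply before attaching and calling RtlCopyMemory, plus the user-mode consumer's export range test from Victor's earlier post. The request layout, the 1 MiB per-request cap and the x64 highest-user-address constant are assumptions made for the example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

/* Constructed IOCTL input layout mirroring the skeleton above (assumed, not a WDK type). */
typedef struct {
    uint32_t process_id;      /* target PID, later resolved with PsLookupProcessByProcessId */
    uint32_t operation;       /* 0 = read target -> user buffer, 1 = write user buffer -> target */
    uint64_t target_address;  /* virtual address inside the target process */
    uint64_t length;          /* bytes to copy */
    uint64_t user_buffer;     /* virtual address of the caller's buffer */
} RW_REQUEST;

/* Highest user-mode address on x64 Windows (assumed constant for this example). */
#define HIGHEST_USER_ADDRESS 0x7FFFFFFEFFFFull
/* Per-request cap so a single IOCTL cannot ask the driver to copy gigabytes. */
#define MAX_RW_LENGTH        (1ull << 20)

/* True only if [addr, addr+len) is non-empty, under the cap, does not wrap
 * around and lies entirely in user space. Both the target range and the
 * caller's buffer must pass this before any probing or RtlCopyMemory. */
bool range_is_user(uint64_t addr, uint64_t len)
{
    if (len == 0 || len > MAX_RW_LENGTH)
        return false;
    if (addr > UINT64_MAX - len)          /* addr + len would wrap to a low address */
        return false;
    return (addr + len - 1) <= HIGHEST_USER_ADDRESS;
}

/* Check the system buffer before dereferencing anything inside it.
 * input_len is the IOCTL's InputBufferLength as reported by the I/O manager. */
bool validate_request(const RW_REQUEST *r, size_t input_len)
{
    if (r == NULL || input_len < sizeof *r)   /* short or missing input buffer */
        return false;
    if (r->process_id == 0 || r->operation > 1)
        return false;
    return range_is_user(r->target_address, r->length) &&
           range_is_user(r->user_buffer, r->length);
}

/* User-mode consumer side: an export whose resolved address falls outside
 * [module_base, module_base + size_of_image) has been redirected. */
bool export_outside_module(uint64_t module_base, uint32_t size_of_image, uint64_t resolved)
{
    return resolved < module_base || resolved >= module_base + size_of_image;
}
```

The export range test only catches a redirected export address; an inline patch inside the module body needs the read primitive to compare the mapped bytes against the on-disk image.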
 #10428  by Victor43
 Sat Dec 17, 2011 10:51 am
Hey Brock.

Yes, I am new to kernel mode programming, as you can tell by the number of questions that I am asking :). I appreciate the reply though, since I need to grasp a lot of basic and fundamental ideas of kernel mode programming. Having said that, I like the idea of using a user mode application to provide certain pieces of the needed data which the kernel mode driver would be able to use. Thanks for the tip about using the EPROCESS structure, I honestly did not know the extent of its use, which really helps. Also, I understand the pseudo code you have given. I actually ran into some kernel mode code on more than one occasion that resembles the pseudo code you have kindly provided :). Oh, by the way, since I am new to kernel mode programming I've already seen my share of BSODs. I think it's also when you get a little careless or don't know what you're doing that you can run into trouble when working with kernel programming. I speak from experience here :)

Thanks again

Victor