A forum for reverse engineering, OS internals and malware analysis 

 #9156  by Tigzy
 Fri Oct 14, 2011 3:17 pm
Hello

I'm trying to implement a self-protection module for "one of my tools", and as this is widely used across the world I can't use any undocumented way (I mean hooks, especially).
I've registered a callback notification with PsSetCreateProcessNotifyRoutine, but I found it really useless... :|, or maybe I don't know how to use it.

This callback only gives the PID of the concerned process, and we cannot act on either the creation or the termination...
We can't even get the calling process (the one that created / terminated the process).

Anyone got a better idea to self-protect a process?
 #9158  by EP_X0FF
 Fri Oct 14, 2011 3:22 pm
Tigzy wrote: and we cannot act on either the creation
That isn't true. You can pass a termination APC to user mode. If you are using Vista, Server 2008 or Windows 7, use PsSetCreateProcessNotifyRoutineEx, since it has a way to terminate the process. For anything else you are using a hack, unfortunately.
 #9159  by Tigzy
 Fri Oct 14, 2011 3:32 pm
EP_X0FF wrote: That isn't true. You can pass a termination APC to user mode.
Yes, you're right, I spoke too quickly.
You can also just use ZwOpenProcess / ZwTerminateProcess on the PID.

---

So there's no "good way" to protect a process?
Everybody says hooks are evil, but assuming this, how do AVs protect themselves without that?
 #9160  by EP_X0FF
 Fri Oct 14, 2011 3:44 pm
AVs use complex methods of self-protection, mostly based on filters and illegal hacks for x86-32, targeting a few points: not letting an attacker load a kernel-mode driver, acquire handles, perform termination/injection/patching, etc. Beginning from Vista SP1, MS started adding new interfaces which can be used for this purpose (ObCallbacks, for example). And of course, nothing can protect you against a driver-level attack. From my point of view, if a 3rd-party product has no fully functional HIPS on board, it can forget about self-protection, because it's quite useless.
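As an added illustration (not code from this thread or from any product), this is the kind of access-mask filtering an ObRegisterCallbacks pre-operation callback does on Vista SP1 and later to keep foreign user-mode processes from obtaining dangerous handle rights on a protected process. The decision is pulled into a plain function so it builds without the WDK; the protected/caller PIDs and the kernel_handle flag stand in for what the real callback reads from OB_PRE_OPERATION_INFORMATION and PsGetCurrentProcessId().

```c
/* Added example: handle-access filtering as an ObCallback would do it.
 * A real driver edits Parameters->CreateHandleInformation.DesiredAccess
 * (and DuplicateHandleInformation for duplicates) inside the callback;
 * here the same decision is a stand-alone function.
 * PROCESS_* values are the documented Windows access-right bits. */
#include <stdint.h>
#include <stdbool.h>
#include <stdio.h>

#define PROCESS_TERMINATE                 0x0001u
#define PROCESS_CREATE_THREAD             0x0002u
#define PROCESS_VM_OPERATION              0x0008u
#define PROCESS_VM_WRITE                  0x0020u
#define PROCESS_DUP_HANDLE                0x0040u
#define PROCESS_SUSPEND_RESUME            0x0800u
#define PROCESS_QUERY_LIMITED_INFORMATION 0x1000u

/* Rights a foreign user-mode process must not obtain on the protected one. */
#define PROTECTED_DENY_MASK (PROCESS_TERMINATE | PROCESS_CREATE_THREAD | \
    PROCESS_VM_OPERATION | PROCESS_VM_WRITE | PROCESS_DUP_HANDLE | \
    PROCESS_SUSPEND_RESUME)

/* Returns the access mask the handle should actually be granted.
 * protected_pid: PID of the process we defend (our own tool).
 * target_pid:    PID the handle is being opened to.
 * caller_pid:    PID of the process requesting the handle.
 * kernel_handle: true when the request comes from kernel mode; it is let
 *                through, since (as the thread says) a driver-level
 *                attacker cannot be stopped this way anyway. */
uint32_t filter_process_access(uint32_t protected_pid, uint32_t target_pid,
                               uint32_t caller_pid, bool kernel_handle,
                               uint32_t desired_access)
{
    if (target_pid != protected_pid)  /* not our process: leave untouched */
        return desired_access;
    if (kernel_handle)                /* kernel-mode opens are trusted    */
        return desired_access;
    if (caller_pid == protected_pid)  /* the process may open itself      */
        return desired_access;
    /* Strip only the dangerous rights; query/read stay so that tools like
       Task Manager can still list the process. */
    return desired_access & ~PROTECTED_DENY_MASK;
}

int main(void)
{
    uint32_t want = PROCESS_TERMINATE | PROCESS_VM_WRITE |
                    PROCESS_QUERY_LIMITED_INFORMATION;
    uint32_t got = filter_process_access(1234, 1234, 4321, false, want);
    printf("requested 0x%04x -> granted 0x%04x\n", want, got); /* 0x1021 -> 0x1000 */
    return 0;
}
```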
 #9161  by Tigzy
 Fri Oct 14, 2011 3:48 pm
EP_X0FF wrote: From my point of view, if a 3rd-party product has no fully functional HIPS on board, it can forget about self-protection, because it's quite useless.
Agreed, that will be my conclusion too.
Thanks for replying ;)