A forum for reverse engineering, OS internals and malware analysis 

 #24356  by Carlbyte
 Sat Nov 15, 2014 8:27 pm
Hey guys,

I need to know if there is a better way to monitor WriteProcessMemory instead of using the hook method. With the monitoring in the kernel structures, hooking is not a good option.

Thanks
 #24362  by BKsky
 Sun Nov 16, 2014 7:41 pm
As far as I know there is no mechanism to do it (Win2k-Win8); optionally, you can use ObRegisterCallbacks (Vista+) for handling operations:
ObRegisterCallbacks -> PreOp -> check DesiredAccess -> change.
 #24369  by Carlbyte
 Mon Nov 17, 2014 11:28 am
Thanks for the reply,
I do not clearly understand the option of DesiredAccess. How could I detect WriteProcessMemory?

Detect if a program is going to open some process?
 #24370  by Vrtule
 Mon Nov 17, 2014 12:42 pm
ObRegisterCallbacks allows you to register a callback routine that is invoked when a call to OpenProcess/OpenThread is made. When a process wants to write to the memory of another process, it must get its handle with the PROCESS_VM_WRITE access right. So, if you see the PROCESS_VM_WRITE right in the DesiredAccess mask, you know that the current process may wish to write to the target's memory.
 #24373  by Carlbyte
 Mon Nov 17, 2014 1:11 pm
Understood, but isn't it up to the programmer to set PROCESS_VM_WRITE when calling OpenProcess? If the programmer calls OpenProcess with PROCESS_ALL_ACCESS, they will be able to use WriteProcessMemory, correct?

I might be mistaken, but I think I used "PROCESS_ALL_ACCESS" and then used WriteProcessMemory.
 #24374  by Vrtule
 Mon Nov 17, 2014 1:22 pm
Carlbyte wrote: Understood, but isn't it up to the programmer to set PROCESS_VM_WRITE when calling OpenProcess? If the programmer calls OpenProcess with PROCESS_ALL_ACCESS, they will be able to use WriteProcessMemory, correct?

I might be mistaken, but I think I used "PROCESS_ALL_ACCESS" and then used WriteProcessMemory.
PROCESS_ALL_ACCESS is a bitmask with all PROCESS_VM_XXX bits set, including PROCESS_VM_WRITE. So, the following detection will work:
Code:
BOOLEAN writeMemoryRightPresent = ((DesiredAccess & PROCESS_VM_WRITE) != 0);
The problem with this method is that you don't actually know whether the caller will ever use WriteProcessMemory. AFAIK, people often call OpenProcess with PROCESS_ALL_ACCESS just to make their life simpler, not because they need full access to the target process.
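The two replies above (the ObRegisterCallbacks pre-operation check on DesiredAccess, and the point that PROCESS_ALL_ACCESS already contains PROCESS_VM_WRITE) can be put together in a small model. The code below is an added example, not code from any poster in this thread: it is a user-mode stand-in for the body of a pre-operation callback, so it builds without the WDK. The access-right values are the documented winnt.h constants; the PreOpInfo struct only mirrors the fields of OB_PRE_OPERATION_INFORMATION the check needs (the real structure reaches DesiredAccess via Parameters->CreateHandleInformation), and the "target_is_protected" flag stands in for whatever policy a driver would apply, which is a hypothetical placeholder here.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

typedef uint32_t ACCESS_MASK;

/* Process access rights, documented values from winnt.h. */
#define PROCESS_VM_OPERATION      0x0008u
#define PROCESS_VM_READ           0x0010u
#define PROCESS_VM_WRITE          0x0020u
#define PROCESS_QUERY_INFORMATION 0x0400u
#define STANDARD_RIGHTS_REQUIRED  0x000F0000u
#define SYNCHRONIZE               0x00100000u
/* PROCESS_ALL_ACCESS as defined for Vista and later build targets. */
#define PROCESS_ALL_ACCESS (STANDARD_RIGHTS_REQUIRED | SYNCHRONIZE | 0xFFFFu)

/* WriteProcessMemory requires both of these rights on the target handle. */
#define WPM_RIGHTS (PROCESS_VM_WRITE | PROCESS_VM_OPERATION)

#define OB_OPERATION_HANDLE_CREATE    1
#define OB_OPERATION_HANDLE_DUPLICATE 2

/* Simplified stand-in for OB_PRE_OPERATION_INFORMATION (assumption: only the
 * fields this check reads are modelled; the kernel structure has more). */
typedef struct {
    int         Operation;             /* handle create or duplicate */
    bool        KernelHandle;          /* request came from kernel-mode code */
    ACCESS_MASK DesiredAccess;         /* writable: the callback may clear bits */
    ACCESS_MASK OriginalDesiredAccess; /* what the caller asked for, read-only */
} PreOpInfo;

/* Vrtule's check: does the requested mask contain PROCESS_VM_WRITE? */
bool requests_vm_write(ACCESS_MASK desired)
{
    return (desired & PROCESS_VM_WRITE) != 0;
}

/* Model of the pre-operation callback body. Returns true when the write
 * rights were stripped from the request, false when it was left untouched. */
bool preop_handle_process_open(PreOpInfo *info, bool target_is_protected)
{
    /* Kernel callers and unprotected targets are left alone. */
    if (info->KernelHandle || !target_is_protected)
        return false;
    if (info->Operation != OB_OPERATION_HANDLE_CREATE &&
        info->Operation != OB_OPERATION_HANDLE_DUPLICATE)
        return false;
    if (!requests_vm_write(info->DesiredAccess))
        return false;
    /* Strip only what WriteProcessMemory depends on: OpenProcess still succeeds
     * with the remaining rights, and a later WriteProcessMemory on that handle
     * fails with ERROR_ACCESS_DENIED. */
    info->DesiredAccess &= ~(ACCESS_MASK)WPM_RIGHTS;
    return true;
}

/* Convenience wrapper: the mask a user-mode or kernel-mode caller would end
 * up with after the callback ran against a protected target. */
ACCESS_MASK granted_after_callback(ACCESS_MASK requested, bool kernel_caller)
{
    PreOpInfo info = { OB_OPERATION_HANDLE_CREATE, kernel_caller, requested, requested };
    preop_handle_process_open(&info, true);
    return info.DesiredAccess;
}

/* Walk the scenarios discussed in the thread; returns how many requests had
 * their write rights stripped (constructed inputs, not captured data). */
int run_scenarios(void)
{
    struct { const char *name; ACCESS_MASK mask; bool kernel; } cases[] = {
        { "read-only tool (VM_READ|QUERY_INFORMATION)", PROCESS_VM_READ | PROCESS_QUERY_INFORMATION, false },
        { "explicit VM_WRITE|VM_OPERATION",             WPM_RIGHTS,         false },
        { "lazy PROCESS_ALL_ACCESS",                    PROCESS_ALL_ACCESS, false },
        { "kernel-mode PROCESS_ALL_ACCESS",             PROCESS_ALL_ACCESS, true  },
    };
    int stripped = 0;
    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++) {
        ACCESS_MASK granted = granted_after_callback(cases[i].mask, cases[i].kernel);
        bool s = granted != cases[i].mask;
        stripped += s;
        printf("%-44s requested 0x%08X -> granted 0x%08X%s\n", cases[i].name,
               (unsigned)cases[i].mask, (unsigned)granted, s ? "  (write rights stripped)" : "");
    }
    return stripped;
}

int main(void)
{
    return run_scenarios() == 2 ? 0 : 1;
}
```

The PROCESS_ALL_ACCESS case is what makes Vrtule's caveat visible: a debugger, a task manager and an injector all trip the same check, so the callback can tell you that a caller *could* write, never that it will. Stripping the rights instead of logging is the defensive use of the same hook; real drivers also have to exempt their own trusted tools, which is what the placeholder policy flag stands for.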
 #24376  by Carlbyte
 Mon Nov 17, 2014 1:38 pm
Other programs can open the process for other reasons... If not using the hook method, is there no solution to this?

I do not need to monitor; if I block the operation, that is already a solution.

I was checking KeStackAttachProcess. I'll keep searching to see if I can find a solution for this.
 #24379  by Carlbyte
 Tue Nov 18, 2014 11:45 am
I do not need to monitor; if I block the function, that already solves it. I will search for a way to put a RET at the beginning of the function. If someone finds a better way...