A forum for reverse engineering, OS internals and malware analysis 

Forum for discussion about kernel-mode development.
 #16900  by Tigzy
 Thu Nov 29, 2012 7:52 pm
Hello

I was wondering if, in modern OSes, there are documented methods for protecting processes?
For files => minifilter
For registry keys => ObRegisterCallback

But for processes, I could not find anything interesting (PsSetCreateProcessNotifyRoutine and PsSetCreateThreadNotifyRoutine can't forbid thread termination).
Any suggestions?
 #16902  by Vrtule
 Thu Nov 29, 2012 8:02 pm
Hello,

ObRegisterCallbacks can be used to filter creation of process and thread handles. PsSetCreateProcessNotifyRoutineEx can filter process creation.
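As an added illustration of the handle filtering Vrtule describes (this is not code from the thread or from any poster), here is the access-mask policy an ObRegisterCallbacks pre-operation callback would apply to process and thread handle requests. It is written as plain C with no Windows headers so it compiles and runs anywhere: the struct `handle_request_t` is a host-side model of the fields the callback reads from OB_PRE_OPERATION_INFORMATION, the PIDs are constructed sample values, and the driver-side glue in the trailing comment (`PreOp`, `g_protected_pid`) is a hypothetical sketch that assumes ntddk.h.

```c
/* Added example, not from the thread: policy for a process/thread handle
 * pre-operation callback registered with ObRegisterCallbacks. */
#include <stdint.h>
#include <stdbool.h>
#include <stdio.h>

typedef uint32_t ACCESS_MASK;

/* Process and thread access rights, values as defined in the Windows SDK (winnt.h). */
#define PROCESS_TERMINATE         0x0001u
#define PROCESS_CREATE_THREAD     0x0002u
#define PROCESS_VM_OPERATION      0x0008u
#define PROCESS_VM_READ           0x0010u
#define PROCESS_VM_WRITE          0x0020u
#define PROCESS_DUP_HANDLE        0x0040u
#define PROCESS_SET_INFORMATION   0x0200u
#define PROCESS_QUERY_INFORMATION 0x0400u
#define PROCESS_SUSPEND_RESUME    0x0800u
#define PROCESS_ALL_ACCESS        0x1FFFFFu   /* Vista and later */
#define THREAD_TERMINATE          0x0001u
#define THREAD_SUSPEND_RESUME     0x0002u
#define THREAD_SET_CONTEXT        0x0010u
#define THREAD_SET_INFORMATION    0x0020u
#define THREAD_ALL_ACCESS         0x1FFFFFu   /* Vista and later */

/* Rights that let a caller kill, suspend, inject into or hijack the protected
 * process. Query/read rights are left alone on purpose: Task Manager can still
 * list the process, it just cannot end it. */
#define PROCESS_DENY_MASK (PROCESS_TERMINATE | PROCESS_CREATE_THREAD | PROCESS_VM_OPERATION | \
                           PROCESS_VM_WRITE | PROCESS_DUP_HANDLE | PROCESS_SET_INFORMATION | \
                           PROCESS_SUSPEND_RESUME)
#define THREAD_DENY_MASK  (THREAD_TERMINATE | THREAD_SUSPEND_RESUME | THREAD_SET_CONTEXT | \
                           THREAD_SET_INFORMATION)

typedef enum { OBJ_PROCESS, OBJ_THREAD } obj_kind_t;

/* Host-side model of what the callback reads from OB_PRE_OPERATION_INFORMATION. */
typedef struct {
    obj_kind_t  kind;          /* Info->ObjectType == *PsProcessType or *PsThreadType */
    uint32_t    owner_pid;     /* PsGetProcessId(Object) or PsGetThreadProcessId(Object) */
    uint32_t    requester_pid; /* PsGetCurrentProcessId() while the callback runs */
    bool        kernel_handle; /* Info->KernelHandle: handle requested by kernel code */
    ACCESS_MASK desired;       /* CreateHandleInformation/DuplicateHandleInformation.DesiredAccess */
} handle_request_t;

/* Returns the access mask the request is allowed to keep. The same policy must
 * serve OB_OPERATION_HANDLE_CREATE and OB_OPERATION_HANDLE_DUPLICATE: skipping
 * duplicates would let a caller obtain a full handle by duplicating one from a
 * process that already holds it (e.g. a handle opened before the driver loaded). */
ACCESS_MASK filter_handle_access(const handle_request_t *req, uint32_t protected_pid)
{
    if (req->owner_pid != protected_pid)
        return req->desired;              /* not our process: leave untouched */
    if (req->kernel_handle)
        return req->desired;              /* kernel callers: never interfere */
    if (req->requester_pid == protected_pid)
        return req->desired;              /* the protected process opening itself */
    ACCESS_MASK deny = (req->kind == OBJ_PROCESS) ? PROCESS_DENY_MASK : THREAD_DENY_MASK;
    return req->desired & ~deny;
}

/* Could a caller holding the filtered handle still terminate the object? */
bool can_terminate(const handle_request_t *req, uint32_t protected_pid)
{
    ACCESS_MASK bit = (req->kind == OBJ_PROCESS) ? PROCESS_TERMINATE : THREAD_TERMINATE;
    return (filter_handle_access(req, protected_pid) & bit) != 0;
}

int main(void)
{
    const uint32_t protected_pid = 1234;  /* constructed sample PIDs */
    handle_request_t taskmgr = { OBJ_PROCESS, 1234, 5678, false, PROCESS_ALL_ACCESS };
    handle_request_t self    = { OBJ_PROCESS, 1234, 1234, false, PROCESS_ALL_ACCESS };
    handle_request_t thread  = { OBJ_THREAD,  1234, 5678, false, THREAD_ALL_ACCESS };
    printf("other process gets 0x%06x, can terminate: %d\n",
           (unsigned)filter_handle_access(&taskmgr, protected_pid), can_terminate(&taskmgr, protected_pid));
    printf("self gets 0x%06x\n", (unsigned)filter_handle_access(&self, protected_pid));
    printf("thread handle gets 0x%06x, can terminate: %d\n",
           (unsigned)filter_handle_access(&thread, protected_pid), can_terminate(&thread, protected_pid));
    return 0;
}

/* Hypothetical driver-side glue (sketch only, needs ntddk.h). The driver must be
 * linked with /INTEGRITYCHECK or ObRegisterCallbacks fails with STATUS_ACCESS_DENIED.
 *
 *   OB_PREOP_CALLBACK_STATUS PreOp(PVOID Ctx, POB_PRE_OPERATION_INFORMATION Info)
 *   {
 *       handle_request_t req;
 *       req.kind = (Info->ObjectType == *PsProcessType) ? OBJ_PROCESS : OBJ_THREAD;
 *       req.owner_pid = (uint32_t)(ULONG_PTR)(req.kind == OBJ_PROCESS
 *           ? PsGetProcessId((PEPROCESS)Info->Object)
 *           : PsGetThreadProcessId((PETHREAD)Info->Object));
 *       req.requester_pid = (uint32_t)(ULONG_PTR)PsGetCurrentProcessId();
 *       req.kernel_handle = Info->KernelHandle != 0;
 *       PACCESS_MASK da = (Info->Operation == OB_OPERATION_HANDLE_CREATE)
 *           ? &Info->Parameters->CreateHandleInformation.DesiredAccess
 *           : &Info->Parameters->DuplicateHandleInformation.DesiredAccess;
 *       req.desired = *da;
 *       *da = filter_handle_access(&req, g_protected_pid);
 *       return OB_PREOP_SUCCESS;  // a pre-op callback cannot fail the open, only trim rights
 *   }
 *
 * Register one OB_OPERATION_REGISTRATION each for PsProcessType and PsThreadType with
 * Operations = OB_OPERATION_HANDLE_CREATE | OB_OPERATION_HANDLE_DUPLICATE, inside an
 * OB_CALLBACK_REGISTRATION with Version = OB_FLT_REGISTRATION_VERSION and an Altitude. */
```

The open still succeeds, only with the dangerous bits stripped, so a later TerminateProcess on that handle fails with ERROR_ACCESS_DENIED rather than the open itself failing. Handles that already existed when the driver loaded are not revisited, and nothing here stops a caller that runs its own code in ring 0, which is the limitation EP_X0FF raises further down.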
 #16905  by r2nwcnydc
 Thu Nov 29, 2012 8:45 pm
It's not a great solution, but you could use NtSetInformationProcess with ProcessBreakOnTermination. This will mark the process as a critical system process, and the machine will crash if the process is terminated.

ObRegisterCallbacks is a better solution, but I just thought this method was worth mentioning.
 #16907  by xdeadcode
 Thu Nov 29, 2012 10:19 pm
Hi Tigzy,

Please take a look here:
http://code.msdn.microsoft.com/windowsh ... 41#content

Same can be achieved on 'older' obcallback-like OSes.

According to your post, I believe you meant CmCallbacks for tracking the registry.
Also, if you're interested in using ObCallbacks in a 'non-per-design' style, take a look here: http://www.inreverse.net/?p=1740

Best regards,
 #16908  by EP_X0FF
 Thu Nov 29, 2012 11:47 pm
Tigzy wrote: I was wondering if, in modern OSes, there are documented methods for protecting processes?
From what? And what is modern OS?
 #16922  by Tigzy
 Fri Nov 30, 2012 7:04 am
Yeah, I meant Cm callbacks for the registry.
I didn't know ObRegisterCallbacks could monitor processes :/

For EP_X0FF: this should work from XP to Win8 x64 (this is what I call "modern" => x64), so no hooks.
Thanks for the answers, I'll have a look.
 #16923  by EP_X0FF
 Fri Nov 30, 2012 7:09 am
Ob callbacks/PsSetCreateProcessNotifyRoutineEx are not supported by anything prior to Vista SP1. Overall, self-protection sucks and you are wasting your time. If someone wants to kill your software, they will.
 #16941  by Tigzy
 Sat Dec 01, 2012 11:31 am
I totally agree with you, EP. But something I don't want is someone simply opening the task manager and killing the service associated with my kernel filter.
I don't want to have foolproof protection, just a basic one to avoid at least userland tricks.

If I'm right, on XP there's no documented way to do this? Am I obliged to use ugly hooks on NtOpenProcess?
 #16944  by xdeadcode
 Sat Dec 01, 2012 1:20 pm
Hi Tigzy,

On non-obcallback-like systems (like WXP) you have no other choice to achieve that - only hooks (not sure if in your case you should be interested in hooking exactly NtOpenProcess, but this is your choice). For obcallback-like systems, look at the link I posted before. Not perfect, but it should be enough for your purpose.
Also be aware of 'creatures' like WXP x64, where I believe you have no option at all.

Best regards,
 #16945  by EP_X0FF
 Sat Dec 01, 2012 1:40 pm
Tigzy wrote: I totally agree with you, EP. But something I don't want is someone simply opening the task manager and killing the service associated with my kernel filter.
When you open Task Manager on Vista/7/8 with default system settings (UAC on) you CANNOT kill anything that is not running from your account. Once Task Manager is started privileged, it can kill everything except some internally blacklisted applications. So the question is not how many and which hooks you install - the question is when and how code will be executed. Once something gets system privileges - game over. On x64 you have an advantage because common malware cannot get into ring0. So use it.
Tigzy wrote: I don't want to have foolproof protection, just a basic one to avoid at least userland tricks.
Run a service->application combo with the service configured to restart on any error. The service is responsible for running your main tasks and restarting your application, while your application only provides a GUI (requestedExecutionLevel = asInvoker) for manipulating some service features, like for example scan. Protect the service registry keys by removing the current user from the ACL. Remove SeDebugPrivilege from the current user token globally, or downgrade the privileges of every newly starting process in ProcessNotify. That is all - no hooks. Or do you want to be the same laughingstock as these expensive and useless rattles? http://www.kernelmode.info/forum/viewto ... 657#p16657 <- Without a hook this is impossible; with the Comodo driver an incorrect call to the SST becomes legal, wonderful isn't it?
Tigzy wrote: If I'm right, on XP there's no documented way to do this? Am I obliged to use ugly hooks on NtOpenProcess?
PatchGuard won't allow you to do this.

Instead of trying to implement useless features, better focus on the program itself.