[Tigzy]

Hello

I need to find a mean to unregister callbacks set with cmregistercallback (or others , as PsSetNotifyxxx).
To do so, I guess we could find an object in memory where all of theses are stored, and nullify them.

Anyone ever tried to unregister callbacks?

[EP_X0FF]

Implementation of PsXXX callbacks are different on XP/2003 and Vista+
Implementation of CM callbacks are different on XP/2003 and Vista+

Meanwhile there are exists other callback types (Io, Se, Ke) all can be used by malware.

Yes it possible to remove them all. First of all you need length disasm engine.

[Tigzy]

I'm afraid misunderstood what you meant by "First of all you need length disasm engine."
The CmUnRegisterCallback needs a cookie, is it possible to bruteforce it? I guess a LARGE_INTEGER is a pain in the ass to bruteforce cause it's 64 bits long...

NTSTATUS CmUnRegisterCallback(
__in LARGE_INTEGER Cookie
);

[EP_X0FF]

How do you will decide what callback to remove with your brute-force (which itself is completely abnormal idea)? Kill them all with long long cycle?

I'm afraid misunderstood what you meant by "First of all you need length disasm engine."

http://www.kernelmode.info/forum/viewto ... ?f=15&t=38

[Tigzy]

How do you will decide what callback to remove with your brute-force (which itself is completely abnormal idea)? Kill them all with long long cycle?

Yes, that's not a such good idea :mrgreen:

http://www.kernelmode.info/forum/viewto ... ?f=15&t=38

Ouah, a whole engine only for that? Why is this necessary?

[EP_X0FF]

Ouah, a whole engine only for that? Why is this necessary?

Not whole, it's just a example. As in fact you need only LDE (Length Disassembler Engine). This is required for searching callbacks data (arrays, linked lists etc).

[Tigzy]

Yes, but why? Can you give me a hint, I'm really in the smog
What is the LDE, and in what is it usefull to get theses data?

[EP_X0FF]

Lets take PsSetCreateProcessNotifyRoutine and old NT5 as example because it's simpler.

Internally it looks like

Code: Select all

for (i=0; i < PSP_MAX_CREATE_PROCESS_NOTIFY; i++) {
        if (Remove) {
            if (PspCreateProcessNotifyRoutine[i] == NotifyRoutine) {
                PspCreateProcessNotifyRoutine[i] = NULL;
                PspCreateProcessNotifyRoutineCount -= 1;
                return STATUS_SUCCESS;
            }

        } else {
            if (PspCreateProcessNotifyRoutine[i] == NULL) {
                PspCreateProcessNotifyRoutine[i] = NotifyRoutine;
                PspCreateProcessNotifyRoutineCount += 1;
                return STATUS_SUCCESS;
            }
        }
    }

where PSP_MAX_CREATE_PROCESS_NOTIFY = 8, this value valid up to current time.

So to operate with callbacks of this type (for example to list them) you need to read PspCreateProcessNotifyRoutine array,

Code: Select all

PCREATE_PROCESS_NOTIFY_ROUTINE PspCreateProcessNotifyRoutine[ PSP_MAX_CREATE_PROCESS_NOTIFY ];

(which is not exported of course) from kernel memory. How to do this? Obviously by finding a valid pointer to this data. And this can be done by disassembling owner PsSetCreateProcessNotifyRoutine function body and looking for a specific pattern describing that array. There you need LDE (of course if you not plan to do any kind of hardcode - BSOD generator).

LoadImage, ThreadCreate also uses similar arrays (valid for NT5 kernels). CmRegistryCallback introduced in Windows XP and it's internals also varies from NT5 to NT6 versions. There is no generic way to get what you want. You need a separate callback handling code for two different kernels and data signatures also can depends from service pack version.

[Tigzy]

Thanks, It's much more clear like that :!:
I will push this aside, this is not part of my level currently ;)

[Brock]

PsX notify routines will be the easiest to locate, version checking is still imperative as EP mentions. Modern ARKs have had this feature for some time as has some malware.