Driver Introspection with DriverMon

Saturday, November 18, 2017

In the past few weeks I've been working in my non-existent spare time on DriverMon - a driver monitoring tool for Windows. The tool is far from complete, but it's already quite useful. In this post I'll describe how to use it and some of the challenges of building such a tool. Initially I wanted to be able to track every I/O Request Packet (IRP) targeted to monitored devices. The term "devices" here is important, as the Windows I/O system is device-centric rather than driver-centric. That is, requests are delivered to devices, not drivers. A device can be thought of...
no comments

Integrating COM IPC into Existing Executables

Friday, October 6, 2017

A few days ago at work, a requirement arouse to create some form of inter-process communication (IPC) between two cooperating processes where the source code for the executables themselves already existed, so such mechanism should integrate into the existing code as easily as possible, while providing bi-directional communication. Several options were brought up, including pipes and sockets. The processes are services and have no UI, so Window messages were not an option. Other ideas included shared memory with notifications using kernel event objects... and then I suggested COM. There was a brief silence and then people started murmuring things like "COM...
tags: , , ,
no comments

DLL Injection with SetThreadContext

Tuesday, September 5, 2017

There are several techniques available for injecting a DLL into a process. Each has its own strengths and drawbacks. The simplest one uses the CreateRemoteThread function to create a new thread in the target process and point the thread's start function to the the LoadLibrary function, as LoadLibray and a thread's starting function have the same prototype from a binary perspective (both accept a pointer). This method is the easiest to use but also the most visible. Creating a new thread can be "noticed" in several ways, such as with an ETW event. If a driver is present and is hooking...
no comments

Hooking COM Classes

Monday, August 7, 2017

There are some common scenarios that benefit from the ability to hook operations. The canonical example is hooking Windows API functions for debugging purposes, or for malware detection. In this scenario, some DLL is injected into a target process and then hooks relevant functions. There are several ways to do that, but that is not the focus of this post; the interested reader can search the web for more information. In the Component Object Model (COM) world, things are not so easy. Since COM is object based, it's not generally possible to get the address of a COM interface method,...
tags: , , , ,
no comments

C++ enum class Tip: Bitwise operator support

One of the nice features of C++ 11 is scoped enums ("enum class"). This solves a few issues with the classic C++ enums: Scoped enums don't "leak" into the enclosing scope as classic C++ enums do. Scoped enums don't automatically convert to integers, helping with type safety. Scoped enums can be declared with the size of the underlying integer. However, there is one feature that I believe was overlooked, or at least deemed unimportant to get into the standard: the automatic support for bitwise operations. For example, suppose I'm writing a class called Process that wraps a Windows process handle and provides convenient access...
no comments

Injecting a DLL without a Remote Thread

Tuesday, March 14, 2017

A well-known technique for injecting a DLL into another process involves using the CreateRemoteThread(Ex) function to create a thread in another process and point the thread function to the LoadLibraryA or LoadLibraryW, since these functions have the same signature (on the binary level) as a thread function. Before calling CreateRemoteThread, the caller uses VirtualAllocEx to allocate some memory to hold the path to the DLL. This technique is simple and reliable, but has a couple of drawbacks: 1. The target process must be opened with a relatively broad access mask that includes PROCESS_CREATE_THREAD. 2. Anti-malware agents typically...
2 comments

Using (Modern) C++ in Driver Development

Wednesday, November 30, 2016

When most developers think of writing a driver, they think of hard core C programming, with C99/C11 usage as a bonus - if they’re lucky. However, C++ can be used today in driver development, but not just for the ability to declare variables at any point in a function (available in C99 as well), but use more useful C++ features, both old and new, available with the C++ 11 and C++14 standards. In the kernel, there is no standard library nor C++ runtime library, which means most types used in user mode are simply unavailable, such as std::string, std::vector,...
one comment

NTFS Alternate Streams

Thursday, October 13, 2016

A little known feature of the NTFS file system is the ability to add “streams”, which are much like files, but hidden within a “normal” file. This can serve as a way to add custom metadata to a file without any standard tool noticing – the file size reported by standard APIs does not change, even though the added streams consume disk space. This is also a possible technique for malware to hide literally “in plain sight”, as these streams can be added to any file (PE or not), without anything looking suspicious with most standard tools. To create...
no comments

Kernel Pool Monitor – the GUI Version

Wednesday, September 14, 2016

The Windows Driver Kit (WDK) comes with a well known and pretty old tool called PoolMon. PoolMon shows kernel allocations done with ExAllocatePoolWithTag, where the pool type is typically Paged or NonPaged and each allocations is attached by a ‘tag’ – a four byte value that should indicate the component making the allocation. This is useful for finding memory leaks, since kernel memory is never automatically freed (as opposed to user mode processes). If a kernel component or driver sees its tag with increasing memory consumption – that would indicate a leak (unless it’s a transient burst of allocations...
one comment

Enhanced CPU Stress Tool

Saturday, June 11, 2016

The old (but still useful) tool called CPUSTRES (notice the 8-character name) allows simulating CPU activity with up to 4 threads, which can be controlled with activity level and priority. The tool can be downloaded from http://live.sysinternals.com/windowsinternals. Here's a screenshot: Old timers may recognize the tool's icon as the default MFC icon used with Visual C++ 6. The tool still works, but its age is showing (the binary has been modified in 1999). It has no minimize button, no way to create more threads, no way to change settings for multiple threads at a time, and lacks some other features that...
no comments