Hooking COM Classes

Monday, August 7, 2017

There are some common scenarios that benefit from the ability to hook operations. The canonical example is hooking Windows API functions for debugging purposes, or for malware detection. In this scenario, some DLL is injected into a target process and then hooks relevant functions. There are several ways to do that, but that is not the focus of this post; the interested reader can search the web for more information. In the Component Object Model (COM) world, things are not so easy. Since COM is object based, it's not generally possible to get the address of a COM interface method,...

C++ enum class Tip: Bitwise operator support

One of the nice features of C++ 11 is scoped enums ("enum class"). This solves a few issues with the classic C++ enums: Scoped enums don't "leak" into the enclosing scope as classic C++ enums do. Scoped enums don't automatically convert to integers, helping with type safety. Scoped enums can be declared with the size of the underlying integer. However, there is one feature that I believe was overlooked, or at least deemed unimportant to get into the standard: the automatic support for bitwise operations. For example, suppose I'm writing a class called Process that wraps a Windows process handle and provides convenient access...

Injecting a DLL without a Remote Thread

Tuesday, March 14, 2017

A well-known technique for injecting a DLL into another process involves using the CreateRemoteThread(Ex) function to create a thread in another process and point the thread function to LoadLibraryA or LoadLibraryW, since these functions have the same signature (on the binary level) as a thread function. Before calling CreateRemoteThread, the caller uses VirtualAllocEx to allocate some memory to hold the path to the DLL. This technique is simple and reliable, but has a couple of drawbacks: 1. The target process must be opened with a relatively broad access mask that includes PROCESS_CREATE_THREAD. 2. Anti-malware agents typically...

Using (Modern) C++ in Driver Development

Wednesday, November 30, 2016

When most developers think of writing a driver, they think of hardcore C programming, with C99/C11 usage as a bonus - if they’re lucky. However, C++ can be used today in driver development, not just for the ability to declare variables at any point in a function (available in C99 as well), but to use more useful C++ features, both old and new, available with the C++11 and C++14 standards. In the kernel, there is no standard library nor C++ runtime library, which means most types used in user mode are simply unavailable, such as std::string, std::vector,...

NTFS Alternate Streams

Thursday, October 13, 2016

A little known feature of the NTFS file system is the ability to add “streams”, which are much like files, but hidden within a “normal” file. This can serve as a way to add custom metadata to a file without any standard tool noticing – the file size reported by standard APIs does not change, even though the added streams consume disk space. This is also a possible technique for malware to hide literally “in plain sight”, as these streams can be added to any file (PE or not), without anything looking suspicious with most standard tools. To create...

Kernel Pool Monitor – the GUI Version

Wednesday, September 14, 2016

The Windows Driver Kit (WDK) comes with a well-known and pretty old tool called PoolMon. PoolMon shows kernel allocations done with ExAllocatePoolWithTag, where the pool type is typically Paged or NonPaged and each allocation carries a ‘tag’ – a four-byte value that should indicate the component making the allocation. This is useful for finding memory leaks, since kernel memory is never automatically freed (as opposed to user-mode processes). If a kernel component or driver sees its tag with increasing memory consumption – that would indicate a leak (unless it’s a transient burst of allocations...

Enhanced CPU Stress Tool

Saturday, June 11, 2016

The old (but still useful) tool called CPUSTRES (notice the 8-character name) allows simulating CPU activity with up to 4 threads, which can be controlled with activity level and priority. The tool can be downloaded from http://live.sysinternals.com/windowsinternals. Here's a screenshot: Old timers may recognize the tool's icon as the default MFC icon used with Visual C++ 6. The tool still works, but its age is showing (the binary was last modified in 1999). It has no minimize button, no way to create more threads, no way to change settings for multiple threads at a time, and lacks some other features that...

Code Injection with Image File Execution Options

Saturday, April 9, 2016

A well-known feature of Windows is the Image File Execution Options registry key located in HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options. Under that key, subkeys named after executable files (e.g. Notepad.exe) can be created and various options can be set. These options are observed when a process with that executable name (from any directory) is about to be created. A convenient tool to set these options is the Gflags.exe utility, available as part of the Debugging Tools for Windows. One of the useful values is "Debugger", which allows another process (typically a debugger) to be launched when the specific executable is...

The many ways of getting process information

Sunday, November 29, 2015

Processes are one of the most fundamental building blocks in Windows (and most other operating systems for that matter, even if the term differs). These are management objects, managing various resources such as memory and handles, to be used by the threads actually executing within that process. Various tools, such as Task Manager and Process Explorer, show information about processes, but how can we get that information programmatically? At first, it seems rather easy. If we’re working in .NET, then all we have to do is call the static Process.GetProcesses method and receive back an array of...

Build 2015 Impressions

Saturday, May 2, 2015

The Build 2015 conference just ended. It was one of the most important Build/PDC conferences since Build/PDC's inception. Most (if not all) sessions are available on Channel 9, and even those who attended Build (myself included) saw only a fraction of the sessions, since there were about 10 of them in each time slot. To get a good overview of the various announcements and get links to important downloads, you should head to this post in the Visual Studio blog. What follows are my own impressions and opinions on some of what I experienced at this year’s...