Injecting a DLL without a Remote Thread

Tuesday, March 14, 2017

A well-known technique for injecting a DLL into another process involves using the CreateRemoteThread(Ex) function to create a thread in another process and pointing the thread function at LoadLibraryA or LoadLibraryW, since these functions have the same signature (at the binary level) as a thread function. Before calling CreateRemoteThread, the caller uses VirtualAllocEx to allocate some memory to hold the path to the DLL. This technique is simple and reliable, but has a couple of drawbacks: 1. The target process must be opened with a relatively broad access mask that includes PROCESS_CREATE_THREAD. 2. Anti-malware agents typically...

Using (Modern) C++ in Driver Development

Wednesday, November 30, 2016

When most developers think of writing a driver, they think of hard-core C programming, with C99/C11 usage as a bonus - if they’re lucky. However, C++ can be used today in driver development, and not just for the ability to declare variables at any point in a function (available in C99 as well), but for more useful C++ features, both old and new, available with the C++11 and C++14 standards. In the kernel, there is no standard library nor C++ runtime library, which means most types used in user mode are simply unavailable, such as std::string, std::vector,...

NTFS Alternate Streams

Thursday, October 13, 2016

A little known feature of the NTFS file system is the ability to add “streams”, which are much like files, but hidden within a “normal” file. This can serve as a way to add custom metadata to a file without any standard tool noticing – the file size reported by standard APIs does not change, even though the added streams consume disk space. This is also a possible technique for malware to hide literally “in plain sight”, as these streams can be added to any file (PE or not), without anything looking suspicious with most standard tools. To create...

Kernel Pool Monitor – the GUI Version

Wednesday, September 14, 2016

The Windows Driver Kit (WDK) comes with a well-known and pretty old tool called PoolMon. PoolMon shows kernel allocations done with ExAllocatePoolWithTag, where the pool type is typically Paged or NonPaged and each allocation is marked with a ‘tag’ – a four-byte value that should indicate the component making the allocation. This is useful for finding memory leaks, since kernel memory is never automatically freed (as opposed to user mode processes). If a kernel component or driver sees its tag with increasing memory consumption – that would indicate a leak (unless it’s a transient burst of allocations...

Enhanced CPU Stress Tool

Saturday, June 11, 2016

The old (but still useful) tool called CPUSTRES (notice the 8-character name) allows simulating CPU activity with up to 4 threads, each of which can be controlled with an activity level and priority. The tool can be downloaded from http://live.sysinternals.com/windowsinternals. Here's a screenshot: Old timers may recognize the tool's icon as the default MFC icon used with Visual C++ 6. The tool still works, but its age is showing (the binary was last modified in 1999). It has no minimize button, no way to create more threads, no way to change settings for multiple threads at a time, and lacks some other features that...

Code Injection with Image File Execution Options

Saturday, April 9, 2016

A well-known feature of Windows is the Image File Execution Options registry key located in HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options. Under that key, subkeys named after executable files (e.g. Notepad.exe) can be created and various options can be set. These options are observed when a process with that executable name (from any directory) is about to be created. A convenient tool to set these options is the Gflags.exe utility, available as part of the Debugging Tools for Windows. One of the useful values is "Debugger", which allows another process (typically a debugger) to be launched when the specific executable is...

The many ways of getting process information

Sunday, November 29, 2015

Processes are one of the most fundamental building blocks in Windows (and most other operating systems for that matter, even if the term differs). These are management objects, managing various resources such as memory and handles, to be used by the actual executing threads within that process. Various tools, such as Task Manager and Process Explorer, show information about processes, but how can we get that information programmatically? At first, it seems rather easy. If we’re working in .NET, then all we have to do is call the static Process.GetProcesses method and receive back an array of...

Build 2015 Impressions

Saturday, May 2, 2015

The Build 2015 conference just ended. It was one of the most important Build/PDC conferences since Build/PDC's inception. Most (if not all) sessions are available on Channel 9, and even those that attended Build (myself included) were in only a fraction of the sessions, since there were about 10 of them in each time slot. To get a good overview of the various announcements and get links to important downloads, you should head to this post in the Visual Studio blog. What follows are my own impressions and opinions on some of what I experienced at this year’s...

Making COM Collections Easily Consumable by .NET

Monday, April 13, 2015

In .NET, developers are accustomed to using constructs such as foreach to iterate over collections. In .NET, “Collection” refers to two types of objects:
1. Those that implement the IEnumerable or IEnumerable<T> interface.
2. Objects that don’t implement these interfaces, but have a method called GetEnumerator that returns some object that has the following:
   a. A MoveNext method that returns a boolean and accepts nothing.
   b. A Current property that returns the type of object that the collection provides.
Notice that no IEnumerator interface implementation is required. All this means that the (e.g. C#) compiler does pattern matching...

Introduction to Win2D

Wednesday, November 19, 2014

The Windows Runtime UI stack uses XAML for general 2D layout and graphics. It provides various controls, such as TextBox, ItemsControl and DatePicker. It even provides shape-like elements such as Line, Ellipse, Rectangle and Path. However, the XAML layout and rendering engine, while flexible, may not be performant enough for certain kinds of applications and games. Also, it does not support general “drawing” functions (WPF, for example, does provide that with the DrawingContext class). Win2D is a new Windows Runtime library, currently in development by Microsoft, that provides a WinRT wrapper over Direct2D. Direct2D is a DirectX...