Injecting a DLL without a Remote Thread

Tuesday, March 14, 2017

A well-known technique for injecting a DLL into another process involves using the CreateRemoteThread(Ex) function to create a thread in another process and point the thread function to the LoadLibraryA or LoadLibraryW, since these functions have the same signature (on the binary level) as a thread function. Before calling CreateRemoteThread, the caller uses VirtualAllocEx to allocate some memory to hold the path to the DLL. This technique is simple and reliable, but has a couple of drawbacks: 1. The target process must be opened with a relatively broad access mask that includes PROCESS_CREATE_THREAD. 2. Anti-malware agents typically...
no comments

Hiding Named Objects

Thursday, March 2, 2017

A common technique in Windows for sharing kernel objects between processes is by using a name. The cooperating processes call the appropriate Create function (e.g. CreateMutex) and specify a simple string name. The first process to make the call actually creates the object, and subsequent processes get another handle to the exact same object. Whether that's a new object or not does not usually matter; however, that piece of information is returned with a GetLastError() code of ERROR_ALREADY_EXISTS. Another option is to call the corresponding Open (e.g. OpenMutex) function in cases where it's known that the intended object has...
no comments

Monitoring ALPC Messages

Sunday, February 12, 2017

The Advanced (or Asynchronous if you prefer) Local Procedure Calls (ALPC) is the internal communication mechanism Windows components use as an inter-process communication (IPC) mechanism for message exchange. Conceptually, it's similar in principle to Remote Procedure Calls (RPC), with client and server ports, but does not use any networking, and is optimized for different message sizes. ALPC messages can reveal the hidden communication between various processes that are almost invisible otherwise. Conceptually, hooking ALPC messages is possible but not easy. First, the user mode and kernel mode APIs are undocumented. Second, hooking would likely involve all processes for which...
no comments

MEF Tip: Initializing Objects

Monday, December 5, 2016

I like MEF. Maybe it's because of the default way MEF binds – using custom attributes; I like the declarative nature of attributes. Anyway, MEF exports declare their dependencies through the Import attribute. Here is a simple class export that has some imports:class AppManager {         ILogger _logger;         IFileService _fileService;     public AppManager() {        _logger.LogMessage("AppManager created");    }     public void DoWork() {        var filename = _fileService.GetFileForOpen();        if (filename == null)            return;         _logger.LogMessage("Opening file...");         var lines = File.ReadAllLines(filename);        _logger.LogMessage("Reading done.");         Console.WriteLine($"Read {lines.Length} lines of text.");    }} The AppManager class has two dependencies – an ILogger implementation and...
no comments

Using (Modern) C++ in Driver Development

Wednesday, November 30, 2016

When most developers think of writing a driver, they think of hard core C programming, with C99/C11 usage as a bonus - if they’re lucky. However, C++ can be used today in driver development, but not just for the ability to declare variables at any point in a function (available in C99 as well), but use more useful C++ features, both old and new, available with the C++ 11 and C++14 standards. In the kernel, there is no standard library nor C++ runtime library, which means most types used in user mode are simply unavailable, such as std::string, std::vector,...
no comments

NTFS Alternate Streams

Thursday, October 13, 2016

A little known feature of the NTFS file system is the ability to add “streams”, which are much like files, but hidden within a “normal” file. This can serve as a way to add custom metadata to a file without any standard tool noticing – the file size reported by standard APIs does not change, even though the added streams consume disk space. This is also a possible technique for malware to hide literally “in plain sight”, as these streams can be added to any file (PE or not), without anything looking suspicious with most standard tools. To create...
no comments

Kernel Pool Monitor – the GUI Version

Wednesday, September 14, 2016

The Windows Driver Kit (WDK) comes with a well known and pretty old tool called PoolMon. PoolMon shows kernel allocations done with ExAllocatePoolWithTag, where the pool type is typically Paged or NonPaged and each allocations is attached by a ‘tag’ – a four byte value that should indicate the component making the allocation. This is useful for finding memory leaks, since kernel memory is never automatically freed (as opposed to user mode processes). If a kernel component or driver sees its tag with increasing memory consumption – that would indicate a leak (unless it’s a transient burst of allocations...
no comments

BgInfo – WPF Style

Sunday, August 28, 2016

The well-known BgInfo Sysinternals tool can be used to display on the desktop a configurable set of information items regarding the system, such as physical memory size, CPU type, machine name, domain, volumes, network information and much more. BgInfo writes "its thing" on the desktop by replacing the wallpaper with a custom one that can be simply a layering over the user selected one, or configured with some color or image, etc. Once BgInfo sets the wallpaper, it exits. Just for fun, I wanted to create a similar tool, but take a different approach. Changing the wallpaper is a cool approach,...
no comments

PE Explorer (Work in progress)

Saturday, July 16, 2016

The other day I wanted to take a look at a DLL file and see its imports, exports, resources and other interesting information. There are several tools out there that show part of this information, some of which are not free, so I thought why not create a Portable Executable (PE) Viewer for myself? If nothing else, at least to gain a better understanding of the PE format. The PE format is called "Portable" because it's not essentially tied to Windows and can represent files on any OS. The format has evolved over the years but still retains its backwards...
no comments

Enhanced CPU Stress Tool

Saturday, June 11, 2016

The old (but still useful) tool called CPUSTRES (notice the 8-character name) allows simulating CPU activity with up to 4 threads, which can be controlled with activity level and priority. The tool can be downloaded from http://live.sysinternals.com/windowsinternals. Here's a screenshot: Old timers may recognize the tool's icon as the default MFC icon used with Visual C++ 6. The tool still works, but its age is showing (the binary has been modified in 1999). It has no minimize button, no way to create more threads, no way to change settings for multiple threads at a time, and lacks some other features that...
no comments