Public Remote Windows Internals Training!

Tuesday, April 3, 2018

This is the first public remote class that I will be delivering. It's Windows Internals this time (other classes will be provided in the future). Here are the basic details: Windows Internals Training Instructor: Pavel Yosifovich Public 5-day remote class Dates (updated): June 19, 20, 21, 25, 26 Time: 8 hours / day. Exact hours TBD Price: 1950 USD Register by emailing and specifying “Windows Internals Training” in the title and provide names of participants (discount available for multiple participants from the same company), company name and time zone. You’ll receive instructions for payment and other details. Virtual space is limited! Note the changed dates! Objectives: Understand the Windows system...
no comments

Intercepting COM Objects with CoGetInterceptor

Wednesday, February 28, 2018

A while back I wrote about COM interception with CoTreatAsClass. The idea there is to redirect a CLSID to another CLSID implemented by the interceptor. This has the advantage of automatic redirection in cases where a different implementation is desired. However, it makes it difficult to just wrap the original class because its creation becomes masked as well, and so CoTreatAsClass needs to be called again, removing the redirection just enough time to create the original object. This creates an inherent race condition, where new instances could be created in between and the interception "missed". The COM infrastructure includes other...
tags: , , , ,
no comments

ProcMon vs. ProcMonX

Wednesday, January 17, 2018

The (now classic) Process Monitor tool from Sysinternals allows watching important activities on a system: process and thread creation/termination, image loading/unloading, file system operations and registry operations (and some profiling events). This tool helped me many times in diagnosing issues or just understanding what's going on in a particular scenario. Yesterday I released the first preview of a tool called Process Monitor X (ProcMonX), as a possible alternative to ProcMon. ProcMonX provides information on similar activities to ProcMon, but adds many more events, such as networking, ALPC and memory. In fact, the number of possible events is staggering, since there...
no comments

Driver Introspection with DriverMon

Saturday, November 18, 2017

In the past few weeks I've been working in my non-existent spare time on DriverMon - a driver monitoring tool for Windows. The tool is far from complete, but it's already quite useful. In this post I'll describe how to use it and some of the challenges of building such a tool. Initially I wanted to be able to track every I/O Request Packet (IRP) targeted to monitored devices. The term "devices" here is important, as the Windows I/O system is device-centric rather than driver-centric. That is, requests are delivered to devices, not drivers. A device can be thought of...
no comments

DLL Injection with SetThreadContext

Tuesday, September 5, 2017

There are several techniques available for injecting a DLL into a process. Each has its own strengths and drawbacks. The simplest one uses the CreateRemoteThread function to create a new thread in the target process and point the thread's start function to the the LoadLibrary function, as LoadLibray and a thread's starting function have the same prototype from a binary perspective (both accept a pointer). This method is the easiest to use but also the most visible. Creating a new thread can be "noticed" in several ways, such as with an ETW event. If a driver is present and is hooking...
no comments

Enumerating Job Objects

Saturday, June 17, 2017

Job objects have been around since Windows 2000, providing a convenient way to set limits and otherwise manage a set of processes. Up until Windows 8 job objects were used sparingly, because a process could only be associated with a single job at most. That would mean an application wanting to set some limits on a process it does not create explicitly had no way of knowing whether that process was already part of a job. If it were, assigning it to another job would simply fail. Starting with Windows 8, jobs can be nested, effectively creating a job hierarchy...
no comments

Enhanced GFlags Tool

Monday, April 3, 2017

The well-known GFlags tool, part of the Debugging tools for Windows package allows manipulating a 32-bit flags value maintained by the kernel and per-process. Strictly speaking, Gflags allows changing more than just these flags, such as adding the Debugger value to an image file entry that indicates which executable should be activated whenever the original image is executed. GFlags has a crude user interface that has not been updated for ages. The first annoyance with its UI is the lack of a minimize button. Here's a screenshot: The tool provides a way to change flags for three...
no comments

Injecting a DLL without a Remote Thread

Tuesday, March 14, 2017

A well-known technique for injecting a DLL into another process involves using the CreateRemoteThread(Ex) function to create a thread in another process and point the thread function to the LoadLibraryA or LoadLibraryW, since these functions have the same signature (on the binary level) as a thread function. Before calling CreateRemoteThread, the caller uses VirtualAllocEx to allocate some memory to hold the path to the DLL. This technique is simple and reliable, but has a couple of drawbacks: 1. The target process must be opened with a relatively broad access mask that includes PROCESS_CREATE_THREAD. 2. Anti-malware agents typically...

Hiding Named Objects

Thursday, March 2, 2017

A common technique in Windows for sharing kernel objects between processes is by using a name. The cooperating processes call the appropriate Create function (e.g. CreateMutex) and specify a simple string name. The first process to make the call actually creates the object, and subsequent processes get another handle to the exact same object. Whether that's a new object or not does not usually matter; however, that piece of information is returned with a GetLastError() code of ERROR_ALREADY_EXISTS. Another option is to call the corresponding Open (e.g. OpenMutex) function in cases where it's known that the intended object has...
no comments

Monitoring ALPC Messages

Sunday, February 12, 2017

The Advanced (or Asynchronous if you prefer) Local Procedure Calls (ALPC) is the internal communication mechanism Windows components use as an inter-process communication (IPC) mechanism for message exchange. Conceptually, it's similar in principle to Remote Procedure Calls (RPC), with client and server ports, but does not use any networking, and is optimized for different message sizes. ALPC messages can reveal the hidden communication between various processes that are almost invisible otherwise. Conceptually, hooking ALPC messages is possible but not easy. First, the user mode and kernel mode APIs are undocumented. Second, hooking would likely involve all processes for which...
no comments