- Copying a kernel routine
- Posted by Hummingbird on December 29th, 2007
Hi everyone.
I want to make some changes to a kernel routine and use it by myself (which
means other drivers in the system cannot use this new routine and those
changes will not affect other drivers).
What I am thinking is I can allocate a non-paged pool, and copy the whole
routine to this pool, modify it and call it by the pointer to the pool.
I don't know if I am right. And here is another problem: how can I know the
size of the whole routine? Do i need a small disassembler in my driver or
something?
Many Thanks.
- Posted by Don Burn on December 29th, 2007
Bad idea in general. First, if this is a modern processor it won't work, since
the paged area will not have the execute bit. Second, the code is linked
to a location, so how are you going to determine the relocs (this is where a
full disassembler comes in handy)? Third, how do you know that the code does
not depend on external factors that you cannot control?
Why do you think you need this? What function do you think you will be able
to diddle at the binary level?
--
Don Burn (MVP, Windows DDK)
Windows 2k/XP/2k3 Filesystem and Driver Consulting
Website: http://www.windrvr.com
Blog: http://msmvps.com/blogs/WinDrvr
Remove StopSpam to reply
"Hummingbird" <Hummingbird@discussions.microsoft.com> wrote in message
news:BCB81727-C855-4B33-9F06-FB7C62377923@microsoft.com...
- Posted by Volodymyr Shcherbyna on December 29th, 2007
If you want to hide the implementation of some algorithm, I would recommend
using an obfuscator for that part of the code.
--
Volodymyr
NG tips:
http://msmvps.com/blogs/v_scherbina/...oups-tips.aspx
"Don Burn" <burn@stopspam.windrvr.com> wrote in message
news:%23vK86ehSIHA.5104@TK2MSFTNGP05.phx.gbl...
- Posted by Hummingbird on December 29th, 2007
Hi, thanks for responding.
Well, I am writing anti-malware software, actually. As you know, they use
hooks and modify the Windows kernel to hide and protect themselves.
You are right, relocation is a problem. I can use something like
LdrRelocateImageWithBias (I mean write another one myself since it's not
exported), but that means I have to copy the whole ntoskrnl.exe to the pool.
About the execute bit, I guess we can set it manually since we are in Ring
0, just like the CR0 register. I don't know if I am right. But maybe that's
not recommended by Microsoft.
"Don Burn" wrote:
- Posted by Don Burn on December 29th, 2007
Oh, let's see, you are going to modify the page table, but not the internal
databases the OS creates with them; that is great MALWARE that will likely
crash the system, so you don't need to be stopping MALWARE, you are that
CRAP.
If you need a kernel-like routine, design your own, but of course, as I said
in the first message, it is not just code, you have to worry about global
data. Sorry, from what I have seen, approaches like yours destabilize the
system worse than the junk they are supposed to protect us from.
--
Don Burn (MVP, Windows DDK)
Windows 2k/XP/2k3 Filesystem and Driver Consulting
Website: http://www.windrvr.com
Blog: http://msmvps.com/blogs/WinDrvr
Remove StopSpam to reply
"Hummingbird" <Hummingbird@discussions.microsoft.com> wrote in message
news
B563E74-2151-4636-9201-B3FDAAEDD8B3@microsoft.com...
- Posted by Vetzak on December 31st, 2007
Bad idea. Stay off the CR0 register or any other processor state. The
OS manages this state.
I would try this method: Extend the size of the .text segment in your
driver .sys file. The .text segment is marked as executable by the OS.
Once loaded into memory, you can use the extra, unused bytes and fill
them up with your own subroutine(s).
You may want to write such routines in assembler. Relocations: you can
extract them from the .obj file, or write assembler code that does not
depend on fixed addresses.
On Dec 29, 11:41 pm, Hummingbird
<Hummingb...@discussions.microsoft.com> wrote:
- Posted by Hummingbird on December 31st, 2007
That's a good idea. Thanks a lot.
I can create a dummy function like
_asm
{
nop;
nop;
nop;
....
}
and copy the kernel routine into this address.
I'll try it. Thanks again.
"Vetzak" wrote:
- Posted by Alexander Grigoriev on January 1st, 2008
Again,
moving arbitrary code to a different location is a BAD idea.
"Hummingbird" <Hummingbird@discussions.microsoft.com> wrote in message
news
C1E26FF-936F-4147-B0EC-6DDC099FC312@microsoft.com...
- Posted by Vetzak on January 2nd, 2008
On Jan 1, 4:42 pm, "Alexander Grigoriev" <al...@earthlink.net> wrote:
Why is that? If it works, it's okay.
- Posted by Tim Roberts on January 3rd, 2008
Hummingbird <Hummingbird@discussions.microsoft.com> wrote:
Since you will have to disassemble and understand the routine in order to
copy and modify it, why don't you just reengineer the routine in your own
code?
--
Tim Roberts, timr@probo.com
Providenza & Boekelheide, Inc.