Detecting Test Mode

Forum for discussion about kernel-mode development.
Sagaantheepic
Posts: 3
Joined: Mon Jul 09, 2018 7:15 am

Detecting Test Mode

Post by Sagaantheepic » Tue Jul 10, 2018 12:01 pm

Well, I am basically developing a driver of sorts which acts like my personal antivirus and such. I was wanting to move on to process protection, where I can use my antivirus to protect a program. So far I am using ObRegisterCallback for both thread and process handles, stripping their permissions. I have also set up a signature scan in my user-mode program so I can scan for any potential viruses or programs with ill intent. I am also using other callbacks to monitor process creation and thread creation, together with modules loaded. So the last step would be test mode. I really have nothing against drivers just screwing up my programs.

Well, I searched a bit and couldn't really find a way. Remember that I do have a signed driver (not a minifilter), so I can load it normally. I would love it if it works for both 64-bit and 32-bit, even though 32-bit doesn't have DSE, so it would be all right if it doesn't really work for 32-bit. Other than that, if there are ways of properly checking loaded drivers' digital signatures, that would be lovely as well. Other things such as anti-read/write would be great too; remember that I am stripping read and write permissions from programs, but I am just worried about people abusing lsass or csrss to gain a handle with full permissions.

Thank you for any help!

tangptr
Posts: 28
Joined: Mon Nov 14, 2016 11:14 am
Location: People Republic of China

Re: Detecting Test Mode

Post by tangptr » Wed Jul 11, 2018 5:57 am

The most "quick-and-dirty" way is to load a test-signed-only driver for detection.
In addition, 32-bit NT6 systems do have DSE. It is disabled by default, but you may dynamically enable it by patching the "Code-Integrity Driver".
At long last, the jumping hands of time will be halted by a weakling cast in eternal solitude.

Sagaantheepic
Posts: 3
Joined: Mon Jul 09, 2018 7:15 am

Re: Detecting Test Mode

Post by Sagaantheepic » Wed Jul 11, 2018 6:46 am

Ahhhh. Is there any other way to do it via the kernel? There has to be something.

Vrtule
Posts: 461
Joined: Sat Mar 13, 2010 9:14 pm
Location: Czech Republic

Re: Detecting Test Mode

Post by Vrtule » Wed Jul 11, 2018 11:04 am

even though 32 bit doesnt have DSE
It is still good to have your 32-bit driver binary signed in order to avoid troubles with routines such as ObRegisterCallbacks or PsSetCreateProcessNotifyRoutineEx. They can be called even from an unsigned driver, but it is quite a dirty hack.
if there are ways of maybe checking for loaded driver's digital signatures
Well, you need to find the driver's file and check its signature (WinVerifyTrust may be helpful). As far as I know, this cannot be simply done from kernel mode, so you would need a service collaborating closely with your driver. You probably should be able to launch it as a protected process if you sign it with your certificate.

tangptr
Posts: 28
Joined: Mon Nov 14, 2016 11:14 am
Location: People Republic of China

Re: Detecting Test Mode

Post by tangptr » Thu Jul 12, 2018 10:12 am

I shall emphasize that THERE IS a DSE component on 32-bit Windows, albeit disabled at kernel initialization.
Therefore, you may enable DSE on 32-bit Windows by hacking the "Code-Integrity driver". It can be done by doing the opposite of what is done to disable DSE on Win64.
At long last, the jumping hands of time will be halted by a weakling cast in eternal solitude.

EP_X0FF
Global Moderator
Posts: 4812
Joined: Sun Mar 07, 2010 5:35 am
Location: Russian Federation

Re: Detecting Test Mode

Post by EP_X0FF » Thu Jul 12, 2018 7:11 pm

Sagaantheepic wrote:
Tue Jul 10, 2018 12:01 pm
You can detect Test Mode by calling ZwQuerySystemInformation with the SystemCodeIntegrityInformation flag and checking the returned flags in SYSTEM_CODEINTEGRITY_INFORMATION.state for CODEINTEGRITY_OPTION_ENABLED and CODEINTEGRITY_OPTION_TESTSIGN. However, this may be unavailable on old Windows versions.
Ring0 - the source of inspiration
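The check EP_X0FF describes, as an added example that is not code from the thread. In the WDK header (ntddk.h) the information class is SystemCodeIntegrityInformation = 103 and the struct is SYSTEM_CODEINTEGRITY_INFORMATION { ULONG Length; ULONG CodeIntegrityOptions; }, so the flags live in the CodeIntegrityOptions field; Length must be filled in before the call. The query below goes through ntdll's NtQuerySystemInformation so it can run from a user-mode helper; a driver makes the identical call through ZwQuerySystemInformation. The classification is kept in a separate pure function so the flag logic can be tested without Windows. The constants are the public ntddk.h values, re-declared here so the file also builds without the WDK; the sample value used on non-Windows builds is constructed for illustration.

```c
/*
 * Added example: read SystemCodeIntegrityInformation and decide whether
 * the machine is in Test Mode. Constants and struct layout match ntddk.h
 * (Win8+ WDK) and are re-declared so the file builds without the WDK.
 * The query is Windows-only; the classification is portable and testable.
 */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

#ifdef _WIN32
#include <windows.h>
#endif

#define SystemCodeIntegrityInformation         103   /* SYSTEM_INFORMATION_CLASS value */
#define CODEINTEGRITY_OPTION_ENABLED           0x01u
#define CODEINTEGRITY_OPTION_TESTSIGN          0x02u
#define CODEINTEGRITY_OPTION_DEBUGMODE_ENABLED 0x80u

typedef struct {
    uint32_t Length;               /* must be set to sizeof(struct) on input */
    uint32_t CodeIntegrityOptions; /* CODEINTEGRITY_OPTION_* bit mask */
} CI_INFO;                         /* same layout as SYSTEM_CODEINTEGRITY_INFORMATION */

enum ci_state {
    CI_NOT_ENFORCED, /* ENABLED bit clear: kernel CI is not enforcing */
    CI_ENFORCED,     /* ENABLED set, TESTSIGN clear */
    CI_TEST_MODE     /* ENABLED and TESTSIGN both set */
};

/* The check from the post: both ENABLED and TESTSIGN must be present.
 * TESTSIGN without ENABLED is not treated as Test Mode. */
enum ci_state classify_ci(uint32_t options)
{
    if (!(options & CODEINTEGRITY_OPTION_ENABLED))
        return CI_NOT_ENFORCED;
    if (options & CODEINTEGRITY_OPTION_TESTSIGN)
        return CI_TEST_MODE;
    return CI_ENFORCED;
}

/* Debug mode is worth reporting alongside Test Mode for the same reason:
 * it is another boot setting that relaxes what the kernel will load. */
bool ci_debug_mode_flag(uint32_t options)
{
    return (options & CODEINTEGRITY_OPTION_DEBUGMODE_ENABLED) != 0;
}

const char *ci_state_name(enum ci_state s)
{
    switch (s) {
    case CI_NOT_ENFORCED: return "not enforced";
    case CI_ENFORCED:     return "enforced";
    case CI_TEST_MODE:    return "TEST MODE (test-signed drivers accepted)";
    }
    return "?";
}

#ifdef _WIN32
typedef LONG (NTAPI *NtQSI_t)(ULONG, PVOID, ULONG, PULONG);

/* User-mode query via ntdll. Returns false where the information class is
 * unsupported (old Windows); treat that as "unknown", never as "safe". */
bool query_ci_options(uint32_t *out)
{
    HMODULE ntdll = GetModuleHandleW(L"ntdll.dll");
    if (!ntdll) return false;
    NtQSI_t fn = (NtQSI_t)GetProcAddress(ntdll, "NtQuerySystemInformation");
    if (!fn) return false;

    CI_INFO info = { sizeof(info), 0 };
    ULONG ret = 0;
    LONG status = fn(SystemCodeIntegrityInformation, &info, sizeof(info), &ret);
    if (status < 0) return false;  /* NTSTATUS failure, e.g. STATUS_INVALID_INFO_CLASS */
    *out = info.CodeIntegrityOptions;
    return true;
}
#endif

int main(void)
{
#ifdef _WIN32
    uint32_t opts;
    if (!query_ci_options(&opts)) {
        puts("SystemCodeIntegrityInformation unavailable on this Windows version");
        return 1;
    }
#else
    /* Constructed sample for non-Windows builds: ENABLED | TESTSIGN. */
    uint32_t opts = CODEINTEGRITY_OPTION_ENABLED | CODEINTEGRITY_OPTION_TESTSIGN;
#endif
    printf("CodeIntegrityOptions = 0x%08x -> %s%s\n", opts,
           ci_state_name(classify_ci(opts)),
           ci_debug_mode_flag(opts) ? " [debug mode]" : "");
    return 0;
}
```

Two practical notes. A failed call (old Windows that does not know the class) must be reported as unknown rather than as "not test mode", otherwise the oldest systems silently pass the check. And the result is advisory only: an attacker who can already load a test-signed or unsigned driver can also tamper with whatever the check reads, so it belongs in a layered posture next to the signature verification Vrtule describes, not as a gate on its own.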

Sagaantheepic
Posts: 3
Joined: Mon Jul 09, 2018 7:15 am

Re: Detecting Test Mode

Post by Sagaantheepic » Fri Jul 13, 2018 2:24 am

Any other ways?

EP_X0FF
Global Moderator
Posts: 4812
Joined: Sun Mar 07, 2010 5:35 am
Location: Russian Federation

Re: Detecting Test Mode

Post by EP_X0FF » Fri Jul 13, 2018 4:52 pm

All other ways are stupid.
Ring0 - the source of inspiration
