Monitoring Processes on Windows NT from Usermode (x86 & x64)

Forum for discussion about user-mode development.
Mut4nt
Posts: 19
Joined: Wed May 30, 2012 5:41 am
Location: Russian Federation

Re: Monitoring Processes on Windows NT from Usermode (x86 &

Post by Mut4nt » Sun Nov 11, 2012 5:13 pm

kmd wrote: it's good doing something, mutant, thanks..

but how to say... no offense... if it were posted 10-12 years ago then something like it would be worth it.. somehow. But in 2012 a post about inline hooks?
Well, as we know, on Windows NT there is no callback function (from user mode) to do this task
that's not true, see above posts..
In this function, we simply call the stub which contains the original 5 bytes from the hooked function
this is lame, man, what if there is a hook like this?

ff25 xxxx

then you execute half of an instruction and jump off into trash. You need at least a length disassembler.
Yes, of course, it's not a motor, it's only one POC; use this method only for show. But I think everyone expected an engine :D

I have another method which can monitor all processes from user mode, so I will post it.
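kmd's objection above, as an added example that is not code from the thread: a minimal x86-32 instruction-length walker for the opcodes that typically begin Win32 prologues. It computes the instruction-aligned span a 5-byte patch must copy, flags branches that would need fix-up, and refuses (returns 0) on anything it cannot decode; the byte strings are constructed and the opcode coverage is deliberately partial.

```c
#include <stdint.h>
#include <stdio.h>

/* Length of one x86-32 instruction for the handful of opcodes that commonly
 * begin Win32 prologues; 0 for anything unknown, so the caller refuses rather
 * than guesses. Added example, not a general length disassembler. */
static size_t insn_len(const uint8_t *p, size_t avail, int *is_branch) {
    *is_branch = 0;
    if (avail == 0) return 0;
    const uint8_t op = p[0];
    if (op == 0x90 || op == 0xC3 || op == 0xCC || (op >= 0x50 && op <= 0x5F))
        return 1;                                   /* nop, ret, int3, push/pop r32 */
    if (op == 0xEB) { *is_branch = 1; return 2; }   /* jmp rel8 */
    if (op == 0xE8 || op == 0xE9) { *is_branch = 1; return 5; } /* call/jmp rel32 */
    if (avail < 2) return 0;                        /* need a ModRM byte below */
    const uint8_t mod = p[1] >> 6, reg = (p[1] >> 3) & 7, rm = p[1] & 7;
    if ((op == 0x8B || op == 0x89) && mod == 3) return 2; /* mov r32,r32: 8B FF, 8B EC */
    if (op == 0x83 && mod == 3) return 3;               /* add/sub r32, imm8: 83 EC xx */
    if (op == 0xFF && (reg == 2 || reg == 4) && mod == 0 && rm == 5) {
        *is_branch = 1; return 6;                       /* call/jmp [disp32]: FF 15/FF 25 */
    }
    return 0;
}

/* Walk whole instructions until at least `need` bytes are covered. Returns the
 * instruction-aligned span (0 on unknown opcode or truncation); *has_branch is
 * set when a relative or memory-indirect branch lies inside the span. */
size_t patch_span(const uint8_t *code, size_t avail, size_t need, int *has_branch) {
    size_t off = 0;
    *has_branch = 0;
    while (off < need) {
        int br;
        size_t n = insn_len(code + off, avail - off, &br);
        if (n == 0 || off + n > avail) return 0;
        *has_branch |= br;
        off += n;
    }
    return off;
}

int main(void) {
    /* Constructed byte strings, not copied from any real binary. */
    static const uint8_t prologue[] = { 0x8B, 0xFF, 0x55, 0x8B, 0xEC, 0x83, 0xEC, 0x10 };
    static const uint8_t thunk[]    = { 0xFF, 0x25, 0x00, 0x10, 0x40, 0x00, 0x90, 0x90 };
    int br; size_t n = patch_span(prologue, sizeof prologue, 5, &br);
    printf("prologue: copy %zu bytes, branch=%d\n", n, br);   /* 5, 0 */
    n = patch_span(thunk, sizeof thunk, 5, &br);
    printf("thunk:    copy %zu bytes, branch=%d\n", n, br);   /* 6, 1 */
    return 0;
}
```

The hot-patch prologue splits cleanly at 5 bytes, while the `FF 25` thunk forces a 6-byte copy and a branch fix-up; a blind 5-byte copy of it is exactly the half-instruction kmd describes.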

R00tKit
Posts: 129
Joined: Tue Nov 16, 2010 8:23 pm

Re: Monitoring Processes on Windows NT from Usermode (x86 &

Post by R00tKit » Thu Nov 22, 2012 8:59 pm

he he he
WMI fun, system-wide callback:
http://weblogs.asp.net/whaggard/archive ... 38006.aspx
@R00tkitSMM

Mut4nt
Posts: 19
Joined: Wed May 30, 2012 5:41 am
Location: Russian Federation

Re: Monitoring Processes on Windows NT from Usermode (x86 &

Post by Mut4nt » Fri Nov 23, 2012 10:15 pm

Another one is to hook CsrCreateProcess from the Windows subsystem (most of us know it maintains a structure with information per each process running on the user account).

On Windows 8, it's mostly created in usermode (on XP from kernel mode), by the way.

EP_X0FF
Global Moderator
Posts: 4882
Joined: Sun Mar 07, 2010 5:35 am
Location: Russian Federation

Re: Monitoring Processes on Windows NT from Usermode (x86 &

Post by EP_X0FF » Sat Nov 24, 2012 2:48 am

Mut4nt wrote: On Windows 8, it's mostly created in usermode (on XP from kernel mode), by the way.
Who?
Ring0 - the source of inspiration

Mut4nt
Posts: 19
Joined: Wed May 30, 2012 5:41 am
Location: Russian Federation

Re: Monitoring Processes on Windows NT from Usermode (x86 &

Post by Mut4nt » Sat Nov 24, 2012 9:03 pm

EP_X0FF wrote:
Mut4nt wrote: On Windows 8, it's mostly created in usermode (on XP from kernel mode), by the way.
Who?
Never mind, sorry, I'm talking about some function from the Windows subsystem.

EP_X0FF
Global Moderator
Posts: 4882
Joined: Sun Mar 07, 2010 5:35 am
Location: Russian Federation

Re: Monitoring Processes on Windows NT from Usermode (x86 &

Post by EP_X0FF » Sun Nov 25, 2012 2:45 am

You mean process creation? If yes then you are completely wrong. If you speak about the Csr* client-server win32 subsystem, then you are again wrong: the Csr* win32 subsystem is pure usermode, based on LPC/ALPC communications. So basically I'm interested only in which part you are wrong, or in both altogether. In NT 5.x most of the "Create Process" routines are located in kernel32; in NT 6.x a huge amount of them moved into kernel mode as NtCreateUserProcess. The only things left in user mode for NT 6.x are: basic loader features such as SxS, AppCompat, filename conversion, environment block creation, post-Csr notification via CsrClientCallServer and primary thread resume. Section from file, process object, initial thread object creation + context initialization all moved to kernel mode. How it works in NT 5.x see here.
On Windows 8, it's mostly created in usermode (on XP from kernel mode), by the way.
So, no it is not. Maybe instead of posting a totally incorrect statement you first become familiar with the basic material? :)
Ring0 - the source of inspiration

kmd
Posts: 271
Joined: Mon Mar 15, 2010 4:09 am
Location: Russian Federation

Re: Monitoring Processes on Windows NT from Usermode (x86 &

Post by kmd » Mon Nov 26, 2012 4:50 am

Mut4nt wrote: Another one is to hook CsrCreateProcess from the Windows subsystem (most of us know it maintains a structure with information per each process running on the user account).

On Windows 8, it's mostly created in usermode (on XP from kernel mode), by the way.
how about stopping lame hooking? :mrgreen:
some more reliable solution?

Mut4nt
Posts: 19
Joined: Wed May 30, 2012 5:41 am
Location: Russian Federation

Re: Monitoring Processes on Windows NT from Usermode (x86 &

Post by Mut4nt » Tue Nov 27, 2012 8:09 pm

kmd wrote:
Mut4nt wrote: Another one is to hook CsrCreateProcess from the Windows subsystem (most of us know it maintains a structure with information per each process running on the user account).

how about stopping lame hooking? :mrgreen:
some more reliable solution?
sure, this one: Process thread creation notification :mrgreen:

evelyette
Posts: 38
Joined: Thu Feb 21, 2013 5:51 pm

Re: Monitoring Processes on Windows NT from Usermode (x86 &

Post by evelyette » Wed Jul 20, 2016 5:48 pm

I realize this is an old thread, but I've been experimenting with the AppCertDlls technique on Windows 7 and Windows 10, and while the DLL library is injected into some processes, it isn't injected into others.

The library is injected into session 0 processes like the following:

- svchost.exe: only one of these service processes, though.

The library is NOT injected into session 1 processes like the following:

- WinDbg
- ImmDbg
- Microsoft Edge

The code implementing this is in the CreateProcessInternalW function (a call to BasepIsProcessAllowed) at https://svn.reactos.org/svn/reactos/tru ... iew=markup.

I'm interested in what the rule is for which processes the library gets injected into and which it doesn't. Why isn't it injected into Microsoft Edge? It's a standard Windows program/process.

Thank you for all the help and comments.

EP_X0FF
Global Moderator
Posts: 4882
Joined: Sun Mar 07, 2010 5:35 am
Location: Russian Federation

Re: Monitoring Processes on Windows NT from Usermode (x86 &

Post by EP_X0FF » Thu Jul 21, 2016 5:34 am

AFAIR integrity level is also taken into account. Probably your debugger is running at High IL and Edge is AppContainer. Unfortunately this legacy method has too many restrictions and is mostly unreliable.
Ring0 - the source of inspiration
