A forum for reverse engineering, OS internals and malware analysis 

Forum for discussion about user-mode development.
 #10841  by wealllbe20
 Thu Jan 05, 2012 4:30 pm
I was wondering if anybody has any example code (in userland, of course) on how to prevent a process or thread from reading the memory of another thread or process.

Any ideas?
 #10852  by EP_X0FF
 Fri Jan 06, 2012 4:09 am
With only UM and on the same execution level, presumably, there is no way. Of course you can try hooks; however, this will require mapping your code into the potential intruder's address space, and this can easily be bypassed.
 #11175  by everdox
 Fri Jan 20, 2012 11:43 pm
Like he said, if you're in user mode you don't have many options, besides maybe a global hook. Maybe even remote handle closing on process_all_access or process_vm :D
 #11186  by redp
 Sat Jan 21, 2012 8:53 am
everdox wrote: Like he said, if you're in user mode you don't have many options, besides maybe a global hook. Maybe even remote handle closing on process_all_access or process_vm :D
Since Vista, EPROCESS has a ProtectedProcess flag for DRM-related processes like audiodg.exe.
This flag can be set in UM.
 #11194  by Vrtule
 Sat Jan 21, 2012 5:01 pm
redp wrote:
everdox wrote: Like he said, if you're in user mode you don't have many options, besides maybe a global hook. Maybe even remote handle closing on process_all_access or process_vm :D
Since Vista, EPROCESS has a ProtectedProcess flag for DRM-related processes like audiodg.exe.
This flag can be set in UM.
I do not think the article says that the ProtectedProcess flag can be changed from user mode. It only says that you can create protected processes when you own a special certificate. And Microsoft writes the following about the certificate:
To activate a protected process, the binary must have a special signature. This signature is provided by Microsoft but not currently available for non-Microsoft binaries. There are currently four protected processes: media foundation, audio engine, Windows error reporting, and system. Components that load into these binaries must also be signed. Multimedia companies can leverage the first two protected processes. For more information, see Overview of the Protected Media Path.
Hence it seems that normal guys are unable to create processes of that kind. However, I might be wrong. If so, please correct me.

Modification of the ProtectedProcess flag in the EPROCESS structure works perfectly. However, keep in mind that protected processes are not allowed to create child processes.
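The effect redp and Vrtule are discussing can be observed from user mode without touching the kernel: a process whose EPROCESS carries the ProtectedProcess flag (audiodg.exe when audio is playing) refuses PROCESS_VM_READ even to an elevated caller, while PROCESS_QUERY_LIMITED_INFORMATION is still granted. The script below is an added example, not code from this thread or from Microsoft; it P/Invokes the documented kernel32 OpenProcess/CloseHandle APIs, and the process names it probes (audiodg as the protected case, notepad as an unprotected control) are assumptions for the demonstration.

```powershell
# Added example (not from the thread): probe which access rights a user-mode
# caller can obtain on a process. Run from an elevated PowerShell on Vista or
# later; start notepad and play some audio first so both targets exist.

Add-Type -Namespace Win32 -Name Native -MemberDefinition @'
[DllImport("kernel32.dll", SetLastError = true)]
public static extern IntPtr OpenProcess(uint dwDesiredAccess, bool bInheritHandle, uint dwProcessId);

[DllImport("kernel32.dll", SetLastError = true)]
public static extern bool CloseHandle(IntPtr hObject);
'@

# Access-right constants from winnt.h
$PROCESS_VM_READ                   = 0x0010
$PROCESS_QUERY_LIMITED_INFORMATION = 0x1000
$ERROR_ACCESS_DENIED               = 5   # expected for VM_READ on a protected process

function Test-ProcessAccess {
    # Returns whether OpenProcess with the requested rights succeeds, plus the
    # Win32 error code when it does not.
    param(
        [Parameter(Mandatory)] [int]    $ProcessId,
        [Parameter(Mandatory)] [uint32] $DesiredAccess
    )
    $h = [Win32.Native]::OpenProcess($DesiredAccess, $false, [uint32]$ProcessId)
    if ($h -eq [IntPtr]::Zero) {
        $err = [System.Runtime.InteropServices.Marshal]::GetLastWin32Error()
        return [pscustomobject]@{ Granted = $false; Error = $err }
    }
    [void][Win32.Native]::CloseHandle($h)
    return [pscustomobject]@{ Granted = $true; Error = 0 }
}

# audiodg = protected (DRM) process, notepad = ordinary control process (assumed targets)
foreach ($p in (Get-Process -Name 'audiodg', 'notepad' -ErrorAction SilentlyContinue)) {
    $limited = Test-ProcessAccess -ProcessId $p.Id -DesiredAccess $PROCESS_QUERY_LIMITED_INFORMATION
    $vmread  = Test-ProcessAccess -ProcessId $p.Id -DesiredAccess $PROCESS_VM_READ
    '{0,-12} PID {1,6}  QUERY_LIMITED={2,-5} VM_READ={3,-5} (err {4})' -f `
        $p.ProcessName, $p.Id, $limited.Granted, $vmread.Granted, $vmread.Error
}
```

On a Vista-era system the audiodg line should show QUERY_LIMITED granted and VM_READ refused with error 5 (ERROR_ACCESS_DENIED), while notepad grants both to an administrator. That asymmetry is exactly what the ProtectedProcess flag buys, and also why the thread's conclusion stands: an ordinary user-mode binary cannot obtain it for itself, since the flag is set by the kernel based on the binary's signature, not by anything the process does at runtime.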
 #11198  by redp
 Sat Jan 21, 2012 5:33 pm
Vrtule wrote: Hence it seems that normal guys are unable to create processes of that kind.
In the original post the man asked for any example code in userland.
My answer falls into this category :lol: