A forum for reverse engineering, OS internals and malware analysis 

Forum for discussion about kernel-mode development.
 #23110  by m5home
 Fri Jun 13, 2014 9:18 am
Hi, everyone.

This tutorial is excerpted from my study notes. It includes:

0.Begin
|-Hardware preparation
|-Configure environment of driver development
------------------------------
1.HelloWorld In Kernel-Mode
|-Configure environment of driver testing
|-Compile and load kernel-mode HelloWorld
------------------------------
2.Basic Code
|-Basic rule of WIN64 kernel-mode programming
|-Communication between EXE and SYS
|-Use memory in kernel-mode
|-Use string in kernel-mode
|-File operation in kernel-mode
|-Registry operation in kernel-mode
|-Process/Thread operation in kernel-mode
|-Other common code
------------------------------
3.Kernel-Mode Hook And Unhook
|-SYSCALL,WOW64 and Compatibility Mode
|-Disable WIN7 PatchGuard
|-Structure of System Services Descriptor Table
|-SSDT HOOK and UNHOOK
|-SHADOW SSDT HOOK and UNHOOK
|-INLINE HOOK and UNHOOK
------------------------------
4.Monitor Process Behavior Without Hook
|-Monitor Process/Thread startup and exit
|-Monitor Load module (DLL and SYS)
|-Monitor Registry operation
|-Monitor File operation
|-Monitor Process/Thread handle operation
|-Monitor File access by object notify
|-Monitor Internet access
|-Monitor Time change
------------------------------
5.Some Stuff
|-Use ASM code in driver
|-DKOM hide/protect process
|-Enumerate and hide kernel module
|-Kill process by PspTerminateProcess
|-Read/Write process memory enforcement
|-Enumerate message hook
|-Unlock file
|-Preliminary exploration on PE32+ file
------------------------------
6.User-Mode Hook And Unhook
|-Inject DLL to system process
|-RING3 INLINE HOOK and UNHOOK
|-RING3 EAT HOOK and IAT HOOK
------------------------------
7.Anti Notify And Callback
|-Enumerate and Delete CreateProcess/CreateThread notify
|-Enumerate and Delete LoadImage notify
|-Enumerate and Delete Registry callback
|-Enumerate and Anti MiniFilter
|-Enumerate and Delete Object notify

The PDF part is written in Chinese; if you cannot read Chinese, you can look at the code directly.
The code is ugly, but as a demonstration it should be no problem.
Download URL: http://pan.baidu.com/s/1bnxQNJh
Last edited by m5home on Fri Jun 13, 2014 9:41 am, edited 2 times in total.
 #23128  by Microwave89
 Mon Jun 16, 2014 7:51 pm
Hi m5home,

Although I don't understand a single character of Chinese, Google is helping me translate your PDFs into German.
The effort you put into the pdf tutorial is even more incredible than the one you put in the code examples!
I really appreciate your share, thanks so much, again!


Best regards

Microwave89
 #24794  by m5home
 Fri Jan 02, 2015 6:09 am
Microwave89 wrote:Hi m5home,

Although I don't understand a single character of Chinese, Google is helping me translate your PDFs into German.
The effort you put into the pdf tutorial is even more incredible than the one you put in the code examples!
I really appreciate your share, thanks so much, again!


Best regards

Microwave89
Thanks for your support!
 #27728  by aleckernel
 Sun Jan 24, 2016 11:02 am
Hi m5home,
About the [5-5]ForceProcMemRW. It contains the function listed below. Would you mind explaining a bit why interrupts have to be disabled and then enabled the way you did it?

Code:
void KReadProcessMemory(IN PEPROCESS Process, IN PVOID Address, IN UINT32 Length, OUT PVOID Buffer)
{
	ULONG64 pDTB=0,OldCr3=0,vAddr=0;
	//Get DTB
	pDTB=Get64bitValue((UCHAR*)Process + DIRECTORY_TABLE_BASE);
	if(pDTB==0)
	{
		DbgPrint("[x64Drv] Can not get PDT");
		return;
	}
	//Record old cr3 and set new cr3
	_disable();
	OldCr3=__readcr3();
	__writecr3(pDTB);
	_enable();
	//Read process memory
	//<-----if thread context switching happens here, the thread will be reloaded with the old CR3 value from _KTHREAD.ApcState->Process.DirectoryTableBase
	if(MmIsAddressValid(Address))
	{
		RtlCopyMemory(Buffer,Address,Length);
		DbgPrint("[x64Drv] Data read: %ld", *(PDWORD)Buffer);
	}
	//Restore old cr3
	_disable();
	__writecr3(OldCr3);
	_enable();
}

In particular, I don't understand why disabling interrupts is required before the first __readcr3(). If I understand correctly, you want to disable thread context switching while CR3 holds a tampered value. But the __readcr3()/__writecr3(pDTB) pair won't be affected even if there is a context switch between them.

And why do you want to re-enable interrupts so early? After the first _enable(), the thread could be pre-empted and the process context switched. When execution resumes in this thread, Windows will reload CR3 using the value in _KTHREAD.ApcState->Process.DirectoryTableBase (my test on Win7 32-bit shows this is the case). So at any time after interrupts are re-enabled, the CR3 value could be changed back to the original one and nullify any modification you have done.

Thirdly, you need to prevent the target process from being terminated first (rundown protection). Otherwise, whatever value is in pDTB will become invalid and __writecr3(pDTB) will just hang the system. There won't even be a BSOD.

Fourthly, what about raising the IRQL to DISPATCH_LEVEL or higher instead of _disable()?
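A version of the same read that avoids the problems raised above, added here as an example (it is not from m5home's tutorial or from any post in this thread): it lets KeStackAttachProcess manage the address-space switch, so the scheduler restores the right page directory on every context switch, and it takes rundown protection before attaching. It assumes a WDK build; KReadProcessMemorySafe is a hypothetical name, and PsAcquireProcessExitSynchronization/PsReleaseProcessExitSynchronization are exported but undocumented ntoskrnl routines.

```c
/* Added example, not the tutorial's code: read target-process memory by attaching
 * to the process rather than writing CR3 by hand. Call at PASSIVE_LEVEL. */
#include <ntddk.h>

/* Exported by ntoskrnl but not in the public headers (assumed prototypes). */
NTSTATUS PsAcquireProcessExitSynchronization(PEPROCESS Process);
VOID PsReleaseProcessExitSynchronization(PEPROCESS Process);

/* Copies Length bytes from user address Address in process Pid into Buffer,
 * a non-paged kernel buffer owned by the caller. Hypothetical helper name. */
NTSTATUS KReadProcessMemorySafe(HANDLE Pid, PVOID Address, SIZE_T Length, PVOID Buffer)
{
    PEPROCESS process = NULL;
    KAPC_STATE apcState;
    NTSTATUS status;

    /* Takes a reference on the EPROCESS, so the object and its page directory
     * cannot be freed while we hold it. */
    status = PsLookupProcessByProcessId(Pid, &process);
    if (!NT_SUCCESS(status))
        return status;

    /* Rundown protection: refuse a process that has already begun exiting,
     * the "pDTB becomes invalid" case discussed in the thread. */
    status = PsAcquireProcessExitSynchronization(process);
    if (!NT_SUCCESS(status)) {
        ObDereferenceObject(process);
        return status;
    }

    /* The supported way to switch address spaces: the attach is recorded in the
     * thread's APC state, so a preemption cannot silently revert it and no
     * _disable()/_enable() window is needed. */
    KeStackAttachProcess(process, &apcState);
    __try {
        /* Address is now a user-mode address in the target; probe, then copy.
         * A page unmapped in the meantime raises an exception instead of crashing. */
        ProbeForRead(Address, Length, sizeof(UCHAR));
        RtlCopyMemory(Buffer, Address, Length);
        status = STATUS_SUCCESS;
    } __except (EXCEPTION_EXECUTE_HANDLER) {
        status = GetExceptionCode();
    }
    KeUnstackDetachProcess(&apcState);

    PsReleaseProcessExitSynchronization(process);
    ObDereferenceObject(process);
    return status;
}
```

Because the attach/detach pair is tracked by the kernel, the routine also works unchanged when the caller is itself preempted or when the target is a WOW64 process.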