A forum for reverse engineering, OS internals and malware analysis 

Forum for discussion about kernel-mode development.
 #569  by ThatReallyFatDude
 Wed Apr 07, 2010 7:52 am
Hi guys,

I am currently building a little driver to intercept file execution (including DLL loading). Since Windows itself doesn't offer a documented way to do so (PsSetCreateProcessNotifyRoutineEx only exists on Vista SP1+ and only works for process creation, not DLL loading), I had several approaches to this:
  • Use a file system filter with IRP_MJ_CREATE callbacks and check for the FILE_EXECUTE flag. That works but unfortunately Explorer essentially opens all files with maximum flags including FILE_EXECUTE. So while browsing directories there are a shit load of "detected executions". Unfortunately all flags are the same no matter whether you browse a directory, get the file properties or execute the file. So there is no easy way to filter those requests. Doing a user mode stack trace of the thread issuing the request may be possible. But I have no idea if that is at all doable.
  • Use a file system filter with IRP_MJ_ACQUIRE_FOR_SECTION_SYNCHRONIZATION callbacks to intercept the creation of file mappings and check if the mapping is created with execution rights. This works quite well. Unfortunately there is a strange bug within the CreateProcess APIs: When I deny access using one of those callbacks the application issuing the CreateProcess call will leak a handle to the file it tried to execute. So essentially I can't delete it. There are some false positives as well but they are far fewer than with the first method, so in general they are acceptable. If I could prevent the handle from being leaked this method would be great.
My next step would be to combine the PsSetCreateImageNotifyRoutine with a file system driver. Essentially issuing a callback into user mode from the Notification Routine and if the execution should be blocked put it on a blacklist and prevent all further access to it using the file system filter. Or is there a method to unmap the image from within the Notification Callback?

Since the driver is intended to run on x64 Kernel Mode Hooks aren't really an option.
 #571  by EP_X0FF
 Wed Apr 07, 2010 9:21 am
Hello,

filter driver with FsRtlRegisterFileSystemFilterCallbacks -> PreAcquireForSectionSynchronization?
Then you can analyze PageProtection field for PAGE_EXECUTE. Or it is also causing problems with Explorer?

For dll there also was some user mode undocumented loader callback, but it was removed in Windows 7.

Regards.
 #574  by ThatReallyFatDude
 Wed Apr 07, 2010 11:20 am
EP_X0FF wrote: filter driver with FsRtlRegisterFileSystemFilterCallbacks -> PreAcquireForSectionSynchronization?
Then you can analyze PageProtection field for PAGE_EXECUTE. Or it is also causing problems with Explorer?
That is essentially the same as the IRP_MJ_ACQUIRE_FOR_SECTION_SYNCHRONIZATION filter solution and causes the handle to leak. I could forcefully close the handle but I think that may cause more harm than good. Maybe someone else has an additional idea.
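The two detection points compared in this exchange (execute access requested at IRP_MJ_CREATE versus an executable page protection at section creation, decided against the blocklist the original post proposes) as an added host-compilable C model. This is not code from the thread or from any driver: the constants mirror the Windows SDK values, the callback signature and structures are simplified stand-ins for the real FS_FILTER_CALLBACK_DATA (where the path would come from the file object's FileName), and the sample paths are constructed.

```c
/* Added example: a user-mode model of the execute-detection decision, not
 * driver code from the thread. Constants mirror the Windows SDK values. */
#include <ctype.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

typedef uint32_t ULONG;
typedef int32_t  NTSTATUS;

#define STATUS_SUCCESS        ((NTSTATUS)0x00000000L)
#define STATUS_ACCESS_DENIED  ((NTSTATUS)0xC0000022L)

/* ACCESS_MASK bits checked by the IRP_MJ_CREATE approach */
#define FILE_EXECUTE            0x00000020
#define GENERIC_EXECUTE         0x20000000

/* PageProtection values seen by PreAcquireForSectionSynchronization */
#define PAGE_READONLY           0x02
#define PAGE_READWRITE          0x04
#define PAGE_WRITECOPY          0x08
#define PAGE_EXECUTE            0x10
#define PAGE_EXECUTE_READ       0x20
#define PAGE_EXECUTE_READWRITE  0x40
#define PAGE_EXECUTE_WRITECOPY  0x80
#define PAGE_EXECUTE_ANY (PAGE_EXECUTE | PAGE_EXECUTE_READ | \
                          PAGE_EXECUTE_READWRITE | PAGE_EXECUTE_WRITECOPY)

/* Simplified stand-in for FS_FILTER_SECTION_SYNC_TYPE */
typedef enum { SyncTypeOther = 0, SyncTypeCreateSection = 1 } FS_FILTER_SECTION_SYNC_TYPE;

/* Approach 1: the CREATE request asks for execute access. Explorer requests
 * this while merely browsing, so on its own it is a weak signal. */
int CreateRequestsExecute(ULONG desiredAccess) {
    return (desiredAccess & (FILE_EXECUTE | GENERIC_EXECUTE)) != 0;
}

/* Approach 2: a section is being created with an executable protection.
 * A data-file mapping of the same PE (PAGE_READONLY) is not flagged. */
int SectionIsExecutable(FS_FILTER_SECTION_SYNC_TYPE syncType, ULONG pageProtection) {
    if (syncType != SyncTypeCreateSection)
        return 0;
    return (pageProtection & PAGE_EXECUTE_ANY) != 0;
}

/* Blocklist of device paths, filled from user mode in the proposed design. */
#define MAX_BLOCKED 8
static const char *g_blocked[MAX_BLOCKED];
static int g_blockedCount = 0;

void BlocklistReset(void) { g_blockedCount = 0; }

int BlocklistAdd(const char *path) {
    if (g_blockedCount >= MAX_BLOCKED)
        return 0;
    g_blocked[g_blockedCount++] = path;
    return 1;
}

/* NT paths are case-insensitive, so compare without regard to case. */
static int PathEqualsIgnoreCase(const char *a, const char *b) {
    for (; *a && *b; a++, b++)
        if (tolower((unsigned char)*a) != tolower((unsigned char)*b))
            return 0;
    return *a == '\0' && *b == '\0';
}

int PathBlocked(const char *path) {
    for (int i = 0; i < g_blockedCount; i++)
        if (PathEqualsIgnoreCase(g_blocked[i], path))
            return 1;
    return 0;
}

/* Model of the pre-acquire callback: deny only executable sections of
 * blocked images. In a real driver the same STATUS_ACCESS_DENIED return is
 * what the thread observed to leave a leaked handle in the caller. */
NTSTATUS PreAcquireForSectionSynchronization(const char *path,
                                             FS_FILTER_SECTION_SYNC_TYPE syncType,
                                             ULONG pageProtection) {
    if (!SectionIsExecutable(syncType, pageProtection))
        return STATUS_SUCCESS;
    return PathBlocked(path) ? STATUS_ACCESS_DENIED : STATUS_SUCCESS;
}

int main(void) {
    const char *blocked = "\\Device\\HarddiskVolume1\\tools\\blocked.exe"; /* constructed */
    BlocklistAdd(blocked);
    /* Explorer-style open: execute bit set, but only a read-only data mapping follows */
    printf("create flags execute: %d\n", CreateRequestsExecute(FILE_EXECUTE | 0x00120089));
    printf("data mapping denied: %d\n",
           PreAcquireForSectionSynchronization(blocked, SyncTypeCreateSection, PAGE_READONLY) == STATUS_ACCESS_DENIED);
    /* Real execution maps the image PAGE_EXECUTE_WRITECOPY */
    printf("image mapping denied: %d\n",
           PreAcquireForSectionSynchronization(blocked, SyncTypeCreateSection, PAGE_EXECUTE_WRITECOPY) == STATUS_ACCESS_DENIED);
    return 0;
}
```

The point the model makes is the one EP_X0FF raises: the section-level check separates an Explorer open (execute access requested, but at most a read-only data mapping) from an actual image load (an executable section), which the IRP_MJ_CREATE check cannot do. The caveat from the thread still applies: denying at this point leaves the leaked handle in the CreateProcess caller, so a design that blocks here needs a plan for that.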
 #579  by Cr4sh
 Thu Apr 08, 2010 1:38 am
You can try to use PsSetCreateProcessNotifyRoutine/PsSetLoadImageNotifyRoutine with entry point patching of loaded image (xor eax,eax/ret - if user decides to block execution). This is a little dirty solution, but very simple, stable and reliable.
 #12867  by jackinthebox1
 Mon Apr 23, 2012 7:35 pm
You can try to use PsSetCreateProcessNotifyRoutine/PsSetLoadImageNotifyRoutine with entry point patching of loaded image (xor eax,eax/ret - if user decides to block execution)
I wanted to experiment with this, so I called PsSetLoadImageNotifyRoutine. When my callback is triggered, I can page the code in using MmProbeAndLockPages with IoReadAccess but I don't know how to change it to write access. If I supply IoWriteAccess, I get an access denied error code. How do I change the page permissions to write access? I am sure this is a basic question, but I don't know the answer. So, I thought I would ask the gurus.
 #12875  by Vrtule
 Tue Apr 24, 2012 1:59 pm
Hello,

I think that you can try the following:
1) Lock the pages of the image in the physical memory via MmProbeAndLockPages with IoReadAccess.
2) Use MmGetSystemAddressForMdlSafe to map the image into the kernel memory. I think that this mapping should be read-write. However, it might cause problems with images that are shared across multiple processes (via copy on write optimization).

You can also try to find addresses of ZwProtectVirtualMemory or ZwWriteVirtualMemory and use these routines to make the entry point area writable.

Unfortunately, I seem to be unable to think up a better solution :-(.
 #12975  by jackinthebox1
 Wed May 02, 2012 12:39 am
send APC to user mode with TerminateProcess
Is this easy to do? I have been experimenting with sending APC's in Win7 x64 but it keeps crashing. Does anyone have sample code? Also, how do you debug APC code?