A forum for reverse engineering, OS internals and malware analysis 

New method of reading vad/querying process on 8.1/10?

Forum for discussion about kernel-mode development.

New method of reading vad/querying process on 8.1/10?

 #27044  by kerpow1
 Sat Oct 24, 2015 10:44 am
Hi, I haven't started researching as yet or debugging however there seems to be a different way in which 8.1/10 can query a process protected via obRegisterCallbacks or a module hidden from VAD. Process Hacker is one tool that seems to be able to query process/module on 8.1/10 only (x64) even when the driver is disabled...

Has anyone noticed this change, is it an operating system change or something different? I will post any finding I get.

thanks

Re: New method of reading vad/querying process on 8.1/10?

 #27045  by Vrtule
 Sat Oct 24, 2015 10:54 am
According to the documentation for the VirtualQueryEx routine that may be used to find where PE images are mapped within the target process, you need only the PROCESS_QUERY_INFORMATION access right to get the information. AFAIR this access right cannot be blocked by the OB Filtering Model.

https://msdn.microsoft.com/en-us/librar ... s.85).aspx

Re: New method of reading vad/querying process on 8.1/10?

 #27054  by kerpow1
 Sun Oct 25, 2015 7:40 am
You can restrict whatever is a member of open process really. Process_query is so it works in Windows 7 and 8 but ms have maybe denied this change in 8.1 and 10 but I just need to figure out if that's right and any solution. Thanks

Re: New method of reading vad/querying process on 8.1/10?

 #27056  by kerpow1
 Sun Oct 25, 2015 9:14 am
well it seems 8.1/10 tools can still query memory, 8 and earlier this is not the case. so in terms of vad hiding the tools cannot query the module object but can scan filepath and see strings etc. Solution to this is fill text section with null afterwards, well its the only solution that is working in my case currently.
 Return to “Kernel-Mode Development”