
 #30375  by nullpointer
 Sun May 21, 2017 9:11 am
Hello,

I am trying to unprotect csrss (WinTcb light) on Win10 15063+ for a short time and then restore it.
The psprotect pointer is fine. Should this be possible?
/* Prototype for the native query routine used by CsrssTempUnprotect below.
 * SystemInformation receives the result; ReturnLength (when non-NULL) receives
 * the size needed or written. */
NTSYSCALLAPI
NTSTATUS
NTAPI
ZwQuerySystemInformation(
	_In_ ULONG SystemInformationClass,
	_Out_opt_ PVOID SystemInformation,
	_In_ ULONG SystemInformationLength,
	_Out_opt_ PULONG ReturnLength
);

/* Information class passed as the first argument below; the buffer it fills is
 * walked as a chain of SYSTEM_PROCESS_INFORMATION entries via NextEntryOffset. */
#define SystemProcessInformation	5

/*
 * Take one snapshot of the process list, call ProcessProtection(pid, FALSE)
 * for every entry whose ImageName equals "CSRSS.EXE" (case-insensitive),
 * wait, then call ProcessProtection(pid, TRUE) for the same entries.
 *
 * ProcessProtection is defined elsewhere and is not shown here; its return
 * value is never checked, so a failed restore on the second pass goes unnoticed.
 *
 * Returns the NTSTATUS of the allocation/query phase: a success code once the
 * snapshot was obtained, STATUS_INSUFFICIENT_RESOURCES if pool allocation
 * failed, or whatever non-success code ZwQuerySystemInformation returned.
 */
NTSTATUS CsrssTempUnprotect(VOID)
{
	ULONG retLen = 0;
	ULONG spiLen = 128;	/* doubled before the first attempt, so the first query uses 256 bytes */
	PSYSTEM_PROCESS_INFORMATION spi = NULL;
	NTSTATUS status = STATUS_UNSUCCESSFUL;

	/* Grow-and-retry loop: the buffer is freed on any query failure and the
	 * loop only repeats (with twice the size) on STATUS_INFO_LENGTH_MISMATCH.
	 * On success spi is kept and is released at the end of the function. */
	do {
		spiLen *= 2;
		/* Pool tag 0 — the allocation carries no tag, so it is unattributed in pool tracking. */
		spi = (PSYSTEM_PROCESS_INFORMATION)ExAllocatePoolWithTag(PagedPool, spiLen, 0);
		if (spi != NULL) {
			status = ZwQuerySystemInformation(SystemProcessInformation, spi, spiLen, &retLen);
			if (!NT_SUCCESS(status))
				ExFreePool(spi);
		}
		else status = STATUS_INSUFFICIENT_RESOURCES;	/* nothing allocated, nothing to free */
	} while (status == STATUS_INFO_LENGTH_MISMATCH);

	if (NT_SUCCESS(status)) {
		UNICODE_STRING uCsrss;
		PSYSTEM_PROCESS_INFORMATION tmp = spi;

		RtlInitUnicodeString(&uCsrss, L"CSRSS.EXE");
		/* First pass: walk the entry chain and disable protection on matches.
		 * NextEntryOffset == 0 marks the last entry. */
		do {
			if (RtlEqualUnicodeString(&tmp->ImageName, &uCsrss, TRUE))	/* TRUE = case-insensitive */
				ProcessProtection(tmp->UniqueProcessId, FALSE);

			if (tmp->NextEntryOffset == 0)
				break;

			tmp = (PSYSTEM_PROCESS_INFORMATION)((PUCHAR)tmp + tmp->NextEntryOffset);
		} while (TRUE);

		/* Pause between the two passes (10000 ms per the Sleep argument). */
		Sleep(10000);

		/* Second pass re-walks the SAME snapshot taken before the pause — the
		 * process list is not refreshed, so the PIDs used for the restore are
		 * those captured earlier. */
		tmp = spi;
		do {
			if (RtlEqualUnicodeString(&tmp->ImageName, &uCsrss, TRUE))
				ProcessProtection(tmp->UniqueProcessId, TRUE);

			if (tmp->NextEntryOffset == 0)
				break;

			tmp = (PSYSTEM_PROCESS_INFORMATION)((PUCHAR)tmp + tmp->NextEntryOffset);
		} while (TRUE);

		ExFreePool(spi);
	}

	return status;
}
Thank you.
 #30492  by Brock
 Thu Jun 22, 2017 8:36 pm
@nullpointer,

From a security standpoint this is not a sound practice. Why not just make your own process a protected process instead, assuming you use one? If you do this you can access other protected processes without having to remove their protected process status.