A forum for reverse engineering, OS internals and malware analysis 

Forum for discussion about kernel-mode development.
 #31803  by Sagaantheepic
 Tue Jul 10, 2018 12:01 pm
Well, I am basically developing a driver of sorts, which acts like my personal antivirus and such. I was wanting to move on to process protection, where I can use my antivirus to protect a program. So far I am using ObRegisterCallback for both thread and process handles, stripping their permissions. I also have set up a signature scan in my usermode program so I can scan for any potential viruses or programs with ill intent. I am also using other callbacks to monitor process creation and thread creation together with modules loaded. So the last step would be test mode. I really have nothing against drivers from just screwing up my programs.

Well, I searched a bit, couldn't really find a way. Remember that I do have a signed driver (not a minifilter) so I can load it normally. I would love it if it works for both 64-bit and 32-bit, even though 32-bit doesn't have DSE, so it would be alright if it doesn't really work for 32-bit. Other than that, if there are ways of maybe checking loaded drivers' digital signatures properly, that would be lovely as well. Other things such as anti read/write would be great as well; remember that I am stripping read and write permissions from programs, but I am just worried about people abusing lsass or csrss to gain a handle with full permissions.

Thank you for any help!
 #31806  by tangptr
 Wed Jul 11, 2018 5:57 am
The most "quick-and-dirty" way is to load a test-signed-only driver for detection.
In addition, 32-bit NT6 systems do have DSE. It is disabled by default, but you may dynamically enable it by patching the "Code-Integrity Driver".
 #31809  by Vrtule
 Wed Jul 11, 2018 11:04 am
even though 32-bit doesn't have DSE
It is still good to have your 32-bit driver binary signed in order to avoid trouble with routines such as ObRegisterCallbacks or PsSetCreateProcessNotifyRoutineEx. They can be called even from an unsigned driver, but it is quite a dirty hack.
if there are ways of maybe checking loaded drivers' digital signatures
Well, you need to find the driver's file and check its signature (WinVerifyTrust may be helpful). As far as I know, this cannot be simply done from kernel mode, so you would need a service collaborating closely with your driver. You probably should be able to launch it as a protected process if you sign it with your certificate.
 #31810  by tangptr
 Thu Jul 12, 2018 10:12 am
I shall emphasize that THERE IS a DSE component on 32-bit Windows, albeit it is disabled at kernel initialization.
Therefore, you may enable DSE in 32-bit Windows by hacking the "Code-Integrity driver". It can be done by reversing the ways of disabling DSE on Win64.
 #31811  by EP_X0FF
 Thu Jul 12, 2018 7:11 pm
Sagaantheepic wrote: Tue Jul 10, 2018 12:01 pm Well, I am basically developing a driver of sorts, which acts like my personal antivirus and such. I was wanting to move on to process protection, where I can use my antivirus to protect a program. So far I am using ObRegisterCallback for both thread and process handles, stripping their permissions. I also have set up a signature scan in my usermode program so I can scan for any potential viruses or programs with ill intent. I am also using other callbacks to monitor process creation and thread creation together with modules loaded. So the last step would be test mode. I really have nothing against drivers from just screwing up my programs.

Well, I searched a bit, couldn't really find a way. Remember that I do have a signed driver (not a minifilter) so I can load it normally. I would love it if it works for both 64-bit and 32-bit, even though 32-bit doesn't have DSE, so it would be alright if it doesn't really work for 32-bit. Other than that, if there are ways of maybe checking loaded drivers' digital signatures properly, that would be lovely as well. Other things such as anti read/write would be great as well; remember that I am stripping read and write permissions from programs, but I am just worried about people abusing lsass or csrss to gain a handle with full permissions.

Thank you for any help!
You can detect Test Mode by calling ZwQuerySystemInformation with the SystemCodeIntegrityInformation class and checking the returned flags in SYSTEM_CODEINTEGRITY_INFORMATION.state for CODEINTEGRITY_OPTION_ENABLED and CODEINTEGRITY_OPTION_TESTSIGN. However, this may be unavailable on old Windows versions.
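The check EP_X0FF describes, written out as an added example (not code from the thread or from any poster): it queries the SystemCodeIntegrityInformation class from the user-mode companion service via ntdll's NtQuerySystemInformation (the driver would use ZwQuerySystemInformation with the same class and structure) and classifies the result. The flag decoding is kept in a separate pure function so the "test signing accepted" case (both ENABLED and TESTSIGN set) is distinguished from "DSE disabled" and from "query unsupported" on older Windows. The information class number, flag values and the Length/CodeIntegrityOptions layout follow the public SDK definitions as I know them; treat them as assumptions to verify against your own headers.

```c
/* Added example: detect Windows test-signing mode through the
 * SystemCodeIntegrityInformation class (not the thread's own code). */
#include <stdio.h>
#include <stdint.h>
#include <string.h>

/* Assumed from the public Windows SDK headers; verify against your SDK. */
#define SYSTEM_CODE_INTEGRITY_INFORMATION_CLASS 103u
#define CODEINTEGRITY_OPTION_ENABLED   0x00000001u
#define CODEINTEGRITY_OPTION_TESTSIGN  0x00000002u

/* Layout of SYSTEM_CODEINTEGRITY_INFORMATION: Length must be set by the caller. */
typedef struct _CODEINTEGRITY_INFO {
    uint32_t Length;
    uint32_t CodeIntegrityOptions;
} CODEINTEGRITY_INFO;

typedef enum {
    CI_UNKNOWN     = -1, /* query failed or info class not supported (old Windows) */
    CI_ENFORCED    =  0, /* DSE on, only production-signed drivers load */
    CI_TESTSIGNING =  1, /* DSE on, but test-signed drivers are accepted */
    CI_DISABLED    =  2  /* DSE off entirely */
} ci_state_t;

/* Pure decoder: TESTSIGN only matters when code integrity is enabled at all. */
ci_state_t classify_code_integrity(uint32_t options) {
    if (!(options & CODEINTEGRITY_OPTION_ENABLED)) return CI_DISABLED;
    if (options & CODEINTEGRITY_OPTION_TESTSIGN)   return CI_TESTSIGNING;
    return CI_ENFORCED;
}

const char *ci_state_name(ci_state_t s) {
    switch (s) {
    case CI_ENFORCED:    return "enforced";
    case CI_TESTSIGNING: return "test-signing";
    case CI_DISABLED:    return "disabled";
    default:             return "unknown";
    }
}

#ifdef _WIN32
#include <windows.h>

/* NtQuerySystemInformation is resolved at run time from ntdll. */
typedef LONG (NTAPI *NtQuerySystemInformation_t)(ULONG, PVOID, ULONG, PULONG);

ci_state_t query_code_integrity(void) {
    HMODULE ntdll = GetModuleHandleW(L"ntdll.dll");
    if (ntdll == NULL) return CI_UNKNOWN;
    NtQuerySystemInformation_t fn =
        (NtQuerySystemInformation_t)GetProcAddress(ntdll, "NtQuerySystemInformation");
    if (fn == NULL) return CI_UNKNOWN;

    CODEINTEGRITY_INFO info;
    info.Length = sizeof(info);          /* required, otherwise STATUS_INFO_LENGTH_MISMATCH */
    info.CodeIntegrityOptions = 0;
    ULONG returned = 0;
    LONG status = fn(SYSTEM_CODE_INTEGRITY_INFORMATION_CLASS, &info, sizeof(info), &returned);
    if (status < 0) return CI_UNKNOWN;   /* NTSTATUS failure, e.g. STATUS_INVALID_INFO_CLASS */
    return classify_code_integrity(info.CodeIntegrityOptions);
}
#else
/* Non-Windows build: nothing to query, report the unsupported case. */
ci_state_t query_code_integrity(void) { return CI_UNKNOWN; }
#endif

int main(void) {
    ci_state_t s = query_code_integrity();
    printf("code integrity: %s\n", ci_state_name(s));
    /* A protection product would treat CI_TESTSIGNING and CI_DISABLED as
     * "unsigned kernel code may be present" and CI_UNKNOWN as "cannot tell". */
    return s == CI_ENFORCED ? 0 : 1;
}
```

The decision logic lives in classify_code_integrity so the driver-side ZwQuerySystemInformation path and the service-side path share it; CI_UNKNOWN is kept distinct from CI_DISABLED because on an old Windows version the failure is about the info class, not about the signing policy.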
 #31821  by EP_X0FF
 Fri Jul 13, 2018 4:52 pm
All other ways are stupid.