Re: Questions about inside the API CreateProcess!
- From: 东皇钟 <jsniperwyc@xxxxxxxxxxxx>
- Date: Sun, 16 Dec 2007 07:30:02 -0800
Thank you very much.
How about verifying a process's EPROCESS (process object) object header,
getting its open handle table (ObjectHeader->HandleInfoOffset), to know
which user-mode processes are taking my process handle (or other handles) now,
and killing them?
This knowledge comes from Windows Internals, chapter "Object Manager".
And deleting the protected EPROCESS entry from the PsActiveProcessHead list
to hide it in kernel mode. By searching the WRK I find that this information
is only used in the create step and the delete step.
Regards.
--
If heaven had feelings, heaven too would grow old; the right path in the human world is one of upheavals.
"Don Burn" wrote:
Forget this approach; the steps to create a process in the kernel are hard
and undocumented. A number of people have tried things like this and most
of them miss many edge conditions.
About all you can do is have a file system filter that catches the memory
mapping and decrypts, but that means anyone who writes a program to memory
map the exe can get at the code. Of course, your original idea
ignores the fact that unless you disable kernel debuggers and user debuggers
you can have problems. Also, better watch out for DLL injection, since
then I can write out your encrypted data.
--
Don Burn (MVP, Windows DDK)
Windows 2k/XP/2k3 Filesystem and Driver Consulting
Website: http://www.windrvr.com
Blog: http://msmvps.com/blogs/WinDrvr
Remove StopSpam to reply
"东皇钟" <jsniperwyc@xxxxxxxxxxxx> wrote in message
news:8F696F4C-F6A6-4966-8D14-5E5E1FC068C3@xxxxxxxxxxxxxxxx
Thank you for answering. I have that book in the Chinese edition, and I had
read that chapter before posting this question here.
But I think that the information given in that book is very simple. It is
fit for learning rather than for use in a program. I don't know where to get
further information; source code is best. I have tried to track its call
stack during debugging, but failed.
My idea is this: the book says that the API CreateProcess first opens the
image file and then creates a memory section in order to map it into the
process's address space. I want to make the executable image file encrypted
when stored on disk. When it is loaded, my device driver first decrypts it and then
creates the memory section myself, and then calls the system service to create a
process. Doing this can stop it from being cracked. To make sure it doesn't
make mistakes, I want to know detailed information about CreateProcess.
Thank you!
--
If heaven had feelings, heaven too would grow old; the right path in the human world is one of upheavals.
"Kerem Gümrükcü" wrote:
Hi,
you should read this in order to get a detailed answer to your question:
"Microsoft Windows Internals (fourth edition) Microsoft Windows
Server 2003, Windows XP, and Windows 2000"
It is a great book; chapter 6 has a
subchapter called "Flow of CreateProcess". It is a great exploration
of the call from user mode to kernel mode.
This book is highly recommended and a must for kernel developers!
Regards
Kerem
--
-----------------------
Beste Grüsse / Best regards / Votre bien devoue
Kerem Gümrükcü
Microsoft Live Space: http://kerem-g.spaces.live.com/
Latest Open-Source Projects: http://entwicklung.junetz.de
-----------------------
"This reply is provided as is, without warranty express or implied."
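As an added example (not code from this thread or from any of its posters): a user-mode C simulation of the hide-by-unlinking step that the first post above proposes (removing an EPROCESS entry from the PsActiveProcessHead list), together with the check a defender runs against it. The LIST_ENTRY, CONTAINING_RECORD and FAKE_EPROCESS definitions are simplified stand-ins assumed for illustration, the process names and PIDs are constructed sample data, and the PID table stands in for the kernel's handle/CID lookup path; none of it is the real Windows layout. The point it shows is the one the posts circle around: unlinking only blinds code that enumerates through that list, while any other reference to the object (a PID lookup, an open handle) still reaches it, so comparing the two views exposes the hidden entry.

```c
/* Added example (not from the thread): user-mode simulation of unlinking a
 * process record from the active-process list and of a cross-view check that
 * still finds it. All structures are simplified stand-ins, not Windows'. */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

typedef struct _LIST_ENTRY {
    struct _LIST_ENTRY *Flink;
    struct _LIST_ENTRY *Blink;
} LIST_ENTRY;

/* Stand-in for EPROCESS with only the fields this demo uses. */
typedef struct _FAKE_EPROCESS {
    unsigned long UniqueProcessId;
    LIST_ENTRY    ActiveProcessLinks;
    char          ImageFileName[16];
} FAKE_EPROCESS;

#define CONTAINING_RECORD(addr, type, field) \
    ((type *)((char *)(addr) - offsetof(type, field)))
#define MAX_PROCS 8

/* Stand-ins for PsActiveProcessHead and for the PID (CID) table that
 * handle-based lookups go through; the two are independent views. */
static LIST_ENTRY     g_ActiveProcessHead;
static FAKE_EPROCESS  g_procs[MAX_PROCS];
static FAKE_EPROCESS *g_pidTable[MAX_PROCS];

static void InitializeListHead(LIST_ENTRY *h) { h->Flink = h->Blink = h; }
static void InsertTailList(LIST_ENTRY *head, LIST_ENTRY *e) {
    e->Flink = head;
    e->Blink = head->Blink;
    head->Blink->Flink = e;
    head->Blink = e;
}
/* Unlink, then point the entry at itself so that a later unlink of the
 * hidden entry (e.g. at process exit) does not corrupt its old neighbours. */
static void RemoveEntryList(LIST_ENTRY *e) {
    e->Blink->Flink = e->Flink;
    e->Flink->Blink = e->Blink;
    e->Flink = e->Blink = e;
}

/* Constructed sample: six processes with PIDs 4, 8, ..., 24. */
void BuildSampleProcesses(void) {
    static const char *names[] = { "System", "smss.exe", "csrss.exe",
                                   "winlogon.exe", "explorer.exe", "protected.exe" };
    InitializeListHead(&g_ActiveProcessHead);
    memset(g_pidTable, 0, sizeof g_pidTable);
    for (int i = 0; i < 6; i++) {
        FAKE_EPROCESS *p = &g_procs[i];
        p->UniqueProcessId = 4UL * (i + 1);
        snprintf(p->ImageFileName, sizeof p->ImageFileName, "%s", names[i]);
        InsertTailList(&g_ActiveProcessHead, &p->ActiveProcessLinks);
        g_pidTable[i] = p;
    }
}

/* The "hide" step: remove the record from the active list only. The PID
 * table (and any open handle) still references the object. Returns 1 if found. */
int HideProcessByPid(unsigned long pid) {
    for (LIST_ENTRY *e = g_ActiveProcessHead.Flink; e != &g_ActiveProcessHead; e = e->Flink) {
        FAKE_EPROCESS *p = CONTAINING_RECORD(e, FAKE_EPROCESS, ActiveProcessLinks);
        if (p->UniqueProcessId == pid) { RemoveEntryList(e); return 1; }
    }
    return 0;
}

/* View 1: what a walk of the active list reports. */
int CountViaActiveList(void) {
    int n = 0;
    for (LIST_ENTRY *e = g_ActiveProcessHead.Flink; e != &g_ActiveProcessHead; e = e->Flink) n++;
    return n;
}

/* View 2: what a walk of the PID table reports. */
int CountViaPidTable(void) {
    int n = 0;
    for (int i = 0; i < MAX_PROCS; i++) if (g_pidTable[i]) n++;
    return n;
}

/* Cross-view check: a PID-table entry missing from the list is hidden.
 * Returns the first such PID, or 0 if the two views agree. */
unsigned long FindHiddenProcess(void) {
    for (int i = 0; i < MAX_PROCS; i++) {
        FAKE_EPROCESS *p = g_pidTable[i];
        if (!p) continue;
        int onList = 0;
        for (LIST_ENTRY *e = g_ActiveProcessHead.Flink; e != &g_ActiveProcessHead; e = e->Flink)
            if (CONTAINING_RECORD(e, FAKE_EPROCESS, ActiveProcessLinks) == p) { onList = 1; break; }
        if (!onList) return p->UniqueProcessId;
    }
    return 0;
}

int main(void) {
    BuildSampleProcesses();
    printf("before hide: list=%d table=%d\n", CountViaActiveList(), CountViaPidTable());
    HideProcessByPid(24);
    printf("after hide:  list=%d table=%d hidden pid=%lu\n",
           CountViaActiveList(), CountViaPidTable(), FindHiddenProcess());
    return 0;
}
```

Build with `cc -std=c99 dkom_sim.c` (file name assumed). Hiding PID 24 drops the list count from 6 to 5 while the table still holds 6, and FindHiddenProcess() returns 24; that discrepancy between enumeration paths is exactly what cross-view rootkit detectors look for, and it is why unlinking from one list does not hide a process from anything that reaches EPROCESS by a different route, such as the handle-table walk the first post also describes.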