TheSecret

Windows kernel programming


Hiyo..,

 

Would anybody be able to explain, or point to some good resources (assuming it is possible), how to interface with or add on to the Windows kernel? Now, I don't mean for example drivers, but rather certain rootkits, or system call wrappers such as McAfee Entercept. If the kernel is proprietary, and there is no equivalent to writing a module, how can you add on to it, and how good would the end result be?


OK, let's start at the beginning.

 

What are the requirements?

Then we can work on what the best tools and approaches would be.

 

"I want to hack this proprietary OS kernel" is not a requirement.

 

"I need to stop users from having raw access to copyrighted material" is a requirement.


I don't have specific requirements, or a need to modify anything, I am just wondering how software such as Entercept and certain rootkits get hooked in at such a low level, when I thought this would be prevented. I cannot find decent information on how this is possible, and thought there may be some programmers in here with relevant experience. For example, Entercept seems to be almost kernel level, and at least works by having some higher power than a traditional application, so what is to stop something blocking calls by Entercept.. does this make sense?



I imagine Entercept would need to be installed on what's assumed to be a clean system. That would give it an advantage over any rootkit that would try to install itself afterwards. Nothing is foolproof though.. for example Vista 64-bit included 'PatchGuard', basically protection for the kernel designed to stop rootkits. This was famously defeated by Joanna Rutkowska at the Black Hat USA 2006 conference, by forcing a driver to be paged out to disk, gaining raw access to the partition, and then overwriting the driver code with her own.

PatchGuard has since been improved, however some researchers claim to know of other workarounds..

 

The higher power you speak of would be a series of kernel mode drivers.

 

As for hooking the kernel, that part's easy.. here's some random hooking code I scouted:

/* Service index of a Zw*/Nt* routine: the stub begins 'mov eax, imm32', so the dword at offset 1 is the SSDT index */
#define SYSCALL_INDEX(_Function) *(PULONG)((PUCHAR)_Function+1)
/* Atomically swap the SSDT entry for _Function with _Hook, keeping the original pointer in _Orig */
#define HOOK_SYSCALL(_Function, _Hook, _Orig) \
    _Orig = (PVOID) InterlockedExchange( (PLONG) &MappedSystemCallTable[SYSCALL_INDEX(_Function)], (LONG) _Hook)
Or..

__asm {
    mov ecx, 0x176               // MSR number of IA32_SYSENTER_EIP
    rdmsr                        // read the value of the IA32_SYSENTER_EIP register (EDX:EAX)
    mov d_origKiFastCallEntry, eax   // save the original KiFastCallEntry address
    mov eax, MyKiFastCallEntry   // Hook function address
    wrmsr                        // Write to the IA32_SYSENTER_EIP register
}
But getting it to do something useful, not as much.

 

A lot of the work is often done in assembly, and requires quite an intimate knowledge of the target kernel's inner workings.

There is usually very little or no documentation available, debugging is nothing like working in Visual C, and it's time consuming.

 

Some links to explore:

 

Good article on rootkits, technical

securityfocus article

 

Sign up here, you get access to plenty of sample code, etc

rootkit.com

 

Some analysis of particular rootkits and things

antirootkit.com

 

Be aware though, you may lose several hours of your day..
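As an added illustration (not code from the thread, nor from any of the products or sites named in it), here is the defender-side counterpart of the two snippets quoted above: the check an anti-rootkit tool performs to spot an SSDT entry, or the IA32_SYSENTER_EIP MSR, pointing outside ntoskrnl.exe. All addresses, module ranges and the ZwOpenProcess stub bytes are constructed sample values; collecting the real ones needs a driver or a kernel debugger, which this example assumes has already been done.

```python
from typing import Dict, List, Optional, Tuple

Module = Tuple[str, int, int]          # (name, image base, image end)

# Constructed sample data: nothing below was taken from a real system.
KERNEL_MODULES: List[Module] = [
    ("ntoskrnl.exe", 0x80400000, 0x80600000),
    ("hook.sys",     0xF8C00000, 0xF8C10000),   # hypothetical third-party driver
]

def syscall_index(stub: bytes) -> int:
    """Decode the service number from an x86 Zw*/Nt* export stub.
    The stub begins 'mov eax, imm32' (opcode 0xB8 + little-endian dword),
    which is exactly what the SYSCALL_INDEX macro above dereferences."""
    if len(stub) < 5 or stub[0] != 0xB8:
        raise ValueError("not a 'mov eax, imm32' syscall stub")
    return int.from_bytes(stub[1:5], "little")

def owning_module(addr: int, modules: List[Module]) -> Optional[str]:
    """Name of the loaded kernel module whose image contains addr, or None."""
    for name, base, end in modules:
        if base <= addr < end:
            return name
    return None

def find_ssdt_hooks(ssdt: List[int], modules: List[Module]) -> List[Tuple[int, int, Optional[str]]]:
    """Flag every SSDT entry that resolves outside ntoskrnl.exe.
    Returns (service index, target address, owning module or None)."""
    return [(i, target, owning_module(target, modules))
            for i, target in enumerate(ssdt)
            if owning_module(target, modules) != "ntoskrnl.exe"]

def sysenter_hooked(ia32_sysenter_eip: int, modules: List[Module]) -> bool:
    """True if MSR 0x176 no longer points into ntoskrnl, i.e. KiFastCallEntry
    was replaced the way the wrmsr snippet above does."""
    return owning_module(ia32_sysenter_eip, modules) != "ntoskrnl.exe"

def audit(stubs: Dict[str, bytes], ssdt: List[int], modules: List[Module]) -> Dict[str, Optional[str]]:
    """Map each named Zw stub to the module its SSDT entry currently points at."""
    return {name: owning_module(ssdt[syscall_index(code)], modules)
            for name, code in stubs.items()}

if __name__ == "__main__":
    # Constructed SSDT: entries 0 and 1 untouched, entry 2 redirected into hook.sys
    ssdt = [0x80455A10, 0x80456B20, 0xF8C01000]
    stubs = {"ZwOpenProcess": bytes([0xB8, 0x02, 0x00, 0x00, 0x00])}  # mov eax, 2
    print(find_ssdt_hooks(ssdt, KERNEL_MODULES))
    print(audit(stubs, ssdt, KERNEL_MODULES))
    print(sysenter_hooked(0xF8C02000, KERNEL_MODULES))
```

The same check flags legitimate kernel-mode hooks too, which is how products like Entercept show up in anti-rootkit tool output; win32k's services sit in a separate shadow table and need their own range check.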


Hmm, thanks for that dxg.

 

Is it possible, because McAfee is such a big company, that MS may have granted them access to the Windows source, giving them an advantage?


So it is possible, but rare.

 

Is patching the kernel very hard, requiring a lot of reverse engineering, or is it rather straightforward, with a lot of people having the know-how? It looks like it can't happen anymore anyway with KPP, unless it can be gotten around or MS grants an exception...
