is there any way to receive a notification that a new image was loaded into a desired task?
i know that in user mode I can use
_dyld_register_func_for_add_image
but is there any way to do that from kernel?
I know that it seems pretty impossible since dyld is responsible for all the loading process and it's all in the user space.
but maybe someone ever done that before?
This tutorial provides an example of how to detect dyld load events; see the "Monitor Dylib Loading Event" section. It does so using a Mandatory Access Control Framework (MACF) kext to inspect mpo_file_check_mmap events.
It's not the most friendly or complete tutorial about MACF, so you might want to read this MACF tutorial first if you're new to MACF.
Related
I am writing a game hack and want to run cheat engine while the game is running, the anti hack currently detects both the user mode and kernel mode components and terminates the game. I wrote a device driver to hook ZwQuerySystemInformation to hide the process. I would also like to hide the device driver since it is currently still detected.i know i could do this with DKOM but id prefer to use a SSDT hook, does anyone know what api i should hook to filter the list of services/drivers?
You can follow this article from the beginning to the start and use its supplied code and customize it to fit your own needs: http://www.codeproject.com/Articles/46670/Service-Hiding
Word of advice, if you don't know what you are doing, its best to not play with such stuff.
On a side note, they tend to over complicate their architecture and compilation process so expect some hiccups as its not going to be straightforward solution. But, this should address and solves your question and needs.
EDIT:
You would need to hook the services API that is responsible for showing you what services are running currently on your computer. An example for this is "services.exe" this is where all the data structure(s) you would need to modifiy/alter to properly hide your driver. In specific the SERVICE_RECORD structure and the following members needs to be modified as well: Prev, Next and ServiceName. Once you have found such structure inside services.exe its back to basic algorithm 101. Which is to drop the required driver that you want to hide from those doubly-linked list. The following image is courtesy of the article mentioned before.
This is the basic or general rule behind hiding the service.
I am new to device driver programming. I've followed the available tutorials on the web which has provided helpful information to get started. However now I have embarked on a new project where the exclusive goal is to search for functions which have been hooked by malware or keyloggers. So I think I have sorted out what I need to accomplish this though I still need to be able to locate the load address of the system dll's (i.e. kernel32.dll, user32.dll and the like) that are already loaded in memory. I need the load address so that I can parse their PE to get to the export and import sections. Furthermore adding the load address to the file size will give me a address range to cross reference the addresses of the export functions no ? Cross referencing the the IMPORT address will be a little more involved but it can be done according to my estimates. I thought that building a kernel mode driver would be the right way to go since accessing memory outside the kernel driver's address range would not be an issue for the driver as opposed to a user mode app. How else will I be able to access the addresses located in the EAT and IAT of the target dll ? I know there exist a user mode API that can provide the load address mainly being GetModuleHandle but I would like to find the equivalent in kernel mode. I could write a user mode application that could relay this information to the driver but prefer that this all be done in kernel mode if possible. Any suggestions or comments would be most welcome.
Thanks in advance
Victor
p.s This post has been edited for more clarity. Hopefully it will make it more clear as what I am trying to accomplish.
This is probably not a very good idea to do in kernel mode. When are you going to actually do this and guarantee the process is in a state where you could walk the IAT?
What if the process is in the middle of loading a DLL? If you're executing in-thread (i.e. from a syscall or device IOCTL), what if other threads are executing too? Doing this when you're not the OS is a very difficult proposition to correctly do, and it's very easy to destabilize your customers' machines (hell, it's reasonably hard to do even if you are the OS)
Take a look at LdrGetProcedureAddress and the rest of the gang.
Edit:
MmGetSystemRoutineAddress might also be helpful.
Just wanted to thank everyone for their contribution. I did manage to some further research and discovered that there is a kernel mode API called PsLoadImageNotifyCallback that is able to find the base addresss of any process.
I have a WPF app that uses a non-WPF vendor library. My app does not receive any events that the library fires. I've been told that this is because I need a message pump.
In another (very similar) question, the accepted answer suggested using System.Windows.Threading.Dispatcher.Run().
When I add in that call, however, my window won't pop up-- the app is effectively backgrounded and I have to shut it down with Task Manager.
I'm really stumped here, and I'm not even sure how to investigate it. Any help would be greatly appreciated.
You already have one if you use WPF, there's no other way that it can get any Windows notifications. Every WPF app starts life with a call to Application.Run() on the main thread. It is usually well hidden, auto-generated in the bin\debug\app.g.cs source code file. Application.Run() in turn calls Dispatcher.Run()
Your vendor is correct, without a message loop many COM components go catatonic. But since you have one you need to look for the problem elsewhere. Don't use the component on threads.
Basically, I have two applications that run sequentially (second is started by the first, and the first exits immediately after.) I'd like to pass ownership of a window the first application created to the second application. The actual contents of the window don't need to be passed along, it's just being drawn in by DirectX.
Alternatively, but less desirably, is it possible to at least disable the window closing/opening animation, so it at least looks like the desired effect is achieved?
(This is in C, using the vanilla Win32 API.)
Instead of separated application make a DLL that will be loaded by the first application and run within it.
I suspect that you're going to run into problems because the WindowProc function is located in the memory address space of the program that you're closing.
Also, a quick look at the second remark at the bottom of the documentation for RegisterClass doesn't seem to offer up much hope.
The only work around that I can suggest for what you've described is to not close the first application until the second application is finished with the window in question.
you can use API hooking to make your DLL capture API windows calls sent by the application window and respond as if your DLL is the windows DLL
for more information about hooking check :
Hooks Overview
I am kind of lost here, and I don't know what to do
I have a problem that I don't know what the source of it.
We have a large wpf application, that is built similar to prism (composite application)
Actually we are using lots of prism library.
I wrote a module to replace an existing module.
And the application now is loading my module, instead of the old module.
I start to notice, with the new module, that sometimes the application freeze for 20-30 seconds without any response, and then it work smoothly after that.
The freeze is not consistent, and there is no pattern or a specific reason that cause it.
I am suspecting that could be my module that is causing that freeze.
But at the same time, many other developers introduced new code to the application.
My question is there a way to trace that freeze?
Is there a way to compare the old module and the new module that I wrote?
I can run the application with my module, and trace the application, and then I can change the config file to load the old module.
Is there a way to compare between the two?
Should I do profiling?
and if profiling will help, then what should I look for?
any other tool could help?
Thanks a lot for any reply
It sounds like you are doing a long running operation on your UI thread. Are you making any database / webservice calls from the main thread? I think one of the easiest things to do is run it in the debugger, and when it freezes, hit the "pause" button. Visual Studio will pause execution at the current location, and you can examine what is taking so long.
If the problem isn't immediately obvious there, I would definitely start profiling the application to track this down.