From: m on

What company is it that you work for again? That way I can be sure never to
buy anything they offer ...

Seriously, think about what you want to achieve and how you think that this
will help you before proceeding. Take a step back and remember how the OS
operates and how security is enforced before trying to write an anti-malware
something.

<sarshah20(a)yahoo.com> wrote in message
news:52176d6c-948e-4264-a5d5-7ad18d255363(a)z11g2000yqz.googlegroups.com...
> Thanks Roger. For now, I just want to be able to cleanly call a system
> routine even if it is hooked. At this stage I want control at user
> space (create, add, delete file/process/reg) and I did not want to
> hook anything at user space. Therefore, using SSDT seemed like a good
> idea. For future, I would prefer to go to a filter driver for files as
> suggested earlier.
>
> About the hooking, yes malware could go to any level. I already have
> this info available (through some mechanism) about a software/malware
> so it can be dealt with.
>
> sarshah
>
> On Apr 13, 6:07 pm, rogero <roger....(a)gmail.com> wrote:
>> On Apr 13, 12:24 pm, sarsha...(a)yahoo.com wrote:
>>
>> > Thanks everyone for your response.
>>
>> > Jonathan: Thanks for your suggestion. Calling the documented APIs in
>> > the ordinary way won't work here. They are already hooked by the
>> > malware.
>>
>> > Don: That's a better idea to use IoCreateFile (filter drivers). Is
>> > there anything similar I can use for process and registry?
>>
>> Can you explain what you are trying to accomplish?
>>
>> If you have malware *whatever* mechanism you try to use
>> might be hooked.
>>
>> Roger.
>
From: sarshah20 on
Thanks everyone for their response. I do understand the apprehensions
that are being discussed. The problem is that I can't disclose the
entire idea because it's IP. Otherwise it would make some sense. I need
to conduct some experiments at this stage and there were some issues I
am facing. So I really appreciate the feedback (positive or negative,
insulting or otherwise). Please do keep them coming.

Thanks everyone for their help.
sarshah.


On Apr 15, 7:24 am, "m" <m...(a)b.c> wrote:
> What company is it that you work for again?  That way I can be sure never to
> buy anything they offer ...
>
> Seriously, think about what you want to achieve and how you think that this
> will help you before proceeding.  Take a step back and remember how the OS
> operates and how security is enforced before trying to write an anti-malware
> something.
>
> <sarsha...(a)yahoo.com> wrote in message
>
> news:52176d6c-948e-4264-a5d5-7ad18d255363(a)z11g2000yqz.googlegroups.com...
> > Thanks Roger. For now, I just want to be able to cleanly call a system
> > routine even if it is hooked. At this stage I want control at user
> > space (create, add, delete file/process/reg) and I did not want to
> > hook anything at user space. Therefore, using SSDT seemed like a good
> > idea. For future, I would prefer to go to a filter driver for files as
> > suggested earlier.
>
> > About the hooking, yes malware could go to any level. I already have
> > this info available (through some mechanism) about a software/malware
> > so it can be dealt with.
>
> > sarshah
>
> > On Apr 13, 6:07 pm, rogero <roger....(a)gmail.com> wrote:
> >> On Apr 13, 12:24 pm, sarsha...(a)yahoo.com wrote:
>
> >> > Thanks everyone for your response.
>
> >> > Jonathan: Thanks for your suggestion. Calling the documented APIs in
> >> > the ordinary way won't work here. They are already hooked by the
> >> > malware.
>
> >> > Don: That's a better idea to use IoCreateFile (filter drivers). Is
> >> > there anything similar I can use for process and registry?
>
> >> Can you explain what you are trying to accomplish?
>
> >> If you have malware *whatever* mechanism you try to use
> >> might be hooked.
>
> >> Roger.

From: Marvin Landman on
You are either writing an ordinary malware or a malware that takes over
another malware without being noticed by the other malware.

On the other hand, if you are not, and you believe that writing a tool that
can either detect, disable, or remove malware (more precisely rootkits)
is possible while they are online, you must be a fool.

Since I doubt that you are a fool, you are most likely trying to work
around the hooks of a specific malware (because that's possible); I'm pretty
much sure that you are writing malware.

Marvin

sarshah20(a)yahoo.com wrote:
> Thanks everyone for their response. I do understand the apprehensions
> that are being discussed. The problem is that I can't disclose the
> entire idea because it's IP. Otherwise it would make some sense. I need
> to conduct some experiments at this stage and there were some issues I
> am facing. So I really appreciate the feedback (positive or negative,
> insulting or otherwise). Please do keep them coming.
>
> Thanks everyone for their help.
> sarshah.
>
>
> On Apr 15, 7:24 am, "m" <m...(a)b.c> wrote:
>> What company is it that you work for again? That way I can be sure never to
>> buy anything they offer ...
>>
>> Seriously, think about what you want to achieve and how you think that this
>> will help you before proceeding. Take a step back and remember how the OS
>> operates and how security is enforced before trying to write an anti-malware
>> something.
>>
>> <sarsha...(a)yahoo.com> wrote in message
>>
>> news:52176d6c-948e-4264-a5d5-7ad18d255363(a)z11g2000yqz.googlegroups.com...
>>> Thanks Roger. For now, I just want to be able to cleanly call a system
>>> routine even if it is hooked. At this stage I want control at user
>>> space (create, add, delete file/process/reg) and I did not want to
>>> hook anything at user space. Therefore, using SSDT seemed like a good
>>> idea. For future, I would prefer to go to a filter driver for files as
>>> suggested earlier.
>>> About the hooking, yes malware could go to any level. I already have
>>> this info available (through some mechanism) about a software/malware
>>> so it can be dealt with.
>>> sarshah
>>> On Apr 13, 6:07 pm, rogero <roger....(a)gmail.com> wrote:
>>>> On Apr 13, 12:24 pm, sarsha...(a)yahoo.com wrote:
>>>>> Thanks everyone for your response.
>>>>> Jonathan: Thanks for your suggestion. Calling the documented APIs in
>>>>> the ordinary way won't work here. They are already hooked by the
>>>>> malware.
>>>>> Don: That's a better idea to use IoCreateFile (filter drivers). Is
>>>>> there anything similar I can use for process and registry?
>>>> Can you explain what you are trying to accomplish?
>>>> If you have malware *whatever* mechanism you try to use
>>>> might be hooked.
>>>> Roger.
>
From: m on
So, to put a fine point on it, you would like community help to implement
your trade secret! I don't mean to be insulting, but if that doesn't raise
alarm bells, then I am not sure what should. Usually, those who have trade
secrets don't need to ask for help about fundamental elements of their
secret ;)

I suspect that you have an idea of how an anti-malware device might be
constructed and are seeking to prototype it. I think I can guess what you
are trying to do, but for your sake won't post it to Usenet. You should
know, however, that this kind of design has been tried before and inevitably
fails miserably because it can always be circumvented by a malware author
with knowledge. Unless you are trying to defend against a specific binary,
you can't succeed except probabilistically.

<sarshah20(a)yahoo.com> wrote in message
news:d79a9629-537e-4c88-8291-b1b94cb730f2(a)z6g2000yqz.googlegroups.com...
> Thanks everyone for their response. I do understand the apprehensions
> that are being discussed. The problem is that, i cant disclose the
> entire idea because its IP. Otherwise it would make some sense. I need
> to conduct some experiments at this stage and there were some issues i
> am facing. So i really appreciate the feedback (positive or negative,
> insulting or otherwise). Please do keep them coming.
>
> Thanks everyone for their help.
> sarshah.
>
>
> On Apr 15, 7:24 am, "m" <m...(a)b.c> wrote:
>> What company is it that you work for again? That way I can be sure never to
>> buy anything they offer ...
>>
>> Seriously, think about what you want to achieve and how you think that this
>> will help you before proceeding. Take a step back and remember how the OS
>> operates and how security is enforced before trying to write an anti-malware
>> something.
>>
>> <sarsha...(a)yahoo.com> wrote in message
>>
>> news:52176d6c-948e-4264-a5d5-7ad18d255363(a)z11g2000yqz.googlegroups.com...
>> > Thanks Roger. For now, I just want to be able to cleanly call a system
>> > routine even if it is hooked. At this stage I want control at user
>> > space (create, add, delete file/process/reg) and I did not want to
>> > hook anything at user space. Therefore, using SSDT seemed like a good
>> > idea. For future, I would prefer to go to a filter driver for files as
>> > suggested earlier.
>>
>> > About the hooking, yes malware could go to any level. I already have
>> > this info available (through some mechanism) about a software/malware
>> > so it can be dealt with.
>>
>> > sarshah
>>
>> > On Apr 13, 6:07 pm, rogero <roger....(a)gmail.com> wrote:
>> >> On Apr 13, 12:24 pm, sarsha...(a)yahoo.com wrote:
>>
>> >> > Thanks everyone for your response.
>>
>> >> > Jonathan: Thanks for your suggestion. Calling the documented APIs in
>> >> > the ordinary way won't work here. They are already hooked by the
>> >> > malware.
>>
>> >> > Don: That's a better idea to use IoCreateFile (filter drivers). Is
>> >> > there anything similar I can use for process and registry?
>>
>> >> Can you explain what you are trying to accomplish?
>>
>> >> If you have malware *whatever* mechanism you try to use
>> >> might be hooked.
>>
>> >> Roger.
>
From: Hector Santos on
What is it about these darn patent trolls!? At least in the past,
they would do things in secret, on their own, and write frivolous
patents. Now they are in your FACE, in public, and they want your
nonchalant HELP in their own work, like it's nothing, like it's alright to
behave like this. Talk about cojones, being naive and just losers!
It's like they have NO other way or capability to do anything but have
an "IDEA" they think did not exist in their little world, therefore it
must be unique!

Disgusting.


m wrote:

> So, to put a fine point on it, you would like community help to
> implement your trade secret! I don't mean to be insulting, but if that
> doesn't raise alarm bells, then I am not sure what should. Usually,
> those who have trade secrets don't need to ask for help about
> fundamental elements of their secret ;)
>
> I suspect that you have an idea of how an anti-malware device might be
> constructed and are seeking to prototype it. I think I can guess what
> you are trying to do, but for your sake won't post it to Usenet. You
> should know, however, that this kind of design has been tried before and
> inevitably fails miserably because it can always be circumvented by a
> malware author with knowledge. Unless you are trying to defend against
> a specific binary, you can't succeed except probabilistically.
>
> <sarshah20(a)yahoo.com> wrote in message
> news:d79a9629-537e-4c88-8291-b1b94cb730f2(a)z6g2000yqz.googlegroups.com...
>> Thanks everyone for their response. I do understand the apprehensions
>> that are being discussed. The problem is that I can't disclose the
>> entire idea because it's IP. Otherwise it would make some sense. I need
>> to conduct some experiments at this stage and there were some issues I
>> am facing. So I really appreciate the feedback (positive or negative,
>> insulting or otherwise). Please do keep them coming.
>>
>> Thanks everyone for their help.
>> sarshah.
>>
>>
>> On Apr 15, 7:24 am, "m" <m...(a)b.c> wrote:
>>> What company is it that you work for again? That way I can be sure never to
>>> buy anything they offer ...
>>>
>>> Seriously, think about what you want to achieve and how you think that this
>>> will help you before proceeding. Take a step back and remember how the OS
>>> operates and how security is enforced before trying to write an anti-malware
>>> something.
>>>
>>> <sarsha...(a)yahoo.com> wrote in message
>>>
>>> news:52176d6c-948e-4264-a5d5-7ad18d255363(a)z11g2000yqz.googlegroups.com...
>>> > Thanks Roger. For now, I just want to be able to cleanly call a system
>>> > routine even if it is hooked. At this stage I want control at user
>>> > space (create, add, delete file/process/reg) and I did not want to
>>> > hook anything at user space. Therefore, using SSDT seemed like a good
>>> > idea. For future, I would prefer to go to a filter driver for files as
>>> > suggested earlier.
>>>
>>> > About the hooking, yes malware could go to any level. I already have
>>> > this info available (through some mechanism) about a software/malware
>>> > so it can be dealt with.
>>>
>>> > sarshah
>>>
>>> > On Apr 13, 6:07 pm, rogero <roger....(a)gmail.com> wrote:
>>> >> On Apr 13, 12:24 pm, sarsha...(a)yahoo.com wrote:
>>>
>>> >> > Thanks everyone for your response.
>>>
>>> >> > Jonathan: Thanks for your suggestion. Calling the documented APIs in
>>> >> > the ordinary way won't work here. They are already hooked by the
>>> >> > malware.
>>>
>>> >> > Don: That's a better idea to use IoCreateFile (filter drivers). Is
>>> >> > there anything similar I can use for process and registry?
>>>
>>> >> Can you explain what you are trying to accomplish?
>>>
>>> >> If you have malware *whatever* mechanism you try to use
>>> >> might be hooked.
>>>
>>> >> Roger.
>>



--
HLS