views:

566

answers:

4

Hi,

I would like to know where to get started, or how possible it is to hook into, or patch, the Windows kernel (XP and up). I am specifically interested in software like McAfee Entercept, or certain antivirus scanners that patch the kernel. I would like to know how feasible it is for a startup to create software that adds functionality to the kernel (I am aware of KPP, and that it can possibly be bypassed), and any ramifications of doing this. I was unable to find a simple description, and only have limited experience with Win32. Any help is much appreciated,

J

Further clarification: I am not after a driver as such, and would be interested in whether it would be technically possible to port something like PaX to Windows, for example. It is a bad example as Windows already has an implementation, but I am interested in whether similar technologies could be ported without having access to the NT source.

+2  A: 

Yes, it's very possible to hook into the kernel. I strongly suggest the books Windows Internals and Rootkits.

These should give you all of the information you need.

Cody Brocious
+1  A: 

The Microsoft Detours library allows you to intercept API calls from processes, and insert or replace your own code.

Note that successfully doing this sort of thing will likely require somewhat more than limited Win32 experience. As you can imagine, this can be a very complex topic.

Greg Hewgill
Note: This won't help with patching the kernel, only userspace.
Cody Brocious
It won't, but it's not clear what he is asking; maybe a kernel driver (patching is not the right terminology in the Windows kernel world) is not what he needs and this library will be enough.
Ilya
You don't hear "patching" very often but Microsoft does use the term "Kernel Patching Protection" so it is not that strange in the Windows world.
BobbyShaftoe
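The mechanism behind Detours (and behind most user-mode API hooking) is inline patching: the first bytes of the target function are overwritten with a relative jump to the hook, and the displaced instructions are preserved in a trampoline so the hook can still call the original. The following is an added example, not code from the thread or from Detours, that installs only the jump (no trampoline) on Linux/x86-64 so it can be run without Windows; the `check_access` function, the hook, the helper names and the sample uid values are all constructed for the illustration. The same byte-level patching is what kernel-mode products did to the NT kernel before Kernel Patch Protection began checking those bytes.

```c
/* Added example (not from the thread or from Detours): inline hooking by
 * overwriting a function's entry with `jmp rel32`.  Assumed names/values:
 * check_access, check_access_hook, install_jmp_hook, the uid inputs. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

/* The function we want to intercept.  noinline keeps it a real call target;
 * the volatile function pointer in call_check_access keeps the compiler from
 * folding its result at the call site. */
__attribute__((noinline)) int check_access(int uid)
{
    return uid == 0 ? 1 : 0;   /* original policy: only root is allowed */
}

/* Replacement that runs once the patch is in place: deny everything, count calls. */
int hook_calls = 0;
__attribute__((noinline)) int check_access_hook(int uid)
{
    (void)uid;
    hook_calls++;
    return 0;
}

/* Always call through a volatile pointer so the compiler really calls the
 * (possibly patched) code instead of reusing a precomputed result. */
int call_check_access(int uid)
{
    int (*volatile fn)(int) = check_access;
    return fn(uid);
}

/* Overwrite the first 5 bytes of `target` with `jmp rel32` to `hook`.
 * Returns 0 on success, -1 if not x86, if the displacement does not fit in
 * 32 bits, or if the code page cannot be made writable. */
int install_jmp_hook(void *target, void *hook)
{
#if !defined(__x86_64__) && !defined(__i386__)
    (void)target; (void)hook;
    return -1;                            /* opcode below is x86-specific */
#else
    uint8_t *t = (uint8_t *)target;
    intptr_t rel = (intptr_t)((uint8_t *)hook - (t + 5));
    if (rel > INT32_MAX || rel < INT32_MIN)
        return -1;                        /* targets more than +-2 GiB apart */

    long page = sysconf(_SC_PAGESIZE);
    uintptr_t start = (uintptr_t)t & ~((uintptr_t)page - 1);
    size_t len = ((uintptr_t)t + 5) - start;   /* covers a page straddle too */
    if (mprotect((void *)start, len, PROT_READ | PROT_WRITE | PROT_EXEC) != 0)
        return -1;

    int32_t disp = (int32_t)rel;
    uint8_t patch[5];
    patch[0] = 0xE9;                      /* JMP rel32 */
    memcpy(&patch[1], &disp, sizeof disp);
    memcpy(t, patch, sizeof patch);       /* the displaced bytes are lost: no trampoline */
    __builtin___clear_cache((char *)t, (char *)t + 5);

    /* Put the page back to R-X; leaving code writable is itself a weakness. */
    mprotect((void *)start, len, PROT_READ | PROT_EXEC);
    return 0;
#endif
}

int main(void)
{
    printf("before hook: root=%d user=%d\n", call_check_access(0), call_check_access(1000));
    if (install_jmp_hook((void *)check_access, (void *)check_access_hook) != 0) {
        puts("hook install failed");
        return 1;
    }
    printf("after hook:  root=%d (hook calls=%d)\n", call_check_access(0), hook_calls);
    return 0;
}
```

Because the displaced instructions are not saved, the hook here cannot call the original; a real Detours-style hook copies those bytes into a trampoline followed by a jump back to `target+5`, which is the part that needs an instruction-length decoder and makes the library non-trivial. Note also that the same E9 patch written into kernel code is exactly what KPP's periodic checks are designed to detect.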
A: 

Driver development is not an easy task at all. Anti-virus software requires dealing with the file system (a file system filter driver), which makes life more complex. It would be useful if you tried to describe in more detail what you are trying to achieve.

The most recommended resource for driver development is OSR. There are 2 related mailing lists:

  1. ntdev, for general driver development
  2. ntfsd, for file system driver development

Book list can be found here.

Unless the driver is your core business (in that case find a person with kernel experience), I would strongly suggest outsourcing this work. On the lists above you can find plenty of consultants.

The Windows source basically can't be accessed :) unfortunately. To play with the virtual memory manager you must be in kernel mode, if this is possible at all.

Try asking this question on ntdev; you will be asking most of the kernel developers in the world. You will need to ask a more concrete question to get a reasonable answer (I will watch the thread, interesting topic).
If I understand correctly what you want to do, this is impossible on Windows. At least not without major reverse engineering work, but I mostly work with standard types of drivers, so I think I don't know enough to make a final conclusion.

Response to comment :

I'm not sure what exactly Entercept is doing (I did not find anything in the product description suggesting they play with memory or process permissions). So defining the final goal, rather than the specific technology to achieve it, might be a more productive way.

Response to comment 2 :

1.1. What is LIDS?

LIDS is an enhancement for the Linux kernel written by Xie Huagang and Philippe Biondi. It implements several security features that are not in the Linux kernel natively. Some of these include:
1. Mandatory access controls (MAC) - Don't know what it really means.
2. Port scan detector - This is definitely doable, look on this site.
3. File protection - File system filter driver, explained above.
4. Process protection - You can hook process creation in your driver; look in the ntdev archives, there are a lot of discussions about this.

Ilya
Hi Ilya, I will of course outsource the work, but first want to establish that it is possible, and secondly know what type of programmers to hire. I am guessing what I am asking must be possible, because products like Entercept manage it?
TheSecret
Entercept is system call interception for Windows, which they must have hooked into the kernel somehow. A specific goal for what I am interested in would be, for example, porting something like LIDS, or an implementation of such for Windows. Is such a thing possible, perhaps with kernel patching?
TheSecret
Just a side note: you don't patch the kernel, you write an extension, a kernel mode driver.
Ilya
For MAC see here http://en.wikipedia.org/wiki/Mandatory_access_control I am more interested in the generic kind of functionality, not any of the specific features; I want to keep the possibility abstract. LIDS can be a module but still required patching the kernel AFAIK
TheSecret
What do you mean "good luck"? According to this http://en.wikipedia.org/wiki/Kernel_Patch_Protection it happens often enough, but I would like to know to what extent it can be done.
TheSecret
I meant what I said, without being sarcastic; I just wished you good luck in your task.
Ilya
A: 

You talk about patching the kernel without providing a sensible explanation of why you want to do this and why you think the official API will not get you where you want to get. As a consequence, we have to assume you are planning to write some kind of malware -- do not expect anybody on stackoverflow to help you with this!

Johannes Passing