They used what we call "Hooks" (API detours used for filtering). On Vista and later, Microsoft provides APIs that let a low-level driver sit between userland calls and the kernel APIs, so registering an antivirus product with the kernel is easy. Better, this registration-based design lets system security be split into layers, where several products with different aims can coexist. This was not the case with hooks, whose implementation was entirely product dependent.

NOTE: I will not cover the hook-based workarounds for pre-Vista systems, because they are easy to find on the internet and would need a whole chapter to explain how to hook, where to hook, and so on. But you should know it is the same idea as the kernel APIs, except that you have to implement yourself what Microsoft provides on Vista+ systems. A basic hooking example and some useful links about writing drivers were referenced here in the original post.

The first thing to protect the user from is the launching of malicious processes. An antivirus should register a PsSetCreateProcessNotifyRoutineEx callback. On each process creation, before the main thread starts to run (and can do anything malicious), the antivirus callback is notified and receives the information it needs: the image file name and command line, the file object, the PID and the parent PID. The callback runs in the context of the creating (parent) thread while the new process is still pending, so the driver can ask its service to analyse the new image before it runs. If something malicious is found, the driver sets CreateInfo->CreationStatus to a failure code such as STATUS_ACCESS_DENIED and returns, and the process creation fails. Note that CreationStatus is an NTSTATUS, not a boolean: setting it to FALSE (0) is the same as STATUS_SUCCESS and blocks nothing. Two more things to know: CreateInfo is NULL when the callback is invoked for a process exit, and the driver must be linked with /INTEGRITYCHECK, otherwise PsSetCreateProcessNotifyRoutineEx fails with STATUS_ACCESS_DENIED.

The registration function and the structure the callback receives:

```c
NTSTATUS PsSetCreateProcessNotifyRoutineEx(
    _In_ PCREATE_PROCESS_NOTIFY_ROUTINE_EX NotifyRoutine,
    _In_ BOOLEAN                           Remove      // FALSE to register, TRUE to unregister
);

VOID CreateProcessNotifyRoutineEx(
    _Inout_  PEPROCESS              Process,
    _In_     HANDLE                 ProcessId,
    _In_opt_ PPS_CREATE_NOTIFY_INFO CreateInfo  // NULL on process exit
);

typedef struct _PS_CREATE_NOTIFY_INFO {
    SIZE_T              Size;
    union {
        ULONG Flags;
        struct {
            ULONG FileOpenNameAvailable : 1;
            ULONG IsSubsystemProcess    : 1;
            ULONG Reserved              : 30;
        };
    };
    HANDLE              ParentProcessId;
    CLIENT_ID           CreatingThreadId;
    struct _FILE_OBJECT *FileObject;
    PCUNICODE_STRING    ImageFileName;
    PCUNICODE_STRING    CommandLine;
    NTSTATUS            CreationStatus;   // set to a failure status to deny the creation
} PS_CREATE_NOTIFY_INFO, *PPS_CREATE_NOTIFY_INFO;
```

In the same way as for processes, threads can be a way for malicious code to cause damage.
For example, one can inject code into a legitimate process and start a remote thread on that code inside the process's context (easy to follow?). That way, a legitimate process ends up doing malicious things. We can watch new threads with the PsSetCreateThreadNotifyRoutine callback. Each time a thread is created (and again when it exits), the antivirus is notified with the PID, the TID and a Create flag:

```c
NTSTATUS PsSetCreateThreadNotifyRoutine(
    _In_ PCREATE_THREAD_NOTIFY_ROUTINE NotifyRoutine
);

VOID CreateThreadNotifyRoutine(
    _In_ HANDLE  ProcessId,
    _In_ HANDLE  ThreadId,
    _In_ BOOLEAN Create   // TRUE on creation, FALSE on exit
);
```

Unlike the process callback, this one has no status field, so the thread cannot be refused from the callback, and the start address is not passed in: to look at the code at the thread's start address the driver has to obtain it by other means, analyse it, and then stop or let the thread run on its own initiative. One cheap but useful signal the callback does give: it runs in the context of the creating thread, so if PsGetCurrentProcessId() differs from the notified ProcessId, a thread is being created in another process, which is exactly the remote-thread injection described above (the initial thread of a new process is also created by its parent, so that case has to be excluded).

The third dynamic threat is images loaded into memory. An image is a PE file: an EXE, a DLL or a SYS file. To be notified of loaded images, simply register PsSetLoadImageNotifyRoutine. The callback is invoked when the image is mapped into virtual memory, even if it is never executed, so we can see a process loading a DLL, a driver being loaded (the callback reports a ProcessId of 0 and ImageInfo->SystemModeImage set), or the executable of a new process being mapped. Like the thread callback, it cannot refuse the load; it is a detection point rather than a blocking point.
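As an added example (not code from the original post), here is how the three callbacks described in this and the previous section fit together in one driver: a process-creation callback that can deny, a thread callback that flags remote threads by comparing the creator's PID with the target's, and an image-load callback that only classifies. The policy decisions are kept in plain C functions so they compile and can be tested in user mode; the driver part needs the WDK and is compiled only when the assumed build flag `AV_KERNEL_BUILD` is defined. The blocklist entries and sample paths are constructed for illustration, not real detections.

```c
/* Added example, not code from the original post: the three Vista+ notification
 * callbacks (process, thread, image load) wired to one small policy. Policy
 * functions are plain C and testable in user mode; the driver glue needs the WDK
 * and is compiled only when the assumed build flag AV_KERNEL_BUILD is defined.
 * Blocklist entries are constructed sample rules, not real detections. */
#include <stddef.h>
#include <stdint.h>
#include <wchar.h>

#ifdef AV_KERNEL_BUILD
#include <ntddk.h>
#else
/* Minimal stand-ins for the WDK types the policy code uses. */
typedef int32_t NTSTATUS;
typedef void *HANDLE;
typedef unsigned char BOOLEAN;
#define STATUS_SUCCESS       ((NTSTATUS)0x00000000)
#define STATUS_ACCESS_DENIED ((NTSTATUS)0xC0000022)
#endif

enum image_verdict { IMAGE_OK = 0, IMAGE_SUSPICIOUS = 1 };

/* Constructed sample rules: image-name suffixes, a command-line fragment
 * (encoded PowerShell) and directories a DLL should not normally load from. */
static const wchar_t *const kBlockedImages[]  = { L"\\evil.exe", L"\\dropper.exe" };
static const wchar_t *const kBlockedCmdline[] = { L" -enc " };
static const wchar_t *const kSuspiciousDirs[] = { L"\\temp\\", L"\\downloads\\" };
#define COUNT(a) (sizeof(a) / sizeof((a)[0]))

/* Length-bounded, case-insensitive matching: UNICODE_STRING buffers are not
 * guaranteed to be NUL-terminated, so the callbacks never call wcslen on them. */
static wchar_t lc(wchar_t c) { return (c >= L'A' && c <= L'Z') ? (wchar_t)(c + 32) : c; }
static int eq_ci(const wchar_t *a, const wchar_t *b, size_t m)
{ for (size_t i = 0; i < m; i++) if (lc(a[i]) != lc(b[i])) return 0; return 1; }
static int ends_with_ci(const wchar_t *s, size_t n, const wchar_t *suf)
{ size_t m = wcslen(suf); return m <= n && eq_ci(s + n - m, suf, m); }
static int contains_ci(const wchar_t *s, size_t n, const wchar_t *nd)
{ size_t m = wcslen(nd); for (size_t i = 0; i + m <= n; i++) if (eq_ci(s + i, nd, m)) return 1; return 0; }

/* Process creation is the only one of the three callbacks that can veto: the
 * value returned here is stored in CreateInfo->CreationStatus. */
NTSTATUS decide_process_creation(const wchar_t *image, size_t image_len,
                                 const wchar_t *cmdline, size_t cmdline_len)
{
    for (size_t i = 0; image && i < COUNT(kBlockedImages); i++)
        if (ends_with_ci(image, image_len, kBlockedImages[i])) return STATUS_ACCESS_DENIED;
    for (size_t i = 0; cmdline && i < COUNT(kBlockedCmdline); i++)
        if (contains_ci(cmdline, cmdline_len, kBlockedCmdline[i])) return STATUS_ACCESS_DENIED;
    return STATUS_SUCCESS;
}
/* Thread creation cannot be vetoed, but the callback runs in the creating thread's
 * context, so creator PID != target PID means a remote thread. Caveat: the initial
 * thread of a new process is created by its parent and matches too; filter those
 * with the PIDs seen by the process callback. */
int is_remote_thread_creation(HANDLE creator_pid, HANDLE target_pid, BOOLEAN create)
{
    return create && creator_pid != target_pid;
}
/* Image load cannot be vetoed either; classify only. */
enum image_verdict classify_image_load(const wchar_t *name, size_t name_len)
{
    if (!ends_with_ci(name, name_len, L".dll")) return IMAGE_OK;
    for (size_t i = 0; i < COUNT(kSuspiciousDirs); i++)
        if (contains_ci(name, name_len, kSuspiciousDirs[i])) return IMAGE_SUSPICIOUS;
    return IMAGE_OK;
}

#ifdef AV_KERNEL_BUILD
static void ProcessNotifyEx(PEPROCESS Process, HANDLE Pid, PPS_CREATE_NOTIFY_INFO Info)
{
    UNREFERENCED_PARAMETER(Process);
    if (Info == NULL) return;                        /* NULL: the process is exiting */
    PCUNICODE_STRING img = Info->ImageFileName, cmd = Info->CommandLine;
    Info->CreationStatus = decide_process_creation(
        img ? img->Buffer : NULL, img ? img->Length / sizeof(WCHAR) : 0,
        cmd ? cmd->Buffer : NULL, cmd ? cmd->Length / sizeof(WCHAR) : 0);
    if (!NT_SUCCESS(Info->CreationStatus)) DbgPrint("av: blocked pid %p %wZ\n", Pid, img);
}
static void ThreadNotify(HANDLE Pid, HANDLE Tid, BOOLEAN Create)
{
    HANDLE creator = PsGetCurrentProcessId();
    if (is_remote_thread_creation(creator, Pid, Create))
        DbgPrint("av: pid %p created thread %p in pid %p\n", creator, Tid, Pid);
}
static void ImageNotify(PUNICODE_STRING Name, HANDLE Pid, PIMAGE_INFO Info)
{
    if (Name == NULL || Info->SystemModeImage) return;   /* SystemModeImage: a driver */
    if (classify_image_load(Name->Buffer, Name->Length / sizeof(WCHAR)) == IMAGE_SUSPICIOUS)
        DbgPrint("av: suspicious image %wZ mapped in pid %p\n", Name, Pid);
}
static void DriverUnload(PDRIVER_OBJECT Drv)
{
    UNREFERENCED_PARAMETER(Drv);
    PsRemoveLoadImageNotifyRoutine(ImageNotify);
    PsRemoveCreateThreadNotifyRoutine(ThreadNotify);
    PsSetCreateProcessNotifyRoutineEx(ProcessNotifyEx, TRUE);   /* TRUE = unregister */
}
/* The Ex registration requires a driver linked with /INTEGRITYCHECK; otherwise it
 * fails with STATUS_ACCESS_DENIED. */
NTSTATUS DriverEntry(PDRIVER_OBJECT Drv, PUNICODE_STRING RegPath)
{
    UNREFERENCED_PARAMETER(RegPath);
    Drv->DriverUnload = DriverUnload;
    NTSTATUS st = PsSetCreateProcessNotifyRoutineEx(ProcessNotifyEx, FALSE);
    if (!NT_SUCCESS(st)) return st;
    st = PsSetCreateThreadNotifyRoutine(ThreadNotify);
    if (!NT_SUCCESS(st)) { PsSetCreateProcessNotifyRoutineEx(ProcessNotifyEx, TRUE); return st; }
    st = PsSetLoadImageNotifyRoutine(ImageNotify);
    if (!NT_SUCCESS(st)) { DriverUnload(Drv); return st; }  /* removing the unregistered image routine is harmless */
    return STATUS_SUCCESS;
}
#endif
```

Keeping the verdict logic out of the callbacks is deliberate: the callbacks run at PASSIVE_LEVEL in the context of some other process's thread, so they should do as little as possible and hand anything expensive to the user-mode service, and the pure functions can be unit tested without loading a driver at all.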