What about PsSetLoadImageNotifyRoutine ? #26
Comments
Indeed, those are good indicators that something wonky is happening 😄. That said, you might observe false positives on those indicators alone. Yes, the same can be observed in both image load and process create. There are challenges with respect to performing inspection during the image load notify routine. Security software has tended to avoid that path due to these challenges, although it is possible to do so with some careful handling, and some security software does. The state the thread/process is in when the callback is invoked has changed over the years, and which images it is invoked for has also changed. More info in the remarks section of the MSDN documentation, and see SEC_IMAGE_NO_EXECUTE. There is also no trivial/documented way to deny the image load from occurring in that path. In contrast, the process notify routine does expose a documented way to deny process creation. For these reasons most defensive techniques against this type of evasion occur during inspection at the process creation routine. I'll also add there are some mini-filter callbacks for doing inspection during section creation, but they struggle with similar caveats/drawbacks as the image load notification (see: IRP_MJ_ACQUIRE_FOR_SECTION_SYNCHRONIZATION). I also recommend giving this blog post from Microsoft a read. They outline a few indicators that I was unfamiliar with during my initial research.
Thank you!
Hello!
I apologize at once for the perhaps naive questions.
I am studying your project and found several things:
You can see that WriteAccess is non-zero. In the examples from your documentation I see that WriteAccess is 0.
My example of running a program:
ProcessHerpaderping.exe X.exe Y.exe Z.exe
Am I doing something wrong?
I looked at your code and I don't think there can be WriteAccess == 0.
I am reading the original PE header (not the replaced file), so I can compare what's currently on the disk with what's at the ImageBase address. This will be different when I am using your current project.
My question is, are these two items proof that something went wrong with the process? (If we assume that "normal" processes for us are read-only processes)
Thank you. ❤
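The on-disk vs. ImageBase comparison described in the issue above, as an added example in portable C (not code from the ProcessHerpaderping project): it parses the DOS and COFF headers of two byte buffers and reports whether the file on disk is no longer a valid PE or its header fields differ from the mapped image. The header bytes are constructed inline; a real check is assumed to obtain them from the file and from the process at ImageBase.

```c
#include <stdint.h>
#include <string.h>
#include <stdio.h>
/* Result flags of compare_pe_headers(); SAMPLE_LEN is the size of the constructed sample buffers. */
enum { PE_OK = 0, PE_DISK_NOT_PE = 1, PE_MEM_NOT_PE = 2, PE_HDR_MISMATCH = 4 };
#define SAMPLE_LEN 0x60
static uint32_t rd32(const uint8_t *p) { return p[0] | p[1] << 8 | p[2] << 16 | (uint32_t)p[3] << 24; }
/* Offset of the "PE\0\0" signature (reached via e_lfanew), or -1 if buf is not a PE image. */
static long nt_offset(const uint8_t *buf, size_t len) {
    if (len < 0x40 || buf[0] != 'M' || buf[1] != 'Z') return -1;
    uint32_t off = rd32(buf + 0x3C);                        /* e_lfanew */
    if (off > len || len - off < 26) return -1;             /* signature + COFF header + Magic */
    return memcmp(buf + off, "PE\0\0", 4) == 0 ? (long)off : -1;
}

/* Compare the header bytes read from the file on disk with the header bytes mapped at
   ImageBase. A mismatch, or a disk file that is no longer a valid PE, is the indicator. */
int compare_pe_headers(const uint8_t *disk, size_t dlen, const uint8_t *mem, size_t mlen) {
    long d = nt_offset(disk, dlen), m = nt_offset(mem, mlen);
    int flags = PE_OK;
    if (d < 0) flags |= PE_DISK_NOT_PE;
    if (m < 0) flags |= PE_MEM_NOT_PE;
    if (flags) return flags;                                /* cannot compare fields at all */
    /* 20-byte COFF file header (Machine .. Characteristics) plus the optional header Magic */
    if (memcmp(disk + d + 4, mem + m + 4, 22) != 0) flags |= PE_HDR_MISMATCH;
    return flags;
}

/* Constructed sample: a minimal PE32+ header only, not a real executable. */
void build_sample_image(uint8_t *buf) {
    static const uint8_t hdr[] = {
        0x50,0x45,0,0, 0x64,0x86, 0x02,0x00,        /* "PE\0\0", Machine=AMD64, NumberOfSections=2 */
        0x78,0x56,0x34,0x12, 0,0,0,0, 0,0,0,0,      /* TimeDateStamp, symbol table pointer/count */
        0xF0,0x00, 0x22,0x00, 0x0B,0x02 };          /* SizeOfOptionalHeader, Characteristics, Magic=PE32+ */
    memset(buf, 0, SAMPLE_LEN);
    buf[0] = 'M'; buf[1] = 'Z'; buf[0x3C] = 0x40;           /* e_magic and e_lfanew */
    memcpy(buf + 0x40, hdr, sizeof hdr);
}
/* Scenarios: 0 = disk untouched, 1 = disk overwritten with junk after the section was
   created (the herpaderping case), 2 = only the TimeDateStamp differs. */
int run_case(int kind) {
    uint8_t disk[SAMPLE_LEN], mem[SAMPLE_LEN];
    build_sample_image(mem);
    build_sample_image(disk);
    if (kind == 1) memset(disk, 'A', SAMPLE_LEN);
    if (kind == 2) disk[0x40 + 8] ^= 1;                     /* flip a TimeDateStamp bit on disk */
    return compare_pe_headers(disk, SAMPLE_LEN, mem, SAMPLE_LEN);
}
int main(void) { for (int k = 0; k < 3; k++) printf("case %d -> flags %d\n", k, run_case(k)); return 0; }
```

A non-zero result is an indicator rather than proof: as the maintainer notes above, these signals alone can produce false positives, and a production check would also compare the section table and the bytes of each section.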