none
API Instrumentation on Windows 10 RS3 and later RRS feed

  • Question

  • What API instrumentation features will Microsoft provide to developers who want to inspect process API usage in Windows 10 and beyond? For example, Windows Defender ATP has its own ETW providers such as:

    <provider name="Microsoft-Windows-Threat-Intelligence" guid="{f4e1897c-bb5d-5668-f1d8-040f4d8dd344}" resourceFileName="Microsoft-Windows-Threat-Intelligence" messageFileName="Microsoft-Windows-Threat-Intelligence" symbol="MicrosoftWindowsThreatIntelligence" source="Xml" >
        <keywords>
         <keyword name="KERNEL_THREATINT_KEYWORD_ALLOCVM" message="$(string.keyword_KERNEL_THREATINT_KEYWORD_ALLOCVM)" mask="0x10"/>
         <keyword name="KERNEL_THREATINT_KEYWORD_PROTECTVM" message="$(string.keyword_KERNEL_THREATINT_KEYWORD_PROTECTVM)" mask="0x20"/>
         <keyword name="KERNEL_THREATINT_KEYWORD_MAPVIEW" message="$(string.keyword_KERNEL_THREATINT_KEYWORD_MAPVIEW)" mask="0x40"/>
         <keyword name="KERNEL_THREATINT_KEYWORD_QUEUEUSERAPC" message="$(string.keyword_KERNEL_THREATINT_KEYWORD_QUEUEUSERAPC)" mask="0x80"/>
         <keyword name="KERNEL_THREATINT_KEYWORD_SETTHREADCONTEXT" message="$(string.keyword_KERNEL_THREATINT_KEYWORD_SETTHREADCONTEXT)" mask="0x100"/>
         <keyword name="KERNEL_THREATINT_KEYWORD_LOCAL_CALLS" message="$(string.keyword_KERNEL_THREATINT_KEYWORD_LOCAL_CALLS)" mask="0x200"/>
         <keyword name="KERNEL_THREATINT_KEYWORD_CONTEXT_PARSE" message="$(string.keyword_KERNEL_THREATINT_KEYWORD_CONTEXT_PARSE)" mask="0x400"/>
         <keyword name="KERNEL_THREATINT_KEYWORD_EXECUTION_ADDRESS_VAD_PROBE" message="$(string.keyword_KERNEL_THREATINT_KEYWORD_EXECUTION_ADDRESS_VAD_PROBE)" mask="0x800"/>
         <keyword name="KERNEL_THREATINT_KEYWORD_EXECUTION_ADDRESS_MMF_NAME_PROBE" message="$(string.keyword_KERNEL_THREATINT_KEYWORD_EXECUTION_ADDRESS_MMF_NAME_PROBE)" mask="0x1000"/>
         <keyword name="KERNEL_THREATINT_KEYWORD_READVM" message="$(string.keyword_KERNEL_THREATINT_KEYWORD_READVM)" mask="0x2000"/>
         <keyword name="KERNEL_THREATINT_KEYWORD_WRITEVM" message="$(string.keyword_KERNEL_THREATINT_KEYWORD_WRITEVM)" mask="0x4000"/>
         <keyword name="KERNEL_THREATINT_KEYWORD_READWRITEVM_NO_SIGNATURE_RESTRICTION" message="$(string.keyword_KERNEL_THREATINT_KEYWORD_READWRITEVM_NO_SIGNATURE_RESTRICTION)" mask="0x8000"/>
        </keywords>

    However, it would appear that this is only accessible to protected processes such as Defender ATP, thus preventing access from normal SYSTEM-level services that would attempt to subscribe to it. 

    Since you can no longer instrument APIs in the kernel through hooking, the only method for getting this data would be to load code into every process as it starts and then hook in user space. This is a poor choice, however. Obviously the hooks in user space can be evaded or removed and there is now code integrity guard and arbitrary code guard. 

    What is the recommended approach to inspect process API usage in Windows 10 RS3 and beyond? Without visibility in this area, behavioral analysis is nearly impossible. 

    Tuesday, February 27, 2018 7:26 PM

All replies

  • Well hooking was always a disaster.  I hooked the whole native API for a project for a government agency in the early Windows 2000 days, and it truly is a disaster since things change in those interfaces.

    You basically have the standard set of things:

    1. File system filters to monitor file access
    2. CmRegisterCallbackEx to monitor registry access
    3. Device filters to monitor specific device access
    4. ObRegisterCallbacks and PsSetXXXNotifyRoutine to monitor process related stuff
    5. WFP drivers to monitor network access
    6. Various SeXXX functions to aid in tracking users and permissions

    That is a lot checking capability you can do, and yes if you want more you can apply a Detours like model in user space.


    Don Burn Windows Driver Consulting Website: http://www.windrvr.com

    Friday, March 2, 2018 10:50 PM
  • Have you looked at Microsoft's Detours package?

     -Brian


    Azius Developer Training www.azius.com Windows device driver, internals, security, & forensics training and consulting. Blog at www.azius.com/blog

    Saturday, March 3, 2018 1:01 AM
    Moderator