zwClose

  • Question

  • Hello guys, first of all I am not making a rootkit (well I am, but I am making a security program that works like a rootkit). The goal is to encrypt files when they are being closed and to decrypt them when they are being read.

    So far, I have created a driver module to intercept the functions zwClose and zwReadFile.

    So I would like to know: how can I tell what file is being closed using the zwClose function?

    I would like to know the file name and its path, to know if I should encrypt it or not.

    can you please help me with this ?

    Sorry for my bad English.

    Saturday, June 8, 2013 12:28 AM

Answers

  • Hooking does not work.  It won't work in 64-bit environments, and you will be amazed at how many special cases you have to debug to make it work on 32-bit.  Also, once you place your hook you can never remove it. Finally, where are you going to get the documentation for all the calls (the undocumented Windows sites on the internet are mostly accurate to Windows 2000 or NT4)?

    On your particular question, there is no way to do what you want; by the time the close occurs you can't get the file path.  This is one of those things you need to record on the create of the file object, and use on the close.   Of course there are good examples of how to do this with file system filters, but for what you want you have to do all the work yourself.

    Do yourself, your company, and the rest of us a favor and dump the hooking; it won't work.


    Don Burn Windows Filesystem and Driver Consulting Website: http://www.windrvr.com Blog: http://msmvps.com/blogs/WinDrvr

    Saturday, June 8, 2013 10:40 AM
  • Well, I am already using hooking techniques (it is legal, due to our software); we are logging what is going on this computer anyway

    If you want your customers to be secure and supported, you want them to use a modern platform: Win7->Win8 on x64. The advice you get here is based on this assumption. Hooking is popular (maybe even unavoidable) on XP, but think at least one year ahead.

    -- pa

    Saturday, June 8, 2013 1:43 PM
  • They renamed it minispy; see http://code.msdn.microsoft.com/windowshardware/Minispy-File-System-97844844

    It will not do keyboard and mouse, just files.  If you want other drivers, you need to create a simple filter using KMDF to handle these.


    Don Burn Windows Filesystem and Driver Consulting Website: http://www.windrvr.com Blog: http://msmvps.com/blogs/WinDrvr

    • Marked as answer by roma-mt-fdb Saturday, June 8, 2013 9:35 PM
    Saturday, June 8, 2013 9:14 PM
  • You can use the task scheduler in user mode to detect idle; no need for a keyboard or mouse filter. Btw, kbfiltr and moufiltr work on any type of input device, HID or serial or whatever.

    d -- This posting is provided "AS IS" with no warranties, and confers no rights.

    • Marked as answer by roma-mt-fdb Saturday, June 8, 2013 10:56 PM
    Saturday, June 8, 2013 10:38 PM
  • Hooking is not the right path. You want to write a filter manager based file system filter, which will allow you to perform these operations at the appropriate abstraction level.

    d -- This posting is provided "AS IS" with no warranties, and confers no rights.

    Saturday, June 8, 2013 3:36 AM

All replies

  • Hooking is not the right path. You want to write a filter manager based file system filter, which will allow you to perform these operations at the appropriate abstraction level.

    d -- This posting is provided "AS IS" with no warranties, and confers no rights.

    Saturday, June 8, 2013 3:36 AM
  • Hooking is not the right path. You want to write a filter manager based file system filter, which will allow you to perform these operations at the appropriate abstraction level.

    d -- This posting is provided "AS IS" with no warranties, and confers no rights.

    Well, I am already using hooking techniques (it is legal, due to our software); we are logging what is going on this computer anyway, so I thought to mix it up: every time a file is opened we log it, and if the file has to be encrypted, why not use the encryption function right on the open-file call?

    All I want to know is how to get the file path and name from the onZwClose(in handle handle) function.

    Saturday, June 8, 2013 4:16 AM
  • Hooking does not work.  It won't work in 64-bit environments, and you will be amazed at how many special cases you have to debug to make it work on 32-bit.  Also, once you place your hook you can never remove it. Finally, where are you going to get the documentation for all the calls (the undocumented Windows sites on the internet are mostly accurate to Windows 2000 or NT4)?

    On your particular question, there is no way to do what you want; by the time the close occurs you can't get the file path.  This is one of those things you need to record on the create of the file object, and use on the close.   Of course there are good examples of how to do this with file system filters, but for what you want you have to do all the work yourself.

    Do yourself, your company, and the rest of us a favor and dump the hooking; it won't work.


    Don Burn Windows Filesystem and Driver Consulting Website: http://www.windrvr.com Blog: http://msmvps.com/blogs/WinDrvr

    Saturday, June 8, 2013 10:40 AM
  • Then, how should I log computer activities on x64?

    Is there any way to do this?

    I don't need a lot of logs, only zwCreatThread, zwReadFile, zwClose and zwWriteFile, and to know when the user is inactive (keyboard and mouse weren't in use for, let's say, 3 minutes).

    What are the alternatives?

    Saturday, June 8, 2013 3:39 PM
  • So you use a simple file system mini-filter based on FileSpy.


    Don Burn Windows Filesystem and Driver Consulting Website: http://www.windrvr.com Blog: http://msmvps.com/blogs/WinDrvr

    Saturday, June 8, 2013 8:35 PM
  • I am sorry, I never heard of it; could you please link it?

    And can it also detect keyboard and mouse activities?

    Saturday, June 8, 2013 8:58 PM
  • They renamed it minispy; see http://code.msdn.microsoft.com/windowshardware/Minispy-File-System-97844844

    It will not do keyboard and mouse, just files.  If you want other drivers, you need to create a simple filter using KMDF to handle these.


    Don Burn Windows Filesystem and Driver Consulting Website: http://www.windrvr.com Blog: http://msmvps.com/blogs/WinDrvr

    • Marked as answer by roma-mt-fdb Saturday, June 8, 2013 9:35 PM
    Saturday, June 8, 2013 9:14 PM
  • Thank you very much!

    Do you have any ideas about mouse and keyboard?

    Is there any API?

    I need it like a screensaver, just instead of putting images on the screen I just need to log it.

    If mouse and keyboard are inactive, log the time and a "user afk" string.

    Initially I thought to make it as a keyboard logger, to calculate the time between the keys pressed, and if it is more than 3 minutes, to log afk at the time of the first hit, so we know the exact time the user was afk.

    afk stands for away from keyboard.

    Actually I had no idea about the mouse, but I was sure there is a table for mouse x and mouse y, and if I could recognize the changes I could say if it was moved.

    I am sorry about the plenty of questions. I am just not experienced with Windows programming :(


    Saturday, June 8, 2013 9:34 PM
  • For keyboard and mouse it depends on the type of the device.  HID devices can use http://code.msdn.microsoft.com/windowshardware/FIREFLY-WDF-filter-driver-e8b132c3; for traditional keyboards use http://code.msdn.microsoft.com/windowshardware/Kbfiltr-WDF-Version-685ff5c4; for traditional mice use http://code.msdn.microsoft.com/windowshardware/Moufiltr-WDF-Version-fb57f5de

    If all you need is inactivity, I believe this can be done from user space, which would be a better idea.  I am not sure how to do it though; I mainly live in the kernel.


    Don Burn Windows Filesystem and Driver Consulting Website: http://www.windrvr.com Blog: http://msmvps.com/blogs/WinDrvr

    Saturday, June 8, 2013 9:46 PM
  • Thank you very much :)

    Saturday, June 8, 2013 10:25 PM
  • You can use the task scheduler in user mode to detect idle; no need for a keyboard or mouse filter. Btw, kbfiltr and moufiltr work on any type of input device, HID or serial or whatever.

    d -- This posting is provided "AS IS" with no warranties, and confers no rights.

    • Marked as answer by roma-mt-fdb Saturday, June 8, 2013 10:56 PM
    Saturday, June 8, 2013 10:38 PM
  • Well, touchscreen laptops are not supported, and I don't believe we will have to support them in the near future. But I like the point :)

    Also we can say that the user can press buttons on the monitor itself, touch the mouse pad, etc. ;)

    Ehh, I want to go back to 95, where we could do such things with a few asm lines.

    What about 95 retail with a better GUI?

    Saturday, June 8, 2013 11:02 PM
  • Also, once you place your hook you can never remove it,

    It won't work in 64-bit environments

    I have bad news for you guys :))

    a) It can be removed using the same technique as it was hooked: redirect the system service as it was before the hooking.

    b) There is a way to hook calls using WoW64.

    Tuesday, June 25, 2013 3:51 PM
  • If you remove a hook and anyone else is hooking, you crash.  If you remove a hook in a number of other cases, you crash.  Yes, you can hook a user space process, which is what I assume you mean by WoW64, but kernel hooking, which is how this thread started, is not supported at all.

    If you are going to try kernel hooking, please publish your name, your company's name, and the product so we can avoid it, and if we get a bug report for something we did on a computer with your company's stuff we can point the finger correctly.


    Don Burn Windows Filesystem and Driver Consulting Website: http://www.windrvr.com Blog: http://msmvps.com/blogs/WinDrvr

    Tuesday, June 25, 2013 3:59 PM
  • I dumped it, don't worry :)).

    I just said that you can.

    I found a more elegant way in user mode.

    But I am planning to go back to it in the near future for malware recognition software, like rootkits.

    You can hook system calls using WoW64: when a user program wants to perform some operations you can hook them.

    Tuesday, June 25, 2013 4:21 PM
  • I don't see any way of crashing even if someone else is using the same hooks (btw I assume it is malware), since their driver just won't get a handle to the specified system call, and more likely they will crash.

    Tuesday, June 25, 2013 4:24 PM
  • I don't see any way of crashing even if someone else is using the same hooks (btw I assume it is malware), since their driver just won't get a handle to the specified system call, and more likely they will crash.


    I assume it is malware because I am talking about very specific system calls that are frequently used by malware rootkits to hide themselves.


    • Edited by roma-mt-fdb Tuesday, June 25, 2013 4:26 PM grammar
    Tuesday, June 25, 2013 4:25 PM
  • You are talking about user space hooking.  This is a kernel forum; don't confuse people by implying they can do hooking in the kernel when the bottom line is you can't.  It is ironic that the security companies that hooked have been shown to open security bugs.


    Don Burn Windows Filesystem and Driver Consulting Website: http://www.windrvr.com Blog: http://msmvps.com/blogs/WinDrvr

    Tuesday, June 25, 2013 4:25 PM
  • You are talking about user space hooking.  This is a kernel forum; don't confuse people by implying they can do hooking in the kernel when the bottom line is you can't.  It is ironic that the security companies that hooked have been shown to open security bugs.


    Don Burn Windows Filesystem and Driver Consulting Website: http://www.windrvr.com Blog: http://msmvps.com/blogs/WinDrvr

    Oh OK, I am sorry :)

    BTW, I just wanted to thank you personally for one of those messages above that made me dump the hooking :)

    Tuesday, June 25, 2013 4:28 PM
  • The crashing is simple: Driver A hooks the kernel call, storing the address of the call it found in the table for calling down to the real kernel function.  Then Driver B hooks, but instead of the address of the kernel function it of course picks up Driver A's replacement.  Then Driver A removes its hooks, and the system crashes the next time Driver B tries to call down.


    Don Burn Windows Filesystem and Driver Consulting Website: http://www.windrvr.com Blog: http://msmvps.com/blogs/WinDrvr

    Tuesday, June 25, 2013 4:28 PM
  • The crashing is simple: Driver A hooks the kernel call, storing the address of the call it found in the table for calling down to the real kernel function.  Then Driver B hooks, but instead of the address of the kernel function it of course picks up Driver A's replacement.  Then Driver A removes its hooks, and the system crashes the next time Driver B tries to call down.


    Don Burn Windows Filesystem and Driver Consulting Website: http://www.windrvr.com Blog: http://msmvps.com/blogs/WinDrvr

    Driver A doesn't remove a hook.

    It redirects back to the real kernel function and removes the hook, so driver B will hook the real kernel function.


    • Edited by roma-mt-fdb Tuesday, June 25, 2013 4:31 PM grammar
    Tuesday, June 25, 2013 4:30 PM