Comments on: You Won’t Learn This in School: Disabling Kernel Functions in Your Process

By: Chad Austin

Chad Austin — Wed, 02 Sep 2009 20:34:03 +0000

Hm, I’m referring to hooking IATs before libraries are loaded. We use a library called “APIHook” to patch up IATs at application start, but we load Flash and Direct3D dynamically. After loading d3d.dll or flash10b.ocx, we’d have to remember to modify their IATs too.

Or maybe my terminology is screwed up and we’re talking about different things?

By: Paul Betts

Paul Betts — Wed, 02 Sep 2009 20:21:37 +0000

@Chad No you don’t – LL will not overwrite your change once the library is loaded, it’ll just increment the refcount on the DLL. Once you rig the IAT, it’ll stay rigged. This is the main mechanism as to how AppCompat shims work

By: Chad Austin

Chad Austin — Wed, 02 Sep 2009 18:10:04 +0000

Hi Paul,

I agree, and we patch the IAT for a ton of other functions (including HeapAlloc and some of the mm APIs for our Flash integration) but you have to remember to patch the IAT after you LoadLibrary every dynamic component.

If you modify the function directly, the change will persist for all dynamically-loaded libraries.

Cheers,
Chad

By: Paul Betts

Paul Betts — Wed, 02 Sep 2009 16:55:18 +0000

This trick works, but it’s actually better to patch the IAT (http://sandsprite.com/CodeStuff/Understanding_imports.html) instead of actually editing the code to SetUnhandledExceptionFilter.

By: Duong

Duong — Mon, 20 Apr 2009 10:08:30 +0000

It works with 3rd party dlls, but doesn’t work with MS CRT dlls (I tested with msvcr71d.dll). When a function in msvcr71d.dll generates an exception, Windows error report still displays.
This code snippet will generate an exception in msvcr71d.dll:
char * str1=”";
char str2[20];
strncpy(str2, str1,strlen(str1)-10);

By: Chad Austin

Chad Austin — Fri, 10 Apr 2009 19:53:44 +0000

Yeah, it works on Vista too. There are lots of programs that depend on techniques like that, so I can’t imagine it would go away anytime soon.

This is not a security violation or anything. It just affects the user-mode portion of system API calls in your process.

By: tb

tb — Fri, 10 Apr 2009 19:39:14 +0000

But does that technique work on the latest versions of Windows (Vista, Server 2008, Win7)??
I thought for sure they had updated that functionality to prevent that sort of thing (unless you’re in the .NET runtime or something). I’m not sure that code-signing would be very effective against it, but isn’t there a way for a DLL to force read-only loading? or for the OS to monitor for that sort of behavior on DLLs that it knows are critical for the OS? I thought that was the whole reason why Vista was dog-slow.

The next edition of Windows Internals won’t be available until May, so I don’t have a text reference to look, and my searches online are turning up bupkis.
…I guess I’ll just have to try it myself when I get home.

By: Chad Austin

Chad Austin — Fri, 10 Apr 2009 16:51:12 +0000

On Win9x, kernel DLLs (and maybe all DLLs?) are mapped into the process read-only, so this technique wouldn’t work. On NT, DLLs are mapped copy-on-write, so this modification makes a private copy of that page in your process. Thus, whenever your process calls SetUnhandledExceptionFilter, it will run the modified code, not the original.

By: tb

tb — Fri, 10 Apr 2009 14:31:33 +0000

How does the OS let you get away with this? I would think that this kind of behavior would have been prohibited by the same class of security measures implemented with DEP (though, DEP clearly doesn’t apply in this case). I could have sworn I read something about how later versions of Windows don’t allow a process to write into the executable space of a loaded module, but I can’t find the references…

By: Chris

Chris — Wed, 01 Apr 2009 20:11:58 +0000

Actually, yeah, that’s really obvious. But I’ll pass on working at IMVU ;)