Topic: NtGetNextProcess, NtGetNextThread

wj32 (Process Hacker)
NtGetNextProcess, NtGetNextThread
« on: May 15, 2009, 04:31:44 AM »
I think it's about time D+ hooked NtGetNextProcess and NtGetNextThread (Vista+). These two system calls can completely bypass D+'s process handle protection. I've already emailed Matousec about it and unfortunately they cannot test it in SSTS because it is not compatible with Vista. When they do get SSTS on Vista though, it would be a disadvantage for CIS to start getting 50% instead of 100% for all the tests just because SSTS was able to obtain handles to CIS processes!

I couldn't make a test program for this though because even if you do get handles to CIS processes it is very difficult to terminate them.

Here are their definitions if anyone's unsure:

Code:
NTSTATUS NTAPI NtGetNextProcess(
    HANDLE ProcessHandle,
    ACCESS_MASK DesiredAccess,
    ULONG HandleAttributes,
    ULONG Flags,
    PHANDLE NewProcessHandle
    );

NTSTATUS NTAPI NtGetNextThread(
    HANDLE ProcessHandle,
    HANDLE ThreadHandle,
    ACCESS_MASK DesiredAccess,
    ULONG HandleAttributes,
    ULONG Flags,
    PHANDLE NewThreadHandle
    );
MCTS: Windows Internals
Process Hacker, a free and open source process viewer.

Ronny (Global Moderator)
Re: NtGetNextProcess, NtGetNextThread
« Reply #1 on: May 15, 2009, 10:36:47 AM »
The "bad" process has to be started first to make use of those hooks, correct?
How much do you need to allow before the process could make those calls?
Retired - Volunteer Moderator
Any concerns? Please send me a PM or review the Forum Policy -  update Jan 3rd 2013!

wj32 (Process Hacker)
Re: NtGetNextProcess, NtGetNextThread
« Reply #2 on: May 15, 2009, 08:09:06 PM »
> The "bad" process has to be started first to make use of those hooks, correct?
> How much do you need to allow before the process could make those calls?

That's like saying SSTS is not valid simply because you have to allow the execution of the leaktest programs.

Ronny (Global Moderator)
Re: NtGetNextProcess, NtGetNextThread
« Reply #3 on: May 16, 2009, 04:35:46 AM »
> That's like saying SSTS is not valid simply because you have to allow the execution of the leaktest programs.

No, no, I was just wondering how and where this would kick in... I'm in no way saying that SSTS is not valid...

wj32 (Process Hacker)
Re: NtGetNextProcess, NtGetNextThread
« Reply #4 on: May 16, 2009, 08:29:55 AM »
> No, no, I was just wondering how and where this would kick in... I'm in no way saying that SSTS is not valid...

That was just an analogy :). As you'll see if you search Google, almost no one knows about these two system calls, so I doubt malware authors would use them.