NtGetNextProcess, NtGetNextThread

I think it’s about time D+ hooked NtGetNextProcess and NtGetNextThread (Vista+). These two system calls can completely bypass D+'s process handle protection. I’ve already emailed Matousec about it and unfortunately they cannot test it in SSTS because it is not compatible with Vista. When they do get SSTS on Vista though, it would be a disadvantage for CIS to start getting 50% instead of 100% for all the tests just because SSTS was able to obtain handles to CIS processes!

I couldn’t make a test program for this though because even if you do get handles to CIS processes it is very difficult to terminate them.

Here are their definitions if anyone’s unsure:

NTSTATUS NTAPI NtGetNextProcess(
    HANDLE ProcessHandle,
    ACCESS_MASK DesiredAccess,
    ULONG HandleAttributes,
    ULONG Flags,
    PHANDLE NewProcessHandle
    );

NTSTATUS NTAPI NtGetNextThread(
    HANDLE ProcessHandle,
    HANDLE ThreadHandle,
    ACCESS_MASK DesiredAccess,
    ULONG HandleAttributes,
    ULONG Flags,
    PHANDLE NewThreadHandle
    );

The “bad” process has to be started first to make use of those hooks, correct?
How much do you need to allow before the process could make those calls?

That’s like saying SSTS is not valid simply because you have to allow the execution of the leaktest programs.

No no, I was just wondering how and where this would kick in… I’m in no way saying that SSTS is not valid…

That was just an analogy :). As you’ll see if you search Google, almost no one knows about these two system calls, so I doubt malware authors would use them.