Need some help with undocumented Windows system calls

Discussion in 'other security issues & news' started by Gullible Jones, Jul 29, 2013.

Thread Status:
Not open for further replies.
  1. Gullible Jones

    Gullible Jones Registered Member

    Joined:
    May 16, 2013
    Posts:
    1,459
    I'm starting on a project to write a very simple user-space execution blocker, kind of like a stripped down version of SRP. I'm mostly doing this for learning/personal use/comedic value. The idea is to block system calls that could be used to launch a foreign process, or to modify another existing process, e.g. CreateRemoteThread().

    (This being EXE blocking, and from userspace at that, the usual warnings about advanced malware obviously apply.)

    Anyway, the problem I've run into is that there are a ton of undocumented functions that are exported to userspace - NtCreateProcess() and its friends, and probably many more. For my blocker to be remotely useful in practice, these will have to be covered.

    Does there exist any unofficial guide to the undocumented side of Windows?

    Failing that, where can I find the relevant header files, and where in them should I look for the relevant functions?
  2. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,148
    Welcome to the wonderful world of Windows. No clue if something like that exists, unfortunately. Haven't touched it myself.

    If you find out, let me know.
  3. Gullible Jones

    Gullible Jones Registered Member

    Joined:
    May 16, 2013
    Posts:
    1,459
    Ah darn, I figured you might know.

    Off to do more research then...

    Edit: one way to do this apparently (that doesn't involve assembly language) is to use Dependency Walker on ntdll.dll. No documentation that way though, hope the names are obvious... I'll set up Vista and see what's what I guess.
    Last edited: Jul 29, 2013
  4. ronjor

    ronjor Global Moderator

    Joined:
    Jul 21, 2003
    Posts:
    57,719
    Location:
    Texas
  5. Gullible Jones

    Gullible Jones Registered Member

    Joined:
    May 16, 2013
    Posts:
    1,459
    Thank you Ronjor. Also, in case anyone is interested, here is a link I just found to Mark Russinovich's guide to the Native API:

    http://netcode.cz/img/83/nativeapi.html

    Not sure if that's complete but it looks pretty good!

    Edit: wow, nowhere near complete. Dependency Walker lists 1902 functions.

    BTW is there a way to search functions by name in Dependency Walker?
    Last edited: Jul 29, 2013
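The approach described in this thread (walk ntdll.dll's export table, then pick out the Nt* functions that can create or tamper with another process) can be done without Dependency Walker, and that also answers the "search by name" question. The script below is an added example, not code posted by anyone in the thread. It parses the export directory straight from the PE headers using only the Python standard library; the only assumptions are a tiny constructed PE32+ image (build_minimal_pe) that stands in for ntdll.dll so the script runs offline on any OS, and the WATCHLIST pattern, which is an illustrative starting list rather than a complete one. On a Windows box you would pass the path to C:\Windows\System32\ntdll.dll instead.

```python
"""Enumerate a DLL's exported names from its PE export table and filter them.

Added example for this forum thread, not code from the original posts.
Standard library only; offsets follow the documented PE/COFF layout.
"""
import re
import struct
import sys

IMAGE_DIRECTORY_ENTRY_EXPORT = 0
PE32_MAGIC, PE32PLUS_MAGIC = 0x10B, 0x20B

# Export names that can start a foreign process or reach into another one.
# Assumption: an illustrative starting list for an audit, not a complete one.
WATCHLIST = re.compile(
    r"^Nt(Create(Process|ProcessEx|UserProcess|Thread|ThreadEx)"
    r"|Open(Process|Thread)"
    r"|(Write|Allocate|Protect)VirtualMemory)$"
)


def _rva_to_offset(rva, sections):
    """Translate an RVA to a file offset via the section table."""
    for va, vsize, raw_ptr, raw_size in sections:
        if va <= rva < va + max(vsize, raw_size):
            return raw_ptr + (rva - va)
    raise ValueError("RVA 0x%x is outside every section" % rva)


def _cstring(data, off):
    """Read a NUL-terminated ASCII string at a file offset."""
    return data[off:data.index(b"\0", off)].decode("ascii")


def list_exports(data):
    """Return the exported names of a PE image, in export-table order."""
    if data[:2] != b"MZ":
        raise ValueError("not a DOS/PE image")
    pe = struct.unpack_from("<I", data, 0x3C)[0]           # e_lfanew
    if data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    nsections = struct.unpack_from("<H", data, pe + 6)[0]
    opt_size = struct.unpack_from("<H", data, pe + 20)[0]
    opt = pe + 24                                          # optional header
    magic = struct.unpack_from("<H", data, opt)[0]
    dir_base = opt + (112 if magic == PE32PLUS_MAGIC else 96)
    exp_rva = struct.unpack_from("<I", data, dir_base + 8 * IMAGE_DIRECTORY_ENTRY_EXPORT)[0]
    if exp_rva == 0:
        return []                                          # nothing exported
    sections = []
    sect_off = opt + opt_size
    for i in range(nsections):
        vsize, va, raw_size, raw_ptr = struct.unpack_from("<IIII", data, sect_off + 40 * i + 8)
        sections.append((va, vsize, raw_ptr, raw_size))
    ed = _rva_to_offset(exp_rva, sections)
    # IMAGE_EXPORT_DIRECTORY: only NumberOfNames and AddressOfNames matter here
    n_names = struct.unpack_from("<I", data, ed + 24)[0]
    names_off = _rva_to_offset(struct.unpack_from("<I", data, ed + 32)[0], sections)
    return [_cstring(data, _rva_to_offset(struct.unpack_from("<I", data, names_off + 4 * i)[0], sections))
            for i in range(n_names)]


def watchlist(names, pattern=WATCHLIST):
    """The subset of exported names a blocker would have to cover."""
    return sorted(n for n in names if pattern.match(n))


def build_minimal_pe(dll_name, names):
    """Construct a tiny PE32+ image whose only content is an export table (test stand-in)."""
    sect_va, sect_file, n = 0x1000, 0x200, len(names)
    funcs_rva = sect_va + 40                   # arrays follow the 40-byte directory
    names_rva = funcs_rva + 4 * n
    ords_rva = names_rva + 4 * n
    str_rva = ords_rva + 2 * n
    strings, name_rvas = dll_name.encode() + b"\0", []
    for nm in names:
        name_rvas.append(str_rva + len(strings))
        strings += nm.encode() + b"\0"
    body = struct.pack("<IIHHIIIIIII", 0, 0, 0, 0, str_rva, 1, n, n, funcs_rva, names_rva, ords_rva)
    body += b"".join(struct.pack("<I", 0x2000 + 0x10 * i) for i in range(n))  # placeholder code RVAs
    body += b"".join(struct.pack("<I", r) for r in name_rvas)
    body += b"".join(struct.pack("<H", i) for i in range(n))
    body += strings
    body += b"\0" * (-len(body) % 0x200)       # pad to file alignment
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)
    coff = struct.pack("<HHIIIHH", 0x8664, 1, 0, 0, 0, 0xF0, 0x2022)
    opt = struct.pack("<H", PE32PLUS_MAGIC) + b"\0" * 110
    dirs = struct.pack("<II", sect_va, len(body)) + b"\0" * (8 * 15)
    sect = b".edata\0\0" + struct.pack("<IIIIIIHHI", len(body), sect_va, len(body), sect_file, 0, 0, 0, 0, 0x40000040)
    hdr = dos + b"PE\0\0" + coff + opt + dirs + sect
    return hdr + b"\0" * (sect_file - len(hdr)) + body


# Constructed sample export list standing in for the real ntdll.dll.
SAMPLE_NAMES = ["NtClose", "NtCreateProcess", "NtCreateThreadEx", "NtOpenProcess",
                "NtQueryInformationProcess", "NtWriteVirtualMemory", "RtlInitUnicodeString"]

if __name__ == "__main__":
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_minimal_pe("ntdll.dll", SAMPLE_NAMES)
    names = list_exports(data)
    print("%d exports, %d on the watchlist:" % (len(names), len(watchlist(names))))
    print("\n".join(watchlist(names)))
```

Run it with a path to ntdll.dll to get the real count (the "1902 functions" figure mentioned above) and the filtered list; run it with no arguments to see it work on the constructed image. Note that the export name table is only the documented-or-not *names*; a function exported by ordinal alone would not show up here, which is one more reason an enumeration like this is an audit aid rather than a guarantee of coverage.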
  6. stapp

    stapp Global Moderator

    Joined:
    Jan 12, 2006
    Posts:
    7,267
    Location:
    England
  7. Gullible Jones

    Gullible Jones Registered Member

    Joined:
    May 16, 2013
    Posts:
    1,459
    Hmm. Just realized that the "don't let the browser execute anything" approach wouldn't work too well against current ITW malware droppers, which typically use Java. Browser loads Java plugin DLL, JVM executes the nasty -> EXE blocking measures are bypassed (unless you disallow the JVM from executing binaries).

    I will probably keep working on this anyway, but keep in mind that the finished product will be more a toy than a tool. Meanwhile I will also look into better methods.

    Edit: the more I look into this, the more it looks flat-out irresponsible to use user-mode hooking for security purposes, disclaimer or no disclaimer. Not sure I should continue with this project.
    Last edited: Jul 30, 2013