From: KJK::Hyperion [noog@libero.it]
Sent: Tuesday, April 02, 2002 10:45 AM
To: NT Developers Interest List
Subject: [ntdev] Re: Embedding a user mode program in the driver

At 10.45 24/03/2002, you wrote:
> > For what? To write a trojan? :-)
> Yup... it's the final stage of my final year project... my final year
> project is about spyware implementation, detection and removal...
> > Surely HTTP is possible to implement in the driver, but prepare to have
> > difficult times with TDI or purchase one of the kernel mode
> > socket libraries on the market.
> Are there any easier solutions?

Create a thread in the System special process (I don't remember what function does this), and execute the program by loading it with ZwOpenFile + ZwCreateSection (or with ZwOpenFile + ZwAllocateVirtualMemory + ZwReadFile to copy it completely into memory: it won't appear in the global module list, and the disk file will be deletable: even more stealth :-) and jumping to its entry point (you get the address with ZwQuerySection, or by directly overlaying the PE format structures on the memory image if you use the "stealth loading"), kind of like the Unix exec() system call.

Be warned, though:

- only a device driver can start a system thread. And a device driver *will* have an entry in the global module list (not that it's likely that any normal human being will be able to find out :-)

- you will have to manually relocate the image to whatever address you actually load it at, if you use the stealth loading. And remember that the process image must be loaded at an address below 2 GB (I don't know if this restriction applies to the System process, but it's better not to risk it), so set the ZwAllocateVirtualMemory address mask accordingly

- you will have to manually resolve DLL dependencies in any case (I suggest you use only functions from NTDLL in your program, if possible - all the TCP stuff will have to be done with I/O calls, it won't be easy), and believe me, it's a pain. At least the most common DLLs will already be loaded as named image sections; you will find them in the object directory \KnownDlls

- personal firewalls will catch your attempt anyway (System, after all, is a process like any other), provided that you don't rewrite the network stack (as personal firewalls hook only the default packet driver, not the actual network device - after all, this is what they're meant to do). I know because I verified personally that AtGuard and ZoneAlarm do. This doesn't mean that the user will have a clue about what the connection attempt means :-)

You will find a complete (almost - it doesn't do debug symbols yet) and working implementation of an NT-based user mode PE loader, and some other stuff that can help you, including a(n almost) working NT-compatible kernel, a fairly complete Win32-on-NT implementation and a preliminary POSIX-on-NT implementation, in the ReactOS source code:

(the code is under the GPL license, so if you use it in your app, you must re-release it under the same license)

---
You are currently subscribed to ntdev as: GlennEverhart@FirstUSA.com
To unsubscribe send a blank email to leave-ntdev-247T@lists.osr.com
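The base-relocation step from the second warning in the message above (an image copied into memory with ZwReadFile rather than mapped as a section lands at an arbitrary address, so the loader must apply the .reloc fixups itself) carried out in plain C, as an added example that is neither part of the original message nor taken from ReactOS. It declares the PE relocation block layout itself so it builds without <windows.h>, handles only the 32-bit HIGHLOW fixup type that applied to the NT systems of the time, rejects truncated or out-of-range blocks instead of patching past the image, and adds a check against the "below 2 GB" constraint the message mentions, assuming the default 32-bit NT user/kernel split. The 12 KiB sample image, its two absolute pointers and the names apply_relocations, user_space_base_ok and the SAMPLE_* constants are constructed here for illustration and are not from the page.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* PE base-relocation definitions, spelled out so this builds on any C compiler. */
#define IMAGE_REL_BASED_ABSOLUTE 0   /* padding entry, no fixup */
#define IMAGE_REL_BASED_HIGHLOW  3   /* add 32-bit delta to a 32-bit absolute address */

/* Constructed sample image (not a real PE): linked for SAMPLE_PREF_BASE, with two
 * absolute pointers at RVA 0x2000 and 0x2010 and one .reloc block at RVA 0x2800. */
#define SAMPLE_IMAGE_SIZE 0x3000
#define SAMPLE_PREF_BASE  0x00400000u
#define SAMPLE_RELOC_RVA  0x2800u
#define SAMPLE_RELOC_SIZE 16u

static uint32_t get_le32(const uint8_t *p) {
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}
static uint16_t get_le16(const uint8_t *p) { return (uint16_t)(p[0] | p[1] << 8); }
static void put_le32(uint8_t *p, uint32_t v) {
    p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); p[2] = (uint8_t)(v >> 16); p[3] = (uint8_t)(v >> 24);
}
static void put_le16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); }

/* Default 32-bit NT split: user-mode images must fit entirely below 0x80000000. */
int user_space_base_ok(uint32_t base, uint32_t size) {
    return (uint64_t)base + size <= 0x80000000ull;
}

/* Walk the .reloc directory (reloc_rva/reloc_size, as the data directory would give
 * them) of an image copied to `image` and add (actual_base - preferred_base) to every
 * HIGHLOW target. Returns the number of fixups applied, or -1 on a malformed block,
 * an entry outside the image, or a fixup type this 32-bit-only example doesn't know. */
int apply_relocations(uint8_t *image, size_t image_size,
                      uint32_t reloc_rva, uint32_t reloc_size,
                      uint32_t preferred_base, uint32_t actual_base)
{
    uint32_t delta = actual_base - preferred_base;   /* mod 2^32, like the real loader */
    uint32_t off = 0;
    int applied = 0;

    if (actual_base == preferred_base) return 0;     /* loaded at link base: nothing to do */
    if ((uint64_t)reloc_rva + reloc_size > image_size) return -1;

    while (off < reloc_size) {
        const uint8_t *blk = image + reloc_rva + off;
        uint32_t page_rva, size_of_block, nentries, i;
        if (reloc_size - off < 8) return -1;          /* no room for a block header */
        page_rva      = get_le32(blk);                /* IMAGE_BASE_RELOCATION.VirtualAddress */
        size_of_block = get_le32(blk + 4);            /* IMAGE_BASE_RELOCATION.SizeOfBlock */
        if (size_of_block < 8 || size_of_block > reloc_size - off) return -1;
        nentries = (size_of_block - 8) / 2;           /* 16-bit entries follow the header */
        for (i = 0; i < nentries; i++) {
            uint16_t e = get_le16(blk + 8 + 2 * i);
            uint32_t type = e >> 12, target = page_rva + (e & 0xFFF);
            if (type == IMAGE_REL_BASED_ABSOLUTE) continue;
            if (type != IMAGE_REL_BASED_HIGHLOW) return -1;
            if ((uint64_t)target + 4 > image_size) return -1;   /* never patch past the image */
            put_le32(image + target, get_le32(image + target) + delta);
            applied++;
        }
        off += size_of_block;
    }
    return applied;
}

/* Build the constructed sample image in `img` (SAMPLE_IMAGE_SIZE bytes). */
void build_sample_image(uint8_t *img) {
    uint8_t *blk = img + SAMPLE_RELOC_RVA;
    memset(img, 0, SAMPLE_IMAGE_SIZE);
    put_le32(img + 0x2000, SAMPLE_PREF_BASE + 0x1000);   /* pointer into "code" at RVA 0x1000 */
    put_le32(img + 0x2010, SAMPLE_PREF_BASE + 0x2004);   /* pointer into "data" at RVA 0x2004 */
    put_le32(blk, 0x2000);                               /* page RVA covered by this block */
    put_le32(blk + 4, SAMPLE_RELOC_SIZE);                /* header + four 16-bit entries */
    put_le16(blk + 8,  (IMAGE_REL_BASED_HIGHLOW << 12) | 0x000);
    put_le16(blk + 10, (IMAGE_REL_BASED_HIGHLOW << 12) | 0x010);
    put_le16(blk + 12, 0);                               /* ABSOLUTE padding entries */
    put_le16(blk + 14, 0);
}

/* Relocate a fresh sample to new_base using `reloc_size` bytes of .reloc data. */
int sample_fixup_count(uint32_t new_base, uint32_t reloc_size) {
    uint8_t img[SAMPLE_IMAGE_SIZE];
    build_sample_image(img);
    return apply_relocations(img, sizeof img, SAMPLE_RELOC_RVA, reloc_size, SAMPLE_PREF_BASE, new_base);
}

/* Relocate a fresh sample to new_base and return the pointer stored at RVA 0x2000. */
uint32_t sample_pointer_after(uint32_t new_base) {
    uint8_t img[SAMPLE_IMAGE_SIZE];
    build_sample_image(img);
    apply_relocations(img, sizeof img, SAMPLE_RELOC_RVA, SAMPLE_RELOC_SIZE, SAMPLE_PREF_BASE, new_base);
    return get_le32(img + 0x2000);
}

int main(void) {
    uint32_t base = 0x10000000u;
    printf("base %08x fits below 2 GB: %d\n", base, user_space_base_ok(base, SAMPLE_IMAGE_SIZE));
    printf("fixups applied: %d, pointer at RVA 0x2000 is now %08x\n",
           sample_fixup_count(base, SAMPLE_RELOC_SIZE), sample_pointer_after(base));
    printf("truncated .reloc directory: %d\n", sample_fixup_count(base, 12));
    return 0;
}
```

The bounds checks are the part worth copying: a loader that trusts SizeOfBlock or the entry offset from a file it just read into memory is patching wherever that file tells it to, which is exactly the situation the message's "stealth loading" puts you in. A 64-bit image would use the DIR64 fixup type and 64-bit deltas, which this example deliberately rejects.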