NT kernel programming
I would like to know where to get started, or how possible it is to hook into, or patch the Windows kernel (XP and up). I am specifically interested in software like McAfee Entercept, or certain antivirus scanners that patch the kernel. I would like to know how feasible it is for a startup to create software that adds functionality to the kernel (I am aware of KPP, and that it can possibly be bypassed), and any ramifications of doing this. I was unable to find a simple description, and only have limited experience with Win32. Any help is much appreciated,
J
Further clarification: I am not after a driver as such, and would be interested in whether it is technically possible to port something like PaX to Windows, for example. It is a bad example as Windows already has an implementation, but I am interested in whether similar technologies could be ported without having access to the NT source.
Comments (4)
The Microsoft Detours library allows you to intercept API calls from processes, and insert or replace your own code.
Note that successfully doing this sort of thing will likely require somewhat more than limited Win32 experience. As you can imagine, this can be a very complex topic.
Driver development is not an easy task at all. Anti-virus software requires dealing with the file system (file system filter driver), which makes life more complex. It would be useful if you tried to describe in more detail what you are trying to achieve.
The most recommended resource for driver development is OSR. There are 2 related mailing lists:
Book list can be found here.
Unless the driver is your core business (in this case find a person with kernel experience) I would strongly suggest outsourcing this work. On the lists above you can find plenty of consultants.
Windows source basically can't be accessed :) unfortunately. To play with the virtual memory manager you must be in kernel mode, if this is possible at all.
Try asking this question on ntdev; you will be asking most of the kernel developers in the world. You will need to ask a more concrete question to get a reasonable answer (I will watch the thread, interesting topic).
If I understand correctly what you want to do, this is impossible on Windows. At least not without major reverse engineering work, but I mostly work with standard types of drivers, so I think I don't know enough to make a final conclusion.
Response to comment:
I'm not sure what exactly Entercept is doing (I did not find anything in the product description suggesting they play with memory or process permissions).
So defining the final goal rather than the specific technology for how to achieve it might be a more productive way.
Response to comment 2:
1.1. What is LIDS?
LIDS is an enhancement for the Linux kernel written by Xie Huagang and Philippe Biondi. It implements several security features that are not in the Linux kernel natively.
Some of these include:
1. Mandatory access controls (MAC) - Don't know what this really means.
2. Port scan detector - This is definitely doable, look on this site.
3. File protection - File system filter driver, explained above.
4. Process protection - You can hook process creation in your driver; look in the ntdev archives, there is a lot of discussion about this.
You talk about patching the kernel without providing a sensible explanation of why you want to do this and why you think the official API will not get you where you want to get. As a consequence, we have to assume you are planning to write some kind of malware -- do not expect anybody on stackoverflow to help you with this!
Yes, it's very possible to hook into the kernel. I strongly suggest the books Windows Internals and Rootkits.
These should give you all of the information you need.