tandasat / RemoteWriteMonitor

A tool to help malware analysts tell that the sample is injecting code into other processes.

Ring3 Communication #1

Open halsten opened 9 years ago

halsten commented 9 years ago

Would be nice to have the ability to connect to it from a user-land app in order to have some sort of automation in the case of malware analysis as opposed to the infamous DbgPrint. Just an addition, but very handy indeed.

tandasat commented 9 years ago

Thank you for checking this tool and giving comments.

Since the tool was written to satisfy just my purpose, it has very limited intelligence in it currently, and I do not have any specific ideas to extend its functionality in the way you suggested (I sometimes feel that I may want to trigger some code at the time of detections, but that was not really necessary for my usage).

Because I do not have any solid ideas on it, I would be very glad to hear any concrete requests and suggestions that could make the tool more convenient for more users based on your realistic demands.

Thanks,

halsten commented 9 years ago

Well...for someone to use it properly he/she needs to probably want to be able to communicate with the driver to get results based on the events fired in case of injection detection. This seems to be a realistic request or a purpose, since outputting the results in DbgPrint is merely for debugging purposes and doesn't really give a nice tool like this much purpose, sorry.

Any driver should have the ability to communicate with a Ring-3 app in order to transfer data/results and so on. I think if people wanna use the tool or even automate it with their own, a simple communication would be sufficient. It's not much of a request honestly, just like in legacy drivers when one handles IRP_MJ_DEVICE_CONTROL; the same goes for mini-filters, either using KTM or the regular Flt*(Send/Receive) API.

halsten commented 9 years ago

I can definitely use it, but can't make much of the output from DebugView since I can't automate such output for my own needs. I hope I have explained my point properly.

tandasat commented 9 years ago

Thank you for explaining the idea. I see your points.

As a quick hack, what I have done is polling and parsing a log file (C:\Windows\RemoteWriteMonitor\RemoteWriteMonitor.log), and then doing my own work with scripts. That could probably satisfy your needs, although it may be neither very powerful nor flexible.

Probably, exposing a synchronization object (such as an event) from the driver and allowing a client to wait for the driver to signal it at the occurrence of an injection, and then to pull the hash value via IOCTL, could be a possible interface for communication between Ring 3 and Ring 0, though I doubt that many users want to program for this tool as I do not see any popularity of this tool ;)
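
The "quick hack" described above, written out as an added example (this is not code from the RemoteWriteMonitor project or from either participant). It polls the log file path quoted in the comment, hands only complete new lines to a parser, deduplicates repeated hits on the same target process and payload hash, and starts over if the file is truncated or rotated. The log line format (`<time> PID=<src> -> PID=<dst> SHA1=<hex>`) is an assumption constructed for the example; adjust `LINE_RE` to whatever the real log writes.

```python
"""Poll-and-parse automation for a RemoteWriteMonitor-style log file.

Added example, not part of the original project or thread. The log path is
the one quoted in the thread; the line format is an assumption.
"""
import os
import re
import tempfile
import time
from dataclasses import dataclass

# Path quoted in the thread; the demo below uses a temp file instead.
DEFAULT_LOG = r"C:\Windows\RemoteWriteMonitor\RemoteWriteMonitor.log"

# Constructed format: "<time> PID=<src> -> PID=<dst> SHA1=<40 hex chars>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+PID=(?P<src>\d+)\s+->\s+PID=(?P<dst>\d+)"
    r"\s+SHA1=(?P<sha1>[0-9a-fA-F]{40})\s*$"
)


@dataclass(frozen=True)
class Injection:
    ts: str
    src_pid: int
    dst_pid: int
    sha1: str


def parse_line(line: str):
    """Return an Injection for a well-formed line, None for anything else."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return Injection(m["ts"], int(m["src"]), int(m["dst"]), m["sha1"].lower())


class LogPoller:
    """Incrementally reads a growing log file and yields new, unique events."""

    def __init__(self, path: str):
        self.path = path
        self.offset = 0          # bytes already consumed
        self.partial = b""       # tail of a line the writer has not finished
        self.seen = set()        # (dst_pid, sha1) pairs already reported

    def poll(self):
        events = []
        try:
            size = os.path.getsize(self.path)
        except FileNotFoundError:
            return events
        if size < self.offset:   # truncated or rotated: re-read from the start
            self.offset, self.partial = 0, b""
        with open(self.path, "rb") as f:
            f.seek(self.offset)
            data = f.read()
            self.offset = f.tell()
        lines = (self.partial + data).split(b"\n")
        self.partial = lines.pop()   # b"" when the chunk ended on a newline
        for raw in lines:
            ev = parse_line(raw.rstrip(b"\r").decode("utf-8", "replace"))
            if ev is None:
                continue
            key = (ev.dst_pid, ev.sha1)
            if key in self.seen:
                continue
            self.seen.add(key)
            events.append(ev)
        return events


def watch(path: str, handler, interval: float = 1.0):
    """Run forever, calling handler(event) for each new injection record."""
    poller = LogPoller(path)
    while True:
        for ev in poller.poll():
            handler(ev)
        time.sleep(interval)


def demo():
    """Self-contained run on a constructed temp log; returns the poll batches."""
    fd, path = tempfile.mkstemp(suffix=".log")
    os.close(fd)
    batches = []
    try:
        poller = LogPoller(path)
        with open(path, "ab") as f:
            f.write(b"2016-01-01T10:00:00 PID=1234 -> PID=5678 SHA1=" + b"a" * 40 + b"\n")
            f.write(b"this line is not a detection record\n")
            f.write(b"2016-01-01T10:00:01 PID=1234 -> PID=5678 SHA1=" + b"a" * 40 + b"\n")
            f.write(b"2016-01-01T10:00:02 PID=1234 -> PID=9999 SHA1=")   # unfinished
        batches.append(poller.poll())            # one event; duplicate dropped
        with open(path, "ab") as f:
            f.write(b"b" * 40 + b"\n")           # writer completes the line
        batches.append(poller.poll())            # the deferred record appears
        with open(path, "wb") as f:              # log rotated / truncated
            f.write(b"2016-01-01T11:00:00 PID=42 -> PID=43 SHA1=" + b"c" * 40 + b"\n")
        batches.append(poller.poll())            # reset and read the new file
    finally:
        os.remove(path)
    return batches


if __name__ == "__main__":
    for i, batch in enumerate(demo()):
        print(f"poll {i}: {batch}")
```

For real use, call `watch(DEFAULT_LOG, my_handler)` from the analysis script; the deduplication key is deliberately (target PID, hash) so repeated writes of the same payload into one process do not re-trigger automation, while the same payload landing in a second process does.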

halsten commented 9 years ago

I can definitely have ways to pull the log, but I was talking out of complete comfort level. :)

Although you don't seem to have many people interested in those 2 tools, probably because driver development isn't very popular or easily grasped. Anyway, I will modify it for my own needs to work with it. Great tool again!

tandasat commented 9 years ago

I am glad to hear that at least one person is interested in the tools and may extend them on their own, as I published them to share concepts or ideas with security researchers like you in the first place.

halsten commented 9 years ago

Yeah, I found them very useful actually. Please keep up the efforts and good work. :)

tandasat commented 9 years ago

Re-opened. It should be kept as a record for the request. For now, no specific actions are planned, since similar work can be done using a log file and the author does not see a strong reason to provide the interface at a programming level.