Sunday, September 27, 2015

KPROCESS - InstrumentationCallback - Get callbacks on return from kernel mode

Long time no see everybody!

I was pointed at a really interesting article this week and thought I'd share.

It turns out that on Windows Vista x64 and later you can ask the kernel to invoke a callback on the transition out of kernel mode. KPROCESS has a field called InstrumentationCallback, which you can set by calling NtSetInformationProcess with a ProcessInfoClass of 0x28 and an InputBuffer that contains the pointer to your callback.

Advantages:

  • User mode only, no driver or kernel debugger required
  • Affects the entire process (including injected threads)

Disadvantages:

  • Windows x64 only
  • Apparently doesn't work on WOW64 (though maybe some jiggery-pokery could get it done)
  • Requires Dr7 to be set in most cases, so it's not great at catching malicious actors

The original article is "Windows x64 system service hooks and advanced debugging"; check out the author's blog at http://everdox.blogspot.com/ for other interesting RE posts.