WinNinja
Description:
RtlSetProcessIsCritical is an undocumented API that was added in Windows XP. It is a light wrapper around NtSetInformationProcess with the ProcessBreakOnTermination information class. When this flag is enabled on a process, a bugcheck is raised when the process is terminated. It is used by system processes (for example CSRSS); however, with the right privileges, we can use it too.
To use the API you will need the debug privilege (SeDebugPrivilege), which of course requires your application to be running as Administrator. To ease the testing/implementation process of this code I have provided sample code to request the privilege.
The API is defined as follows (parameter names, parameter types, and the return type are of course educated guesses as no documentation and no symbolic information is available):
NTSTATUS RtlSetProcessIsCritical(BOOLEAN NewValue, PBOOLEAN OldValue OPTIONAL, BOOLEAN NeedBreaks);
NewValue = The new value to set for the ProcessBreakOnTermination flag.
OldValue = The old value of the ProcessBreakOnTermination flag.
NeedBreaks = If this is set, the API will only enable the ProcessBreakOnTermination flag if the 'Enable system critical breaks' flag is also enabled for the process.
I'm sure you've noticed by now that this API does not allow you to choose the process that the code is run on. Because I needed to use this API on an arbitrary process, I reverse engineered it, rewrote it in C, and extended it to support arbitrary processes.
One minor thing I haven't fixed yet is the system critical breaks check. If you use this custom implementation on an arbitrary process, the NeedBreaks parameter is ignored. It's an easy fix, I just haven't done it yet because I have no need for that particular parameter and I'm lazy. It's on my todo list however, so when I do get around to it I'll post an update here.
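As an added defender-side example (not code from the original post or from WinNinja), the following PowerShell script enumerates running processes and reports which ones currently have the ProcessBreakOnTermination flag set, by querying NtQueryInformationProcess with the same information class that RtlSetProcessIsCritical sets. It assumes an elevated session on Windows; the P/Invoke wrapper class name NtProc is a name chosen here, and processes that cannot be opened (protected processes, or any process when not elevated) are reported as 'unreadable'.

```powershell
# Added example: list processes whose ProcessBreakOnTermination flag is set.
# NtProc is a helper class defined here for the example; it is not part of WinNinja.
$src = @"
using System;
using System.Runtime.InteropServices;
public static class NtProc {
    [DllImport("ntdll.dll")]
    public static extern int NtQueryInformationProcess(IntPtr h, int cls, out uint info, int len, out int retLen);
    [DllImport("kernel32.dll", SetLastError = true)]
    public static extern IntPtr OpenProcess(uint access, bool inherit, int pid);
    [DllImport("kernel32.dll")]
    public static extern bool CloseHandle(IntPtr h);
}
"@
Add-Type -TypeDefinition $src

$ProcessBreakOnTermination = 29      # PROCESSINFOCLASS value behind RtlSetProcessIsCritical
$PROCESS_QUERY_INFORMATION = 0x0400  # access right needed to query this class

function Get-CriticalProcess {
    foreach ($p in Get-Process) {
        $h = [NtProc]::OpenProcess($PROCESS_QUERY_INFORMATION, $false, $p.Id)
        if ($h -eq [IntPtr]::Zero) {
            # Protected process, or insufficient privilege: cannot tell either way.
            [pscustomobject]@{ Pid = $p.Id; Name = $p.ProcessName; Critical = 'unreadable' }
            continue
        }
        try {
            [uint32]$flag = 0
            [int]$ret = 0
            $status = [NtProc]::NtQueryInformationProcess($h, $ProcessBreakOnTermination, [ref]$flag, 4, [ref]$ret)
            $state = if ($status -ne 0) { 'error 0x{0:X8}' -f $status } elseif ($flag -ne 0) { $true } else { $false }
            [pscustomobject]@{ Pid = $p.Id; Name = $p.ProcessName; Critical = $state }
        } finally {
            [void][NtProc]::CloseHandle($h)
        }
    }
}

# Show only processes that are critical or could not be inspected.
Get-CriticalProcess | Where-Object { $_.Critical -ne $false } | Format-Table -AutoSize
```

On a clean system the critical set is normally limited to core system processes such as csrss, smss, wininit and services; an unexpected user-mode process in that list is worth investigating before anything tries to terminate it.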
In case anyone is interested, here is the implementation of the function (in IA32 ASM) as it appears on my machine under a 32-bit process. I'm running Windows 7 x64.
Notes:
- The code snippets are 'incomplete' in the sense that they are pulled from a larger library and hence have minor dependencies on internal libraries I use (such as the EnsureCleanup libraries). Also, the custom structures, enumerations, and API importing code are not provided. None of this should be hard to fix up though.
- My implementation is based on the implementation of the API on Windows 7 x86. It appears to work on both x86 and x64 machines (with both native x86 and x64 implementations/processes), on Windows versions XP and above. However, I give no guarantees as to OS compatibility.
As always, comments and constructive criticisms are appreciated.
This may not appear elsewhere without permission, but may be linked to.
Releases:
1 comment:
What do you use this for? To make the rootkit unloadable?