Ring3 Communication #1
Thank you for checking this tool and giving comments. Since the tool was written to satisfy just my purpose, it has very limited intelligence in it currently, and I do not have any specific ideas to extend its functionality in the way you suggested (I sometimes feel that I may want to trigger some code at the time of detections, but that was not really necessary for my usage). Because I do not have any solid ideas on it, I would be very glad to hear any concrete requests and suggestions that could make the tool more convenient for more users based on your realistic demands. Thanks,
Well... for someone to use it properly, he/she would probably want to be able to communicate with the driver to get results based on the events fired in case of injection detection. This seems to be a realistic request or purpose, since outputting the results via DbgPrint is merely for debugging and doesn't really give a nice tool like this much purpose, sorry. Any driver should have the ability to communicate with a Ring-3 app in order to transfer data/results and so on. I think if people want to use the tool or even automate it with their own code, a simple communication channel would be sufficient. It's not much of a request, honestly. Just like in legacy drivers where one handles IRP_MJ_DEVICE_CONTROL, the same goes for minifilters, either using KTM or the regular Flt*(Send/Receive) API.
I can definitely use it, but I can't make much of the output from DebugView since I can't automate such output for my own needs. I hope I have explained my point properly.
Thank you for explaining the idea. I see your points. As a quick hack, what I have done is polling and parsing a log file (C:\Windows\RemoteWriteMonitor\RemoteWriteMonitor.log), and then doing my own work with scripts. That could probably satisfy your needs, although it may be neither very powerful nor flexible. Probably, exposing a synchronization object (such as an event) from the driver and allowing a client to wait for the driver to signal it at the occurrence of an injection and to pull the hash value via IOCTL could be a possible interface for communication between Ring 3 and Ring 0, though I doubt that many users want to program for this tool, as I do not see any popularity of this tool ;)
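The log-polling hack described in the comment above, written out as an added example (this is not code from the RemoteWriteMonitor project or from either participant). It follows the log file named in the comment like `tail -f`, parses each new line into an event and hands it to a callback, which is the minimum a user-mode automation needs. What it assumes, because the thread does not state the log format: one detection per line, UTF-8/ASCII text, and the SHA1 of the written data appearing somewhere on the line as a 40-hex-digit token; the sample lines in `demo()` are constructed for the example and are not real tool output.

```python
"""Follow the RemoteWriteMonitor log and fire a handler per detection.

Added example for the log-polling approach discussed in this issue; not
code from the RemoteWriteMonitor project. Assumptions are marked below.
"""
import re
import tempfile
import time
from pathlib import Path
from typing import Callable, Dict, Iterator, List, Optional

# Default log location named in the discussion above.
LOG_PATH = Path(r"C:\Windows\RemoteWriteMonitor\RemoteWriteMonitor.log")

# ASSUMPTION: one detection per line, UTF-8/ASCII text, and the SHA1 of the
# written data present as a 40-hex-digit token. No other field layout is
# relied on, so the parser copes with whatever else the tool prints.
_SHA1_RE = re.compile(r"(?<![0-9a-fA-F])([0-9a-fA-F]{40})(?![0-9a-fA-F])")

Event = Dict[str, Optional[str]]


def parse_line(line: str) -> Event:
    """One raw log line -> {'raw': line, 'sha1': first 40-hex token or None}."""
    line = line.rstrip("\r\n")
    m = _SHA1_RE.search(line)
    return {"raw": line, "sha1": m.group(1).lower() if m else None}


def follow(path: Path, poll_interval: float = 0.5, from_start: bool = False,
           stop: Callable[[], bool] = lambda: False) -> Iterator[str]:
    """Yield complete lines appended to `path`, like `tail -f`.

    Starts at end-of-file unless from_start=True so a long-running watcher
    does not replay old detections; restarts from offset 0 if the file
    shrinks (truncated or recreated); returns once stop() is True.
    """
    pos = 0 if from_start else (path.stat().st_size if path.exists() else 0)
    buf = ""
    while not stop():
        if not path.exists():
            time.sleep(poll_interval)
            continue
        size = path.stat().st_size
        if size < pos:                      # truncated/rotated: start over
            pos, buf = 0, ""
        if size == pos:
            time.sleep(poll_interval)
            continue
        with path.open("rb") as f:          # binary: byte offsets stay exact
            f.seek(pos)
            chunk = f.read()
            pos = f.tell()
        buf += chunk.decode("utf-8", errors="replace")
        lines = buf.split("\n")
        buf = lines.pop()                   # hold back an unfinished line
        for ln in lines:
            if ln.strip():
                yield ln


def watch(path: Path, on_event: Callable[[Event], None],
          dedupe: bool = False, **follow_kwargs) -> int:
    """Parse each new line and call on_event; returns the number of events.

    dedupe=True skips a hash already seen, so an automation acts once per
    distinct written payload instead of once per write of the same bytes.
    """
    seen = set()
    count = 0
    for ln in follow(path, **follow_kwargs):
        ev = parse_line(ln)
        if dedupe and ev["sha1"] is not None:
            if ev["sha1"] in seen:
                continue
            seen.add(ev["sha1"])
        on_event(ev)
        count += 1
    return count


def demo() -> List[Event]:
    """Run the watcher over a CONSTRUCTED log in a temp directory.

    The lines are made up for this example and are not real tool output;
    they only exercise the contract parse_line() relies on.
    """
    with tempfile.TemporaryDirectory() as d:
        log = Path(d) / "RemoteWriteMonitor.log"
        log.write_bytes(
            b"2015-03-01 12:00:00 remote write detected pid=1234 "
            b"sha1=da39a3ee5e6b4b0d3255bfef95601890afd80709\r\n"
            b"2015-03-01 12:00:01 remote write detected pid=1234 (no hash)\r\n"
            b"2015-03-01 12:00:02 incomplete line without newline"
        )
        events: List[Event] = []
        watch(log, events.append, from_start=True, poll_interval=0.01,
              stop=lambda: len(events) >= 2)
        return events


if __name__ == "__main__":
    # Live use on the monitored host: print every new detection as it lands.
    watch(LOG_PATH, lambda ev: print(ev["sha1"], ev["raw"]))
```

Reading in binary mode and decoding afterwards keeps the resume offset an exact byte count across polls; if the tool turns out to write UTF-16, only the decode call changes. The partial last line is held back until its newline arrives, so a handler never sees a half-written hash.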
I can definitely have ways to pull the log, but I was talking out of complete comfort level. :) Although you don't seem to have many people interested in those 2 tools, probably because driver development isn't very popular or easily grasped. Anyway, I will modify it for my own needs to work with it. Great tool again!
I am glad to hear that at least one person is interested in the tools and may extend them on your own, as I published them to share concepts or ideas with security researchers like you in the first place.
Yeah, I found them very useful actually. Please keep up the efforts and good work. :)
Re-opened. It should be kept as a record for the request. For now, no specific actions are planned, since similar work can be done using a log file and the author does not see a strong reason to provide the interface at a programming level.
It would be nice to have the ability to connect to it from a user-land app in order to have some sort of automation in the case of malware analysis, as opposed to the infamous DbgPrint. Just an addition, but very handy indeed.