NT Kernel Programming

Question

I would like to know where to get started, or how possible it is to hook into, or patch the windows kernel(XP and up). I am specifically interested in software like McAfee Entercept, or certain antivirus scanners that patch the kernel. I would like to know how feasable it is for a startup to create software that added in functionality to the kernel(I am aware of KPP, and that it can possibly be bypassed), and any remifications of doing this. I was unable to find a simple description, and only have limited experience with Win32. Any help is much appreciated,

J

Further clarification: I am not after a driver as such, and would be interested in if it was technically possible to port something like PaX to windows for example. It is a bad example as windows already has an implementation, but I am interested if similar technologies could be ported without having access to the NT source.

Answer 1

Yes, it's very possible to hook into the kernel. I strongly suggest the books Windows Internals and Rootkits.

These should give you all of the information you need.

Answer 2

The Microsoft Detours library allows you to intercept API calls from processes, and insert or replace your own code.

Note that successfully doing this sort of thing will likely require somewhat more than limited Win32 experience. As you can imagine, this can be a very complex topic.

Answer 3

Driver development is not an easy task at all. Anti-virus software require dealing with file system ( file system filter driver) that make the life more complex. It would be useful if you try to describe what are you trying to achieve more detailed.

The most recommended resources for driver development is OSR. There is 2 related mailing lists:

1. ntdev For general driver development
2. ntfsd For file system drive development

Book list can be found here.

Unless the driver is your core busyness (in this case find the person with kernel experience) i would strongly suggest outsourcing this work. On lists above you can find plenty of consultants.

Windows source basically can't be accessed :) unfortunately. To play with the virtual memory manager you must be in kernel mode, if this is possible at all.

Try asking this question on ntdev, you will ask most of kernel developers in the world. You will need to ask more concrete question to get reasonable answer (i will watch the thread, interesting topic).
If understand correctly what you are you want to do, this is impossible on Windows. At least not without major reverse engineering work, but i mostly work with standard types of drivers so it's i think i don't know enough to make a final conclusion.

Response to comment :

I'm not sure what exactly Entercept doing (did not find anything in product description suggesting they playing the memory or processes permissions). So defining final goal rather specific technology how to achieve this might be more productive way.

Response to comment 2 :

1.1. What is LIDS?

LIDS is an enhancement for the Linux kernel written by Xie Huagang and Philippe Biondi. It implements several security features that are not in the Linux kernel natively. Some of these include:
1. Mandatory access controls (MAC) - Don't know what is really mean.
2. Port scan detector - This is definitely doable look on this site.
3. Pile protection - File system filter driver explained above.
4. Process protection - You can hook process creation in your driver, look in ntdev archives there is a lot of discussions about this.

Answer 4

You talk about patching the kernel without providing a sensible explanation of why you want to do this and why you think the official API will not get you where you want to get. As a consequence, we have to assume you are planning to write some kind of malware -- do not expect anybody on stackoverflow to help you with this!