Kernel mode device driver vs. a Windows service

Started by shlomok, April 19, 2012, 02:08:41 PM

shlomok

Hi,
I am currently in the design phase of an open source tool targeted mainly at forensic analysts.
The tool has a backend (e.g. a kernel mode device driver/Windows service) and a frontend, e.g. a UI (this will be implemented much later).

I am contemplating between writing a KMD using four-f's kit or a regular Windows service.

My chief concern is the communication between the front-end and the backend.
At first sight it seems that a Service would be easier to write/install/debug, and the same service code can be integrated with the actual UI.
The KMD has no such option, and communicating with it is quite complex (unless you opt for writing a filter KMD).

Moreover, since a sys driver would use a different heap, should I be concerned with respect to portability between 32 and 64 bit systems?

Would love to have your view on this,

S.


vanjast

Well..
First of all... never mention the word 'Heap' here :wink
If I remember correctly there's not much diff between a driver and a service; it just depends how much work you want to do...
Or how much you want to hide your app  :wink :wink
:8)

shlomok

Quote from: vanjast on April 19, 2012, 09:22:01 PM
Well..
First of all... never mention the word 'Heap' here :wink
Hi,
Why not mention the heap? Am I missing a common masm joke?
I was referring to the use of ExAllocatePool (deprecated now by ExAllocatePoolWithTag) by a kernel-mode driver, see: http://four-f.webs.com/KmdTut/kmd06.html

From my initial POCs it seems that the Service is much easier to debug, and from what I read (and correct me if I am wrong), it would be much easier to port to a 64-bit system later on, mainly due to the driver signing restrictions set by Microsoft.
(see this for instance: http://mcdermottcybersecurity.com/articles/64-bit-device-driver-development)
I know they can be disabled; I do not wish to have a cumbersome installer that forces the user to alter advanced Windows settings.

Thanks,

S.


shlomok

Hello members,

How come no one participates in the thread?

dedndave

welllll.....
"forensics" is kind of frowned upon, because of forum rules
there are probably better assembly language forums for discussing what you want to do

any time you get to services, kmd's, ring 0 - support in here gets weak   :P

shlomok

Quote from: dedndave on April 20, 2012, 04:05:28 PM
welllll.....
"forensics" is kind of frowned upon, because of forum rules
there are probably better assembly language forums for discussing what you want to do

any time you get to services, kmd's, ring 0 - support in here gets weak   :P

I was afraid this would be the answer, however:

1-I am not a script kid/blackhat warrior; I am a digital forensic analyst.
2-I use my real name here.
3-Microsoft has been very actively advocating device driver development, and their new SDKs are growing bigger and bigger, as well as a very big community of developers.
This is legitimate and logical, so why is this issue banned here?
4-I communicated with the author of the KMD and he was very helpful without patronizing me or my intentions.
5-Anyone who is looking for the other "black" information wouldn't come here to seek advice.
6-I am not going to ask for information about key-loggers, anti-debugging or hooking techniques.
7-It's amazing how someone's opinion stems from a negative/accusative assumption without even knowing the person.
8-Yes, I understand that there is no way for you to differentiate between ethical and black-hat threads.

I sent you a private message with a link to the actual open source project with the full description.
If you are contented, then please answer my questions, and if not, that would be a shame, but I shall have no option but to revert to C/C++ and get real help from people who are really interested in aiding.

S.
:) 


baltoro

SHLOMOK,
Hi. Your concept is interesting,...and, quite possibly a legitimate request,...we really have no idea based on your posts.
...But, let's assume that you actually are a digital forensic analyst.
The sheer complexity of the project you are suggesting is going to make giving you specific advice difficult.
...And, from what I've seen here at the MASM Forum,...there are very few discussions of kernel mode techniques.
You should appreciate the ambiguity here,...writing a kernel mode driver is a key component in creating a Windows rootkit.
Also, assuming you do successfully compile a kernel mode driver, this can be used without any system security in Windows XP,...which is why Microsoft changed its driver loading management and incorporated the mandatory signing of all kernel components.
An excellent forum for kernel mode programming is: OSR Online
Baltoro

shlomok

Quote from: baltoro on April 20, 2012, 05:29:50 PM
The sheer complexity of the project you are suggesting is going to make giving you specific advice difficult.

Well,
The back-end (e.g. KMD or Win Service) is just the tip of the iceberg. Other modules include:
1-A full featured UI
2-A complex image processing module that incorporates face detection (see for instance: http://www.naun.org/journals/computers/20-462.pdf)
3-A module that is able to detect key-loggers/other root-kits/anti-debuggers etc. This is for the case in which an abuser has gained access to a school/home network and installed his stuff to spy on juveniles.
(see for instance http://pferrie.tripod.com/papers/unpackers.pdf)
4-Many more :)

Hope you got the idea, once I am ready I shall post here the full specs and ask others to join forces.  :red

I am familiar with the OSR forum; thank you for mentioning it anyway. The new Win DDK is a big step forward for C/C++ developers.


dedndave

also....
you may already know more than many of us do about drivers
i am sure you know more than i do about them   :P

nonetheless, i intend to study them, when i feel i am ready
i wish you the best with your project   :U

baltoro

SHLOMOK,
...Well, I'm impressed,...that is a very ambitious project,...especially,...
Quote from: SHLOMOK...a complex image processing module that incorporates face detection,...
I'll be watching for updates, and, so forth,...
Quote from: SHLOMOK...once I am ready I shall post here the full specs and ask others to join forces,...
I would offer some suggestions, but, I get the distinct impression that you are a competent programmer,...
...My specialty, here at the MASM Forum is CODE BLOAT,...and, of course, annoying DAVE,... :eek
Baltoro

shlomok

baltoro,
Quote from: baltoro on April 21, 2012, 06:00:12 PM
...Well, I'm impressed,...that is a very ambitious project,...especially,...
Baltoro,
Thanks for the VERY generous and kind words.
I decided to try the new VC 11 beta preview (which for the first time is integrated with the DDK) and give it a try, and I am downloading it as we speak. It has fantastic support for both 32- and 64-bit drivers, except there is no support whatsoever for Windows XP.
Don't get me wrong, the KMD kit is EXCELLENT, with loads of information (one can spend days reading the code and comments) and numerous working examples out of the box; however, it is a bit outdated, and 64-bit support would be an issue.

Before I get to detecting (the existence of) faces, I need to scan the hard drives ... and locate hidden partitions ... and remove rootkits with an observer process that has self-defense code ... which will be activated if it detects any attempt to inspect the hidden partition.  :bdg

Step by step, design first :)