[README|AltSyscallDriver|AltSyscallClient] Added a followup research …

…idea. Fixed some small formatting issues
0xcpu · Oct 21, 2019 · 3676738 · 3676738
1 parent 255c344
commit 3676738
Show file tree

Hide file tree

Showing 3 changed files with 13 additions and 15 deletions.
diff --git a/AltSyscallClient/AltSyscallClient.c b/AltSyscallClient/AltSyscallClient.c
@@ -226,8 +226,6 @@ ManageDriver(
 
 int __cdecl main(int argc, char *argv[])
 {
-    UNREFERENCED_PARAMETER(argv);
-
     DWORD       retCode = EXIT_SUCCESS;
     DWORD       dwBufferLength = 0;
     DWORD       dwPid = 0;
@@ -298,8 +296,8 @@ int __cdecl main(int argc, char *argv[])
             } else {
                 fwprintf(stdout, L"Monitor PID: %lu\n", dwPid);
 
-               hDevice = CreateFile(ALTSYSCALL_DEVICE_NAMEW,
-								     GENERIC_READ | GENERIC_WRITE,
+                hDevice = CreateFile(ALTSYSCALL_DEVICE_NAMEW,
+                                     GENERIC_READ | GENERIC_WRITE,
                                      0,
                                      NULL,
                                      CREATE_ALWAYS,

diff --git a/AltSyscallDriver/AltSyscall.c b/AltSyscallDriver/AltSyscall.c
@@ -4,7 +4,6 @@
 #include "AltSyscall.h"
 
 
-// Further investigation showed that the Syscall Handler will receive a pointer to a KTRAP_FRAME as only argument
 typedef
 BOOLEAN
 ALT_SYSCALL_HANDLER(
@@ -53,7 +52,7 @@ NTSTATUS
 DriverEntry(
     _In_ PDRIVER_OBJECT   DriverObject,
     _In_ PUNICODE_STRING  RegistryPath
-    )
+)
 {
     UNREFERENCED_PARAMETER(RegistryPath);
 
@@ -121,8 +120,6 @@ DriverUnload(
     PDEVICE_OBJECT deviceObject = DriverObject->DeviceObject;
     UNICODE_STRING uniWin32NameString;
 
-    // Investigate why is failing when trying to unload
-
     DbgPrintEx(DPFLTR_IHVDRIVER_ID, DPFLTR_INFO_LEVEL, "[AltSyscall] Driver unloading started\n");
 
     RtlInitUnicodeString(&uniWin32NameString, ALT_SYSCALL_DOS_DEVICE_NAME);
@@ -245,9 +242,9 @@ RegisterSyscallHandler(
 {
         PAGED_CODE();
 
-        NTSTATUS						status;
-        UNICODE_STRING					funcName;
-        PsRegisterAltSystemCallHandler	pPsRegisterAltSystemCallHandler;
+        NTSTATUS                        status;
+        UNICODE_STRING                  funcName;
+        PsRegisterAltSystemCallHandler  pPsRegisterAltSystemCallHandler;
 
         DbgPrintEx(DPFLTR_IHVDRIVER_ID, DPFLTR_INFO_LEVEL, "[AltSyscall] Registering Syscall handler\n");
 

diff --git a/README.md b/README.md
@@ -45,13 +45,16 @@ The tool is only for research purpose, this means it is not very well tested and
 
 - ~~There's no simple way(one function) to unregister the syscall handler. That's going back to the observation that it's probably an unfinished feature.~~
 
-## UPDATE
+## UPDATES
 
-Thanks to [Yarden Shafir](https://twitter.com/yarden_shafir) for the info regarding the last two issues. Basically the problem is not that the feature is "incomplete" is rather a design issue. For now, this feature is only intended to be used by Windows Defender. So the Windows Defender driver runs as a core driver, which means that is loaded before PG is activated, so it can register a handler safely, and for this same reason there is no way to unregister the function, because only Windows Defender can register a handler there, so it doesn't need to unregister it.
+1) Thanks to [Yarden Shafir](https://twitter.com/yarden_shafir) for the info regarding the last two issues. Basically the problem is not that the feature is "incomplete" is rather a design issue. For now, this feature is only intended to be used by Windows Defender. So the Windows Defender driver runs as a core driver, which means that is loaded before PG is activated, so it can register a handler safely, and for this same reason there is no way to unregister the function, because only Windows Defender can register a handler there, so it doesn't need to unregister it.
 
-Having this in mind, until Microsoft decide to "open" this feature **the only way to use the tool would be starting the machine under a debugger (WinDbg) or using a tool like [EfiGuard](https://github.com/Mattiwatti/EfiGuard) to disable PatchGuard**
+    Having this in mind, until Microsoft decide to "open" this feature **the only way to use the tool would be starting the machine under a debugger (WinDbg) or using a tool like [EfiGuard](https://github.com/Mattiwatti/EfiGuard) to disable PatchGuard**
+
+    Again big thanks to [Yarden Shafir](https://twitter.com/yarden_shafir) for sharing this info :)
+
+2) In the near future we'll research the idea of detecting by *yourself*(an `user space` executable) the fact that your actions are monitored by an `AltSyscallHandler`. 
 
-Again big thanks to [Yarden Shafir](https://twitter.com/yarden_shafir) for sharing this info :)
 
 ## CONCLUSION