Add x64 support

Author: tandasat

README.md

@@ -9,12 +9,18 @@ thread context manipulation.
 A supporting tool 'injector' is a sample program doing that type of code
 injection.
 
-A related blog entory can be found [here](http://standa-note.blogspot.ca/2015/03/section-based-code-injection-and-its.html).
+A related blog entory can be found here:
+
+    http://standa-note.blogspot.ca/2015/03/section-based-code-injection-and-its.html).
 
 Installation and Uninstallation
 -----------------
 
-Use the 'sc' command, for example, for installation:
+Get an archive file for compiled files form this link:
+
+    https://github.com/tandasat/RemoteWriteMonitor/releases/latest
+
+Then use the 'sc' command. For installation:
 
     >sc create rwmon type= kernel binPath= C:\Users\user\Desktop\RemoteWriteMonitor.sys
     >sc start rwmon
@@ -23,6 +29,16 @@ For uninstallation:
 
     >sc stop rwmon
     >sc delete rwmon
+    
+On the x64 bit platform, you have to enable test signing to install the driver.
+To do that, open the command prompt with the administrator privilege and type 
+the following command:
+
+   >bcdedit /set {current} testsigning on
+    
+Then, reboot the system to activate the change. You also have to disable the 
+Kernel Patch Protection (PatchGuard), and Google helps you do that work.
+
 
 Usage
 -------
@@ -36,8 +52,8 @@ what was written or mapped into the remote process. Output can be seen with
 DebugView and are all saved under the C:\Windows\RemoteWriteMonitor\ 
 directory. Written and mapped data is stored as \<SHA1\>.bin apart from a log file.
 
-'injector' could be used to test the driver's function. Injecting and executing code into
-notepad.exe could be done by the following commands:
+'injector' could be used to test the driver's function. Injecting and executing 
+code into notepad.exe can be done by the following commands:
 
     >notepad && tasklist | findstr notepad
     notepad.exe                   3368 Console                    1      4,564 K
@@ -54,6 +70,9 @@ notepad.exe could be done by the following commands:
 Output on DebugView would look like this:
 ![DebugView](/img/injector.png)
 
+Note that the injector only works against 32 bit processes.
+
+
 Caveats
 -------
 - It reports all those API calls regardless of its memory protection, contents
@@ -62,7 +81,7 @@ output related to the sample you are analyzing as it reports a lot of legit
 activities too.
 
  - It was designed so because it is far more difficult to track all written
-regions and reports only when it is executed (I wrote [it](https://sites.google.com/site/tandasat/home/egg) long time ago, and it was hell).
+regions and reports only when it is executed.
 
 - It does not monitor any of processes existed when the driver was installed.
 Thus, the second injection will not be reported if the sample injects code
@@ -79,7 +98,7 @@ may be happening.
 
 Supported Platform(s)
 -----------------
-- Windows 7 SP1 x86
+- Windows 7 SP1 and 8.1 (x86/x64)
 
 
 License

RemoteWriteMonitor/Release/RemoteWriteMonitor.sys

@@ -1,28 +1,71 @@
-
-Microsoft Visual Studio Solution File, Format Version 12.00
-# Visual Studio 2013
-VisualStudioVersion = 12.0.31101.0
-MinimumVisualStudioVersion = 10.0.40219.1
-Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "RemoteWriteMonitor", "RemoteWriteMonitor\RemoteWriteMonitor.vcxproj", "{287B2687-2894-4AA5-A5A9-686AE6C5F34A}"
-EndProject
-Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "injector", "injector\injector.vcxproj", "{FEE34C62-A273-4557-BF93-360BDA2855E5}"
-EndProject
-Global
-	GlobalSection(SolutionConfigurationPlatforms) = preSolution
-		Debug|Win32 = Debug|Win32
-		Release|Win32 = Release|Win32
-	EndGlobalSection
-	GlobalSection(ProjectConfigurationPlatforms) = postSolution
-		{287B2687-2894-4AA5-A5A9-686AE6C5F34A}.Debug|Win32.ActiveCfg = Debug|Win32
-		{287B2687-2894-4AA5-A5A9-686AE6C5F34A}.Debug|Win32.Build.0 = Debug|Win32
-		{287B2687-2894-4AA5-A5A9-686AE6C5F34A}.Release|Win32.ActiveCfg = Release|Win32
-		{287B2687-2894-4AA5-A5A9-686AE6C5F34A}.Release|Win32.Build.0 = Release|Win32
-		{FEE34C62-A273-4557-BF93-360BDA2855E5}.Debug|Win32.ActiveCfg = Debug|Win32
-		{FEE34C62-A273-4557-BF93-360BDA2855E5}.Debug|Win32.Build.0 = Debug|Win32
-		{FEE34C62-A273-4557-BF93-360BDA2855E5}.Release|Win32.ActiveCfg = Release|Win32
-		{FEE34C62-A273-4557-BF93-360BDA2855E5}.Release|Win32.Build.0 = Release|Win32
-	EndGlobalSection
-	GlobalSection(SolutionProperties) = preSolution
-		HideSolutionNode = FALSE
-	EndGlobalSection
-EndGlobal
+
+Microsoft Visual Studio Solution File, Format Version 12.00
+# Visual Studio 2013
+VisualStudioVersion = 12.0.31101.0
+MinimumVisualStudioVersion = 10.0.40219.1
+Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "RemoteWriteMonitor", "RemoteWriteMonitor\RemoteWriteMonitor.vcxproj", "{987A0E0D-CF4E-4DC8-A5FE-1CCCC3D75082}"
+EndProject
+Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "injector", "injector\injector.vcxproj", "{FEE34C62-A273-4557-BF93-360BDA2855E5}"
+EndProject
+Project("{2150E333-8FDC-42A3-9474-1A3956D46DE8}") = "Solution Items", "Solution Items", "{94B67B9C-4EA6-4F4D-A1B2-51035E1CF277}"
+	ProjectSection(SolutionItems) = preProject
+		..\README.md = ..\README.md
+	EndProjectSection
+EndProject
+Global
+	GlobalSection(SolutionConfigurationPlatforms) = preSolution
+		Win7 Debug|Win32 = Win7 Debug|Win32
+		Win7 Debug|x64 = Win7 Debug|x64
+		Win7 Release|Win32 = Win7 Release|Win32
+		Win7 Release|x64 = Win7 Release|x64
+		Win8.1 Debug|Win32 = Win8.1 Debug|Win32
+		Win8.1 Debug|x64 = Win8.1 Debug|x64
+		Win8.1 Release|Win32 = Win8.1 Release|Win32
+		Win8.1 Release|x64 = Win8.1 Release|x64
+	EndGlobalSection
+	GlobalSection(ProjectConfigurationPlatforms) = postSolution
+		{987A0E0D-CF4E-4DC8-A5FE-1CCCC3D75082}.Win7 Debug|Win32.ActiveCfg = Win7 Debug|Win32
+		{987A0E0D-CF4E-4DC8-A5FE-1CCCC3D75082}.Win7 Debug|Win32.Build.0 = Win7 Debug|Win32
+		{987A0E0D-CF4E-4DC8-A5FE-1CCCC3D75082}.Win7 Debug|Win32.Deploy.0 = Win7 Debug|Win32
+		{987A0E0D-CF4E-4DC8-A5FE-1CCCC3D75082}.Win7 Debug|x64.ActiveCfg = Win7 Debug|x64
+		{987A0E0D-CF4E-4DC8-A5FE-1CCCC3D75082}.Win7 Debug|x64.Build.0 = Win7 Debug|x64
+		{987A0E0D-CF4E-4DC8-A5FE-1CCCC3D75082}.Win7 Debug|x64.Deploy.0 = Win7 Debug|x64
+		{987A0E0D-CF4E-4DC8-A5FE-1CCCC3D75082}.Win7 Release|Win32.ActiveCfg = Win7 Release|Win32
+		{987A0E0D-CF4E-4DC8-A5FE-1CCCC3D75082}.Win7 Release|Win32.Build.0 = Win7 Release|Win32
+		{987A0E0D-CF4E-4DC8-A5FE-1CCCC3D75082}.Win7 Release|Win32.Deploy.0 = Win7 Release|Win32
+		{987A0E0D-CF4E-4DC8-A5FE-1CCCC3D75082}.Win7 Release|x64.ActiveCfg = Win7 Release|x64
+		{987A0E0D-CF4E-4DC8-A5FE-1CCCC3D75082}.Win7 Release|x64.Build.0 = Win7 Release|x64
+		{987A0E0D-CF4E-4DC8-A5FE-1CCCC3D75082}.Win7 Release|x64.Deploy.0 = Win7 Release|x64
+		{987A0E0D-CF4E-4DC8-A5FE-1CCCC3D75082}.Win8.1 Debug|Win32.ActiveCfg = Win8.1 Debug|Win32
+		{987A0E0D-CF4E-4DC8-A5FE-1CCCC3D75082}.Win8.1 Debug|Win32.Build.0 = Win8.1 Debug|Win32
+		{987A0E0D-CF4E-4DC8-A5FE-1CCCC3D75082}.Win8.1 Debug|Win32.Deploy.0 = Win8.1 Debug|Win32
+		{987A0E0D-CF4E-4DC8-A5FE-1CCCC3D75082}.Win8.1 Debug|x64.ActiveCfg = Win8.1 Debug|x64
+		{987A0E0D-CF4E-4DC8-A5FE-1CCCC3D75082}.Win8.1 Debug|x64.Build.0 = Win8.1 Debug|x64
+		{987A0E0D-CF4E-4DC8-A5FE-1CCCC3D75082}.Win8.1 Debug|x64.Deploy.0 = Win8.1 Debug|x64
+		{987A0E0D-CF4E-4DC8-A5FE-1CCCC3D75082}.Win8.1 Release|Win32.ActiveCfg = Win8.1 Release|Win32
+		{987A0E0D-CF4E-4DC8-A5FE-1CCCC3D75082}.Win8.1 Release|Win32.Build.0 = Win8.1 Release|Win32
+		{987A0E0D-CF4E-4DC8-A5FE-1CCCC3D75082}.Win8.1 Release|Win32.Deploy.0 = Win8.1 Release|Win32
+		{987A0E0D-CF4E-4DC8-A5FE-1CCCC3D75082}.Win8.1 Release|x64.ActiveCfg = Win8.1 Debug|x64
+		{987A0E0D-CF4E-4DC8-A5FE-1CCCC3D75082}.Win8.1 Release|x64.Build.0 = Win8.1 Debug|x64
+		{987A0E0D-CF4E-4DC8-A5FE-1CCCC3D75082}.Win8.1 Release|x64.Deploy.0 = Win8.1 Debug|x64
+		{FEE34C62-A273-4557-BF93-360BDA2855E5}.Win7 Debug|Win32.ActiveCfg = Debug|Win32
+		{FEE34C62-A273-4557-BF93-360BDA2855E5}.Win7 Debug|Win32.Build.0 = Debug|Win32
+		{FEE34C62-A273-4557-BF93-360BDA2855E5}.Win7 Debug|Win32.Deploy.0 = Debug|Win32
+		{FEE34C62-A273-4557-BF93-360BDA2855E5}.Win7 Debug|x64.ActiveCfg = Debug|x64
+		{FEE34C62-A273-4557-BF93-360BDA2855E5}.Win7 Release|Win32.ActiveCfg = Release|Win32
+		{FEE34C62-A273-4557-BF93-360BDA2855E5}.Win7 Release|Win32.Build.0 = Release|Win32
+		{FEE34C62-A273-4557-BF93-360BDA2855E5}.Win7 Release|Win32.Deploy.0 = Release|Win32
+		{FEE34C62-A273-4557-BF93-360BDA2855E5}.Win7 Release|x64.ActiveCfg = Release|x64
+		{FEE34C62-A273-4557-BF93-360BDA2855E5}.Win8.1 Debug|Win32.ActiveCfg = Debug|Win32
+		{FEE34C62-A273-4557-BF93-360BDA2855E5}.Win8.1 Debug|Win32.Build.0 = Debug|Win32
+		{FEE34C62-A273-4557-BF93-360BDA2855E5}.Win8.1 Debug|Win32.Deploy.0 = Debug|Win32
+		{FEE34C62-A273-4557-BF93-360BDA2855E5}.Win8.1 Debug|x64.ActiveCfg = Debug|x64
+		{FEE34C62-A273-4557-BF93-360BDA2855E5}.Win8.1 Release|Win32.ActiveCfg = Release|Win32
+		{FEE34C62-A273-4557-BF93-360BDA2855E5}.Win8.1 Release|Win32.Build.0 = Release|Win32
+		{FEE34C62-A273-4557-BF93-360BDA2855E5}.Win8.1 Release|Win32.Deploy.0 = Release|Win32
+		{FEE34C62-A273-4557-BF93-360BDA2855E5}.Win8.1 Release|x64.ActiveCfg = Release|x64
+	EndGlobalSection
+	GlobalSection(SolutionProperties) = preSolution
+		HideSolutionNode = FALSE
+	EndGlobalSection
+EndGlobal

RemoteWriteMonitor/Release/injector.exe

@@ -0,0 +1,68 @@
+;
+; This module implements the lowest part of hook handlers
+;
+
+;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
+.CONST
+
+
+;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
+.DATA
+
+
+;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
+.CODE
+
+
+; Implements jump to an arbitrary location without modifying registers.
+; 0ffffffffffffffffh is used as a mark to be replaced with a correct address.
+JMP_TEMPLATE MACRO 
+    nop     ; This is space for implanting int 3 for debugging
+    jmp     qword ptr [jmp_address]
+jmp_address:
+    dq      0ffffffffffffffffh
+ENDM
+
+
+
+AsmNtMapViewOfSection_Win81_7 PROC
+    mov     qword ptr [rsp+10h], rbx
+    mov     qword ptr [rsp+18h], rsi
+    mov     qword ptr [rsp+8h], rcx
+    push    rdi
+    JMP_TEMPLATE 
+AsmNtMapViewOfSection_Win81_7 ENDP
+AsmNtMapViewOfSection_Win81_7End PROC
+    nop
+AsmNtMapViewOfSection_Win81_7End ENDP
+
+
+; For Win 8.1
+AsmNtWriteVirtualMemory_Win81 PROC
+    sub     rsp, 38h
+    mov     rax, [rsp+60h]
+    mov     dword ptr [rsp+28h], 20h 
+    mov     [rsp+20h], rax 
+    JMP_TEMPLATE 
+AsmNtWriteVirtualMemory_Win81 ENDP
+AsmNtWriteVirtualMemory_Win81End PROC
+    nop
+AsmNtWriteVirtualMemory_Win81End ENDP
+
+
+; For Win 7
+AsmNtWriteVirtualMemory_Win7 PROC
+    mov     rax, rsp
+    mov     qword ptr [rax+8h], rbx
+    mov     qword ptr [rax+10h], rsi
+    mov     qword ptr [rax+18h], rdi
+    mov     qword ptr [rax+20h], r12
+    JMP_TEMPLATE 
+AsmNtWriteVirtualMemory_Win7 ENDP
+AsmNtWriteVirtualMemory_Win7End PROC
+    nop
+AsmNtWriteVirtualMemory_Win7End ENDP
+
+
+
+END

RemoteWriteMonitor/RemoteWriteMonitor.sln

@@ -0,0 +1,51 @@
+// Copyright (c) 2015, tandasat. All rights reserved.
+// Use of this source code is governed by a MIT-style license that can be
+// found in the LICENSE file.
+
+//
+//
+//
+#include "stdafx.h"
+#include "../../asm.h"
+
+////////////////////////////////////////////////////////////////////////////////
+//
+// macro utilities
+//
+
+////////////////////////////////////////////////////////////////////////////////
+//
+// constants and macros
+//
+
+////////////////////////////////////////////////////////////////////////////////
+//
+// types
+//
+
+////////////////////////////////////////////////////////////////////////////////
+//
+// prototypes
+//
+
+////////////////////////////////////////////////////////////////////////////////
+//
+// variables
+//
+
+////////////////////////////////////////////////////////////////////////////////
+//
+// implementations
+//
+
+EXTERN_C void AsmNtMapViewOfSection_Win81_7(){};
+
+EXTERN_C void AsmNtMapViewOfSection_Win81_7End(){};
+
+EXTERN_C void AsmNtWriteVirtualMemory_Win81(){};
+
+EXTERN_C void AsmNtWriteVirtualMemory_Win81End(){};
+
+EXTERN_C void AsmNtWriteVirtualMemory_Win7(){};
+
+EXTERN_C void AsmNtWriteVirtualMemory_Win7End(){};