Strange behavior of injected app

Davita
Posts: 163
Joined: Tue Sep 13, 2005 7:31 pm

Strange behavior of injected app

Post by Davita »

Hi madshi.

We are developing an internal auditing software. We are hooking several suspicious windows api and log it for internal use. We are using madCodeHook 3 and I want to mention that your library works perfectly as usual :)
However, we have a little problem that we can't resolve. When we hook several APIs in different applications, we see that the app quite often calls WriteFile on an executable file (*.exe). And the strangest thing here is that nothing is written to the file at all. Neither the date-modified attribute nor the file size/content is updated after the write, yet the function succeeds. I'm aware that WriteFile is used not only for files but also for mailslots, named pipes and so on, but in that case the name of the file (passed to CreateFile/OpenFile) should start with something like \\.\ if I remember correctly, and this is not the case for me; but I may be wrong, and I don't exclude the possibility that it could be something other than a file that I don't know about. Do you have any idea what it could be? We want to filter out as many unnecessary alerts as we can. I suspect that this issue is related to IPC functionality, because it happens most often with multi-process browsers, such as Chrome or IE9 (which runs every tab in a different process, so in case of a crash only the tab will crash and not the app), but it also happens with single-process apps, such as uTorrent for example (when it's not downloading an exe file, of course).

Another problem we are facing is that, very often, we see that a legitimate process calls WriteProcessMemory. We also log every process memory modifications and just like first issue, this one also happens most often with web browsers. Take a look at the screenshot http://dl.dropbox.com/u/3055964/writeprocessmemory.png . As you can see, chrome is calling WriteProcessMemory on explorer.exe. I don't understand why it should need to do that, there is a stacktrace on the screenshot, maybe one of the api calls WriteProcessMemory/NtWriteVirtualMemory?

Do you have any idea what we are dealing with? Anything would be a great help now :)

Thank you
madshi
Site Admin
Posts: 10764
Joined: Sun Mar 21, 2004 5:25 pm

Re: Strange behavior of injected app

Post by madshi »

About the WriteFile problem: I'd suggest using the SysInternals FileMonitor to double-check whether the writing really goes to a file.

About the WriteProcessMemory: I don't know why a browser should write memory to the Explorer. The only thing that comes to my mind right now is IPC (inter process communication). But why would a browser try to communicate with the Explorer? Maybe chrome has a shell extension registered? And what you're seeing is communication between the chrome browser instance and the shell extension? I can only guess here...

You could try to dump the WriteProcessMemory data to a binary file. Maybe looking at the contents could give you an idea what kind of data is written?
Davita
Posts: 163
Joined: Tue Sep 13, 2005 7:31 pm

Re: Strange behavior of injected app

Post by Davita »

Thanks madshi, I will try that. It's hard to reproduce the problem because it happens randomly.
I will post the results here.
iconic
Site Admin
Posts: 1065
Joined: Wed Jun 08, 2005 5:08 am

Re: Strange behavior of injected app

Post by iconic »

If you're running a 32-bit OS, try this tool located here (it's freeware): http://www.novirusthanks.org/product/wr ... y-monitor/

It's common for Explorer.exe to call WPM/NtWriteVirtualMemory on created processes, but a browser doing this to Explorer.exe is odd. Regardless, it should answer your question.

--Iconic
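A triage filter for the two alert classes raised in this thread (zero-byte WriteFile calls on *.exe targets and WriteProcessMemory from browsers), as an added example that is not madCodeHook code and not from any poster. It assumes the hook callbacks write one `api|pid|image|target|bytes_requested|bytes_written` record per call (the last field being WriteFile's lpNumberOfBytesWritten out-parameter), and runs over a constructed log embedded below.

```python
"""Triage of hook-log records: suppress device-namespace and zero-byte WriteFile
calls, rate WriteProcessMemory by source image (added example, constructed data)."""
from dataclasses import dataclass

# Constructed sample log in the assumed record format:
# api|pid|image|target|bytes_requested|bytes_written
SAMPLE_LOG = """\
WriteFile|4120|chrome.exe|C:\\Program Files\\Chrome\\chrome.exe|4096|0
WriteFile|4120|chrome.exe|\\\\.\\pipe\\chrome.sync.1234|256|256
WriteFile|2216|utorrent.exe|C:\\Users\\u\\Downloads\\setup.exe|65536|65536
WriteFile|3300|svc.exe|\\\\.\\mailslot\\audit|64|64
WriteProcessMemory|1000|explorer.exe|5555:calc.exe|4096|4096
WriteProcessMemory|4120|chrome.exe|1000:explorer.exe|8192|8192
"""

# Win32 device namespace: named pipes (\\.\pipe\...), mailslots (\\.\mailslot\...)
# and raw devices. In the hook itself GetFileType() == FILE_TYPE_PIPE is the
# more reliable check, since a handle may have been opened by relative path.
DEVICE_PREFIXES = ("\\\\.\\", "\\\\?\\")
EXECUTABLE_EXTS = (".exe", ".dll", ".sys")


@dataclass
class Record:
    api: str
    pid: int
    image: str
    target: str
    requested: int
    written: int


def parse(line: str) -> Record:
    api, pid, image, target, req, wr = line.split("|")
    return Record(api, int(pid), image, target, int(req), int(wr))


def triage(rec: Record) -> tuple[str, str]:
    """Return (verdict, reason); verdict is 'alert', 'info' or 'suppress'."""
    if rec.api == "WriteFile":
        if rec.target.startswith(DEVICE_PREFIXES):
            return "suppress", "device-namespace target (pipe/mailslot), not a file"
        if rec.written == 0:
            return "suppress", "call succeeded but lpNumberOfBytesWritten is 0"
        if rec.target.lower().endswith(EXECUTABLE_EXTS):
            return "alert", "bytes actually written to an executable file"
        return "info", "write to a non-executable file"
    if rec.api == "WriteProcessMemory":
        target_image = rec.target.split(":", 1)[1].lower()
        if rec.image.lower() == "explorer.exe":
            return "info", "WPM from explorer.exe into a child process is common"
        return "alert", f"{rec.image} writing into {target_image}"
    return "info", "API not classified"


def filter_log(text: str) -> list[tuple[str, str, str]]:
    """Classify every non-empty record; returns (api, verdict, reason) per line."""
    out = []
    for line in text.splitlines():
        if line.strip():
            verdict, reason = triage(parse(line))
            out.append((line.split("|", 1)[0], verdict, reason))
    return out
```

Run it over the real hook output only after confirming with FileMonitor, as madshi suggests, that the zero-byte writes really reach no file; the filter encodes that observation rather than proving it.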