OSR Online Lists > ntdev
  Message 1 of 7  
08 May 18 06:44
Berouz Afzal
xxxxxx@gmail.com
Join Date: 06 Mar 2018
Posts To This List: 3
Alternates to ELAM driver in Windows-7

I am new to NTDEV. I am interested in developing a protected service. I have gone through guidelines from the following links.

https://msdn.microsoft.com/en-us/library/windows/desktop/dn313124(v=vs.85).aspx
https://osronline.com/showThread.CFM?link=284667

Now my service is running in protected mode in Windows-8 and 10. I need to secure my service for Win-7 and Win-8. I know it'll be less secure than in win-8.1 & 10 but still I want it to be more secure than a normal service. I have gone through the following link as well but I want to do it in a legal and appropriate way just like that in case of Win-8.1 & 10.

https://security.stackexchange.com/questions/30985/create-a-unterminable-process-in-windows

Thanks in advance
  Message 2 of 7  
08 May 18 13:55
Tim Roberts
xxxxxx@probo.com
Join Date: 28 Jan 2005
Posts To This List: 11925
Alternates to ELAM driver in Windows-7

xxxxx@gmail.com wrote:
> Now my service is running in protected mode in Windows-8 and 10.
> I need to secure my service for Win-7 and Win-8. I know it'll be less secure than in win-8.1 & 10 but still I want it to be more secure than a normal service.

"More secure" in what sense? What, exactly, are you trying to protect against? About the best you can do is change your service's owning user so that an app has to have special permission to access your process.

--
Tim Roberts, xxxxx@probo.com
Providenza & Boekelheide, Inc.
  Message 3 of 7  
08 May 18 15:24
Berouz Afzal
xxxxxx@gmail.com
Join Date: 06 Mar 2018
Posts To This List: 3
Alternates to ELAM driver in Windows-7

By more secure, I mean to make it stable enough that no end user or unwanted process like malware could kill my service.

On Tuesday, May 8, 2018, xxxxx@probo.com <xxxxx@lists.osr.com> wrote:
> xxxxx@gmail.com wrote:
> > Now my service is running in protected mode in Windows-8 and 10.
> > I need to secure my service for Win-7 and Win-8. I know it'll be less secure than in win-8.1 & 10 but still I want it to be more secure than a normal service.
>
> "More secure" in what sense? What, exactly, are you trying to protect against? About the best you can do is change your service's owning user so that an app has to have special permission to access your process.
> <...excess quoted lines suppressed...>
  Message 4 of 7  
08 May 18 17:34
Tim Roberts
xxxxxx@probo.com
Join Date: 28 Jan 2005
Posts To This List: 11925
Alternates to ELAM driver in Windows-7

xxxxx@gmail.com wrote:
> By more secure, I mean to make it stable enough that no end user or unwanted process like a malware could kill my service.

That, of course, is impossible. You can make it tedious, but you can't prevent it. As I said, about the best you can do is have your process be created by a special system user, then change the security access list so normal user accounts only have read access.

--
Tim Roberts, xxxxx@probo.com
Providenza & Boekelheide, Inc.
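The hardening Tim Roberts describes (run the service under its own principal, then cut the access list down so ordinary users get read-only rights) can be applied to the service object from an elevated prompt. The script below is an added example written for this thread, not code from any poster; it assumes a service named MyProtectedSvc and uses the stock sc.exe verbs (config, sidtype, sdset, sdshow, failure).

```powershell
# Added example (not from the thread). Assumes an existing service called
# "MyProtectedSvc"; run from an elevated PowerShell prompt.
$ServiceName = 'MyProtectedSvc'

# 1. Run the service under its own virtual service account rather than
#    LocalSystem or a normal user, so the process is owned by a principal
#    that ordinary accounts hold no rights over. Giving the service an
#    unrestricted per-service SID lets its own files/keys be ACL'd to it.
sc.exe config  $ServiceName obj= "NT SERVICE\$ServiceName"
sc.exe sidtype $ServiceName unrestricted

# 2. Replace the service object's DACL. SYSTEM (SY) and Administrators (BA)
#    keep control rights (RP=start, WP=stop, DT=pause/continue, SD=delete,
#    WD=write DAC, WO=write owner). Interactive (IU) and built-in Users (BU)
#    are limited to read/query rights: CC=QueryConfig, LC=QueryStatus,
#    SW=EnumerateDependents, LO=Interrogate, RC=ReadControl.
#    The SACL audits failed access attempts from Everyone (WD).
$Sddl = 'D:' +
        '(A;;CCLCSWRPWPDTLOCRSDRCWDWO;;;SY)' +
        '(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)' +
        '(A;;CCLCSWLORC;;;IU)' +
        '(A;;CCLCSWLORC;;;BU)' +
        'S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)'
sc.exe sdset $ServiceName $Sddl

# 3. Verify: read the descriptor back and make sure the Users ACE carries
#    none of the control rights (stop, pause, delete, write-DAC, take-owner).
$current  = sc.exe sdshow $ServiceName | Where-Object { $_ -match '^D:' }
$usersAce = [regex]::Match($current, '\(A;;([A-Z]+);;;BU\)').Groups[1].Value
if ($usersAce -match 'WP|DT|SD|WD|WO') {
    Write-Warning "Users still hold control rights on ${ServiceName}: $usersAce"
} else {
    Write-Output  "Users limited to read/query rights on ${ServiceName} ($usersAce)"
}

# 4. If the process is killed anyway, let the Service Control Manager bring
#    it back: three restarts with growing delays, failure count reset daily.
sc.exe failure $ServiceName reset= 86400 actions= restart/5000/restart/30000/restart/60000
```

Two caveats apply. The service DACL governs what the SCM allows (stop, delete, reconfigure); the running process has its own security descriptor, which the service can tighten at startup with SetSecurityInfo on its own process handle so that non-administrators lack PROCESS_TERMINATE. And, as the replies make clear, none of this stops an administrator or kernel-mode code; it only removes the unprivileged paths, which is the realistic goal on Windows 7.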
  Message 5 of 7  
12 May 18 09:06
Berouz Afzal
xxxxxx@gmail.com
Join Date: 06 Mar 2018
Posts To This List: 3
Alternates to ELAM driver in Windows-7

That is possible in case of win-8 and win-10. I am interested in knowing what anti-malware vendors used to do in win-7 to protect their anti-malware service?

On Wed, May 9, 2018 at 2:16 AM, xxxxx@probo.com <xxxxx@lists.osr.com> wrote:
> xxxxx@gmail.com wrote:
> > By more secure, I mean to make it stable enough that no end user or unwanted process like a malware could kill my service.
>
> That, of course, is impossible. You can make it tedious, but you can't prevent it. As I said, about the best you can do is have your process be created by a special system user, then change the security access list so normal user accounts only have read access.
> <...excess quoted lines suppressed...>
  Message 6 of 7  
12 May 18 09:35
Don Burn
xxxxxx@windrvr.com
Join Date: 23 Feb 2011
Posts To This List: 1406
Alternates to ELAM driver in Windows-7

Before ELAM, people used the CmRegisterCallback calls to make it harder to attack the service. Also, there were paired services, where there was a monitoring service that, if the primary service went down, restarted it. The primary would do the same for the monitoring. Other than that you are getting into things like hooking system calls, which unfortunately a lot of big name anti-malware companies tried, in some cases with disastrous results such as breaking security completely.

Don Burn
Windows Driver Consulting
Website: http://www.windrvr.com

-----Original Message-----
From: xxxxx@lists.osr.com [mailto:xxxxx@lists.osr.com] On Behalf Of xxxxx@gmail.com
Sent: Saturday, May 12, 2018 9:06 AM
To: Windows System Software Devs Interest List <xxxxx@lists.osr.com>
Subject: Re: [ntdev] Alternates to ELAM driver in Windows-7

That is possible in case of win-8 and win-10. I am interested in knowing what anti-malware vendors used to do in win-7 to protect their anti-malware service?

On Wed, May 9, 2018 at 2:16 AM, xxxxx@probo.com <xxxxx@lists.osr.com> wrote:
> xxxxx@gmail.com wrote:
> > By more secure, I mean to make it stable enough that no end user or unwanted process like a malware could kill my service.
>
> That, of course, is impossible. You can make it tedious, but you can't prevent it. As I said, about the best you can do is have your process be created by a special system user, then change the security access list so normal user accounts only have read access.
>
> --
> Tim Roberts, xxxxx@probo.com
> Providenza & Boekelheide, Inc.

---
NTDEV is sponsored by OSR
Visit the list online at: <http://www.osronline.com/showlists.cfm?list=ntdev>
MONTHLY seminars on crash dump analysis, WDF, Windows internals and software drivers! Details at <http://www.osr.com/seminars>
To unsubscribe, visit the List Server section of OSR Online at <http://www.osronline.com/page.cfm?name=ListServer>
  Message 7 of 7  
13 May 18 03:42
anton bassov
xxxxxx@hotmail.com
Join Date: 16 Jul 2006
Posts To This List: 4472
Alternates to ELAM driver in Windows-7

> I mean to make it stable enough that no end user or unwanted process
> like a malware could kill my service.

Sounds like a classical book definition of malware, don't you think..... Check the archives for more info on the topic - we had discussed it so many times in this NG that it simply does not seem to make any sense to repeat and rehash the same arguments again and again and again....

> I am interested in knowing what did anti-malware vendors used to do in win-7
> to protect their anti-malware service?

If you want to see a good comedy, try installing two competing anti-malware products on the same machine. They are quite likely to identify one another as a malware, and try to kill one another while protecting themselves against termination. Could be a good fun to watch....

Back in the old days they would rely upon the callbacks whenever it was possible, and go hooking otherwise. ELAM seems to be offering some new "exciting" possibilities.

https://docs.microsoft.com/en-us/windows-hardware/drivers/install/elam-driver-requirements

I am particularly impressed with the following excerpt

<quote>
The Early Launch drivers can use registry callbacks to monitor and validate the configuration data used as input for each boot-start driver.
</quote>

It sounds fine and dandy, but consider what happens if two competing drivers try to "monitor and validate the configuration data used as input" for one another. Which of them do you think is going to win?

Now go and read Mr. Roberts's post again, and you will (hopefully) realise that he is absolutely correct here - there is absolutely nothing that you can do against a module that had been loaded in the kernel and started running. The only thing that you can theoretically do is to try preventing its load and/or initialisation, but there is no guarantee that it is not going to be your driver who gets prevented from loading by its rival who happens to be more lucky in this particular case..

Anton Bassov