OSR Online Lists > ntdev
  Message 1 of 19  
05 May 12 09:22
allen zhang
xxxxxx@sina.com
Join Date: 22 Jul 2008
Posts To This List: 256
How to disable a global hook on the specific process

How to disable a global hook on a specific process while it stays valid for the others? The general method is to hook KeUserModeCallback, as anti-virus software does. It achieves the purpose of preventing the module entry, but you are constantly harassed, and performance will be affected if the harassment is frequent enough. Is there a better way to achieve the same purpose and also keep the performance?

B.R.
Allen
  Message 2 of 19  
05 May 12 11:11
Alex Grig
xxxxxx@broadcom.com
Join Date: 14 Apr 2008
Posts To This List: 1840
RE: How to disable a global hook on the specific process

To disable a global hook, you either run the process at a higher integrity level, or under a different account.
  Message 3 of 19  
05 May 12 16:55
Joseph M. Newcomer
xxxxxx@flounder.com
Join Date: 20 Nov 2008
Posts To This List: 1893
Re: How to disable a global hook on the specific process

I am curious why everyone seems to gravitate to the let's-just-hook-the-kernel-call approach. It has been a long time since Vista was released. Go read about integrity levels.

joe

> How to disable a global hook on the specific process, the others still
> valid.
> The generally method is Hook KeUserModeCallback in Anti-virus software, It
> can reach the purpose to prevent the module entry, But You must be
> harassment, And the performance will be affected if the harassment is
> frequently enough, Is there a better way to achieve the same purpose and
> also both the performance?
>
>
> B.R.
<...excess quoted lines suppressed...>
  Message 4 of 19  
05 May 12 20:36
allen zhang
xxxxxx@sina.com
Join Date: 22 Jul 2008
Posts To This List: 256
RE: How to disable a global hook on the specific process

Alex Grig & joe,

Thank you for your answer. Yes, you can run the process at a higher integrity level, and a process at the lower integrity level will be prevented. But:
1. It is useless for Windows XP.
2. It is useless for a process at a higher integrity level.

To joe: it doesn't meet the requirements of the application, so anti-virus software uses a driver.
  Message 5 of 19  
06 May 12 00:23
Alex Grig
xxxxxx@broadcom.com
Join Date: 14 Apr 2008
Posts To This List: 1840
RE: How to disable a global hook on the specific process

I'm afraid this is another misguided attempt to implement security while not using proper security practices, such as not giving the users administrative privileges. Leave any hope.
  Message 6 of 19  
07 May 12 12:17
Joseph M. Newcomer
xxxxxx@flounder.com
Join Date: 20 Nov 2008
Posts To This List: 1893
RE:How to disable a global hook on the specific process

I find that many times when this question is asked, it is by someone who doesn't understand what security actually exists, and how to use it, and wants to implement some single-solution approach to one problem they have identified, and ignore all the other problems they haven't thought of yet. For example, disabling global hooks (threadid == 0) does not solve the problem of someone determining exactly which thread they want to hook, and hooking only that thread. Integrity level already manages this. When I taught my security course years ago, it was always fun to hear the ideas the students would suggest, and then show how I could trivially work around them.

joe

> I'm afraid this is another misguided attempt to implement security while
> not using proper security practices, such as not giving the users
> administrative privileges.
>
> Leave any hope.
>
>
> ---
> NTDEV is sponsored by OSR
>
<...excess quoted lines suppressed...>
  Message 7 of 19  
08 May 12 17:46
M M
xxxxxx@hotmail.com
Join Date: 21 Oct 2010
Posts To This List: 221
Re: How to disable a global hook on the specific process

Are you seriously meditating a new anti-virus product for XP? If so, then KM hooks are probably a necessity, but what you build won't work well in anything newer. Worrying about an attack from a process running as a fully trusted admin via a message hook is a lot like worrying about running out of fuel on RMS Titanic after the iceberg strike: sure it is possible to hook your antivirus UI, but then there are so many other reasons why the ship is going down, one finds it hard to care.

wrote in message news:176805@ntdev...

> Alex Grig & joe Thank you for you answer, Yes, you can run the process on
> higher integrity level, and the process will be prevented on the lower
> integrity level, But, 1, It is useless for Windows XP 2, It is useless
> for the process on higher integrity level. To joe, It doesn't meet the
> requirements on the application, So the Anti-virus software use driver.
  Message 8 of 19  
10 May 12 12:51
allen zhang
xxxxxx@sina.com
Join Date: 22 Jul 2008
Posts To This List: 256
RE: How to disable a global hook on the specific process

Alex, joe & Joseph,

Thank you for your answer. In fact, I am doing a financial security product; the product is to prevent password leakage, so I don't want any strange modules to be loaded in my process, which of course also includes a global hook. You know, once they enter, the consequences could be catastrophic. The essential difference between my product and anti-virus software is that, to some extent, it has to get along in harmony with viruses.

B.R.
Allen
  Message 9 of 19  
10 May 12 12:55
allen zhang
xxxxxx@sina.com
Join Date: 22 Jul 2008
Posts To This List: 256
RE: How to disable a global hook on the specific process

Perhaps you will tell me to use a keyboard driver, or to attach to the interrupt, but in my opinion these are not the best solution.

B.R.
Allen
  Message 10 of 19  
10 May 12 13:13
Alex Grig
xxxxxx@broadcom.com
Join Date: 14 Apr 2008
Posts To This List: 1840
RE: How to disable a global hook on the specific process

> In fact, I was doing a financial security products, the product is to prevent password leakage

In a properly configured financial enterprise network:

1. The boxes should be properly configured to deny administrative privileges to the users.
2. They should only be able to access the internal network. Ideally they should not be able to communicate between themselves, only to the server. To access external sites, the users should use an isolated virtual machine, which is restored to a fixed snapshot periodically. The VM should use a separate VLAN (enforced by the VM host).
3. The keyboard cords should be physically fixed to the boxes. All unused USB/FireWire connections should be sealed. No external devices are allowed. Email should be filtered to only allow selected domains.

Your software will NOT solve this problem.
  Message 11 of 19  
10 May 12 18:02
Joseph M. Newcomer
xxxxxx@flounder.com
Join Date: 20 Nov 2008
Posts To This List: 1893
RE:How to disable a global hook on the specific process

You're approaching this from the wrong direction. You see hooks as a threat, and that's true, but it is one of many attack vectors, and you seem to be ignoring most of the others. Note that if you have a general solution, the hook problem falls out of the general solution. For example, if the software runs in a different desktop, you can't hook across desktops. So you should look into how to create a separate desktop session to run your app, and log it in under an account which is not the user's normal account, and ACLs have to be established that keep this user from doing things that could compromise security. For example, an account under this ID cannot create files anywhere except in a restricted set of directories (assuming it needs to create files at all), cannot access files except those it is permitted to access, cannot run any program OTHER than the financial program (no IE, no Office, etc.). Do this and you won't even have to think about hooks, because they will no longer be an issue.

joe

> Alex , joe & Joseph,
>
> Thank you for your answer.
> In fact, I was doing a financial security products, the product is to
> prevent password leakage, so I don't want any strange modules be loaded in
> my process, of course, also contains a global hook.
> You know, once they enter, the consequences could be catastrophic, the
> essential difference between my product and not as anti-virus software, to
> some extent to say to get along in harmony and viruses.
<...excess quoted lines suppressed...>
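The separate-desktop approach Joe describes above (and the different-account suggestion in Message 2) can be shown as a small launcher. The following PowerShell is an added example, not code from this thread or from OSR. It wraps the Win32 calls CreateDesktop, CreateProcess (with STARTUPINFO.lpDesktop) and SwitchDesktop through Add-Type; the wrapper class name PrivateDesktop, the desktop name and the program path are assumptions for illustration. Windows only delivers a SetWindowsHookEx hook to threads on the same desktop as the thread that installed it, which is the property the launcher relies on.

```powershell
# Added example, not code from the thread: run a sensitive program on its
# own desktop. Hooks installed from the user's normal desktop cannot reach
# threads on this one. Desktop name and program path are assumptions.

$signature = @'
using System;
using System.Runtime.InteropServices;

public static class PrivateDesktop
{
    [StructLayout(LayoutKind.Sequential, CharSet = CharSet.Unicode)]
    public struct STARTUPINFO
    {
        public int cb;
        public string lpReserved;
        public string lpDesktop;      // "WinSta0\<desktop>" places the process there
        public string lpTitle;
        public int dwX, dwY, dwXSize, dwYSize, dwXCountChars, dwYCountChars;
        public int dwFillAttribute, dwFlags;
        public short wShowWindow, cbReserved2;
        public IntPtr lpReserved2, hStdInput, hStdOutput, hStdError;
    }

    [StructLayout(LayoutKind.Sequential)]
    public struct PROCESS_INFORMATION
    {
        public IntPtr hProcess, hThread;
        public int dwProcessId, dwThreadId;
    }

    [DllImport("user32.dll", CharSet = CharSet.Unicode, SetLastError = true)]
    public static extern IntPtr CreateDesktop(string lpszDesktop, IntPtr lpszDevice,
        IntPtr pDevmode, int dwFlags, uint dwDesiredAccess, IntPtr lpsa);

    [DllImport("user32.dll", SetLastError = true)]
    public static extern bool SwitchDesktop(IntPtr hDesktop);

    [DllImport("user32.dll", SetLastError = true)]
    public static extern IntPtr GetThreadDesktop(uint dwThreadId);

    [DllImport("user32.dll", SetLastError = true)]
    public static extern bool CloseDesktop(IntPtr hDesktop);

    [DllImport("kernel32.dll")]
    public static extern uint GetCurrentThreadId();

    [DllImport("kernel32.dll", CharSet = CharSet.Unicode, SetLastError = true)]
    public static extern bool CreateProcess(string lpApplicationName, string lpCommandLine,
        IntPtr lpProcessAttributes, IntPtr lpThreadAttributes, bool bInheritHandles,
        uint dwCreationFlags, IntPtr lpEnvironment, string lpCurrentDirectory,
        ref STARTUPINFO lpStartupInfo, out PROCESS_INFORMATION lpProcessInformation);

    [DllImport("kernel32.dll", SetLastError = true)]
    public static extern uint WaitForSingleObject(IntPtr hHandle, uint dwMilliseconds);

    [DllImport("kernel32.dll", SetLastError = true)]
    public static extern bool CloseHandle(IntPtr hObject);
}
'@
Add-Type -TypeDefinition $signature

$desktopName = 'BankingDesktop'                          # assumed name
$program     = 'C:\Program Files\BankingApp\BankApp.exe' # assumed path
$GENERIC_ALL = [uint32]0x10000000

# Remember the desktop we are on now so we can switch back afterwards.
$hOriginal = [PrivateDesktop]::GetThreadDesktop([PrivateDesktop]::GetCurrentThreadId())

# lpsa is NULL here, so the desktop inherits the window station's DACL. A
# production launcher would pass a SECURITY_ATTRIBUTES whose DACL denies
# DESKTOP_HOOKCONTROL and DESKTOP_JOURNALPLAYBACK to everyone but the
# launching account; that is the "ACLs have to be established" part.
$hDesktop = [PrivateDesktop]::CreateDesktop($desktopName, [IntPtr]::Zero, [IntPtr]::Zero,
                                            0, $GENERIC_ALL, [IntPtr]::Zero)
if ($hDesktop -eq [IntPtr]::Zero) {
    throw "CreateDesktop failed, Win32 error $([Runtime.InteropServices.Marshal]::GetLastWin32Error())"
}

$si = New-Object 'PrivateDesktop+STARTUPINFO'
$si.cb        = [Runtime.InteropServices.Marshal]::SizeOf($si)
$si.lpDesktop = "WinSta0\$desktopName"
$pi = New-Object 'PrivateDesktop+PROCESS_INFORMATION'

# Quote the path because CreateProcessW parses lpCommandLine itself.
$ok = [PrivateDesktop]::CreateProcess($null, "`"$program`"", [IntPtr]::Zero, [IntPtr]::Zero,
                                      $false, 0, [IntPtr]::Zero, $null, [ref]$si, [ref]$pi)
if (-not $ok) {
    [PrivateDesktop]::CloseDesktop($hDesktop) | Out-Null
    throw "CreateProcess failed, Win32 error $([Runtime.InteropServices.Marshal]::GetLastWin32Error())"
}

# Show the private desktop while the program runs, then return to the
# user's desktop. The program never shared a desktop with the user's hooks.
[PrivateDesktop]::SwitchDesktop($hDesktop) | Out-Null
[PrivateDesktop]::WaitForSingleObject($pi.hProcess, [uint32]::MaxValue) | Out-Null
[PrivateDesktop]::SwitchDesktop($hOriginal) | Out-Null

[PrivateDesktop]::CloseHandle($pi.hThread)  | Out-Null
[PrivateDesktop]::CloseHandle($pi.hProcess) | Out-Null
[PrivateDesktop]::CloseDesktop($hDesktop)   | Out-Null
```

Two points follow from Joe's post rather than from the code. First, the desktop alone only separates the program from hooks installed on the user's desktop; anything already running with the rights to open the new desktop can still reach it, which is why the DACL on the desktop and the restricted account matter. Second, running the program under a separate account fits the same pattern: CreateProcessWithLogonW accepts the same STARTUPINFO, so lpDesktop can name the private desktop while the process token belongs to the restricted user.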
  Message 12 of 19  
10 May 12 18:06
Joseph M. Newcomer
xxxxxx@flounder.com
Join Date: 20 Nov 2008
Posts To This List: 1893
RE:How to disable a global hook on the specific process

The Trusted Computer Base required that the keyboard use high-order encryption to send every keystroke, after doing a key exchange with the trusted core. All keystrokes would be encrypted. The application sounds like a perfect match for the TCB, but I haven't looked at it in over eight years and have no idea what its status is. Key here is that you are looking at one of several hundred attack vectors, and think somehow if you fix this one problem, you have achieved security. You will be so far from being secure that you might as well put the passwords in neon lights near a major highway.

joe

> Perhaps you will tell me to use the keyboard driver, or attached to
> interrupt, but in my opinion, these are not the best solution
>
> B.R.
> Allen
>
> ---
> NTDEV is sponsored by OSR
>
<...excess quoted lines suppressed...>
  Message 13 of 19  
11 May 12 02:02
ntdev member 32323
xxxxxx@hotmail.com
Join Date:
Posts To This List: 843
Re: How to disable a global hook on the specific process

On 5/10/2012 6:51 PM, xxxxx@sina.com wrote:

> In fact, I was doing a financial security products, the product is to prevent password leakage, so I don't want any strange modules be loaded in my process, of course, also contains a global hook.

Better use an open-source operating system and properly harden it. Giving users lots of freedom in the first place and then trying to make it more secure by glossing over Windows internals is like trying to plug a sieve one hole at a time. Maybe you can use some DRM functionality to achieve what you want. Or give users _no_ admin rights so they cannot install any hook in the first place. "Adding security later" never works; if it is not designed into the OS from the beginning, you fight a lost battle.
  Message 14 of 19  
11 May 12 02:05
ntdev member 32323
xxxxxx@hotmail.com
Join Date:
Posts To This List: 843
Re: How to disable a global hook on the specific process

On 5/11/2012 12:05 AM, xxxxx@flounder.com wrote:

> You will be so far from being secure that you might as well put the
> passwords in neon lights near a major highway.

...which is actually more secure than having them written on a piece of paper stuck under the keyboard. ;-)
  Message 15 of 19  
11 May 12 09:40
Alex Grig
xxxxxx@broadcom.com
Join Date: 14 Apr 2008
Posts To This List: 1840
RE: How to disable a global hook on the specific process

> Giving users lots of freedom in the first place and then trying to make it more secure by glossing over Windows internals to make it more secure is like trying to plug a sieve one hole at a time.

If you claim that an "open source OS" is inherently more secure than Windows, you don't really know either of them.
  Message 16 of 19  
13 May 12 23:29
Joseph M. Newcomer
xxxxxx@flounder.com
Join Date: 20 Nov 2008
Posts To This List: 1893
RE:How to disable a global hook on the specific process

I interpreted that remark to mean "There are more things in Heaven and Earth than are dreamt of in your philosophy". That is, if you have gaping security holes, and you blithely ignore most of them while focusing on one little hole, you miss the Big Picture.

I have used the image below to show this. You have an important secret. So you build a wall, put machine-gun turrets every 50 feet, dig a moat, cover the space between the moat and the wall with anti-personnel barbed wire, equip your guards with infrared vision devices, and have radar, heat sensors, etc. protecting the approaches. That's great, for defending against anyone who is approaching from that direction. But if your secret is kept in a cardboard box, in a tent behind the wall, and the wall is only a single wall, then there are three unprotected sides by which someone can approach, and a Swiss Army Knife is sufficient to capture the secret. Think of the Maginot Line. Google it if you are unfamiliar with the term.

Also, look up "Potemkin village". I found in my security consulting that this is the other approach. Show management lots of code, and explain how effective each piece is. But they are superficial solutions to deep problems. ACLs were designed to cover a lot of security scenarios, but I was told, "They're too complicated, and nobody here understands them, but we DO understand how THIS code solves ONE problem, so it's good enough". There were a few times where it took me more than ten minutes to figure out how to bypass their kludge, and one case where I took two weeks' worth of thinking before I emailed the workaround, but in all cases, ACLs and suitably limited login accounts would have been a cheaper and more effective solution. ActiveVirus (aka ActiveX by those unwilling to admit how bad it is for security) remains the most effective vector, and can usually have its potential for damage considerably reduced by proper use of ACLs.

So before you start asking how to disable a global hook, you should first explain why proper use of the existing security mechanisms cannot do the job.

joe

>> Giving users lots of freedom in the first place and then trying to make
>> it more secure by glossing over Windows internals to make it more secure
>> is like trying to plug a sieve one hole at a time."
>
> If you claim that "open source OS" is inherently more secure than Windows,
> you don't really know neither of them.
>
> ---
> NTDEV is sponsored by OSR
>
<...excess quoted lines suppressed...>
  Message 17 of 19  
13 May 12 23:56
Alex Grig
xxxxxx@broadcom.com
Join Date: 14 Apr 2008
Posts To This List: 1840
RE: How to disable a global hook on the specific process

> ActiveVirus (aka ActiveX by those unwilling to admit how bad it is for security) remains the most effective vector,

I don't think there has been a recent AX-based hole. Wide use of ActiveX fell from favor long ago. The idea of deploying un-vetted executable code to the target machines was very naive from the security viewpoint, mainly because it was installed behind your back. Still, browser plugins/extensions, whatever they call them, are used by all leading browsers, including those run on Linux. They are sandboxed now in Windows somehow, in a separate low-integrity process. As long as there are browsers that render/execute remote data, there is potential for a security exploit. Consider code/data dualism. What we call "code" is just a stream of bytes. What we call "data" can be seen as code for some "machine". For example, an HTML page is code for the renderer. If the renderer is written without care, specially crafted HTML may pierce the sandbox.
  Message 18 of 19  
14 May 12 08:28
Maxim S. Shatskih
xxxxxx@storagecraft.com
Join Date: 20 Feb 2003
Posts To This List: 8630
Re: RE:How to disable a global hook on the specific process

> problems. ACLs were designed to cover a lot of security scenarios, but I
> was told, "They're too complicated, and nobody here understands them,

In other words: "we and our personnel are morons, please provide the solution for us intellectually degraded". And then the _smart_ (but fraudulent) guys are "cutting the wool off these sheep" by selling them _fake_ solutions which are understandable for morons _but do not actually work_. This is like all those unlicensed biologically active food additives, urinotherapy and such.

> ActiveVirus (aka ActiveX by those unwilling to admit how bad it is for
> security) remains the most effective vector

With proper IE security settings it is not. You will need to sign an OCX for it to be downloaded and executed.

--
Maxim S. Shatskih
Windows DDK MVP
xxxxx@storagecraft.com
http://www.storagecraft.com
  Message 19 of 19  
14 May 12 09:46
Joseph M. Newcomer
xxxxxx@flounder.com
Join Date: 20 Nov 2008
Posts To This List: 1893
Re:RE:How to disable a global hook on the specific process

>> problems. ACLs were designed to cover a lot of security scenarios, but
>> I
>> was told, "They're too complicated, and nobody here understands them,
>
> In other words: "we and our personnel are morons, please provide the
> solution for us intellectually degraded".

****** Yep *******

> And then the _smart_ (but fraudulent) guys are "cutting the wool off these
> sheep" by selling them _fake_ solutions which are understandable for
> morons _but do not actually work_.

******** Yep. The worst part of it was the fact that the "perpetrators of the fraud" are in-house programmers, the same ones who are confused by ACLs, and who thought that they were actually doing something REASONABLE by providing such code. There is nothing more dangerous than a purveyor of fake nostrums who actually believes they are real! ********

> This is like all those unlicensed biologically active food additives,
> urinotherapy and such.
>
>> ActiveVirus (aka ActiveX by those unwilling to admit how bad it is for
>> security) remains the most effective vector
>
> With proper IE security settings it is not. You will need to sign an OCX
> for it to be downloaded and executed.

***** And if you set it that way, everyone complains that their favorite Web site no longer works! So most companies have chosen blanket denial, filtering out the requests at their firewall. What you definitely must NOT do is give the users the option of executing an unsigned control. I consider the use of ActiveVirus the work of sociopathic Web designers.

joe *******

> --
> Maxim S. Shatskih
> Windows DDK MVP
> xxxxx@storagecraft.com
> http://www.storagecraft.com
>
>
> ---
> NTDEV is sponsored by OSR
>
<...excess quoted lines suppressed...>
Copyright ©2012, OSR Open Systems Resources, Inc.