Driver: Prevent Kill Process and Kill File/Folder using Driver

Does anyone have any source code (Windows XP / Windows 7 version) of a driver for PREVENT KILL PROCESS and PREVENT KILL FILE / FOLDER?

I know that a lot of anti-virus products have this resource.

I'm developing tools for data security, and I need this rich resource.

Thanks guys

Actually, a lot of Malware has this. I know of only a few anti-virus
that try this from the kernel, and most of them should be called
malware.

Don Burn
Windows Filesystem and Driver Consulting
Website: http://www.windrvr.com
Blog: http://msmvps.com/blogs/WinDrvr


Hi Don Burn,

I am based at Bit Defender anti-virus; it's perfect because it doesn't hook to protect the process,
and doesn't hook to protect the file or folder. I think it's using a driver …

I'm developing a tool based on the VIPRE Anti-Virus API, and this tool needs to be protected.

My project is not malware or a trojan …

Thanks for anything.

For later systems look at ObRegisterCallbacks to protect your process.
On the files you need a file system filter that denies access to the
files you care about.

Don Burn
Windows Filesystem and Driver Consulting
Website: http://www.windrvr.com
Blog: http://msmvps.com/blogs/WinDrvr


Why would using appropriate ACLs not be enough?


There is absolutely nothing you can do to protect yourself from an
infected kernel. NOTHING. You must resign yourself to that fact. If
the kernel is infected, the game is over, the user has lost.

Beyond that, what I have here is MY computer. It is not up to you to
prevent me from killing your process. That’s MY choice, not yours.


Tim Roberts, xxxxx@probo.com
Providenza & Boekelheide, Inc.

Thanks -Don Burn-, I will try with ObRegisterCallbacks; if you remember more information, I am grateful if you send it to me.

-Alex Grig-, I tried with ACLs and did not have very good results, but I think I'll use ACLs for file/folder protection.

-Tim Roberts-, you are right about your concerns! But my target is not so deep … I need only protection against killing the process using Task Manager (or Process Explorer), and protection of the file/folder against deletion in Windows Explorer.

My project is this http://www.avware.com.br

Thanks everyone.

If you have processes that should not be killed by a user, start them under the LocalService account, and put an appropriate ACL on the service.

Remember, you cannot protect your system against a user with Administrative privileges. Abandon the very thought of that.
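One way to apply the advice above (run the worker as LocalService, lock down the service's DACL, and ACL the data folder), as an added example that is not from the thread; the service name and paths are placeholders, and the commands must be run from an elevated prompt:

```powershell
# Added example: service-account plus ACL protection, no kernel driver involved.
# Service name, binary path and folder are hypothetical placeholders.
$ServiceName = 'DataGuard'                                 # hypothetical
$BinaryPath  = 'C:\Program Files\DataGuard\guard.exe'      # placeholder
$DataFolder  = 'C:\ProgramData\DataGuard'                  # placeholder

# 1. Run the worker as NT AUTHORITY\LocalService rather than as the logged-on
#    user. A standard user's token then fails the ordinary access check when
#    Task Manager tries to open the process with PROCESS_TERMINATE.
sc.exe create $ServiceName binPath= $BinaryPath `
    obj= 'NT AUTHORITY\LocalService' start= auto | Out-Null

# 2. Restrict who may stop (WP) or delete (SD) the service object.
#    Service rights letters: CC QueryConfig, DC ChangeConfig, LC QueryStatus,
#    SW EnumerateDependents, RP Start, WP Stop, DT PauseContinue,
#    LO Interrogate, CR UserDefinedControl, SD Delete, RC ReadControl,
#    WD WriteDac, WO WriteOwner.
$Aces = @(
    '(A;;CCLCSWRPWPDTLOCRRC;;;SY)'            # SYSTEM: start/stop/pause
    '(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)'    # Administrators: full control
    '(A;;CCLCSWLOCRRC;;;IU)'                  # Interactive users: query only
    '(A;;CCLCSWLOCRRC;;;SU)'                  # Service accounts: query only
)
$Sddl = 'D:' + ($Aces -join '') +
        'S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)'   # audit failed access
sc.exe sdset $ServiceName $Sddl | Out-Null

# 3. Protect the data folder the same way: only SYSTEM and Administrators get
#    Full control; Users may read and execute but not write or delete.
icacls.exe $DataFolder /inheritance:r /grant:r `
    'SYSTEM:(OI)(CI)F' 'Administrators:(OI)(CI)F' 'Users:(OI)(CI)RX' | Out-Null

# 4. Verify: show the effective service DACL and the account the process runs as.
sc.exe sdshow $ServiceName
(Get-WmiObject Win32_Process -Filter "Name = 'guard.exe'").GetOwner().User
```

A standard user who tries Stop-Service, Task Manager's End task, or Delete in Explorer now gets Access denied; an administrator, as the thread points out, can still take ownership, rewrite either DACL, or stop the service.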

BS. From a driver, you can control what other drivers are loaded (see also
Win8 ELAM) and you should then be able to protect arbitrary resources from
even admin users. Yes, this is creating a sort of after-the-fact security
barrier between kernel and user-mode admin, but it's the security barrier
that the hardware is set up to enforce, so no reason it can't be done. The
general design of Windows makes this difficult to do, of course, in some of
the finer details, especially if you care about user experience and
application compatibility, but there is no reason you need to abandon the
very thought. All that said, the original OP should know better than to ask
such a question here, especially given his corporate affiliation.

t.



An administrator can take ownership of any securable object. An administrator can disable drivers, including your security driver. An administrator can load other drivers that can compromise kernel and disable your security driver.

You can only protect against an account that absolutely is not allowed to cross the security boundary. An administrator is not such an account.

I would like to point out that for ELAM you need to be signed with a different certificate and through a specific certification program.

d

debt from my phone



And always remember that if there is malware in the kernel,
“Administrator” privileges look wimpy by comparison.
joe


BS². If the goal is to prevent killing a process, any malware running at
kernel level (say, a bogus driver), is free to do anything, any time, any
way it wants, and all the efforts in the world to “protect” the resource
will be rendered inoperative. So using ACLs is just a way to prevent the
ordinary, non-privileged user from screwing the process. An administrator
has the rights to kill a process because that is the role of
administrators: to fix things that are broken. If you “fix” it so the
admin cannot protect the system by removing a process, you only cause
inconvenience. The admin will boot in safe mode, which means that
start-after-boot processes will not start. The admin will then locate the
executable file, and delete it, then reboot the system. The
only-slightly-above-average 12-year-old can figure this out. So all
you’ve done is piss off the administrator, and get your process removed,
and lose all future sales. Plus lose sales to anyone he talks to, or who
reads his blog, etc.

Oh, note, I’ve had to do this. That’s why I know how to do it. It was a
poorly-written piece of malware on a client’s machine. It took me
practically zero time to figure out how to do it. Once I removed it, one
of the minions was sent around to fix each of the couple dozen machines
on the local network. And the product vendor was blacklisted (yes, it
was a product, which felt that to do its work, it had to hook system
calls. It interfered with proper operation of the system. That made it
malware).
joe


OT: You’d think this would be fixed after so many years :slight_smile:

Doron Holan wrote:

debt from my phone


Kind regards, Dejan (MSN support: xxxxx@alfasp.com)
http://www.alfasp.com
File system audit, security and encryption kits.

Strangely, there are customers who ASK for this sort of BS…


Kind regards, Dejan (MSN support: xxxxx@alfasp.com)
http://www.alfasp.com
File system audit, security and encryption kits.

This is true…

Mm

> And always remember that if there is malware in the kernel,
> “Administrator” privileges look wimpy by comparison.
> joe

But an unqualified user with admin privileges is the most convenient channel for planting the malware, including kernel compromise.

> Strangely, there are customers who ASK for this sort of BS…

Actually, there is nothing particularly strange here…

The thing is, if someone asks you for something it does not necessarily imply that he/she/it actually
needs it - there is a good chance that this person just believes that the thing in question is needed,
and believes so simply due to lack of in-depth knowledge in the particular field. In fact, ignorance is just
an amazing driving force when it comes to sales. Just look at computer security products - this entire multi-billion dollar industry is largely based on exploiting the average Joe’s ignorance in the area. One may be quite successful in selling products of quite limited practical usefulness, so to say.

For example, I remember doing a feasibility study of enforcing a user-NIC relationship on a multi-homed machine. The most interesting thing is that the company who had requested this study seemed to realize that, from the technical standpoint, this feature per se does not make any particular sense because it contradicts the very principles of IP.
However, according to them, quite a few of their customers considered such a feature desirable…

Therefore, when it comes to discussions like this one you have to look at the things from both technical and commercial perspectives, and there is a good chance you will come across quite a few contradictions - a commercially-sound argument like “my customer wants it” may make no sense from the technical standpoint, and a technically-sound one like “it can be done but it makes no sense because it contradicts the very principles that the OS is built on” may sound not-so-attractive from the commercial standpoint…

Anton Bassov

This again brings a failure of microsoft to get rid of an administrator account. Sure, MS disabled “Administrator” in Windows 7, at the same time forcing the first or only user to be an administrator - a member of Administrators. This is very inconvenient if you want to follow the proper security practices - NOT work routinely as an administrator.

These days an application can supposedly have its own security principal. I haven’t read on that. Frankly, I’m afraid if I read it will aggravate me and bring more bitterness about Microsoft and Windows. He who increases knowledge increases sorrow.

I hate to explore Server 2012, because its management console has become so horrible, it’s just a clusterfuck. Even such simple things as the event viewer are getting worse and worse from XP to 2008, its UI horribly crowded, while not fixing such obvious problems as slow sorting and unstable sorting (a stable sort doesn’t reorder items with identical keys). If there ever is a Windows 9, I’m afraid the Device Manager will get “enhanced”, too, for someone will think that’s the part that hasn’t been touched for a while.

I’ve been holding on with IE, not switching to Firefox or Chrome. I’m afraid the day will soon come. The frickin IE9 just can’t go back from “no-plugin” to normal mode without having me turn on ActiveX filtering. Bye bye videos and other Flashy shit. Microsoft is not fixing IE8/9 bugs anymore. Do I have to switch to Win8 with IE10? Maybe I’ll just switch to a competing browser. Maybe I’ll like Linux one day. Microsoft is making that day come sooner.

From a driver, you can deny the administrator’s ability to modify the ACL
and you can also deny the administrators effort to load other drivers.
Administrators are not by default on the other side of a security boundary
from the kernel in the windows security model, but they certainly can be
placed there. Administrators are not by default granted unchecked
abilities to load drivers on modern windows releases either (driver signing
etc.). What makes the kernel the kernel is that it is code executing in
ring0. It’s absurd to argue that it can’t be done and in most respects the
modern windows kernel assists and facilitates the creation of such security
boundaries. Kernel and user run at different privilege levels and ring0 is
more privileged than ring3 regardless of what you are in the systems
security model. So yes, security software and malware can be similar in
implementation, they just differ in intent and the level of user opt-in.

t.
