How about hooks and native API?

Do you think “ring0 hook” and “native API” such as ZwXxx functions are good enough to be used in a product?
And safe enough to be used in a commercial product?

If you want to support Vista 64bit and above then it is not a good idea.

Regards
Deepak

On Fri, Mar 13, 2009 at 1:22 PM, wrote:

> Do you think “ring0 hook” and “native API” such as ZwXxx functions are
> good enough to be used in a product?
> And safe enough to be used in a commercial product?
>
>
> —
> NTDEV is sponsored by OSR
>
> For our schedule of WDF, WDM, debugging and other seminars visit:
> http://www.osr.com/seminars
>
> To unsubscribe, visit the List Server section of OSR Online at
> http://www.osronline.com/page.cfm?name=ListServer
>

Thanks!
I find that some famous commercial products call ZwOpenSymbolicLinkObject() just as mine does, so I guess these functions are safe enough.
But I will test my product on Vista 64-bit.

I find that ZwOpenSymbolicLinkObject() is in the DDK documentation, so it is safe, too.

There are reasons to hook, but they are quite limited. As Deepak already
pointed out, this will not work on x64 since Microsoft will block the hook.
Also, if you hook, your driver will automatically be labeled MALWARE by a
number of commercial tools.

As to whether you should hook, you can’t just ask about hooking the native
API; you need to tell us what you are doing. For instance, if you said you
were hooking file system calls, most of us would call your product garbage.
If you said that in older OSes you needed to hook process creation to control
certain things, we would probably try to understand what you are doing, but
recognize that you probably do not have a choice.


Don Burn (MVP, Windows DDK)
Windows Filesystem and Driver Consulting
Website: http://www.windrvr.com
Blog: http://msmvps.com/blogs/WinDrvr

wrote in message news:xxxxx@ntdev…
> Do you think “ring0 hook” and “native API” such as ZwXxx functions are
> good enough to be used in a product?
> And safe enough to be used in a commercial product?
>
>
>
> Information from ESET NOD32 Antivirus, version of virus
> signature database 3934 (20090313)
>
> The message was checked by ESET NOD32 Antivirus.
>
> http://www.eset.com


> Do you think “ring0 hook” and “native API” such as ZwXxx functions are good enough to be used in a

Will not work on x64 Windows.


Maxim S. Shatskih
Windows DDK MVP
xxxxx@storagecraft.com
http://www.storagecraft.com

Don Burn wrote:

Also, if you hook your driver will automatically be labeled MALWARE
by a number of commercial tools.

Every time DB shouts “MALWARE” in all caps … take a drink.

Chris,

Did you even read this post or just stupidly react??? I didn’t say
the guy should not do it, but that he would have problems. Really, get a clue
or shut up.


Don Burn (MVP, Windows DDK)
Windows Filesystem and Driver Consulting
Website: http://www.windrvr.com
Blog: http://msmvps.com/blogs/WinDrvr

wrote in message news:xxxxx@ntdev…
> Don Burn wrote:
>
>> Also, if you hook your driver will automatically be labeled MALWARE
>> by a number of commercial tools.
>
> Every time DB shouts “MALWARE” in all caps … take a drink.

>…if you hook your driver will automatically be labeled MALWARE by a number of commercial tools.

It is really funny when two commercial tools label one another as malware, because both rely upon hooking. It is even funnier (although not from the end user’s perspective, of course) when they start their “competition” - each of them wants to be the first (or last) in a call chain…

Anton Bassov

Thanks.
You mean Vista 64-bit will prohibit programmers from hooking the native API? That is bad news for many software tools. Fortunately, however, my product need not hook the native API.
I mean that some native APIs and even some C runtime APIs are not documented in the DDK/WDK help documents. So can a commercial product call them, e.g. “mbstowbs(…)”?
I have now just tested my core technology on Windows XP and Windows 2003. I am very glad to see that it has solved a big security flaw of many other security software tools, and it was not reported as a “virus” by Kaspersky.
So maybe my product will be safe. That is my hope.

> It is really funny when two commercial tools label one another as a malware

This is a rather rare story. The only example I know of is that Kaspersky was considering Themida copy protection as malware, and thus all EXEs guarded by Themida.


Maxim S. Shatskih
Windows DDK MVP
xxxxx@storagecraft.com
http://www.storagecraft.com

> You mean Vista 64-bit will prohibit programmers from hooking the native API? It is bad news for many software tools.

Yes, Google for PatchGuard.


Maxim S. Shatskih
Windows DDK MVP
xxxxx@storagecraft.com
http://www.storagecraft.com

Actually, it is good news for the most part. If you have ever had to spend
weeks tracking down that a problem was not your driver or user space
software, but some hook by a person who did not do it right (and most of the
samples do not do it right), then you appreciate what Microsoft is trying to
do. Unfortunately, they did not involve the community well enough on
providing kernel APIs for the common reasons to hook, and so they created
problems that are still present.


Don Burn (MVP, Windows DDK)
Windows Filesystem and Driver Consulting
Website: http://www.windrvr.com
Blog: http://msmvps.com/blogs/WinDrvr

wrote in message news:xxxxx@ntdev…
> Thanks.
> You mean Vista 64-bit will prohibit programmers from hooking the native API? That is
> bad news for many software tools. Fortunately, however, my product need not
> hook the native API.
> I mean that some native APIs and even some C runtime APIs are not documented in
> the DDK/WDK help documents. So can a commercial product call them, e.g.
> “mbstowbs(…)”?
> I have now just tested my core technology on Windows XP and Windows 2003.
> I am very glad to see that it has solved a big security flaw of many other
> security software tools, and it was not reported as a “virus” by
> Kaspersky.
> So maybe my product will be safe. That is my hope.

Your question is silly.

Basically you are asking: is it OK to do both

  1. something well known to be a source of endless system stability
     problems and completely unsupported
     AND
  2. something that is well documented and supported.

Everyone is responding to (1).

Using the kernel Zw interfaces as documented is supported. Hooking is crap.

Mark Roddy

On Fri, Mar 13, 2009 at 3:52 AM, wrote:
> Do you think “ring0 hook” and “native API” such as ZwXxx functions are good enough to be used in a product?
> And safe enough to be used in a commercial product?

Sorry Don, with all due respect, if you need weeks rather than minutes to
track down a poorly implemented hook, that says something about your own
qualities. There are tools around which bring such problems to the surface at
once.

//Daniel

“Don Burn” wrote in message news:xxxxx@ntdev…
> If you have ever had to spend weeks tracking down that a problem was not
> your driver or user space software, but some hook by a person who did not
> do it right …

You are assuming a heck of a lot in this. I have had customers,
unfortunately, who will not allow access to their systems, so you spend time
trying to repro it. Then you keep bugging them and they go, gee, we forgot we
had X installed. Then of course X does not mess up every time, but only in
certain conditions which you find hard to reproduce.

Daniel, if you assume that these are always simple, I really have to wonder
about your experience level.


Don Burn (MVP, Windows DDK)
Windows Filesystem and Driver Consulting
Website: http://www.windrvr.com
Blog: http://msmvps.com/blogs/WinDrvr

wrote in message news:xxxxx@ntdev…
> Sorry Don, with all due respect, if you need weeks rather than minutes to
> track down a poorly implemented hook, that says something about your own
> qualities. There are tools around which bring such problems to the surface
> at once.
>
> //Daniel
>
>
> “Don Burn” wrote in message news:xxxxx@ntdev…
>> If you have ever had to spend weeks tracking down that a problem was not
>> your driver or user space software, but some hook by a person who did not
>> do it right …

Daniel,

What you speak about is a VERY poorly implemented hooking scheme that crashes on every other run. Indeed, as long as we speak about a bug like that, it does not take that long to detect it. However, the vast majority of poorly implemented hooking schemes are not implemented THAT poorly, and reveal their bugs only once in a while. This is what makes them so insidious, and this is what Don speaks about - indeed, weeks may pass before a bug reveals itself…

Anton Bassov

> Daniel,
>
> What you speak about is a VERY poorly implemented hooking scheme that
> crashes on every other run. Indeed, as long as we speak about a bug like
> that, it does not take that long to detect it. However, the vast majority
> of poorly implemented hooking schemes are not implemented THAT poorly,
> and reveal their bugs only once in a while. This is what makes them so
> insidious, and this is what Don speaks about - indeed, weeks may pass
> before a bug reveals itself…

My least favourite type of bug. Something that only fails when a whole
bunch of conditions are just right (or wrong, depending on how you look
at it), and one of those conditions is that you - the developer trying
to fix the problem - aren’t actually watching it. The classic heisenbug.

Even worse is when one of those conditions involves another party’s
product and they aren’t interested in helping because ‘their product
works just fine unless used in conjunction with your product’, so you
can’t even know for sure if the problem is in your code or their code or
some bug (/undocumented feature) in Windows itself that only becomes
apparent under the specific set of circumstances.

Insanity is sure to follow!

James

You know a while ago, Dejan (sorry if I misspelled), mentioned that when
an engineer is hired to do just that, there is no option or choices.
Either (s)he will have to be on the unemployment line (provided the govt.
has one) or whatever. But I know, that is not to say hooking is good.
Most of the security software people doing it (and as someone said, it
is years of investment to do that - does not come easy - sweat first,
then make sure the person has a handy bottle of antacids, because
that’s probably going to be the after-meal ice cream or pudding or …).

No one even knows how much of this software is practically useful, or
where it is useful… The subject of hooking is very confusing, and it
would not have been if the whole software thingy started today.

In any case, while religion might be the only cause of the highest
killing, this is one of the highest causes of polluting ntdev.

If it is to release stress, or just trolling, or just get into something
that is endlessly debatable then it is okay, otherwise nothing makes sense
here…

-pro

xxxxx@hotmail.com wrote:

Daniel,

What you speak about is a VERY poorly implemented hooking scheme that crashes on every other run. Indeed, as long as we speak about a bug like that, it does not take that long to detect it. However, the vast majority of poorly implemented hooking schemes are not implemented THAT poorly, and reveal their bugs only once in a while. This is what makes them so insidious, and this is what Don speaks about - indeed, weeks may pass before a bug reveals itself…

Anton Bassov



Pro,

If that were only the case. Too many of the security folks I have met
said it was easy (in fact mentioning starting with the Regmon sources and
looking blank when someone asks “did you pay Sysinternals?”), so why not do it
versus a file system filter? The other claim is that it gives them more
security than other schemes that work.

Yes, there are times that it is needed, but I have seen too many
products that did it because the developers didn’t give a damn, and some of
them are well-known firms.


Don Burn (MVP, Windows DDK)
Windows Filesystem and Driver Consulting
Website: http://www.windrvr.com
Blog: http://msmvps.com/blogs/WinDrvr

“Prokash Sinha” wrote in message news:xxxxx@ntdev…
> You know a while ago, Dejan (sorry if I misspelled), mentioned that when
> an engineer is hired to do just that, there is no option or choices.
> Either (s)he will have to be on the unemployment line (provided the govt. has
> one) or whatever. But I know, that is not to say hooking is good. Most of
> the security software people doing it (and as someone said, it is years of
> investment to do that - does not come easy - sweat first, then make sure
> the person has a handy bottle of antacids, because that’s probably
> going to be the after-meal ice cream or pudding or …).
>
> No one even knows how much of this software is practically useful, or
> where it is useful… The subject of hooking is very confusing, and it
> would not have been if the whole software thingy started today.
>
> In any case, while religion might be the only cause of the highest
> killing, this is one of the highest causes of polluting ntdev.
>
> If it is to release stress, or just trolling, or just get into something
> that is endlessly debatable then it is okay, otherwise nothing makes sense
> here…
>
> -pro
>
> xxxxx@hotmail.com wrote:
>> Daniel,
>>
>> What you speak about is a VERY poorly implemented hooking scheme that
>> crashes on every other run. Indeed, as long as we speak about a bug like
>> that, it does not take that long to detect it. However, the vast majority
>> of poorly implemented hooking schemes are not implemented THAT poorly,
>> and reveal their bugs only once in a while. This is what makes them so
>> insidious, and this is what Don speaks about - indeed, weeks may pass
>> before a bug reveals itself …
>>
>>
>> Anton Bassov