
Alternates to ELAM driver in Windows-7

Berouz_Afzal Posts: 16
I am new to NTDEV.

I am interested in developing a protected service. I have gone through guidelines from the following links.

https://msdn.microsoft.com/en-us/library/windows/desktop/dn313124(v=vs.85).aspx
https://osronline.com/showThread.CFM?link=284667

Now my service is running in protected mode in Windows-8 and 10.
I need to secure my service for Win-7 and Win-8. I know it'll be less secure than in Win-8.1 & 10, but I still want it to be more secure than a normal service. I have gone through the following link as well, but I want to do it in a legal and appropriate way, just like in the case of Win-8.1 & 10.

https://security.stackexchange.com/questions/30985/create-a-unterminable-process-in-windows

Thanks in advance

Comments

  • Tim_Roberts Posts: 12,623
    xxxxx@gmail.com wrote:
    > Now my service is running in protected mode in Windows-8 and 10.
    > I need to secure my service for Win-7 and Win-8. I know it'll be less secure than in win-8.1 & 10 but still I want it to be more secure than a normal service.

    "More secure" in what sense?  What, exactly, are you trying to protect
    against?  About the best you can do is change your service's owning user
    so that an app has to have special permission to access your process.

    --
    Tim Roberts, xxxxx@probo.com
    Providenza & Boekelheide, Inc.

  • Berouz_Afzal Posts: 16
    By more secure, I mean to make it stable enough that no end user or
    unwanted process like a malware could kill my service.


    On Tuesday, May 8, 2018, xxxxx@probo.com wrote:
  • Tim_Roberts Posts: 12,623
    xxxxx@gmail.com wrote:
    >
    > By more secure, I mean to make it stable enough that no end user or
    > unwanted process like a malware could kill my service.

    That, of course, is impossible.  You can make it tedious, but you can't
    prevent it.  As I said, about the best you can do is have your process
    be created by a special system user, then change the security access
    list so normal user accounts only have read access.

    --
    Tim Roberts, xxxxx@probo.com
    Providenza & Boekelheide, Inc.

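Tim's suggestion above amounts to tightening the security descriptor so that ordinary accounts hold only read/query rights on the service. On Windows the service's descriptor can be printed as an SDDL string with `sc.exe sdshow <service>`. The script below is an added example, not code from the thread or from any poster: it parses such a string and reports which principals are granted rights that allow stopping, deleting or reconfiguring the service, so an administrator can audit a descriptor before applying one with `sc.exe sdset`. The two-letter right codes and SID abbreviations are the ones Microsoft documents for service SDDL; both descriptors are constructed samples (the first modelled on the commonly documented Windows service default, the second deliberately weakened).

```python
"""Audit a Windows service security descriptor (SDDL) for principals that
can stop, delete or reconfigure the service.  Added example for this
thread, not code from any poster.  On a Windows machine,
`sc.exe sdshow <service>` prints a string in this format."""
import re

# Service-specific and standard right codes as used in service SDDL:
# two-letter token -> access-mask bit.  Note that "WD" is WRITE_DAC in the
# rights field but the well-known SID "Everyone" in the SID field; the
# fields are positional, so there is no ambiguity.
RIGHT_BITS = {
    "CC": 0x0001, "DC": 0x0002, "LC": 0x0004, "SW": 0x0008, "RP": 0x0010,
    "WP": 0x0020, "DT": 0x0040, "LO": 0x0080, "CR": 0x0100,
    "SD": 0x10000, "RC": 0x20000, "WD": 0x40000, "WO": 0x80000,
    "GA": 0x10000000, "GX": 0x20000000, "GW": 0x40000000, "GR": 0x80000000,
}
RIGHT_NAMES = {
    "CC": "SERVICE_QUERY_CONFIG", "DC": "SERVICE_CHANGE_CONFIG",
    "LC": "SERVICE_QUERY_STATUS", "SW": "SERVICE_ENUMERATE_DEPENDENTS",
    "RP": "SERVICE_START", "WP": "SERVICE_STOP", "DT": "SERVICE_PAUSE_CONTINUE",
    "LO": "SERVICE_INTERROGATE", "CR": "SERVICE_USER_DEFINED_CONTROL",
    "SD": "DELETE", "RC": "READ_CONTROL", "WD": "WRITE_DAC", "WO": "WRITE_OWNER",
    "GA": "GENERIC_ALL", "GX": "GENERIC_EXECUTE", "GW": "GENERIC_WRITE",
    "GR": "GENERIC_READ",
}
# Well-known SID abbreviations that commonly appear in service descriptors.
SID_NAMES = {"SY": "LocalSystem", "BA": "Administrators",
             "IU": "Interactive users", "SU": "Service logon",
             "AU": "Authenticated users", "BU": "Users", "WD": "Everyone"}
# Rights that let a principal kill, remove or tamper with the service.
TAMPER = {"WP", "DC", "SD", "WD", "WO", "GA", "GW"}

ACE_RE = re.compile(r"\(([^)]*)\)")


def _rights_set(rights_field):
    """Turn an ACE rights field into a set of two-letter codes.  Accepts the
    symbolic form ('CCLCSWRPWPDTLOCRRC') and the hexadecimal form ('0x20')
    that SDDL also permits."""
    if rights_field.lower().startswith("0x"):
        mask = int(rights_field, 16)
        return {code for code, bit in RIGHT_BITS.items() if mask & bit}
    return {rights_field[i:i + 2] for i in range(0, len(rights_field), 2)}


def parse_dacl(sddl):
    """Return the DACL ACEs of an SDDL string as (type, rights, sid) tuples.
    The SACL ('S:' section) is ignored; it only describes auditing."""
    if "D:" not in sddl:
        return []
    dacl = sddl.split("D:", 1)[1].split("S:", 1)[0]
    aces = []
    for body in ACE_RE.findall(dacl):
        fields = body.split(";")
        if len(fields) < 6:
            continue  # malformed ACE; skip rather than guess
        aces.append((fields[0], _rights_set(fields[2]), fields[5]))
    return aces


def tamper_capable(sddl):
    """Map each principal that an Allow ACE grants a tamper right to the set
    of such rights.  Deny ACEs are not subtracted; a Deny can only tighten
    the result, so this errs on the side of reporting."""
    result = {}
    for ace_type, rights, sid in parse_dacl(sddl):
        hits = rights & TAMPER
        if ace_type == "A" and hits:
            result.setdefault(sid, set()).update(hits)
    return result


def explain(sddl):
    """Human-readable lines, one per principal that can tamper."""
    lines = []
    for sid, codes in sorted(tamper_capable(sddl).items()):
        names = ", ".join(RIGHT_NAMES[c] for c in sorted(codes))
        lines.append(f"{SID_NAMES.get(sid, sid)} ({sid}): {names}")
    return lines


# Constructed samples.  DEFAULT_SDDL is modelled on the commonly documented
# Windows service default: interactive users (IU) get query/read rights only.
DEFAULT_SDDL = ("D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)"
                "(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)"
                "(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)"
                "S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)")
# WEAK_SDDL additionally hands interactive users SERVICE_STOP and
# SERVICE_CHANGE_CONFIG, which is what an audit should flag.
WEAK_SDDL = ("D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)"
             "(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)"
             "(A;;CCDCLCSWRPWPDTLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)")

if __name__ == "__main__":
    for label, descriptor in (("default", DEFAULT_SDDL), ("weak", WEAK_SDDL)):
        print(label)
        for line in explain(descriptor):
            print("  " + line)
```

On the default-style descriptor the audit lists only LocalSystem (stop) and Administrators (stop, reconfigure, delete, change DACL/owner), which is the read-only-for-normal-users state Tim describes; on the weakened one it also lists interactive users with SERVICE_STOP and SERVICE_CHANGE_CONFIG. Feed it the output of `sc.exe sdshow` for a real service to see where that service stands.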

  • Berouz_Afzal Posts: 16
    That is possible in case of Win-8 and Win-10. I am interested in knowing
    what anti-malware vendors used to do in Win-7 to protect their
    anti-malware service.

    On Wed, May 9, 2018 at 2:16 AM, xxxxx@probo.com wrote:
  • Don_Burn Posts: 1,623
    Before ELAM, people used the CmRegisterCallback calls to make it harder to attack the service. Also, there were paired services, where there was a monitoring service that restarted the primary service if it went down. The primary would do the same for the monitoring service.

    Other than that you are getting into things like hooking system calls, which unfortunately a lot of big name anti-malware companies tried, in some cases with disastrous results such as breaking security completely.


    Don Burn
    Windows Driver Consulting
    Website: http://www.windrvr.com
    -----Original Message-----
    From: xxxxx@lists.osr.com [mailto:xxxxx@lists.osr.com] On Behalf Of xxxxx@gmail.com
    Sent: Saturday, May 12, 2018 9:06 AM
    To: Windows System Software Devs Interest List <xxxxx@lists.osr.com>
    Subject: Re: [ntdev] Alternates to ELAM driver in Windows-7
  • anton_bassov Posts: 4,800
    > I mean to make it stable enough that no end user or unwanted process
    > like a malware could kill my service.

    Sounds like a classical book definition of malware, don't you think.....

    Check the archives for more info on the topic - we had discussed it so many times in this NG that it simply does not seem to make any sense to repeat and rehash the same arguments again and again and again....


    > I am interested in knowing what did anti-malware vendors used to do in win-7
    > to protect their anti-malware service?

    If you want to see a good comedy, try installing two competing anti-malware products on the same machine. They are quite likely to identify one another as malware, and try to kill one another while protecting themselves against termination. Could be good fun to watch....


    Back in the old days they would rely upon the callbacks whenever it was possible, and go hooking otherwise. ELAM seems to be offering some new "exciting" possibilities.


    https://docs.microsoft.com/en-us/windows-hardware/drivers/install/elam-driver-requirements


    I am particularly impressed with the following excerpt

    <quote>

    The Early Launch drivers can use registry callbacks to monitor and validate the configuration data used as input for each boot-start driver.

    </quote>


    It sounds fine and dandy, but consider what happens if two competing drivers try to "monitor and validate the configuration data used as input" for one another. Which of them do you think is going to win?


    Now go and read Mr. Roberts's post again, and you will (hopefully) realise that he is absolutely correct here - there is absolutely nothing that you can do against a module that has been loaded in the kernel and started running. The only thing that you can theoretically do is to try preventing its load and/or initialisation, but there is no guarantee that it is not going to be your driver who gets prevented from loading by its rival who happens to be more lucky in this particular case..



    Anton Bassov
  • Berouz_Afzal Posts: 16
    I really appreciate all your kind responses. For now I have developed a
    ring-service type of workaround in which two services monitor each other and
    re-launch the other if stopped/disabled.

    On Sun, May 13, 2018 at 12:41 PM, xxxxx@hotmail.com <
    xxxxx@lists.osr.com> wrote:
  • R0b0t1 Posts: 130
    If you want to implement something productive you could copy some of
    the features from grsecurity (now closed source) into Windows. A
    company called Cylance already does this. Their product is
    horrifyingly annoying.

    The gist of it is certain patterns of function calls or memory
    accesses will cause the program to be killed. Cygwin's implementation
    of the Unix fork(2) is especially problematic, as it copies code to
    executable memory.

    On Fri, Jun 1, 2018 at 7:14 PM, xxxxx@gmail.com <xxxxx@lists.osr.com> wrote: