Alternates to ELAM driver in Windows-7

I am new to NTDEV.

I am interested in developing a protected service. I have gone through guidelines from the following links.

https://msdn.microsoft.com/en-us/library/windows/desktop/dn313124(v=vs.85).aspx
https://osronline.com/showThread.CFM?link=284667

Now my service is running in protected mode in Windows-8 and 10.
I need to secure my service for Win-7 and Win-8. I know it’ll be less secure than in Win-8.1 & 10, but I still want it to be more secure than a normal service. I have gone through the following link as well, but I want to do it in a legal and appropriate way, just as in the case of Win-8.1 & 10.

https://security.stackexchange.com/questions/30985/create-a-unterminable-process-in-windows

Thanks in advance

xxxxx@gmail.com wrote:

Now my service is running in protected mode in Windows-8 and 10.
I need to secure my service for Win-7 and Win-8. I know it’ll be less secure than in win-8.1 & 10 but still I want it to be more secure than a normal service.

“More secure” in what sense?  What, exactly, are you trying to protect
against?  About the best you can do is change your service’s owning user
so that an app has to have special permission to access your process.


Tim Roberts, xxxxx@probo.com
Providenza & Boekelheide, Inc.

By more secure, I mean to make it stable enough that no end user or
unwanted process like malware could kill my service.


xxxxx@gmail.com wrote:

By more secure, I mean to make it stable enough that no end user or
unwanted process like malware could kill my service.

That, of course, is impossible.  You can make it tedious, but you can’t
prevent it.  As I said, about the best you can do is have your process
be created by a special system user, then change the security access
list so normal user accounts only have read access.


Tim Roberts, xxxxx@probo.com
Providenza & Boekelheide, Inc.
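Tim's two suggestions above (run the service under its own account, then leave other accounts read-only), as an added example that is not code from anyone in this thread: a PowerShell install script that puts the service under a per-service virtual account, configures SCM recovery, and replaces the service object's DACL so that only SYSTEM can stop, reconfigure, delete or re-ACL it, plus a check that parses an SDDL string and reports which non-SYSTEM well-known principals still hold one of those rights. The service name, binary path and SDDL string are my own placeholders; the sc.exe verbs and the SDDL rights letters are the documented ones.

```powershell
# Added example for this thread, not code from any poster. ExampleGuardSvc and its path are
# placeholders. Inside PowerShell `sc` is an alias for Set-Content, so sc.exe is called explicitly.
$ServiceName = 'ExampleGuardSvc'
$BinaryPath  = 'C:\Program Files\Example\ExampleGuardSvc.exe'

# Service-object SDDL. Service-specific rights: CC=QueryConfig DC=ChangeConfig LC=QueryStatus
# SW=EnumDependents RP=Start WP=Stop DT=PauseContinue LO=Interrogate CR=UserDefinedControl.
# Standard rights: SD=Delete RC=ReadControl WD=WriteDAC WO=WriteOwner.
#   SY : full control (the SCM and anything running as SYSTEM)
#   BA : read only, so an administrator cannot stop/reconfigure/delete the service through the
#        SCM without first taking ownership or running as SYSTEM ("tedious, not impossible")
#   SU : read only for service logon sessions, so the service can still query its own status
#   No ACE for IU/AU/WD: ordinary users cannot even query it.
$HardenedSddl = 'D:(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)(A;;CCLCSWLOCRRC;;;BA)(A;;CCLCSWLOCRRC;;;SU)' +
                'S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)'

function Install-HardenedService {
    param([string]$Name, [string]$BinPath, [string]$Sddl)
    # sc.exe needs the space after every "key=".
    & sc.exe create $Name binPath= $BinPath start= auto | Out-Null
    # Run as the per-service virtual account NT SERVICE\<Name>. The process is then owned by that
    # account, not by SYSTEM or a user, so other accounts get no handle to it by default; an
    # administrator can still open it by enabling SeDebugPrivilege, which is what Task Manager does.
    & sc.exe config $Name obj= "NT SERVICE\$Name" | Out-Null
    & sc.exe sidtype $Name unrestricted | Out-Null
    # SCM recovery: restart when the process dies without reporting SERVICE_STOPPED, which is what
    # TerminateProcess / taskkill /f produce. A clean stop through the SCM is not a failure, which
    # is why the DACL withholds WP (stop) from everyone but SYSTEM.
    & sc.exe failure $Name reset= 86400 actions= restart/5000/restart/5000/restart/5000 | Out-Null
    & sc.exe sdset $Name $Sddl | Out-Null
}

function Test-ServiceSddl {
    # Returns one line per allow-ACE that gives a non-SYSTEM well-known principal a right that lets
    # it stop, reconfigure, delete or re-ACL the service. Empty output means only SYSTEM can.
    param([string]$Sddl)
    $sd = New-Object System.Security.AccessControl.RawSecurityDescriptor($Sddl)
    # SERVICE_CHANGE_CONFIG | SERVICE_STOP | DELETE | WRITE_DAC | WRITE_OWNER, plus GENERIC_ALL and
    # GENERIC_WRITE in case the SDDL used GA/GW instead of spelling the rights out.
    $Dangerous = 0x0002 -bor 0x0020 -bor 0x10000 -bor 0x40000 -bor 0x80000 -bor 0x10000000 -bor 0x40000000
    $Untrusted = 'World', 'AuthenticatedUser', 'Interactive', 'BuiltinUsers', 'BuiltinAdministrators'
    $findings  = @()
    foreach ($ace in $sd.DiscretionaryAcl) {
        if ($ace -isnot [System.Security.AccessControl.CommonAce]) { continue }
        if ($ace.AceQualifier -ne [System.Security.AccessControl.AceQualifier]::AccessAllowed) { continue }
        $bad = $ace.AccessMask -band $Dangerous
        if ($bad -eq 0) { continue }
        foreach ($who in $Untrusted) {
            $type = [Enum]::Parse([System.Security.Principal.WellKnownSidType], "${who}Sid")
            if ($ace.SecurityIdentifier.IsWellKnown($type)) {
                $findings += ('{0} ({1}) holds 0x{2:X} on the service' -f $who, $ace.SecurityIdentifier.Value, $bad)
            }
        }
    }
    return ,$findings
}

# Usage, from an elevated prompt:
# Install-HardenedService -Name $ServiceName -BinPath $BinaryPath -Sddl $HardenedSddl
# Test-ServiceSddl $HardenedSddl                                                      # nothing reported
# Test-ServiceSddl (& sc.exe sdshow $ServiceName | Where-Object { $_ -match '^D:' })  # re-read from the SCM
# Test-ServiceSddl (& sc.exe sdshow Spooler | Where-Object { $_ -match '^D:' })       # stock ACL: BA is reported
```

Virtual service accounts, `sc sidtype`, `sc failure` and `sc sdset` are all present on Windows 7, so this applies to the versions the poster asked about. Two consequences to plan for: the product's own updater and uninstaller now have to run as SYSTEM (for example from an MSI custom action or a SYSTEM scheduled task), because Administrators no longer hold SERVICE_STOP or DELETE; and an administrator still gets the service down by taking ownership of the service object or by running `sc.exe stop` from a SYSTEM context, which is exactly the "tedious, but not prevented" outcome Tim describes.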

That is possible in the case of Win-8 and Win-10. I am interested in knowing
what anti-malware vendors used to do in Win-7 to protect their
anti-malware service.


Before ELAM, people used the CmRegisterCallback calls to make it harder to attack the service. Also, there were paired services, where there was a monitoring service that restarted the primary service if it went down. The primary would do the same for the monitoring service.

Other than that you are getting into things like hooking system calls, which unfortunately a lot of big name anti-malware companies tried, in some cases with disastrous results such as breaking security completely.

Don Burn
Windows Driver Consulting
Website: http://www.windrvr.com


> I mean to make it stable enough that no end user or unwanted process
> like malware could kill my service.

Sounds like a classical book definition of malware, don’t you think…

Check the archives for more info on the topic - we had discussed it so many times in this NG that it simply does not seem to make any sense to repeat and rehash the same arguments again and again and again…

> I am interested in knowing what anti-malware vendors used to do in Win-7
> to protect their anti-malware service?

If you want to see a good comedy, try installing two competing anti-malware products on the same machine. They are quite likely to identify one another as malware, and try to
kill one another while protecting themselves against termination. Could be good fun to watch…

Back in the old days they would rely upon the callbacks whenever it was possible, and go hooking otherwise. ELAM seems to be offering some new “exciting” possibilities.

https://docs.microsoft.com/en-us/windows-hardware/drivers/install/elam-driver-requirements

I am particularly impressed with the following excerpt

It sounds fine and dandy, but consider what happens if two competing drivers try to
“monitor and validate the configuration data used as input” for one another. Which of them do you think is going to win?

Now go and read Mr. Roberts’s post again, and you will (hopefully) realise that he is absolutely correct here - there is absolutely nothing that you can do against a module that has been loaded in the kernel and started running. The only thing that you can theoretically do is to try preventing its load and/or initialisation, but there is no guarantee that it is not going to be your driver who gets prevented from loading by its rival who happens to be more lucky in this particular case…

Anton Bassov

I really appreciate all your kind responses. For now I have developed a
ring-service type of workaround in which two services monitor each other and
re-launch the other if it is stopped/disabled.

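Don Burn's two pre-ELAM techniques (registry protection and paired services) and the two-service ring the original poster settled on, as an added example that is not code from either of them: a user-mode stand-in written in PowerShell. A CmRegisterCallback driver can veto writes to the service's registry key from the kernel; without a driver, the closest approximation is to re-ACL that key so only SYSTEM can write it, and to have each service of a pair re-enable and restart the other. The service names and the five-second poll are my own placeholders; the WMI Win32_Service methods and the .NET registry ACL classes are the documented ones, chosen so the script also runs on Windows 7's PowerShell 2.0.

```powershell
# Added example for this thread, not code from any poster. ExampleGuardSvcA/B are placeholders.
# User-mode stand-ins for what Don Burn describes: each service re-enables and restarts its
# partner, and the service registry key (the data a CmRegisterCallback driver would guard) is
# re-ACLed so that only SYSTEM can write it. Get-WmiObject keeps it usable on Windows 7 / PowerShell 2.0.

function Protect-ServiceKey {
    # Leave SYSTEM as the only principal with write access to
    # HKLM\SYSTEM\CurrentControlSet\Services\<Name>. "Disabling" a service is a write of Start=4
    # to this key, so afterwards that takes SYSTEM, or an administrator taking ownership first.
    # Run once at install time from an elevated context. RegistryKey.SetAccessControl writes only
    # the DACL we changed, so it does not trip over the key's existing owner the way Set-Acl can.
    param([string]$Name)
    $key   = [Microsoft.Win32.Registry]::LocalMachine.OpenSubKey("SYSTEM\CurrentControlSet\Services\$Name", $true)
    $acl   = $key.GetAccessControl()
    $acl.SetAccessRuleProtection($true, $false)          # stop inheriting and drop inherited ACEs
    $inh   = [System.Security.AccessControl.InheritanceFlags]::ContainerInherit
    $prop  = [System.Security.AccessControl.PropagationFlags]::None
    $allow = [System.Security.AccessControl.AccessControlType]::Allow
    $full  = [System.Security.AccessControl.RegistryRights]::FullControl
    $read  = [System.Security.AccessControl.RegistryRights]::ReadKey
    $system = New-Object System.Security.Principal.SecurityIdentifier([System.Security.Principal.WellKnownSidType]::LocalSystemSid, $null)
    $admins = New-Object System.Security.Principal.SecurityIdentifier([System.Security.Principal.WellKnownSidType]::BuiltinAdministratorsSid, $null)
    # The service runs as NT SERVICE\<Name> and still has to read its own Parameters subkey.
    $self   = New-Object System.Security.Principal.NTAccount("NT SERVICE\$Name")
    $acl.AddAccessRule((New-Object System.Security.AccessControl.RegistryAccessRule($system, $full, $inh, $prop, $allow)))
    $acl.AddAccessRule((New-Object System.Security.AccessControl.RegistryAccessRule($admins, $read, $inh, $prop, $allow)))
    $acl.AddAccessRule((New-Object System.Security.AccessControl.RegistryAccessRule($self,   $read, $inh, $prop, $allow)))
    $key.SetAccessControl($acl)
    $key.Close()
}

function Invoke-PartnerWatchdog {
    # One pass of the watchdog that each service runs against the other. Returns what it did so
    # the caller can log it. Needs SERVICE_CHANGE_CONFIG and SERVICE_START on the partner.
    param([string]$Partner)
    $svc = Get-WmiObject -Class Win32_Service -Filter "Name='$Partner'"
    if ($null -eq $svc) { return 'partner-deleted' }     # after "sc delete" nothing here can recover it
    $action = 'ok'
    if ($svc.StartMode -eq 'Disabled') {
        $null = $svc.ChangeStartMode('Automatic')        # undo a Start=4 (disabled) write; 0 on success
        $action = 're-enabled'
    }
    if ($svc.State -ne 'Running') {
        $null = $svc.StartService()                      # 0 on success
        $action = "$action+restarted"
    }
    return $action
}

# Install time (elevated):
#   Protect-ServiceKey -Name 'ExampleGuardSvcA'; Protect-ServiceKey -Name 'ExampleGuardSvcB'
# Inside service A's main loop:
#   while ($true) { Invoke-PartnerWatchdog -Partner 'ExampleGuardSvcB'; Start-Sleep -Seconds 5 }
# Service B runs the same loop with -Partner 'ExampleGuardSvcA'.
```

Grant the rights the watchdog needs (SERVICE_START and SERVICE_CHANGE_CONFIG on the partner's service object, and a write ACE on the partner's key) to the partner's service SID, NT SERVICE\<name>, not to Administrators, or the key ACL above buys nothing. And note what the pair actually changes: a single kill now has to become two kills inside one poll interval, and a single Start=4 write has to be preceded by taking ownership of the key. Anything that already runs as SYSTEM, or as an administrator willing to take ownership, unwinds both halves, which is the same limit Tim and Anton point out.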

If you want to implement something productive you could copy some of
the features from grsecurity (now closed source) into Windows. A
company called Cylance already does this. Their product is
horrifyingly annoying.

The gist of it is certain patterns of function calls or memory
accesses will cause the program to be killed. Cygwin’s implementation
of the Unix fork(2) is especially problematic, as it copies code to
executable memory.
