Developing an application whitelisting mechanism

Hi All,

I’m basically trying to develop an application control/whitelisting security mechanism.

The basic idea is to have a list of trusted applications, and if any untrusted applications try to run I’ll block its execution.

Basically this commercial product is pretty much the gist of what I’m trying to achieve:
http://www.bit9.com/products/parity.php

Right now, I have a kernel mode driver which sets notification routines using PsSetLoadImageNotifyRoutine and PsSetCreateProcessNotifyRoutine.

In my LoadImageNotifyRoutine, I’m able to get the full path to the executable file and verify if it belongs on my white list.

Now, my only difficulty is figuring out how to stop the process from being executed.

I’m thinking of creating a worker thread from my LoadImageNotifyRoutine which will then call ZwOpenProcess followed by ZwTerminateProcess. However, I’m afraid that this might be too late, and that the process would already have been created. So the user will see the application open for a split second and then close.

Has anybody done something like this before? Or have any ideas on how to proceed?

Appreciate the advice,
Thanks in advance

- Kelvin

Check the document “Kernel Data and Filtering Support”, which explains how to
get this done with a minifilter. There are several posts about this on
ntfsd.

//Daniel


As already has been posted, this has been discussed on NTFSD. Also please
read the archives on all the problems of spoofing names, which is fairly
easy to do, so your mechanism needs much more than a pathname to verify an
application.


Don Burn (MVP, Windows DDK)
Windows Filesystem and Driver Consulting
Website: http://www.windrvr.com
Blog: http://msmvps.com/blogs/WinDrvr

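Don’s warning about spoofed names is the point in this thread most worth seeing concretely: a list keyed on pathnames accepts whatever bytes happen to sit at a trusted path. The Python below is an added example, not code from this thread or from any product mentioned in it; the file names, allow-list contents and image bytes are constructed placeholders. It evaluates the same image both ways (path match versus SHA-256 content match) and shows the two verdicts diverging once untrusted content is copied over the trusted path.

```python
import hashlib
import os
import shutil
import tempfile


def sha256_of_file(path, chunk_size=1 << 16):
    """Stream the file through SHA-256; real executables can be large."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def normalize(path):
    # Collapse case and relative segments so the comparison is on the
    # resolved path, not on the literal string the caller passed in.
    return os.path.normcase(os.path.abspath(path))


def path_allowed(path, allowed_paths):
    """The check the original poster describes: is the image path on the list?"""
    return normalize(path) in {normalize(p) for p in allowed_paths}


def hash_allowed(path, allowed_hashes):
    """Content-based check: does the image's SHA-256 match an allow-listed digest?"""
    return sha256_of_file(path) in allowed_hashes


def decide(path, allowed_paths, allowed_hashes):
    """Return both verdicts; only the hash verdict drives the allow/block decision."""
    path_ok = path_allowed(path, allowed_paths)
    hash_ok = hash_allowed(path, allowed_hashes)
    return {"path_check": path_ok, "hash_check": hash_ok, "allow": hash_ok}


def spoof_demo():
    """Constructed scenario: a trusted image is replaced in place by untrusted content.

    Returns the verdicts for the trusted image, for the untrusted image at its
    own path, and for the untrusted bytes after they are copied over the
    trusted path, so the divergence between the two checks is visible.
    """
    with tempfile.TemporaryDirectory() as workdir:
        trusted = os.path.join(workdir, "trusted.exe")      # hypothetical allow-listed image
        untrusted = os.path.join(workdir, "untrusted.exe")  # hypothetical image not on the list
        with open(trusted, "wb") as f:
            f.write(b"MZ constructed trusted image bytes\n")
        with open(untrusted, "wb") as f:
            f.write(b"MZ constructed untrusted image bytes\n")

        # Constructed allow-list: the same image recorded by path and by digest.
        allowed_paths = {trusted}
        allowed_hashes = {sha256_of_file(trusted)}

        before = decide(trusted, allowed_paths, allowed_hashes)
        stranger = decide(untrusted, allowed_paths, allowed_hashes)

        # Name spoof: untrusted bytes now live at the allow-listed path (copy/rename).
        shutil.copyfile(untrusted, trusted)
        after = decide(trusted, allowed_paths, allowed_hashes)
        return before, stranger, after


if __name__ == "__main__":
    labels = ("trusted image", "untrusted image at its own path",
              "untrusted bytes at the trusted path")
    for label, verdict in zip(labels, spoof_demo()):
        print(f"{label}: {verdict}")
```

Running the script prints the three verdicts: the path check still says yes after the swap while the hash check says no. In a driver the same kind of content or publisher-signature check would sit behind the notify callback rather than a pathname comparison. Since this 2009 thread, PsSetCreateProcessNotifyRoutineEx has provided a create-notify callback whose PPS_CREATE_NOTIFY_INFO CreationStatus member the driver can set to a failure status to refuse the create, which removes the "open for a split second and then close" race the poster worried about.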

On Wed, Jan 21, 2009 at 7:54 PM, wrote:

> Hi All,
>
> I’m basically trying to develop an application control/whitelisting
> security mechanism.
>
> The basic idea is to have a list of trusted applications, and if any
> untrusted applications try to run I’ll block its execution.
>
> Basically this commercial product is pretty much the gist of what I’m
> trying to achieve:
> http://www.bit9.com/products/parity.php
>
> Right now, I have a kernel mode driver which sets notification routines
> using PsSetLoadImageNotifyRoutine and PsSetCreateProcessNotifyRoutine.
>

> In my LoadImageNotifyRoutine, I’m able to get the full path to the
> executable file and verify if it belongs on my white list.
>
> Now, my only difficulty is figuring out how to stop the process from being
> executed.
>
> I’m thinking of creating a worker thread from my LoadImageNotifyRoutine
> which will then call ZwOpenProcess followed by ZwTerminateProcess.
> However, I’m afraid that this might be too late, and that the process would
> already have been created. So the user will see the application open for a
> split second and then close.

You will need to do some hooking there (mind you, hooking in the kernel is always
risky and usually exercised by viruses and anti-viruses).
Either hook NtCreateSection (see Anton’s example on CodeProject).

http://www.codeproject.com/KB/system/soviet_protector.aspx

Other methods which will be confined to user mode are hooking NtCreateProcess in
NTDLL.

People have done a hell of a lot of work on code injection, so I think other gurus
might also suggest something stealthier.

If you want to do it the legal way, then I don’t think Windows supports a timely
notification of CreateProcess.
There is one more thing: you can hook CreateProcess, create processes with the
DEBUG flag on and wait in your application for CONTINUE_DEBUG_EVENT. This
event will be sent before executing the first instruction of the remote process.
But again, I am not sure of the feasibility of this method on all versions of
Windows.

>
> Has anybody done something like this before? Or have any ideas on how to
> proceed?
>
> Appreciate the advice,
> Thanks in advance
> - Kelvin
>
>
>
> —
> NTDEV is sponsored by OSR
>
> For our schedule of WDF, WDM, debugging and other seminars visit:
> http://www.osr.com/seminars
>
> To unsubscribe, visit the List Server section of OSR Online at
> http://www.osronline.com/page.cfm?name=ListServer
>

Why don’t you want to use software restriction policies, already available in Windows XP+? What do you hope to achieve that those policies don’t?

Please search the archives. Yes, it’s been done before, and it will typically also be trivially easy to bypass.

- S


Daniel and Don,

Could you post some of the relevant threads for me to read through?

I don’t really know what key words to search for.

Thanks a lot!

- Kelvin

Ken,

Could you post some of the relevant threads.

I tried searching, but didn’t find many useful topics. Which is why I posted.

Thanks!

- Kelvin

PsSetProcessImageNotifyRoutine might be worth looking for. As with Don, I also have a recollection of the most recent of these discussions being (probably wrongly) on ntfsd and not ntdev, so be sure to search there, too.

- S


Whoops. Make that PsSetCreateProcessNotifyRoutine. Sorry.

- S


> I’m basically trying to develop an application control/whitelisting security mechanism.

  1. Run desktop users as non-admins.
  2. Assign file ACLs to EXE files.

Job done.


Maxim S. Shatskih
Windows DDK MVP
xxxxx@storagecraft.com
http://www.storagecraft.com

Maxim S. Shatskih wrote:

> I’m basically trying to develop an application control/whitelisting security mechanism.

  1. Run desktop users as non-admins.
  2. Assign file ACLs to EXE files.

Job done.

No, not done. A job is done when the client is happy :slight_smile:
Non-org users (unmanaged / self managed) are very unhappy
with the ACLs and “contact the administrator” message.
This explains proliferation of all those strange startups and er…
weird solutions.

WinCE’s certificate-based app security seems more suitable
for unmanaged users - but isn’t compatible with
legacy Windows, and has its own woes
(complaints that devices are locked down, jailbreaks,
cracks => malware again…)

–pa

Indeed. Very true, though I’d say that’s only half of the reason for
the, well, strange solutions. The other half is that a lot of IT folks and
managers have come to the conclusion that there is something to be
gained by attempting to monitor and limit what those that they otherwise
authorize to do admin things do, I think so that they don’t really have
to be accountable for any of it, so long as they and anyone to whom they
try to sell these policies don’t look in the mirror and realize that
it’s just more of the same, viewed through an additional layer of
complexity, and no matter how you approach it, you’ve got to trust some
people, and if you’re in charge, that’s on you, not some piece of
software, in my opinion.

Also, I think in many cases, these techniques and policies are so
complicated and expensive that when scaled over even a moderate number
of users, they end up being much worse than nothing, because no one has
any idea of what’s really going on. I have a client who is all about
SELinux, for example, and I still can’t understand how they haven’t
observed that when they apply it to the wrong situations, they spend a
huge percentage of their time labeling, etc., as well as trying to
figure out what the hell they did before, only to commonly either have
to circumvent it in a really ugly way in order to get something done, or
just have to eat the lost time.

mm
