Driver File checksum

Dear all,

Is there a simple but legal way for a driver to know (read) the checksum of its own *.sys driver file?
I was thinking about an export that the linker fills, and that the driver could read.

Christiaan

I give up, why would you want to do this?

=====================
Mark Roddy

The checksum is in the driver’s PE header.

Maxim Shatskih, Windows DDK MVP
StorageCraft Corporation
xxxxx@storagecraft.com
http://www.storagecraft.com

Why? I am trying to “invent” a way that the driver can detect if it has been patched
by a cracker. I don’t know exactly myself how I will do this, but at least I could change
the checksum by patching some data myself into a predefined area of the driver
(say, marked with a known pattern) by means of a little program. The program patches
the area in such a way that the resulting checksum accords with another unique value that
the driver knows about …

Depends on when you checksum yourself IIRC. The checksum takes into
account the import table, so once it is fixed up by the loader to point
to the real functions, the checksum changes. And what happens when the
cracker patches your binary after you check for it? That is a viable
workaround for this.

d

Well that is what I suspected. So how about deferring this activity to
Microsoft, where they are busy implementing and deploying system wide
solutions for all critical software, not just your driver? Besides I suspect
that if you alter the image of your driver it will get caught in traps set
by the other agents out there looking for altered images of critical system
software.

=====================
Mark Roddy

> Well that is what I suspected. So how about deferring this activity to
> Microsoft, where they are busy implementing and deploying system wide
> solutions for all critical software, not just your driver? Besides I suspect

I would suggest Microsoft to create a tool which will combine the
kernel+HAL+boot drivers in a single image file compressed by LZ or such. This
will a) speed up boot a lot b) 100% prohibit all attempts to hack the essential
system modules.

Maxim Shatskih, Windows DDK MVP
StorageCraft Corporation
xxxxx@storagecraft.com
http://www.storagecraft.com

----- Original Message -----
From: “Doron Holan”
To: “Windows System Software Devs Interest List”
Sent: Tuesday, July 27, 2004 4:44 PM
Subject: RE: [ntdev] Driver File checksum

> Depends on when you checksum yourself IIRC. The checksum takes into
> account the import table, so once it is fixed up by the loader to point
> to the real functions, the checksum changes.

Do you mean the driver binary value at offset 0x128? Then indeed, I can forget
my intention.

> And what happens when the
> cracker patches your binary after you check for it? That is a viable
> workaround for this.

The first goal is to prevent a patched driver file from working!

When the cracker patches, he has to adapt the checksum too; otherwise, the driver
doesn’t load. And this new checksum would not be the value that I expect …
Then … how to prevent this check from being patched too … is still to be “invented” :)

Uh, doesn’t this assume you are booting with only drivers from the Microsoft
image? Otherwise I can always roll my own.


Don Burn (MVP, Windows DDK)
Windows 2k/XP/2k3 Filesystem and Driver Consulting

> Well that is what I suspected. So how about deferring this activity to
> Microsoft, where they are busy implementing and deploying system wide
> solutions for all critical software, not just your driver? Besides I suspect
> that if you alter the image of your driver it will get caught in traps set
> by the other agents out there looking for altered images of critical system
> software.
>
> =====================
> Mark Roddy

Driver signing may trap this, or the hacker should *sign* his patched version +
all satellite files once again. Is this correct ?

The hacker will patch your check with NOPs.

Did the dog ever catch his tail?

Norbert.

"A little inaccuracy sometimes saves tons of explanations."

Maybe I should cry out loud: Dot Net, Dot Net, Dot Net, …
If anyone patches code at runtime we are out of luck. A legitimate way of doing it is what a debugger does to insert "Hey folks I want to break you…" Assuming that is very difficult for laymen, what could we do if an image is corrupted before loading … firewalls and other security software try to do it, but only for the known ones, and those that get loaded after the security software is operative. What could we do if something gets loaded before the security software is loaded and operative, PLACE THEM IN A FOLDER THAT PRACTICALLY NO ONE CAN TOUCH EASILY, goes on and on …

Also compression and cryptography do not necessarily provide foolproof anti-hacking and anti-cracking; surely they make it harder, but there are others cracking cryptography, and others hiding viruses (especially the evolutionary ones) under yet different com & crypto technologies.

DOT NET GOES A VERY LONG WAY in this area. And if I recall, it might even have a caller and callee contract (auth based 2 way CHAPS).

Now, just to track image sanity, Wsj had articles about checksumming PE; that is comparable, we used it with fairly good success.

The hardest part is if something gets changed at runtime. If anyone can solve it deterministically it would be a complete breakthrough of the century. It is in fact reducible to the Halting problem.

A dll, an exe are equally dangerous, so just having sanity of the driver(s) and MS provided modules is not good enough. On the other hand, millions of apps and devices are being built by third parties, so the problem should be solved (whatever is solvable) with a tight integration of the build process, that is DOT DOT DOT NET.

-pro

> Driver signing may trap this, or the hacker should *sign* his patched version +
> all satellite files once again. Is this correct ?

If you are trying to ensure that the binary you ship is the binary that
gets installed, yes. Driver signing will catch this. As well as any
changes to the associated INF file.

Peter
OSR

Since you have to have the certificate used to sign the driver.


Gary G. Little
Seagate Technologies, LLC

The problem, however, is that a *hacker* may spread an unsigned version, and its
users DO KNOW that it is a patched version and don’t give a damn whether
the driver is signed or not …

> Uh, doesn’t this assume you are booting with only drivers from the Microsoft
> image? Otherwise I can always roll my own.

No, my idea is to provide the image generating tool with the OS, so that the
user will be able to generate the Boot Image and then boot from it. In this
mode, there will be no chances of making any updates to any kernel-mode
drivers. The whole kernel world will be “sealed”.

Maxim Shatskih, Windows DDK MVP
StorageCraft Corporation
xxxxx@storagecraft.com
http://www.storagecraft.com

> When the cracker patches, he has to adapt the checksum too, otherwise, the driver
> doesn’t load.

Execute EDITBIN /RELEASE or LINK /EDIT /RELEASE - and this will be done.

Maxim Shatskih, Windows DDK MVP
StorageCraft Corporation
xxxxx@storagecraft.com
http://www.storagecraft.com
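
An added example, not code from any poster in this thread: it locates the PE header `CheckSum` field mentioned above, recomputes the value from the file bytes, and compares the two. The function names are this example's own, the sample buffer is constructed (header-only, with `e_lfanew` = 0xD0 so the field lands at the offset 0x128 mentioned earlier), and the algorithm is the commonly documented 16-bit folding sum plus file length, assumed here to match what the linker writes.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define SAMPLE_LEN 0x200u

/* Little-endian readers; callers bounds-check before using them. */
static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t rd32(const uint8_t *p) { return rd16(p) | ((uint32_t)rd16(p + 2) << 16); }

/* File offset of IMAGE_OPTIONAL_HEADER.CheckSum, or 0 if img is not a plausible PE.
 * e_lfanew (at 0x3C) -> "PE\0\0" (4) + IMAGE_FILE_HEADER (20) + 64 bytes into the
 * optional header; the field is at +64 in both PE32 and PE32+. */
size_t pe_checksum_offset(const uint8_t *img, size_t len)
{
    if (len < 0x40 || img[0] != 'M' || img[1] != 'Z') return 0;
    uint32_t lfanew = rd32(img + 0x3C);
    if (lfanew % 4 || lfanew > len || len - lfanew < 4 + 20 + 64 + 4) return 0;
    if (memcmp(img + lfanew, "PE\0\0", 4) != 0) return 0;
    if (rd16(img + lfanew + 4 + 16) < 68) return 0;    /* SizeOfOptionalHeader */
    return (size_t)lfanew + 4 + 20 + 64;
}

/* Value currently stored in the header (0 if the buffer is not a PE). */
uint32_t pe_checksum_stored(const uint8_t *img, size_t len)
{
    size_t off = pe_checksum_offset(img, len);
    return off ? rd32(img + off) : 0;
}

/* 16-bit sum with end-around carry over the whole file, with the CheckSum
 * field itself counted as zero, plus the file length. */
uint32_t pe_checksum_compute(const uint8_t *img, size_t len)
{
    size_t off = pe_checksum_offset(img, len);
    uint32_t sum = 0;
    if (off == 0) return 0;
    for (size_t i = 0; i < len; i += 2) {
        if (i == off || i == off + 2) continue;        /* skip the field's two words */
        uint32_t w = img[i];
        if (i + 1 < len) w |= (uint32_t)img[i + 1] << 8;   /* odd tail: pad with 0 */
        sum += w;
        sum = (sum & 0xFFFF) + (sum >> 16);            /* fold the carry back in */
    }
    return sum + (uint32_t)len;
}

/* Constructed, header-only sample image (not a loadable driver). */
void build_sample(uint8_t img[SAMPLE_LEN])
{
    memset(img, 0, SAMPLE_LEN);
    img[0] = 'M'; img[1] = 'Z';
    img[0x3C] = 0xD0;                                  /* e_lfanew */
    memcpy(img + 0xD0, "PE\0\0", 4);
    img[0xD0 + 4 + 16] = 0xE0;                         /* SizeOfOptionalHeader */
    img[0xD0 + 24] = 0x0B; img[0xD0 + 25] = 0x01;      /* PE32 magic 0x10B */
    for (size_t i = 0x1D0; i < SAMPLE_LEN; i++) img[i] = (uint8_t)(i * 7); /* filler */
    uint32_t c = pe_checksum_compute(img, SAMPLE_LEN);
    size_t off = pe_checksum_offset(img, SAMPLE_LEN);
    for (int b = 0; b < 4; b++) img[off + b] = (uint8_t)(c >> (8 * b));
}

int main(void)
{
    uint8_t img[SAMPLE_LEN];
    build_sample(img);
    printf("CheckSum field at file offset 0x%zX\n", pe_checksum_offset(img, SAMPLE_LEN));
    printf("intact:   stored=0x%08X computed=0x%08X\n",
           (unsigned)pe_checksum_stored(img, SAMPLE_LEN),
           (unsigned)pe_checksum_compute(img, SAMPLE_LEN));
    img[0x1F0] ^= 0x01;                                /* simulate a one-bit change */
    printf("modified: stored=0x%08X computed=0x%08X\n",
           (unsigned)pe_checksum_stored(img, SAMPLE_LEN),
           (unsigned)pe_checksum_compute(img, SAMPLE_LEN));
    return 0;
}
```

The computed value depends only on the file's bytes and no secret, so a mismatch flags accidental corruption, but the field can be regenerated by any tool that rewrites the file, which is why the thread moves on to driver signing.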

A real solution is to have more debug registers, so that one can have enough
breakpoints without having to hook. Lots more, like 32 or 64 registers.
Also, have some “user” MSRs and have a few debug bits and fields in the MSR,
so that we can set up memory breakpoints, again, without hooking. Intel,
AMD, are you listening ?

Alberto.

Alberto,

Yes they should give plenty of registers! Also I’m waiting to see at least the DOT NET SECURITY part on to the kernel env…

-pro

> ----------
> From: xxxxx@lists.osr.com[SMTP:xxxxx@lists.osr.com] on behalf of Maxim S. Shatskih[SMTP:xxxxx@storagecraft.com]
> Reply To: Windows System Software Devs Interest List
> Sent: Tuesday, July 27, 2004 7:32 PM
> To: Windows System Software Devs Interest List
> Subject: Re: Re:[ntdev] Driver File checksum
>
> No, my idea is to provide the image generating tool with the OS, so that the
> user will be able to generate the Boot Image and then boot from it. In this
> mode, there will be no chances of making any updates to any kernel-mode
> drivers. The whole kernel world will be “sealed”.

Um, where have I seen something like this? Ah, the UNIX kernel, which has to be relinked after any driver installation. Really user/administrator friendly. Also the Novell kernel; in fact, several modules packed (with compression) into one image. Do you believe it stopped hackers from modifying it? It was a matter of unpack/change/pack. Not easy, but possible. Security by obscurity.

Best regards,

Michal Vodicka
UPEK, Inc.
[xxxxx@upek.com, http://www.upek.com]