Driver: Prevent Kill Process and Kill File/Folder using Driver

From sci-fi movies we know that human emotions are
a great power that can overcome any computer :wink:
When annoyed enough, administrators (humans) become very dangerous.
They may reboot the machine to a recovery OS and wipe out the offending
piece of software.
Or even do this online, using something like Intel’s AMT.
– pa

On 13-Sep-2012 07:49, Tracy Camp wrote:

From a driver, you can deny the administrator’s ability to modify the
ACL and you can also deny the administrators’ effort to load other
drivers. Administrators are not by default on the other side of a
security boundary from the kernel in the Windows security model, but
they certainly can be placed there. Administrators are not by default
granted unchecked abilities to load drivers on modern Windows releases
either (driver signing etc.). What makes the kernel the kernel is that
it is code executing in ring0. It’s absurd to argue that it can’t be
done and in most respects the modern Windows kernel assists and
facilitates the creation of such security boundaries. Kernel and user
run at different privilege levels and ring0 is more privileged than
ring3 regardless of what you are in the system’s security model. So yes,
security software and malware can be similar in implementation, they
just differ in intent and the level of user opt-in.

t.

On Wed, Sep 12, 2012 at 5:08 PM, xxxxx wrote:
>
> “BS. From a driver, you can control what other drivers are loaded
> (see also
> win8 ELAM) and you should then be able to protect arbitrary
> resources from
> even admin users. Yes this is creating a sort of after the fact
> security
> barrier between kernel and user-mode admin, but its the security barrier
> that the hardware is setup to enforce, so no reason it can’t be done.”
>
> An administrator can take ownership of any securable object. An
> administrator can disable drivers, including your security driver.
> An administrator can load other drivers that can compromise kernel
> and disable your security driver.
>
> You can only protect against an account that absolutely is not
> allowed to cross the security boundary. An administrator is not such
> an account.
>
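
The quoted reply above states that an administrator can take ownership of any securable object and rewrite its ACL. The following is an added example, not code from the thread, that shows why a DACL by itself is no security boundary against an administrator: an explicit Deny ACE really does block reads, and takeown plus icacls undo it. It assumes an elevated PowerShell prompt on Windows; the file path is a constructed placeholder under %TEMP%.

```powershell
# Added example (not from the thread). Demonstrates that a DACL alone cannot
# protect a file from an administrator. Run elevated; the path is constructed.
$path = Join-Path $env:TEMP 'acl-boundary-demo.txt'
Set-Content -Path $path -Value 'secret'

# 1. "Protect" the file: drop inherited ACEs, then deny Administrators everything.
icacls $path /inheritance:r /deny 'BUILTIN\Administrators:(F)' | Out-Null

# 2. The DACL does its job: even the elevated admin is refused. An explicit
#    Deny ACE is evaluated before any Allow, and the owner's implicit rights
#    cover only READ_CONTROL and WRITE_DAC, never read access to the data.
$blocked = $false
try { Get-Content -Path $path -ErrorAction Stop | Out-Null }
catch { $blocked = $true }
Write-Host "Read denied while the Deny ACE is present: $blocked"

# 3. What any administrator can do: take ownership (SeTakeOwnershipPrivilege
#    lets an admin become owner of any object, whoever owned it before), then,
#    as owner, rewrite the DACL. Ownership, not the DACL, is the real gate.
takeown /f $path | Out-Null
icacls $path /remove:d 'BUILTIN\Administrators' /grant 'BUILTIN\Administrators:(F)' | Out-Null

$recovered = (Get-Content -Path $path) -eq 'secret'
Write-Host "Readable again after takeown + icacls: $recovered"
Remove-Item -Path $path
```

In this demo the elevated caller already owns the file, so the takeown step is only there to show the general procedure; it is the step that matters when the object is owned by SYSTEM or another principal. The takeaway for a protection design is that anything reachable through ACLs is reachable by an administrator, which is why the thread's argument moves to kernel-mode enforcement.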

Device Manager has been “enhanced”. Viewing hidden devices does not show any
of the non-pnp devices anymore.

Bill Wandel

-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of xxxxx@broadcom.com
Sent: Thursday, September 13, 2012 12:44 AM
To: Windows System Software Devs Interest List
Subject: RE: [ntdev] Driver: Prevent Kill Process and Kill File/Folder using Driver

This again brings a failure of Microsoft to get rid of an administrator
account. Sure, MS disabled “Administrator” in Windows 7, at the same time
forcing the first or only user to be an administrator - a member of
Administrators. This is very inconvenient if you want to follow the proper
security practices - NOT work routinely as an administrator.

These days an application can supposedly have its own security principal. I
haven’t read on that. Frankly, I’m afraid if I read it will aggravate me and
bring more bitterness about Microsoft and Windows. He who increases
knowledge increases sorrow.

I hate to explore Server 2012, because its management console has become so
horrible, it’s just a clusterfuck. Even such simple things as the event
viewer are getting worse and worse from XP to 2008, its UI horribly crowded,
while not fixing such obvious problems as slow sorting and unstable sorting
(stable sort doesn’t reorder items with identical key). If there ever will
be Windows 9, I’m afraid the Device Manager will get “enhanced”, too, for
someone will think that’s the part that hasn’t been touched for a while.

I’ve been holding with IE, not switching to Firefox or Chrome. I’m afraid
the day will soon come. The frickin IE9 just can’t go back from “no-plugin”
to normal mode without having me turn on ActiveX filtering. Bye bye
videos and other Flashy shit. Microsoft is not fixing IE8/9 bugs anymore. Do
I have to switch to Win8 with IE10? Maybe I’ll just switch to a competing
browser. Maybe I’ll like Linux one day. Microsoft is making that day come
sooner.


NTDEV is sponsored by OSR

For our schedule of WDF, WDM, debugging and other seminars visit:
http://www.osr.com/seminars

To unsubscribe, visit the List Server section of OSR Online at
http://www.osronline.com/page.cfm?name=ListServer

If your point is that “once in kernel mode, assuming you have a willingness to do what you want regardless of its architectural congruence with Windows or its stability, you can do anything you want”… I think that is a point with which it is impossible to disagree. Ring 0 trumps Ring 3 every day, all day.

Modify that statement slightly to demand that which is done in kernel mode is reasonable and supported within the Windows architecture, and I think we have a debate.

The only other point I’d like to make is that just because the OP says:

Doesn’t make it so. He posts from a Hotmail account, but otherwise has no problem identifying his corporate affiliation? No saying he is or is not legit. Just saying…

Peter
OSR

Legit or not, he should know better than to ask such questions here. The
normal pattern of response seems to go something like ‘you can’t do
that/what are you really trying to do/security sucks/you can’t do that’.
A better response might be cold silence or ‘if you have to ask, you
personally shouldn’t be doing that’.

t.



NTDEV is sponsored by OSR

For our schedule of WDF, WDM, debugging and other seminars visit:
http://www.osr.com/seminars

To unsubscribe, visit the List Server section of OSR Online at
http://www.osronline.com/page.cfm?name=ListServer

That is not a change in device manager, that is a change in how the kernel side of pnp represented a legacy driver. That representation was removed so device manager no longer sees them.

d

debt from my phone


> That is not a change in device manager, that is a change in how the kernel side
> of pnp represented a legacy driver. That representation was removed so device
> manager no longer sees them

It used to be that if a boot-loaded driver didn’t get any PNP devnode for it at the time of the DriverEntry call, a root-enumerated devnode was created. This could mess up WHQL/WHCK tests if you don’t choose the startup order carefully. A similar root-enum devnode was/is created for non-PNP kernel modules.

I disagree. I think.

While I agree we could do without the digressions and off-hand absolutist statements, I think it’s important to provide an innocently unknowing but well intentioned engineer some guidance.

I think it’s appropriate to be careful about the types of replies provided. While we all (I think) want to help legitimate driver developers, we do not want to be a forum that aids in the development of malware or advocates architecturally unsound solutions in production products.

It is not always clear to devs who are not experienced in the Windows kernel what is and what is not architecturally appropriate – or possible – under Windows. Many things that can be done in operating system Z or in embedded system Y or using computer architecture X are simply not technically compatible with Windows stability… or view of the world.

Peter
OSR

Absolutely. Which is why any sane organization reserves “administrator”
privilege for administrators doing administrative tasks, and why these
administrative users performing administrative tasks will be annoyed by
features that are intended to interfere with their work. Personally, I
run my own machine with an alias that does not have admin privileges
(“flounder”) and, while I occasionally get asked by some software to run
as admin, or some things just don’t work, it is worth the price for peace
of mind.

Therefore, I assume that having admin privileges is an exceptional case.
joe

> And always remember that if there is malware in the kernel,
> “Administrator” privileges look wimpy by comparison.
> joe

But an unqualified user with admin privileges is the most convenient
channel for planting the malware, including kernel compromise.



Let’s see if we can recast this into other problem domains.

I want my house to be more secure, so I rig up a 12-gauge sawed-off
shotgun to fire at anyone who comes in the front door. It will stop a
burglar using that path. It is also highly illegal, and if it shoots the
wrong person, I could get life-without-parole.

This is a lousy implementation of an abstraction “Make my house safer and
thwart any burglar”.

I can install an alarm system, which sounds a siren if anyone goes into
the house. This is legal. However, depending on the locality, the siren
must stop after a certain duration (in Pittsburgh, it is five minutes).
So the burglar waits five minutes in hiding (while all the neighbors are
watching the house, and someone is calling 911), dashes in, steals
something portable and expensive, and gets out before the police arrive.
So it was a partial solution to the problem.

What about putting steel bars across all the windows? This works until
there is a fire, and people have to escape using the windows. Oh, wait a
minute. They’re barred. Oops.

The problem with customers demanding implementations is that they see
nothing beyond the implementation. The design is deeply flawed for a
large number of reasons (the shotgun, the alarm, the steel bars) but they
don’t see that; they just say “Do it!” and we are supposed to do it. I
never have. I study the problem, explain the issues, the risks, and
ultimately try to derive what problem they are trying to solve. Does the
solution of the problem create more problems? Is it technically feasible?
Yes, I could hire three armed guards to watch my house, and they would
work eight-hour shifts, but that means nine people per day I have to pay.
An excellent solution, but not feasible within my budget. Each solution
has its own problems. What we are seeing here is a solution that makes it
impossible for an administrator to remove a program which might actually
be interfering with proper use of the machine (the software that is being
protected is perfect, of course, and will never, ever do anything that
interferes with proper usage of the computer. Like the software that
would not allow .exe files to be written to the machine, and I was trying
to teach a programming course in that lab…the linker kept failing with
“access denied”). And if the process cannot be killed, how, exactly, is
it ever going to be updated to a new release?

Many years ago, I had a package that came with a 3.5" floppy and a null
modem cable. I could boot a box from the floppy, and from another machine
run their app, which would mount the first computer’s NTFS system over the
serial port, and let me manipulate it. I needed to do this because there
was a defective program which could not be stopped and which could not be
killed, but in fact caused a bluescreen after about two minutes. Yes, it
was an old NT4 system, Back In The Day, but it shows what happens when you
have such code. Booting in “safe” mode wouldn’t defeat it, either,
because it had been carefully designed to always run.

So I’m not sure why the OP wants to do something like this, other than
someone who had no understanding of the OS, or its proper configuration,
said “Make It So”.
joe

BTW, guys, I would suggest checking the link below:

http://www.bbc.com/news/technology-19585433

I really love it

Anton Bassov

I understand that among many business people, it is common practice on visiting China to bring a newly installed laptop, never connect via VPN to the home network, and flatten the machine before attaching it to a network on returning home.

Makes sense to me…

Peter
OSR

Actually, this discussion starts reminding me of the one where Mr. Kyler made his “famous” statements,
but I would like to remind you that quite a large share of PCs/laptops that are sold in the West (at least in Western Europe) happens to be produced in China. Certainly they all come with Windows pre-installed. Therefore, it would be a HUGE mistake to believe that the problem is confined only to certain geographic locations - it may manifest itself anywhere as long as you are using Windows…

In any case, the guys you have mentioned above seem to have a wrong understanding of the
term “defenestration” - they throw computers out of a window where throwing Windows out of a computer suffices…

Anton Bassov

“they throw computers out of a window where throwing Windows out of a computer suffices…”

… as if there are no rootkits for Linux…

> … as if there are no rootkits for Linux…

Certainly quite a few malware titles (in fact, hundreds of them) for Linux have been developed - who would even argue about it. However, none of them seems to be in the wild, because it either gets rendered obsolete by frequent Linux updates, or is never a threat anyway due to the impossibility of installing itself. In order to install anything on Linux you need root privileges, and routinely running the system with root-level privileges is quite an uncommon thing under Linux. To make things even worse for rootkit developers, insmod is not going to load a module that is not linked against the current kernel version (unless it does not use any kernel exports, of course) - you are going to get a “symbol mismatch” error if you attempt something like that.

In general, Unix-like systems are regarded as very well-protected, compared to Windows, although certainly not immune to all threats…

Anton Bassov

It is worth remembering why these exploits are called “root”-kits, and not
“administrator”-kits.
joe


> It is worth remembering why these exploits are called “root”-kits, and not “administrator”-kits.

I think the best response to that would be a quotation from a Symantec document

As you can see, attacking the system involved replacing the system tools. However, as long as the intruder had no root privileges it had no chance to write to the folder containing system tools (i.e. /bin or /sbin) on any properly-configured system, so that attack could not take place until some vulnerability in system configuration was found…

Anton Bassov

…also please tell me how Linux is better than Windows in thwarting physical access to your laptop left in a Chinese hotel room…

Oh, that’s easy. Nobody wants a laptop with Linux, so they won’t steal it.

Anybody who knows what it is knows that it only partially works at the best of times, so they won’t bother with infecting it. It’s running some desktop Linux, it’s already self-infected.

Peter
OSR

As if it isn’t possible to embed malicious things into hardware/firmware.
But this is another story…
– pa

wrote in message news:xxxxx@ntdev…
> BTW, guys, I would suggest checking the link below:
>
> http://www.bbc.com/news/technology-19585433
>
> I really love it
>
> Anton Bassov

wrote in message news:xxxxx@ntdev…
> It is worth remembering why these exploits are called “root”-kits, and not
> “administrator”-kits.
> joe

Few of my younger coworkers believe that rootkits are named after Ms.
Rutkowska.

– pa