How to disable a global hook on the specific process

How do I disable a global hook for a specific process while the others remain valid?
The general method in anti-virus software is to hook KeUserModeCallback. It can serve the purpose of preventing the module from entering, but you will be harassed constantly, and performance will suffer if the harassment is frequent enough. Is there a better way to achieve the same purpose while also preserving performance?

B.R.
Allen

To disable a global hook, you either run the process on higher integrity level, or under a different account.

I am curious why everyone seems to gravitate to the
let’s-just-hook-the-kernel-call approach.

It has been a long time since Vista was released. Go read about integrity
levels.
joe



NTDEV is sponsored by OSR

For our schedule of WDF, WDM, debugging and other seminars visit:
http://www.osr.com/seminars

To unsubscribe, visit the List Server section of OSR Online at
http://www.osronline.com/page.cfm?name=ListServer

Alex Grig & joe
Thank you for your answer.

Yes, you can run the process at a higher integrity level, and it will be protected from the lower integrity level, but:
1. It is useless for Windows XP.
2. It is useless for a process at a higher integrity level.

To joe,
It doesn’t meet the requirements of the application, so anti-virus software uses a driver.

I’m afraid this is another misguided attempt to implement security while not using proper security practices, such as not giving the users administrative privileges.

Leave any hope.

I find that many times when this question is asked, it is by someone who
doesn’t understand what security actually exists, and how to use it, and
wants to implement some single-solution approach to one problem they have
identified, and ignore all the other problems they haven’t thought of yet.

For example, disabling global hooks (threadid == 0) does not solve the
problem of someone determining exactly which thread they want to hook, and
hook only that thread. Integrity level already manages this. When I
taught my security course years ago, it was always fun to hear the ideas
the students would suggest, and then show how I could trivially work
around them.
joe



NTDEV is sponsored by OSR

For our schedule of WDF, WDM, debugging and other seminars visit:
http://www.osr.com/seminars

To unsubscribe, visit the List Server section of OSR Online at
http://www.osronline.com/page.cfm?name=ListServer

Are you seriously meditating a new anti-virus product for XP? If so, then
KM hooks are probably a necessity, but what you build won’t work well in
anything newer.

Worrying about an attack from a process running as a fully trusted admin via
a message hook is a lot like worrying about running out of fuel on RMS
Titanic after the iceberg strike: sure it is possible to hook your
antivirus UI, but then there are so many other reasons why the ship is going
down, one finds it hard to care.


Alex , joe & Joseph,

Thank you for your answer.
In fact, I am developing a financial security product. The product is meant to prevent password leakage, so I don’t want any strange modules loaded into my process, which of course includes a global hook.
You know, once they get in, the consequences could be catastrophic. The essential difference between my product and anti-virus software is that, to some extent, mine has to get along in harmony with viruses.

Allen
B.R.

Perhaps you will tell me to use a keyboard driver, or to attach to the interrupt, but in my opinion these are not the best solution.

B.R.
Allen

>In fact, I was doing a financial security products, the product is to prevent password leakage

In the properly configured financial enterprise network:

  1. The boxes should be properly configured to deny administrative privileges to the users.
  2. They should only be able to access internal network. Ideally they should not be able to communicate between themselves, only to the server. To access external sites, the users should use an isolated virtual machine, which is restored to a fixed snapshot periodically. The VM should use a separate VLAN (enforced by the VM host).
  3. The keyboard cords should be physically fixed to the boxes. All unused USB/firewire connections should be sealed. No external devices are allowed. email should be filtered to only allow selected domains.

Your software will NOT solve this problem.

You’re approaching this from the wrong direction. You see hooks as a
threat, and that’s true, but it is one of many attack vectors, and you seem
to be ignoring most of the others. Note that if you have a general
solution, the hook problem falls out of the general solution.

For example, if the software runs in a different desktop, you can’t hook
across desktops. So you should look into how to create a separate desktop
session to run your app, and log it in under an account which is not the
user’s normal account, and ACLs have to be established that keep this user
from doing things that could compromise security. For example, an account
under this ID cannot create files anywhere except in a restricted set of
directories (assuming it needs to create files at all), cannot access
files except those it is permitted to access, cannot run any program OTHER
than the financial program (no IE, no Office, etc.). Do this and you
won’t even have to think about hooks, because they will no longer be an
issue.
joe




The Trusted Computer Base required that the keyboard use high-order
encryption to send every keystroke, after doing a key-exchange with the
trusted core. All keystrokes would be encrypted. The application sounds
like a perfect match for the TCB, but I haven’t looked at it in over eight
years and have no idea what its status is.

Key here is that you are looking at one of several hundred attack vectors,
and think somehow if you fix this one problem, you have achieved security.
You will be so far from being secure that you might as well put the
passwords in neon lights near a major highway.
joe




On 5/10/2012 6:51 PM, xxxxx@sina.com wrote:

> In fact, I was doing a financial security products, the product is to prevent password leakage, so I don’t want any strange modules be loaded in my process, of course, also contains a global hook.

Better to use an open-source operating system and properly harden it.
Giving users lots of freedom in the first place and then trying to make
it more secure by glossing over Windows internals to make it more secure
is like trying to plug a sieve one hole at a time.

Maybe you can use some DRM functionality to achieve what you want. Or
give users no admin rights so they can not install any hook in the
first place. “Adding security later” never works, if it is not designed
into the OS from the beginning, you fight a lost battle.

On 5/11/2012 12:05 AM, xxxxx@flounder.com wrote:

> You will be so far from being secure that you might as well put the
> passwords in neon lights near a major highway.

…which is actually more secure than having them written on a piece of
paper stuck under the keyboard. :wink:

> Giving users lots of freedom in the first place and then trying to make
> it more secure by glossing over Windows internals to make it more secure
> is like trying to plug a sieve one hole at a time.

If you claim that “open source OS” is inherently more secure than Windows, you don’t really know either of them.

I interpreted that remark to mean “There are more things in Heaven and
Earth than are dreamt of in your philosophy”. That is, if you have gaping
security holes, and you blithely ignore most of them while focusing on one
little hole, you miss the Big Picture.

I have used the image below to show this.

You have an important secret. So you build a wall, put machine-gun turrets
every 50 feet, dig a moat, cover the space between the moat and the wall
with anti-personnel barbed wire, equip your guards with infrared vision
devices, and have radar, heat sensors, etc. protecting the approaches.

That’s great, for defending against anyone who is approaching from that
direction.

But if your secret is kept in a cardboard box, in a tent behind the wall,
and the wall is only a single wall, then there are three unprotected sides
by which someone can approach, and a Swiss Army Knife is sufficient to
capture the secret.

Think of the Maginot Line. Google it if you are unfamiliar with the term.

Also, look up “Potemkin village”. I found in my security consulting that
this is the other approach. Show management lots of code, and explain how
effective each piece is. But they are superficial solutions to deep
problems. ACLs were designed to cover a lot of security scenarios, but I
was told, “They’re too complicated, and nobody here understands them, but
we DO understand how THIS code solves ONE problem, so it’s good enough”.
There were a few times where it took me more than ten minutes to figure
out how to bypass their kludge, and one case where I took two weeks’ worth
of thinking before I emailed the workaround, but in all cases, ACLs and
suitably limited login accounts would have been a cheaper and more
effective solution.

ActiveVirus (aka ActiveX by those unwilling to admit how bad it is for
security) remains the most effective vector, and can usually have its
potential for damage considerably reduced by proper use of ACLs.

So before you start asking how to disable a global hook, you should first
explain why proper use of the existing security mechanisms cannot do the
job.
joe




> ActiveVirus (aka ActiveX by those unwilling to admit how bad it is for security) remains the most effective vector,

I don’t think there has been a recent AX-based hole. Wide use of ActiveX fell from favor long ago.

The idea of deploying un-vetted executable code to the target machines was very naive from the security viewpoint, mainly because it was installed behind your back.

Still, browser plugins/extensions, whatever they call them, are used by all leading browsers, including those run on Linux. They are sandboxed now in Windows somehow, in a separate low-integrity process.

As long as there are browsers that render/execute remote data, there is potential for a security exploit. Consider code/data dualism. What we call “code” is just a stream of bytes. What we call “data” can be seen as code for some “machine”. For example, an HTML page is code for the renderer. If the renderer is written without care, specially crafted HTML may pierce the sandbox.

> problems. ACLs were designed to cover a lot of security scenarios, but I
> was told, "They’re too complicated, and nobody here understands them,

In other words: “we and our personnel are morons, please provide the solution for us intellectually degraded”.

And then the smart (but fraudulent) guys are “cutting the wool off these sheep” by selling them fake solutions which are understandable for morons but do not actually work.

This is like all those unlicensed biologically active food additives, urinotherapy and such.

> ActiveVirus (aka ActiveX by those unwilling to admit how bad it is for
> security) remains the most effective vector

With proper IE security settings it is not. You will need to sign an OCX for it to be downloaded and executed.


Maxim S. Shatskih
Windows DDK MVP
xxxxx@storagecraft.com
http://www.storagecraft.com

>> problems. ACLs were designed to cover a lot of security scenarios, but I
>> was told, "They’re too complicated, and nobody here understands them,

> In other words: “we and our personnel are morons, please provide the
> solution for us intellectually degraded”.
******
Yep
*******

> And then the smart (but fraudulent) guys are “cutting the wool off these
> sheep” by selling them fake solutions which are understandable for
> morons but do not actually work.
********
Yep. The worst part of it was the fact that the “perpetrators of the
fraud” are in-house programmers, the same ones who are confused by ACLs,
and who thought that they were actually doing something REASONABLE by
providing such code.

There is nothing more dangerous than a purveyor of fake nostrums who
actually believes they are real!
********

> This is like all those unlicensed biologically active food additives,
> urinotherapy and such.

>> ActiveVirus (aka ActiveX by those unwilling to admit how bad it is for
>> security) remains the most effective vector

> With proper IE security settings it is not. You will need to sign an OCX
> for it to be downloaded and executed.

*****
And if you set it that way, everyone complains that their favorite Web
site no longer works! So most companies have chosen blanket denial,
filtering out the requests at their firewall. What you definitely must
NOT do is give the users the option of executing an unsigned control.

I consider the use of ActiveVirus the work of sociopathic Web designers.
joe
*******



