Is it possible to prevent any .exe file from getting executed?

Hello all,
Is it possible to prevent any .exe file from getting executed? I want to
monitor any exe file execution. What exactly happens when I double
click the .exe file? Can we make a poll mode driver which will detect the
start of .exe file and it will terminate that process at that point of
time. I know that prevention of execution of exe file is possible if I
remove the .exe file entry from the registry. But can we do it
programmatically, I mean through drivers? I am using WinDbg 6.0.
Anand.

  • You can follow the filemon ( www.sysinternals.com ) or sfilter ( IFS Kit
    sample ) sample to do the filtering of executables.
  • APIs like CreateProcess, ShellExecute ( maybe others ) can execute the
    file without having the extension also; it merely depends on the header of
    the binary, for example: a Win32 EXE will have first the MZ header ( DOS stub )
    and later the PE header. Windows will detect whether the file is Win32 or not
    using the PE header.

Hope this will give you some info.

Regards,
int3
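To illustrate int3's second point, here is an added example (not code from the thread or from the IFS Kit samples) that classifies a file as a Win32 image the way the loader does, by the MZ stub and the PE signature at e_lfanew, ignoring the extension entirely. The sample bytes are constructed in `build_sample`, which is an assumption of this example, not a real binary.

```python
"""Classify a buffer as a Win32 PE image by its headers, not its extension."""
import struct
from typing import Optional

MZ_MAGIC = b"MZ"
PE_SIGNATURE = b"PE\0\0"
E_LFANEW_OFFSET = 0x3C                 # IMAGE_DOS_HEADER.e_lfanew
IMAGE_FILE_HEADER_FMT = "<HHIIIHH"     # Machine .. Characteristics (20 bytes)
IMAGE_FILE_EXECUTABLE_IMAGE = 0x0002   # IMAGE_FILE_HEADER.Characteristics bits
IMAGE_FILE_DLL = 0x2000
MACHINES = {0x014C: "i386", 0x8664: "x64", 0x01C4: "ARMNT", 0xAA64: "ARM64"}


def classify_image(data: bytes) -> Optional[dict]:
    """Return header facts if `data` is a PE image, else None.

    Order of checks mirrors the loader: DOS stub ("MZ") first, then the
    "PE\\0\\0" signature at e_lfanew, then IMAGE_FILE_HEADER right after it.
    """
    if len(data) < E_LFANEW_OFFSET + 4 or data[:2] != MZ_MAGIC:
        return None
    e_lfanew = struct.unpack_from("<I", data, E_LFANEW_OFFSET)[0]
    # Guard against a truncated or hostile e_lfanew pointing past the buffer.
    if e_lfanew + 4 + struct.calcsize(IMAGE_FILE_HEADER_FMT) > len(data):
        return None
    if data[e_lfanew:e_lfanew + 4] != PE_SIGNATURE:
        return None
    machine, _nsec, _ts, _symtab, _nsyms, _optsz, characteristics = \
        struct.unpack_from(IMAGE_FILE_HEADER_FMT, data, e_lfanew + 4)
    return {
        "machine": MACHINES.get(machine, hex(machine)),
        "executable": bool(characteristics & IMAGE_FILE_EXECUTABLE_IMAGE),
        "dll": bool(characteristics & IMAGE_FILE_DLL),
    }


def build_sample(machine: int = 0x8664, characteristics: int = 0x0022) -> bytes:
    """Constructed minimal image (assumption of this example): DOS header with
    e_lfanew = 0x80, PE signature and IMAGE_FILE_HEADER. Enough for the
    header check above; it is not a loadable program."""
    dos = bytearray(0x80)
    dos[:2] = MZ_MAGIC
    struct.pack_into("<I", dos, E_LFANEW_OFFSET, 0x80)
    file_header = struct.pack(IMAGE_FILE_HEADER_FMT, machine, 1, 0, 0, 0, 0,
                              characteristics)
    return bytes(dos) + PE_SIGNATURE + file_header


if __name__ == "__main__":
    # A renamed image is still an image; plain text is not, whatever its name.
    for name, blob in [("report.txt", build_sample()),
                       ("notes.exe", b"plain text, not an image")]:
        print(name, "->", classify_image(blob))
```

A filter that keys on this check rather than on the `.exe` suffix catches the renamed-binary case the post describes, but see the later replies for why blocking files alone is not a complete control.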

Assuming the .EXE lives on an NTFS partition, the easiest way to
allow/prevent execution is to attach a suitable access-control list to the
file.

Writing a driver for this purpose seems a bit like recreating something that
the operating system will already do for you…

Regards,
Art Baker

-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com]On Behalf Of Anand
Sent: Friday, August 09, 2002 3:02 AM
To: NT Developers Interest List
Subject: [ntdev] Is it possible to prevent any .exe file from getting
executed?

You are currently subscribed to ntdev as: xxxxx@nfr.com
To unsubscribe send a blank email to %%email.unsub%%

Agreed, NT’s SID/ACL security model is showing its age. Keep in mind that
it’s based substantially on the VAX/VMS v5.0 security architecture (ca.
1988). Intrusion prevention was a much simpler task in that environment:
don’t give out the wrong privileges, limit dial-in user accounts, and don’t
let anyone do anything funny with DECnet. Things have changed since then…

-Art Baker

Yes, I know. Yet one of the uses of an authorization mechanism is intrusion
prevention! It would be nice to have a bit more control over who runs what
in my machine.

Alberto.

“Moreira, Alberto” wrote in message
news:xxxxx@ntdev…
>
> What’s needed is an authorization mechanism that is attached to contexts,
> not to specific files or pathnames. “No running certain .exe files from the
> network, please”. “No executing anything from inside an unzip operation”.
> “No executing certain files from inside .bat files”. “No running executables
> by doubleclicking on some website links”.
>
> And so on, user- or admin-selectable. Can Windows do that ?
>

Absolutely! Windows doesn’t include any free software that does that… but
it could certainly be written with the fundamental tools the operating
system provides.

Sounds like the start of a business plan, Alberto! Hey, I know a company
that can you a cool file system filter driver for ya…

Peter
OSR

While you may be able to block certain .exe’s from executing, you are
still vulnerable to execution of what we call malicious mobile code.
Even though code may be executed from an executable (*.exe), it does not
have to originate from such. Think of an attacker being able to create
a buffer-overrun and then executing his/her code on your machine. How
could you protect against that?

What we really need is a method for marking trusted / un-trusted code
and a way of “monitoring” or “supervising” this un-trusted code. If the
execution of any un-trusted code performs malicious events, we simply
undo such actions.

Good news is that this is the focus of our security research here at
Florida Tech. We’ve developed methods for placing ourselves between the
OS and the user process (both user-mode and kernel-mode) and we’ve even
been able to intercept machine-level instructions and disallow a process
from performing such machine instructions. By our methods of “sandboxing”
the OS, we have been able to implement an undo engine which allows us to
run un-trusted code and monitor its behavior. We’re still working on
this as there’s much more work to be done on the behavioral aspect of
it. Our site is currently under serious work but feel free to check us
out at: http://se.fit.edu

My two cents,

Jorge E. Coll
Florida Institute of Technology

-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of Peter Viscarola
Sent: Friday, August 09, 2002 4:19 PM
To: NT Developers Interest List
Subject: [ntdev] Re: Is it possible to prevent any .exe file from
getting executed?

> Good news is that this is the focus of our security research here at
> Florida Tech

Ok, that’s very cool. Please explain that good news.

> performing such machine instructions.

What are you talking about? To what extent can your code protect
against buffer overflows? Do you protect against exec in heaps, or only in
stacks? BO techniques span an extremely wide range of methods. Do you
ensure address space randomization in any way? How do you protect against
perfectly legitimate ntdll.dll code, run with malicious intent after a
buffer overflow (return to libc style)? Please, shed more light on this.

----- Original Message -----
From: “Jorge E. Coll”
To: “NT Developers Interest List”
Sent: Saturday, August 10, 2002 12:35 AM
Subject: [ntdev] Re: Is it possible to prevent any .exe file from getting
executed?

Peter,

Something like Mandatory Access Control lists? Enough rope to hang the
developer, in the first place, then burn the end user at the stake. But it
would be so cool… I doubt MS will do it. They are too busy making better
looking icons for Internet Explorer " +NET +COM +whatever enabled".
Considering they have such cool developers, it’s a pity.

Ciao, Dan