Is it possible to prevent ZwTerminateProcess and ZwTerminateThread?

Hi there,
Is it possible to prevent a kernel mode driver from killing a user-mode process via a call to [Nt]ZwTerminateProcess or [Nt]ZwTerminateThread? I’m currently employing user-mode hooking to intercept NtOpenProcess/NtOpenThread and that works fine, but I want to prevent drivers from killing our process. What would be the equivalent way of doing this in kernel mode? I’ve heard that this can be done by denying access to our handles via ObOpenObjectByPointer?
== Platforms ==
* Minimum OS: Windows XP SP3
* x86 and x64

== Background ==
I’m writing a platform for computer-based examination. During an exam session, a security manager runs as a service and is responsible for sandboxing the examinee so that they cannot access online/offline content that could allow them to cheat (filter driver is also used). There are other pieces to the solution, but they probably aren’t relevant to this discussion. I need to prevent the security manager from exiting though until a) the user selects “Finish Exam”, b) the exam session expires. In other words, we need to control shutdown of the security manager.
Note that I can’t just use ACLs as the user could be an admin and may have SeDebugPrivilege and/or SeTakeOwnership. Also, it’s not sufficient to simply restart the security manager if it is terminated, so please don’t suggest the SCM’s restart function or similar.
Yes, I’m aware that it is impossible to completely lockdown the user’s *own* computer. Suffice to say, our customer feels that the existing security measures are sufficient for their users if we can prevent the security manager from being terminated (where “sufficient” is measured in terms of the time required to subvert the security measures versus the time required to simply study for the exam). Also note that they won’t have access to the lockdown binaries until exam day, so they won’t be able to reverse engineer a workaround weeks in advance of the exam.
Thanks,
Daniel



All kernel mode code is fully trusted. Even if you could sabotage the system call “successfully” (likely also risking sabotaging your user’s system stability and data integrity as a byproduct), a kernel mode driver could just poke at the process object directly.

This is not solvable if you allow untrusted code to run in kernel mode.

  • S

From: Daniel Cowx
Sent: Monday, November 09, 2009 16:30
To: Windows System Software Devs Interest List
Subject: [ntdev] Is it possible to prevent ZwTerminateProcess and ZwTerminateThread?


NTDEV is sponsored by OSR

For our schedule of WDF, WDM, debugging and other seminars visit:
http://www.osr.com/seminars

To unsubscribe, visit the List Server section of OSR Online at http://www.osronline.com/page.cfm?name=ListServer

> Is it possible to prevent a kernel mode driver from killing a user-mode process via a call to [Nt]ZwTerminateProcess or [Nt]ZwTerminateThread?

IIRC, [Nt]ZwTerminateProcess and [Nt]ZwTerminateThread are not exported by ntoskrnl.exe’s IAT, which implies that drivers should not use these functions, and that calls to them by KM code may be “rather problematic”. This is how it works under XP and below. AFAIK, in newer OS versions they made ntoskrnl.exe export quite a few functions that were exported only via the SSDT under XP and below (and even documented some of them). I am not sure whether your target calls are among them. You can check it by running dumpbin…

> I’m currently employing user-mode hooking to intercept NtOpenProcess/NtOpenThread and that works fine, but I want to prevent drivers from killing our process.

We are not helping malware writers here, are we??? Look - any process that prevents a user with Admin rights from terminating it automatically qualifies as a piece of malware…

Anton Bassov
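Anton’s dumpbin check, written out as a small script. This is an added example, not code from the thread: it walks the PE export directory itself (the table that dumpbin /exports prints), so it needs no SDK tools and treats an XP-era ntoskrnl.exe the same as a newer one. build_test_pe() fabricates a tiny PE32/PE32+ image with a made-up export table so the parser can be exercised offline; the module name, export names and RVAs in that fixture are constructed for the demo and say nothing about what any real kernel image exports.

```python
"""Check whether a PE image (e.g. ntoskrnl.exe) exports a given symbol by name.

Added example: parses the export directory per the PE/COFF layout instead of
shelling out to dumpbin. build_test_pe() is a constructed fixture only.
"""
import struct
import sys


def _rva_to_offset(rva, sections):
    """Map an RVA to a file offset using the section table."""
    for va, raw_ptr, raw_size in sections:
        if va <= rva < va + raw_size:
            return raw_ptr + (rva - va)
    raise ValueError("RVA 0x%x not backed by any section" % rva)


def _cstring(data, off):
    return data[off:data.index(b"\0", off)].decode("ascii")


def pe_exports(data):
    """Return (module_name, {export_name: rva_or_forwarder}) for a PE image."""
    if data[:2] != b"MZ":
        raise ValueError("not a PE image (no MZ header)")
    pe = struct.unpack_from("<I", data, 0x3C)[0]          # e_lfanew
    if data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    nsec = struct.unpack_from("<H", data, pe + 6)[0]       # NumberOfSections
    opt_size = struct.unpack_from("<H", data, pe + 20)[0]  # SizeOfOptionalHeader
    opt = pe + 24
    magic = struct.unpack_from("<H", data, opt)[0]
    # DataDirectory starts at +96 in PE32 and +112 in PE32+; entry 0 is exports.
    dd = opt + (112 if magic == 0x20B else 96)
    exp_rva, exp_size = struct.unpack_from("<II", data, dd)
    sections = []
    for i in range(nsec):
        s = opt + opt_size + 40 * i
        _vsize, va, raw_size, raw_ptr = struct.unpack_from("<IIII", data, s + 8)
        sections.append((va, raw_ptr, raw_size))
    if exp_rva == 0:
        return "", {}
    ed = _rva_to_offset(exp_rva, sections)
    (name_rva, _base, _nfuncs, nnames,
     funcs_rva, names_rva, ords_rva) = struct.unpack_from("<IIIIIII", data, ed + 12)
    funcs = _rva_to_offset(funcs_rva, sections)
    names = _rva_to_offset(names_rva, sections)
    ords = _rva_to_offset(ords_rva, sections)
    exports = {}
    for i in range(nnames):
        name_off = _rva_to_offset(struct.unpack_from("<I", data, names + 4 * i)[0], sections)
        ordinal = struct.unpack_from("<H", data, ords + 2 * i)[0]  # unbiased index
        func_rva = struct.unpack_from("<I", data, funcs + 4 * ordinal)[0]
        # An RVA pointing inside the export directory itself is a forwarder string.
        if exp_rva <= func_rva < exp_rva + exp_size:
            exports[_cstring(data, name_off)] = "-> " + _cstring(data, _rva_to_offset(func_rva, sections))
        else:
            exports[_cstring(data, name_off)] = func_rva
    return _cstring(data, _rva_to_offset(name_rva, sections)), exports


def exports_symbol(data, symbol):
    return symbol in pe_exports(data)[1]


def build_test_pe(module, names, pe32plus=True):
    """Constructed fixture: a minimal PE whose only section is an export table."""
    n, sec_rva, sec_raw = len(names), 0x1000, 0x200
    funcs_off, names_off = 40, 40 + 4 * n
    ords_off, strings_off = names_off + 4 * n, names_off + 6 * n
    strings = bytearray(module.encode() + b"\0")          # module name is the first string
    name_rvas = []
    for nm in names:
        name_rvas.append(sec_rva + strings_off + len(strings))
        strings += nm.encode() + b"\0"
    body = bytearray(struct.pack("<IIHHIIIIIII", 0, 0, 0, 0, sec_rva + strings_off, 1, n, n,
                                 sec_rva + funcs_off, sec_rva + names_off, sec_rva + ords_off))
    body += b"".join(struct.pack("<I", 0x2000 + 0x10 * i) for i in range(n))  # fake code RVAs
    body += b"".join(struct.pack("<I", r) for r in name_rvas)
    body += b"".join(struct.pack("<H", i) for i in range(n))
    body += strings
    exp_size = len(body)
    raw_size = (exp_size + 0x1FF) & ~0x1FF
    body += b"\0" * (raw_size - exp_size)
    opt_size = 240 if pe32plus else 224
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x8664 if pe32plus else 0x14C, 1, 0, 0, 0, opt_size, 0x2002)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x20B if pe32plus else 0x10B)
    dd = 112 if pe32plus else 96
    struct.pack_into("<I", opt, dd - 4, 16)                # NumberOfRvaAndSizes
    struct.pack_into("<II", opt, dd, sec_rva, exp_size)    # export data directory
    sec = b".edata\0\0" + struct.pack("<IIII", exp_size, sec_rva, raw_size, sec_raw) + b"\0" * 16
    hdr = dos + coff + opt + sec
    return bytes(hdr + b"\0" * (sec_raw - len(hdr)) + body)


if __name__ == "__main__":
    # Usage: python pe_exports.py C:\Windows\System32\ntoskrnl.exe ZwTerminateProcess
    # With no arguments it runs against the constructed fixture instead.
    if len(sys.argv) == 3:
        image, symbol = open(sys.argv[1], "rb").read(), sys.argv[2]
    else:
        image, symbol = build_test_pe("ntoskrnl.exe", ["ZwClose", "ZwOpenProcess"]), "ZwTerminateProcess"
    module, table = pe_exports(image)
    print("%s: %d named exports; %s exported: %s" % (module, len(table), symbol, exports_symbol(image, symbol)))
```

Point it at the kernel image you actually ship on (the XP SP3 and x64 builds differ). A missing export only tells you a driver cannot link to the routine by name; it says nothing about whether kernel code can reach the same system service another way, which is the point made earlier in the thread about kernel mode code being fully trusted.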

I understand your concern Anton. However, malware by definition is software that is a) designed to inflict damage on a user’s computer and b) installed without their consent.

This is not the case here. Users can choose to install our software or not. If they don’t, they’re free to write their exam with a pen and paper. However, if they wish to write their exam electronically, they acknowledge that certain restrictions will be enforced *during that exam* to ensure the security and integrity of the exam session.

Is your concern that you don’t wish to publicize the solution for fear that others may use it for nefarious reasons? If so, could you please email me directly and I will keep it confidential?

I know that such a solution is possible because I can’t kill AVG’s Resident Shield (avgrsx.exe) on my computer even with a kernel mode call to ZwTerminateProcess. I just don’t know how they do it.

On 11/10/2009 1:29 AM, Daniel Cowx wrote:

> Also note that they won’t have access to the lockdown binaries until exam day, so they won’t be able to reverse engineer a workaround weeks in advance of the exam.

Also note that this is only true for the first-ever batch of exam
takers… after that, the exam executable will certainly “leak”.

Suggestion:
Make sure the people taking the exam do this on sufficiently secured
computers (no access to USB/FD/HD, no network connection during the exam).

Or use a different operating system, e.g. Linux or WinCE, booted from a
CD, from the network or from USB, where you can exactly determine which
drivers and applications are present and which are not.

> I’m writing a platform for computer-based examination. During an exam session, a security manager runs as a service and is responsible for sandboxing the examinee so that they cannot access online/offline content that could allow them to cheat (filter driver is also used). There are other pieces to the solution, but they probably aren’t relevant to this discussion. I need to prevent the security manager from exiting though until a) the user selects “Finish Exam”, b) the exam session expires. In other words, we need to control shutdown of the security manager.

The above paragraph should be prefixed with “I am wasting my time on…”…

As long as the user is not physically present at the tester’s site you are fighting a battle that just cannot be won, no matter how you look at it - he can simply install the tester’s software on machine X and use machine Y to search the web for the answers to all the questions. Seems to be a more reasonable approach compared to hacking the tester’s software, don’t you think? It never occurred to you to think this way???

If he is physically present at the tester’s site…well, then the battle does not make sense in itself, because in this case he is (obviously) not going to have Admin rights. Therefore, he will have no chance to use the system in any configuration other than the one defined by the testers, and he will most definitely have no chance to install anything that hacks the tester’s software…

Anton Bassov