The hook blocking code on x64 systems is disabled if a kernel debugger
is attached to the system at boot time so you can still use IrpTracker
and other hooking type tools in those scenarios.
This has been said by people before but I thought it would be worth
reiterating it. The bottom line reason why Microsoft is working to
prevent hooking is to make the system more reliable. There is no other
reason.
As has been stated, when the system crashes people usually blame
Microsoft, and it takes time and resources on our part to track down and
resolve these issues. If any of you have examined the OCA data that is
available to 3rd party driver developers you can see the large quantity
of failures that we receive on a daily basis. We have hard evidence
that 80+% of failures are attributable to 3rd party drivers; 10+% to
hardware issues; and about 8% to Microsoft issues.
When we have drivers that use standard supported interfaces we can
provide things like prefast, the driver verifier, and the static driver
verifier to validate that drivers are following the intended rules. It
is much harder to validate correctness when people are directly hooking
random APIs.
Neal Christiansen
Microsoft File System Filter Group Lead
This posting is provided “AS IS” with no warranties, and confers no Rights
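The first message notes that the x64 hook-blocking code is switched off when a kernel debugger is attached at boot. A defender reviewing a production x64 host will want to confirm that its boot entry does not have kernel debugging enabled, since that configuration leaves the protection inactive. The following PowerShell function is an added example, not code from the thread or from Microsoft; it assumes `bcdedit.exe` is available from an elevated session and that `bcdedit /enum {current}` prints a line of the form `debug Yes` when debugging is on (the line is absent or reads `No` otherwise, and the value is localized on non-English installs, which the parsing below does not handle).

```powershell
# Added example (not part of the original thread): report whether the boot
# entry currently running has kernel debugging enabled, the condition under
# which the x64 hook-blocking code described in the thread is not active.
# Assumptions: bcdedit.exe is on the path, the session is elevated, and the
# output layout "debug    Yes" of `bcdedit /enum {current}` matches an
# English-language install.
function Test-KernelDebugEnabled {
    [CmdletBinding()]
    param()

    # bcdedit needs administrative rights to read the BCD store.
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)
    $adminRole = [Security.Principal.WindowsBuiltInRole]::Administrator
    if (-not $principal.IsInRole($adminRole)) {
        throw "Run from an elevated PowerShell session; bcdedit cannot read the BCD store otherwise."
    }

    $output = & bcdedit.exe /enum '{current}' 2>&1
    if ($LASTEXITCODE -ne 0) {
        throw "bcdedit failed: $output"
    }

    # The entry shows 'debug    Yes' when `bcdedit /debug on` has been applied;
    # when debugging is off the line is either absent or reads 'No'.
    $debugLine = $output |
        ForEach-Object { [string]$_ } |
        Where-Object { $_ -match '^\s*debug\s+\S+' } |
        Select-Object -First 1

    $enabled = $false
    if ($debugLine) {
        $enabled = [bool]($debugLine -match '^\s*debug\s+Yes\s*$')
    }

    if ($enabled) {
        $note = 'Kernel debugging is on for this boot entry; per the thread, x64 hook blocking is disabled in this configuration.'
    } else {
        $note = 'Kernel debugging is off for this boot entry; x64 hook blocking is expected to be active.'
    }

    [pscustomobject]@{
        BootEntry          = '{current}'
        KernelDebugEnabled = $enabled
        Note               = $note
    }
}

# Usage: run in an elevated session; the object can be piped to Export-Csv
# for fleet-wide collection.
Test-KernelDebugEnabled
```

The check reads only the current boot entry; other entries in the store (for example a second OS entry) would need `bcdedit /enum` without the identifier and a per-entry parse, which is left out here to keep the example focused on the running system.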
-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of Tony Mason
Sent: Friday, November 11, 2005 9:21 AM
To: Windows File Systems Devs Interest List
Subject: RE: [ntfsd] Hooking and vista
There is a tension here: between those who want to do something
legitimate (think about Irp Tracker - it relies upon system call hooking
in order to observe the system calls) and those who want to use the same
techniques for something illegitimate (think “root kit”.)
There are two ways of looking at the anti-hooking code:
- It is there to prevent ALL hooking (good or benign); or
- Is it there to raise the bar for hooking so that by the time you CAN
hook, you should know enough to make it work right.
Then there are kits (like the Sony DRM product) that “walk the line”
between these two. I had multiple people point out that I had answered
questions for one of the developers of that product (with the
implication that by answering questions for “such people” *I* had done
something wrong.)
And yet, years ago we worked with a large company that wanted a DRM
product that would hide itself and allow them to do many of the same
things that the Sony product did - I insisted that they had to
explicitly indemnify us against their use of this product. Their
lawyers balked. In hindsight, it looks like my concerns were not as
radical or ludicrous as they might have seemed at the time.
I do agree that it would behoove Cutler’s team to consider providing an
alternative to the “hooking” interface. But apparently nobody’s been
able to make a convincing case to him thus far (although I have to say
that losing IrpTracker and other diagnostic tools of this type is a
significant loss.)
Regards,
Tony
Tony Mason
Consulting Partner
OSR Open Systems Resources, Inc.
http://www.osr.com
-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of Daniel Terhell
Sent: Friday, November 11, 2005 12:06 PM
To: ntfsd redirect
Subject: Re:[ntfsd] Hooking and vista
I know hooking is not at all the fashion these days but in a thread a few
days ago, it was you admitting that in certain situations hooking is
necessary (although evil according to you). It is usually only
theoreticians or people writing drivers for hardware devices but never those
who write real software solutions to the problems we are facing in this
world coming up with these suggestions. Instead of a boot option, I suggest
a registry value which is set to allow by default. The alternatives that
Microsoft has provided such as the registry callbacks are even much more
operating system dependent and leave a lot to be desired for many
reasons.
What this world really needs is a proper interface for intercepting kernel
calls and documentation on how to do it properly. This will resolve all of the
possible problems you have managed to sum up so far.
Regards,
Daniel Terhell
Resplendence Software Projects Sp
xxxxx@resplendence.com
http://www.resplendence.com
“Don Burn” wrote in message news:xxxxx@ntfsd…
> I have put this out on one of the beta groups for Vista. With our
> discussions here about hooking, I figured I should repeat it here.
> Hopefully, people will help push Microsoft to do the right thing.
>
> With all the stuff about Sony’s DRM rootkit, it seems like a good time to
> ask Microsoft to reconsider their stance on no hook protection for 32-bit
> systems. Yes I realize there are a number of products that hook, but with
> the capability being blocked on 64-bit system, hopefully these products are
> changing. Even if they are not, how about making it a boot option, that the
> customer can disable the hook checks if they have a product that does
> this.
>
> Some of us have been asking for the ability to block hooks for years, it is
> time for this to be present in all future versions of the OS.
—
Questions? First check the IFS FAQ at
https://www.osronline.com/article.cfm?id=17
You are currently subscribed to ntfsd as: xxxxx@osr.com
To unsubscribe send a blank email to xxxxx@lists.osr.com