RE: process signing checking in kernel

You should make this a new topic. Offhand this seems to be the wrong level
to do this sort of checking. The system policy should allow/deny unsigned
processes and the system security policy should control which users/groups
have access to which devices. Obviously you could write a service that
collected the information you needed and provided this information on demand
to your driver. A cache of some sort available to the driver would probably
be a good idea.

=====================
Mark Roddy DDK MVP
Windows 2003/XP/2000 Consulting
Hollis Technology Solutions 603-321-1032
www.hollistech.com

-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of
xxxxx@bitdefender.com
Sent: Wednesday, November 08, 2006 4:53 AM
To: Windows System Software Devs Interest List
Subject: RE:[ntdev] spinlock & event question

Hi all,

Can anyone tell me if and how I could check from a driver
whether a process that tries to connect to a communication port
of the driver is digitally signed or not, whether the signature is
valid, who signed that process, and so on. This could be quite
an effective way to prevent unauthorized processes from
connecting to the driver.

Any comments on this subject are welcomed.

thank you very much,

Sandor LUKACS
Virus Analyst, SOFTWIN


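As an added example that is not part of this thread, here is the user-mode half of the service Mark describes: given a process id, verify whether its image is Authenticode-signed and by whom, and reduce that to an allow/deny answer a service could cache and hand to the driver on request. It is PowerShell using Get-AuthenticodeSignature; the function names and the trusted-signer thumbprint are placeholders of my own.

```powershell
# Added example, not code from the thread: the user-mode half of the service
# Mark suggests. Given a PID, resolve the main image, verify its Authenticode
# signature and report who signed it; a service could cache these answers and
# return them to the driver on request.
function Get-ProcessSignatureInfo {
    param([Parameter(Mandatory)][int]$ProcessId)

    $proc = Get-Process -Id $ProcessId -ErrorAction Stop
    # MainModule and StartTime are not readable for some protected processes;
    # report Unknown rather than guessing.
    try { $path = $proc.MainModule.FileName } catch { $path = $null }
    try { $start = $proc.StartTime } catch { $start = $null }
    $result = [ordered]@{
        ProcessId = $ProcessId; StartTime = $start; ImagePath = $path
        Status = 'Unknown'; Signer = $null; Thumbprint = $null
    }
    if ($path) {
        $sig = Get-AuthenticodeSignature -FilePath $path
        $result.Status = $sig.Status.ToString()   # Valid, NotSigned, HashMismatch, ...
        if ($sig.SignerCertificate) {
            $result.Signer     = $sig.SignerCertificate.Subject
            $result.Thumbprint = $sig.SignerCertificate.Thumbprint
        }
    }
    [pscustomobject]$result
}

# Policy the service would hand back to the driver: only a valid signature from
# an explicitly trusted signer passes. The thumbprint is a placeholder.
$TrustedSignerThumbprints = @('PLACEHOLDER_SHA1_THUMBPRINT_OF_TRUSTED_SIGNER')

function Test-ProcessAllowed {
    param([Parameter(Mandatory)][int]$ProcessId)
    try { $info = Get-ProcessSignatureInfo -ProcessId $ProcessId }
    catch { return [pscustomobject]@{ ProcessId = $ProcessId; Allowed = $false; Status = 'Unknown'; Signer = $null } }
    $allowed = ($info.Status -eq 'Valid') -and ($TrustedSignerThumbprints -contains $info.Thumbprint)
    [pscustomobject]@{ ProcessId = $ProcessId; Allowed = $allowed; Status = $info.Status; Signer = $info.Signer }
}

# Audit: list every running process that would be denied under this policy.
Get-Process | ForEach-Object { Test-ProcessAllowed -ProcessId $_.Id } |
    Where-Object { -not $_.Allowed } | Format-Table -AutoSize
```

Note that this verifies the file on disk, not the image actually running, so it says nothing about code injected after launch, and since PIDs are reused any cache should be keyed on PID plus start time.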
thank you for your reply,

  • I really can’t afford to require that every process in the system be signed, so I must run all those things on systems with both signed and unsigned processes

  • I can and do restrict access to the device to only SYSTEM and (maybe) ADMINISTRATOR accounts; and yes, I can write a service that collects this info and provides it on demand to my driver; but that service itself shall be checked somehow; and if I assume that the service is not-alterable/not-altered, then I have just reduced the problem of the signature/authenticity check from N processes to 1 process/service;

however, the solution with the service might be the safest possible, if the following is true: once any user/malicious software has the power (as Administrator, for example) to alter the service, it also has the power to remove the driver from the system or alter it; so, if this is true, then it makes no more sense to try to lower the signature check into the driver, as a service shall do very well; can I ask you to confirm this or comment on this idea?

thank you very much,

Sandor LUKACS
Virus Analyst, SOFTWIN

btw, I did start a new topic from the web interface, but for some reason it just doesn’t go into the mails received either :(