Regmon(a new puzzle)

Hello all tops,

Maybe you ignored the latest post in the topic (Regmon). I hope you can pay
attention to this topic again.

I really wonder if you understand my new puzzle clearly.

For example, if we want to do File Monitor, we can hook the system service
table as Regmon has done; alternatively we can attach our driver to the
physical disks as Filemon has done.

Now my question is: if I follow the Regmon way to protect my registry, is it
possible to bypass Regmon? And how to bypass it? How to defeat the “bypass”?

Anthony

///
///The following is the previous letter:
///
Now I am beaten by a problem, something related to Registry Monitor.

Could I build a kernel driver or an app program to access the registry (or
certain files) directly without calling the funcs in the System Service Table?
If so, Regmon will face some problems in certain cases. Right?

Any sense?

Anthony

As has been pointed out there are many ways to bypass your efforts, and as I
pointed out in a previous posting, regmon does not monitor all the
system calls that modify the registry.

On your implied model for files, things will get very messy if you try the
regmon route. You will have to handle a very large number of calls,
including file mapping calls, to protect filesystems. Note you are wrong in
your statement on FileMon: it attaches to file systems, not physical disks.

This has been asked before but you did not answer: What problem are you
really trying to solve with these protection efforts? This list can
probably give you a solution (or point out why it is impossible to solve),
if you state your problem cleanly.

Don Burn (MVP, Windows DDK)
Windows 2k/XP/2k3 Filesystem and Driver Consulting

----- Original Message -----
From: “Anthony”
Newsgroups: ntdev
To: “Windows System Software Developers Interest List”
Sent: Thursday, July 31, 2003 9:28 PM
Subject: [ntdev] Regmon(a new puzzle)

> —
> Questions? First check the Kernel Driver FAQ at
http://www.osronline.com/article.cfm?id=256
>
> You are currently subscribed to ntdev as: xxxxx@acm.org
> To unsubscribe send a blank email to xxxxx@lists.osr.com

Hello Don,

Thanks for your comments. It’s valuable.

Yep, I want to program a driver to protect my own computer’s registry.
Have you ever used TINY firewall? (www.tinysoftware.com). I want to do what
they have done about Registry Protection.

As you said, Regmon cannot filter ALL registry operations. Why??? And
how?

As you said, Filemon does not attach to file systems. Yep, it’s true.
What I mean is that all the IRP packets sent to certain disks are filtered by
Filemon. Right?

Any other hints about Registry Protection?

Anthony


Protect the registry against what? If not “against the rules”, you can use “hidden keys” as described at www.sysinternals.com
to increase safety.

Christiaan

----- Original Message -----
From: “Anthony”
Newsgroups: ntdev
To: “Windows System Software Developers Interest List”
Sent: Monday, August 04, 2003 3:15 AM
Subject: [ntdev] Re: Regmon(a new puzzle)


What???

At least, I know some viruses and most trojans invade PCs by registry
operations!

Anthony


OK, I thought you wanted to protect your own registry keys against hacking …

----- Original Message -----
From: “Anthony”
Newsgroups: ntdev
To: “Windows System Software Developers Interest List”
Sent: Monday, August 04, 2003 7:22 AM
Subject: [ntdev] Re: Regmon(a new puzzle)


First, I’ve never seen a study that shows the registry is truly the target; I
have heard a lot of “wives’ tales” from the Linux crowd that they are
superior since they don’t have a registry that can be attacked. Second,
while I haven’t used the personal firewall software, there are a lot of things
out there that do need to modify the registry; what will you do in that case
(please don’t say pop up a dialog box: between terminal server with multiple
desktops and Win2k3 with headless operation this is highly broken).

Now some experiments I did while trying to do a product with some of the
same ideas:

  1. There are save and restore registry key calls that have no kernel
     export, so you are going to have to go the hack of looking up the number in
     user space and passing it to your driver (oops, for security you should be
     one of the first drivers loaded, so you have a pain). These routines will
     overwrite a registry key without showing up in regmon.

  2. Microsoft loads things at the same place so it is fairly easy to
     call the entry points directly without going through the call table from a
     driver.

You are still getting things wrong on Filemon: it is a filesystem filter, not
a disk filter. It does attach to filesystems, and this is some of the
toughest programming in the Windows kernel to get right.

Don Burn (MVP, Windows DDK)
Windows 2k/XP/2k3 Filesystem and Driver Consulting

“Anthony” wrote in message
news:LYRIS-796-127199-2003.08.04-01.22.25–burn#xxxxx@lists.osr.com…

“Don Burn” wrote in message news:xxxxx@ntdev…
>
> First, I’ve never seen a study that shows the registry is truly the target; I
> have heard a lot of “wives’ tales” from the Linux crowd that they are
> superior since they don’t have a registry that can be attacked. Second,
> while I haven’t used the personal firewall software, there are a lot of things
> out there that do need to modify the registry; what will you do in that case
> (please don’t say pop up a dialog box: between terminal server with multiple
> desktops and Win2k3 with headless operation this is highly broken).
>
But most trojans and some viruses will do some modification at the Run or Runex
key. If I monitor these keys, I can find them. Right? Of course, I need to get
the modification database of trojans and viruses. Then I can match them
dynamically just like a packet filter.

> Now some experiments I did while trying to do a product with some of the
> same ideas:
>
> 1. There are save and restore registry key calls that have no kernel
> export, so you are going to have to go the hack of looking up the number in
> user space and passing it to your driver (oops, for security you should be
> one of the first drivers loaded, so you have a pain). These routines will
> overwrite a registry key without showing up in regmon.
>
Could you give me an exact example? Which call in user space can bypass
Regmon?

> 2. Microsoft loads things at the same place so it is fairly easy to
> call the entry points directly without going through the call table from a
> driver.
>
If so, and I really want to protect my registry (only monitor some run
keys), what can I do? Is it useless?

> You are still getting things wrong on Filemon: it is a filesystem filter, not
> a disk filter. It does attach to filesystems, and this is some of the
> toughest programming in the Windows kernel to get right.
>
I am really puzzled. I read the code of Filemon. I find the driver builds
26 devices to attach to the original 26 file devices if there are 26 file
devices. I think the 26 file devices means the 26 physical file disks or
partitions. Then all the IRP packets sent to them will be filtered by my
driver first. Right?

Filemon is programmed with the DDK, not the IFS kit.


“Is it useless”?

Yes,

It is useless.

If a nasty can run a process with admin access, there is nothing you can do
that they can’t do better. It’s a red queen’s race.

Humor!

Could I filter all registry operations, which are called from user space, by
registry?

Anthony

“benson” wrote in message news:xxxxx@ntdev…
>
> “Is it useless”?
>
> Yes,
>
> It is useless.
>
> If a nasty can run a process with admin access, there is nothing you can
> do that they can’t do better. It’s a red queen’s race.
>

You can filter them, and your opponent can install another filter to fool
your filter. You can try to intercept in the kernel, and she can intercept
your interception.

I’m perfectly serious, even if I can’t resist a humorous presentation. Look
up ‘red queen’s race.’ It’s a technical term in evolutionary biology.

If you have control of physical security and the admin account(s), then
there’s no need for any of this – you just set ACLs on the keys.

If you don’t have control of physical security and the admin account(s),
then you can’t guarantee any monitor or filter, since your opponent can lurk
behind a timer, repatching any filter that you install.
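The alternative Benson points to (let the OS enforce access on the keys rather than hooking the call path) can be shown concretely. The following is an added example, not code from this thread or from Regmon: it sets an explicit Deny ACE on a registry key for a chosen principal, probes that the kernel now refuses the write with no filter driver involved, and, when run elevated, adds a SACL entry so that modification attempts are logged by the OS's own object-access auditing instead of by a hook. The key path `HKCU:\Software\RegAclDemo` and the principal `BUILTIN\Users` are constructed for the demo; everything else is the standard .NET `System.Security.AccessControl` API as exposed to PowerShell.

```powershell
# Added example (not from the ntdev thread): protect a registry key with the
# OS's own DACL/SACL instead of a hook-based monitor.
# Assumption: a throwaway key under HKCU so the DACL part runs unelevated; a real
# deployment would target the HKLM key that actually needs protecting.
$keyPath       = 'HKCU:\Software\RegAclDemo'   # constructed test key
$restrictedSid = 'BUILTIN\Users'               # principal that must not modify it

# Write-class rights only; READ_CONTROL is deliberately left alone so the
# principal can still inspect the key's permissions.
$modifyRights  = [System.Security.AccessControl.RegistryRights]::SetValue -bor
                 [System.Security.AccessControl.RegistryRights]::CreateSubKey -bor
                 [System.Security.AccessControl.RegistryRights]::Delete

if (-not (Test-Path -Path $keyPath)) {
    New-Item -Path $keyPath -Force | Out-Null
}

# 1. DACL: explicit Deny ACE. Inheritance from the parent is cut, but the
#    inherited entries are copied first so nothing else about the key changes.
$dacl = Get-Acl -Path $keyPath
$dacl.SetAccessRuleProtection($true, $true)
$denyRule = [System.Security.AccessControl.RegistryAccessRule]::new(
    $restrictedSid,
    $modifyRights,
    [System.Security.AccessControl.InheritanceFlags]::ContainerInherit,
    [System.Security.AccessControl.PropagationFlags]::None,
    [System.Security.AccessControl.AccessControlType]::Deny)
$dacl.AddAccessRule($denyRule)
Set-Acl -Path $keyPath -AclObject $dacl

# 2. Show the explicit (non-inherited) entries now on the key.
(Get-Acl -Path $keyPath).Access |
    Where-Object { -not $_.IsInherited } |
    Select-Object IdentityReference, RegistryRights, AccessControlType |
    Format-Table -AutoSize

# 3. Probe: a write by a member of BUILTIN\Users is refused by the kernel's
#    access check, whether or not any monitor or filter driver is loaded.
try {
    Set-ItemProperty -Path $keyPath -Name 'Probe' -Value 1 -ErrorAction Stop
    Write-Host 'Write succeeded: the caller is not covered by the deny ACE.'
} catch {
    Write-Host "Write refused: $($_.Exception.Message)"
}

# 4. SACL (needs SeSecurityPrivilege, i.e. an elevated shell): have the OS log
#    successful and failed modification attempts to the Security log
#    (events 4657/4663), provided the "Audit Registry" subcategory is enabled.
$principal = [Security.Principal.WindowsPrincipal]::new(
    [Security.Principal.WindowsIdentity]::GetCurrent())
if ($principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    $sacl = Get-Acl -Path $keyPath -Audit
    $auditRule = [System.Security.AccessControl.RegistryAuditRule]::new(
        'Everyone',
        $modifyRights,
        [System.Security.AccessControl.InheritanceFlags]::ContainerInherit,
        [System.Security.AccessControl.PropagationFlags]::None,
        ([System.Security.AccessControl.AuditFlags]::Success -bor
         [System.Security.AccessControl.AuditFlags]::Failure))
    $sacl.AddAuditRule($auditRule)
    Set-Acl -Path $keyPath -AclObject $sacl
    Write-Host 'Audit rule added; modification attempts will appear in the Security log.'
}

# Cleanup for the demo: the key's owner keeps WRITE_DAC, so the deny ACE can be
# removed and the test key deleted. Comment this out to inspect the key instead.
$dacl = Get-Acl -Path $keyPath
$dacl.RemoveAccessRule($denyRule) | Out-Null
Set-Acl -Path $keyPath -AclObject $dacl
Remove-Item -Path $keyPath -Recurse
```

The point of the probe in step 3 is the thread's argument in miniature: the refusal comes from the object manager's access check on the key, so there is no hook for an opponent to hook. The SACL in step 4 moves monitoring into the same place; its limitation is the one Benson states, namely that anyone who already holds administrator rights can rewrite the DACL and SACL, so auditing is worth pairing with forwarding the Security log off the machine.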

Hello Benson,

Thanks for your valuable comments.
The following is my idea:

“You can filter them, and your opponent can install another filter to fool
your filter. You can try to intercept in the kernel, and she can intercept
your interception.”

Yep, it is true. But how do you know my driver can NOT fool other drivers?
At least, I can set a timer in user space, then my app can check the state
of my kernel driver dynamically, such as if the hooked address is correct.
If I can be sure that my driver is the last one of the drivers to access
the registry, I think it is what I aim at
(DriverA->DriverB->…MyDriver->Registry).

“I’m perfectly serious, even if I can’t resist a humorous presentation. Look
up ‘red queen’s race.’ It’s a technical term in evolutionary biology.”

Could you tell me the slang’s meaning? I have no idea about biology though I
know evolutionary theory.

“If you have control of physical security and the admin account(s), then
there’s no need for any of this – you just set ACLs on the keys.”

Yep, I can do it, for I am a computer expert. If I am a layman about PCs, how
can I do it? I want to program software to protect the registry, whatever
registry technique you know.

“If you don’t have control of physical security and the admin account(s),
then you can’t guarantee any monitor or filter, since your opponent can lurk
behind a timer, repatching any filter that you install.”

As I said, I can build an app to monitor my driver!

----- Original Message -----
From: “Anthony”
Newsgroups: ntdev
To: “Windows System Software Developers Interest List”
Sent: Wednesday, August 06, 2003 3:20 AM
Subject: [ntdev] Re: Regmon(a new puzzle)


>
> Yep, it is true. But how do you know my driver can NOT fool other drivers?
> At least, I can set a timer in user space, then my app can check the state
> of my kernel driver dynamically, such as if the hooked address is correct.
> If I can be sure that my driver is the last one of the drivers to access
> the registry, I think it is what I aim at
> (DriverA->DriverB->…MyDriver->Registry).
>


How will you be 100 % sure of that? Assume someone patches the OS code …
inserts his own code at the point where you hook … etc.
… You will never reveal those hacks by means of “legal” operations. I am
thinking now about the “Kernel Scope” from “Sybera” and how they hack into the OS.

> I’m perfectly serious, even if I can’t resist a humorous presentation. Look
> up ‘red queen’s race.’ It’s a technical term in evolutionary biology.

Sorry, but what does it mean? :slight_smile:

Max

> > I’m perfectly serious, even if I can’t resist a humorous presentation.
> > Look up ‘red queen’s race.’ It’s a technical term in evolutionary biology.
>
> Sorry, but what does it mean? :slight_smile:

It means you are in a situation where you have to run/work as fast as you
possibly can just to maintain your current position. Not sure of its
applicability here though.

I believe the term originated in the story of “Through The Looking Glass”
where Alice is with the Red Queen:

“‘A slow sort of country!’ said the Queen. ‘Now, HERE, you see, it takes all
the running YOU can do, to keep in the same place. If you want to get
somewhere else, you must run at least twice as fast as that!’”


Bill McKenzie
Compuware Corporation
Watch your IRPs/IRBs/URBs/SRBs/NDIS pkts with our free WDMSniffer tool:
http://frontline.compuware.com/nashua/patches/utility.htm

“Maxim S. Shatskih” wrote in message
news:xxxxx@ntdev…
>
> > I’m perfectly serious, even if I can’t resist a humorous presentation.
> > Look up ‘red queen’s race.’ It’s a technical term in evolutionary biology.
>
> Sorry, but what does it mean? :slight_smile:
>
> Max
>

I think this is the area where CLR would sign!!!

There are a host of problems like this. And to get mutual trust between
caller and callee seems to be another hack as of now, but if CLR or .NET
plays the security in the kernel as well, then these questions seem to rest
afterwards…

Under the CLR a managed object has a cryptographic hash, has strong contracts,
etc. etc. This should be done in the kernel too…

-prokash

-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com]On Behalf Of Christiaan
Ghijselinck
Sent: Tuesday, August 05, 2003 10:29 PM
To: Windows System Software Developers Interest List
Subject: [ntdev] Re: Regmon(a new puzzle)

----- Original Message -----
From: “Anthony”
Newsgroups: ntdev
To: “Windows System Software Developers Interest List”
Sent: Wednesday, August 06, 2003 3:20 AM
Subject: [ntdev] Re: Regmon(a new puzzle)


>
> Yep, it is true. But how do you know my driver can NOT fool other drivers?
> At least, I can set a timer in user space, then my app can check the state
> of my kernel driver dynamically, such as if the hooked address is correct.
> If I can be sure that my driver is the last one of the drivers to accesss
> the registry, I think it is what I aim. (
> DrivreA->DriverB->…MyDriver->Registry)
>


How will you be 100 % sure of that? Assume someone patches the OS code …
inserts his own code at the point where you hook … etc.
… You will never reveal those hacks by means of “legal” operations. I
am thinking now about the “Kernel Scope” from “Sybera”
and how they hack into the OS.


The OP implements some hook scheme to watch for registry activities.

The opponent implements a scheme that hooks his hook.

The OP implements a more elaborate scheme to unhook the hook hook.

The opponent …

Just like predator and prey. Seems to me that it is more or less the classic
Red Queen scenario.

It’s coming, in the new MS trusted computing initiative.

If so, I think many companies will be out of business. It seems like an NP
puzzle.

But at least I can do something to fool other drivers. Of course, there are
always tops who can fool my driver. I think it is the reason that all
software needs to be UPDATED!!!
LOL

Anthony

“benson” wrote in message news:xxxxx@ntdev…

The OP implements some hook scheme to watch for registry activities.

The opponent implements a scheme that hooks his hook.

The OP implements a more elaborate scheme to unhook the hook hook.

The opponent …

Just like predator and prey. Seems to me that it is more or less the classic
Red Queen scenario.

I have wondered if you are real or just trolling. No professional device
driver developer would spend so much time chasing a solution to the
non-existent problem. If you have a redistributable license to the
Microsoft source code, you might be able in a few years to modify the OS to
meet your requirements.

“Anthony” wrote in message news:xxxxx@ntdev…
>
> If so, I think many companies will be out of business. It seems like an NP
> puzzle.
>
> But at least I can do something to fool other drivers. Of course, there are
> always tops who can fool my driver. I think it is the reason that all
> software needs to be UPDATED!!!
> LOL
>
> Anthony
>
> “benson” wrote in message news:xxxxx@ntdev…
>
> The OP implements some hook scheme to watch for registry activities.
>
> The opponent implements a scheme that hooks his hook.
>
> The OP implements a more elaborate scheme to unhook the hook hook.
>
> The opponent …
>
> Just like predator and prey. Seems to me that it is more or less the
> classic Red Queen scenario.