Steps to send an IRP to FS

Hi All,

I searched a lot, but it seems that either I am confused or somehow not able to see something obvious.

I created and sent an IRP to the NTFS driver, but the outcome was not success.

It returns 0xC0000033L, which is "invalid object name".

Before the IoCallDriver call I created the source file object and set it like:
irpSp->FileObject = Source File Object

My point of confusion is whether this is an appropriate statement or not. Am I assigning the source file object to the correct field? If not, where should it go?

Thanks for any information.
Aditya

So many questions, so little information…

Which major function? What other fields in the IRP have you set up? What
about the irpSp? Any flags? Any buffers?

I would start by trying against a debug build of FAT and walking the code
path until I see why it is whining…

Rod

Actually I posted the code in my last post, but that made the post too long to get any attention. So I thought a small post would be good, and in that attempt I missed all the information.

Following is the code. I excluded all error checks to make it short. I am getting the device pointer using the ObReferenceObjectByName API.

IrpSize = IoSizeOfIrp( pDevicePre->StackSize+1 );

Irp = ExAllocatePool(NonPagedPool, IrpSize);
IoInitializeIrp(Irp, IrpSize, pDevicePre->StackSize+1);

RtlInitUnicodeString( &TargetStr, L"\\Device\\HarddiskVolume1\\aditya\\abc.txt" );
InitializeObjectAttributes( &obj, &TargetStr, OBJ_CASE_INSENSITIVE, 0, 0 );

status = ZwOpenFile( &hFileHandle, STANDARD_RIGHTS_READ|DELETE, &obj, &IoStatus, FILE_SHARE_READ, FILE_NON_DIRECTORY_FILE );

status = ObReferenceObjectByHandle( hFileHandle, GENERIC_READ|DELETE, NULL, KernelMode, &pIrpFileObj, NULL );

Irp->Tail.Overlay.Thread = PsGetCurrentThread();
Irp->RequestorMode = KernelMode;
Irp->UserIosb = &ioStatusBlock;
Irp->UserEvent = NULL;
Irp->Flags = IRP_SYNCHRONOUS_API;
irpSp = IoGetNextIrpStackLocation( Irp );
irpSp->MajorFunction = IRP_MJ_SET_INFORMATION;
irpSp->FileObject = pIrpFileObj; /* set it to the source file object */

/* FILE_RENAME_INFORMATION ends in a variable-length FileName; the buffer is sized
   with the old name, which has the same length as the new one */
pRenameInfo = ExAllocatePool( NonPagedPool, sizeof(FILE_RENAME_INFORMATION) + wcslen( L"\\Device\\HarddiskVolume1\\Aditya\\abc.txt" )*sizeof(WCHAR) );

pRenameInfo->ReplaceIfExists = FALSE;
pRenameInfo->RootDirectory = NULL;
pRenameInfo->FileNameLength = wcslen( L"\\Device\\HarddiskVolume1\\Aditya\\xyz.txt" )*sizeof(WCHAR); /* in bytes */
wcscpy( pRenameInfo->FileName, L"\\Device\\HarddiskVolume1\\Aditya\\xyz.txt" );

irpSp->Parameters.SetFile.Length = sizeof(FILE_RENAME_INFORMATION) + wcslen( L"\\Device\\HarddiskVolume1\\Aditya\\abc.txt" )*sizeof(WCHAR);

irpSp->Parameters.SetFile.FileInformationClass = FileRenameInformation;
irpSp->Parameters.SetFile.FileObject = NULL;
irpSp->Parameters.SetFile.ReplaceIfExists = FALSE;

Irp->AssociatedIrp.SystemBuffer = pRenameInfo; /* FileInformation */

IoSetCompletionRoutine( Irp, SpyQueryCompletion, &IoEvent, TRUE, TRUE, TRUE );

status = IoCallDriver( pDevicePre, Irp ); // This returns 0xC0000033L

Any pointers will help,

Thanks
Aditya

Why not use ZwSetInformationFile() with an InformationClass of
FileRenameInformation? It takes away all the guesswork of rolling your own.

Mark.

At 15:58 12/01/2009, xxxxx@gmail.com wrote:


NTFSD is sponsored by OSR

For our schedule debugging and file system seminars
(including our new fs mini-filter seminar) visit:
http://www.osr.com/seminars

You are currently subscribed to ntfsd as: xxxxx@muttsnuts.com
To unsubscribe send a blank email to xxxxx@lists.osr.com

  • use IoAllocateIrp function!
  • use OBJ_KERNEL_HANDLE in InitializeObjectAttributes
  • check error status codes (ExAllocatePool, IoAllocateIrp, ZwOpenFile, …)
  • invalid 3rd ObReferenceObjectByHandle parameter (use *IoFileObjectType)
  • you didn’t initialize all Irp/IrpSp parameters, or if you did, incorrectly
    (e.g. Irp->UserEvent, Irp->Tail.Overlay.OriginalFileObject, …)

According to the filenames, your rename operation is called a “fully qualified
rename”, and your values are:

irpSp->FileObject = pIrpFileObj /*Set it to source file object*/;
pRenameInfo->RootDirectory = NULL;
irpSp->Parameters.SetFile.FileObject = NULL;

but the last parameter cannot be NULL; read the WDK and the “Cracking Rename
Operations” article on the OSR Online website.

-pk

-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of
xxxxx@gmail.com
Sent: 12 January 2009 16:58
To: Windows File Systems Devs Interest List
Subject: RE:[ntfsd] Steps to send a IRP to FS


There are lots of reasons to not use ZwSetInformationFile, most of them
have to do with implementing or working around/removing rootkits.

Anyway, I think there is some business with setting the
‘SetFile.FileObject’ to the parent of the target if conducting a fully
qualified rename.

t.

On Mon, 12 Jan 2009, Mark S. Edwards wrote:

Why not use ZwSetInformationFile() with an InformationClass of
FileRenameInformation ? It takes away all the guess work or rolling your
own.

Mark.

At 15:58 12/01/2009, xxxxx@gmail.com wrote:

> Why not use ZwSetInformationFile()

This code will be used to rename a malware file which may have hooked this API or have some filter driver on the stack to deny the request. We are also checking for NTFS entry point hooking and will use this IRP to send a rename request to NTFS only if it is not hooked.

I hope I made it clear.

Aditya

@Petr Kurtin

> use IoAllocateIrp function!
Ok, so are there any shortcomings of using ExAlloc and InitializeIrp?

> use OBJ_KERNEL_HANDLE in InitializeObjectAttributes
Ok

> check error status codes (ExAllocatePool, IoAllocateIrp, ZwOpenFile, …)
It’s already there; I excluded this to make it readable.

> invalid 3rd ObReferenceObjectByHandle parameter (use *IoFileObjectType)
Ok, I left it intentionally, as I specified KernelMode.

> you didn’t initialize all Irp/IrpSp parameters, or if yes, so incorrectly
Yes, even I am suspecting this.

> according to filenames, your rename operation is called “fully qualified
> renames”, and your values are:
> irpSp->FileObject = pIrpFileObj /*Set it to source file object*/;
> pRenameInfo->RootDirectory = NULL;
> irpSp->Parameters.SetFile.FileObject = NULL;
> but the latest parameter cannot be NULL;

YES, this is a mistake, I interpreted the WDK incorrectly. Thank you very much for pointing this out.

Thanks for your time
Aditya
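The point this thread converges on (pk’s note that Parameters.SetFile.FileObject cannot be NULL for a fully qualified rename, together with the sizing of FILE_RENAME_INFORMATION in the posted code) can be checked outside the kernel. The following is an added example, not code from this thread, from OSR or from the WDK: it mirrors the documented field order of FILE_RENAME_INFORMATION in portable user-mode C (an assumption made so the arithmetic runs offline; the real definition comes from the WDK headers, and WCHAR is mocked as a 16-bit unit to match Windows), builds the rename buffer with FileNameLength in bytes, classifies the rename as simple, relative or fully qualified, and applies the bounds check a file system or filter performs on the SystemBuffer before trusting FileNameLength. All function names and the device path below are constructed for the example; only the structure field names come from the thread.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* User-mode mirrors of the WDK types (assumption for an offline test; the
 * real definitions live in the WDK headers and must be used in a driver). */
typedef uint16_t WCHAR;        /* UTF-16 code unit, 2 bytes, as on Windows */
typedef void    *HANDLE;
typedef uint32_t ULONG;

typedef struct {
    unsigned char ReplaceIfExists;   /* BOOLEAN */
    HANDLE        RootDirectory;     /* NULL unless the rename is relative */
    ULONG         FileNameLength;    /* in BYTES, not characters, no terminating NUL */
    WCHAR         FileName[1];       /* variable-length tail */
} FILE_RENAME_INFORMATION;

typedef enum {
    RENAME_SIMPLE,           /* no separator, RootDirectory NULL: SetFile.FileObject may be NULL */
    RENAME_RELATIVE,         /* RootDirectory set: target directory file object required */
    RENAME_FULLY_QUALIFIED   /* name contains '\': target directory file object required */
} rename_kind_t;

/* Build a FILE_RENAME_INFORMATION buffer from an ASCII path (constructed
 * input; a driver would copy a UNICODE_STRING). Returns NULL on failure;
 * *total_bytes receives the value to place in Parameters.SetFile.Length. */
FILE_RENAME_INFORMATION *build_rename_info(const char *ascii_name, HANDLE root,
                                           int replace_if_exists, size_t *total_bytes)
{
    size_t chars = strlen(ascii_name);
    /* offsetof() rather than sizeof(): sizeof already counts FileName[1].
     * One extra code unit keeps a terminating NUL for wide-string debugging aids. */
    size_t bytes = offsetof(FILE_RENAME_INFORMATION, FileName) + (chars + 1) * sizeof(WCHAR);
    FILE_RENAME_INFORMATION *ri = calloc(1, bytes);
    if (ri == NULL)
        return NULL;

    ri->ReplaceIfExists = replace_if_exists ? 1 : 0;
    ri->RootDirectory   = root;
    ri->FileNameLength  = (ULONG)(chars * sizeof(WCHAR));      /* bytes, NUL excluded */
    for (size_t i = 0; i < chars; i++)
        ri->FileName[i] = (WCHAR)(unsigned char)ascii_name[i];  /* ASCII -> UTF-16 */
    ri->FileName[chars] = 0;

    *total_bytes = bytes;
    return ri;
}

/* Classify a rename buffer the way the I/O manager and the OSR "Cracking
 * Rename Operations" article describe: a rename is simple only when there is
 * no RootDirectory and the new name carries no path separator. */
rename_kind_t classify_rename(const FILE_RENAME_INFORMATION *ri)
{
    if (ri->RootDirectory != NULL)
        return RENAME_RELATIVE;
    size_t chars = ri->FileNameLength / sizeof(WCHAR);
    for (size_t i = 0; i < chars; i++)
        if (ri->FileName[i] == (WCHAR)'\\')
            return RENAME_FULLY_QUALIFIED;
    return RENAME_SIMPLE;
}

/* Only a simple rename may leave Parameters.SetFile.FileObject NULL; every
 * other kind needs the target directory's file object there. */
int target_dir_file_object_required(const FILE_RENAME_INFORMATION *ri)
{
    return classify_rename(ri) != RENAME_SIMPLE;
}

/* Validation a file system (or a filter inspecting the IRP) applies before
 * trusting FileNameLength: the buffer must hold the fixed header, the declared
 * length must be a whole number of WCHARs, and it must fit inside SetFile.Length. */
int rename_info_is_well_formed(const FILE_RENAME_INFORMATION *ri, size_t set_file_length)
{
    size_t header = offsetof(FILE_RENAME_INFORMATION, FileName);
    if (set_file_length < header)
        return 0;
    if (ri->FileNameLength % sizeof(WCHAR) != 0)
        return 0;
    if (ri->FileNameLength > set_file_length - header)
        return 0;
    return 1;
}

int main(void)
{
    size_t len = 0;
    /* Constructed path in the style of the thread; not a real target. */
    FILE_RENAME_INFORMATION *ri = build_rename_info(
        "\\Device\\HarddiskVolume1\\Aditya\\xyz.txt", NULL, 0, &len);
    if (ri == NULL)
        return 1;
    printf("SetFile.Length=%zu FileNameLength=%u kind=%d needs target dir FO=%d\n",
           len, (unsigned)ri->FileNameLength, (int)classify_rename(ri),
           target_dir_file_object_required(ri));
    free(ri);
    return 0;
}
```

classify_rename() is a decision aid for the code that builds the IRP: whenever it returns anything other than RENAME_SIMPLE, the caller has to open the target directory and place its file object in Parameters.SetFile.FileObject, which is exactly the field the posted code left NULL. rename_info_is_well_formed() is the receiving side’s view: a file system that trusts FileNameLength without checking it against SetFile.Length reads past the SystemBuffer.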


> invalid 3rd ObReferenceObjectByHandle parameter (use *IoFileObjectType)

Not necessary for requestor mode = Kernel mode.

> you didn’t initialize all Irp/IrpSp parameters, or if yes, so incorrectly
> (e.g. Irp->UserEvent, Irp->Tail.Overlay.OriginalFileObject, …)

Irp->UserEvent and Irp->Tail.Overlay.OriginalFileObject belong to the I/O
manager; you should not modify these fields actually.
Look for the documented fields of the IRP in the MSDN, this is my
recommendation; it will clear things up.

Look at this article (http://www.osronline.com/article.cfm?id=85 ) to see
more about rename operations.

-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of Petr Kurtin
Sent: Monday, January 12, 2009 6:20 PM
To: Windows File Systems Devs Interest List
Subject: RE: [ntfsd] Steps to send a IRP to FS


> Irp = ExAllocatePool(NonPagedPool, IrpSize);
> IoInitializeIrp(Irp, IrpSize, pDevicePre->StackSize+1);

IoAllocateIrp is correct instead of both of these.

> Irp->UserIosb = &ioStatusBlock;
> Irp->UserEvent = NULL;

Do not ever touch these IRP fields.


Maxim S. Shatskih
Windows DDK MVP
xxxxx@storagecraft.com
http://www.storagecraft.com

> There are lots of reasons to not use ZwSetInformationFile, most of them
> have to do with implementing or working around/removing rootkits.

??? What if the rootkit has hooked NTFS’s dispatch table?

I do not think it is possible at all to work around an existing installed rootkit. The recovery environment boot CD should be used for this.


Maxim S. Shatskih
Windows DDK MVP
xxxxx@storagecraft.com
http://www.storagecraft.com

Max,

You miss a critical part of modern security - it MUST create the
illusion of doing something useful in order to further its mission in
life. Everyone “in the know” fully understands that this is an arms
race (I call the system call directly, so you patch the SSDT, so I walk
the PE header to find the original function and invoke it, so you patch
the PE header, so I add checksums to detect it and a shadow copy to walk
when you do that, so you figure out how to modify my checksum or spoof
my algorithm and modify my shadow copy, so I figure out how to send it
to a remote machine that I “trust” so you figure out how to virtualize
me and create a “man in the middle” attack so I trust you, etc.)

The absolute beauty of security is that you can justify doing most
anything by invoking it, and you are guaranteed that no matter what you
do, you’ll always have to do more. The ultimate in job security…

Personally, I’m surprised we haven’t seen people asking (yet) about
hooking into the OS enlightenments to build yet more layers of
security/rootkit software (I find it difficult to ascertain the precise
difference at times.) No doubt it’s just a matter of time.

Two units of code operating in the same address space with the same
privileges cannot “outsmart” one another.

Tony
OSR

+1

Sadly, I know a few people who have asked about hooking OS
enlightenments and some other similarly self-propagating silliness.

Security is in my mind a paradigm of what happens when an academic subject
becomes ‘sexy,’ for lack of a better word. The reason I think that it is
academic is because you can’t prove anything either way, so it’s given
to people making bold assertions, based entirely on assumptions that are
never technical and unstated, and when these are pointed out, only then
do you hear that ‘more research is required.’ I think it’s ‘sexy’ just
because it’s in the news, and of course the scare tactics involved
generate huge amounts of capital behind it. The net result, I think, is
a standard at this point - whip everyone into a frenzy and then bring
in the academics, because there is no answer, and they at least have
credentials, run the scam for as long as you can, and in the end, turn
around and blame them, and go the other way with it. For example,
that’s what I think we’ve been doing with Economists since shortly after
WWII, when the GI Bill - overall a HUGE win here in the States -
inspired Academia to diversify, which turned wonderful Academic subjects
that had potential appeal like Economics into ‘science.’ Unless I’m
missing something, no one is able to say what $1 will be worth in 5
minutes, asking the question in the other direction doesn’t even make
sense, so I fail to see how, say, Alan Greenspan or anyone else could
possibly say anything useful about a totally synergistic system the
size of the ‘Economy.’ He was THE answer for however many years, and
now of course he’s THE cause, at least according to the news. The other
thing is that for the most part, they are employed by the FED and
Academia, which are united by their lack of having to operate for a
profit. As far as security goes, people testify all the time before
Congress about things no one could possibly know the answer to, and
eventually, they too will be labeled the problem, I think.

I think that what will be the inversion point in the absurd spending
that goes on presently in the name of ‘security’ is data privacy.
Unlike, say, putting an AV on a desktop, issues with DP are real, really
happen, really do put out people’s lights, and you really can do
something about them, so eventually, people will see this and be forced
to choose between the two. However, at the moment, at least my
experience has been that people look at me like I’m out of my mind when
I suggest this, and when I give them some examples, then they definitely
don’t want to talk about it, because what they can do about it is all
about policy, which is hard, inconvenient, not sexy, and not fun, or at
least not as fun and sexy as saying that you have some AI based scanner
which will filter everything looking for IP and so forth, so there’s no
need for those that make these sorts of decisions to have to do anything
that they will take a lot of shit for, like making people do their jobs
differently, so I’m not saying it will get better, just different.

There are people out there who I think address these subjects
effectively and most importantly profitably, but they are few and far
between, because it’s hard, hard to get funded, and pisses people off -
figure out what you want to secure; figure out what it’s worth; spend that
much or less. Most people, and almost all ‘security consultants,’ will
balk at doing this, because there is no way to really say what
something’s worth, etc., which is true to some extent, except that by
writing a check for their services, you have given it a definite cost,
whether or not it is an accurate assessment of its value.

> Two units of code operating in the same address space with the same
> privileges cannot “outsmart” one another.

People simply do not believe me when I tell them this, which is fair
enough, but what I just don’t understand is why they think both that my
opinion is some form of heresy and that they have a bunch of ‘research’
to back their opinion. They do have a bunch of academic research, but it
all says the same thing - give me more money. The way I see it, the books
on this one were pretty much closed before the computer was even a
thing. Gödel’s theorem - the axioms of a system cannot be used to
establish their own self-consistency. That’s the particular flavor of
this problem that I encounter most - determining the integrity of
untrusted code - and they are sure that any day now, they’ll have an
answer. I’m told that they have been working on it since at least 1998.

mm
