Trapping

Hi all,

I want to get control if anybody sets a breakpoint dynamically in any debugger? Is it possible to trap the int 3 interrupt for checking these?

Regards,
Satish K.S


You are currently subscribed to ntfsd as: $subst(‘Recip.EmailAddr’)
To unsubscribe send a blank email to leave-ntfsd-$subst(‘Recip.MemberIDChar’)@lists.osr.com

Hook interrupt 3 directly in the IDT, overwriting the debugger hook. Be careful with chaining, if needed. Watch out for SMP: every CPU has its own IDT in NT.
----- Original Message -----
From: Satish
To: File Systems Developers
Sent: Wednesday, May 02, 2001 1:52 PM
Subject: [ntfsd] Trapping

Hi all,

I want to get control if anybody sets a breakpoint dynamically in any debugger? Is it possible to trap the int 3 interrupt for checking these?

Regards,
Satish K.S


Can u give me some sample or link for this please.

Regards,
Satish K.S

----- Original Message -----
From: danp
To: File Systems Developers
Sent: Wednesday, May 02, 2001 5:48 PM
Subject: [ntfsd] Re: Trapping

Hook interrupt 3 directly in the IDT, overwriting the debugger hook. Be careful with chaining, if needed. Watch out for SMP: every CPU has its own IDT in NT.

http://www.wdj.com/articles/2000/0002/0002a/0002a.htm

There are better ways to hook interrupts in an SMP-compliant way than this, but this is on the edge of “legality” and does not use any undocumented hacks.
----- Original Message -----
From: Satish
To: File Systems Developers
Sent: Wednesday, May 02, 2001 3:27 PM
Subject: [ntfsd] Re: Trapping

Can u give me some sample or link for this please.

Regards,
Satish K.S


Thank u, I will try this.

Regards,
Satish K.S

----- Original Message -----
From: danp
To: File Systems Developers
Sent: Wednesday, May 02, 2001 6:39 PM
Subject: [ntfsd] Re: Trapping

http://www.wdj.com/articles/2000/0002/0002a/0002a.htm

There are better ways to hook interrupts in an SMP-compliant way than this, but this is on the edge of “legality” and does not use any undocumented hacks.

Hello Satish,
You can get hardware breakpoints too by using the protection bit (I
forget its name (GD?)) of dr7. This will allow you to control access
to the breakpoint registers. Alternatively you could hook interrupt 1
as well as 3.

Regards,
Anders
Wednesday, May 02, 2001, 7:19:55 AM, you wrote:

S> Thank u, I will try this.

S> Regards,
S> Satish K.S



Best regards,
Anders mailto:xxxxx@flaffer.com
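
An added example, not part of Anders's post or of any code from the list: the two mechanisms he mentions meet in DR7. GD is bit 13; when it is set, any MOV to or from a debug register raises the debug exception (interrupt 1), and the CPU clears GD on entry to that handler. The decoder below reads a raw DR7 value, as found in a saved thread context, and reports GD and the armed breakpoint slots; the sample value and all struct and function names are constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>

/* Added example; struct and function names are illustrative. */
#define DR7_GD (1u << 13)  /* general detect: MOV to/from DRn raises #DB */

struct dr7_slot {
    int enabled;         /* L<n> or G<n> is set */
    unsigned rw;         /* 0 = execute, 1 = write, 2 = I/O, 3 = read/write */
    unsigned len_bytes;  /* size of the watched region */
};

struct dr7_info {
    int gd;              /* debug registers are access-protected */
    int active;          /* number of armed breakpoint slots */
    struct dr7_slot slot[4];
};

/* Decode a raw DR7 value using the architectural bit layout. */
struct dr7_info dr7_decode(uint32_t dr7)
{
    /* LEN encoding: 00 = 1, 01 = 2, 10 = 8 (newer CPUs only), 11 = 4 bytes */
    static const unsigned len_map[4] = { 1, 2, 8, 4 };
    struct dr7_info out = { 0 };

    out.gd = (dr7 & DR7_GD) != 0;
    for (int n = 0; n < 4; n++) {
        unsigned enable = (dr7 >> (2 * n)) & 3u;      /* L<n> | G<n> */
        unsigned ctl = (dr7 >> (16 + 4 * n)) & 0xFu;  /* LEN<n>:R/W<n> */

        out.slot[n].enabled = enable != 0;
        out.slot[n].rw = ctl & 3u;
        out.slot[n].len_bytes = len_map[ctl >> 2];
        out.active += out.slot[n].enabled;
    }
    return out;
}

int main(void)
{
    static const char *rw_name[4] = { "execute", "write", "I/O", "read/write" };
    /* Constructed sample: L0, reserved bit 10, GD, R/W0 = write, LEN0 = 4 bytes */
    struct dr7_info d = dr7_decode(0x000D2401u);

    printf("GD=%d armed=%d\n", d.gd, d.active);
    for (int n = 0; n < 4; n++)
        if (d.slot[n].enabled)
            printf("DR%d: %s, %u byte(s)\n", n,
                   rw_name[d.slot[n].rw], d.slot[n].len_bytes);
    return 0;
}
```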



Anders, and especially Satish:

what kind of encryption is that that relies on an attacker being unable
to debug the driver? First law of cryptography: Always assume that your
attacker has access to everything except the secret (key, whatever)
itself. Attempts to fool with the IDT or the DR regs, for instance, will
be a waste of time against an ICE; even if one is only being debugged in
the regular manner, it is a bit cheeky to assume that one’s attacker is
so stupid as to permit you to overwrite the IDT. That works on the first
attempt, but from then on …

IMNSHO, you (Satish in this case) would be much better served by
concentrating your efforts where they do count – selecting a decent
encryption algorithm suited to your users’ needs, and making sure that
your implementation doesn’t leak secrets. Any time saved can be
profitably invested into making sure that your FSF or FSD doesn’t fail
when stacked with notorious offenders like anti-virus software.

Cheers,
Felix.

-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com]On Behalf Of Anders Fogh
Sent: Thursday, May 03, 2001 7:17 AM
To: File Systems Developers
Subject: [ntfsd] Re: Trapping

Hello Satish,
You can get hardware breakpoints too by using the protection bit (I
forget its name (GD?)) of dr7. This will allow you to control access
to the breakpoint registers. Alternatively you could hook interrupt 1
as well as 3.

Regards,
Anders

Thank u. I will continue after my Encryption Implementation.

Can u give me some link which explains encryption algorithms from the basics?

Regards,
Satish K.S


Schneier, Bruce
Applied Cryptography, Second Edition, 1996
John Wiley and Sons



Oh, there’s a lot of them out there.

Try:
http://www.counterpane.com
http://www.rsa.com
http://www.cerias.purdue.edu/coast/hotlist/ (HUGE!)


Bartjan.

At 06:05 PM 5/3/01 +0530, you wrote:

Can u give me some link which explains encryption algorithms from the basics?



A decent starting point is:

Applied Cryptography: Protocols, Algorithms, and Source Code in C, 2nd
Edition
Bruce Schneier
ISBN: 0471117099
John Wiley & Sons


Dan

-----Original Message-----
From: Satish [mailto:xxxxx@aalayance.com]
Sent: Thursday, May 03, 2001 8:35 AM
To: File Systems Developers
Subject: [ntfsd] Re: Trapping

Thank u. I will continue after my Encryption Implementation.

Can u give me some link which explains encryption algorithms from the basics?

Regards,
Satish K.S


Buy a copy of the book “Applied Cryptography” by Bruce Schneier.

Shaun

P.S. I totally agree with what Felix said (and I was trying to point out
in earlier posts) - the encryption should stand up on its own. Without
secure tamper-proof hardware, you can’t possibly prevent your code being
debugged by someone who is determined enough.

Satish wrote:
>Thank u. I will continue after my Encryption Implementation.
>
>Can u give me some link which explains encryption algorithms from the basics?
>
>Regards,
>Satish K.S

Thanks u allllllllllllllllllllll.

Regards,
Satish K.S

----- Original Message -----
From: “Shaun”
To: “File Systems Developers”
Sent: Thursday, May 03, 2001 7:20 PM
Subject: [ntfsd] Re: Trapping

> Buy a copy of the book “Applied Cryptography” by Bruce Schneier.
>
> Shaun
>
> P.S. I totally agree with what Felix said (and I was trying to point out
> in earlier posts) - the encryption should stand up on its own. Without
> secure tamper-proof hardware, you can’t possibly prevent your code being
> debugged by someone who is determined enough.