WPF question

Under WPF, I would like to know -

  1. Who monitors the file changes, when the registry setting for protection
    of known trusted components is enabled (default setting)? (If I try to
    replace a file in that repository, a service replaces it within 1 or 2 sec)

  2. Can the monitor be killed or terminated? If yes, system should be
    stopped from doing most of the work otherwise there is a hole?

-prokash

> ----------
> From: xxxxx@vormetric.com[SMTP:xxxxx@vormetric.com]
> Reply To: xxxxx@lists.osr.com
> Sent: Thursday, May 29, 2003 8:05 PM
> To: xxxxx@lists.osr.com
> Subject: [ntdev] WPF question
>
> Under WPF, I would like to know -
>
>   1. Who monitors the file changes, when the registry setting for protection
>     of known trusted components is enabled (default setting)? (If I try to
>     replace a file in that repository, a service replaces it within 1 or 2 sec)

There is a thread which probably registers directory change notification for
protected directories.

>   2. Can the monitor be killed or terminated? If yes, system should be
>     stopped from doing most of the work otherwise there is a hole?

Yes. No, system continues running. Search archives for “sfc”, there was a
discussion about it month before or so. Alternatively, examine all sfc*.dll
files in system32 directory.

BTW, your message is the first one from ntdev I received today. Using web
interface there is at least 15 I missed. Something wrong with listserver?

Best regards,

Michal Vodicka
STMicroelectronics Design and Application s.r.o.
[michal.vodicka@st.com, http://www.st.com]

Thanx Michal,

As per your note, it seems like the monitor is killable (terminable), then I
need to hash out what and how the system would behave…

The reason for this is to tackle the man-in-the-middle attack on those
trusted components, so that we can have a central control, without going
thru the checksumming etc. of the components…

-prokash
You are currently subscribed to ntdev as: xxxxx@vormetric.com
To unsubscribe send a blank email to xxxxx@lists.osr.com

> The reason for this is to tackle the man-in-the-middle attack on those
> trusted components, so that we can have a central control, without going
> thru the checksumming etc. of the components…

Just rename all of the CAB files which store the drivers to restore and
watch what happens. The system functions normally in my experience.

If you really are concerned about this, I suppose you will have to be
concerned about those cab files being tampered with as well, hmm?


Bill McKenzie
Compuware Corporation
Watch your IRPs/IRBs/URBs/SRBs/NDIS pkts with our free WDMSniffer tool:
http://frontline.compuware.com/nashua/patches/utility.htm
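A small model of the mechanism described in the two answers above (a watcher that hashes trusted files, notices a replacement or deletion, and restores the file from a cache copy, refusing a cache copy that has itself been tampered with). This is an added illustration in Python, not SFC's or WFP's own code; the directory names, file names and contents are constructed, and a real watcher would react to a directory change notification rather than being polled by a check() call.

```python
"""Toy model of a file-protection watcher (added illustration, not SFC/WFP code).
Trusted files are hashed and cached; check() finds files that changed or vanished
and restore() puts them back from the cache. Like the real watcher thread this is
user-mode code, so an administrator can terminate it, which is the thread's point."""
import hashlib
import shutil
import tempfile
from pathlib import Path


def sha256_of(path: Path) -> str:
    return hashlib.sha256(path.read_bytes()).hexdigest()


class ProtectionWatcher:
    """Tracks trusted files in `protected`; pristine copies live in `cache`."""

    def __init__(self, protected: Path, cache: Path) -> None:
        self.protected, self.cache = Path(protected), Path(cache)
        self.baseline: dict = {}

    def take_baseline(self) -> dict:
        """Hash every protected file and copy it into the cache (trusted source)."""
        self.cache.mkdir(parents=True, exist_ok=True)
        for path in sorted(self.protected.iterdir()):
            if path.is_file():
                self.baseline[path.name] = sha256_of(path)
                shutil.copy2(path, self.cache / path.name)
        return dict(self.baseline)

    def check(self) -> dict:
        """Return {name: reason} for each baseline file that no longer matches."""
        findings = {}
        for name, digest in self.baseline.items():
            current = self.protected / name
            if not current.is_file():
                findings[name] = "missing"
            elif sha256_of(current) != digest:
                findings[name] = "modified"
        return findings

    def restore(self) -> list:
        """Restore tampered files from the cache, but never from a cache copy that
        fails its own hash check (the CAB-file caveat raised in the thread)."""
        restored = []
        for name in self.check():
            cached = self.cache / name
            if cached.is_file() and sha256_of(cached) == self.baseline[name]:
                shutil.copy2(cached, self.protected / name)
                restored.append(name)
        return restored


def demo() -> tuple:
    """Constructed scenario: tamper with protected files, then detect and restore."""
    with tempfile.TemporaryDirectory() as tmp:
        protected, cache = Path(tmp) / "system32", Path(tmp) / "dllcache"
        protected.mkdir()
        for name, body in (("trusted_a.dll", b"A" * 32), ("trusted_b.dll", b"B" * 32)):
            (protected / name).write_bytes(body)
        watcher = ProtectionWatcher(protected, cache)
        watcher.take_baseline()
        (protected / "trusted_a.dll").write_bytes(b"replaced by something else")
        (protected / "trusted_b.dll").unlink()
        before, restored = watcher.check(), watcher.restore()
        after = watcher.check()
        # Tamper with both the file and its cache copy: restore must refuse it.
        (protected / "trusted_a.dll").write_bytes(b"tampered again")
        (cache / "trusted_a.dll").write_bytes(b"cache tampered too")
        return before, restored, after, watcher.restore()
```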


Admin rights are necessary to kill SFC watcher thread and when an intruder
has admin rights, all bets are off. Admin can start a kernel driver which
can do virtually anything including image changes in memory or loading faked
images.

Best regards,

Michal Vodicka
STMicroelectronics Design and Application s.r.o.
[michal.vodicka@st.com, http://www.st.com]



thanx bill, michal.

It looks like the gate to guard is admin privilege, assuming that w/o admin
priv. the monitor would be alive and ticking !!

Any pointer on redirecting admin hacks, how could we make another
indirection to make it harder to hijack admin power.

Seems like time to hit some security books. I’ve seen and studied quite a
bit on the kernel and user space security, though by no means an expert, and
consequently still thinking that there must be a way to make it a bit harder.

thanx
prokash


It should be impossible to hijack admin access without physical access
to the computer, assuming a well-chosen passphrase. If it is, then it’s
a kernel bug. Microsoft has fixed many of these over the years.

- Nick Ryan


Nick,

Yes, you're right, since MS now have an ongoing effort for security, also they
lately put out quite a bit of stuff on the web to follow, actually there was
an article also on msdn about 10 things to do (or something) to secure …

So there is no denial of that, but I’ve seen hacks to get some of services
down from net-attached machines, so I think I have to have a bit better
understanding and clarity on this area.

Assessing and somewhat quantifying would be my next endeavor, since this is
pretty serious business I suppose.

-prokash
