Assume i have a User accound on an NT based system. If i run my program on my account, but the program sets its tokens and puts itself in Ring-0, will it be running as a part of the OS. Will it have scope in a sense that its actions will be restricted by the account its been running on, or will it be as if the program is running under a ADMIN acc. Just curious. I have some operations in my program that need to be run from an admin account, that are restricted for general users. I set up the restrictions myself, but i am writing a nanny so to speak, so you can see my implementation. Also, could anyone show me HOW to setup a KMD which is as i understand, Ring-0. Thanx mates, Cheers!:alright:
Posted on 2003-10-21 23:32:39 by Snoopy2K
If you will manage to put something into Ring0 it will be running as a part of the OS itself with no restrictions. But the problem is that you may not run KMD or any ring0 stuff under User account.

Basic knowledge about KMD you can find here
Posted on 2003-10-22 00:20:26 by Four-F
sound like your going to have to make a service.. this way for one they cant kill your service unless they have the admin pass that is if you force the service to only have control from the admin account.. then you can make a program that talks to your service from the user account..
Posted on 2003-10-22 01:28:53 by devilsclaw
Well its like this. My program will be a standard exe, or a exe with a dll, that will be run via the registry when any given user loggs on. My program will run even if its the admin logging on. What i want, is essentially that my program cannot in any way be killed by the user, or even the admin without a password. This is a nanny, so if the people happen to crack the admin password, or see the admin typing it in, they still dont have control of the PC.
Furthermore, i want it to be able to set itself up no matter when it is run. So, it doesnt necessarily have to run at login. For example, if i just put the EXE and DLL into a folder and run it from a user account, i want it to still move itself into ring 0, and setup all of its attributes, even though it was initially run by a user, from a user account. Im trying to cover every possibility the users could do, in trying to break this nanny. Thanx for the feed back mates, cheers!
Posted on 2003-10-22 18:23:14 by Snoopy2K
personally i think you have other resons for this program than what your saying... there is no reason for it to be able to run with admin rights with out being admin.. unless your making a type of trojen or hacking tools.. but that just MO
Posted on 2003-10-22 19:06:38 by devilsclaw
A service (not KMD) is probably the way to go - and will have to be set up by an administrator account. Also, not allowing an administrator account to shut down the app? This does indeed sound fishy.
Posted on 2003-10-23 04:27:44 by f0dder

if i just put the EXE and DLL into a folder and run it from a user account, i want it to still move itself into ring 0, and setup all of its attributes

no legitimate tool has such needs. Legitimate tools are run by administrators who have administrative access. If you're thinking "I'll help my admins with this" , don't. You'll only get yourself in trouble (possibly fired if it's at work) and you'll never get peace with them again.
Posted on 2003-10-23 04:56:14 by Hiroshimator
Apparently none have you have been to a modern high school. They have installed all sorts of malicious things on our computers including key loggers, viruses, trojans, and the like. Getting the admin password, i suppose, would be very easy to do, for some of them. Most highschools nowadays have shitty run down computers, that can barely do what you want them to OR macs. We have top of the line, 2.2ghz computers, 512 ram, the whole shananagin. About 300 of them at that. All of them run XP. We host our own website on an on-campus server, we have file and application servers, and every teacher has their own computer. All the grades are stored on the servers, along with student information and records. Every student has a directory shared to the entire network that they can save their work on, and access at any point in the network. With this kind of resources, and this volume of information, you need to be very careful and very touchy. Times are changing, technology is changing, and the programs need to change as well to fit the hardware. Our net nanny has been hit uncountable amount of time. We currently use Fortress as our access restriction program. For the most part, its flawless. But we have been logging an enormous amount of hits to it.
In short, im patching the few flaws that the Fortress has. Im on the good side, trying to prevent all the shmucks who think they are "1337 h4x0rs" from breaking this multi million dollar technology. We have several server admins and desktop technicians on payroll. But 1000+ plus students its a little much, it seems, for a few techs. I hope this brief explanation of my goal has cleared any doubts you have. Thanks again!
Posted on 2003-10-23 20:07:31 by Snoopy2K
well tell you this NT is not safe anymore... since i have software that can reset the admin pass on any NT based OS... but if you file protect your files and not give out your passwords like smart people you would not have problems... i worked for the schools about a year ago and its almost always the teachers fault for trusting someone.. also the tech fault for not keeping upto date on stuff...

there are alot of ways to protect the system and not have problems with out that type of software..
Posted on 2003-10-23 20:32:57 by devilsclaw
I completely agree with you, and i thank you for taking into consideration that i might be doing something malicious. Again, that isnt the case. I agree with you, aswell, that its usually stupid errors which get people in trouble (acc. sharing, teacher sharing, and the like), but that doesnt mean we shouldnt protext against it. Thanx for the thought though.

So anyway, is there anyway what im saying can be done, or is this a little much. Perhaps some suggestions on redesign would be good. Im just trying to cover the most probable scenarios.

I forgot to menchin as well, some kids have found the LOCAL admin password on some of the machines. Probably some of my techs typing in clear view. So now some of the kids have control of one or two computers. As i said, their local accounts so the network is at risk. But having an admin account, period, is bad news. They can do stuff like registry entry, and virus propagation. I dont need to tell you what can be done, as we have all seen what head strong teenagers can do. That is the main reason why i wanted to have the admin bit, but its less than necessary. Right now i just want to get it either KMD or registered process. I need some code examples, as the NT based API is not exactly the same as older ME/98SE so forth API. Examples or raw code are great. Thanx again!
Posted on 2003-10-24 01:35:36 by Snoopy2K