I just wanna to know if there are some kind of a program that could stop me from running viruses, trojans and other bad stuff on a victim's PC. I am not speaking about anti-virual scanners/monitors, but about sandboxes, that contain a number of 'safe' API functions program can use, and prohibit to user 'dangerous'. That is similar to JAVA's JVM but for Windows programs in PE format.
Of course, I'm interested in source code (if possible).

And one more thing: where I can get information on writing debuggers and information on API interception?
Posted on 2002-08-24 17:08:58 by Maestro
DotNET Framework, but you have to only run CLR apps. :)
Posted on 2002-08-24 18:07:50 by bitRAKE
Yea, I know about .NET framework. But that is stupid really: there are many examples in the Internet how to bypass that security. So that is not what I need.
And whats about other applications that were built without CLR? They need some kind of other protection.
Posted on 2002-08-24 18:46:29 by Maestro
VMware?

This could be something for you. Basicly you can make a isolated environment where you can destroy the entire os and restore it again in a few mins since it's only based on 'container' files.

http://www.vmware.com/

I've heard in past the Antivirus developers also use it to explore new viruses instead of letting them run wild on their normal desktop machines.

// CyberHeg
Posted on 2002-08-25 02:26:18 by CyberHeg
If you have the space you could create a new partision and install the OS there.
Posted on 2002-08-25 06:54:22 by Kudos
The idea came to me? What is the purpose of creating 'unsafe' executables if we can create 'safe', that run in a isolated VM (like JVM) and can't completely destroy the system? Use some kind of leveling to provide the access to dangerous functions... What do you think? Will it work?
Posted on 2002-08-25 09:18:20 by Maestro
Maestro, that was the goal for the .NET Framework. :)
Can you post some links to how it is flawed?
Posted on 2002-08-25 09:25:14 by bitRAKE
1) See the www.securityfocus. com archive - I'va seen recently a post there.
2) The .NET uses PE format that have just a manifest at the end of a file. But I speak about inventing completely new format.
Posted on 2002-08-25 09:27:41 by Maestro
That site is hard to browse due to being busy, but I did find a patch I had not installed. I will look when I have more time. What is gained by a new file format? When it becomes popular it will be a target of bad people. As long as windows supports the old file formats the system is vulnerable to a malicious file being executed. The danger does not even have to come from an EXE that is run. I agree that an executable should be 'safe'.
Posted on 2002-08-25 10:06:05 by bitRAKE
VMWare would probably be the way to go, except that I've never had luck getting Windows 98 going on it. It ran but it was horribly slow. Otherwise there is nothing you can do about it.

You can't make a new partition on the same computer; tonnes of viruses screw with partition tables, and i'm sure some do lowlevel formats. And what happens if you get CIH? Then it will erase your bios, no matter what partition the OS is on. I haven't heard of any exploits to break through VMWARE to the host computer, nor have I seen any viruses to do it, so try VMWARE first.

I had that whole .NET framework going, but it was slow on my computer.
So far though, there isn't a managed .NET virus that I know of.

Though, if you make a new format and it becomes popular enuff, it'll be a new target for VXers.. for personal use it could work, but then you need something to run it that will be succeptible to viruses too right(?)
Posted on 2002-08-25 16:06:36 by matthew
I had that whole .NET framework going, but it was slow on my computer.


I think I heard of a .NET virus created by someone.
Posted on 2002-08-26 04:46:18 by roticv
Hi All


I stumbled upon an ASM compiler to .NET at http://home.worldonline.dk/viksoe/asmil.htm. I've not tried it yet but it claims to compile/assemble asm to MSIL. This obviously goes a long way to running asm in a sandbox type enviroment but I'm sure there are many many other applications.

Comments suggestions?
Posted on 2002-08-28 04:14:01 by timkempster
The best solution I have seen for viral attack if you are in some sense vulnerable is a BIOS that can easily be restored to its original settings and a bootable CD with a GHOST image on it.

My latest Intel board can be reset this way and a ghost image is a very good way to defeat any virus as long as you bother to set it up properly in the first place.

It means you have to do some sensible backup of your important box but that is good sense anyway as hardware failure can take you out much more than viral attack.

My own view is that a CLR will not solve the problem as even scripting is a source of viral/worm attack. If you can write to disk with the CLR, it is probably capable of being exploited somewhere.

Probably operating system redesign can reduce the vulnerabilities a lot but if a computer can do enough to be useful, it can probably be trashed somewhere along the line. If the OS was built into hardware and the hardware was designed to restore the rest of it if it was damaged, it would be very hard to attack but I doubt that will ever be done on domestic computers as it would kill a lot of the market.

Regards,

hutch@movsd.com
Posted on 2002-08-28 08:06:06 by hutch--