Hi people,
Looking around the net I've seen a lot of posts about how to hook CreateProcess() or other APIs. I have made a prog which does just this and need a few people to test it. It's a file execution protection system which will only allow certain authorised programs to run. It simply gathers a list of all the executable files that are currently on the system and compiles all of the names and hashes into a file. When the driver runs it will read this file and will not allow any other program to run other than those in the list. Each file is hashed so that simply renaming an unauthorised file to one which is authorised will not work. The driver can be loaded dynamically and once loaded it will automatically start up at boot time.
Please try this software out but use at your own risk. It is not perfect and may crash your system (although it works perfectly on mine). Feedback is of course the main aim of giving out this software, so if there are any problems, comments or suggestions then please leave them here or email them to me. I am particularly interested in security issues and ways of getting around the protection (I can think of 1).

Thx!!
Posted on 2002-10-18 20:16:22 by Rama
Each file is hashed so that simply renaming an unauthorised file to one which is authorised will not work.
How do you deal with authorised files that have had service packs or version upgrades applied (which means your calculated hash will no longer be valid)? What happens if a Windoze service pack is applied, and a new "always running" process is installed which is not on your list (as happened with SP3 for Win2K)? And does your driver suspend itself if you log on with administrative privileges?
Posted on 2002-10-19 06:07:15 by sluggy
In this case you will have to authorise the files again (using AuthGen.exe). In the future I will make it easier to authorise and unauthorise single files, but for now you have to create the list again. The driver doesn't suspend itself if you log on as admin (YET!) but this will be implemented in a later version. For now, simply unload the driver if you don't want it running and reload to protect. If a process is always running (meaning the file is exclusively locked and cannot be opened) then this is no problem. This is because the driver also intercepts every call to NtCreateFile() and modifies the share access parameter so that it is still possible to open files which were intended to be locked.
Did it all work ok for you? Any problems??

Thx!
Posted on 2002-10-19 06:17:51 by Rama
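The allow-by-hash logic discussed in this thread (the AuthGen list of names and hashes, then the per-file decision the driver makes at process start), as an added Python example that is not Rama's code: it assumes SHA-256 and a fixed set of executable extensions, and walks through the cases raised above (unchanged file, upgraded file, unknown file, unauthorised file renamed over an authorised one).

```python
import hashlib
import os
import tempfile

EXEC_SUFFIXES = (".exe", ".dll", ".sys")   # assumption: what "executable" means here

def sha256_of(path):
    """Hash a file in chunks; SHA-256 is an assumption, the post names no algorithm."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def build_allowlist(root):
    """AuthGen step: record hash -> name for every executable found under root."""
    allow = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            if name.lower().endswith(EXEC_SUFFIXES):
                allow[sha256_of(os.path.join(dirpath, name))] = name
    return allow

def check_exec(path, allow):
    """Driver-side decision at process start: the hash decides, never the name."""
    if sha256_of(path) in allow:
        return "allow"
    if os.path.basename(path) in allow.values():
        return "deny-hash-mismatch"   # upgraded file, or an intruder renamed over it
    return "deny-unknown"

def demo():
    """Constructed scenario covering the cases discussed in the thread."""
    with tempfile.TemporaryDirectory() as root:
        good = os.path.join(root, "good.exe")
        with open(good, "wb") as f:
            f.write(b"MZ authorised program")
        allow = build_allowlist(root)
        r_ok = check_exec(good, allow)                 # authorised, unchanged
        with open(good, "wb") as f:                    # service-pack style upgrade
            f.write(b"MZ authorised program v2")
        r_upgraded = check_exec(good, allow)           # must be re-authorised
        bad = os.path.join(root, "evil.exe")
        with open(bad, "wb") as f:
            f.write(b"MZ unauthorised program")
        r_unknown = check_exec(bad, allow)
        os.replace(bad, good)                          # the rename trick from the post
        r_renamed = check_exec(good, allow)
        return r_ok, r_upgraded, r_unknown, r_renamed
```

The second result is the service-pack case sluggy asks about: a legitimately upgraded file is denied until the list is regenerated, which is why re-running AuthGen is required.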
Removing the WriteProtect bit for the whole system running time is a BAD idea.
You could implement it in your driver, just for writing to the memory you want to write to.

;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
;; Enable write access to system pages (Clear WP)
;; CR0 bit 16 is the WP (Write Protect) flag; while it is clear, ring 0
;; may write to pages marked read-only. The mask below has a single 0 at bit 16.
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
EnableWrite macro

push eax
mov eax, cr0
and eax, 11111111111111101111111111111111b   ; clear bit 16 (WP), leave all other bits
mov cr0, eax
pop eax

endm

;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
;; Disable write access to system pages (Set WP)
;; Restores WP by OR-ing in the complement of the same mask, i.e. bit 16 only.
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
DisableWrite macro

push eax
mov eax, cr0
or eax, not 11111111111111101111111111111111b  ; set bit 16 (WP) again
mov cr0, eax
pop eax

endm
Posted on 2002-10-19 16:56:22 by death
Ah, didn't know that! Thx a lot for that tip. So this means that the system won't bugcheck if I try to patch the kernel right??
Posted on 2002-10-19 19:04:05 by Rama
I assume the attachments were lost when the message board upgrade was done. Does anyone know where I can get this code? It would be very helpful for the license metering application I'm writing. Thanks.
Posted on 2005-05-18 18:15:12 by rdaneel