Delusions of Invincibility?

Discussion in 'ProcessGuard' started by Nautilus, Jan 13, 2004.

Thread Status:
Not open for further replies.
  1. Nautilus

    Nautilus Registered Member

    Joined:
    Oct 22, 2002
    Posts:
    37
    Against this background ...

    "Hi Magnus, I would like you to tell me how you would remove a kernel mode hook (one which patches the service dispatch table). ... I find it funny you make this comment when it seems you don't know how some of the kernel mode hooks work. ... I do appreciate and acknowledge that you have put some protection into your program, I don't want to discredit you or your program. However I don't see why you need to defend 'usermode' hooking that you use, you know (at least now I hope you do) it has vulnerabilities/problems."

    ... I would like to kindly ask Wayne & Co. whether they have already tried to terminate processes protected by PG with the help of a small tool called Kernel PS 0.4?

    Regards,

    Nautilus

    -- EDITED --

    First, I tried to protect notepad.exe with PG.

    See here ( http://home.arcor.de/scheinsicherheit/Image1.jpg ) You may also notice that I am the poor victim of a terrible rootkit ;-)

    Secondly, I asked notepad.exe whether it believes in anti-termination protection ...

    See here ( http://home.arcor.de/scheinsicherheit/Image2.jpg ) PG did not say a word.

    Thirdly, PG's stamina was tested ...

    See here ( http://home.arcor.de/scheinsicherheit/Image3.jpg )
     
  2. spy1

    spy1 Registered Member

    Joined:
    Dec 29, 2002
    Posts:
    3,139
    Location:
    Clover, SC
    Nautilus - Apparently, you haven't been keeping up with all the information in the various threads on PG.

    It's been stated over and over again that all defensive programs can be defeated, given enough time and knowledge.

    If you're getting the impression that PG (or DCS) is claiming that the program's "invincible", then I suggest you're misreading the information put out.

    Pete
     
  3. Nautilus

    @Spy

    1.
    It has been stated that TH's user-mode protection is much less secure than PG's kernel-mode protection. It seems to me that both protections are not secure. Therefore, I do not believe that Magnus needs to change anything in respect of TH. In addition, TH's protection was quite stable.

    2.
    I do not believe that anti-termination protection is terribly important at all.

    3.
    I believe that PG should try to alert the user if it is unable to prevent the termination of a program.

    4.
    I believe that PG is a good and useful program.
     
  4. controler

    controler Guest

    Wayne and Jason are claiming PG does not patch the kernel at all but rather links through undocumented methods.

    What are you trying to say? Are you saying you think they do patch the kernel?

    controler
     
  5. Wayne - DiamondCS

    Wayne - DiamondCS Security Expert

    Joined:
    Jul 19, 2002
    Posts:
    1,533
    Location:
    Perth, Oz
    Nautilus,
    So give us a download link (privmsg or here is fine) and we'll try and add protection for it (although I have a feeling that it's already protected). However, be aware that Kernel PS uses a highly unconventional (and probably tricky-to-program) termination technique, so while it's an interesting technique, it's also one of the hardest to program.

    Edit - nevermind, Gavin just pointed me to a copy we've already got. Screenshots and info to follow.
     
  6. Jason_DiamondCS

    Jason_DiamondCS Former DCS Moderator

    Joined:
    Nov 11, 2002
    Posts:
    1,046
    Location:
    Perth, Western Australia
    Well it seems this driver just uses KeAttachProcess/TerminateProcess in kernel mode, I can easily block this.

    Regardless of that though, take a look at the following screenshots :-
     


  7. Jason_DiamondCS

    Here is with Block Drivers enabled :-
     


  8. Jason_DiamondCS

    Here is with Process Guard's protection disabled, to show it does work :-
     


  9. Jason_DiamondCS

    BTW Nautilus, what I asked Magnus still stands. What this driver does is not remove our hooks, it simply calls a function we haven't hooked because in most cases you cannot call that function without calling others. This driver uses an undocumented method to not call the other functions we hook. So this hasn't removed our hooks, it simply uses even more undocumented ways to get around them.

    When in kernel mode anything is possible given you spend enough time reverse engineering Windows. Which is why it is better to be able to stop malicious drivers from being installed (like rootkits) than letting them in and blocking what they do in Kernel mode. That is why we developed this protection option. All other programs which run in usermode cannot defeat the protections, and with this protection option no rootkits can be installed and hence you are safe and PG is safe.

    -Jason-
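Jason's point about dispatch-table hooks versus blocking driver loads, as an added example that is not part of the original thread and is not Process Guard, Windows kernel or Kernel PS code: a small user-mode C model of a service dispatch table with a hook on the terminate entry. The table, the routines, the PIDs and the "block driver install" flag are all constructed for the model, and the real driver's internal call sequence is not reproduced. It shows that the hook stops a caller routed through the table, does nothing against ring-0 code that reaches the routine directly, and that a gate on driver loading is what actually stops the latter (the three scenarios in main() mirror the three screenshots above).

```c
/*
 * Model of why a service-dispatch-table hook is not a boundary against
 * other ring-0 code. Illustrative user-mode C written for this page, not
 * Process Guard or Windows kernel code; the table, routines and PIDs are
 * constructed for the model.
 */
#include <stdbool.h>
#include <stdio.h>

#define MAX_PROCS 8
#define SYS_TERMINATE_PROCESS 0            /* index into the model table    */

typedef int ntstatus_t;
enum { STATUS_SUCCESS = 0, STATUS_ACCESS_DENIED = -1, STATUS_INVALID_PID = -2 };
typedef ntstatus_t (*syscall_fn)(int pid);

static bool process_alive[MAX_PROCS];      /* model process table           */
static bool protected_pid[MAX_PROCS];      /* PIDs the hook refuses to kill */
static bool block_driver_install;          /* the "Block drivers" option    */

/* The unhooked kernel routine. It lives in the kernel image, so any
 * ring-0 caller can reach it without going through the table. */
static ntstatus_t nt_terminate_process_original(int pid)
{
    if (pid < 0 || pid >= MAX_PROCS || !process_alive[pid])
        return STATUS_INVALID_PID;
    process_alive[pid] = false;
    return STATUS_SUCCESS;
}

/* The model service dispatch table: user-mode syscalls go through here,
 * and this is the entry a product like PG replaces with its hook. */
static syscall_fn dispatch_table[] = { nt_terminate_process_original };

static ntstatus_t hooked_nt_terminate_process(int pid)
{
    if (pid >= 0 && pid < MAX_PROCS && protected_pid[pid])
        return STATUS_ACCESS_DENIED;       /* policy is enforced here only  */
    return nt_terminate_process_original(pid);
}

static void install_hook(void)
{
    dispatch_table[SYS_TERMINATE_PROCESS] = hooked_nt_terminate_process;
}

static void model_reset(void)
{
    for (int i = 0; i < MAX_PROCS; i++) {
        process_alive[i] = true;
        protected_pid[i] = false;
    }
    dispatch_table[SYS_TERMINATE_PROCESS] = nt_terminate_process_original;
    block_driver_install = false;
}

/* A user-mode caller: every request is routed through the table. */
static ntstatus_t usermode_terminate(int pid)
{
    return dispatch_table[SYS_TERMINATE_PROCESS](pid);
}

/* A loaded driver: it calls the routine directly, which is the shape of
 * the bypass described in the thread. */
static ntstatus_t driver_terminate(int pid)
{
    return nt_terminate_process_original(pid);
}

/* The load-time gate: with installation blocked, the attacker's code never
 * reaches ring 0 and the question of hooks does not arise. */
static ntstatus_t load_driver_and_terminate(int pid)
{
    if (block_driver_install)
        return STATUS_ACCESS_DENIED;
    return driver_terminate(pid);
}

int main(void)
{
    const int target = 1;

    model_reset(); protected_pid[target] = true; install_hook();
    printf("hook only, user-mode kill:   %d (denied = %d)\n",
           usermode_terminate(target), STATUS_ACCESS_DENIED);
    printf("hook only, driver kill:      %d (success = %d)\n",
           load_driver_and_terminate(target), STATUS_SUCCESS);

    model_reset(); protected_pid[target] = true; install_hook();
    block_driver_install = true;
    printf("drivers blocked, driver kill: %d (denied = %d)\n",
           load_driver_and_terminate(target), STATUS_ACCESS_DENIED);

    model_reset();
    printf("no protection, user-mode kill: %d (success = %d)\n",
           usermode_terminate(target), STATUS_SUCCESS);
    return 0;
}
```

The model deliberately keeps the policy check inside the hook only: that is the property being tested, since a real SSDT hook has the same shape and any code that can call the kernel routine (or another unhooked path to it) sees no check at all.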
     
  10. DolfTraanberg

    DolfTraanberg Registered Member

    Joined:
    Nov 20, 2002
    Posts:
    676
    Location:
    Amsterdam
    Where, when?
     


  11. Jason_DiamondCS

    Do you mean when the public version will be released? :)

    This Friday or Monday looks like the two most likely dates. Beta testers will be getting a second beta version today.

    -Jason-
     
  12. Nautilus

    @Jason

    Maybe, maybe not. There are even more drivers on my HD which I have not even tried ...

    In principle, I agree with you that a kernel-mode driver should be safer than a user-mode driver.

    I also believe that it is more important to concentrate on the release of PG version 1.200 than trying to publicly convince a competing developer that his product is flawed ...
     
  13. Jason_DiamondCS

    Nautilus, well since all the drivers you have on your hard drive won't work with PG 1.2 I don't know what the "maybe, maybe not" refers to. :)

    So, can PG 1.2 stop what you just showed and every other driver? Yes. Can usermode protection schemes stop any driver? No. I never tried to convince anyone that their product was flawed, rather that a mechanism they use is flawed. I am not out to put down other people or products or whatever, I am just interested in the facts and making sure people know them.

    Since I am one of the developers of Process Guard and get IM's and emails from people asking me to respond to claims by other developers I feel I should set the record straight. Magnus made what I believed to be some incorrect claims, I corrected them. It isn't the biggest news of the century, it doesn't mean you shouldn't use TrojanHunter if you like it. :)

    -Jason-
     
  14. Nautilus

    Let's talk about some good news ...

    if I am not mistaken PG 1.200 should also stop the installation of the Hacker Defender rootkit driver?
     
  15. Jason_DiamondCS

    If you believe this I don't know why you started this thread with the "Magnus" background, almost like you want us to try and get into an "argument" over TrojanHunter/Magnus. I don't see how it is relevant since it isn't like you are comparing TH protection vs PG protection. If it was you would have shown how TH worked against the same program.

    Feel free to start threads stating that PG doesn't work as it should, but don't try and instigate arguments between developers. Magnus is welcome to comment on anything I have posted, especially on things which refer to protection schemes he uses (as I have commented on things he has said about the schemes we use). If Magnus wanted to comment on what I posted in the thread you referenced he would have. He hasn't and that is his choice, not yours.

    So I have shown you that Process Guard 1.2 has a fix for the problem you showed; is there anything else you want to add, bearing in mind what I have said above?

    -Jason-
     
  16. Jason_DiamondCS

    Correct. :)

    -Jason-
     
  17. Nautilus

    1.
    "is there anything else you want to add, bearing in mind what I have said above"

    Yes. See above ;-)

    2.
    "but don't try and instigate arguments between developers"

    I do not. On the contrary, I suggest that you do not talk so much about the flaws of a competing product before your own product is perfect. That's what it's all about. I simply did not like the thread where Magnus was accused by various people of using madshi trojan code, not understanding anything about kernel mode, etc.
     
  18. Jason_DiamondCS

    It does use the MADSHI library, which IS used in trojans. MADSHI isn't a trojan; it is a library of code which TrojanHunter uses. The code in the MADSHI library is also used in a lot of trojans. People are not accusing Magnus of things which are untrue, so there is nothing for you to get upset or worry about. Magnus made the choice to program TrojanHunter how he saw fit, so if you have problems with the way it works you can discuss it over on his forum.

    Again, you don't need to defend Magnus because no personal attack was made on him, and if you feel you need to, find a better place to do it, not the PG forum.

    -Jason-
     
  19. 4A6F4A6F

    4A6F4A6F Registered Member

    Joined:
    Dec 23, 2003
    Posts:
    34
    A new version? Nice, you work very hard for this product, but I have a question about the new anti-termination feature "Block drivers and services from installing". It seems this is like the old anti-rootkit driver protection tool from, ehm, pestralsoftware or whatever the name was, but what if the user wants to install new drivers for hardware or installs other software which needs to install a driver, like firewalls or other security applications?
     
  20. Wayne - DiamondCS

    JoJo,

    The actual block isn't termination-related, but it stops things like trojans from dropping drivers and making the drivers do the termination.

    You're referring to Pedestal Software's Software Integrity Protection Driver, but no, Process Guard doesn't actually use any code from that (even though it is open source), and actually I believe the mechanism used to block the installation of services is different in PG from the one in IPD.

    There actually is very little 'overlap' between the two programs (PG and IPD), and although I haven't tried using both yet, that's probably the way to go.

    In Process Guard, simply right-click on the main menu and turn off "Block drivers & services installing" if it was on.

    Cheers,
    Wayne
     
  21. 4A6F4A6F

    OK, thanks for the info Wayne :)
     
  22. Gavin - DiamondCS

    Gavin - DiamondCS Former DCS Moderator

    Joined:
    Feb 10, 2002
    Posts:
    2,080
    Location:
    Perth, Western Australia
    It would seem that protection driver somewhat neuters Windows :) Protection comes at a big cost there unless it's configurable.
     
  23. gkweb

    gkweb Expert Firewall Tester

    Joined:
    Aug 29, 2003
    Posts:
    1,932
    Location:
    FRANCE, Rouen (76)
    Neuters? What does it mean? My hand dictionary doesn't have this word :)
     
  24. Pilli

    Pilli Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    6,217
    Location:
    Hampshire UK
    Neuters = Cuts off parts - usually refers to the way animals are stopped from reproducing :Ouch!:
    Could also mean to neutralise. :D
     
  25. gkweb

    OK, thank you Pilli ;)
     