NOD32, IMON and DuplicateHandle

Discussion in 'NOD32 version 2 Forum' started by o2b43, Nov 28, 2005.

Thread Status:
Not open for further replies.
  1. o2b43 (Registered Member, joined Nov 28, 2005, 1 post):
    When the NOD32 IMON module is enabled, it monitors all socket calls to see if they are legal. However, if you call the Win32 function DuplicateHandle, the returned handle is not marked as a socket, though it certainly is one.

    All subsequent actions on the duplicated handle will be blocked and return with an error.

    A call to DuplicateHandle is often used to say that you don't want the socket to be inherited by any child process you spawn. That would be a security risk; why would you allow a child process to have access to your sockets?

    To disallow this you can either call SetHandleInformation or DuplicateHandle. SetHandleInformation is only supported on NT/XP platforms, not on Windows 98 for example. That's the reason why many programs still use DuplicateHandle. The code to disable inheritance of sockets looks like this:

    Result := Socket (a_family, a_type, a_protocol)
    if Result /= unassigned_value then
        old_handle := Result
        -- Duplicate the socket within our own process with the inherit flag
        -- set to False, so children spawned later cannot see it. Win32 order:
        -- source process, source handle, target process, target handle,
        -- desired access (ignored with DUPLICATE_SAME_ACCESS), inherit, options.
        DuplicateHandle (
            posix_getcurrentprocess, old_handle,
            posix_getcurrentprocess, $new_handle,
            0, False, DUPLICATE_SAME_ACCESS)
        Result := new_handle
        -- Close the original, inheritable handle; only the duplicate remains.
        CloseHandle (old_handle)
    end

    It's ironic that security conscious programs are most impacted by this... And it impacts a lot of programs, not only my own, but also the entire cygwin suite for example.

    The fix is easy: the IMON module should treat any socket that is duplicated by DuplicateHandle as a socket as well. That's what Windows does anyway.
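    The duplicate-and-close pattern from the post, written as an added C example (not the poster's code and not part of NOD32), together with the check a practitioner would want: reading the handle's inherit flag back after the call. It assumes a Windows build with Winsock2 and, as a generalization beyond the post, does the equivalent hardening with FD_CLOEXEC on POSIX so the same two functions compile and run on both.

    ```c
    #ifdef _WIN32
    #include <winsock2.h>
    #include <windows.h>
    typedef SOCKET sock_t;
    #define BAD_SOCK INVALID_SOCKET
    #else
    #include <fcntl.h>
    #include <unistd.h>
    #include <sys/socket.h>
    typedef int sock_t;
    #define BAD_SOCK (-1)
    #endif

    /* Stop child processes inheriting a socket. Windows: the duplicate-and-close
     * pattern from the post, in Win32 argument order (SetHandleInformation does
     * the same on NT-family systems). POSIX: the equivalent is FD_CLOEXEC.
     * Returns the (possibly new) socket, or BAD_SOCK on failure. */
    sock_t make_socket_non_inheritable(sock_t s)
    {
    #ifdef _WIN32
        HANDLE dup = NULL, self = GetCurrentProcess();
        /* src proc, src handle, dst proc, out handle, desired access (ignored),
         * bInheritHandle = FALSE, dwOptions = DUPLICATE_SAME_ACCESS */
        if (!DuplicateHandle(self, (HANDLE)s, self, &dup, 0, FALSE, DUPLICATE_SAME_ACCESS))
            return BAD_SOCK;
        closesocket(s);                      /* drop the inheritable original */
        return (sock_t)dup;
    #else
        int f = fcntl(s, F_GETFD);
        return (f < 0 || fcntl(s, F_SETFD, f | FD_CLOEXEC) < 0) ? BAD_SOCK : s;
    #endif
    }

    /* Verify the result: 1 if the socket will not leak into children, else 0. */
    int is_non_inheritable(sock_t s)
    {
    #ifdef _WIN32
        DWORD f = 0;
        return GetHandleInformation((HANDLE)s, &f) && !(f & HANDLE_FLAG_INHERIT);
    #else
        int f = fcntl(s, F_GETFD);
        return f >= 0 && (f & FD_CLOEXEC) != 0;
    #endif
    }
    ```

    On Windows call WSAStartup before creating the socket; on either platform, pass the socket through make_socket_non_inheritable and keep only the value it returns, since the original handle is closed on Windows.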