NOD32, IMON and DuplicateHandle

Discussion in 'NOD32 version 2 Forum' started by o2b43, Nov 28, 2005.

Thread Status:
Not open for further replies.
  1. o2b43

    o2b43 Registered Member

    Joined:
    Nov 28, 2005
    Posts:
    1
    When the NOD32 IMON module is enabled, it monitors all socket calls to see if they are legal. However, if you call the Win32 function DuplicateHandle, the returned handle is not marked as a socket. Though it certainly is one.

    All subsequent actions on the duplicated handle will be blocked and return with an error.

    A call to DuplicateHandle is often used to say that you don't want the socket to be inherited by any child process you spawn. That would be a security risk, why would you allow a child process to ave access to your sockets?

    To disallow this you can either call SetHandleInformation or DuplicateHandle. SetHandleInformation is only supported on NT/XP platforms, not on Windows 98 for example. That's the reason why many programs still use DuplicateHandle. The code to disable inherit of sockets looks like this:

    Result := Socket (a_family, a_type, a_protocol)
    if Result /= unassigned_value then
    old_handle := Result
    DuplicateHandle (
    posix_getcurrentprocess, old_handle,
    posix_getcurrentprocess, $new_handle,
    DUPLICATE_SAME_ACCESS,
    False, 0))
    Result := new_handle
    CloseHandle (old_handle))
    end

    It's ironic that security conscious programs are most impacted by this... And it impacts a lot of programs, not only my own, but also the entire cygwin suite for example.

    The fix is easy: the IMON module should treat any socket that is duplicated by DuplicateHandle as a socket as well. That's what Windows does anyway.
     
Thread Status:
Not open for further replies.