Discussion in 'ProcessGuard' started by Feivel, Jul 30, 2004.
Can we put ntoskrnl.exe on PG's protection list?
What is it?
I found this in Windows XP expert. Ntoskrnl.exe (systemroot\System32): The core (also called the kernel) of the Windows XP Professional operating system. Code that runs as part of the kernel does so in privileged processor mode and has direct access to system data and hardware.
During installation on single processor systems, Windows XP Professional Setup copies Ntoskrnl.exe from the operating system CD. During installation on multi-processor systems, Windows XP Professional Setup copies Ntoskrnlmp.exe and renames it Ntoskrnl.exe. Deep! It is in Microsoft Knowledge Base article 311775. It seems to only be in XP Professional. Well, I have XP Home edition and it is in System32 on my system. Just checked.
More info: http://forum.gladiator-antivirus.com/index.php?showtopic=16895&st=0&#entry57199
Peter, this question is in regard to the post about the vulnerability. The question remains: can ntoskrnl.exe be protected by PG in order to remove the vulnerability?
Hi William, did you notice that ntoskrnl.exe does not show in your checksum list? Not on mine anyway (XP Pro).
Jason will be the one to answer this as there is some hard coding within Process Guard at the kernel level so it may already be covered.
As an experiment I have added it to my protection list and given it the "getinfo" and "read" flags as well as the first four Block flags.
I will watch the logging and see what it does, if anything.
I haven't had time to go check out the Microsoft Knowledge Base article, but I still don't know what the vulnerability is. I have the file in my system32 area, but there is no process running, and I've checked several websites that don't mention it as a process one way or the other.
Well Peter, Chew Keong posted somewhere that he could defeat PG by hooking on to ntoskrnl.exe and actually told how to do it. There was a link, which has been shut down, that explained it. I had printed it but threw it away. Didn't understand it anyway. Chew had sent the info to DiamondCS, which was good, but then posted the info.
Hi William, That vulnerability is being addressed in the next release of PG due shortly.
To actually produce malware that might possibly kill Process Guard using this vulnerability would very probably take longer than Jason will take to fix it.
Chew Keong even stated that this vulnerability was also likely to terminate a session before it could do its business, as it was not stable. Any programmer capable of using this type of attack would have to have excellent machine code skills and then develop it for all current NT versions.
Wayne stated that such an effort for such a small user base (PG) would not be worth it for crackers.
I certainly have faith in Jason and PG. It amazes me how smart these folks are.
More than likely true but there is no rhyme nor reason to "genius."