ntoskrnl.exe

Discussion in 'ProcessGuard' started by Feivel, Jul 30, 2004.

Thread Status:
Not open for further replies.
  1. Feivel

    Feivel Registered Member

    Joined:
    Nov 7, 2002
    Posts:
    100
    Location:
    Baytown, TX
    Can we put ntoskrnl.exe on PG's protection list?
     
  2. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    17,047
    What is it?
     
  3. WilliamP

    WilliamP Registered Member

    Joined:
    Jun 1, 2003
    Posts:
    2,201
    Location:
    Fayetteville, Ga
    I found this in Windows XP expert. Ntoskrnl.exe systemroot\System32 The core (also called the kernel) of the Windows XP Professional operating system. Code that runs as part of the kernel does so in privileged processor mode and has direct access to system data and hardware.
    During installation on single processor systems, Windows XP Professional Setup copies Ntoskrnl.exe from the operating system CD. During installation on multi-processor systems, Windows XP Professional Setup copies Ntoskrnlmp.exe and renames it Ntoskrnl.exe. Deep! It is in Microsoft Knowledge Base article 311775. It seems to only be in XP Professional. Well, I have XP Home edition and it is in System32 on my system. Just checked.
     
    Last edited: Jul 30, 2004
  4. lynchknot

    lynchknot Registered Member

    Joined:
    Jun 26, 2004
    Posts:
    904
    Location:
    SW WA
  5. WilliamP

    WilliamP Registered Member

    Joined:
    Jun 1, 2003
    Posts:
    2,201
    Location:
    Fayetteville, Ga
    Peter, this question is in regards to the post about the vulnerability. The question remains: can ntoskrnl.exe be protected by PG in order to remove the vulnerability? o_O :rolleyes:
     
  6. Pilli

    Pilli Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    6,217
    Location:
    Hampshire UK
    Hi William, Did you notice that ntoskrnl.exe does not show in your checksum list? Not on mine anyway - XP Pro -
    Jason will be the one to answer this as there is some hard coding within Process Guard at the kernel level so it may already be covered.
    As an experiment I have added it to my protection list and given it the "getinfo" and "read" flags as well as the first four Block flags.
    I will watch the logging and see what it does, if anything :)

    Pilli
     
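    As an added example (not from the thread or from DiamondCS's ProcessGuard code) of the kind of checksum list Pilli is talking about: a small baseline checker that hashes a set of files, reports which ones changed, and, most relevant here, flags a file such as ntoskrnl.exe that is present on disk but absent from the baseline. File names and contents are constructed sample data; the hash algorithm (SHA-256) and the report labels are my choices, not PG's.

```python
import hashlib

# Constructed sample: what the baseline was built from on a known-good system.
# Paths and bytes are made up for the example; they are not real file contents.
BASELINE_FILES = {
    "system32/ntdll.dll": b"constructed sample bytes for ntdll",
    "system32/kernel32.dll": b"constructed sample bytes for kernel32",
}

# Constructed sample: the current state of the same machine. kernel32 has
# changed, and ntoskrnl.exe exists on disk but was never put in the baseline.
CURRENT_FILES = {
    "system32/ntdll.dll": b"constructed sample bytes for ntdll",
    "system32/kernel32.dll": b"constructed sample bytes for kernel32 (patched)",
    "system32/ntoskrnl.exe": b"constructed sample bytes for ntoskrnl",
}


def sha256_bytes(data: bytes) -> str:
    """Hex SHA-256 of an in-memory blob (used for the constructed sample)."""
    return hashlib.sha256(data).hexdigest()


def sha256_file(path: str) -> str:
    """Hex SHA-256 of a real file on disk, read in 1 MiB chunks."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_baseline(files: dict) -> dict:
    """Map each file name to the hash of its known-good content."""
    return {name: sha256_bytes(data) for name, data in files.items()}


def verify(baseline: dict, current: dict) -> dict:
    """Compare current file contents against the baseline.

    Returns one status per file name:
      "ok"              - hash matches the baseline
      "MODIFIED"        - file exists in both but the hash differs
      "not in baseline" - file is on disk but was never recorded (the
                          ntoskrnl.exe situation from the thread)
      "missing on disk" - baseline entry with no current file
    """
    report = {}
    for name, data in current.items():
        expected = baseline.get(name)
        if expected is None:
            report[name] = "not in baseline"
        elif sha256_bytes(data) == expected:
            report[name] = "ok"
        else:
            report[name] = "MODIFIED"
    for name in baseline:
        if name not in current:
            report[name] = "missing on disk"
    return report


def unprotected_files(report: dict) -> list:
    """Names that a checksum-based protection list would silently skip."""
    return sorted(name for name, status in report.items()
                  if status == "not in baseline")


def demo() -> dict:
    """Run the check over the constructed sample and return the report."""
    return verify(build_baseline(BASELINE_FILES), CURRENT_FILES)


if __name__ == "__main__":
    for name, status in sorted(demo().items()):
        print(f"{status:16} {name}")
    print("not covered by the list:", unprotected_files(demo()))
```

    The point of the "not in baseline" status is the one Pilli raises: a protection scheme driven by a checksum list can only watch what is on the list, so the report should call out files that the list never recorded rather than treating silence as safety.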
  7. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    17,047
    I haven't had time to go check out the Microsoft Knowledge Base article, but I still don't know what the vulnerability is. I have the file in my system32 area, but there is no process running, and I've checked several websites, that don't mention it as a process one way or the other.
     
  8. WilliamP

    WilliamP Registered Member

    Joined:
    Jun 1, 2003
    Posts:
    2,201
    Location:
    Fayetteville, Ga
    Well Peter, Chew Keong posted somewhere that he could defeat PG by hooking on to ntoskrnl.exe and actually told how to do it. There was a link that has been shut down, that explained it. I had printed it but threw it away. Didn't understand it anyway. Chew had sent the info to Diamond CS, which was good, but then posted the info.
     
  9. Pilli

    Pilli Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    6,217
    Location:
    Hampshire UK
    Hi William, That vulnerability is being addressed in the next release of PG due shortly.
    To actually produce malware that might possibly kill Process Guard using this vulnerability would very probably take longer to produce than Jason will take to fix it.
    Chew Keong even stated that this vulnerability was also likely to terminate a session before it could do its business, as it was not stable. Any programmer capable of using this type of attack would have to have excellent machine code skills and then develop it for all current NT versions.
    Wayne stated that such an effort for such a small user base (PG) would not be worth it for crackers.
     
  10. WilliamP

    WilliamP Registered Member

    Joined:
    Jun 1, 2003
    Posts:
    2,201
    Location:
    Fayetteville, Ga
    I certainly have faith in Jason and PG. It amazes me how smart these folks are.
     
  11. Feivel

    Feivel Registered Member

    Joined:
    Nov 7, 2002
    Posts:
    100
    Location:
    Baytown, TX
    More than likely true but there is no rhyme nor reason to "genius."
     