Ok, I'm hooked....

Discussion in 'other security issues & news' started by Starrob, Jun 27, 2005.

Thread Status:
Not open for further replies.
  1. Infinity

    Infinity Registered Member

    Joined:
    May 31, 2004
    Posts:
    2,651
    True Rich, it is complicated and I cannot disagree hence the not understanding what exactly is going on down there ..

    I just wished someone would step up and stay with us for one hour and explain stuff .. cause giving links where we can read difficult items is not an answer...it gives me more questions than answers so to speak.
     
  2. Starrob

    Starrob Registered Member

    Joined:
    Apr 14, 2004
    Posts:
    493

    The "experts" all show up when it is time to sell products but they seem to disappear when questions are asked about subjects like this. I would like to see these subjects explained in language I could better understand sometimes.

    Many security companies use marketing that use all different types of terms that few really understand (I think). Then when you ask what do you mean by this term and how does your software go about doing this or that better than other software......well, then everyone disappears except for those wanting the answers.



    Starrob
     
  3. richrf

    richrf Registered Member

    Joined:
    Dec 11, 2003
    Posts:
    1,907
    Hi Infinity,

    Despite your protestations .. :)

    http://www.giac.org/certified_professionals/practicals/gcih/0617.php

    The first part of this article gives a very good overview of rootkits and how they try to instantiate themselves on a system. Reading this gives some clues on how DiamondCS arrived at their design for ProcessGuard.

    I think experts are reluctant to step forward for two reasons:

    1) I believe that truly knowledgeable experts realize that this whole issue is such a quagmire of ambiguities and unknowns, that they do not want to give any "explanations" that can be so easily challenged as being incomplete or incorrect.

    2) Some experts have "proprietary knowledge" that they do not want to reveal for one reason or another. This is quite common.

    My approach toward security is this:

    1) First try to understand all of the entry points (forget about what happens afterwards because within XP's millions of lines of code, anything can happen and no one really knows all that can happen)

    2) Try to post "sentries" at these points of entry that will stop unauthorized executables from ever getting started (and entering into those millions of lines of Windows spaghetti code).

    I realize that there are lots of points of entry. Some of the better anti-malware tools nowadays attempt to cover these points as best as their own developers have figured it out (new vulnerabilities are always being discovered). If a file is downloaded and gets by the initial point of inspections, then I have additional sentries at other "gates". I do the best I can at guarding these gates, because once a program starts to execute all bets are off. As new "security" programs come out, I will check them out to see if they offer more/better capabilities.

    Clearly a new operating system, designed from the ground up with security in mind would be a better solution, however, operating systems nowadays are designed with the idea of "enabling commerce" (e.g. to make money) so I do not believe I will be seeing such an operating system in the near future - unless big companies such as the banks and MS are subjected to class action lawsuits (as Newsweek describes this week) that will force organizations to take security of users more seriously.

    Rich
     
    Last edited: Jun 29, 2005
  4. Infinity

    Infinity Registered Member

    Joined:
    May 31, 2004
    Posts:
    2,651
    For this I will give you a lot of karma cookies Rich!!

    I have something to read again :) .. something interesting. That learning has never been a prb to me and helping...man if I just could count the hours I helped here and @ sb ...

    I hope I'll understand a bit better soon cause if I have questions I will continue to address them here :)

    Sincerely.

    VERY BIG EDIT: I understand that information these days is as valuable as hard cash but that doesn't mean I am going to use that info just to build a new competing product with this... :D .. or whatever..

    but I understand and no hard feelings.
     
  5. richrf

    richrf Registered Member

    Joined:
    Dec 11, 2003
    Posts:
    1,907
    Hi Infinity,

    Thanks for the Karma cookies! For this unselfish gesture, you have earned double the amount of Karma cookies of your own! (I love the way Karma works :) )

    I hope the article helps pull away some of the "cloaking" that surrounds rootkits. ;) But as I sit here and ruminate, I am quite sure that there is no one answer. Even the operating system code that drives "events', I am quite sure, has indefinite aspects to it (as do all event-driven systems). It is sort of like quantum-like behavior manifesting itself in the real physical world. :) And we as humans have to learn to deal with it.

    Cya around,
    Rich
     
  6. Pollmaster

    Pollmaster Guest

    Windows XP is an extremely complex operating system, and I doubt anyone on the planet knows how to "secure" it from detecting all unauthorised programs.
    :)

    We are all aware of how much you worship at the shrine of execution launch protection Rich, but this certainly isn't the thread for it.

    Everyone knows that if you don't run a program, you can't get infected by it, it doesn't take a security guru like yourself to figure that out.

    I recommend you give it a rest and stop stating the same "wisdom" post after post on every thread about every conceivable security risk. The rest of us live in the real world where programs have to be run, and many of the "authorised" programs might actually be malicious.

    Someone who insists on seeing execution launch protection as the holy grail of computer security clearly has a lot to learn about computer security.
     
  7. Pollmaster

    Pollmaster Guest

    The last time I checked those guys don't hawk security products? In any case, these papers are way too new. The sysinternal article and books are a much more likely source of inspiration.

    I think experts are reluctant to step forward for two reasons:

    We must distinguish between 2 types of experts. Those who have a product to sell and those who don't. Those of the second variety, who gain fame by their expertise as consultants, are more likely to explain more (to those who can follow). They build a name for themselves by publishing white papers and what not.

    For experts who hawk security software, generally they don't have as much an incentive to release info about what they know. I suppose, if they were truly honest when they discussed their methods, they would probably have to point out their own weaknesses.


    2) Some experts have "proprietary knowledge" that they do not want to reveal for one reason or another. This is quite common.

    3) They don't want to waste time explaining things, they just hawk you security software, they certainly aren't here to teach you about the guts of the Windows system.

    Of course occasionally they need to drop some technobabble ("proactive", "DPI".) to convince you to buy, but no more than necessary. Still as competing products come into the market, vendors will have to bring in more buzz words to further distinguish their product, so they start educating their user base a bit more... and so on..
     
  8. StevieO

    StevieO Guest

    I found this which may shed some more light on things, see what you think.


    API Hooking Revealed

    Intercepting Win32 API calls has always been a challenging subject among most of the Windows developers and I have to admit, it's been one of my favorite topics. The term Hooking represents a fundamental technique of getting control over a particular piece of code execution. It provides a straightforward mechanism that can easily alter the operating system's behavior as well as 3rd party products, without having their source code available.

    Many modern systems draw the attention to their ability to utilize existing Windows applications by employing spying techniques. A key motivation for hooking, is not only to contribute to advanced functionalities, but also to inject user-supplied code for debugging purposes.

    Unlike some relatively "old" operating systems like DOS and Windows 3.xx, the present Windows OS as NT/2K and 9x provide sophisticated mechanisms to separate address spaces of each process. This architecture offers a real memory protection, thus no application is able to corrupt the address space of another process or in the worst case even to crash the operating system itself. This fact makes the development of system-aware hooks a lot harder.

    My motivation for writing this article was the need for a really simple hooking framework, that will offer an easy to use interface and ability to capture different APIs. It intends to reveal some of the tricks that can help you to write your own spying system. It suggests a single solution how to build a set for hooking Win32 API functions on NT/2K as well as 98/Me (shortly named in the article 9x) family Windows. For the sake of simplicity I decided not to add support for UNICODE. However, with some minor modifications of the code you could easily accomplish this task.

    Spying of applications provides many advantages:

    http://www.codeguru.com/Cpp/W-P/system/misc/article.php/c566


    StevieO
     
  9. StevieO

    StevieO Guest

  10. Starrob

    Starrob Registered Member

    Joined:
    Apr 14, 2004
    Posts:
    493

    The buzz words are not so catchy with me. Unless the vendor is prepared to fully explain what they are talking about then the buzz words are meaningless to me but then again they are probably not marketing so much to me but to those types that like to buy hype.

    One vendor I respect more than most is Jason simply because in the past I found him more willing to go further with his explanations beyond the buzz words and try to give an explanation in simple English all without giving too much of his knowledge away. He gets an A for at least trying to educate his users somewhat about his product.

    Most of the others will simply throw out the buzz word and let you sink or swim with it....most prefer that you sink with it and just simply buy whatever they are trying to hawk but that is the business world for you.

    Buying a lot of software is like buying diamonds in a third world country. The diamond might be good to the naked eye but unless you are an expert in looking at precious stones and know how to look for the flaws, it becomes near impossible to determine its worth.

    Some software may work beyond expectations......and others are not worth as much as the hype. It takes a bit of education and lots of trial and error to determine which is which......




    Starrob
     
  11. Notok

    Notok Registered Member

    Joined:
    May 28, 2004
    Posts:
    2,969
    Location:
    Portland, OR (USA)
    Geez, this does get confusing. I'm going to stick with this question, though, to keep things simple. Programs like PG are "dumb" in that they don't try to differentiate data coming in through those APIs, it's a very black and white system.. "if input then alert, allow if user agrees, block if user denies". Since the data would still have to continue along the API chain, the only way I could think of for something to bypass the other hooks is if maybe one of the first hooks initiated a Windows exploit, then who knows what can happen. Something like a scanner, ie Ewido, would try to intelligently discern between good and bad data, so could be bypassed, but I really don't think something like PG could be 'fooled'.

    And I have to agree w/ Pollmaster's earlier statement that it's the "Driver/Rootkit" and hooks functions that make PG so powerful. Anything can be run as long as you leave those two options enabled. The only exception would be static dll injection, where the dll is injected into the files on the disk, not in memory, and this is (I believe) one of, if not the, main reason/s for the execution protection- to let you know when a program has been changed on disk (which is why I like having something like Prevx on board). To balance things out, though, execution protection is very good for unexpected executions, such as by mobile code to install drive-by-downloads, just not actual trojans where you're fooled into executing it in the first place.

    I'll run this by some programmers I know and post back.. let me know if I'm not grasping the whole of the question, or oversimplifying. :)
     
  12. richrf

    richrf Registered Member

    Joined:
    Dec 11, 2003
    Posts:
    1,907
    Hi Notok,

    Well, I am not so sure. There is plenty of malware out there that can cause quite a bit of damage without deploying a driver/service or rootkit.

    Rich
     
  13. Starrob

    Starrob Registered Member

    Joined:
    Apr 14, 2004
    Posts:
    493

    That is a plain English answer that I can understand. Also, does PREVX block static DLL injection?


    Starrob
     
  14. Notok

    Notok Registered Member

    Joined:
    May 28, 2004
    Posts:
    2,969
    Location:
    Portland, OR (USA)
    Yes, some malware could still set up shop and send out spam all it wants. That's out of the scope of PG, and why we don't rely on it 100%, using products like registry monitors/RegDefend, our AV of choice, etc. However what we're discussing here is hooking and bypassing protective hooks, which is the context in which that statement was made.
     
    Last edited: Jun 29, 2005
  15. Infinity

    Infinity Registered Member

    Joined:
    May 31, 2004
    Posts:
    2,651
    thanx for the link Stevieo (you were second .. so no karma cookies left :))after this post I will read it together with the certified one...they even give exams over the net .. wtf who knew that? ok...mvps windows I know but those are real firms and stuff with professors... :) man what a big world ^^
     
  16. Pollmaster

    Pollmaster Guest

    Yes, something like that , But i suppose that's unlikely.

    PG can't be fooled in that sense, but if it is not directly hooked (last in a line of hooked apps), there's always a possibility that the info flowing down the chain could somehow be subverted before it reaches PG. Okay so I'm paranoid.

    There's a fairly confusing old discussion about the difference between dynamic/static dll loading and dynamic/static dll injection:
    https://www.wilderssecurity.com/showthread.php?t=48712

    But in any case, you already know that PG does not do checksumming for dlls, so it doesn't really completely protect you from static dll injection. Post #19 and Post #22 clear it up some.

    I suppose PrevX offers some protection from static dll injections since it informs you if there are attempts to write to windows directory, where most of the dlls are residing?

    Or we could use one of the firewalls that does checksumming for dlls (Sygate, ZAP for example) rather than just exes.
     
  17. Bubba

    Bubba Updates Team

    Joined:
    Apr 15, 2002
    Posts:
    11,271
    A few posts were removed that had nothing to do with this thread and more to do with slight, toeing the line personal attacks. To those that feel the necessity to always gig another poster....Please feel free to find another venue. There really is no need for it....it distracts from the thread....and causes me to take a thread slightly off course explaining.
     
  18. Infinity

    Infinity Registered Member

    Joined:
    May 31, 2004
    Posts:
    2,651
    I sincerely doubt that 2% of all Wilders members know all this!!!

    ... :) let's cut the crap please and no offence to anyone.

    do I have to learn all this to understand how it all works?
    I wonder where everybody is at the moment...
     
  19. Infinity

    Infinity Registered Member

    Joined:
    May 31, 2004
    Posts:
    2,651
    and another question...again the above post is no offence to anyone!!!!!

    but I maybe hoped someone would enlighten us...some of the respected men here and would stick with us with those valid questions.

    I bet we are all wrong *except for the Pro-Active part and all the fancy words* in what we're saying .. and I truly thought someone would already have stepped up, I wouldn't care any less who, but no articles where you have to learn a code first to understand what that all means. debugger is bugging me like /*-+
     
  20. Bubba

    Bubba Updates Team

    Joined:
    Apr 15, 2002
    Posts:
    11,271
    Yep....and then you can be so kind as to explain it to the less knowledgeable :cool:
     
  21. Infinity

    Infinity Registered Member

    Joined:
    May 31, 2004
    Posts:
    2,651
    hooking isn't kernel driven...at least I think those are completely separate things. a program that uses a hook doesn't have to be kernel driven.

    so if a trojan is kernel driven (rootkit) how on earth can a hooking program (it's like practically all of them programs) clean something that is deeper than itself.

    please guys ...
     
  22. Infinity

    Infinity Registered Member

    Joined:
    May 31, 2004
    Posts:
    2,651

    yes bubba, there are persons that have other signs than you, you have skills in moderating (and other things...so my peace goes out to you :)..but no karma cookies ;))

    that's just scary I guess...so much ... :oops:
     
  23. Infinity

    Infinity Registered Member

    Joined:
    May 31, 2004
    Posts:
    2,651
    I know one thing for sure: I will send my kids later to such a school :) and cut the playing what we learn at school...man what a joke after all ...
     
  24. Infinity

    Infinity Registered Member

    Joined:
    May 31, 2004
    Posts:
    2,651
    Edited, don't want to offend anyone :doubt:
     
  25. Notok

    Notok Registered Member

    Joined:
    May 28, 2004
    Posts:
    2,969
    Location:
    Portland, OR (USA)
    It's really too bad there isn't whiteboard capability here, this discussion would probably be a lot easier.

    Pollmaster: I don't think any one hook could bypass any other hooks, it would have to pass the info on to the next.. The only other thing I could think of is if it diverted the info from that one API into another that is not monitored. Unless I'm not understanding what you're saying? Of course there will probably be new vulnerabilities found that can bypass what PG, et al, protects, but for the time being, I think it's all pretty much set. Oops.. late from break, will come back to this later..
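The hook-chain question Pollmaster and Notok are circling above (no hook can skip the one behind it, yet a monitor placed behind other hooks only sees what they hand it) as a toy Python model added here for illustration; it is not code from ProcessGuard or from anyone in this thread, and the chain, watch list and paths are constructed assumptions.

```python
"""Toy model of a Windows-style hook chain (constructed example).

Assumed model: hooks are installed like a SetWindowsHookEx chain, so the
hook installed last runs first and must call `next_hook` for the call to
proceed (it cannot skip the hooks behind it). The "monitor" stands in for
a ProcessGuard-like watcher; the sink is the real operation at the bottom.
"""
import ntpath

WATCH_LIST = {r"c:\windows\system32\watched.dll"}   # constructed sample


def canonical(path):
    """The form the sink actually resolves: normalised, case-insensitive."""
    return ntpath.normpath(path).lower()


class HookChain:
    def __init__(self, sink):
        self.hooks = []          # newest first, like a Windows hook chain
        self.sink = sink

    def install(self, hook):
        self.hooks.insert(0, hook)

    def invoke(self, target):
        def run(i, t):
            if i == len(self.hooks):
                return self.sink(t)              # bottom of the chain
            return self.hooks[i](t, lambda t2: run(i + 1, t2))
        return run(0, target)


def make_monitor(events, normalise):
    """Notok's rule: if input then alert; block or allow, then pass on."""
    def monitor(target, next_hook):
        if normalise(target) in WATCH_LIST:
            events.append(("blocked", target))
            return False                         # denied: chain stops here
        events.append(("allowed", target))
        return next_hook(target)
    return monitor


def forwarding_hook(target, next_hook):
    """Installed after the monitor, so it runs before it. It cannot skip the
    monitor, but the monitor only sees the spelling it chooses to forward."""
    return next_hook(target.upper().replace("\\", "/"))


def load_sink(target):
    return canonical(target)     # the real loader resolves the path itself


def simulate(monitor_normalises):
    """Return (sink result or False, event log) for one watched-DLL call.
    With monitor_normalises=False the monitor compares the raw string it was
    handed; with True it compares what the sink will actually resolve."""
    events = []
    chain = HookChain(load_sink)
    normalise = canonical if monitor_normalises else str.lower
    chain.install(make_monitor(events, normalise))
    chain.install(forwarding_hook)   # later install => earlier in chain
    return chain.invoke(r"C:\Windows\System32\watched.dll"), events
```

The lesson for a defender is Pollmaster's: a monitor that is not at the gate must decide on what the gate will resolve, not on the text handed down the chain.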
     