patch guard ... patched

Discussion in 'Ghost Security Suite (GSS)' started by f3x, Mar 19, 2006.

Thread Status:
Not open for further replies.
  1. f3x

    f3x Registered Member

    Joined:
    Feb 6, 2006
    Posts:
    311
    Location:
    Montreal, Quebec
    AppDefend x64 beta was the first program that I know of that can disable PatchGuard to effectively hook the kernel on 64-bit computers.

    The reasoning behind this is that if Jason can patch it... what will stop hackers from doing it? Very few things, really. AppDefend maybe ;)

    Uninformed published an interesting article about the inner workings of PatchGuard and some ways to circumvent it, with proof-of-concept code.

    http://www.uninformed.org/?v=3&a=3

    This proves that Jason is right and we still need non-Microsoft solutions to protect our kernel. Very few people will actually understand the paper as it's very technical, but it shows the kind of development that is behind such a great product.

    Maybe someone can even find a new way to disable PatchGuard in the event of a service pack.
     
  2. gkweb

    gkweb Expert Firewall Tester

    Joined:
    Aug 29, 2003
    Posts:
    1,932
    Location:
    FRANCE, Rouen (76)
    Hello,

    Extremely interesting, thank you f3x very much for this link.
    However, the information there is indeed very technical.

    Maybe Jason can come up with a comment? :)

    Regards,
    gkweb.
     
  3. Jason_R0

    Jason_R0 Developer

    Joined:
    Feb 16, 2005
    Posts:
    1,038
    Location:
    Australia
    Releasing a paper on how to break the protection is something I purposely decided not to do. Things like this do make it a walk in the park for the above-average programmer to come in and circumvent it. When most of the work is in reverse engineering or "trial and error", it stops a lot of people who don't have the technical abilities and/or the time to put into finding a solution.

    I learnt some things from this paper that I myself didn't bother to research, not that it makes any difference in regards to how AppDefend works.
     
  4. f3x

    f3x Registered Member

    Joined:
    Feb 6, 2006
    Posts:
    311
    Location:
    Montreal, Quebec
    Hehe...
    This brings us to the old "should we publish vulnerabilities" problem.
    If we do not, only a few people will know how to do it.
    Then, if those people have good will, they can achieve really great things.
    However, such a secret kept in bad hands can lead to even more powerful rootkits with less powerful security applications.

    A public paper somehow shows that the problem can be more mainstream.
    And big companies like Microsoft often wait for a problem to be critical before properly patching it.

    Publishing such exploits can result in more overall security (more bloated code?).
    Of course, it can also mean some extra work for the legitimate uses of disabling PatchGuard.

    If it becomes really mainstream and PatchGuard is useless, maybe it can even change MS's official position on whether MS should release PatchGuard.
     
  5. Jason_R0

    Jason_R0 Developer

    Joined:
    Feb 16, 2005
    Posts:
    1,038
    Location:
    Australia
    Apparently Vista has been further delayed so Microsoft can "enhance security" even more. I wonder if this has anything to do with PatchGuard. ;)
     
  6. Paranoid2000

    Paranoid2000 Registered Member

    Joined:
    May 2, 2004
    Posts:
    2,839
    Location:
    North West, United Kingdom
    What I find a little surprising is that Microsoft haven't moved the Windows kernel (or as much of it as possible) from Ring0 to Ring1. If PatchGuard (or whatever security mechanism they subsequently employ) only had to secure Ring1 code, then this would mitigate one of the key criticisms made in that paper (the impracticality of securing code with an equal privilege level).

    There would be a performance hit, but this could be minimised with tight, well-crafted code - oops, sorry, we're talking about Microsoft here. :(
     
  7. gkweb

    gkweb Expert Firewall Tester

    Joined:
    Aug 29, 2003
    Posts:
    1,932
    Location:
    FRANCE, Rouen (76)
    In Windows Vista, isn't the kernel concealed in an unreachable zone that you can only access if your driver is signed and approved? Simply speaking, will rootkits exist on Vista? :)
     
  8. f3x

    f3x Registered Member

    Joined:
    Feb 6, 2006
    Posts:
    311
    Location:
    Montreal, Quebec
    The other question is...

    What will be responsible for verifying signatures for new drivers?
    Protection à la PatchGuard?
    You see... one can be cracked... why not the other one...
    So I guess yeah... rootkits will end up making their place.
     