Process Guard [doesn't] fail their own test

Discussion in 'ProcessGuard' started by Jason_DiamondCS, Jan 9, 2004.

Thread Status:
Not open for further replies.
  1. Jason_DiamondCS

    Jason_DiamondCS Former DCS Moderator

    Joined:
    Nov 11, 2002
    Posts:
    1,046
    Location:
    Perth, Western Australia
    Original Post:
    http://forum.misec.net/board/3PSoftware;action=display;num=1073583878

    Thanks to the people who gave me the original URL.

    Even though the person who started the thread didn't even seem able to configure the program or read the help file, I will post a reply.

    Kill method #5: DebugActiveProcess method
    This is still vulnerable on Windows 2000, due to Win2K using RPC/LPC for this undocumented method. It is fine on Windows XP, however.

    Kill method #6: End Task method
    Yeah, simply turn on the option to block End Task: Protection -> General Protection Options -> Block End Task.

    Kill method #7: Window Close method
    Forgot to turn on another option. Click on the program you are protecting in the list, click on "Options" in the combobox that appears, then click "Windows Message Protection".

    So the only method which isn't covered 100% on Windows 2000 machines is kill method #5. On Windows XP all methods are covered 100% when the program is set up correctly.

    -Jason-

    - Fixed link to misec.net
     
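The three termination methods in the post above can be exercised against a throwaway process to confirm that the options Jason names are actually switched on. The harness below is an added example for this page; it is not code from the thread, from DiamondCS or from the APT test tool. It assumes Windows XP or later, a PowerShell whose bitness matches the target, and the same user account as the target; notepad.exe is only a hypothetical stand-in for a process you would protect, and the use of user32!EndTask for method #6 assumes it is the same path as Task Manager's "End Task" button.

```powershell
# Added example (not from the thread, nor DiamondCS/APT code): launch a throwaway target
# and try the three termination methods named in the post, reporting which ones it survives.
# Assumptions: Windows XP or later, PowerShell bitness matching the target, same user account;
# notepad.exe is a hypothetical stand-in for a protected process.
param(
    [string]$TargetExe = 'notepad.exe',
    [int]$TimeoutMs = 3000
)

# user32!EndTask: WM_CLOSE first, then a forced kill when fForce is set and the window does
# not answer (assumption: the same path Task Manager's "End Task" button takes).
Add-Type -Namespace Win32 -Name User32 -MemberDefinition @'
[DllImport("user32.dll", SetLastError = true)]
public static extern bool EndTask(IntPtr hWnd, bool fShutDown, bool fForce);
'@

function Start-Target {
    # Launch a fresh target and wait until it owns a main window, since two of the
    # methods work through window messages rather than through a process handle.
    $p = Start-Process -FilePath $TargetExe -PassThru
    $deadline = [DateTime]::UtcNow.AddMilliseconds($TimeoutMs)
    while ($p.MainWindowHandle -eq [IntPtr]::Zero -and [DateTime]::UtcNow -lt $deadline) {
        Start-Sleep -Milliseconds 100
        $p.Refresh()
    }
    return $p
}

function Invoke-KillMethod {
    param([string]$Name, [scriptblock]$Action)
    $target = Start-Target
    & $Action $target
    $died = $target.WaitForExit($TimeoutMs)
    if ($died) { $verdict = 'target DIED (method not blocked)' }
    else       { $verdict = 'target survived (method blocked)' }
    '{0,-28} {1}' -f $Name, $verdict
    # Clean up with a plain TerminateProcess; on a protected target this is expected to fail too.
    if (-not $died) { Stop-Process -Id $target.Id -Force -ErrorAction SilentlyContinue }
}

# Kill method #7, Window Close: post WM_CLOSE to the main window (Process.CloseMainWindow).
Invoke-KillMethod 'Window Close (WM_CLOSE)' { param($t) [void]$t.CloseMainWindow() }

# Kill method #6, End Task: EndTask with fForce = TRUE on the main window.
Invoke-KillMethod 'End Task (user32!EndTask)' {
    param($t) [void][Win32.User32]::EndTask($t.MainWindowHandle, $false, $true)
}

# Kill method #5, DebugActiveProcess: a separate, short-lived debugger attaches and exits.
# Windows kills the debuggee when its debugger's debug object goes away (DebugSetProcessKillOnExit
# defaults to TRUE), so no TerminateProcess call is made. A child powershell.exe is used
# because the kill happens on debugger exit, not on attach.
Invoke-KillMethod 'DebugActiveProcess' {
    param($t)
    $debugger = @"
Add-Type -Namespace Win32 -Name Dbg -MemberDefinition @'
[DllImport("kernel32.dll", SetLastError = true)]
public static extern bool DebugActiveProcess(uint dwProcessId);
[DllImport("kernel32.dll", SetLastError = true)]
public static extern bool DebugSetProcessKillOnExit(bool KillOnExit);
'@
[void][Win32.Dbg]::DebugSetProcessKillOnExit(`$true)
if (-not [Win32.Dbg]::DebugActiveProcess($($t.Id))) { exit 1 }
"@
    $encoded = [Convert]::ToBase64String([Text.Encoding]::Unicode.GetBytes($debugger))
    Start-Process -FilePath 'powershell.exe' -WindowStyle Hidden -Wait `
        -ArgumentList '-NoProfile', '-EncodedCommand', $encoded
}
```

Run it once against an unprotected notepad.exe to see all three lines report "target DIED", then add the executable to the protected list with "Block End Task" and "Windows Message Protection" enabled and run it again; on Windows 2000 the DebugActiveProcess line is the one the post says will still report a kill.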
  2. siliconman01

    siliconman01 Registered Member

    Joined:
    Mar 6, 2003
    Posts:
    780
    Location:
    West Virginia (USA)
    Hey, thanks Jason for the clarification.

    Lookin' forward to next release of PG! ;)
     
  3. Wayne - DiamondCS

    Wayne - DiamondCS Security Expert

    Joined:
    Jul 19, 2002
    Posts:
    1,533
    Location:
    Perth, Oz
    The next release also adds protection for the only known attack against Process Guard, which is SetWindowsHookEx. This was tricky to add because it's a system service, so it involves working with things like the Interrupt Descriptor Table, which is on the CPU itself, so we needed to add extra code to the driver to support multi-processor machines; but it's all working superbly now, and our beta team will be able to test it this weekend, with a public release expected next week.
     
  4. gkweb

    gkweb Expert Firewall Tester

    Joined:
    Aug 29, 2003
    Posts:
    1,932
    Location:
    FRANCE, Rouen (76)
    Yes Wayne, but the author of the thread isn't talking about SetWindowsHookEx, but about the APT tests, which are in fact all blocked, on my WinXP at least.

    He probably didn't read the help file.

    Good news that next PG release is soon :)
     