Tigzy wrote: I totally agree with you EP. But something I don't want is simply opening the task manager and killing the service associated to my kernel filter.
When you open TaskManager on Vista/7/8 with default system settings (UAC on) - you CANNOT kill anything not running from your account. Once TaskManager is started privileged - it can kill everything, except some internally blacklisted applications. So the question is not how many and which hooks you install - the question is when and how code will be executed. Once something gets system privileges - game over. On x64 you have an advantage because common malware cannot into ring0. So use it.
I don't want to have a fool-proof protection, but just a basic one to avoid at least userland tricks.
Run a service->application combo with the service configured to restart on any error. The service is responsible for running your main tasks and restarting your application, while your application only provides the GUI (requestedExecutionLevel = asInvoker) for manipulating some service features, like for example scan. Protect the service registry keys by removing the current user from the ACL. Remove SeDebugPrivilege from the current user token globally, or downgrade the privileges of every newly starting process in ProcessNotify. That is all - no hooks. Or do you want to be the same laughingstock as these expensive and useless rattles?
http://www.kernelmode.info/forum/viewto ... 657#p16657 <- Without a hook this is impossible; with the Comodo driver an incorrect call to SST becomes legal. Wonderful, isn't it?
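The two configuration steps from the post above (SCM restart-on-failure, then tightening the ACL on the service's registry key), as an added PowerShell example that is not code from the thread or from any poster; the service name and the choice to keep only SYSTEM and BUILTIN\Administrators on the key are assumptions, and it must be run from an elevated prompt:

```powershell
# Added example, not from the thread. Assumption: the companion service is
# already installed under this SCM name and this script runs elevated.
$ServiceName = 'MyFilterSvc'

# 1. Ask the SCM to restart the service on any failure: three restarts,
#    1 second apart, failure counter reset after 24 hours.
#    failureflag=1 additionally treats a non-zero exit code as a failure.
sc.exe failure $ServiceName reset= 86400 actions= restart/1000/restart/1000/restart/1000 | Out-Null
sc.exe failureflag $ServiceName 1 | Out-Null

# 2. Restrict the service key: break inheritance (dropping inherited ACEs),
#    remove any explicit ACEs, then grant full control only to SYSTEM and
#    Administrators, so the interactive user cannot reconfigure or disable
#    the service through the registry.
$KeyPath = "HKLM:\SYSTEM\CurrentControlSet\Services\$ServiceName"
$acl = Get-Acl -Path $KeyPath
$acl.SetAccessRuleProtection($true, $false)
foreach ($rule in @($acl.Access | Where-Object { -not $_.IsInherited })) {
    $acl.RemoveAccessRule($rule) | Out-Null
}
foreach ($sid in @('S-1-5-18', 'S-1-5-32-544')) {   # SYSTEM, BUILTIN\Administrators
    $id   = New-Object System.Security.Principal.SecurityIdentifier($sid)
    $rule = New-Object System.Security.AccessControl.RegistryAccessRule(
        $id, 'FullControl', 'ContainerInherit,ObjectInherit', 'None', 'Allow')
    $acl.AddAccessRule($rule)
}
Set-Acl -Path $KeyPath -AclObject $acl

# 3. Verify what the SCM and the registry now hold.
sc.exe qfailure $ServiceName
(Get-Acl -Path $KeyPath).Access |
    Format-Table IdentityReference, RegistryRights, AccessControlType -AutoSize
```

A member of Administrators running elevated can still take ownership of the key, which is why the post pairs this with keeping the user unprivileged rather than relying on the ACL alone.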
If I'm right, on XP there's no documented way to do this? I'm obliged to use ugly hooks on NtOpenProcess?
PatchGuard won't allow you to do this.
Instead of trying to implement useless features, better focus on the program itself.