Page 1 of 1
New Patchguard in Windows 8
PostPosted:Sat Jan 05, 2013 10:46 pm
by Vrtule
Hello,
I read thie post
http://www.kernelmode.info/forum/viewto ... =14&t=1692 where the author writes that hooking of Win32k system call table is prohibited on Windows 5 (to be more precise: the Patchguard detects modifications of the driver).
I admit I did not expected this change because I had seen hooking of win32k.sys in quite many of well-known security software (Comodo, Kaspersky, Avast, Outpost, SandboxIE). It seems that this change will get them into a lot of troubles.
I tried to find some useful discussions about the topic, however, I did not find anything which would give me information I am looking for. I did not find any official statement what drivers and data structures exactly the Patchguard controls now.I did not see any new interfaces that would help the vendors to make their products equally functional without hooks in win32k.sys.
Do you know about any additional information about the topic?
Thanks in advance
Re: New Patchguard in Windows 8
PostPosted:Sun Jan 06, 2013 1:02 am
by Buster_BSA
Ronen Tzur, author of Sandboxie, has been working in Windows 8 support for some time. Considering his comments he has been having troubles to get Sandboxie supported, but actually he just needs to fix some bugs to get the thing working.
Re: New Patchguard in Windows 8
PostPosted:Mon Jan 07, 2013 7:09 pm
by Vrtule
Theoretically, I am able to cope with Windows Hooks and similar stuff. Raw Input Devices, AttachThreadInput, Get(Async)KeyState (and possibly other system calls), however, are the key points of my interest.
Re: New Patchguard in Windows 8
PostPosted:Thu Feb 07, 2013 3:37 am
by m5home
If you just want to realize window self-protection, you can use JOB OBJECT.
I hear that process in JOB cannot access other processes which not in the same JOB.
Re: New Patchguard in Windows 8
PostPosted:Sat Feb 09, 2013 9:33 pm
by Vrtule
Hello m5home,
I know about Job objects. The problem is they do not allow to decide whether certain operation (sending of a message, installation of a hook) should be permitted or blocked. They block it always (in case of Windows Hooks, processes outside the job are not hooked).
I am interested mainly in the HIPS-like behavior. I think a job object is fine for sandboxing purposes, however, I see its usage in HIPS to be problematic.
Vrtule
Re: New Patchguard in Windows 8
PostPosted:Sun Feb 10, 2013 6:17 pm
by Alex
Vrtule wrote:I read thie post viewtopic.php?f=14&t=1692 where the author writes that hooking of Win32k system call table is prohibited on Windows 5 (to be more precise: the Patchguard detects modifications of the driver).
Does anyone know if this is true?
Vrtule wrote:I admit I did not expected this change because I had seen hooking of win32k.sys in quite many of well-known security software (Comodo, Kaspersky, Avast, Outpost, SandboxIE). It seems that this change will get them into a lot of troubles.
Maybe because of KPP Kaspersky resigned from sandbox in KIS2013?
Buster_BSA wrote:Ronen Tzur, author of Sandboxie, has been working in Windows 8 support for some time. Considering his comments he has been having troubles to get Sandboxie supported, but actually he just needs to fix some bugs to get the thing working.
Sandboxie uses a lot of UM hooks, so it can to the same job by using only them - doesn't it?
Re: New Patchguard in Windows 8
PostPosted:Mon Feb 11, 2013 12:16 pm
by EP_X0FF
Alex wrote:Vrtule wrote:I read thie post viewtopic.php?f=14&t=1692 where the author writes that hooking of Win32k system call table is prohibited on Windows 5 (to be more precise: the Patchguard detects modifications of the driver).
Does anyone know if this is true?
Yes. You can google full of drama topic at MSDN forums where developer of one of such BSOD-generators cry in hysterics. Very funny indeed, using well-known OS security hole in your
commercial product and expect this flaw not be closed in the next version of OS, rofl.
Sandboxie uses a lot of UM hooks, so it can to the same job by using only them - doesn't it?
From what I saw in quick reversing of this dll, this is just a compatibility layer for making sandboxing of application transparent for application itself. For example translate real sandboxie registry keys into virtual names.
As for alternate to hooking, have a look on sandboxie 4.01 implementation, he seems found the way by implementing something like restricted security context.
HIPS and x64 lol, no thanks.
Re: New Patchguard in Windows 8
PostPosted:Tue Feb 12, 2013 2:15 pm
by EP_X0FF
@myid
Use "Private messages" if you want to ask somebody about something personal. Offtopic removed.
Re: New Patchguard in Windows 8
PostPosted:Tue Jul 01, 2014 9:49 pm
by moda
EP_X0FF wrote:
Very funny indeed, using well-known OS security hole in your commercial product and expect this flaw not be closed in the next version of OS, rofl.
To be fair, (I read) that Windows specifically didn't include Patchguard in any future x86 versions because so many commercial products violated it, so it's an understandable assumption.
Re: New Patchguard in Windows 8
PostPosted:Wed Jul 02, 2014 4:23 am
by EP_X0FF
moda wrote:EP_X0FF wrote:
Very funny indeed, using well-known OS security hole in your commercial product and expect this flaw not be closed in the next version of OS, rofl.
To be fair, (I read) that Windows specifically didn't include Patchguard in any future x86 versions because so many commercial products violated it, so it's an understandable assumption.
1) What is the point of this necroposting?
2) You read wrong.
Necroposting. Closed.