Re[4]: Protecting code and data in Windows
From: Eric Landuyt (eric_at_datarescue.com)
Date: 10/03/03
- Previous message: Wiest, Damian: "RE: Re[2]: Protecting code and data in Windows"
- In reply to: Dana Epp: "Re: Re[2]: Protecting code and data in Windows"
- Next in thread: Muzaffar Mahkamov: "Re[5]: Protecting code and data in Windows"
- Reply: Muzaffar Mahkamov: "Re[5]: Protecting code and data in Windows"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Fri, 3 Oct 2003 09:32:17 +0200
To: secprog@securityfocus.com
Hello,
Thursday, October 02, 2003, 9:12:49 PM, you wrote:
DE> How about using something like VirtualProtectEx() and set the memory storing
DE> the key to PAGE_GUARD. If anything tried to access that page you would get
DE> an alarm/exception of STATUS_GUARD_PAGE. Any time you need to read the key
DE> you can promote the access state to PAGE_READONLY to do the read, then
DE> demote it back to PAGE_GUARD when done. The result here would be that if
DE> anything tries to touch that memory when it SHOULDN'T, you could get a
DE> chance to defend against it or fail securely.
This approach could be interesting to "protect" from malicious code
injected in the process itself: Windows itself uses such a mechanism
to implement automatic stack checking (see [1]).
However, another process (with Debug Programs privilege) which will use
ReadProcessMemory() [2] to access the memory of our protected process
will not generate such a STATUS_GUARD_PAGE exception in the context of
this protected process...
More generally, another process with Debug Programs privilege has
an almost unlimited set of possibilities to access data, manipulate
the execution flow, ... of another process (think
WriteProcessMemory(), CreateRemoteThread(), SetThreadContext(), ...).
So the first problem to solve will be to prevent such a debugger
from attaching to our critical process. Once a debugger can attach, the
game is over.
Best regards,
---
[1] http://msdn.microsoft.com/library/default.asp?url=/library/en-us/memory/base/creating_guard_pages.asp
[2] http://msdn.microsoft.com/library/default.asp?url=/library/en-us/debug/base/readprocessmemory.asp
--
Eric Landuyt, Developer - mailto:eric@datarescue.com
DataRescue sa/nv, Home of the IDA Pro Disassembler - http://www.datarescue.com