Re: WriteProcessMemory and ReadProcessMemory

• Previous message: sbardhan_at_adelphia.net: "Re: Wrapper CSP"
• Maybe in reply to: Sam Hobbs: "WriteProcessMemory and ReadProcessMemory"
• Next in thread: lelteto: "Re: WriteProcessMemory and ReadProcessMemory"
• Reply: lelteto: "Re: WriteProcessMemory and ReadProcessMemory"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

Date: Sat, 24 Sep 2005 10:29:03 -0700

Thank you very much. I was nearly certain that this was the situation but I
could not be totally sure. I can't speak authoritatively enough. On the
other hand, you are definitely authoritative enough. It is an immense help
to have your answer that you have provided here.

I even wrote a message to the author of Writing Secure Code but he did not
understand that I was asking because other people are advising other people
to use WriteProcessMemory/ReadProcessMemory for IPC. I explained in a reply
but that is as far as I got that way.

In addition to Administrators, developers also need debug privilege, but you
know that. I assume you would agree that good managers would reject software
that requires debug privileges for all users of it (unless they would all be
Administrators and/or developers due to the purpose of the software).

As far as performance, shared memory is significantly more efficient, but
that is off-topic for here. The only real advantage of
WriteProcessMemory/ReadProcessMemory for IPC is simplicity for the
programmer.

"lelteto" <lelteto@discussions.microsoft.com> wrote in message
news:387F19D9-1F24-4B72-868D-0B89E6B31FFC@microsoft.com...
> The problem with these APIs is that they require DEBUG PRIVILEGE (in order
> to
> attach to the process). If you have this privilege than you can attach to
> ANY
> PROCESS including eg. virusscan, firewall, services etc. and can modify
> their
> behavior to your liking (eg. disable them). Obviously this broad "can do
> anything" right is a security risk. (Well, if you are running as Admin on
> the
> computer you have this right anyway.)
> If you want to use the memory for IPC communication than use SHARED MEMORY
> (named or unnamed memory mapped files). The speed could be the same
> (memory
> access) but it doesn't have the security risk of touching the other
> process'
> code and/or normal data area.
>
> Laszlo Elteto
> SafeNet, Inc.
>
> "Sam Hobbs" wrote:
>
>> In at least a couple of programming forums, programmers are advised to
>> use
>> WriteProcessMemory/ReadProcessMemory for IPC. My impression is that it is
>> (they are) not a good solution for IPC.
>>
>> I won't try to convince someone that they should not use
>> WriteProcessMemory/ReadProcessMemory for IPC, and I won't use
>> WriteProcessMemory/ReadProcessMemory for IPC, but it seems to me that I
>> should say something indicating that use of
>> WriteProcessMemory/ReadProcessMemory for IPC is not a good solution.
>>
>> Is there any security-related potential problem with use of
>> WriteProcessMemory/ReadProcessMemory for IPC? In particular, would use of
>> WriteProcessMemory/ReadProcessMemory for IPC require use of a higher set
>> of
>> permissions in a manner that is a potential security risk?
>>
>> People say that use of WriteProcessMemory/ReadProcessMemory for IPC is
>> not
>> good, but no one has provided an explanation for why it is not good that
>> is
>> sufficient to use for advising others. In other words, it is foolish to
>> post
>> a comment that simply says that it is not good to use
>> WriteProcessMemory/ReadProcessMemory for IPC. If it is not good, then
>> there
>> must be an eplanation for why it is not good.
>>
>>
>>

• Previous message: sbardhan_at_adelphia.net: "Re: Wrapper CSP"
• Maybe in reply to: Sam Hobbs: "WriteProcessMemory and ReadProcessMemory"
• Next in thread: lelteto: "Re: WriteProcessMemory and ReadProcessMemory"
• Reply: lelteto: "Re: WriteProcessMemory and ReadProcessMemory"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]