Re: Preventing WinLogon entry points being called by external programs
- From: "Ondrej Sevecek" <ondra at my_surname dot com>
- Date: Thu, 12 Jan 2006 11:37:29 +0100
Several answers:
- to open user token - OpenThreadToken() if you have impersonated some user,
or OpenProcessToken() if you want your process real identity
- memory injection can be done only from the same account that runs the
other process or from under administrator account (SeDebugPrivilege or so).
So no problem for your application.
- you can as well restrict the access to your DLL by setting NTFS
EXECUTE/READ permissions for the .DLL files only e.g. for SYSTEM.
O.
"Skywing" <skywing_NO_SPAM_@xxxxxxxxxxxxxxxxxxx> wrote in message
news:OnEmP4tFGHA.1032@xxxxxxxxxxxxxxxxxxxxxxx
> BTW, you should consider the possibility that a malicious user might patch
> some instructions in your notification package to disable any checks you
> might have that you are running under winlogon. You should be sure that
> you aren't designing your program such that this will allow a user to
> compromise the system.
>
> "Anthony Wieser" <me@xxxxxxxxxxxxxxxx> wrote in message
> news:43c54e8c$0$1480$ed2619ec@xxxxxxxxxxxxxxxxxxxxxxxxxxxxx
>> So, run without impersonation, and then use ImpersonateLoggedOnUser when
>> the validation succeeds.
>>
>> The trouble is, I now can't figure out how to get the token of the logged
>> on user from my Winlogon package, because I'd like to perform the actions
>> in the security context of the logged on user too.
>>
>> Anthony Wieser
>> Wieser Software Ltd
>>
>>
>> "Ondrej Sevecek" <ondra at my_surname dot com> wrote in message
>> news:OXluNisFGHA.216@xxxxxxxxxxxxxxxxxxxxxxx
>>> check the process's access token for local system account. It will
>>> either mean it is the regular winlogon or any other application running
>>> under the local system account. But when an application is running under
>>> local system, you cannot be secure against it anyway. So this check
>>> should be sufficient.
>>>
>>>
>>> O.
>>>
>>>
>>> "Anthony Wieser" <me@xxxxxxxxxxxxxxxx> wrote in message
>>> news:43bea03b$0$1461$ed2619ec@xxxxxxxxxxxxxxxxxxxxxxxxxxxxx
>>>> Hello,
>>>>
>>>> I'm developing a Winlogon notification package, and need to prevent my
>>>> entry points from doing anything, unless they've been called by the
>>>> Winlogon itself, instead of another program like rundll32.exe or some
>>>> such.
>>>>
>>>> What test can I perform to verify that it is a legitimate caller
>>>> (winlogon.exe I assume) that has not been tampered with or renamed?
>>>>
>>>> Anthony Wieser
>>>> Wieser Software Ltd
>>>>
>>>>
>>>
>>>
>>
>>
>
>
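The LocalSystem token check described in this thread, as an added example in C (not code from any of the posters): the portable part parses a binary SID and accepts only S-1-5-18, the constant sample SIDs are constructed test data, and the Win32 wrapper (compiled only under _WIN32, an assumption of this example) reads the process token's user with OpenProcessToken and GetTokenInformation.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
/* Binary SID layout: Revision(1) SubAuthorityCount(1) IdentifierAuthority(6, big-endian)
 * SubAuthority[count](4 each, little-endian). LocalSystem is S-1-5-18. */
bool sid_is_local_system(const uint8_t *sid, size_t len)
{
    static const uint8_t nt_authority[6] = { 0, 0, 0, 0, 0, 5 };
    if (sid == NULL || len < 8) return false;
    if (sid[0] != 1 || sid[1] != 1) return false;           /* revision 1, one sub-authority */
    if (len < 8 + 4u * sid[1]) return false;                /* truncated buffer */
    if (memcmp(sid + 2, nt_authority, sizeof nt_authority) != 0) return false;
    uint32_t rid = (uint32_t)sid[8] | ((uint32_t)sid[9] << 8) |
                   ((uint32_t)sid[10] << 16) | ((uint32_t)sid[11] << 24);
    return rid == 18;                                        /* SECURITY_LOCAL_SYSTEM_RID */
}
/* Constructed sample SIDs so the parser can be exercised offline. */
const uint8_t kLocalSystemSid[12]  = { 1, 1, 0, 0, 0, 0, 0, 5, 18, 0, 0, 0 }; /* S-1-5-18 */
const uint8_t kLocalServiceSid[12] = { 1, 1, 0, 0, 0, 0, 0, 5, 19, 0, 0, 0 }; /* S-1-5-19 */
const uint8_t kTruncatedSid[8]     = { 1, 1, 0, 0, 0, 0, 0, 5 };              /* RID missing */
#ifdef _WIN32
#include <windows.h>
/* 1 if this process's token user is LocalSystem, 0 if not, -1 on API failure. */
int process_runs_as_local_system(void)
{
    union { TOKEN_USER tu; BYTE raw[sizeof(TOKEN_USER) + SECURITY_MAX_SID_SIZE]; } u;
    HANDLE tok;
    DWORD need = 0;
    if (!OpenProcessToken(GetCurrentProcess(), TOKEN_QUERY, &tok)) return -1;
    BOOL ok = GetTokenInformation(tok, TokenUser, &u, sizeof u, &need);
    CloseHandle(tok);
    if (!ok) return -1;
    return sid_is_local_system((const uint8_t *)u.tu.User.Sid,
                               GetLengthSid(u.tu.User.Sid)) ? 1 : 0;
}
#endif
int main(void)
{
    printf("S-1-5-18 -> %d, S-1-5-19 -> %d\n",
           sid_is_local_system(kLocalSystemSid, sizeof kLocalSystemSid),
           sid_is_local_system(kLocalServiceSid, sizeof kLocalServiceSid));
#ifdef _WIN32
    printf("current process is LocalSystem: %d\n", process_runs_as_local_system());
#endif
    return 0;
}
```

As Skywing notes above, a caller that already runs with enough privilege to load or patch the DLL can bypass this test as well, so it only raises the bar against non-system callers such as rundll32.exe.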