Doron
Thu Aug 03 20:36:52 CDT 2006
I mean altering the stack through the debugger, not at runtime in another
driver.
d
--
Please do not send e-mail directly to this alias. this alias is for
newsgroup purposes only.
This posting is provided "AS IS" with no warranties, and confers no rights.
<soviet_bloke@hotmail.com> wrote in message
news:1154587249.114268.79270@m79g2000cwm.googlegroups.com...
> Hi Doron
>
>> 1) I can set the image name to null.sys in the registry and reboot.
>
> In fact, Don apparently meant disabling a driver without terminating the
> current session...
> Let's face it - the thing you mentioned is already out of the programmer's
> control. Actually, if users with Admin privileges are somehow unhappy about
> your service, they can just uninstall it in the first place.
>
>> 2) I can hook up a debugger and change your code/device stack layout
>
> It is really funny that you have raised this issue on the thread where
> both Don and I are participants... The thing is, we always argue about
> the advantages and disadvantages of "unsupported" tricks (mainly hooking
> vs. filtering). Therefore, you just presented a deadly serious argument
> against using filtering in security software. The problem is that, once
> the lower device, its driver object and the addresses of all its handlers
> can be easily discovered, ANY(!!!) filter driver can be literally stripped
> of its functionality really easily. All you have to do is capture calls
> and forward them directly to the lower device, so that the filter driver
> does not have the slightest chance to see calls that are being made to
> the lower device. However, if you rely upon hooking, neutralizing your
> driver is not that easy, because no one, apart from your driver, knows
> the address of the target function.
>
> Anton Bassov
>
>
>
>
> Doron Holan [MS] wrote:
>> 1) I can set the image name to null.sys in the registry and reboot.
>> 2) I can hook up a debugger and change your code/device stack layout
>>
>> d
>>
>> --
>> Please do not send e-mail directly to this alias. this alias is for
>> newsgroup purposes only.
>> This posting is provided "AS IS" with no warranties, and confers no
>> rights.
>>
>>
>> <soviet_bloke@hotmail.com> wrote in message
>> news:1154575388.499389.297350@b28g2000cwb.googlegroups.com...
>> > Hi Don
>> >
>> >
>> >> You recognize that administrator privilege will allow people to
>> >> disable your driver, so security is limited.
>> >
>> > But who forces you to implement an Unload() routine and configure your
>> > service as a stoppable one? If you don't do it, disabling your driver
>> > is a bit tricky, don't you think?
>> >
>> > Anton Bassov
>> >
>> >
>> > Don Burn wrote:
>> >> When you say port blocker, do you mean no one can access the physical
>> >> device, or that the parallel port driver is stopped from operation, so
>> >> no one (or by some schema only blessed stuff) can write to it?
>> >>
>> >> If you mean the latter, and presuming:
>> >>
>> >> 1. You recognize that administrator privilege will allow people to
>> >> disable your driver, so security is limited.
>> >> 2. That system access control can do this for you, so why write a
>> >> driver.
>> >>
>> >> If with the above you still want to proceed, you will need a filter
>> >> that passes through all regular operations except IRP_MJ_CREATE
>> >> (assuming you want to be able to enable and disable this
>> >> functionality) and handles plug and play and power correctly. For the
>> >> create call you fail the call when you do not want access and allow it
>> >> when you do.
>> >>
>> >> I would not do this with WDM since you are asking for a lot of work you
>> >> do not need. Instead get KMDF, which will take care of the PnP and Power
>> >> stuff for you.
>> >>
>> >>
>> >> --
>> >> Don Burn (MVP, Windows DDK)
>> >> Windows 2k/XP/2k3 Filesystem and Driver Consulting
>> >>
>> >> http://www.windrvr.com
>> >> Remove StopSpam from the email to reply
>> >>
>> >>
>> >>
>> >> "Debabrata" <debabrata@stellarinfo.com> wrote in message
>> >> news:uSf7%23MjtGHA.4852@TK2MSFTNGP02.phx.gbl...
>> >> > Hi ..
>> >> > I need to implement an IO port blocker in the form of a WDM driver
>> >> > (filter driver). I will start with the elementary case, namely the
>> >> > blocking of the parallel port. Any ideas about how to proceed?
>> >> > Will completing IRP_MJ_READ/IRP_MJ_WRITE using IoCompleteRequest
>> >> > work, or is there any other way out?
>> >> >
>> >> > Regards
>> >> > DC
>> >> >
>> >> >
>> >
>
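Added example, not part of the thread and not anyone's driver code: a user-mode C model of the WDM dispatch path that puts Don Burn's design (pass everything through except IRP_MJ_CREATE, which the filter fails while blocking is on) next to Anton Bassov's objection (whoever holds the lower device object pointer can send the IRP straight to it and the filter never runs). NTSTATUS, IRP_MJ_*, IoCallDriver and the device/IRP structs are local stand-ins that only echo the WDK names; the "parport" device, the filter's `block_opens` flag and the `seen_by_filter` instrumentation are constructed for the illustration and the whole thing builds with an ordinary C compiler, no WDK needed.

```c
#include <stdio.h>
#include <string.h>

/* Constructed user-mode model of a WDM device stack. NTSTATUS, IRP_MJ_*,
 * IoCallDriver etc. are local definitions that echo the WDK names; nothing
 * here touches the kernel or needs the WDK to build. */
typedef long NTSTATUS;
#define STATUS_SUCCESS       ((NTSTATUS)0x00000000L)
#define STATUS_ACCESS_DENIED ((NTSTATUS)0xC0000022L)

enum { IRP_MJ_CREATE = 0x00, IRP_MJ_READ = 0x03, IRP_MJ_WRITE = 0x04,
       IRP_MJ_MAXIMUM_FUNCTION = 0x1b };

typedef struct IRP {
    unsigned char MajorFunction;
    int seen_by_filter;   /* instrumentation: did the filter's dispatch run? */
} IRP;

typedef struct DEVICE_OBJECT DEVICE_OBJECT;
typedef NTSTATUS (*PDRIVER_DISPATCH)(DEVICE_OBJECT *, IRP *);

struct DEVICE_OBJECT {
    /* In WDM this table lives in the DRIVER_OBJECT; flattened here. */
    PDRIVER_DISPATCH MajorFunction[IRP_MJ_MAXIMUM_FUNCTION + 1];
    DEVICE_OBJECT *lower;  /* what IoAttachDeviceToDeviceStack() returned */
    int block_opens;       /* filter policy: fail IRP_MJ_CREATE while set */
};

/* IoCallDriver(): hand the IRP to the dispatch routine of the given device. */
static NTSTATUS IoCallDriver(DEVICE_OBJECT *dev, IRP *irp) {
    return dev->MajorFunction[irp->MajorFunction](dev, irp);
}

/* Stand-in for the port driver (parport.sys): accepts everything it sees. */
static NTSTATUS ParportDispatch(DEVICE_OBJECT *dev, IRP *irp) {
    (void)dev; (void)irp;
    return STATUS_SUCCESS;
}

/* Filter: every major function except CREATE goes down unchanged. Real code:
 * IoSkipCurrentIrpStackLocation(irp); return IoCallDriver(lower, irp); */
static NTSTATUS FilterPassThrough(DEVICE_OBJECT *dev, IRP *irp) {
    irp->seen_by_filter = 1;
    return IoCallDriver(dev->lower, irp);
}

/* Filter: CREATE is failed while blocking is on, otherwise forwarded. On the
 * deny path real code sets irp->IoStatus.Status = STATUS_ACCESS_DENIED and
 * calls IoCompleteRequest(irp, IO_NO_INCREMENT); parport never sees the IRP. */
static NTSTATUS FilterCreate(DEVICE_OBJECT *dev, IRP *irp) {
    irp->seen_by_filter = 1;
    if (dev->block_opens)
        return STATUS_ACCESS_DENIED;
    return IoCallDriver(dev->lower, irp);
}

typedef struct PORT_STACK { DEVICE_OBJECT parport, filter; } PORT_STACK;

/* Build "filter attached above parport" and return the top of the stack, the
 * device object an open of the port's name reaches first. */
static DEVICE_OBJECT *BuildStack(PORT_STACK *s, int block_opens) {
    int i;
    memset(s, 0, sizeof *s);
    for (i = 0; i <= IRP_MJ_MAXIMUM_FUNCTION; i++) {
        s->parport.MajorFunction[i] = ParportDispatch;
        s->filter.MajorFunction[i]  = FilterPassThrough;
    }
    s->filter.MajorFunction[IRP_MJ_CREATE] = FilterCreate;
    s->filter.lower = &s->parport;
    s->filter.block_opens = block_opens;
    return &s->filter;
}

/* Send one IRP to a chosen device object; report whether the filter saw it. */
static NTSTATUS SendIrp(DEVICE_OBJECT *dev, unsigned char major, int *seen) {
    IRP irp; NTSTATUS st;
    irp.MajorFunction = major; irp.seen_by_filter = 0;
    st = IoCallDriver(dev, &irp);
    if (seen) *seen = irp.seen_by_filter;
    return st;
}

int main(void) {
    PORT_STACK s;
    DEVICE_OBJECT *top = BuildStack(&s, 1);   /* blocking switched on */
    int seen; NTSTATUS st;
    st = SendIrp(top, IRP_MJ_CREATE, &seen);
    printf("open via stack:        0x%08lx (filter ran: %d)\n", (unsigned long)st, seen);
    st = SendIrp(top, IRP_MJ_WRITE, &seen);
    printf("write via stack:       0x%08lx (filter ran: %d)\n", (unsigned long)st, seen);
    /* The bypass Anton Bassov describes: code that has located the lower
     * device object sends the IRP straight to it, and the filter never runs. */
    st = SendIrp(s.filter.lower, IRP_MJ_CREATE, &seen);
    printf("open sent to parport:  0x%08lx (filter ran: %d)\n", (unsigned long)st, seen);
    return 0;
}
```

Two things the model makes visible that the prose only implies. First, because only CREATE is failed, a WRITE sent through the stack still succeeds while blocking is on: a handle opened before the block was switched on keeps working, which is the trade-off of failing creates instead of reads and writes as the original question proposed. Second, the bypass needs a caller that already has the lower device object pointer, i.e. kernel-mode code, which lands on the same administrator boundary Don Burn and Doron Holan point at.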