
Vista Protected Processes Bypassed

CowboyNeal posted more than 7 years ago | from the falling-confidence-levels dept.


Anonymous Hero writes "Security Researcher Alex Ionescu strikes again, this time with a proof of concept program that will arbitrarily enable and foremost disable the protection of so-called 'protected processes' in Windows Vista. Not only threatening Vista DRM and friends, it's also another step towards hardened and even more annoying malware. Normally, only specially signed processes made by special companies (decided by Microsoft) can be protected, but now the bad guys can protect any evil process they want, including the latest version of their own keylogger, spambot, or worm, as well as unprotect any 'good' one."


Other OSes (0, Offtopic)

tsa (15680) | more than 7 years ago | (#18647229)

Is it possible to do this in other operating systems?

Re:Other OSes (4, Funny)

Anonymous Coward | more than 7 years ago | (#18647293)

No, this feature is available only in Windows Vista.

Re:Other OSes (4, Insightful)

diegocgteleline.es (653730) | more than 7 years ago | (#18647567)

No, other operating systems don't have this stupid notion of "protected processes", not even XP has it, only vista.

In related news (5, Funny)

tinkertim (918832) | more than 7 years ago | (#18647251)

A spokesperson for Microsoft was quoted as saying :

This is only an issue if you're downloading and watching porn. You should be watching only wholesome media, like "What About Bob [wikipedia.org]", instead.

Re:In related news (5, Insightful)

_KiTA_ (241027) | more than 7 years ago | (#18647637)


A spokesperson for Microsoft was quoted as saying :

        This is only an issue if you're downloading and watching porn. You should be watching only wholesome media, like "What About Bob", instead.


People are modding this as flamebait, but I've seen far, FAR too many IT professionals take that stance with Spyware / Malware. I've seen a system get all sorts of nasty winlogon-enabled Spyware within minutes of being hooked up to a network, with no action on the user's part. Not only that, in a world where banner ad companies can get infected with trojans [out-law.com] the idea of people only getting infected if they're doing something "shady" on their machine is utterly absurd.

Re:In related news (-1, Troll)

jafiwam (310805) | more than 7 years ago | (#18648325)

Yes. Because everyday surfers everywhere are constantly picking up infectious shit off mainstream web sites such as Disney, CNN, Fox News (ok that one), Slashdot and Fark.

Whereas the collective observations of thousands of admins amounts to nothing because you are too uptight to admit you are surfing porn to us when it is obvious to everybody in the industry that infection and porn go together like cookies and cream.

Hello, we like good porn too, just realize you take a dumb risk when you do search for it, and shouldn't do it with a "critical" middle management laptop in any case.

Re:In related news (4, Interesting)

cduffy (652) | more than 7 years ago | (#18648421)

The only infection my home Windows system has ever had came from a MySpace page my wife was browsing. Both of us appreciate good porn, and use that system for viewing it -- and, as I said, the only infection we've ever had was from MySpace.

The parent is not necessarily too uptight to admit surfing porn.

Re:In related news (3, Insightful)

LighterShadeOfBlack (1011407) | more than 7 years ago | (#18648503)

You're wrong. The "collective observations of thousands of admins" is in fact little more than assumptions and anecdotes perpetuated by people such as yourself.

Do a significant proportion of porn sites have malware? Probably.

Is there a greater risk of getting infected by malware when surfing for porn than doing "wholesome" surfing? Perhaps.

Is a malware infection reason enough to presume that they got it from browsing porn and/or piracy-related sites? Not in the slightest in my experience. If you've got differing experiences that prove me wrong, by all means collate your data and present your findings because I and I'm sure many other people working in admin or IT roles would love some hard numbers on the nature of malware sources online. Until then I'll have to assume the "observations of thousands of admins" you speak of are in fact nothing more than your own pre-conceptions.

Re:In related news (0)

Anonymous Coward | more than 7 years ago | (#18648615)

Yeah, I mean only sickos search for song lyrics online [google.com] - good people never do that!

Re:In related news (3, Informative)

tinkertim (918832) | more than 7 years ago | (#18648441)

People are modding this as flamebait, but I've seen far, FAR too many IT professionals take that stance with Spyware / Malware. I've seen a system get all sorts of nasty winlogon-enabled Spyware within minutes of being hooked up to a network, with no action on the user's part. Not only that, in a world where banner ad companies can get infected with trojans the idea of people only getting infected if they're doing something "shady" on their machine is utterly absurd.


It was a joke, just a joke and only a joke.

The link given is to Microsoft Bob, which Microsoft gave up on shortly after launching it and (according to Wikipedia) later admitted the product was their single largest failure in their company history.

You'd need to remember Bob in order to appreciate that Vista is well on its way to being "Bob 2".

I suppose any joke could be taken as flamebait lol, but really, its just a joke. Better put in /. terms :

its funny, laugh. .. or perhaps not, since I had to explain it :)

Can we have Source? (2, Interesting)

Anonymous Coward | more than 7 years ago | (#18647261)

I most certainly hope he releases the source for this. We *know* the bad guys will invent the time to figure out how this works. Let's be on level ground, shall we?

Why do they even bother? (2, Insightful)

Mr_eX9 (800448) | more than 7 years ago | (#18647267)

All of this "security" is just crap if it can apparently be exploited so easily.

Re:Why do they even bother? (4, Insightful)

cyphercell (843398) | more than 7 years ago | (#18647429)

no it's worse than crap when it can be exploited so easily. I read it as malware can become a "protected process", as in protected processes that the administrator doesn't have control over.

Re:Why do they even bother? (1, Insightful)

Anonymous Coward | more than 7 years ago | (#18647981)

Well, now I can honestly say "Wow!".

Re:Why do they even bother? (4, Funny)

cyphercell (843398) | more than 7 years ago | (#18648149)

after a $b investment over five years from the dominant player in operating systems, yes "The WOW starts Now!"

Re:Why do they even bother? (1)

Surt (22457) | more than 7 years ago | (#18647865)

Alternatively, it's great. By being so breakable we sucker the evil DRM lords into another copy protection regime that ultimately doesn't work.

Re:Why do they even bother? (5, Insightful)

Rodness (168429) | more than 7 years ago | (#18647909)

I agree.

The problem with Microsoft is not so much one of bugs as it is a problem with their general design philosophy.

Such as providing mechanisms for your own developers to bypass the security of the entire system to make some friggin media clips play more smoothly. News flash, idiots: if you provide two paths through security, a strongly checked path and a weakly checked path, you incentivize attackers to take the weak path! And if you provide those hooks for your own developers to bypass security, then attackers can use them too!

They were probably praying that no one would ever figure out that those hooks were there... and security by obscurity is very, very poor design.

My inclinations against myself or my family running vista just got a +1 Justification.

Can't beat em, join em? (1)

friend.ac (1071626) | more than 7 years ago | (#18647277)

Can you imagine if companies actually recruited these people who were skilled enough to break their OSs? I know I've paid someone who hacked into my site, to find any further holes (fortunately they didn't!) and it's far cheaper in the long run..

Re:Can't beat em, join em? (5, Insightful)

Fallen Kell (165468) | more than 7 years ago | (#18647341)

The problem with this is that the said paid hackers get better pay working on the exploits on their own and selling them in the black market. A lot of exploit code goes for $5000 a pop to the people who use it, and there are plenty of buyers (and it is not like they can't sell to multiple people, and make N*$5000 for a single good exploit). Heck, something like the above would easily sell hundreds or possibly thousands of times for $5000 a pop. Can most software companies afford to pay hackers the $300,000-500,000 a year that a good one could easily make off a single exploit?

Re:Can't beat em, join em? (2, Insightful)

Anonymous Coward | more than 7 years ago | (#18647477)

>>Can most software companies afford to pay hackers the $300,000-500,000 a year that a good one could easily make off a single exploit?

Microsoft can.

You think so? (2, Insightful)

Fallen Kell (165468) | more than 7 years ago | (#18647575)

Do you really think so? Why would MS pay someone $300,000-500,000 when they have people who get $70,000 that could simply scan the code itself? They won't upset their current pay scales and pay grades to place "hackers" into their business units. For one, many of those "hackers" are hackers because they have a record of conduct that does not work in a normal business environment. Be it social, societal or other issues (potentially and not limited to criminal and trust issues). In fact, some people may not even be employable due to said activities due to security reasons.

Again, MS sure isn't going to hire a hacker who is paid more than their bosses and that is for sure.

Re:You think so? (3, Funny)

sqlrob (173498) | more than 7 years ago | (#18647595)

Right, like those code scanners that preemptively found the second ANI bug after the first was found. Those code scanners?

Re:Can't beat em, join em? (1)

Anonymous Coward | more than 7 years ago | (#18647641)

I cant wait until someone creates an auction site where they sell off exploits.

Forcing companies to pay for flaws/exploits in their software might make them actually give a crap about securing them in the first place.

Re:Can't beat em, join em? (1)

Surt (22457) | more than 7 years ago | (#18647929)

I've seen plenty of exploits for auction on ebay over the years.

Re:Can't beat em, join em? (1)

Joe The Dragon (967727) | more than 7 years ago | (#18647979)

I got it buy hackbay.com and put it up for sale.

Re:Can't beat em, join em? (1)

iminplaya (723125) | more than 7 years ago | (#18648685)

Damn! With those kind of incentives, I wonder if pencil and paper are safe.

Re:Can't beat em, join em? (3, Insightful)

misleb (129952) | more than 7 years ago | (#18647555)

Sure, but what kind of employees do these people make? And will they have the same motivation if they are being paid to do it? It is highly variable. Your little website is one thing, but if you're microsoft, you have a lot to lose. Maybe the hacker just wants to get on the inside to get better info for future illicit hacks... or worse, put in backdoors.

-matthew

Re:Can't beat em, join em? (1)

friend.ac (1071626) | more than 7 years ago | (#18647657)

Hi Matthew..

I completely agree with you, and know that my priorities of securing people's information and ensuring there are no holes far outweigh Microsoft's obligations ;-) It was fairly easy to manage the 'third person', any vulnerabilities were noted down and acted on immediately, and he was paid to find further vulnerabilities (which fortunately he didn't). My reasoning for this was someone, or he, was going to find any holes anyway, what better way for him to report them to me and get paid for doing it.

Sure, it's only a small website with several thousand transactions a day, but I care about my users and wanted any security implications brought to my attention as soon as possible, and fixed as soon as possible, and our agreement worked fantastically - no further holes have been found, and lessons were learnt. That's probably why me and Microsoft differ, I care about my end users - you only have to look at their recurring .ANI bug and refusal to fess up to realize the difference ;-)

Re:Can't beat em, join em? (0)

Anonymous Coward | more than 7 years ago | (#18648075)

if you're microsoft, you have a lot to lose.

Not as much as you would have had yesterday (if you were microsoft). And tomorrow there will be even less to lose.

Microsoft is circling the drain...

As the Gubenator once said, Hasta la Vista, Baby!

Re:Can't beat em, join em? (3, Funny)

ultranova (717540) | more than 7 years ago | (#18648079)

Your little website is one thing, but if you're microsoft, you have a lot to lose. Maybe the hacker just wants to get on the inside to get better info for future illicit hacks... or worse, put in backdoors.

Why would anyone bother putting in more backdoors to the OS equivalent of Goatse ?

Re:Can't beat em, join em? (3, Interesting)

sjames (1099) | more than 7 years ago | (#18648407)

That's MS's big problem. A LOT of people WANT them to fail because they're MS. Because fundamentally, a computer and its OS is supposed to do what the user wants, not what Bill Gates, the RIAA and the MPAA want it to do. There are enough people out there who know how to hack it up so it actually does do what they want. The more pragmatic ones WANT MS to fail because that's how to crack the content they want.

Once the hacking is accomplished, a significant number of people will then abuse that code to get other people's computers to do what THEY want rather than what Bill wants (doing what the user wants is simply not up for discussion).

The real beauty here is that the "bad guys" are turning the OS's own features against the creator (the other bad guys). The divine appropriateness of that is simply irresistible.

Re:Can't beat em, join em? (0)

Anonymous Coward | more than 7 years ago | (#18647645)

I've paid someone who hacked into my site, to find any further holes (fortunately they didnt!)

Actually they found several and added another backdoor for good measure.

Re:Can't beat em, join em? (1)

AnonymousCactus (810364) | more than 7 years ago | (#18648397)

It's a lot easier to break a system than to make sure it's totally secure.
If you're Microsoft, then it's even more difficult because you have to support tons of third-party outfits, legacy crap, and who-knows-what that the Office team requires.
I think you'd be amazed to see how many exploits they prevented pre-emptively.
Microsoft gets a lot of crap, but what they're trying is really hard. Implementing secure software is hard enough, now try doing so in a way that agrees with thousands of companies that you rely on, and which every hacker in the world will try to break. If Linux tried that, it wouldn't hold up either. Thank God, it doesn't...

Marketing Strategy (1)

HillaryWBush (882804) | more than 7 years ago | (#18647283)

People in the know, know: if there was ever a time to upgrade it's now.

Because it's only gonna be worse as time goes on...

Highly amusing! (1)

gweihir (88907) | more than 7 years ago | (#18647297)

At the moment these people are doing great work. Just take the promises MS made and see them being invalidated pice by pice!

The bottom line is that no matter what OS, competent system administration is essential. However MS makes system administration a lot harder than it is on other systems.

Re:Highly amusing! (0)

Anonymous Coward | more than 7 years ago | (#18648097)

What's a pice?

cmdrdildo (-1, Troll)

Anonymous Coward | more than 7 years ago | (#18647319)

fuck cmdrdildo. he's a fucking retard and a liar and is out of the times. how useless except for as a complete and total dildo.

Re:cmdrdildo (1, Informative)

dreamchaser (49529) | more than 7 years ago | (#18647561)

Ballmer, we told you before not to post here as an AC. Now you're late picking up Bill's dry cleaning, so stop dicking around and get back to work!

Didn't we see this before... (2, Informative)

NecroPuppy (222648) | more than 7 years ago | (#18647337)

With that OS protected space in Windows ME?

I clearly remember being called to help a friend with a spyware/malware problem, discovering he had ME, and going out to buy a copy of XP to replace it.

Re:Didn't we see this before... (5, Funny)

FutureDomain (1073116) | more than 7 years ago | (#18648019)

I clearly remember being called to help a friend with a spyware/malware problem, discovering he had ME, and going out to buy a copy of XP to replace it.
Well, it looks like you might be doing it again. Helping a friend with a malware problem, finding out that he has Vista, and buying a copy of XP to replace it.

User competence (1, Insightful)

Anonymous Coward | more than 7 years ago | (#18648277)

I have been using ME for years without ANY problems with spyware or malware. Zip.
I still use ME for one and only one purpose, to play World Of Warcraft (incidentally WoW officially does not support ME, but it runs great). For all other things I use my linux box (and I use THAT competently as well).

Why am I not infected? Simple: I am a very competent user. I know how to configure my router and my system properly, and I know how to avoid doing the sorts of things that get a system compromised. ME was one of Microsoft's weakest releases...but when used intelligently it is quite solid and safe.

The problem is that Microsoft is trying to make the OS protect its users from their own incompetence. It is a noble idea, but it is doomed to failure. No matter how secure they make it, their users will fall victim to the socially-engineered exploits of malicious developers every time. Furthermore, the attempts made to protect the user from this will actually make it harder to fix the system after it has been compromised, and will make it harder for competent administrators to do their job.

Microsoft winds up with the worst of both worlds.

Computers are not like cars. The complexity that they represent cannot be neatly tucked away under the hood. I know that people would prefer to avoid dealing with this complexity (it is tedious and uninteresting to most people, and I sympathize), however, the reality of the situation is that computers are and will remain complicated. Those who don't learn the details are and will always remain a danger to themselves and to everyone on the net, despite Microsoft's best efforts.

Source code (0)

iamacat (583406) | more than 7 years ago | (#18647363)

The guy is a low life for not releasing the source code. We need administration tools to manage our own systems, and yes Symantec would be one company with legitimate use of this functionality.

Re:Source code (2, Funny)

Original Replica (908688) | more than 7 years ago | (#18647483)

yes, it would make a nice tool for you to administer your systems. or for anyone out there to "administer" for you.

Re:Source code (1, Insightful)

Anonymous Coward | more than 7 years ago | (#18647583)

It's 7K, command line, and does only one job. Anyone could reverse this in their sleep.

Re:Source code (4, Informative)

eddy (18759) | more than 7 years ago | (#18647883)

Seems to contain a compressed buffer with a .sys driver that is decompressed with a call to RtlDecompressBuffer and hidden away by writing it to the alternate stream "%SystemRoot%\system32\drivers\crusoe.sys:drmkaud.sys", and then there's a registry update to load the driver.

Someone who cares should write out the compressed buffer and disassemble that.
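The two artefacts eddy describes above, a driver body parked in an NTFS alternate data stream under the drivers directory and a service entry that loads it from there, are both things a defender can enumerate. The following audit script is an added example written for this page; it is not code from the thread or from Ionescu's tool. It assumes PowerShell 3.0 or later (for `Get-Item -Stream` and `Get-ChildItem -File`) and an elevated session so that the drivers directory and HKLM\SYSTEM are fully readable; the path normalisation rules and the output column names are this example's own choices.

```powershell
# Added example, not code from the Slashdot thread or from Ionescu's tool.
# Audits for a driver hidden in an NTFS alternate data stream under the
# drivers directory and for a service entry whose ImagePath points into a
# stream. Assumes PowerShell 3.0+ and an elevated session (assumption).

function Get-DriverAlternateStreams {
    param([string]$DriverDir = (Join-Path $env:SystemRoot 'System32\drivers'))

    # Every file has the unnamed ::$DATA stream; any other named stream on a
    # driver file is unexpected and worth a closer look.
    Get-ChildItem -Path $DriverDir -File -ErrorAction SilentlyContinue |
        ForEach-Object { Get-Item -Path $_.FullName -Stream * -ErrorAction SilentlyContinue } |
        Where-Object { $_.Stream -ne ':$DATA' } |
        Select-Object FileName, Stream, Length
}

function Get-ServicesWithStreamImagePath {
    $servicesKey = 'HKLM:\SYSTEM\CurrentControlSet\Services'

    Get-ChildItem -Path $servicesKey -ErrorAction SilentlyContinue | ForEach-Object {
        $props = Get-ItemProperty -Path $_.PSPath -ErrorAction SilentlyContinue
        if (-not $props.ImagePath) { return }

        # Normalise the path: drop quotes, the \??\ NT prefix and a drive
        # letter, so that a colon left in the last path component is a stream
        # separator (file.sys:stream). Command-line arguments that happen to
        # contain a colon would also match; treat hits as leads, not verdicts.
        $path = $props.ImagePath -replace '"', ''
        $path = $path -replace '^\\\?\?\\', ''
        $path = $path -replace '^[A-Za-z]:', ''
        $leaf = ($path -split '[\\/]')[-1]
        if ($leaf -match ':') {
            [pscustomobject]@{
                Service   = $_.PSChildName
                Type      = $props.Type     # 1 = SERVICE_KERNEL_DRIVER, 2 = file system driver
                Start     = $props.Start    # 0 boot, 1 system, 2 auto, 3 demand, 4 disabled
                ImagePath = $props.ImagePath
            }
        }
    }
}

Get-DriverAlternateStreams      | Format-Table -AutoSize
Get-ServicesWithStreamImagePath | Format-Table -AutoSize
```

On a clean system both tables come back empty. A hit in the first table identifies the host file and the stream name to inspect (`Get-Content -Path <file> -Stream <name>` reads it); a hit in the second with `Type` 1 or 2 is a kernel-mode driver being loaded from a stream, which is the pattern eddy observed.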

wtf moron? (0)

Anonymous Coward | more than 7 years ago | (#18647605)

learn to write code yourself instead of attacking people, retarded fsck.

Re:Source code (4, Insightful)

cyphercell (843398) | more than 7 years ago | (#18647635)

no one is a low life for holding on to their code. this guy just cracked one of the strongest features of Vista. A system that took five years and a billion dollars to produce. About two months after public release and this guy has broken the "heightened security" wide open. If Symantec wants the code they should pay for it or figure it out themselves. Symantec doesn't give me anything for free. If you're using Vista, then you're an early adopter and need to deal with that, just thank this "low life" for providing you with a binary tool you can use if you get into trouble.

Re:Source code (1)

iamacat (583406) | more than 7 years ago | (#18648519)

True if it's actually your own code. If you find a security flaw in a widely owned product written by others, it's good net citizenship to explain it to said owners so that they can (hire others to) protect against it and make use of any implications that are in their favor. As it is, he is displaying a typical 1337 attitude. "Hahaha, I know how to compromise your system, but I am not going to tell you!".

Disassemble it (2, Insightful)

eddy (18759) | more than 7 years ago | (#18647735)

Considering the executable is just about 6K and doesn't seem protected/compressed, reversing it ought to be fairly trivial. Try the demo version of IDA [datarescue.be].

DRM in Vista is misunderstood (1, Insightful)

MarkByers (770551) | more than 7 years ago | (#18647371)

> Not only threatening Vista DRM and friends

The DRM in Vista is not intended to lock down your computer so that evil companies can control what you watch. This is impossible to do without a TPM chip. Microsoft knows this.

The addition of DRM in Vista allows you to play DRM-encrypted files on your computer. Without this feature, you would not be able to play DRM'd songs. Now at least you have the choice.

'Cracking' DRM is on about the same level as downloading illegal copies online. Useful in some cases (such as when you bought a DRM'd song by mistake and wish to play it on your MP3 player/iPod), but still illegal (in the US at least).

Now mod me down, Vista bashers!

Re:DRM in Vista is misunderstood (4, Insightful)

jomas1 (696853) | more than 7 years ago | (#18647433)

The addition of DRM in Vista allows you to play DRM-encrypted files on your computer. Without this feature, you would not be able to play DRM'd songs. Now at least you have the choice.
You can't possibly mean what you just wrote. Vista's DRM is needed to play DRM-encrypted files? Why can XP and Windows 2000 play encrypted files?

You're joking, right? (2, Informative)

MarkByers (770551) | more than 7 years ago | (#18647837)

> Why can XP and Windows 2000 play encrypted files?

The ability to play some DRM'd files was also added to XP and Windows 2000. I assume you already knew that though...

Re:You're joking, right? (2, Insightful)

jomas1 (696853) | more than 7 years ago | (#18648073)

> Why can XP and Windows 2000 play encrypted files?

The ability to play some DRM'd files was also added to XP and Windows 2000. I assume you already knew that though...
Ok so your original quote that suggested Vista's DRM, which is clearly different when compared to XP's and 2000's DRM mechanisms, is somehow a good thing was wrong? Or were you trying to say that some type of DRM is necessary? If the latter, then I don't know yet if I disagree. I can't however understand why you would criticize Ionescu for enlightening us to the flaws in Vista's security/DRM strategy. Ionescu did not make Vista any less secure than it was a week ago. He's simply let some of us know that Vista is really not ready for the mainstream market. Who knows, maybe he's even inspired Redmond to get Vista SP1 out the door earlier.

I still use Windows 2000 from time to time and don't yet see what advantages Vista has but I'll give the OS some time to mature.

Re:You're joking, right? (1)

Razed By TV (730353) | more than 7 years ago | (#18648199)

I'm going to go out on a limb here, but I think GP's point was that we can already play drm files on WIN XP/2000. What functionality does vista add to that? We already had the ability to play DRM'd files. It's not like this is some new vista-only technology, so why pass it off like Vista is the only way to play files with DRM? Yes, vista can play DRM files. Also, the sun rises in the morning.

Was there a different point you were trying to make, perhaps relating to content providers and some sort of Vista only DRM?

Re:DRM in Vista is misunderstood (1)

CFrankBernard (605994) | more than 7 years ago | (#18648215)

And why do video download services such as http://www.netflix.com/WatchNow [netflix.com] require Windows XP SP2? What's missing on Windows 2000 and Media Player 9? Do I really need millions of lines of unrelated bloat in XP to play the movie?

Re:DRM in Vista is misunderstood (0)

Anonymous Coward | more than 7 years ago | (#18647461)

The addition of DRM in Vista allows you to play DRM-encrypted files on your computer. Without this feature, you would not be able to play DRM'd songs. Now at least you have the choice.

Is that all?

Apple software allows DRM files to be played on both Windows and OS X. It's part of the application. So why is DRM enabling software a part of the OS again?

Sure dood... (0)

Anonymous Coward | more than 7 years ago | (#18647511)

6 month detention without charge is not intended as totalitarianism. Places like Gitmo exists to give people a choice about freedom and without them we wouldn't have any freedom.


Re:DRM in Vista is misunderstood (1)

SanityInAnarchy (655584) | more than 7 years ago | (#18647681)

Without this feature, you would not be able to play DRM'd songs.

There are plenty of ways to implement DRM, with or without OS support, with or without hardware support. Or you could turn off DRM altogether.

In fact, why doesn't Microsoft do that? They're certainly in more a position to deliver a big "fuck you" to the recording industry than Steve Jobs is.

Re:DRM in Vista is misunderstood (0)

Anonymous Coward | more than 7 years ago | (#18647793)

Just to fill in the blank left by your rhetorical question...

Or you could turn off DRM altogether. In fact, why doesn't Microsoft do that?

The DRM is there to lock users into Microsoft software and file formats. Using the sweet-sell by collusion from the entertainment industry, they hoped to gain complete control of the end-users computing environment.



DRM in Vista is only misunderstood by people like the grandparent who are incapable of basic comprehension or analytical thought.

Re:DRM in Vista is misunderstood (0)

Anonymous Coward | more than 7 years ago | (#18647821)

Because Microsoft has no incentive to placate users. Their internal directive is to make businesses happy, such as the ones who enjoy DRM-ming up music.

this is just an another step (4, Funny)

imbaczek (690596) | more than 7 years ago | (#18647391)

...to start considering Vista as an usable OS.

Wait, wait... (4, Interesting)

kripkenstein (913150) | more than 7 years ago | (#18647405)

A typical process cannot perform operations such as the following on a protected process:
[...]
Access the virtual memory of a protected process

It's been a while since I knew squat about operating system internals, but aren't processes supposed to not be able to access other processes' memory anyhow? I assume, then, that this means that 'protected processes' are special in that they are also protected from any 'supervisor'-type processes, not just run-of-the-mill? In that case, are 'protected processes' meant to protect the kernel from itself, in some sense?

Most likely I am missing the point here, and can't understand TFA accordingly. Somebody please set me straight.

Re:Wait, wait... (4, Informative)

Guilly (136908) | more than 7 years ago | (#18647505)

There are ways, using the windows API, for any process run with Debugger privileges (any Administrator really) to read,write,terminate,create threads, etc in any other process. This was true in Windows 95 and still is in XP and probably Vista, except for protected processes.

It's not like they can just create a pointer and address the other memory space but using the API they can achieve the same thing.

This is what allows programs like xfire to inject into your game process or (as they mention in TFA) allows Warden to peek inside all processes to see if they are evil.
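The capability Guilly describes, a process with the debug privilege opening any other (non-protected) process for reading, writing or thread creation, is gated by a user right, SeDebugPrivilege, that local security policy grants to specific accounts (Administrators by default). Knowing who holds it on a given machine is the first thing to check when deciding how much the "gatekeeper" is actually gating. The script below is an added example for this page, not code from the thread; it assumes an elevated PowerShell session, since `secedit.exe /export` needs administrative rights, and the function names and output fields are this example's own.

```powershell
# Added example, not code from the Slashdot thread. Lists the accounts granted
# SeDebugPrivilege by local security policy, and whether the current token
# holds it. Assumes an elevated session (assumption) and secedit.exe, which
# ships with every supported Windows SKU.

function Get-DebugPrivilegeHolders {
    $cfg = Join-Path $env:TEMP ('secpol_{0}.inf' -f [guid]::NewGuid())
    try {
        # Export local security policy; its [Privilege Rights] section lists
        # each user right with the SIDs (prefixed '*') that hold it.
        $null = & secedit.exe /export /cfg $cfg /quiet
        if (-not (Test-Path -Path $cfg)) {
            throw 'secedit export failed; run this from an elevated prompt.'
        }

        $line = Get-Content -Path $cfg | Where-Object { $_ -match '^SeDebugPrivilege\s*=' }
        if (-not $line) { return @() }   # nobody holds the right (unusual but valid)

        $line.Split('=')[1].Split(',') | ForEach-Object {
            $entry = $_.Trim()
            if ($entry.StartsWith('*')) {
                $sid = New-Object System.Security.Principal.SecurityIdentifier($entry.Substring(1))
                try   { $name = $sid.Translate([System.Security.Principal.NTAccount]).Value }
                catch { $name = '<unresolved SID>' }
                [pscustomobject]@{ Sid = $sid.Value; Account = $name }
            } else {
                # secedit occasionally writes a plain account name instead of a SID
                [pscustomobject]@{ Sid = $null; Account = $entry }
            }
        }
    } finally {
        Remove-Item -Path $cfg -ErrorAction SilentlyContinue
    }
}

function Get-CurrentTokenDebugPrivilege {
    # whoami /priv prints one row per privilege in the token with its state
    # (Enabled/Disabled); a privilege absent from the list is not held at all.
    $row = (& whoami.exe /priv) | Where-Object { $_ -match '^SeDebugPrivilege\s' }
    if ($row) { $row.Trim() } else { 'SeDebugPrivilege: not present in current token' }
}

Get-DebugPrivilegeHolders | Format-Table -AutoSize
Get-CurrentTokenDebugPrivilege
```

The expected baseline is a single holder, BUILTIN\Administrators (S-1-5-32-544). Extra entries, particularly service or ordinary user accounts, widen the set of principals that can reach into every non-protected process, which is exactly the reach the thread is discussing; note that even an administrator's token usually shows the privilege as Disabled until a program enables it, so the second function reports the state as well as the presence.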

Re:Wait, wait... (1)

kripkenstein (913150) | more than 7 years ago | (#18647621)

There are ways, using the windows API, for any process run with Debugger privileges (any Administrator really) to read,write,terminate,create threads, etc in any other process. This was true in Windows 95 and still is in XP and probably Vista, except for protected processes.

Interesting.

This seems very non-secure to me. Any idea if this is standard on other OSes than Windows?

Re:Wait, wait... (2, Insightful)

Anonymous Coward | more than 7 years ago | (#18647775)

root can read and write kernel and process memory under Linux. (Via /dev/kmem and /proc//mem.)

Re:Wait, wait... (0)

misleb (129952) | more than 7 years ago | (#18647713)

So basically this whole "protected processes" thing is just a hack to fix their original poor/insecure design? Imagine that. I seriously think Microsoft should just scrap Win32 and start from scratch (or adopt something that is known to be relatively secure and stable). Win32 blows.

-matthew

Re:Wait, wait... (1)

init100 (915886) | more than 7 years ago | (#18647901)

So basically this whole "protected processes" thing is just a hack to fix their original poor/insecure design?

If the ability for the admin to manipulate the memory of any process is a poor/insecure design, then most operating systems I know of are poorly designed and insecure. Do you want processes on your computer that you cannot manipulate, and that only obey Microsoft?

Re:Wait, wait... (1)

lord_sarpedon (917201) | more than 7 years ago | (#18648793)

Yes. Thank heavens they patched away "debugging." Nothing but a plague upon mankind... If you're going to hate on MS, get your facts straight.

Re:Wait, wait... (0)

Anonymous Coward | more than 7 years ago | (#18647535)

Even without reference to the hack in question, if you have permissions to open another process's memory, then there is a straightforward way of doing this.

Re:Wait, wait... (2, Interesting)

randyflood (183756) | more than 7 years ago | (#18647629)

I could be wrong, but I think Windows (2000, XP) generally allows processes running under the same user to look at each other's memory and such. This is useful when you want to debug a program or whatever. It's generally designed to protect users from each other, rather than protect users from themselves.

How do you think trainers work? (1)

SmallFurryCreature (593017) | more than 7 years ago | (#18647833)

What is not supposed to happen in "normal" circumstances, is that one process "accidentally" accesses a part of memory not assigned to it. However plenty of programs work by doing this on purpose and as long as they behave, there is nothing wrong with it. It just so happens that trainers are a common example.

However typically with trainers, the user level is the same. There is no real problem with a trainer I run, modifying the memory of a program I am also running. It becomes more of a problem if user levels are not accepted (should I be able to read the memory of a program belonging to another user?).

In the Vista/DRM case the problem is even more severe because there even processes belonging to you should still not be accessible to you. Why not? Well, because you are nasty mean piraty who steal the living from hard working people, you commie!

But no, traditionally OSes do NOT protect process memory against deliberate snooping.

Re:Wait, wait... (0)

Anonymous Coward | more than 7 years ago | (#18647943)

sit. good boy! shake. good boy! now, don't be gay! don't be gay, sparky! don't be gay!

well, hope that sets you straight...

Re:Wait, wait... (0)

Anonymous Coward | more than 7 years ago | (#18648499)

It's not that it should be impossible to share memory - the idea is more that a program can't accidentally clobber another program, and can't do it without the OS's permission. Windows has APIs that allow processes to access other memory belonging to other processes, but it acts as a gate keeper.

Wow. (0)

Anonymous Coward | more than 7 years ago | (#18647427)

I thought vista was insecure because they rushed to bring it to market prematurely.

Looks like I'm completely wrong - It's flawed to the core and will NEVER be secure.

Not in 2 years, or 3, or 4, or even 5... but we'll have XP sp3 by then, so no worries.

THE 64,000 QUESTION - WHO WILL STEP UP? Now taking bets and holding cash for fools.

Ever since DOS (4, Insightful)

Original Replica (908688) | more than 7 years ago | (#18647443)

I miss the days when I gave my computer commands not suggestions. This whole "protected area" stuff just pisses me off.

Re:Ever since DOS (2, Insightful)

Anonymous Coward | more than 7 years ago | (#18647585)

You should try this new Linux thing out!

It's awesome. I type commands, it obeys them. It never patronises me. The security works FOR me, not against me.

Now THAT is user-friendliness.

Re:Ever since DOS (5, Funny)

Anonymous Coward | more than 7 years ago | (#18647743)

I miss the days when I gave my computer commands not suggestions.

You are becoming nostalgic, Deny or Allow?

It's really Melinda's fault (5, Funny)

ColdWetDog (752185) | more than 7 years ago | (#18647791)

What you're missing is the higher social value of interacting with your computer on a more equal basis. Just like women, computers are complex, pretty, expensive and inscrutable. Just like women, they are best handled with suggestions, not commands.

So get off your old, tired, 20th Century horse and get with the new paradigm.

Just a suggestion of course.

biting the hand that feeds you (5, Funny)

kv9 (697238) | more than 7 years ago | (#18647455)

He [Alex Ionescu] is also a Microsoft Student Ambassador and is representing the company on campus as a Technical Rep.

not for long, I bet.

Re:biting the hand that feeds you (0)

Anonymous Coward | more than 7 years ago | (#18647761)

I'll bet a promotion is in his future.

Being able to duct-tape the Windows Kernel requires skill at this point. Let alone what he does.

Paul Graham confirms it (0)

Anonymous Coward | more than 7 years ago | (#18647497)

Microsoft is dying

New Meaning for "Genuine Advantage" (2, Funny)

BoRegardless (721219) | more than 7 years ago | (#18647675)

Genuine Advantage seems to now benefit the bastards too.

possible silver lining (3, Interesting)

Trailer Trash (60756) | more than 7 years ago | (#18647689)

Could this technology be used to make a file copy command for Vista that isn't dog slow? Just wondering...

No reason to run Vista (1, Troll)

JackMeyhoff (1070484) | more than 7 years ago | (#18647697)

Outside of being forced to use it at work, at home it brings nothing of VALUE.

Re:No reason to run Vista (0)

misleb (129952) | more than 7 years ago | (#18647749)

Man, I love being on the IT side of things. I can run whatever I want. God help me if I ever take a job where the company I work for can actually dictate what I run on my desktop.

Re:No reason to run Vista (0)

Anonymous Coward | more than 7 years ago | (#18648027)

I work for Microsoft; while we target Vista for our "client" side applications (and Longhorn for our server side) I personally prefer to use 2003 or XP 64 (I'm a 2000 fan also). I have Vista on a machine and it's a stinky piece of shit, and even while I can use it for FREE and buy it at employee pricing, I steer friends and family away from it.

Surprising really? (3, Funny)

loconet (415875) | more than 7 years ago | (#18647705)

If you build a house out of hardened excrements, it is still a house built out of shit even if you paint it pink.

Again? (2, Interesting)

Proudrooster (580120) | more than 7 years ago | (#18647751)

VISTA hacked again? In about three years I predict this OS will actually be usable due to helper apps which allow end users to use the computer as they see fit, instead of how MS and friends think you should use it. DRM is such a waste of human resources, but I guess this is the game we have to play.

Bill Gates wants more cheap labor [infoworld.com] to waste on useless software [theinquirer.net]. What a waste of human intellect and talent. How about making the computer RUN faster, be more intuitive, and reliable?

Re:Again? (1)

ConceptJunkie (24823) | more than 7 years ago | (#18648123)

Bill Gates and company have successfully created the software version of Soviet Russia, where software runs you. I've always complained that Microsoft never understood that the software should work for you, not you work for it, and Vista seems like a step _further_ in the direction of making the user do work.

Of course, I guess that's better than something like Word, where it takes 3 times as long to get anything done as it should because of all the unpredictable and illogical "helpful" stuff that the program keeps doing for you.

I miss the old days when software was a tool rather than a shackle. Oh wait, no I don't, there's always Linux.

Good, now MS cant dictate software advantage (3, Insightful)

plasmacutter (901737) | more than 7 years ago | (#18647767)

All DRM issues aside, I'm surprised nobody has brought up new antitrust charges, especially in Europe, for this idea that Microsoft is allowed to deny a company the ability to use process protection.

By doing that they give incumbents an advantage over others and are using their OS to expand monopoly interests into other sectors.

Good idea, bad implementation. (5, Insightful)

Animats (122034) | more than 7 years ago | (#18647773)

"Protected processes" are a reasonable idea. They're certainly better than putting video and audio processing in the kernel as part of the DRM system. But apparently Microsoft botched the implementation.

Microsoft has for some years allowed processes to do too much to other processes. Things like "injecting" a DLL or thread into a running process from the outside, or "hooking" system calls, are inherently security problems. In the Windows world, normal processes can do that to each other. This tends to be overdone, with too much "hooking" of system calls and such, a tradition from the DOS era. The UNIX/Linux world doesn't have that tradition. Fortunately.

In the Linux world, the things you can't do to a Microsoft "protected process" are roughly equivalent to the functions of the PTRACE [linuxgazette.net] call. In SELinux, the mandatory security system controls which processes can use PTRACE on which other processes. [12.110.110.204] So SELinux already has "protected processes", but with a better security model.

If we have to have DRM, protected processes aren't a bad idea. But what you want is for them to be compartmented, not privileged. They should be running in a compartment which prevents other processes from attaching to them, but they don't need the privilege of attaching to other processes. So the video decoder can be protected, but doesn't have enough privileges to act as an aimbot for some game. The security system for a game should be able to lock the game processes into a compartment which other processes cannot enter, preventing cheats. Enforce separation, not privilege.

Re:Good idea, bad implementation. (1)

plasmacutter (901737) | more than 7 years ago | (#18647957)

"Protected processes" are a reasonable idea. They're certainly better than putting video and audio processing in the kernel as part of the DRM system. But apparently Microsoft botched the implementation.

You're kidding, right? Securing the computer's processes against its own owner without any option for override is reasonable?
How about I do that to your house, and make you pay me rent on top of your mortgage for the "right" to use those extra bedrooms, kitchen cabinets, and garage space?

Microsoft has for some years allowed processes to do too much to other processes. Things like "injecting" a DLL or thread into a running process from the outside, or "hooking" system calls, are inherently security problems. In the Windows world, normal processes can do that to each other. This tends to be overdone, with too much "hooking" of system calls and such, a tradition from the DOS era. The UNIX/Linux world doesn't have that tradition. Fortunately.

No, debugging is not a "security" problem, and debugging is present in Unix and Linux. Protected processes are designed specifically to lock out debuggers, and also to prevent non-incumbent vendors' software from interacting or competing with whoever Microsoft arbitrarily designates as the incumbents.

Re:Good idea, bad implementation. (0)

Anonymous Coward | more than 7 years ago | (#18648253)

So the video decoder^W^W user can be protected, but doesn't have enough privileges to act as^W^W run an aimbot for some game

Fixed that for you.

I think the comment a few threads up ("Gee, I remember when I gave my computer commands, not suggestions,") says it all. What makes you think the authority to run an aimbot belongs in the hands of anyone except the owner of the computer? What makes you think that a trusted authority will behave any more responsibly than I would?

What the heck? Windows processes are WEIRD (2, Insightful)

Anonymous Coward | more than 7 years ago | (#18647841)

http://www.microsoft.com/whdc/system/vista/process_Vista.mspx [microsoft.com]

Protected processes have additional security restrictions, but apparently in vista, they are strange beasts. Parent processes can always obtain a handle to a child process. So, you can't have a child process become a true daemon?

Processes can "inject threads" into other processes? Buhuh?

Here's apparently more of what processes can't do to protected processes in Windows:

Inject a thread into a protected process
Access the virtual memory of a protected process
Debug an active protected process
Duplicate a handle from a protected process
Change the quota or working set of a protected process

So yer telling me, normal processes can do this to other normal processes in windows?

Irrespective of any kind of access restrictions on Linux, process memory space is a lot more sacrosanct. To even get the same level of process separation would apparently require the setting of a lot of ACLs in Windows, if it can be done at all.

The footnote at the end is the best though!

"Do not attempt to circumvent this restriction by installing a kernel-mode component to access the memory of a protected process because the system and third-party applications may rely on the fact that protected processes are signed code that is run in a contained environment. "

Please play nice with our restriction scheme!

I bet this is what our enterprising hacker has done.

Before MS sics their lawyers on me, the above quotes were used for the purposes of review.

This is how it's done (5, Informative)

Anonymous Coward | more than 7 years ago | (#18647847)

The tool needs to be run with elevated privileges (otherwise it will not work). It decompresses an 848-byte driver and loads the driver. The driver does nothing but set bit 11 (ProtectedProcess) of the Flags2 bitfield (offset 0x224) of the corresponding _EPROCESS structure of the process to be modified. However, this requires the necessary rights to load and install a driver... and as we all know, once being in kernel mode there's no real protection against malicious code...
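An added example, not Microsoft's code and not Ionescu's tool: a user-mode C model of the mechanism the comment above describes and of the restriction list quoted from the WHDC page a few comments up. It also makes Animats' "compartmented, not privileged" point concrete, because a protected caller in this model can open other protected processes with full rights. Assumptions, labelled in the code: the access-right constants are the standard winnt.h values reproduced so the file builds without the Windows SDK; the set of rights a normal caller keeps on a protected target is modelled from the quoted list (everything on it is stripped, terminate/suspend/limited-query survive); the _EPROCESS layout is a toy in which only the Flags2 offset (0x224) and bit number (11) come from the thread, and that offset is specific to the 32-bit Vista build the comment refers to. The point it demonstrates is that the protection is one kernel-owned bit that never consults who the caller is, and that anyone who can run kernel code can write that bit in both directions.

```c
/* Added example: model of the ProtectedProcess bit as an access gate,
 * and of the single kernel-mode write that flips it.  Not Windows code. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Process access rights, values assumed to match winnt.h. */
#define PROCESS_TERMINATE                 0x0001u
#define PROCESS_CREATE_THREAD             0x0002u
#define PROCESS_VM_OPERATION              0x0008u
#define PROCESS_VM_READ                   0x0010u
#define PROCESS_VM_WRITE                  0x0020u
#define PROCESS_DUP_HANDLE                0x0040u
#define PROCESS_SET_QUOTA                 0x0100u
#define PROCESS_SET_INFORMATION           0x0200u
#define PROCESS_QUERY_INFORMATION         0x0400u
#define PROCESS_SUSPEND_RESUME            0x0800u
#define PROCESS_QUERY_LIMITED_INFORMATION 0x1000u

/* Modelled assumption: what a normal caller keeps on a protected target.
 * Everything on the quoted list (inject thread, VM access, debug, dup
 * handle, quota/working set) is stripped; these three survive. */
#define ALLOWED_ON_PROTECTED \
    (PROCESS_TERMINATE | PROCESS_SUSPEND_RESUME | PROCESS_QUERY_LIMITED_INFORMATION)

/* Toy _EPROCESS: only the two facts from the comment above are used.
 * 0x224 is the 32-bit Vista offset quoted there; it changes per build. */
#define FLAGS2_OFFSET         0x224
#define PROTECTED_PROCESS_BIT 11u

typedef struct {
    uint8_t  before_flags2[FLAGS2_OFFSET]; /* unrelated fields, modelled as padding */
    uint32_t Flags2;                       /* bit 11 == ProtectedProcess */
} toy_eprocess;

static bool is_protected(const toy_eprocess *p)
{
    return (p->Flags2 >> PROTECTED_PROCESS_BIT) & 1u;
}

/* The whole job of the 848-byte driver, as a raw offset write.  In kernel
 * mode nothing checks who is writing to this word or in which direction. */
static void kernel_write_protected_bit(void *eprocess, bool on)
{
    uint32_t *flags2 = (uint32_t *)((uint8_t *)eprocess + FLAGS2_OFFSET);
    if (on)
        *flags2 |= 1u << PROTECTED_PROCESS_BIT;
    else
        *flags2 &= ~(1u << PROTECTED_PROCESS_BIT);
}

/* Model of the kernel's decision when `caller` opens `target`.  Returns the
 * rights granted.  Deliberately NOT an input: the caller's user or admin
 * status; the bit overrides ownership.  Protected callers are assumed to
 * get everything on protected targets (privilege, not just a compartment). */
static uint32_t grant_access(const toy_eprocess *caller,
                             const toy_eprocess *target, uint32_t requested)
{
    if (!is_protected(target) || is_protected(caller))
        return requested; /* ordinary DACL/debug-privilege rules; assumed to pass */
    return requested & ALLOWED_ON_PROTECTED;
}

/* Build two toy processes with the given flags and open target from caller. */
static uint32_t scenario(bool caller_protected, bool target_protected,
                         uint32_t requested)
{
    toy_eprocess caller, target;
    memset(&caller, 0, sizeof caller);
    memset(&target, 0, sizeof target);
    kernel_write_protected_bit(&caller, caller_protected);
    kernel_write_protected_bit(&target, target_protected);
    return grant_access(&caller, &target, requested);
}

/* The bypass end to end: protect a target, confirm memory reads are gone,
 * clear the bit "from kernel mode", confirm they are back.  True means the
 * bit was the only thing between the caller and the target's memory. */
static bool bypass_round_trip(void)
{
    toy_eprocess caller, target;
    memset(&caller, 0, sizeof caller);
    memset(&target, 0, sizeof target);
    kernel_write_protected_bit(&target, true);
    if (grant_access(&caller, &target, PROCESS_VM_READ) != 0)
        return false;
    kernel_write_protected_bit(&target, false);
    return grant_access(&caller, &target, PROCESS_VM_READ) == PROCESS_VM_READ;
}

int main(void)
{
    uint32_t want = PROCESS_VM_READ | PROCESS_VM_WRITE |
                    PROCESS_CREATE_THREAD | PROCESS_TERMINATE;
    printf("normal    -> normal   : 0x%04x\n", scenario(false, false, want));
    printf("normal    -> protected: 0x%04x\n", scenario(false, true, want));
    printf("protected -> protected: 0x%04x\n", scenario(true, true, want));
    printf("bypass round trip     : %s\n",
           bypass_round_trip() ? "bit was the only gate" : "model mismatch");
    return 0;
}
```

Running it prints 0x0033, 0x0001 and 0x0033 for the three opens: the protected target strips every memory and thread right from a normal caller down to PROCESS_TERMINATE, while a protected caller is not filtered at all. The round trip is the AC's description of the tool: the driver's write changes the outcome of every later open, and the model has no state in which the owner's identity matters.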

Re:This is how it's done (1)

AndrewNeo (979708) | more than 7 years ago | (#18648107)

And here everyone is complaining about UAC, while it's the only thing between you and installing that driver.

The Philosophy of Protection (3, Insightful)

The Living Fractal (162153) | more than 7 years ago | (#18648011)

I think history has shown that no matter how hard you try you cannot create a doorway in software protection and only expect to let those you want get through. The nature of software today is so fluid that it's possible to make your way through the door by imitation, brute force, social engineering, etc. Microsoft does not seem to grok this. Neither do DRM proponents. Information will find a way to get through, around, over and above, and beneath all obstacles.

So what do you do? Well, one thing you don't do is provide special security rights to only certain approved software.

The only true answer is open software and education. People who don't know how to use their computers will be attacked. They will be compromised. If you can't control yourself on the internet and local networks, you will lose the right to control your computer because someone will take it from you. If you run unknown and untrusted programs, you face the risks. Your online habits help determine your exposure. If you absolutely must visit 'free porn', warez, social networks like MySpace, etc websites, then do so with caution tempered by proper education on how to isolate your important, sensitive data, from the rest of the crap you are willing to lose. You are better off simply not visiting sites of that nature. But if you are going to, at least understand how to keep yourself safe. Because no software written today is going to be able to do it for you. There will always be software out there capable of getting around it.

In the end, to the wolves go the slowest, weakest sheep. It's natural. Don't be one of them.

Looks like 32-bit (3, Interesting)

figleaf (672550) | more than 7 years ago | (#18648031)

I would like to see him do this in 64-bit.
32-bit allows unsigned code in kernel mode for legacy reasons, so it's much easier to inject into 32-bit processes.

That man is a cyber ninja. (1)

Unknownk Kadath (1075351) | more than 7 years ago | (#18648109)

Someone give him an internet!

Easy Attack Vector (0)

Anonymous Coward | more than 7 years ago | (#18648311)

Offer a free copy of Windows Vista to anyone who goes to your infected site. Wait that only works for Mac users.