Holy anti-feature, batman

I had the opportunity to attend at talk by Mark Russinovich, of Sysinternals fame, during last week’s Trustworthy Computing Conference.  The topic of the talk was about security boundaries in Windows, and more specifically, what is not a security boundary.  The talk was very interesting, and I don’t want to reveal too much here, but there was one part of it that stuck with me and has been bothering me for a little while now.  One of the technologies he addressed was Patchguard, or Kernel Patch Protection, which was introduced in 64-bit Vista and Server 2008.  Patchguard is intended to keep programs from patching, hooking, or otherwise tampering with the internals of the NT kernel.  It does this by periodically taking a checksum of some important structures in the kernel (SSDT, interrupt table, HAL tables, etc) and comparing the current value with the previous one.  Any discrepancy here will indicate that the kernel has been subverted.  If it notices any changes to these structures, it throws an exception which throws a blue screen error.  Sounds good, right?  Sounds like a great new security feature, no more rootkits!  Well, not really.  The truth is, KPP really does nothing to stop malicious code, and in fact, is pretty useless in doing so.  Mark revealed in his talk, that that was never the intention of KPP, but rather, it was conceived as a way to force legitimate developers to stop using these techniques in their own programs.  See, most anti-virus and security products will use some level of system hooking in order to get a good view of activity.  In fact, one of Mark’s very own tools, RegMon, hook’s the SSDT to watch registry activity.  He even wrote a publication about the technique!  The problem with kernel hooking is that it is entirely unsupported and significantly reduces stability.

So here’s what I don’t understand.  Microsoft has recognized that system hooking leads to instability.  They’ve decided that programmers aren’t good enough to extend a kernel function safely without throwing a blue screen exception, so now they’re not going to allow us to hook certain system structures (pfft, allow is a funny thought).  But, instead of actually fixing the gaping holes in their system, they’re going to simply watch for system hooking, and then guarantee that the system will crash, by causing the crash.  Oh yeh, and they are going to blame it on the developer.  It’s like a car company deciding that talking on your cell phone while driving is dangerous, so they’re going to create a system that detects if you’re on the phone and then drives the car off the road for you.  That will show you! 

I just don’t understand this anti-feature.  There are plenty of legitimate reasons for hook these system functions, and it can be done safely.  I know it can because Mark has done it, and I’ve done it.  If you don’t want developers to subvert the kernel, then provide a complete API that we can use to extend and monitor the system, and fix the problems with your system that allows someone to take write-protected virtual memory, map it to physical memory, strip all the restrictions off of it, and send it back patched.  Don’t just come behind perfectly valid code, throw an exception and blame it on us. 

Updated Kernel Debugging

In my last post I explained how to set up kernel debugging with WinDbg and a Virtual PC running Windows XP.  I understand that this is a little outdated now, and there are some people that may be wondering how this can be done if the Virtual PC is running Vista.  The process is nearly identical to the one I outlined in my previous post, with the exception of step two.  In Vista, Microsoft changed the way boot options are defined and replaced the manual editing of a boot.ini file with an application called BCDEdit.exe.  This program can be invoked from the command prompt and you must use it configure your Vista boot for debugging.  Windows Hardware Developer Central has a step-by-step explanation that I am not going to try to reproduce here.  If you are interested, follow this link.

Kernel Debugging: WinDbg and Virtual PC

My new job has me doing a lot of device driver development, which naturally leads to quite a bit kernel debugging and system crashes.  Thankfully, with WinDbg and Virtual PC it is simple to set up kernel debugging for a virtual machine.  Since I am developing for a Windows environment, I am using Virtual PC 2007 and WinDbg.  This process will also work for Virtual PC 2004.  This is all probably possible with VMWare, Virtual Box, or any other virtual machine program out there, I am just not sure of the steps.  The following steps are all you need to get debugging, assuming that you have a Windows virtual machine already set up:

Step 1:  Edit the settings of you virtual machine to use a named pipe for a COM port  

Edit
Settings
COM1 
Named pipe:
Add: \\.\pipe\vpcdebug

Step 2:  Edit boot.ini file on the virtual machine.

Right-click on My Computer
Properties
Settings
Edit start-up file manually:

Add: /DEBUG /DEBUGPORT = COM1 /BAUDRATE=115200
I like to add a second line here instead. Copy the last line, and append it with the above line:
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
/DEBUG /DEBUGPORT=COM1 /BAUDRATE=115200

This will give you two different boot options, one for debugging and the other for normal use.

Step 3: Set up WinDbg for remote debugging over COM1.
This can be done through the File -> Kernel Debug menu, but I prefer to make a shortcut so I can have multiple different types of debugging environments.

Create a shortcut that points to WinDbg.exe and add the the necessary command-line arguments. Your shortcut target should look something like this:
"C:\Program Files\Debugging Tools for Windows\windbg.exe" -k com:pipe,port=\\.\pipe\vpcdebug,resets=10

 This is all you need to do to set up kernel debugging.  Be sure to start the VM before WinDbg so that it has a chance to create the named pipe.  Also, make sure you download the correct symbols for your environment.  For example:

SRV*c:\websymbols* http://msdl.microsoft.com/download/symbols

Debugging Tools for Windows
Virtual PC 2007