tags:

views:

69

answers:

2
Q: 

Developing a kernel patch or driver for windows?

How long, approximately, would it take to develop a kernel patch or driver for the windows NT kernel/series of kernels, that would introduce new functionality, or replace existing functionality?

For example, to add in a different encryption algorithm, or to implement some sort of new security model.

What are the advantages/disadvantages between actually writing a kernel patch, and a driver?

Can a driver be theoretically bypassed, in a way a kernel patch cannot?

I understand the windows kernel is proprietary and it is hard to write a kernel patch for it, but this is exactly what several companies, notably AV companies do, without cooperation from Microsoft, so it is possible...

+5  A: 

A different encryption algorithm

This is done by extending the encryption provider. There is a framework where you can do that.

new security model

What new security model?

  • If you want more specific control over one application, you build a sandbox.
  • If you want more specific control over an OS, you put the OS into a virtual machine.
  • If you have something completely new, you have to write a new kernel. Right management is really a broad topic, where you have to touch every entry point to get your solution to work.

Can a driver be theoretically bypassed, in a way a kernel patch cannot?

No and yes ... How do you think a driver changes a security model?

but this is exactly what several companies, notably AV companies do.

No, they don't. They have a kernel driver, which hooks into the right functions. Most AV software hooks the ReadFile/WriteFile/CreateFile APIs, in which they check for 'malicious code-sequences'. This is not a security model. Its just a binary 'May access/may not access' check.

Christopher  2010-08-09 11:19:04
+1 for Most AV software hooks the ReadFile/WriteFile/CreateFile APIs.
x86shadow  2010-08-09 11:24:41
Your answer is full of a lot of incorrect info, and does not address the question asked. Read up on KPP, and why it was such an issue.
Jacob  2010-08-10 05:52:04
Cleaned the 'wrong' bits. But i don't see, that the information is so wrong when you see the question. To repeat the thing to take away 'You cannot easily add a new security model'.
Christopher  2010-08-10 10:58:08
If he wants to add a new security model, i.e. not ACL based, something like GRSecurity, then surely the only way to do that is with kernel patching, and not with drivers? If KPP is a problem, he would probably have to get permission from microsoft somnehow.....
Jacob  2010-08-11 21:05:11
A: 

Well, Christopher is wrong above...Kernel Patches are used quite a lot in Windows land.

Just to quote from the wiki: wikipedia.org/wiki/Kernel_Patch_Protection

"Since patching the kernel is technically permitted in x86 editions of Windows, several antivirus software developers use kernel patching to implement antivirus and other security services. This kind of antivirus software will not work on computers running x64 editions of Windows. Because of this, Kernel Patch Protection has been criticized for forcing antivirus makers to redesign their software without using kernel patching techniques."

ACL's are far from state of the art, something like RBAC is far more functional.

Anyway, I think a kernel patch is a better solution, as there wont be performance overhead when you switch from usermode, and you can provide additional system calls and functionality nativley.

Jacob  2010-08-10 05:51:04
You are right int that, some software used to patch the kernel function tables, or patched some functions directly. As you can see in that article you posted, this was always unsupported and does not work in windows x64. More, it was always very discouraged, because changes in the functions, that you wanted to patch, could lead to enormous problems. Many patches introduced instabilities into the kernel. So why do you want to change a function which is neither documented nor guaranteed to 'not change' between security patches?
Christopher  2010-08-10 10:52:33
Because a kernel patch is probably the only way to extend the windows security model beyond an ACL? If you want to add in RBAC for example, doing it via drivers just seems sloppy. Agreed that kernel patching is not the best solution practically, but it is technically...
Jacob  2010-08-11 21:07:18

related questions

Verifying files for testing
How do you create your own moniker (URL Protocol) on Windows systems?
Windows Equivalent of 'nice'
Is this a good way to determine OS Architecture?
Dual vs. Quadcore on a Webserver
Is there a WMI Redistributable Package?
PHP Error - Uploading a file
Ruby On Rails with Windows Vista - Best Setup?
OpenVPN Config file to prevent timeout
How can I create Debian install packages in Windows for a Visual Studio project?
How do I configure and communicate with a serial port?
What's the best setup for Mono development on Windows?
Appropriate pagefile size for SQL Server
XML Editing/Viewing Software
Linux shell equivalent on IIS
What is a better file copy alternative than the Windows default?
Windows Help files - what are the options?
Heap corruption under Win32; how to locate?
Best way to access Exchange using PHP?
Get a preview jpeg of a pdf on windows?
WinForms ComboBox data binding gotcha
How do you schedule tasks in Windows?
Register Windows program with the mailto protocol programmatically
Embedding Windows Media Player for all Browsers
Best Subversion clients for Windows Vista (64bit)