Best secure single running app guard on windows

Question

Hello,

I would like to improve the way how an application is checking that another instance is not already running. Right now we are using named mutexes with checking of running processes.

The goal is to prevent security attacks (as this is security software). My idea right now is that "bulletproof" solution is only to write an driver, that will serve this kind of information and will authenticate client via signed binaries.

Does anyone solved such problem? What are your opinions and recommendations?

Answer 1

First, let me say that there is ultimately no way to protect your process from agents that have administrator or system access. Even if you write a rootkit driver that intercepts all system calls (a difficult and unsafe practice in of itself), there are still ways to use admin access to get in. You have the wrong design if this is a requirement.

If you set up your secure process to run as a service, you can use the Service Control Manager to start it. The SCM will only start one instance, will monitor that it stays up, allow you to define actions to execute if it crashes, and allow you to query the current status. Since this is controlled by the SCM and the service database can only be modified by administrators, an attacking process would not be able to spoof it.

Answer 2

I use a named pipe¹, where the name is derived from the conditions that must be unique:

• Name of the application (this is not the file name of the executable)
• Username of the user who launched the application

If the named pipe creation fails because a pipe with that name already exists, then I know an instance is already running. I use a second lock around this check for thread (process) safety. The named pipe is automatically closed when the application terminates (even if the termination was due to an End Process command).

¹ This may not be the best general option, but in my case I end up sending data on it at a later point in the application lifetime.

Answer 3

I don't think there's a secure way of doing this. No matter what kind of system-unique, or user-unique named object you use - malicious 3rd party software can still use the exact same name and that would prevent your application from starting at all.

If you use the method of checking the currently executing processes, and checking if no executable with the same name is running - you'd run into problems, if the malicious software has the same executable name. If you also check the path, of that executable - then it would be possible to run two copies of your app from different locations.

If you create/delete a file when starting/finishing - that might be tricked as well.

The only thing that comes to my mind is you may be able to achieve the desired effect by putting all the logic of your app into a COM object, and then have a GUI application interact with it through COM interfaces. This would, only ensure, that there is only one COM object - you would be able to run as many GUI clients as you want. Note, that I'm not suggesting this as a bulletproof method - it may have it's own holes (for example - someone could make your GUI client to connect to a 3rd party COM object, by simply editing the registry).

So, the short answer - there is no truly secure way of doing this.

Answer 4

In pseudo code:

numberofapps = 0
for each process in processes
    if path to module file equals path to this module file
        increment numberofapps
if number of apps > 1
    exit

See msdn.microsoft.com/en-us/library/ms682623(VS.85).aspx for details on how to enumerate processes.