commercial antivirus/malware programs

c++ / delphi package - dll injection and api hooking
uall
Posts: 254
Joined: Sun Feb 20, 2005 1:24 pm

commercial antivirus/malware programs

Post by uall »

Hi madshi,
Yesterday I found a commercial anti-malware program which uses your hooking library. After some research (debugging etc.) I found so many bugs in it, and now I am writing an article for rootkit.com on why user mode code hooking is so bad for security programs (with this program as the example).

Why do you still support security programs which are using user mode code hooking? You know how to bypass them easily.

I can understand if you want to make money with this hook unit, but lots of people who are using these anti-malware programs think they are good, but they aren't.

Your hook units are easy to use for everyone. You don't need to be an expert when using them. And I cried when debugging the 'security module' because it has so many bugs in it.

Can't you add a note that your library shouldn't be used for security programs?

What do you think about it and what do the other users here think?
iconic
Site Admin
Posts: 1065
Joined: Wed Jun 08, 2005 5:08 am

Hello Uall

Post by iconic »

Hi Uall,
What do you think about it and what do the other users here think?
No usermode security program should be taken seriously, once you've done systems level programming you realize just how easy it is to bypass usermode security mechanisms that people attempt to enforce. Take writing a packet filtering system for example... why use a flimsy usermode LSP when you can use a TDI driver which allows for more powerful and faster filtering, why use TDI when you can use NDIS which receives the data before tcpip.sys has a chance to look at it and is at the lowest possible level. The lower-level you are the better because you see things first and you have much more control/power. Common sense really.

Here's a question for you Uall, if you were/are so against usermode hooking of API why write your own hooking unit? Madshi does a wonderful job and his package is simply outstanding for usermode developers looking to do things that could not be done without such a concept of hooking. Also as you mentioned the simplicity of mch is a strong selling point for a fairly complex concept. People soak up packages that are easy to use and Mathias clearly and undeniably provides this. So I do agree with you about ring-3 being shit for security but I would not ask Madshi to make people aware of such things because that is not his responsibility and in the end, the user must be wise enough to implement security at the lowest possible level.

--Iconic
madshi
Site Admin
Posts: 10764
Joined: Sun Mar 21, 2004 5:25 pm

Re: commercial antivirus/malware programs

Post by madshi »

uall wrote: Yesterday I found a commercial anti-malware program which uses your hooking library. After some research (debugging etc.) I found so many bugs in it, and now I am writing an article for rootkit.com on why user mode code hooking is so bad for security programs (with this program as the example).
What is your preferred way to write security programs? Are you aware that kernel mode hooking is no longer allowed in 64bit Vista?
uall wrote:Why do you still support security programs which are using user mode code hooking? You know how to bypass them easily.
There are multiple reasons why user mode hooking makes sense:

(1) Some things might be impossible to catch in kernel land.
(2) Kernel mode hooking is prohibited in 64bit Vista.

About (1) : Some API calls are not even passed down to kernel land, but are mostly or completely handled in user land. You simply cannot hook such API calls in kernel land. So you have no other choice than to use user mode hooking.
uall wrote: I can understand if you want to make money with this hook unit, but lots of people who are using these anti-malware programs think they are good, but they aren't.
I'm just the developer of a general purpose hooking library. It's not my task to decide for which purpose my customers are using my library - as long as what they're doing is legal.

There may be customers of mine which are doing a bad job with their software. But should I stop offering my library because of that? Or should I ban security companies from using my library because of that? That sounds like a strange conclusion to me.
uall wrote: Can't you add a note that your library shouldn't be used for security programs?
I see no sense in that. A good security company will know better than I do whether it makes sense to use user mode hooking in their software. In most cases I don't even know what my customers are doing in their software in detail. I have no control over that. And I'm not in the position to say that developing security software by using madCodeHook is generally a bad idea. I don't think so. Of course a good security product should go as low as possible. That often means kernel land. But there are situations where this is simply not possible. See above.

Are you aware that McAfee and Kaspersky are also using user mode hooking? They are not using madCodeHook, but they're using similar techniques. Do you think their security software is bad, too? If you think that McAfee and Kaspersky write bad software, maybe you should create your own security software company? I'm not joking. I mean it. Make the world a better place! You'll have my support doing that.
uall
Posts: 254
Joined: Sun Feb 20, 2005 1:24 pm

Post by uall »

@Icon, you are right. I have written my own hooking library and I am using user mode code hooking. But not for security reasons!

You can use user mode code hooking to display something inside DirectX or OpenGL games. You can use it to add functionality to an existing program.
There are lots of ways to use it, but not for writing antivirus / anti-malware programs.

@Madshi
Kaspersky or McAfee are using drivers to detect a virus etc. They are hooking NtCreateFile in ring0, not in ring3. They also protect their ring0 code, and as far as I know a firewall (don't know the company's name) is protecting their user mode hook with a kernel NtVirtualProtect hook.

But how do you want to protect your code if you are only in userland? You can do nothing.

[EDITED BY MADSHI: Have removed some comments. Don't want explanations on my forum about how to break madCodeHook. Sorry.]

Your library is so easy to use, my little sister can write a 'security program' with it. But she doesn't know much about the internal problems.
When I was debugging the code of the anti-malware program I really cried.
They have written the API kernel32.CreateProcessA wrong, so the hook was never installed (but they are lucky and hooked all A/W APIs - nice slowdown).
But the best was, you have to rename your malware to outlook.exe and it won't be scanned anymore.

If someone is able to create a driver (kernel antivirus) I am sure he knows what security is.
madCHook can be used by everyone because of its ease of use, and someone was really so stupid to think he can use it for a security program. And what I have seen is that he doesn't know anything about a good security program.

All coders of Kaspersky and McAfee know what they are doing, because you know what security means if you can code a driver.
The coders of the malware only know how to call the HookCode API - best for coding security programs.

You can't protect user mode code with user mode code.
But you can protect kernel code with kernel code, and user code with kernel code.

That's the difference, and why I think Kaspersky etc. can use user mode code hooking.

There are lots of possibilities to use usermode code hooking, but not for that.
madshi
Site Admin
Posts: 10764
Joined: Sun Mar 21, 2004 5:25 pm

Post by madshi »

uall wrote: Kaspersky or McAfee are using drivers to detect a virus etc. They are hooking NtCreateFile in ring0, not in ring3. They also protect their ring0 code, and as far as I know a firewall (don't know the company's name) is protecting their user mode hook with a kernel NtVirtualProtect hook.
Yes. But still AFAIK McAfee and Kaspersky are also using user mode hooking on top of their kernel mode hooking.
uall wrote: They have written the API kernel32.CreateProcessA wrong, so the hook was never installed (but they are lucky and hooked all A/W APIs - nice slowdown).
But the best was, you have to rename your malware to outlook.exe and it won't be scanned anymore.
And as a consequence you damn *any* user mode hooking for *any* security software?
uall wrote: That's the difference, and why I think Kaspersky etc. can use user mode code hooking.
So now you're saying user mode hooking is ok for security software as long as kernel hooking is also used? Well, I can certainly agree to that. So why then should I ask companies not to use madCodeHook in their security software?

Btw, you didn't say anything about Vista 64bit kernel patch protection.
uall
Posts: 254
Joined: Sun Feb 20, 2005 1:24 pm

Post by uall »

madshi wrote: Yes. But still AFAIK McAfee and Kaspersky are also using user mode hooking on top of their kernel mode hooking.
You said it; I don't know if they are using it. But you can still add a new point to the hooking rules, like: "The hooking code isn't protected. There are ways to bypass it, so don't use madCHook in security programs if you don't add protection for it."

madshi wrote: And as a consequence you damn *any* user mode hooking for *any* security software?
No, it was an example of how easy your hooking code is to use. You can see that they aren't the best programmers, and you have to inform them about what can be done with it and what not. (See what I have written to the quote above - adding a new hooking rule.)
madshi wrote:So now you're saying user mode hooking is ok for security software as long as kernel hooking is also used? Well, I can certainly agree to that. So why then should I ask companies not to use madCodeHook in their security software?
You have to inform them. I saw posts where you said only the program which installed the hooking DLL can unload it. That's right, but you haven't mentioned that it's bypassable in 1 minute. So the customer thought it's secure to use it. (secure means only he can unload the DLL)
madshi wrote: Btw, you didn't say anything about Vista 64bit kernel patch protection.
Right, I haven't done anything with Vista. As I 'heard', the kernel protection is only for unlicensed drivers. (Maybe I am wrong.)
But maybe on Vista you can protect your user mode code better than on XP (as I said, I don't know how good Vista is).
But that doesn't matter, because on XP/2k using only madCHook is a risk for every user who is using an anti-xyz program which is using user mode code hooking.
For example, I can close or stop threads of their main program, because it's not protected by kernel mode. You can't do this with kav.exe or aviri.exe or whatever it is.
madshi
Site Admin
Posts: 10764
Joined: Sun Mar 21, 2004 5:25 pm

Post by madshi »

uall wrote: You said it; I don't know if they are using it. But you can still add a new point to the hooking rules, like: "The hooking code isn't protected. There are ways to bypass it, so don't use madCHook in security programs if you don't add protection for it."
Well, the hooking rules are pure technical guidelines to make hooking code stable. So such a recommendation you're suggesting doesn't really belong into the hooking rules. However, I could add it to the documentation at another place where it makes more sense. I'll add that to my to do list. Do you have a suggestion about what I should write that I could use as a starting point?
madshi wrote: As I 'heard', the kernel protection is only for unlicensed drivers.
Actually as far as I know you can't even load unsigned drivers in 64bit Vista, anymore. The problem is with signed drivers. They're not allowed to do patching/hooking in 64bit Vista, anymore. Look here for more information:

http://www.betanews.com/article/Symante ... 1161117633
uall
Posts: 254
Joined: Sun Feb 20, 2005 1:24 pm

Post by uall »

madshi wrote:Well, the hooking rules are pure technical guidelines to make hooking code stable. So such a recommendation you're suggesting doesn't really belong into the hooking rules. However, I could add it to the documentation at another place where it makes more sense. I'll add that to my to do list. Do you have a suggestion about what I should write that I could use as a starting point?
No, sorry, but you know where the problem is. With madCHook you can't be sure that the API you want to hook is 100% intercepted when someone wants to call it.
madshi wrote:Actually as far as I know you can't even load unsigned drivers in 64bit Vista, anymore. The problem is with signed drivers. They're not allowed to do patching/hooking in 64bit Vista, anymore. Look here for more information:

http://www.betanews.com/article/Symante ... 1161117633
I think if Microsoft has added a security API, this is better than hooking the APIs in user mode. You see that (a part of) the AV companies claim that they need to have full kernel access for a good antivirus program and they don't want to use user mode code hooking, because they know that's not secure.
Bad move from Microsoft IF their system can be bypassed by a virus and the AVCs can't use this method. But if it can't be bypassed, the security API must be enough for an AV and user mode code hooking isn't needed.

I must ask a friend who knows an AV programmer what he thinks about user mode code hooking for security programs, but I think he has the same opinion as me...
madshi
Site Admin
Posts: 10764
Joined: Sun Mar 21, 2004 5:25 pm

Post by madshi »

uall wrote: I must ask a friend who knows an AV programmer what he thinks about user mode code hooking for security programs, but I think he has the same opinion as me...
This again reads as if user mode hooking would be bad in itself. You really should be more clear with your posts. Many of your posts sound as if you thought security software should never use any user mode hooking. And then all of a sudden in one post you say user mode hooking is ok if it's protected by a deeper level of kernel mode hooking. If I take all your posts together I think that I understand what you mean and with that I'm certainly not disagreeing. But it's very easy to misread many of your comments. A less careful reader will probably interpret most of your posts in that way that no security software should ever use any bit of user mode hooking. Which is probably not what you're really trying to say, or is it?

My general opinion about this whole topic is that I'm just a provider of a general purpose library and that it's not my task to tell my customers how to design their software. I mean, a screwdriver manufacturer also doesn't try to tell its customers how to build a plane, or does he?

Nevertheless I agree that many tasks could and should be done better in kernel land. If you read through the forums, you'll see me advising against using madCodeHook and using other methods instead, if I think that that's the better choice. E.g. I'm often recommending the use of filter drivers if people are trying to hook into file operation stuff big time. But on the other hand I'm not forcing my opinion on anybody. Everybody may use my library as he sees fit, as long as it's legal. I don't have the manpower to watch over whether the products of my customers are any good or not.

I think a really good anti virus product will probably use lots of kernel mode tricks. And it will probably add a layer of user mode hooking on top of that, because there are simply things that don't run through driver land but which must be controlled/checked/hooked by a good anti virus software nevertheless. Consequently I have no problem whatsoever with madCodeHook being used by security companies.

But I'll gladly add a list of things to my documentation which in my opinion should better be done in kernel land. However, I can not force my customers to follow my advice. I can't even check whether they do.
Arksole Hoax
Posts: 211
Joined: Sat May 08, 2004 11:41 am

Post by Arksole Hoax »

@uall:

madshi is right on the point of ease of use. I know many people, including me, who (if they want to "hook") use madshi's because it's a multi-purpose hooking kit. Even I tried to make "security" software and realised, like iconic said, that this is very easy to bypass and hard to code with userland, ring3 stuff.

But you both look at it from a different, more professional perspective than many other users, including me. For example, most of the (advanced) terms iconic often uses I hear for the very first time :)
Not everyone has the "right" skill to say "ah, I'll just code myself a driver" or "oh, I'll just knock together a hooking lib", if you know what I mean :)

For the average programmer, who just wants to "enhance" his program a little bit, it's very OK to use such a "general purpose" hooking kit like madshi's (which in my opinion is very, very easy to use).

Revealing the points of how to bypass this, hmm, I don't think it makes much sense, because why would an ordinary user want to know that? :)
uall
Posts: 254
Joined: Sun Feb 20, 2005 1:24 pm

Post by uall »

uall wrote: As I 'heard', the kernel protection is only for unlicensed drivers.
http://www.heise.de/security/news/meldung/82858

"The APIs are also to be used on 32-bit Vista. This may give 32-bit Windows a more secure infrastructure, since only signed drivers are allowed to access the new interfaces."

Therefore no AV company needs user mode code hooking (for security reasons) in Vista anymore ;)
madshi
Site Admin
Posts: 10764
Joined: Sun Mar 21, 2004 5:25 pm

Post by madshi »

Sounds good!! But available only in 2008... :?
nildo
Posts: 249
Joined: Mon Mar 22, 2004 11:32 am

Post by nildo »

My opinion: Both of you are right but I have an opinion.

Uall, I know what your level of knowledge on security is. Your tolerance is much bigger than for many people. For example: a 99% security system for me could be only 50% for you. But a 99% security system for you could be only 0.005% security for someone else in the world. What I want to say is that there will never exist a 100% secure system, and there will always be someone available to bypass it.

I think that a security program using a 100% API hooking technique can be secure. For example: to unhook an API is easy, just copy the first 6 bytes of the binary API entry point to the address of the API in memory. But if you think about it when writing the program, it becomes easy to bypass the anti-hook technique. Just hook the APIs that read data from the disk and change the returned buffer. If there's a way to bypass it, try to foresee it and write an anti-bypass technique. If there's a way to bypass this anti-bypass, write an anti-anti-anti-bypass. And so on.

A good antivirus writer will probably foresee all the ways that his program can be bypassed and will write anti-bypass systems.

I don't think a driver is soooo necessary to write protection systems. If you do so, you will filter the people who are able to bypass your protection, but you will not make it impossible to bypass.

There will never be an unbypassable system. There will be always a crazy guy who will break it.
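The defender-side counterpart to the unhooking nildo describes (writing the API's original prologue bytes back over the hook): a user-mode hooking product cannot stop another user-mode component from doing that, but it can re-read the prologue and tell "our JMP is intact", "restored to the original", "redirected to someone else's code" and "overwritten with something else" apart. This is an added example, not code from madCodeHook or from anyone in the thread; the API address, the 6-byte prologue, the hook DLL's address range and the handler address are all constructed.

```python
"""Self-integrity check for a user-mode inline (prologue) hook.

A hooking product patches the first bytes of an exported API with an
x86 'E9 rel32' JMP into its own DLL.  Nothing in user mode prevents a
peer from rewriting those bytes, so the product periodically re-reads
them and classifies what it finds.  All values below are constructed.
"""
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


@dataclass(frozen=True)
class HookSite:
    api_name: str
    api_address: int                     # virtual address of the export
    original_prologue: bytes             # first bytes of the on-disk image
    hook_module_range: Tuple[int, int]   # [start, end) of our hook DLL


def decode_jmp_target(code: bytes, at: int) -> Optional[int]:
    """Absolute 32-bit target of an 'E9 rel32' JMP located at `at`,
    or None if `code` does not start with such a JMP."""
    if len(code) < 5 or code[0] != 0xE9:
        return None
    rel = int.from_bytes(code[1:5], "little", signed=True)
    return (at + 5 + rel) & 0xFFFFFFFF   # rel32 is relative to the next insn


def install_jmp(site: HookSite, handler: int) -> bytes:
    """Bytes a hook would write: a 5-byte JMP to `handler`, followed by
    the untouched tail of the original prologue."""
    rel = (handler - (site.api_address + 5)) & 0xFFFFFFFF
    return b"\xE9" + rel.to_bytes(4, "little") + site.original_prologue[5:]


def classify_prologue(site: HookSite, current: bytes) -> str:
    """Classify the bytes currently found at the hooked API."""
    head = current[: len(site.original_prologue)]
    if head == site.original_prologue:
        return "UNHOOKED"          # original bytes restored: our hook is gone
    target = decode_jmp_target(head, site.api_address)
    if target is None:
        return "TAMPERED"          # neither original nor a JMP we understand
    lo, hi = site.hook_module_range
    if lo <= target < hi:
        return "INTACT"            # JMP still lands inside our own module
    return "FOREIGN_HOOK"          # JMP redirected to someone else's code


# Constructed sample: a hotpatchable Win32-style prologue (mov edi,edi;
# push ebp; mov ebp,esp; ...) and a hook DLL mapped at 0x10000000.
SITE = HookSite("CreateProcessA", 0x7C80236B,
                bytes.fromhex("8bff558bec83"), (0x10000000, 0x10020000))
HOOK_HANDLER = 0x10004000


def self_check_report() -> Dict[str, str]:
    """Run the check against four states the prologue can be found in."""
    return {
        "after_install": classify_prologue(SITE, install_jmp(SITE, HOOK_HANDLER)),
        "bytes_restored": classify_prologue(SITE, SITE.original_prologue),
        "rehooked_elsewhere": classify_prologue(SITE, install_jmp(SITE, 0x00401000)),
        "overwritten": classify_prologue(SITE, b"\x90" * 6),
    }
```

Detection is all this buys: once a peer at the same privilege level has rewritten the bytes, the interception was already missed, which is the point both uall and madshi make about needing a lower layer.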
3delite
Posts: 29
Joined: Sat Jul 01, 2006 7:52 am

Post by 3delite »

This is so stupid! Solutions like that take away freedom, like banning knives because your little sister can cut herself with one.

This is mere stupidity!
gnif
Posts: 46
Joined: Fri Jan 05, 2007 9:12 am

Post by gnif »

This thread is hilarious....

We ALL know that user-level hooking is not 100% safe... and we ALL know that it should not be the only thing used if you're trying to make your software secure.

He is essentially saying.... A shop with a lock on the front door is harder to break into than the vault inside the shop, so why bother with a lock on the front door?

How stupid; every reasonable level of protection, no matter how hard/easy it is to bypass, should be implemented. Some hackers may be good at breaking user-level code, some may be good at breaking kernel-level code... some may be good at both, but no matter the case.... it's an extra level of protection.

Also... for a rootkit to remove/bypass a user-level hook it has to be run on the target PC first. If, and I say "IF", it manages to run before the user-level protection detects it (via AV or malware detection) then yes, it can bypass it all. But IT HAS TO RUN FIRST.

I have over ten years' experience as a programmer and a technician, and I will say this... once a PC is infected with a virus/malware... 99% of the time the AV software is NOT to be blamed... it's the idiot user that doesn't keep their virus definitions up to date.

Personal firewalls are a joke. ZoneAlarm, Norton Internet Security... etc... are the biggest piles of crap I have ever seen, as are AV products. They are easy to bypass, break, and if the initial installation of the product fails (esp. NAV) in any way, it screws up the Windows install so badly the PC usually needs a re-install anyway. We are just lucky that 99% of the virus/rootkit developers out there are essentially script kiddies playing with code they don't understand.

With all that said... you're trying to make a system secure that was not and will never be secure; even Vista still has its problems... XP/2k/NT/98/95/3.11 doesn't have ANY real security, your PC will NEVER be 100%, 99% or even 10% secure... all it takes is ONE bug and full access can be obtained; you can't quantify the level of security on your computer.

Windows was NEVER designed with the idea of API hooking in mind; it in itself is a hack, and like ALL unsupported hacks, it is prone to its problems. If Windows was truly designed with security in mind, none of this would have been possible in the first place... and rootkits would not be such a problem.

If you are that paranoid about your computer, don't run an operating system that is KNOWN to be full of security problems; switch to something like Linux that has all this built in, and is continually updated to fix the holes that are found. Or if that isn't good enough, unplug your internet connection and go back to the dark ages.