At 05:59 PM 1/26/2000 -0800, jdglaser wrote:

>So if entry to a kernel mode piece is protected by application level ACLs,
>it is a weaker form of protection. (Yes you can get past kernel mode
>protection too, but it is a more sophisticated attack)

Not that sophisticated. Get a copy of the DDK, write a graphics driver whose
sole purpose in life is to patch the kernel, and away you go. The API at the
driver level is a bit different, but it's easily possible to hook a kernel
function and point it at your new version. I've done it, for a legitimate
purpose, and my driver has no visible effect on the day-to-day operation of
the machine (SoftICE doesn't like it, though.)

The only things preventing your new device driver from being installed are
the protections on a few registry keys in HKEY_LOCAL_MACHINE. The only things
preventing it from walking all over kernel memory (in W2K) are a couple more
keys that NuMega was kind enough to document in the SoftICE Knowledge Base.
All of them are writable for the Administrator. Next time the machine is
rebooted, it's yours.

--
Ron Parker
GW Micro, Inc.
Voice 219-489-3671
Fax 219-489-2608
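The post's point is that driver installation is gated by nothing more than the ACLs on service entries under HKEY_LOCAL_MACHINE, and that anything with write access there owns the kernel after the next reboot. The following is an added defender's audit script, not code from Ron Parker or the original thread: it reports any principal outside a small allow-list that holds write rights on the services hive (the location of driver service entries on Windows NT-family systems) or on any individual service subkey, and then lists the currently loaded kernel drivers with their Authenticode signature status for comparison against a known-good inventory. The allow-list of expected writers is a constructed assumption to be adjusted per environment; the post's unnamed "couple more keys" for kernel memory access are not guessed at here.

```powershell
# Added audit example (not from the original post). Assumes an elevated PowerShell
# session on a modern Windows host; $ExpectedWriters is a constructed allow-list.

$ServicesKey     = 'HKLM:\SYSTEM\CurrentControlSet\Services'
$ExpectedWriters = @('NT AUTHORITY\SYSTEM',
                     'BUILTIN\Administrators',
                     'NT SERVICE\TrustedInstaller')

# Any one of these rights is enough to add a service entry or repoint an existing
# one at a different binary, so treat all of them as "write".
$WriteMask = [int]([System.Security.AccessControl.RegistryRights]::SetValue -bor
                   [System.Security.AccessControl.RegistryRights]::CreateSubKey -bor
                   [System.Security.AccessControl.RegistryRights]::WriteKey -bor
                   [System.Security.AccessControl.RegistryRights]::FullControl)

function Get-UnexpectedRegistryWriters {
    param([string]$Path, [string[]]$Allowed)
    $acl = Get-Acl -Path $Path -ErrorAction SilentlyContinue
    if (-not $acl) { return }
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if (([int]$ace.RegistryRights -band $WriteMask) -eq 0) { continue }
        if ($Allowed -contains $ace.IdentityReference.Value) { continue }
        [pscustomobject]@{
            Path      = $Path
            Identity  = $ace.IdentityReference.Value
            Rights    = $ace.RegistryRights
            Inherited = $ace.IsInherited
        }
    }
}

# 1. Who can write the services hive root and each service/driver subkey?
$findings = @()
$findings += Get-UnexpectedRegistryWriters -Path $ServicesKey -Allowed $ExpectedWriters
Get-ChildItem -Path $ServicesKey -ErrorAction SilentlyContinue | ForEach-Object {
    $findings += Get-UnexpectedRegistryWriters -Path $_.PSPath -Allowed $ExpectedWriters
}
if ($findings.Count -eq 0) {
    Write-Output "No unexpected writers found under $ServicesKey"
} else {
    $findings | Sort-Object Path, Identity | Format-Table -AutoSize
}

# 2. Which kernel drivers are loaded right now, and are their binaries signed?
#    Diff this against a baseline taken from a known-good build of the same image.
Get-CimInstance -ClassName Win32_SystemDriver |
    Where-Object { $_.State -eq 'Running' } |
    ForEach-Object {
        $status = 'Unknown'
        if ($_.PathName) {
            $sig = Get-AuthenticodeSignature -FilePath $_.PathName -ErrorAction SilentlyContinue
            if ($sig) { $status = $sig.Status }
        }
        [pscustomobject]@{
            Name      = $_.Name
            Path      = $_.PathName
            StartMode = $_.StartMode
            Signature = $status
        }
    } |
    Sort-Object Signature, Name |
    Format-Table -AutoSize
```

On a stock installation the first section should come back empty; a non-administrative user or group appearing there means the weak spot the post describes is present, since that principal can register a driver that loads at the next boot. The second section is the complementary check after the fact: an unsigned or unfamiliar binary in the running-driver list is the kind of artifact that a kernel-patching driver of the sort described leaves behind, and the driver's own service subkey is the place to look for who created it.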
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 15:31:58 PDT