
Conversations with Fred: Windows Filter Drivers

[9:39:27 AM] Matt Brown says: hey fred…
[9:39:52 AM] Matt Brown says: when you get a minute, i’m curious if you could do me a favor and verify that the following diagram correctly explains the data flow of a file read: http://img518.imageshack.us/img518/1858/dataflowdiagramoffileretc4.png
[9:46:40 AM] Matt Brown says: thanks
[10:06:41 AM] Frederic Boismenu says: this is system dependent
[10:06:53 AM] Frederic Boismenu says: as far as I know it seems right
[10:07:04 AM] Frederic Boismenu says: and applies for win nt to xp
[10:07:12 AM] Matt Brown says: by that, you mean for a windows system with ntfs?
[10:07:36 AM] Frederic Boismenu says: i mean that the system is undocumented
[10:07:47 AM] Frederic Boismenu says: because nobody should care
[10:07:52 AM] Matt Brown says: right right
[10:07:54 AM] Frederic Boismenu says: to let them change it
[10:07:55 AM] Matt Brown says: can filter drivers fit in anywhere?
[10:08:00 AM] Frederic Boismenu says: i dunno
[10:08:18 AM] Matt Brown says: this was a fairly interesting presentation on rootkits
[10:08:20 AM] Frederic Boismenu says: it will be obviously at kernel level
[10:08:28 AM] Matt Brown says: http://www.security-assessment.com/files/presentations/darrenbilby_ruxcon06_v0_5.pdf
[10:08:30 AM] Frederic Boismenu says: but i dunno where it fits
[10:08:44 AM] Matt Brown says: I’m trying to understand where truecrypt and anti-virus lie
[10:08:53 AM] Matt Brown says: maybe I’ll write trendmicro
[10:09:04 AM] Matt Brown says: but it really doesn’t matter
[10:09:06 AM] Matt Brown says: i’m just curious
[10:09:21 AM] Frederic Boismenu says: anti-virus
[10:09:33 AM] Frederic Boismenu says: are diverting API at different levels
[10:09:50 AM] Frederic Boismenu says: they are replacing software interrupts
[10:09:57 AM] Frederic Boismenu says: and or diverting api calls
[10:10:06 AM] Frederic Boismenu says: or anything else..
[10:10:18 AM] Frederic Boismenu says: there are as many implementations as devs
[10:11:15 AM] Frederic Boismenu says: you can for example patch code in memory of programs to execute your code when a function is called
[10:11:25 AM] Frederic Boismenu says: it can be done at various level…
[10:12:05 AM] Frederic Boismenu says: there’s even people that patch the kernel at run time
[10:12:33 AM] Matt Brown says: that seems inefficient, no?
[10:12:41 AM] Matt Brown says: to divert api calls?
[10:12:56 AM] Frederic Boismenu says: it is very efficient
[10:13:21 AM] Frederic Boismenu says: it’s actually the most efficient you can do
[10:13:24 AM] Frederic Boismenu says: but it’s hard
[10:13:34 AM] Frederic Boismenu says: need to be able to disassemble
[10:13:53 AM] Matt Brown says: so, for instance, in this diagram… Readfile() would be diverted to some library that is the anti-virus?
[10:14:10 AM] Frederic Boismenu says: it’s implementation dependent
[10:14:15 AM] Frederic Boismenu says: it’s one way to do it
[10:14:20 AM] Matt Brown says: before kernel32.dll is called
[10:14:24 AM] Frederic Boismenu says: I dunno about the file filter capability
[10:14:28 AM] Matt Brown says: so it acts as a middle man, inserting itself into the flow?
[10:14:33 AM] Frederic Boismenu says: yes
[10:14:55 AM] Matt Brown says: okay… what you’re saying about the most efficient and the hardest is inserting itself after the kernel?
[10:14:55 AM] Frederic Boismenu says: you can patch the code in memory
[10:15:06 AM] Frederic Boismenu says: you can savagely replace the dll
[10:15:11 AM] Frederic Boismenu says: w/ a middleman dll
[10:15:44 AM] Matt Brown says: where do you figure truecrypt lies in this diagram?
[10:15:48 AM] Frederic Boismenu says: you can intercept API at different levels
[10:16:30 AM] Matt Brown says: or anti-virus specifically… where do you figure they placed themselves?
[10:16:38 AM] Matt Brown says: (opinion)?
[10:17:20 AM] Matt Brown says: i’m under the impression that truecrypt must fall between the volume manager disk driver and the file system driver? Is this a correct assumption?
[10:19:51 AM] Frederic Boismenu says: i dunno… if it’s not documented forget about it
[10:20:00 AM] Frederic Boismenu says: ask their support or something
[10:20:05 AM] Matt Brown says: okay
[10:20:08 AM] Frederic Boismenu says: don’t even try to debug it
[10:20:16 AM] Matt Brown says: I’m not debugging :)
[10:20:17 AM] Matt Brown says: hah
[10:20:22 AM] Matt Brown says: thanks for the info
