From: IPD [ipd@pedestalsoftware.com]
Sent: Thursday, June 29, 2000 2:05 PM
To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM
Subject: Update to Integrity Protection Driver Available

Name   : Integrity Protection Driver (IPD)
Version: 1.1
Purpose: Prevent installation of rootkit device drivers on NT/2000
License: Open Source

Changes since 1.0
-----------------
1. Deny access to only the essential keys for adding device drivers.
   Previously, the driver denied access to change any driver setting.

New features in 1.1
-------------------
1. Restrict use of rights that allow debugging, privileged operation and
   changing access tokens.
2. Deny access to \device\physicalmemory.
3. Restrict ability to create threads in other processes and write to the
   memory of other processes.

Integrity Protection Driver (IPD)
---------------------------------
The IPD is an Open Source device driver designed to prohibit the installation
of new services and drivers and to protect existing drivers from tampering.
It installs on Windows NT and Windows 2000 computers.

Updated information about this driver may be found at
http://www.pedestalsoftware.com/

Motivation
----------
This driver was created to provide protection against rootkit installation by
attempting to block any new kernel code from being installed and executed.
This helps prevent trojans from hiding from integrity checking programs such
as Intact.

What It Does
------------
The IPD hooks undocumented system service functions to make driver-related
registry keys, values and files read-only, regardless of the account
requesting access. This effectively prohibits the Service Control Manager or
user applications from changing service and driver keys and values in the
registry and from adding to or replacing existing driver binaries in the
%SystemRoot%\system32\drivers directory.
The IPD restricts all processes except some system processes(*) from obtaining
the following privileges:

  Debug Privilege
  TCB Privilege
  Create Token Privilege
  Assign Primary Token Privilege

The IPD forbids any process from opening \Device\PhysicalMemory.

The IPD forbids any process, except select system processes, from creating
threads in other processes and from writing in the virtual memory space of
other processes.

(*) See h_tok.c for a list of the system images that are permitted these
    privileges.

Is there a way to circumvent the IPD?
-------------------------------------
The IPD attempts to block known methods for loading and executing kernel code.
There may be undocumented or undiscovered methods for installing and executing
kernel code. As new methods are discovered the IPD can be updated to counter
those methods.

Functionality Issues
--------------------
The IPD is designed to alter the operating system's normal operating behavior.
In doing so, there will be some loss of functionality. The following are some
of the constraints you may encounter:

\Device\PhysicalMemory issues:

  NTVDM requires access to \Device\PhysicalMemory on startup. This means that
  no 16-bit applications will work (unless an NTVDM session was running before
  the IPD driver engaged and the 16-bit application is not configured to run
  in its own memory space). Some screen savers (such as the blank screen
  saver) will not work because of this.

  Legitimate device drivers may attempt to open \Device\PhysicalMemory during
  normal operation. The IPD will block these attempts and so may cause
  unexpected results. So far, we have not encountered any device drivers that
  do this after startup.

Debugging Programs:

  The IPD blocks the ability to debug programs.
What's Included
---------------
You should have received the following files with your distribution:

  ipd.sys        -- the compiled device driver for i386 computers
  ipdinstall.exe -- the installation/removal program
  readme         -- this file
  driver/*       -- source files

Installation
------------
To install the IPD device driver, unzip all files into a directory. Execute
the ipdinstall.exe program to install and start the driver:

  ipdinstall.exe install

The driver is installed for "automatic" startup, which means it will
automatically start at system boot. The driver engages, or begins protecting,
20 minutes after it has started.

IMPORTANT:
  * Once the driver is started it may not be stopped.
  * Once the driver is engaged it may not be removed. Even if the appropriate
    Service Control Manager function call marks the driver for deletion, the
    driver will still not be removed.

Removal
-------
YOU MUST REMOVE THE IPD DEVICE DRIVER WITHIN 20 MINUTES OF STARTUP, AND THEN
REBOOT THE SYSTEM. If the driver has already engaged then you will have to
reboot and remove it within 20 minutes of boot up. The remove command is:

  ipdinstall.exe remove

Support
-------
There is no support. New versions can be found at
http://www.pedestalsoftware.com. Bug reports should be sent to
bugs@pedestalsoftware.com.

References
----------
Undocumented Windows NT by Dabak, Phadke and Borate; M&T Books, 1999.
Windows NT/2000 Native API Reference, Gary Nebbett; Macmillan Technical
Publishing, 2000.
Microsoft Windows DDK.

Copyright and Grant of Use
--------------------------
The IPD is Open Source, please see the web site for details.

Who is Pedestal Software?
-------------------------
Pedestal Software is based near Boston, MA, and has been providing security
software since 1996. Its founders come from the financial services and banking
industries where security and system integrity are top priorities.
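Because the driver only engages 20 minutes after start and cannot then be removed, an administrator wants a quick way to confirm which of the protections described under "What It Does" are actually in effect before relying on them. The following self-check is an added example, not part of the IPD distribution; it assumes an elevated PowerShell session, assumes the driver's service key is named 'ipd' (the readme does not state the name), and uses probe key and file names constructed here.

```powershell
# Added self-check, not part of the IPD distribution. It reports which of the
# protections described in the readme are currently in effect on this host.
# Assumptions: run from an elevated PowerShell prompt; the driver's service key is
# named 'ipd' (the readme does not state the name); the probe key and probe file
# names are constructed here and are removed again if the write is not refused.
$ServiceName = 'ipd'                                   # assumed, see above
$ServicesKey = 'HKLM:\SYSTEM\CurrentControlSet\Services'
$DriversDir  = Join-Path $env:SystemRoot 'system32\drivers'

function Test-Blocked([scriptblock]$Action) {
    # $true when the action is refused (protection in effect), $false when it
    # completes, which on an engaged system should not happen.
    try { & $Action; return $false } catch { return $true }
}

$report = [ordered]@{}

# Driver registered for automatic start (Start = 2, SERVICE_AUTO_START)?
$svc = Get-ItemProperty -Path (Join-Path $ServicesKey $ServiceName) -ErrorAction SilentlyContinue
$report['IPD service key present, automatic start'] = ($null -ne $svc -and $svc.Start -eq 2)

# Service and driver keys must be read-only once engaged: probe with a throwaway key.
$probeKey = Join-Path $ServicesKey 'IpdProbe_DeleteMe'
$report['Services registry keys read-only'] = Test-Blocked {
    New-Item -Path $probeKey -ErrorAction Stop | Out-Null
    Remove-Item -Path $probeKey -Recurse -ErrorAction SilentlyContinue  # only reached if not engaged
}

# No new binaries may be added to %SystemRoot%\system32\drivers.
$probeFile = Join-Path $DriversDir 'IpdProbe_DeleteMe.tmp'
$report['Drivers directory write-protected'] = Test-Blocked {
    [IO.File]::WriteAllText($probeFile, 'probe')
    Remove-Item -Path $probeFile -ErrorAction SilentlyContinue          # only reached if not engaged
}

# Debug privilege must not be obtainable; EnterDebugMode enables SeDebugPrivilege
# for the current process and throws when the privilege cannot be enabled.
$report['Debug privilege blocked'] = Test-Blocked {
    [System.Diagnostics.Process]::EnterDebugMode()
    [System.Diagnostics.Process]::LeaveDebugMode()
}

foreach ($entry in $report.GetEnumerator()) {
    $state = if ($entry.Value) { 'yes' } else { 'NO' }
    '{0,-45} {1}' -f $entry.Key, $state
}
```

Run it once shortly after boot and again after the 20-minute window: the registry, drivers-directory and debug-privilege rows should change from NO to yes, and a row that stays NO after engagement is the first thing to report to bugs@pedestalsoftware.com. The debug-privilege row is only meaningful when the calling process is not one of the system images listed in h_tok.c.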
On the web: http://www.pedestalsoftware.com
email: support@pedestalsoftware.com