Good Discussion on Protected Processes

Down at the Disparity Bit, Dan Armak has a very good discussion on why exactly he thinks protected processes are bad, and a sort of addendum to my post on the subject. Check out “Making it Clear Just Why Protected Processes are a Bad Idea.” for a more detailed explanation of the problem.

A few people have started to reverse engineer the binary I posted, and some have come up with partial explanations and analysis. I just wanted to clear up a few things: Yes, the method uses a driver. It’s based on the Microsoft documentation, which says “Please don’t use a driver to bypass this”, which led me to believe that it would be possible to do this. Of course, it wouldn’t work on 64-bit Vista, where kernel-mode code signing enforcement prevents an unsigned driver from being loaded in the first place.

Secondly, almost everything inside the binary I provided is low-level obfuscation to confuse any kiddies that might try to grab hold of the extracted driver and use it for their own purposes. It was not meant as, nor is it an example of, proper techniques to obfuscate or protect a program against advanced reverse engineers.

3 Replies to “Good Discussion on Protected Processes”

  1. If you had made things clear right away it wouldn’t have been a big deal; however, you turned it into FUD… by simply saying “Vista has protected processes that nobody can access, but here I created a tool that can”… And without specifically talking about Vista 64-bit vs. 32-bit you implied that your tool works everywhere, which is, again, misleading.

    And do you really think that the AV folks and crackers don’t already know about the technique you used?
