I'd like to sandbox a native code and use hooking of WinAPI and system functions to block or allow this program to perform some operations like reading/writing files, modify Windows registry, using an Internet connection. Is it a good and secure way to do so? How difficult would it be for that program to bypass such a security layer?
I've checked your questions and they all are related to the task that seems to be invalid from the very beginning, and here's why: you are trying to secure one application and you are ready to reinvent the wheel for this. There exist several approaches (and many ready-made solutions) to solve your problem. So instead of coding you need to look at existing solutions.
The approaches are:
use Windows permissions to restrict
access of your application to
resources
take take VMWare or Parallels or
other virtualization platform and
run your program there
take sandboxing SDK (such as
BoxedApp) and "wrap" your
application.
+1 to Hans, however if you are really into it then I can recommend Easyhook. I have personally used it successfully in Win XP, Vista and 7. I don't know how bypassable it is but other alternatives do exist - madSHI hooks, and, if you want to go the official way, try Detours from Microsoft.
Antivirus apps try to solve nearly the same problem, without much success.
1. You'd never know how even most common operations can be used.
2. There're syscalls, so the program doesn't have to use winapi at all.
Related
There are plenty of articles online that describe how DLL Injection works and what it can be used for. There has been lots of software written (both malicious and non) to use this functionality, but there's a question that I can't find the answer to with my Google-Fu and that is...why does Windows have/allow such a technique but Linux (and its ilk) do not?
LD_PRELOAD doesn't count as it doesn't allow runtime injection. I also know about injectso but that's not official.
What problem is DLL Injection supposed to solve, and since Linux doesn't have this functionality, how does it solve that problem? If possible please provide references to backup your answer, ideally first-party ones. Thank you.
I'm looking for a way to output traces to a log file in my code, which runs on linux.
I don't want to include the printing information in the binary, in every place I deploy it.
It windows, I simply used WPP to trace without putting the actual traces strings in my binary.
How can this by achieved in Linux?
I'm not very familiar with Linux tools in this area, so maybe there is a better system. However, since nobody else has made any good suggestions, I'll make a suggestion. (Probably not a very good suggestion, but the best I can think of right now.)
In theory, you could continue to use wpp. Wpp is simply a template system. It scans the configuration and input files to create data structures. Then it runs a template, fills in the data values it got from the scan, producing the tmh files. You could create a new set of templates that would use Linux apis instead of Windows apis, and would record the message strings in a way that works with some other log decoder system.
I noticed this question only now and would like to add my two cents to the story just for a case. Personally, I truly appreciate Windows WPP Tracing and consider it probably the best engineering solution for practical development troubleshooting among similar tools.
It happened I extended WPP use to Unix-like platforms twice. We wanted to use strong sides of WPP concept in general and yet use it in a multi-platform pieces of code. This was not a porting but rather a wrapper to specific WPP use we configured on Windows. One time we had a web service to perform actual WPP pre-processing on Windows; it may sound a bit insane but it worked fine and effective within the local network. A wrapper script that was executed before each compilation sent a web request, got a processed file and post-processed the generated include file to make it suitable for Unix-like platforms. The second time we implemented a simplified WPP pre-processor of our own (we found yet additional use for it - we could generate the tracing statements differently for production and unit testing, for example). This was a harsh solution: you anyway need to use some physical tracing framework behind the wrapper on non-Windows platform (well, the first time we apparently implemented our own lower level).
I do not think the Linux world has a framework comparable to WPP. Once I even thought it could be a great idea to make an open source porting project for WPP. I am not sure it would be much requested though. I said it is a great engineering solution. But who wants to do dirty engineering work? Open source community prefer abstract object-oriented and generic solutions, streaming and less necessity in corresponding tools (WPP requires special management tools and OS support).Ease of code writing is the today's choice.
There could be Microsoft fault (or unwillingness) in the lack of WPP popularity too. They kept it as an internal framework that came out just by a case with Windows DDK because they have to offer some logging/tracing solution for driver developers. Nobody even noticed much that WPP is well suitable for the user-space code too. And WPP pre-processor for C#, for example, has never been exposed to public at all.
Nevertheless, I still think that WPP porting to Unix/Linux work can be a challenging, interesting and maybe even useful attempt. If someone decides to lead it. :)
I've been using the MonoTorrent library for a couple of weeks now and am looking for any kind of feedback or recommended alternatives.
The only issue I have with the library so far is that it is MUCH slower than uTorrent, I am not sure if this is a configuration issue or whether it doesnt support a required feature etc, but I require higher speeds for my needs and I found that for the exact same file I can get a major difference (times 100) in terms of the numbers of seeders and speeds.
I wanted to give libtorrent a try as well but have not been able to even compile the windows dll, let alone write the required code to use it :-)
I probably don't know much about the history of the torrent protocol but found it strange to find so little support in the C#/.Net world.
Was even considering wrapping the uTorrent client somehow, but it might be 'frowned upon' lol
Ended up using the libtorrent C++ library (running on a seperate process with added REST api to communicate with the main program) it works well and the torrent performance is excellent.
I am in the process of evaluating the use of NodeJs for a shared programming platform.
Users should be able to submit code and run it on the server. To give them the best fundamentals, several NodeJs Modules should be provided.
For security reasons the processes should be chrooted to forbid access to system resources.
The best approach seems to be the use of child_processes, especially the fork() function.
For further security also some NodeJs Modules should be disabled, like launching additional child processes.
How can I disable these modules for a child? I can't even seem to find compile options to disable some by default,
Basically, what you are looking for is running untrusted code within a trusted environment. The key here is sandboxing, I guess.
Please note that there are various solutions out there for creating and managing sandboxes in Node.js, among others:
gf3/sandbox, which is A nifty javascript sandbox for node.js
hflw/node-sandbox, which is an Advanced sandboxing library that allows communication between the sandbox and the parent process.
I do not have any practical experience with either of them, but I guess that's a step into the right direction for you. Maybe you would like to share your experiences with them here? I think this would be awesome :-)
Hope this helps.
Any suggestion to detect flaws in VB6 components running under IIS. IIS becomes unstable and after some time enter in a state of hang. The problems occur in the most part only in the production environment. We have many modules running. Probably there are components with bugs and need to identify them.
Thanks in advance.
One thing to watch out for is multi-threading issues. VB6 components often don't play well when accessed by multiple threads.
If the client code is an ASP.NET application consider putting synchlocks around the calls to ensure that they are called sequentially.
Another sure-fire way to fubar IIS is to display a message box or initiate some other sort of user interaction. Get those MsgBox calls outa there.
Other than that... good logging helps. VB6 is pretty opaque when errors arise.
Use Debugging Tools for Windows to analyze a dump of IIS. Tess' blog is one of the best resources to learn to use WinDbg. Although she focuses on .NET debugging, most of the material is applicable to any Win32 process.