Solved

Is GlobalLock() hacker/cracker-proof?

Posted on 2003-10-21
Last Modified: 2010-05-18
Hello,

I have a very simple yes/no-question for which I'd like a detailed answer :))

The simple question:   Can GlobalLock() under Windows be trusted?


The more elaborate sub-questions:

I have sensitive data to process in one of my Windows programs.

If I use GlobalAlloc(),  and then use GlobalLock() on these heap-pages, how secure are they from spying eyes?

Who can read those pages (I assume just the locking thread or is it the locking process?)?
What does GlobalLock actually do at the deep levels of Windows?
How can "locked" pages be broken into by a cracker/hacker and how can that be prevented or at least detected?

What do I have to do to detect read-access to a certain memory-page?  (Read, if I don't want to trust the locking mechanism of Windows, can I somehow monitor what processes or threads are reading from that memory-area, and if I detect an intruder, I would clear the memory area again and terminate my program.   How would I implement such a page-watch mechanism reliably?)

Can I prevent Windows from swapping my locked pages to the swapfile on disk?
Do device drivers or other Ring0 code have free access to locked pages?

Basically I want to make sure that ONLY my thread (not even my whole process, just the locking thread) can read from a certain memory-page.  Is that possible under Windows?
Could you point me to websites that deal with that problem?

Simple question, probably no simple answers :))

But thank you all for your input!

Kind regards
Reinhard

Question by:rhopperger
LVL 22

Accepted Solution

by:
grg99 earned 63 total points
ID: 9592100
I think you're misinterpreting what GlobalLock() does.

IIRC all it does is force that range of addresses to stay in real silicon.
Nothing to do with access rights.

Also the whole concept of "peeking" into other address spaces varies from version to version of Windows.

On Windows 95/98/SE/Me there is no real security.  Programs can peek anywhere using standard APIs.

On Windows NT/2000/XP security is much better... In theory you can't go poking and peeking into any old address,
at least not with the typical access rights.   You have to have "admin" privs. to do any major peeking and poking.



LVL 86

Assisted Solution

by:jkr
jkr earned 62 total points
ID: 9592119
>>If I use GlobalAlloc(),  and then use GlobalLock() on these heap-pages, how secure are they from spying eyes?

Not at all. Any debugger will be able to read that memory.

>>What do I have to do to detect read-access to a certain memory-page

There's no way to do so. At best, you will be able to tell whether your program is running under a debugger ('IsDebuggerPresent()').

>> I want to make sure that ONLY my thread can read from a certain memory-page.  Is that possible under
>> Windows?

No. Not even in kernel mode (remember SoftICE :o)

Author Comment

by:rhopperger
ID: 9592372
grg99, jkr,  thank you for your comments.
So if I read that right then GlobalLock means nothing other than "Fix the block in memory and give me a pointer".  It makes the block immovable.   Ok.  Accepted.

So obviously there's no such thing as "locked" memory under Windows.

How can I then detect if anybody other than my thread is reading from that memory?
Can I create some code that receives a memory page exception or the like when a read is done?

Thanks for your help!
Reinhard
LVL 86

Expert Comment

by:jkr
ID: 9592416
>>Can I create some code that receives a memory page exception or something the like when a read is done ?

You could use 'VirtualProtect()' with 'PAGE_NOACCESS' to generate access violations when that memory area is accessed - but, as with everything, a hacker could reset the page status also. And, the access violation does not apply to a debugger reading the memory...

Author Comment

by:rhopperger
ID: 9592784
thanks again jkr.   So no chance for any kind of "private" memory?

I could try to detect a debugger and rule out that case.   If a debugger is detected, I would just not run my program.

So I would only have to get an exception or notification if any other program (ring0 or 3) accesses my memory-page.

Would VirtualProtect() accomplish this reliably?    Are there work-arounds around VirtualProtect that others can use to still get access to my page?

Thanks a lot for your help!
Reinhard
LVL 17

Expert Comment

by:rstaveley
ID: 9594265
Can't you put the process with sensitive data onto a separate secure PC - i.e. a PC which doesn't have unknown processes running on it?
LVL 86

Expert Comment

by:jkr
ID: 9595444
>>If a debugger is detected, I would just not run my program.

Remember that a hacker could zero out such functionality - it just adds another hurdle, but does not make anything "proof".

>>So I would only have to get an exception or notification if any other program (ring0 or 3)
>>accesses my memory-page.

Yup, an access violation to be precise.

>>Would VirtualProtect() accomplish this reliably?

Definitely.

>>Are there work-arounds around VirtualProtect that others can use to still get access to my
>>page?

Yes :o)

Using a debugger or just changing the page's protection attributes etc. *veg*
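
The approach from jkr's two comments above (VirtualProtect() with PAGE_NOACCESS, plus the caveat that the page status can be reset), as an added example that is not code from the thread: the page stays sealed except while in use, and each open first checks that it is still sealed. Assumptions: the helper names (page_alloc, page_set, page_is_sealed, secret_open, secret_close) are hypothetical, the 4096-byte size and key string are constructed, and the non-Windows branch substitutes mmap/mprotect and a pipe-write probe so the example builds off Windows.

```c
#define _DEFAULT_SOURCE
#include <string.h>
#ifdef _WIN32                      /* the calls named in the thread */
#include <windows.h>
static void *page_alloc(size_t n) {             /* committed, born PAGE_NOACCESS */
    return VirtualAlloc(NULL, n, MEM_COMMIT | MEM_RESERVE, PAGE_NOACCESS);
}
static int page_set(void *p, size_t n, int open) {
    DWORD old;
    return VirtualProtect(p, n, open ? PAGE_READWRITE : PAGE_NOACCESS, &old) ? 0 : -1;
}
static int page_is_sealed(void *p) {            /* protection as the OS reports it */
    MEMORY_BASIC_INFORMATION mbi;
    return VirtualQuery(p, &mbi, sizeof mbi) != 0 && mbi.Protect == PAGE_NOACCESS;
}
#else                              /* assumption: POSIX stand-ins for other hosts */
#include <sys/mman.h>
#include <unistd.h>
static void *page_alloc(size_t n) {             /* mapped with no access rights */
    void *p = mmap(NULL, n, PROT_NONE, MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    return p == MAP_FAILED ? NULL : p;
}
static int page_set(void *p, size_t n, int open) {
    return mprotect(p, n, open ? PROT_READ | PROT_WRITE : PROT_NONE);
}
static int page_is_sealed(void *p) {            /* kernel cannot copy from a sealed page */
    int fd[2], sealed;
    if (pipe(fd) != 0) return 0;
    sealed = write(fd[1], p, 1) != 1;
    close(fd[0]); close(fd[1]);
    return sealed;
}
#endif
/* Open the page for use. 0 = ok, 1 = page was not sealed on entry (its
   protection was changed outside this API), -1 = the OS call failed. */
int secret_open(void *page, size_t n) {
    if (!page_is_sealed(page)) return 1;
    return page_set(page, n, 1);
}
int secret_close(void *page, size_t n) { return page_set(page, n, 0); }
int main(void) {
    size_t n = 4096;                             /* constructed size: one page */
    void *p = page_alloc(n);
    if (!p || secret_open(p, n) != 0) return 2;
    memcpy(p, "constructed-key", 16);            /* constructed sample secret */
    if (secret_close(p, n) != 0 || !page_is_sealed(p)) return 2;
    page_set(p, n, 1);                           /* protection changed behind the API */
    return secret_open(p, n) == 1 ? 0 : 2;       /* 1 = the change was noticed */
}
```

The check only notices a protection change that is still in place at the next secret_open(); it does not cover the debugger case raised in the thread.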
LVL 22

Expert Comment

by:grg99
ID: 9595679
I don't think this page-protect business is going to help you much.

Maybe you could give us a hint as to what you're trying to do?

If you're trying to protect data in memory, you could always encrypt it.
To protect code, you could encrypt it and then just decrypt small bits at a time.
Or write the code in some pseudo-language like Java byte-codes.

That will stop 95% or so of the crackers.  For the rest, you leave some text in there like
"If you can decode this, we may want to hire you"





Author Comment

by:rhopperger
ID: 9599252
Hello again.

I think my questions have been sufficiently answered (although I am not happy about the result).  I would like to split the points between the two of you but I do not know how to do that.

Can you please let me know?

Thank you both for your help.

Kind regards
Reinhard
p.s.  If either of you wants to take a last shot at the question "How to maximally ensure that a block of memory is only read by my program and all other accesses are detected reliably" then please go ahead.  If a better answer deserves the whole points then I will give them undivided, otherwise I will (try to) divide them.   Thanks again!
LVL 11

Expert Comment

by:bcladd
ID: 10481849
No comment has been added lately, so it's time to clean up this TA. I will
leave a recommendation in the Cleanup topic area that this question is:

Answered: Points split between grg99 and jkr

Please leave any comments here within the next four days.

Experts: Silence means you don't care. Grading recommendations are made in light
of the posted grading guidelines (http://www.experts-exchange.com/help.jsp#hi73).

PLEASE DO NOT ACCEPT THIS COMMENT AS AN ANSWER!

-bcl (bcladd)
EE Cleanup Volunteer