Memory Access protection

[Guest]

[PhyxionNL]

I'm curious regarding the memory access protection, how good does it work? For example, does it protect from reading an applications memory by ring0 drivers and/or low level API's like NtReadVirtualMemory? If not, it would be pretty useless as it would still be extremely easy to workaround that... I couldn't find a single thing about this in the documentation, so if someone can enlighten me, please do so 

(Also posted in a subforum, but I *think* this is more in place here)

[i4u1]

Write a simple driver, then try to load it hehe and then check if it can access. What the question is about?

[PhyxionNL]

Write a simple driver, then try to load it hehe and then check if it can access. What the question is about?

Seems an aweful lot of trouble as I'm pretty sure someone here knows the answer to it I want to protect an application by not allowing it's memory to be read from any another application.

[Valentin N]

Seems an aweful lot of trouble as I'm pretty sure someone here knows the answer to it I want to protect an application by not allowing it's memory to be read from any another application.

There is a a way, I am not sure though, but you'll need to added the wanted application with customized settings, by going ti d+ --> Computer Secuity --> add --> 1) application path, 2) customize --> which acess --> modify --> allow/blocked application.

I hope this helps

[PhyxionNL]

There is a a way, I am not sure though, but you'll need to added the wanted application with customized settings, by going ti d+ --> Computer Secuity --> add --> 1) application path, 2) customize --> which acess --> modify --> allow/blocked application.

I hope this helps

Yeah, I already set it up like that, thanks My question however is simple, how good is this protection: does it protect against ring0 drivers, and/or low level API's like NtReadVirtualMemory? Because if this is not the case the whole memory access protection would be useless.

[Valentin N]

Yeah, I already set it up like that, thanks My question however is simple, how good is this protection: does it protect against ring0 drivers, and/or low level API's like NtReadVirtualMemory? Because if this is not the case the whole memory access protection would be useless.

That I can't say. I hope a mod or a developer can tell you.

[PhyxionNL]

Yeah, I hope so. Haven't seen much developers/mods going around here lately though

[Valentin N]

Yeah, I hope so. Haven't seen much developers/mods going around here lately though

You could try to ask Melih and egmen for more info. Jackob might also know something

[PhyxionNL]

I PMed Melih and egemen, couldn't find Jackob. Still haven't heard from them though.

[Valentin N]

I PMed Melih and egemen, couldn't find Jackob. Still haven't heard from them though.

Jacob - I added a k without seeing it.

[PhyxionNL]

PMed all of them, still no response. Any other person with insight into this? Thanks!

[EricJH]

The following still stands as I wrote in your duplicate topic:

With Ring0 you mean kernel mode access I assume. Once an application has kernel mode access it can do anything. As far as I understand CIS it cannot protect from actions initiated from kernel mode applications.

According to egemen, the head developer, once a program has kernel access it can do anything including attacking and taking down security applications.

That's why unknown applications are not allowed to install drivers or make services. CIS will help to prevent unauthorized access to kernel level.

In short CIS will prevent to let unknown programs, or gives the user the ability to prevent when  using D+ and disabled sandbox, to load a driver (get kernel access). But once a program has kernel access it is end of exercise for each and every application when the program has malicious intent.

[Valentin N]

Thanks for the explanation Eric Didn't know Ring 1 was the same as kernel mode access

[Tags:]