NT Kernel Programming


Problem description

I would like to know where to start, or what the possibilities are for hooking or patching the Windows kernel (XP and later). I'm particularly interested in software like McAfee Entercept, or some of the anti-virus scanners that patch the kernel. I'd like to know how feasible it is for a startup to create software that adds functionality in the kernel (I know about KPP, and that it can be bypassed), and any improvements to doing so. I couldn't find a simple description, and only have limited experience with Win32. Many thanks for the help,

J

Further clarification: I'm not after a driver as such, and would be interested in whether it is technically possible to port something like PaX to Windows. That's a bad example, since Windows has already implemented it, but I'm interested in whether similar technology could be ported without access to the NT source.

Solution

Driver development is not an easy task at all. Anti-virus software requires dealing with the file system (file system filter driver), which makes life more complex. It would be useful if you try to describe in more detail what you are trying to achieve.

The most recommended resource for driver development is OSR. There are 2 related mailing lists:

  1. ntdev for general driver development
  2. ntfsd for file system driver development

A book list can be found here.

Unless drivers are your core business (in this case, find a person with kernel experience), I would strongly suggest outsourcing this work. On the lists above you can find plenty of consultants.

Unfortunately, the Windows source basically can't be accessed :). To play with the virtual memory manager you must be in kernel mode, if this is possible at all.

Try asking this question on ntdev; you will be asking most of the kernel developers in the world. You will need to ask a more concrete question to get a reasonable answer (I will watch the thread, interesting topic).
If I understand correctly what you want to do, this is impossible on Windows. At least not without major reverse engineering work, but I mostly work with standard types of drivers, so I think I don't know enough to make a final conclusion.

Response to comment:

I'm not sure what exactly Entercept is doing (I did not find anything in the product description suggesting they play with memory or process permissions). So defining the final goal, rather than the specific technology for achieving it, might be the more productive way.

Response to comment 2:

1.1. What is LIDS?

LIDS is an enhancement for the Linux kernel written by Xie Huagang and Philippe Biondi. It implements several security features that are not in the Linux kernel natively. Some of these include:
1. Mandatory access controls (MAC) - Don't know what that really means.
2. Port scan detector - This is definitely doable; look on this site.
3. File protection - File system filter driver, explained above.
4. Process protection - You can hook process creation in your driver; look in the ntdev archives, there are a lot of discussions about this.
