I saw some anti-virus software notice me that some other process was trying to modify my registry entry and ask me whether to allow it. How can this anti-virus software hang that process up and stop if from modifying my registry until I make a decision? I fail to find any API that could do such things, which is crucial for my project.
Thanks,
Feng
Consider properly securing your applications registry keys using RegSetKeySecurity (MSDN).
Alternately, you could also construct a registry filter kernel mode driver. Such a driver can utilize the CmRegisterCallback/Ex() service to filter registry events. This is a big job (tm), but is the only documented/supported method to accomplish this that I am aware of.
This is done with games too. They hijack function calls which render objects in a 3D scene, they then tell the game engine to render all characters on top of every other object, which results in a wallhack.
An API you could use for this (not anymore since anti-cheat software blocks it now) is the detours API. You can still use it for your own purposes ofcourse.
There's alot of information about this API on the web.
http://research.microsoft.com/en-us/projects/detours/
The antivirus is most likely hooking the registry functions so it's own code gets called first before passing the requests to the real functions.
Note that doing this in anything but a few very specific circumstances can be suspicious behaviour.
I guess you could have a look at RegNotifyChangeKeyValue, but I think a antivirus won't use this approach. This does not block changes made to the registry, but could be used to get notified when a key is modified.
Related
NEFilterProvider, or more specifically its 2 subclasses NEFilterDataProvider and NEFilterPacketProvider, has the functionality to allow or deny network activity. However, I couldn't find any way to log in the activity, for debugging purposes.
I know the documentation says this:
it runs in a very restrictive sandbox. The sandbox prevents the Filter
Data Provider extension from moving network content outside of its
address space by blocking all network access, IPC, and disk write
operations.
but is there any trick to log this anyway in debug mode? Maybe using os_log or something like that?
yes, you can use os_log and read the output in the Console app. if you want to workaround the privacy restrictions (while developing/testing), use the %{public} prefix, like so...
import os.log
// ...somewhere in the provider class
os_log("something i want to log %{public}#", someVar)
you're right, the documentation is really, really lacking for this area, other than the SimpleFirewall sample code, and wwdc video. i have an app in production using NEFilterDataProvider but it about cost me my sanity to figure out how to put it all together. at some point i'm going to try to write some blog posts or make a demo repo to try to help create a central community resource to share knowledge and fill in the gaps in the documentation with hard-won knowledge.
This is my first post so please bear with me, will i get use to the posting requirements.
I need help finding out when i insert a smartcard (on Windows 64bit machine), what it then access in the background. I have tried using process monitor, process explorer and TCP View. These didn't provide me with what i needed which is to be able to see ports, registry keys, background network access and so on.I need something that will allow me to activate it to observe what happens when i use a smartcard. The idea is that a smartcard is inserted and then it looks at certain registry keys and also checks via an connection various URL's, ports to ensure access is granted. The problem is the software we have installed hasn't put the registry keys where they should be so i can't change them, and these are what i really need to get at. I have also tried searching the registry keys for a value one would be logged under and i can't seem to find it that way either.
I use to have a piece of software years ago that provided it, was a listener of some sort, but i can't think of it for the life of me what it is called. If anyone can point me in the direction of what i need to be thinking off i would be so grateful!
If i need to be clearer please let me know, thanks!
Actually a smartcard accesses nothing on its own. I'm aware, that Windows might look up the ATR in the registry in order to provide a "friendly card name", but if absent no harm is done except not having the friendly card name.
Any actions like internet request are more likely to be associated with a software tool called Service Provider, which knows, what commands to send for this specific card in order to perform actions like:
User authentication
Signature computation
Significant knowledge concerning the specific card is required, so entering some registry entries is far from sufficient. If the card contains a certificate, some software may try to verify the certificate chain or ensure, that the key was not revoked, but this is also not initiated by the card.
I am trying to port Wine 1.7.13 to modern Cocoa. I am considering running Windows binaries in an XPC service’s process, for security isolation and crash-proofing. However, there is one problem: To the best of my knowledge, XPC services are singletons. Only one XPC service process is allowed to be running at a time. This is a problem because, if I use threads to enable multiple Windows binaries to run at once, a segfault or other hard crash in one Windows binary would cause all the other binaries to crash with it.
As mentioned here, it is generally understood that the above assertion is true. If that is so, it would seem that I cannot implement this sort of isolation within a single XPC service process.
My other alternative is to use sandbox inheritance (having the GUI application fork and using more traditional IPC to have the Windows processes talk to each other) instead of an XPC service. What are the pros and cons of using that instead of an XPC service? I understand that processes that inherit their parent’s sandbox does not get to have its own entitlements. What other drawbacks are there?
I also understand that Apple discourages the use of sandbox inheritance in favor of XPC, but it is still an available design decision. They must have kept it around for a reason. Would a sandboxed Mac App Store app be able to use sandbox inheritance in this fashion?
I am going through the same decision. I had my heart set on XPC services, but upon discovering that there would be a single XPC Service with multiple connections, I cannot use them (my XPC Service will use plug-ins provided by third-parties so I want to keep them apart, and also the XPC Service will use libraries that might not clean-up properly, so I want to be able to dispose of them while keeping the UI stable - well I shouldn't have to justify this - I want one-process-per-job and that's that).
I am considering the normal sub-process model using posix_spawn() (I think this behaves better than fork() WRT to Sandboxing), CocoaAsyncSocket for the comms. I am going to see if I can replace the use of TCP/IP in CocoaAsynSocket with UNIX sockets to speed-up up comms (with the intent of contributing it back to the project if this works out). (UPDATE: this has already been done, some time ago by github user #jdiehl. See his socketUN branch and the discussion in issue #88 of the upstream repo).
For data marshalling I will use Google Protocol Buffers (UPDATE #2: Nope; not worth the hassle when NSKeyedArchiver and NSKeyedUnarchiver provide everything required out-of-the box. They may not provide data as packed as Google Protocol Buffers, but they 1) Don't require writing and maintaining, 2) Allow any class to participate by implementing the NSCoding protocol, and 3) Don't have to solve the issue of cross-platform data exchange.
The only possible disadvantage I can see is I don't know if file bookmarks can be passed to the subprocess and used (i.e. the UI opens a file or has a file dragged to it and wants to give access to the file to the worker process). I will update this answer with whatever I learn. (FINAL UPDATE: Passing the URL bookmark across the UNIX domain socket works fine, and the bookmark doesn't even need to be a security-scoped bookmark for this to work. There are no more impediments to this alternative to XPC).
Your assertion is incorrect about sub-processes not having their own entitlements; they do and are embedded into the executable and it must have "inherits sandbox" set for the sub-process to work correctly.
And the end-of-the-day the one-xpc-service-per-app is a show stopper so you have no choice but to find an alternative.
I have a problem that probably is not unique, but certainly does not seem to be widely reported.
I need a method to ping a windows service that will tell me if it has stalled out, even if windows is reporting that it is running.
I would prefer to use have a Perl solution but would accept any solution that someone can come up with.
Thanks,
Jeremy
What service are you dealing with? I don't think there is any generic solution to your question if the Services control panel doesn't indicate a problem. In order to detect a running-but-no-longer-functioning-properly process, you have to know what "functioning properly" looks like.
You could use the Win32::Service module
use Win32::Service;
GetStatus(hostName, serviceName, status);
From http://metacpan.org/pod/Win32::Service:
Get the status of a service. The third argument must be a hash reference that will be populated with entries corresponding to the SERVICE_STATUS structure of the Win32 API. See the Win32 Platform SDK documentation for details of this structure. You can even grab the service with GetServices(hostName, hashref).
My company is looking at implementing a new VPN solution, but require that the connection be maintained programatically by our software. The VPN solution consists of a background service that seems to manage the physical connection and a command line/GUI utilty that initiates the request to connect/disconnect. I am looking for a way to "spy" on the API calls between the front-end utilty and back-end service so that our software can make the same calls to the service. Are there any recommended software solutions or methods to do this?
Typically, communications between a front-end application and back-end service are done through some form of IPC (sockets, named pipes, etc.) or through custom messages sent through the Service Control Manager. You'll probably need to find out which method this solution uses, and work from there - though if it's encrypted communication over a socket, this could be difficult.
Like Harper Shelby said, it could be very difficult, but you may start with filemon, which can tell you when certain processes create or write to files, regmon, which can do the same for registry writes and reads, and wireshark to monitor the network traffic. This can get you some data, but even with the data, it may be too difficult to interpret in a manner that would allow you to make the same calls.
I don't understand why you want to replace the utility, instead of simply running the utility from your application.
Anyway, you can run "dumpbin /imports whatevertheutilitynameis.exe" to see the static list of API function names to which the utility is linked; this doesn't show the sequence in which they're called, nor the parameter values.
You can then use a system debugger (e.g. Winice or whatever its more modern equivalent might be) to set breakpoints on these API, so that you break into the debugger (and can then inspect parameter values) when the utility invokes these APIs.
You might be able to glean some information using tools such as Spy++ to look at Windows messages. Debugging/tracing tools (Windbg, or etc.) may allow you to see API calls that are in process. The Sysinternals tools can show you system information to some degree of detail of usage.
Although I would recommend against this for the most part -- is it possible to contact the solution provider and get documentation? One reason for that is fragility -- if a vendor is not expecting users to utilize that aspect of the interface, they are more likely to change it without notice.