Bugtraq mailing list archives

Re: SAS behavior in Windows NT - RE: Windows 2000 Run As... Feature


From: ron () GWMICRO COM (Ron Parker)
Date: Thu, 27 Jan 2000 11:36:41 -0500


At 05:59 PM 1/26/2000 -0800, jdglaser wrote:
> So if entry to a kernel mode piece is protected by application level ACL's,
> it is a weaker form of protection. (Yes you can get past kernel mode
> protection too, but it is a more sophisticated attack)

Not that sophisticated.  Get a copy of the DDK, write a graphics driver
whose sole purpose in life is to patch the kernel, and away you go.  The
API at the driver level is a bit different, but it's easily possible to
hook a kernel function and point it at your new version.  I've done it,
for a legitimate purpose, and my driver has no visible effect on the
day-to-day operation of the machine (SoftICE doesn't like it, though.)

The only things preventing your new device driver from being installed
are the protections on a few registry keys in HKEY_LOCAL_MACHINE.  The
only things preventing it from walking all over kernel memory (in W2K)
are a couple more keys that NuMega was kind enough to document in the
SoftICE Knowledge Base.  All of them are writable for the Administrator.
Next time the machine is rebooted, it's yours.
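The post's point is that the only gate in front of a boot-time driver is the ACL on a few HKLM keys, and that the Administrator can write all of them. Administrator being able to do this is the threat model, not a misconfiguration; what a defender can check is whether that write access is any broader than the administrative set. The following PowerShell is an added example, not code from the post or from anyone in the thread: it walks the service keys under HKLM\SYSTEM\CurrentControlSet\Services (the hive that defines which drivers and services load; that location and the list of "trusted" principals are my assumptions, not something the post names) and reports any key where some other principal holds write-class rights.

```powershell
# Added example (not from the original post): audit the ACLs on the registry
# keys that govern which drivers and services load at boot. The post's claim
# is that these keys are the only thing preventing a new driver from being
# installed; this script reports any key where a principal outside the
# expected administrative set holds a right that lets it change or add a
# service. Key location and trusted-principal list are assumptions.

$ServicesKey = 'HKLM:\SYSTEM\CurrentControlSet\Services'

# Principals expected to hold write access on service keys (assumption;
# adjust for your environment).
$TrustedPrincipals = @(
    'NT AUTHORITY\SYSTEM',
    'BUILTIN\Administrators',
    'NT SERVICE\TrustedInstaller',
    'CREATOR OWNER'
)

# Registry rights that allow changing how a service or driver is configured
# or loaded. Anything in this mask granted to an untrusted principal matters.
$WriteMask = [System.Security.AccessControl.RegistryRights]::SetValue -bor
             [System.Security.AccessControl.RegistryRights]::CreateSubKey -bor
             [System.Security.AccessControl.RegistryRights]::WriteKey -bor
             [System.Security.AccessControl.RegistryRights]::ChangePermissions -bor
             [System.Security.AccessControl.RegistryRights]::TakeOwnership -bor
             [System.Security.AccessControl.RegistryRights]::FullControl

function Find-WritableServiceKeys {
    param([string]$Root = $ServicesKey)

    Get-ChildItem -Path $Root -ErrorAction SilentlyContinue | ForEach-Object {
        $key = $_
        $acl = Get-Acl -Path $key.PSPath -ErrorAction SilentlyContinue
        if (-not $acl) { return }

        foreach ($ace in $acl.Access) {
            # Only Allow entries grant anything; Deny entries are not findings.
            if ($ace.AccessControlType -ne 'Allow') { continue }
            if ($TrustedPrincipals -contains $ace.IdentityReference.Value) { continue }
            if (($ace.RegistryRights -band $WriteMask) -eq 0) { continue }

            [pscustomobject]@{
                Key       = $key.PSChildName
                Principal = $ace.IdentityReference.Value
                Rights    = $ace.RegistryRights
                Inherited = $ace.IsInherited
            }
        }
    }
}

# Usage: run from an elevated prompt. An empty result means only the trusted
# set can add or reconfigure services and drivers under this hive.
Find-WritableServiceKeys | Format-Table -AutoSize
```

Inherited entries usually trace back to the ACL on the Services key itself, so a single finding with Inherited set to True on every subkey points at the parent, not at the individual services. The post also mentions a couple of further keys, documented by NuMega, that control a driver's access to kernel memory on W2K; it does not name them, and this script does not cover them.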

--
Ron Parker
GW Micro, Inc.
Voice 219-489-3671
Fax 219-489-2608
