The death of 3rd party system tools?

A co-worker recently asked me what I thought about the upcoming hardening of the x64 versions of Windows, which makes it harder to write cool programs like Compuware's SoftIce, or RegMon & FileMon from SysInternals. The gist is that Windows will attempt to block modification of the IDT/GDT and the system call tables, except by authorized Microsoft hot patches.

I'm of mixed opinion on this.

The "Cool tools" part of me thinks this is a bad thing. A lot of awesome projects have come about only because of great tools that provided visibility into the system's inner workings.

The other "OS purist" side applauds the Windows kernel team for making the OS that much better. (Almost) anything that improves robustness is a good thing, and I certainly want to run the best Windows possible.

On an internal email thread, a kernel guru dismissed these tools as "hacky", and that was the nicer of the adjectives. They suggested that there are better ways to get similar functionality (such as filter drivers for the file system.)

There's also a middle ground in my mind. To perform these hacks, these tools need sufficient access rights to load kernel mode drivers. If you're running with enough rights to load a driver (e.g., as Administrator), the driver can (mostly) party all over the kernel data structures. What if a special mode were available that had to be explicitly enabled? This mode would turn off the hardening so that tools could muck about to their heart's content. Something similar has already happened: in order to work on Windows XP, the SoftIce installation has to disable Windows' kernel page write protection. (Sorry, no links, and I don't know the details.)
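To make the collision concrete, here is an added example (my own, not code from the post, from Windows, or from any of the tools named) that models the three parties in user mode: a system service table, a patch-protection checker that seals a checksum of that table at boot and re-verifies it later, and a monitoring tool written two ways, once by overwriting a table entry in the style the post calls "hacky", and once against a registration interface the kernel owns, in the spirit of the filter-driver suggestion above. The service numbers, table layout, checksum, and every name are simplifications invented for the example.

```c
/*
 * Added example, not code from the original post or from Windows: a
 * user-mode model of why table-patching tools collide with kernel patch
 * protection, and of the sanctioned alternative (a registration interface
 * the kernel owns, in the spirit of a filter driver).
 *
 * Service numbers, the table layout, the checksum and all names here are
 * simplifications invented for the example.
 */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

typedef long (*service_fn)(long arg);
typedef void (*observer_fn)(int number, long arg);

enum { SVC_OPEN_KEY = 0, SVC_OPEN_FILE = 1, SVC_COUNT = 2 }; /* hypothetical numbers */

/* "Real" services return a distinctive value so forwarding is observable. */
static long svc_open_key(long arg)  { return arg + 1000; }
static long svc_open_file(long arg) { return arg + 2000; }

/* The protected table: what patch protection watches. */
static service_fn service_table[SVC_COUNT] = { svc_open_key, svc_open_file };

/* ---- Patch protection: seal a checksum at boot, re-check later ------- */
static uint64_t fnv1a(const void *data, size_t len)
{
    const unsigned char *p = data;
    uint64_t h = 1469598103934665603ULL;
    for (size_t i = 0; i < len; i++) { h ^= p[i]; h *= 1099511628211ULL; }
    return h;
}

static uint64_t boot_checksum;
void patchguard_seal(void)   { boot_checksum = fnv1a(service_table, sizeof service_table); }
bool patchguard_verify(void) { return fnv1a(service_table, sizeof service_table) == boot_checksum; }

/* ---- Sanctioned path: an observer list the kernel owns --------------- */
#define MAX_OBSERVERS 4
static observer_fn observers[MAX_OBSERVERS];
static int observer_count;

bool register_observer(observer_fn fn)
{
    if (observer_count == MAX_OBSERVERS) return false;
    observers[observer_count++] = fn;
    return true;
}

/* ---- The dispatcher (system call entry, simplified) ------------------ */
long syscall_dispatch(int number, long arg)
{
    if (number < 0 || number >= SVC_COUNT) return -1;
    for (int i = 0; i < observer_count; i++) observers[i](number, arg);
    return service_table[number](arg);          /* table entry is the trusted target */
}

/* ---- The "hacky" tool: overwrite the table entry, forward the call --- */
static service_fn original_open_key;
static int hook_calls_seen;

static long hooked_open_key(long arg)
{
    hook_calls_seen++;                 /* the monitoring part */
    return original_open_key(arg);     /* behave exactly like the original */
}

void tool_hook_open_key(void)
{
    original_open_key = service_table[SVC_OPEN_KEY];
    service_table[SVC_OPEN_KEY] = hooked_open_key;
}
void tool_unhook_open_key(void) { service_table[SVC_OPEN_KEY] = original_open_key; }
int  tool_hook_calls_seen(void) { return hook_calls_seen; }

/* ---- The same tool, rewritten against the sanctioned interface ------- */
static int observer_calls_seen;
static void tool_observer(int number, long arg)
{
    (void)arg;
    if (number == SVC_OPEN_KEY) observer_calls_seen++;
}
bool tool_register(void)           { return register_observer(tool_observer); }
int  tool_observer_calls_seen(void) { return observer_calls_seen; }

int main(void)
{
    patchguard_seal();
    tool_hook_open_key();
    syscall_dispatch(SVC_OPEN_KEY, 5);
    printf("hooked:   calls seen=%d, table intact=%d\n", tool_hook_calls_seen(), patchguard_verify());
    tool_unhook_open_key();
    tool_register();
    syscall_dispatch(SVC_OPEN_KEY, 5);
    printf("observer: calls seen=%d, table intact=%d\n", tool_observer_calls_seen(), patchguard_verify());
    return 0;
}
```

The point the model makes is that the hooked table forwards every call correctly, so from the caller's side nothing is wrong, yet the checksum comparison cannot tell a well-behaved monitoring hook from a malicious one: both are "the table changed". The observer variant sees the same calls without touching the sealed table, which is why a kernel-owned registration interface survives the hardening and a table patch does not. The checker here is a snapshot comparison, so it only reports what the table looks like at the moment it runs.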

I personally have no direct control over any of this, as I'm not in the Windows group. I'm just an interested bystander in the discussion.

What's your opinion?

Comments

  • Anonymous
    October 21, 2004
    A world without those 3rd party debugging tools is a world full of pain if you start having problems with your system, a 3rd party app, or your own code.

    I use the sysinternals tools all the time.

    It might make much more sense to have something similar to what VS2k3 does right now - that is, a debugger account which has the rights to do these kinds of things.
  • Anonymous
    October 21, 2004
    The comment has been removed
  • Anonymous
    October 21, 2004
    What if Microsoft just made it easy for the "cool" tools to get authorized? I only use "cool" tools from a handful of places anyway. I know some of those places' tools are even referenced in KB articles. Why doesn't Microsoft offer some option to the developers of those tools?
  • Anonymous
    October 21, 2004
    I think Microsoft needs to look at these tools as an indication of a lack of functionality within the Operating System itself.

    Has anyone tried opening a COM port to find out "another application or telephony device" may be using it? How come I can't go find out who has ownership of what resources on my PC?

    How about IP connections and ports? I know I can get information using the netsh interface, but how come I can't get a summary in my network connections?

    Wouldn't security be easier if we could easily assess what has control of what parts of our system?

    To answer these questions, I go to "cool tools". But man, I think these need to be part of the operating system.
  • Anonymous
    October 21, 2004
    The comment has been removed
  • Anonymous
    October 21, 2004
    The comment has been removed
  • Anonymous
    October 21, 2004
    1 >Tell us the interfaces you need to accomplish your task and we'll try to put them in...
    2 >Use filter driver...

    1. Will take forever to implement, delays will be infinite and only certain companies will get enough presence to affect anything.
    2. Filter driver DDK costs. Which once again will have effect on the number/price of tools available.
  • Anonymous
    October 21, 2004
    The comment has been removed
  • Anonymous
    October 21, 2004
    The comment has been removed
  • Anonymous
    October 21, 2004
    Bad news...:(
  • Anonymous
    October 22, 2004
    We do need those kinds of tools. I'm not really too concerned about how they are implemented, but we do need the functionality. At a minimum there needs to be a developer/softened mode where these tools can function.
  • Anonymous
    October 22, 2004
    The comment has been removed
  • Anonymous
    October 22, 2004
    The comment has been removed
  • Anonymous
    October 22, 2004
    The comment has been removed
  • Anonymous
    October 22, 2004
    The comment has been removed
  • Anonymous
    October 22, 2004
    I live and code by tools like FileMon and RegMon, and if third-parties (as much as they may try, MS can never provide everything) such as SysInternals were prevented from providing such tools, it would be a sad day. And they shouldn't have to pay or register with MS, either.

    Improving security is great, and making it more difficult for the people to do "bad" things is fine, but there should always be an admin-controlled mechanism for allowing dev and system tools.

  • Anonymous
    October 22, 2004
    http://frontline.compuware.com/nashua/kb/doc/857.asp -- old, but still accurate, as of [4.]3.1, at least.
  • Anonymous
    October 23, 2004
    The comment has been removed
  • Anonymous
    October 25, 2004
    maybe they want nobody to find holes in their OS with these tools and exploit it instead of making a more secure OS ..
  • Anonymous
    October 28, 2004
    .
  • Anonymous
    November 04, 2004
    The comment has been removed