Protected Processes


In prior versions of Windows, parent processes have complete control over their child processes, and administratively started processes can control other processes. A common malware ploy is to maliciously manipulate an existing legitimate application or service into running a new malicious process. Often the new malicious process incorrectly appears to the operating system and other defense tools to be a legitimate child process. Or an invoked rogue process can manipulate another, completely unrelated legitimate process into doing something malicious.

Windows Vista introduces the concept of protected processes (unfortunately currently focused on DRM technologies and content), which run alongside non-protected processes. Only system and application files digitally signed and belonging to the Windows Protected Media Path (WMPM) can create a protected process. When a process is protected, a non-protected process or thread cannot:

  • Access the virtual memory area of a protected process

  • Debug an active protected process

  • Inject a new thread into a protected process

  • Impersonate a thread

  • Set or receive context information

  • Duplicate a handle from a protected process

There are other process protections, as you can read about at http://www.microsoft.com/whdc/system/Vista/process_Vista.mspx.

Note

Protected processes can be recognized in the Task Manager by locating processes (besides System and System Idle) with no values present in the Data Execution Prevention or Virtualization columns. Enable Show processes from all users and add the Data Execution Prevention and Virtualization columns to the list of columns displayed on Task Manager's Processes view. Vista's Audiodg.exe program is a ready example of a protected process that appears in Task Manager this way.
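The same recognition can be done programmatically, using the access restrictions listed above. The following PowerShell script is an added example (not from the book): it asks for PROCESS_VM_READ on each process and reports those that refuse it with ERROR_ACCESS_DENIED while still granting PROCESS_QUERY_LIMITED_INFORMATION, which is how a protected process looks to a non-protected caller. It assumes PowerShell 2.0 or later (for Add-Type) and an elevated prompt, and it enables SeDebugPrivilege so that ordinary SYSTEM-owned processes are not mistaken for protected ones.

```powershell
# Added example: classify running processes by the access a non-protected,
# elevated caller can obtain on them. Requires PowerShell 2.0+ and elevation.
Add-Type -Namespace Win32 -Name Native -MemberDefinition @"
[DllImport("kernel32.dll", SetLastError = true)]
public static extern IntPtr OpenProcess(uint dwDesiredAccess, bool bInheritHandle, int dwProcessId);
[DllImport("kernel32.dll", SetLastError = true)]
public static extern bool CloseHandle(IntPtr hObject);
"@

$PROCESS_VM_READ                   = 0x0010   # needed to read a process's memory
$PROCESS_QUERY_LIMITED_INFORMATION = 0x1000   # still granted on protected processes
$ERROR_ACCESS_DENIED               = 5

# Try to open a process with the given access mask. Returns $true on success;
# on failure returns $false and leaves the Win32 error code in $script:lastError.
function Test-ProcessAccess {
    param([int]$ProcessId, [uint32]$Access)
    $h = [Win32.Native]::OpenProcess($Access, $false, $ProcessId)
    $script:lastError = [Runtime.InteropServices.Marshal]::GetLastWin32Error()
    if ($h -eq [IntPtr]::Zero) { return $false }
    [void][Win32.Native]::CloseHandle($h)
    return $true
}

# SeDebugPrivilege lets an administrator open ordinary SYSTEM-owned processes,
# so any denial that remains comes from process protection, not from the DACL.
try { [System.Diagnostics.Process]::EnterDebugMode() }
catch { Write-Warning "Could not enable SeDebugPrivilege; run from an elevated prompt." }

# Skip System Idle (0) and System (4), as the Task Manager check does.
Get-Process | Where-Object { $_.Id -gt 4 } | ForEach-Object {
    $limitedOk = Test-ProcessAccess -ProcessId $_.Id -Access $PROCESS_QUERY_LIMITED_INFORMATION
    $readOk    = Test-ProcessAccess -ProcessId $_.Id -Access $PROCESS_VM_READ
    $readErr   = $script:lastError
    $state = if ($readOk) { 'unprotected' }
             elseif ($limitedOk -and $readErr -eq $ERROR_ACCESS_DENIED) { 'PROTECTED' }
             else { "unknown (Win32 error $readErr)" }   # e.g. process exited mid-scan
    New-Object PSObject -Property @{ Id = $_.Id; Name = $_.ProcessName; State = $state }
} | Where-Object { $_.State -ne 'unprotected' } | Format-Table Id, Name, State -AutoSize
```

On a Vista system with audio playing, audiodg.exe should be listed as PROTECTED; a process that appears as "unknown" usually exited between enumeration and the open attempt.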



Windows Vista Security. Securing Vista Against Malicious Attacks
ISBN: 470101555
EAN: N/A
Year: 2004
Pages: 163
