Komodia's Watchdog

From Komodia

Introduction

Komodia's Watchdog is a kernel driver that protects Komodia's Redirector SDK from being removed, modified or terminated by the user, whether that user is an administrator or a standard user.

Features

The watchdog provides the following protection mechanisms:

Fully protect a file

The protected file will not be accessible to any application, nor can it be deleted or modified. The only way to access the file is either to remove the protection or to tell the watchdog to allow a specific process (identified by its PID) to access it.

Read only protect a file

The protected file will be accessible to all applications, but only as read-only: it can neither be modified nor deleted.

Protect registry

The protection applies to a single key and its values, or to a key together with all of its subkeys. The protection is read-only: the key, its subkeys and their values can neither be modified nor deleted.

Process protection

The process is protected against termination: it can be terminated neither by "End task" nor by any other means. This applies to windowless processes only. If you want to protect a process that has a window, create a service that monitors it and restarts it every time it goes down, and use the watchdog to protect that service.

Level of protection

Because the Watchdog offers a high level of protection, some operations that may be legitimate are forbidden:

  1. When protecting the LSP, you will not be able to remove any existing LSP or install a new one, even a legitimate one such as an LSP that is part of an AV product, because there is no way to know how the LSP removal/installation would affect the protected LSP.
  2. The Watchdog must be disabled before installing an OS Service Pack.
  3. The Watchdog can't protect processes that accept WM_QUIT or that have a GUI.
  4. When protecting a process, the Watchdog denies all write access to it. Some WinAPI calls (especially token/security functions) cause the OS to use svchost and request write access to the process (even when the function itself is read-only); these requests will be blocked by the Watchdog.
  5. When protecting the LSP stack you can't install any Service Pack, because Service Packs need to change the stack.

Installation and usage

Introduction

To add rules, you first set them using the GUI, which caches them in the Redirector service; when you are done setting the rules, you upload them to the driver. When you want to remove the rules, you clear them from the driver, but the list remains cached inside the Redirector.

Signing

You can find instructions on how to sign the WD here: Signing and cross signing files.

Installing

  1. Run install.bat (under Vista or Windows 7, run it from an elevated command prompt, since UAC is enabled).
  2. Now go to the "Watchdog" button in the main screen of PCController.exe. When the watchdog is not installed you should see the status as not running and not installed, as in the sample picture:

[Image: WatchdogMain.png]

Click "Install watchdog"; the watchdog status should change to installed and running:

[Image: WatchdogInstalled.png]

Adding rules to protect the SDK

The first rules you want to install are the ones that protect the SDK. You can do that by clicking "Add redirector rules"; this fills the four rule boxes with rules derived from the installation path and name. All names are case insensitive.

From the SDK's point of view all the needed rules have now been set; adding more rules only serves to protect user-specific files.

What is protected

  1. LSP registration: you will not be able to install any additional LSP or remove the LSP; this also protects against common LSP removal tools.
  2. Service registration: you will not be able to delete the service.
  3. COM registration: you will not be able to delete the COM entries in the registry.
  4. Proxy service: it can't be killed from Task Manager.
  5. SDK files: you will not be able to delete them.

Adding rules to protect user's data

Adding read only protection to files

To add read-only protection for a file, write its full path, e.g. c:\test.txt, in "Files that will be read only".

Adding full protection to files

To add full protection for a file, write its full path, e.g. c:\test.txt, in "Files that will be fully protected".

Adding process to protect

To add protection against termination, write the full process path, e.g. c:\PCProxy.exe, in "Processes that can't be stopped".

Adding registry keys and values to protect

To add read-only protection for a key, add the key name to "Registry keys". Use these guidelines to decide how you want to protect the keys:

  • Add the key name alone to protect only the key and its values.
  • Add the key name with an asterisk at the end to protect the key, its subkeys, and all of their values:
hkey_local_machine\software\classes\appid*
  • To add keys under CurrentControlSet, use the following form:
hkey_local_machine\system\controlset*\rest of key name
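As an added example (not Komodia's code), the following Python models how registry rule strings in the format above are matched: case-insensitive, a trailing "*" covering the key and all its subkeys, and "controlset*" covering each ControlSet00N. The rule list is constructed, and the exact wildcard semantics of the driver are an assumption.

```python
import re

# Constructed sample rules written in the format the page describes; this is
# not Komodia's shipped rule set. A trailing "*" protects the key, its values
# and every subkey; a bare key name protects only that key and its values.
REGISTRY_RULES = [
    r"hkey_local_machine\software\classes\appid*",
    # CurrentControlSet is a link to one of the ControlSet00N keys, so the
    # page's guidance is to write such rules against "controlset*".
    r"hkey_local_machine\system\controlset*\services\pcproxy",
    r"hkey_local_machine\software\komodia\redirector",
]


def rule_to_regex(rule: str) -> "re.Pattern[str]":
    """Compile one rule string into an anchored, case-insensitive matcher.

    Assumption: "*" matches any run of characters, backslashes included, so
    "appid*" covers the key itself and every subkey under it. The real
    driver's wildcard semantics are not documented on the page.
    """
    literal_parts = rule.lower().split("*")
    pattern = ".*".join(re.escape(part) for part in literal_parts)
    return re.compile(pattern + r"\Z")


def is_protected(key_path: str, rules=REGISTRY_RULES) -> bool:
    """True if a write to this registry key would be denied by the rules."""
    key = key_path.lower().rstrip("\\")
    return any(rule_to_regex(rule).match(key) for rule in rules)


def audit(attempted_writes, rules=REGISTRY_RULES):
    """Return the subset of attempted key writes that the rules would block."""
    return [path for path in attempted_writes if is_protected(path, rules)]


if __name__ == "__main__":
    # Constructed sample of key paths a modification might target.
    sample = [
        r"HKEY_LOCAL_MACHINE\Software\Classes\AppID\{00000000-0000-0000-0000-000000000000}",
        r"HKEY_LOCAL_MACHINE\Software\Classes\CLSID",
        r"HKEY_LOCAL_MACHINE\System\ControlSet001\Services\PCProxy",
        r"HKEY_LOCAL_MACHINE\System\ControlSet001\Services\PCProxy\Parameters",
    ]
    for path in sample:
        print(("DENY  " if is_protected(path) else "ALLOW ") + path)
```

Note that a rule without a trailing asterisk leaves subkeys such as ...\PCProxy\Parameters unprotected, which is the behaviour the guidelines above describe.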

Uploading the rules

To upload the rules, press the "Upload rules to watchdog" button. This updates the driver with the rules and greys out the rule boxes so you can't edit them; you will be able to edit them again after you remove the rules from the driver. The rules will look something like this:

[Image: WatchdogRulesU.png]

Setting trusted processes

A trusted process is a process that is allowed to access a fully protected file. To add one, press the "Add trusted PID" button and specify the PID of that process. Keep in mind that this is a non-persistent value: as soon as the process ends, its PID is removed from the driver.

Locking the INI file

After you have uploaded the rules to the driver, you can lock the INI file against modification by pressing the "Lock INI file" button. Keep in mind that after you have locked the file you will not be able to save settings or remove the rules from the driver until you unlock it.

Unlocking the INI file

Press the "Unlock INI file" button.

Removing rules from the watchdog

Press the "Remove rules from watchdog" button. The rules are removed from the driver but remain cached in the Redirector.

Uninstalling

To uninstall the watchdog, press the "Uninstall watchdog" button. Don't install the watchdog again in the same session; you must reboot the OS before you can install it again. Also make sure you uninstall the watchdog before you uninstall the SDK.

Updating

Without uninstalling

  1. Stop the Watchdog
  2. Replace the Watchdog files under system32\drivers
  3. Reboot

With uninstalling

  1. Uninstall the Watchdog
  2. Reboot
  3. Install the Watchdog

FAQ

Why do I need a special version for 32-bit and 64-bit?

The 32-bit kernel is different from the 64-bit kernel, which is why you need a separate driver for each.

Do I need anything else for the 64-bit driver?

Yes: to distribute the 64-bit watchdog you must sign it with a special SPC certificate, as specified here: MSDN on 64bit driver signing.

Kernel Watchdog vs User mode Watchdog

Kernel Watchdog pros/cons

Pros:

  • Hard to remove.

Cons:

  • Hard to justify to AV companies (unless you're doing parental control).

User mode Watchdog pros/cons

Pros:

  • Non invasive.

Cons:

  • Moderate level of protection; a power user can find a way to remove it.

Troubleshooting

You can read the WD troubleshooting guide: Komodia's Redirector troubleshooting guide#Watchdog.

Common pitfalls

Not signing the Watchdog correctly

The 64-bit Watchdog must be cross signed. This often fails for various reasons, and then the Watchdog can't be installed. You must verify that the cross signing completed successfully before deploying the Watchdog. The 32-bit Watchdog must be signed regularly (not cross signed).

Not deploying the right version

The 32-bit WD has two versions, one for Windows XP/Vista and one for Windows 7/8; make sure you deploy the right version for the target OS.