Unprotecting Protected Processes

By Jerome at April 07, 2007 15:09

Alex Ionescu has been digging into Protected Processes, and he has managed to get around that protected state.

I'm no expert on that part, nor have I read enough documentation on how it works, but since one goal of that particular feature is the "Protected Media Path" (PMP), meant to prevent anyone from eavesdropping on protected media, this is not good.

Since that implementation is based on a driver, it won't work on Vista 64, at least as long as you don't boot in the particular mode that allows you to load unsigned drivers. That's good news for malware protection, since a virus should not be able to hide itself under normal conditions, but it is not good news for PMP. It seems that protected processes can check for a "tainted" environment, but how long is it going to take for someone to fool programs into thinking the system is clean? As always, this won't prevent evil DVD rippers from copying the media... but it will annoy a legitimate user.

Moreover, since it is easily possible on Vista 32, as Alex points out, it probably won't take long for viruses to hide themselves using this technique, and just a bit longer for antiviruses to unprotect any running process.

What a mess :)

About me

My name is Jerome Laban, I am a Software Architect, C# MVP and .NET enthusiast from Montréal, QC. You will find my blog on this site, where I'm adding my thoughts on current events, or the things I'm working on, such as the Remote Control for Windows Phone.