Brian Dessent wrote on 12 March 2008 15:59:

> Dave Korn wrote:
>
> >   Now, who supposes you could work around the restriction by writing
> >
> >     * (WORD *) 0x004000dc = POSIX_CUI;
> >
> > just before calling NtSetInformation?
>
> How are you going to fool the executive by poking around in the PE
> header from userspace long after the process has initialized?  The
> executive fundamentally knows which subsystem any given process is
> running in because it created it and manages the low level process
> table.

  This is not just any code - this is MS code.  Given that, it's therefore going to have been done as quickly and cheaply as possible, so why should we assume they wouldn't just check the value in the PE header at the start of NtSetInformationProcess?

> That's not to say that you couldn't install a kernel driver that
> somehow munges bits of the executive's internal data structures to allow
> this, but sweet mother of sh*t do I not want to have the job of the
> person responsible for maintaining *that*.

  Whassamatter, you don't *like* rootkits?  ;-)

    cheers,
      DaveK
--
Can't think of a witty .sigline today....

--
Unsubscribe info:      http://cygwin.com/ml/#unsubscribe-simple
Problem reports:       http://cygwin.com/problems.html
Documentation:         http://cygwin.com/docs.html
FAQ:                   http://cygwin.com/faq/
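The address 0x004000dc in the exchange above is the Subsystem field of the PE optional header for a PE32 image based at 0x00400000 whose DOS header points to the PE signature at 0x80 (0x80 + 4 bytes of signature + 20 bytes of file header + 68 bytes into the optional header = 0xdc). The following parser is an added example, not code from the thread or from Cygwin: it walks a PE header from the on-disk bytes, reports where the Subsystem field sits and what value the image declares, using only the field offsets fixed by the PE/COFF specification. The sample header bytes are constructed inline for the example and are not a real executable; the parser reads files and never touches a live process. Checking the declared subsystem from the file is the defender-side counterpart to the discussion: the header is the loader's input at process creation, and the value it holds is what NtSetInformationProcess would see if it re-read it, as Dave Korn speculates.

```python
import struct

# IMAGE_SUBSYSTEM_* values from the PE/COFF specification (subset).
SUBSYSTEMS = {
    0: "IMAGE_SUBSYSTEM_UNKNOWN",
    1: "IMAGE_SUBSYSTEM_NATIVE",
    2: "IMAGE_SUBSYSTEM_WINDOWS_GUI",
    3: "IMAGE_SUBSYSTEM_WINDOWS_CUI",
    7: "IMAGE_SUBSYSTEM_POSIX_CUI",
    9: "IMAGE_SUBSYSTEM_WINDOWS_CE_GUI",
    10: "IMAGE_SUBSYSTEM_EFI_APPLICATION",
}

PE32_MAGIC = 0x10B
PE32PLUS_MAGIC = 0x20B
FILE_HEADER_SIZE = 20
SUBSYSTEM_OFFSET = 68  # offset of Subsystem inside the optional header (PE32 and PE32+)


def locate_subsystem_field(image):
    """Parse the PE headers in 'image' (raw file bytes) and return a dict with the
    Subsystem field's file offset, its virtual address once mapped at ImageBase,
    its numeric value and the IMAGE_SUBSYSTEM_* name."""
    if image[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    file_header = e_lfanew + 4
    size_of_optional = struct.unpack_from("<H", image, file_header + 16)[0]
    if size_of_optional < SUBSYSTEM_OFFSET + 2:
        raise ValueError("optional header too short to hold a Subsystem field")
    optional = file_header + FILE_HEADER_SIZE
    magic = struct.unpack_from("<H", image, optional)[0]
    if magic == PE32_MAGIC:
        image_base = struct.unpack_from("<I", image, optional + 28)[0]
    elif magic == PE32PLUS_MAGIC:
        image_base = struct.unpack_from("<Q", image, optional + 24)[0]
    else:
        raise ValueError("unknown optional header magic 0x%x" % magic)
    field_offset = optional + SUBSYSTEM_OFFSET
    value = struct.unpack_from("<H", image, field_offset)[0]
    # The headers are mapped 1:1 at ImageBase, so file offset == RVA here.
    return {
        "file_offset": field_offset,
        "virtual_address": image_base + field_offset,
        "subsystem": value,
        "name": SUBSYSTEMS.get(value, "IMAGE_SUBSYSTEM_<unlisted %d>" % value),
    }


def build_sample_image(magic, image_base, subsystem, e_lfanew=0x80):
    """Construct a minimal, non-executable PE header (sample data for this
    example only) holding just the fields locate_subsystem_field() reads."""
    opt_size = 0xE0 if magic == PE32_MAGIC else 0xF0
    img = bytearray(0x400)
    img[0:2] = b"MZ"
    struct.pack_into("<I", img, 0x3C, e_lfanew)
    img[e_lfanew:e_lfanew + 4] = b"PE\0\0"
    file_header = e_lfanew + 4
    struct.pack_into("<H", img, file_header, 0x14C if magic == PE32_MAGIC else 0x8664)
    struct.pack_into("<H", img, file_header + 16, opt_size)  # SizeOfOptionalHeader
    optional = file_header + FILE_HEADER_SIZE
    struct.pack_into("<H", img, optional, magic)
    if magic == PE32_MAGIC:
        struct.pack_into("<I", img, optional + 28, image_base)
    else:
        struct.pack_into("<Q", img, optional + 24, image_base)
    struct.pack_into("<H", img, optional + SUBSYSTEM_OFFSET, subsystem)
    return bytes(img)


if __name__ == "__main__":
    # A PE32 image based at 0x00400000 with e_lfanew 0x80: the Subsystem field
    # lands at 0x80 + 4 + 20 + 68 = 0xDC, i.e. virtual address 0x004000DC.
    info = locate_subsystem_field(build_sample_image(PE32_MAGIC, 0x00400000, 3))
    print("Subsystem at file offset 0x%x, VA 0x%x: %d (%s)" % (
        info["file_offset"], info["virtual_address"], info["subsystem"], info["name"]))
```

To run it against a real file, pass the result of open(path, "rb").read() to locate_subsystem_field(); the same offsets apply to PE32+ images, only ImageBase moves (offset 24, 8 bytes) and the value on modern 64-bit builds is usually 0x140000000 with a larger e_lfanew.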
Copyright © 2019 by DJ Delorie | Updated Jul 2019 |