X-Recipient: archive-cygwin AT delorie DOT com
X-Spam-Check-By: sourceware.org
From: "Dave Korn" <dave DOT korn AT artimi DOT com>
To: <cygwin AT cygwin DOT com>
References: <47D4A7E4 DOT 5070509 AT tlinx DOT org> <47D4B7D2 DOT 1F78DADB AT dessent DOT net> <47D4E892 DOT 1090305 AT tlinx DOT org> <47D50BB6 DOT EFB28302 AT dessent DOT net> <47D6056B DOT 6000805 AT tlinx DOT org> <47D610C2 DOT EECE7EE9 AT dessent DOT net> <00b601c8843a$d94fe2c0$2708a8c0 AT CAM DOT ARTIMI DOT COM> <47D7EFEC DOT 122C76AE AT dessent DOT net> <00d001c88456$9f75a3c0$2708a8c0 AT CAM DOT ARTIMI DOT COM> <47D7FDDB DOT 73ABB705 AT dessent DOT net>
Subject: RE: Bug: C-prog from Win dies in fork; gdb.exe also won't run
Date: Wed, 12 Mar 2008 16:13:37 -0000
Message-ID: <00dd01c8845c$078e8ee0$2708a8c0@CAM.ARTIMI.COM>
MIME-Version: 1.0
Content-Type: text/plain; 	charset="us-ascii"
Content-Transfer-Encoding: 7bit
X-Mailer: Microsoft Office Outlook 11
In-Reply-To: <47D7FDDB.73ABB705@dessent.net>
Mailing-List: contact cygwin-help AT cygwin DOT com; run by ezmlm
Precedence: bulk
List-Id: <cygwin.cygwin.com>
List-Unsubscribe: <mailto:cygwin-unsubscribe-archive-cygwin=delorie DOT com AT cygwin DOT com>
List-Subscribe: <mailto:cygwin-subscribe AT cygwin DOT com>
List-Archive: <http://sourceware.org/ml/cygwin/>
List-Post: <mailto:cygwin AT cygwin DOT com>
List-Help: <mailto:cygwin-help AT cygwin DOT com>, <http://sourceware.org/ml/#faqs>
Sender: cygwin-owner AT cygwin DOT com
Mail-Followup-To: cygwin AT cygwin DOT com
Delivered-To: mailing list cygwin AT cygwin DOT com

Brian Dessent wrote on 12 March 2008 15:59:

> Dave Korn wrote:
> 
> >   Now, who supposes you could work around the restriction by writing
> > 
> >   * (WORD *) 0x004000dc = POSIX_CUI;
> > 
> > just before calling NtSetInformation?
> 
> How are you going to fool the executive by poking around in the PE
> header from userspace long after the process has initialized?  The
> executive fundamentally knows which subsystem any given process is
> running in because it created it and manages the low level process
> table.  

  This is not just any code - this is MS code.

  Given that, it's therefore going to have been done as quickly and cheaply
as possible, so why should we assume they wouldn't they just check the value
in the PE header at the start of NtSetInformationProcess?

> That's not to say that you couldn't install a kernel driver that
> somehow munges bits of the executive's internal datastructures to allow
> this, but sweet mother of sh*t do I not want to have the job of the
> person responsible for maintaining *that*.

  Whassamatter, you don't *like* rootkits?  ;-)


    cheers,
      DaveK
-- 
Can't think of a witty .sigline today....


--
Unsubscribe info:      http://cygwin.com/ml/#unsubscribe-simple
Problem reports:       http://cygwin.com/problems.html
Documentation:         http://cygwin.com/docs.html
FAQ:                   http://cygwin.com/faq/