-
-
Notifications
You must be signed in to change notification settings - Fork 1.4k
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
- Loading branch information
Showing
88 changed files
with
22,642 additions
and
5,843 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Large diffs are not rendered by default.
Oops, something went wrong.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,46 @@ | ||
# System Informer Kernel | ||
|
||
- optimizes retrieval of information from the system | ||
- enables broader inspection into the system | ||
- informs of system activity in realtime | ||
- assists in removal of malware | ||
|
||
## Security | ||
|
||
[Security Policies and Procedures](../SECURITY.md) | ||
|
||
Because the information exposed through the driver enables, by design, broader | ||
access into the system. Access is strictly limited to verified callers. | ||
Access is restricted based on the state of the calling process. This involves | ||
signing, privilege, and other state checks. If the client does not meet the | ||
state requirements they are denied access. | ||
|
||
Any binaries built with the intention of loading into System Informer must | ||
have a `.sig` from the key pair integrated into the build process and driver. | ||
Or be signed by Microsoft or an anti-malware vendor. Loading of unsigned | ||
modules will restrict access to the driver. Third-party plugins are supported, | ||
however when they are loaded access to the driver will be restricted as they | ||
are not signed. | ||
|
||
The driver tracks verified clients, restricts access by other actors on the | ||
system, and denies access if the process is tampered with. The intention is to | ||
discourage exploitation of the client when the driver is active. If tampering | ||
or exploitation is detected the client is denied access. | ||
|
||
## Development | ||
|
||
Developers may generate their own key pair for use in their environment. | ||
|
||
1. execute `tools\CustomSignTool\bin\Release64\CustomSignTool.exe createkeypair kph.key public.key` | ||
2. copy `kph.key` into `tools\CustomSignTool\resources` | ||
3. copy the bytes for `public.key` into the `KphpTrustedPublicKey` array in [verify.c](verify.c) | ||
|
||
Once these steps are completed builds of System Informer components will | ||
generate a `.sig` file next to the output binaries. And the developer built | ||
driver will use the specified key when doing verification checks. Any plugins | ||
not built through the regular build process must also have their own `.sig`. | ||
|
||
Developers may suppress protections and state requirements by changing | ||
`KPH_PROTECTION_SUPPRESSED` to `1` in [kphapi.h](../kphlib/include/kphapi.h). | ||
This is necessary if you intend to use a user mode debugger as the protections | ||
and state requirements will break the debugger. |
Oops, something went wrong.