PhatNotes Pro - Encryption Good? - 8125, K-JAM, P4300, MDA Vario General

Hi Guys, I've been using phatnotes pro 4.7.2 full version, for as long as I remember now even when they were called something else... anyways they have a protect note option, which adds a password to the notes you make.
How STRONG is this password protection? Does it even add encryption, or is it just a simple password block that anyone can override to view the notes using a hex editor or text editor? Is it safe to leave a few credit card numbers in there?

No one knows, the developer uses 'security by obscurity' by refusing to disclose the algorithm used.
The most secure algorithms used (AES Rijndael, Twofish/Blowfish etc) have been subject to years of public scrutiny. It's the implementation not the algorithm itself that makes the security. There is no security threat from disclosing the algorithm.
I'd recommend staying away from this until the algorithm is disclosed if you want to encrypt your data.

bydandie said:
> No one knows, the developer uses 'security by obscurity' by refusing to disclose the algorithm used.
> The most secure algorithms used (AES Rijndael, Twofish/Blowfish etc) have been subject to years of public scrutiny. It's the implementation not the algorithm itself that makes the security. There is no security threat from disclosing the algorithm.
> I'd recommend staying away from this until the algorithm is disclosed if you want to encrypt your data.

So are you saying they DO use some form of encryption within their application when password protecting the notes, or you don't know? I don't particularly care what algorithm or encryption method they are using, my main concern is, are they even using encryption at all.
If my phone ever gets lost or stolen, most people who find/steal it would just hard reset and wipe everything from the phone, so if there is even the slightest form of encryption, my data should be safe.

Depending on how often you use your 'secret' files. I have 1 particular note (in Notes) where I keep my personal stuff like passport number and other stuff that I may be using, or not (very often, I don't). Hence I use the ccrryyppttoo (`crypto` with every letter doubled). I use this to encrypt that particular note. There are certain advantages to it. (a) It still syncs over Outlook without a 3rd party software plugin. (b) Others are still able to see the note, with nonsense short characters in it (e.g., I have passport number and a lot of other numbers there, which ended up only in 5 characters). There is also a desktop version available, if you want to have it tested (or in case you have lost your phone and your file is encrypted on your PC, you can use it to decrypt it).

hanmin said:
> Depending on how often you use your 'secret' files. I have 1 particular note (in Notes) where I keep my personal stuff like passport number and other stuff that I may be using, or not (very often, I don't). Hence I use the ccrryyppttoo (`crypto` with every letter doubled). I use this to encrypt that particular note. There are certain advantages to it. (a) It still syncs over Outlook without a 3rd party software plugin. (b) Others are still able to see the note, with nonsense short characters in it (e.g., I have passport number and a lot of other numbers there, which ended up only in 5 characters). There is also a desktop version available, if you want to have it tested (or in case you have lost your phone and your file is encrypted on your PC, you can use it to decrypt it).

1. I think your link doesn't work.
2. Thanks for the suggestion! But that means adding another program to my long list of programs, I'd rather just use phatnotes if they are somewhat secure.
3. That still doesn't answer my original question =(
4. Can you send me the program for me to try? I use my 'secret' note file on my pc and phone so phatnotes keeps them both in sync, very convenient.
5. THANKS AGAIN!

The link does work at my end. Here it is again.
http://www.hfrmobile.com/app_CCrryyppttoo_T1/index.htm
Oops, forgot your original question. You can test the encryption yourself. I didn't try out Phatnotes myself, but you can try to locate the file of which Phatnote stores your notes (either 1 file for all notes, or 1 file per note). Password protect this file, send it over to your PC, open it with your Notepad. If it doesn't show what each and every word that you've typed for that note, it is 'encrypted'. Most amateur people will just use this method to get your secret stuff I guess, unless they know there are information on banking details with £10,000 in it

Hmmm great suggestion!! I just did what you said and the unprotected notes are readable by notepad and the protected notes are just garbled text of mostly "?" and "G" letters. So I guess they do have some form of encryption for those notes then. So how good is the encryption on crypto?
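
The Notepad test from the posts above, taken one step further as an added example (not code from the thread or from any of the products mentioned): unreadable bytes only show that the data was transformed, so this Python sketch also measures byte entropy and checks whether a single-byte XOR undoes the "protection". The sample note, the XOR keys and the thresholds are assumptions made for illustration, and `os.urandom` stands in for the output of a strong cipher.

```python
import math
import os
from collections import Counter

# Constructed sample note (not real data), repeated so byte statistics are stable.
SAMPLE_NOTE = b"Notes: call the bank on Monday about the new card and the travel plan. " * 30


def shannon_entropy(data: bytes) -> float:
    """Entropy in bits per byte: roughly 4 for English text, close to 8 for random data."""
    if not data:
        return 0.0
    total = len(data)
    return -sum(n / total * math.log2(n / total) for n in Counter(data).values())


def printable_ratio(data: bytes) -> float:
    """Fraction of bytes a text editor would show as ordinary ASCII text."""
    if not data:
        return 0.0
    readable = sum(1 for b in data if 32 <= b <= 126 or b in (9, 10, 13))
    return readable / len(data)


def xor_with(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR, used here only to build weakly obfuscated samples."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def classify(data: bytes) -> tuple:
    """Return (verdict, detail) for a stored note.

    readable               -> stored as plain text
    high-entropy           -> consistent with encryption (or compression); this is
                              necessary for real encryption but does not prove the
                              cipher or key handling is sound
    single-byte-xor        -> every byte XORed with one constant; detail is the key
    low-entropy-unreadable -> transformed, but the byte statistics of the text leak
    """
    if not data:
        return ("empty", None)
    if printable_ratio(data) >= 0.95:
        return ("readable", None)
    entropy = shannon_entropy(data)
    if entropy >= 7.5:
        return ("high-entropy", round(entropy, 2))
    # In ordinary text the space is the most frequent byte, so if the most
    # frequent stored byte maps back to a space the note was only XORed.
    most_common = Counter(data).most_common(1)[0][0]
    key = most_common ^ 0x20
    if printable_ratio(xor_with(data, bytes([key]))) >= 0.95:
        return ("single-byte-xor", key)
    return ("low-entropy-unreadable", round(entropy, 2))


def build_samples() -> dict:
    """Four constructed inputs that all look different in a text editor."""
    return {
        "unprotected note": SAMPLE_NOTE,
        "single-byte XOR": xor_with(SAMPLE_NOTE, b"\xa7"),
        "two-byte XOR": xor_with(SAMPLE_NOTE, b"\xa7\x3c"),
        "random stand-in": os.urandom(len(SAMPLE_NOTE)),
    }


if __name__ == "__main__":
    for name, blob in build_samples().items():
        verdict, detail = classify(blob)
        print(f"{name:18} entropy={shannon_entropy(blob):.2f} "
              f"printable={printable_ratio(blob):.2f} -> {verdict} {detail}")
```

Both XOR samples look like garbage in a text editor, yet their entropy stays near that of the plain note, which is the difference the eyeball test cannot show.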

Well, I did a trip to search for the answer for your question of "how good is the encryption on crypto", and it seems that the author is using his way of encrypting the file, which I say ought to be safe enough for everyday usage, but good enough for business/military usage, I guess.
Anyway, while I was looking for the 'answer', I bang my head into this
http://tombo.sourceforge.jp/En/
As this is using the standard 128 blowfish algorithm, which has been proven to be strong and fast. It has both desktop and ppc versions, which are interchangeable (e.g. desktop can decrypt the ppc encrypted file). And, it is free!
I found this too, limited-freeware though. http://www.freewareppc.com/docs/visnotes.shtml
Hmm.. freeware file encryption (AES algorithm): http://www.freewareppc.com/utilities/filebarricader2006mobile.shtml
[Update on Tombo]
I did a test drive on it. It is quite alright. It creates a txt file for each of the notes you created and puts them into the folder structure that you made. There is an option of making virtual folders as well. So, you can have your notes synced by syncing your My Documents folder, in which you set this Tombo to put all the notes. It encrypts files and has an added feature of scrambling the file name such that people are not able to guess what your file contents are.
However, there are two flaws that I've just found in 1/2 hour of testing
(a) its Unicode encoding is not working. Once you (really) close the application, it will give '?' for all the non-alpha-numeric characters. Weird considering the author is Japanese.
(b) there isn't an option of wrapping texts without 'dissecting' them.

Related

Theft protection.

Hmm, came across a statistic that listed theft of PDAs and laptops in the US. Europe shouldn't be far from these numbers, so I am looking for decent theft protection software. I do have a lot of files on my HERMES and on the microSD card. Since my PIN is disabled and protection via device password entry is not safe: How can I make sure that I can delete a) calendar & contacts b) SMS & eMail c) SD card files and d) lock the phone (probably even render the GSM useless with a few wrong PIN entries) from remote?
I tried Phone Security from evenbyte. It surely tells me SIM information of changed cards and can lock the phone. But it will render GPRS/UMTS connections useless after the first phone call. So a big no.
Now I am willing to try remote protect 1.5 from scpsoft. It is still beta. Does anyone know if this application does work?
Any other applications? Please no Net.CF2 ones, I do not want to install it.
Next subject: I already flashed a new splash screen on my device via Bootloader 1.01. It shows my picture and contact details. Just in case the device is lost or stolen. This is quite effective against hard-resets. But not effective for the knowledged ones since they can flash a full new ROM on the device.
So, is there any address-range that is NOT used by the current ROMs? Just a few bytes would be enough. I would love to poke a few bytes of identification information in that area - e.g. via a small application and Bootloader 1.01. Just to make sure you can always identify this device. This application should be free and could be used to check against stolen devices. Could be a script as well. Just has to be safe enough for the average user
The best encryption setup I've seen is from Pointsec, but they don't seem to do individual licenses, just big contracts.
http://www.pointsec.com/products/smartphonepda/

nombCrypt - beta

Hello Everyone,
I just got my 8525 in the mail yesterday and upgraded the boot loader, radio, and WM6. I had a little trouble but in the end, all that I can't get working right is the internet for Cingular. I really appreciate all the hard work everyone puts into this. Here is my thank you, this is my first app so go easy on me.
nomb
nombCrypt
nombCrypt is an encryption program I originally made for the desktop but then decided to port over. It uses a password you provide and encrypts either a block of text or files using 256bit Rijndael (AES). This level of encryption was given the ok to encrypt Top Secret documents. It can of course decrypt as well. This is for Windows Mobile 6. Please enjoy, and every developer of course likes to get feedback.
Planned/Requested Improvements
Truecrypt like encrypted containers
Implement Encrypted Backups (P)
Get File Encrypt Status Bar Working (P/R) <-- I'm dreading writing the working class :'(
Use Device ID As Salt Option (P)
Randomize Salt More (P)
Add More Encryption Algorithms (P)
Change File Open Dialog To Open Less (R) completed - now initially looks for *.nen (nombCrypt Enc. Files)
Encryption Password Confirmation (R) completed
Clipboard Paste Button (R) completed
Clipboard Clear Button (R) completed
Take Off Start Menu Icon (R) completed
Change Icon (R) completed
Add Exit To The Menu (R) completed
Add Time Out Feature (R) completed - (see page two for details)
Integrate nombCrypt Into WM6 More (P)
I. Encrypt MS Certificate Store (R)
Other Fixes
Improved Text Encryption So The End TextBox Is Opened Less
Added file error checking to the file decryption process
Two screenshots and the cab file are attached.
I hope you guys enjoy...
nomb
Hey! I wanted to do the same thing too! Just that I use my own XOR method (One Time Pad-like) instead. Of all things, it works alright, except that I can't get it to do a Copy-Paste. (see here http://forum.xda-developers.com/showthread.php?t=321014)
Also, from what it seems, I would presume that (since you use AES), the end result would be in 'relatively' binary format (right?), which may not be very program friendly.
I was going to do about the same thing, except that I'll have my end result Base64 encoded, such that I can have them pasted to Notes and have it synced to Outlook. And I have my PC based software to do the job there (if required).
Previously, I used a software called Ccrryyppttoo, which did quite alright, but it seems that my PC is doing some coding, when synced, that makes it go funny (i.e. cannot be decrypted anymore).
I'll PM you a demo of what I did (in Java web), which I intended to do on PPC
With Rijndael the resulting encrypted string/file gets encoded into base64 as well because if it didn't, all the characters wouldn't be represented. You can paste this into notes just fine.
Mine is programmed in C# so there is a clipboard function which works relatively well. If you'd like to help with this you're more than welcome to. Or if you want to join your project with mine that would be cool too. I plan to support all major and a lot of minor encryption algorithms that I can find. Plus people were complaining about how the encrypted backup on the ppc should use the device id to encrypt instead of the randomly generated key so I plan to implement that as well.
I'm looking forward to seeing your demo.
nomb
Hmm.. so it is b64 encoded.. niicceee. Hmmm. . I should try out C# soon.
Anyway, there is a suggestion, I'm not sure if you have the library for it. After my symmetric cipher program, I'm thinking about an asymmetric public-private key cipher, with which people can exchange short messages in secret (e.g. via email, IM, SMS) without the need to exchange the key/password. It is relatively done now, I'll show you the web based version once it is done. It runs on the Java security class, and I'm not sure if C# has those libraries or not.
The idea is, Alice go to my page, generate a pair of keys. Alice then send Bob her pub key. Bob use pub key, go to my page, encrypt the message. Send it to Alice. Alice decrypt message at my page. No software to install, no secret key exchanged.
Yup c# has the ability to do that built into its cryptography namespace.
That is a cool idea, but instead of having Alice send the key to him, you should just make a db to keep track of the keys and then have him answer a question about Alice or something like that to use the pub key. That way that's even one less step they have to worry about. Or have Alice put in his email address and have your site auto email him the pub key. That would be good too.
But sweet idea, maybe I'll make my program talk to your site.
Have you tried mine yet?
nomb
I don't like the "answer a question" method, as in that case, you might as well use the answer as the password?
Anyway, emailing the pub key is an idea
I'm not at my own PC yet, can't send it to my phone from this PC. Will try it out later tonight.
hanmin said:
> I don't like the "answer a question" method, as in that case, you might as well use the answer as the password?

Ya I'm at work and was hungry so I wasn't thinking straight. I don't like that idea either. ^^
I think my next step in mine is to build the background worker class to update the progress bar when you encrypt/decrypt a file.
If you just point your phone to the cab above it will install it for you. You don't need a comp unless u don't have a dataplan.
nomb
I don't have data in my plan.. although O2 gives me 1MB+ a month free.. I'm not using it.
Anyway, I've tested your software, a few comments.
Slightly major problems:
[1] It is not wise to do an 'All folders' and 'All Files' upon browsing (for the file to be de/encrypted). People (e.g. me) have gazillion files around and it may take ages to load the list.
[2] You may want to pop up a Window, asking the user to confirm his/her password upon encryption (one of the things I intended to add on mine )
[3] I'm not able to paste any data onto the 'start text' area. E.g., I have encrypted my stuff, saved it into Notes. Later, I wanted to get it back, I copy the encrypted code from my Notes, and there is no way of pasting it into the 'Start text'
[4] You already knew this, but, good to have some kind of progress bar to indicate the progress
[5] Hmmm.. on the browsing, there doesn't seem to be a way to find files on my Storage Card's root directory
[6] For security reason, probably it is good for you to add a 'Clear Clipboard' button?
Minor:
[1] I find it annoying that once I had the software installed, it is on my Start menu
[2] You could use a better icon, I just see a black square on my not so bright screen. I can help you on this.
[3] Add an "Exit" on the menus below?
Other possible suggestions:
[1] Have a time out on your software, such that, e.g. if there is no activity on software after a certain amount of time, it will do one/some/all of these (a) close itself (b) clear the password, input, output (c) clear the clipboard
Good suggestions, I'll have those done by tomorrow. I can't play with the storage card aspect yet because I don't have one. :'( Soon though I'm hoping to get a 4gb. And ya, I can't make icons worth any.
Oh, to paste it back I always did ctrl+v from the keyboard. But I'll throw a button up there to do that. And I'll make sure to take it off of the start menu.
1 good comment would have been nice. Although criticism is good.
nomb
Haha.. sorry for the lack of good comments, I was trying to think of something to suggest. But come to think of it my post on top are good comments (e.g. niiiiccceee Base 64 encoded), and the fact that it has the simple string->string encryption.
I did googling a bit, and found these
http://www.entity.cc/ICONS/security-icons.php
http://www.hscripts.com/freeimages/icons/computer/lock-icon.php
http://icons.qarchive.org/
which you may want to use as your icons?
Ya I was just teasing you. The icon I have now I got off of your last link at some point, I just don't remember when. But I think I will probably use one of the others. But ya, I'll work on those fixes and then attach the updated program. Then once I get those fixes done, I'll work on adding the different encryption algorithms and the encrypted backups.
nomb
Did you write any backup software before for the PPC? I'm not really sure, but it seems that backing up can have a lot of issues. You have the "Copy everything" backup, the PIM only backup, etc. Some backups are ROM-flashing/upgrading friendly, some are not. You can have a backup software all standalone by itself. I would recommend you have the backup software separated and have encryption added onto it as a plugin. Take a look at PIM-backup, it is very popular here.
Hi,
This is a very interesting thread. Thanks for your efforts so far (is there a donation link anywhere?)
A basic question...I understood that to carry out really secure encryption it would be necessary to write a filter driver that worked within the core ROM Image. Is this not the case?
Can I encrypt the MS certificate store too? The crypto protection on this store could be beefed up...
Once again I am very pleased that this thread has appeared and will be testing your software with interest,
Well done for your work so far,
Sam.
Hey there PianoSam,
First I just want to make it clear I'm not doing this to make money. If anyone donates I want it to be because they like the software. I am at work so PayPal is blocked but I'll put my donation link on the front page later today.
Also, I am going to try and incorporate the encryption as much as possible. If that is a feature you'd like, then after I get all of the previously requested changes done, I'll start on that for you.
And thank you for your kind words.
nomb
***EDITED***
Sorry I didn't answer your question at first.
Question: A basic question...I understood that to carry out really secure encryption it would be necessary to write a filter driver that worked within the core ROM Image. Is this not the case?
Answer: I pondered over this for a little while and I can't think of a reason this would be necessary. However, I've only had my phone for two days. Can you find where you saw that so I can read it as well and maybe gather a little bit of information so I can do some research on the topic? If that's what needs to be done then that's what I'll do but I can't see why. Let me know!
Added another cab with all the fixes I've completed.
nombCrypt-beta.cab <-- On the front page.
I added the donate link.
I added the timeout feature and thought I would make a comment on it.
It is a two minute timeout. Whenever you focus on a textbox the timer is stopped and when the textbox loses focus, the timer is on. The downside to this is if you were in the middle of typing and set your device down, it won't time out. I could make it so when you start typing into the textbox it restarts the two minutes and you have two minutes to complete your message but I didn't know if that was a good idea or not.
Also, when you copy, and go to another program to paste it in, you have two minutes before the clipboard is cleared and the program shutdown.
When the encryption program is encrypting something, the timeout is not running. It starts afterwards.
I can tweak this as much as you guys would like, just let me know.
nomb
I've tested your Beta.. niiiiiccceeeeee.. it is gooood. Almost perfect. Few things (OH NO! )
- The "Clear" button doesn't seem to be working. It is supposed to clear the clipboard only? Should you clear off everything as well?
Other requests/suggestion
<rant>
- I'm not sure why I thought I need it.. but it would be good to have a copy function for the "End Text" as well. I thought I may need it one day. Not sure why. It ought to make the screen a bit crowded, I thought.
Anyway, slightly related to the suggestion above, I've just revisited the design I made on my copy-paste-failed PPC attempt, I have this idea which I thought you might want to use it. For my design, I do not have "Start Text" and "End Text", I only have ONE TextField "Message" (and another for the password). The user enter the encrypted/plain text on this "Message". Click on the button "Encrypt" or "Decrypt", the result will then overwrite whatever that is in "Message" TextField.
Example:
(1) "Message"=<plain text>. User keys in password, clicks "Encrypt", "Message"=<encrypted text>.
(2) "Message"=<encrypted text>. User keys in password, clicks "Decrypt", "Message"=<plain text>.
In such cases, you only need a pair of copy-paste to perform copy-paste on both (in a way) encrypted and plain text.
</rant>
As for the time out issue, I thought the typing-sensitive time out would be a better choice. The moment that you are worried about your data being seen is when you are away from your phone. You can have focus on your TextField but you can be million miles away from your phone. But, you ought to be around to be typing stuff, right?
BTW, I'm also wondering on the working of this time out feature. I thought there ought to be a 'clock' running and when time's up, it will clear the stuff needed to be cleared, right? So, if I were to forget to switch off the application, the timer will not be another running software that drain my battery, right?
Good work.
hanmin said:
> - The "Clear" button doesn't seem to be working. It is supposed to clear the clipboard only? Should you clear off everything as well?

The "clear" button is in the clipboard row, I think I tagged it on the left, and only clears the clipboard. If you go to menu->reset it will clear everything like you're looking for.
hanmin said:
> - I'm not sure why I thought I need it.. but it would be good to have a copy function for the "End Text" as well. I thought I may need it one day. Not sure why. It ought to make the screen a bit crowded, I thought.

The "Copy" button copies the end text to the clipboard. Not the start text.
hanmin said:
> Anyway, slightly related to the suggestion above, I've just revisited the design I made on my copy-paste-failed PPC attempt, I have this idea which I thought you might want to use it. For my design, I do not have "Start Text" and "End Text", I only have ONE TextField "Message" (and another for the password). The user enter the encrypted/plain text on this "Message". Click on the button "Encrypt" or "Decrypt", the result will then overwrite whatever that is in "Message" TextField.

I originally had it set up this way, however there was a time when I had written a huge paragraph in it and encrypted it, and then found out I had forgotten a line. I switched it so this won't happen.
hanmin said:
> As for the time out issue, I thought the typing-sensitive time out would be a better choice. The moment that you are worried about your data being seen is when you are away from your phone. You can have focus on your TextField but you can be million miles away from your phone. But, you ought to be around to be typing stuff, right?

The timeout I have running in it now (new version that isn't up yet) is completely based off of the user's actions. Whenever you do anything in the program the timer resets. Except for encrypting/decrypting. The timer is off for those functions in case you encrypt a file that takes longer.
hanmin said:
> BTW, I'm also wondering on the working of this time out feature. I thought there ought to be a 'clock' running and when time's up, it will clear the stuff needed to be cleared, right? So, if I were to forget to switch off the application, the timer will not be another running software that drain my battery, right?

The timeout feature does not clear everything in the program. I have it so it actually completely closes the program. So if you forget to close it and walk away, the program will end so it doesn't drain your battery.
hanmin said:
> Good work.

Thanks, wait till you see the next version...
nomb
I got the progressbar working for encryption, now for decryption.

MobilMon - File system monitor utility

To the many excellent folks here at xda-developers.com, I'm releasing MobilMon 0.5 for free.
I wrote a simple app that monitors file system access (specifically, file creation, deletion, or modification). This sort of tool can be invaluable when you are trying to figure out what's happening on your system. You can export the findings to a log file.
It's pretty bare bones at this point, but that was somewhat intentional. I wanted to see what folks wanted out of such an app before spending more development time on it.
Check it out, and let me know what you think: http://www.mobilmon.com
wow! thank you! this is pretty much exactly what i was wishing for ever since i started playing around with new apps and such on my phone.
it's a great help for just before a system backup. for example, i have SPB backup set to run every other morning. let's say it runs on Saturday at 5:00am. I install some apps and do some random things from 8:00am to 9:00am. 9:30am, my phone crashes. I reset to 5:00am, and I lost all that stuff i did from 8 to 9. now i know! thanks for this app.
Feature changes
A couple of things I was considering:
1. CSV EXPORT. Would it be better to leave the plain text formatting for easy readability, or format it for CSV export?
2. DIRECTORY. I was originally going to include the ability to change the directory (i.e. something other than just "\") but that would involve some significant work on my part. And, I'm not sure if you'd really want to do that anyway.
3. VIEW FILE READS. As delivered, it monitors file adds, deletes, and changes - not reads. This was done intentionally for performance reasons. Would people want to see all the file reads, even if it bogged the device down?
This is awesome! I haven't seen anything else like it, so I am really happy to see someone from the xda-forums to make this magic!
I think that you should add in the view file reads, but only as an option. Maybe also an option to select which operations you want logged (eg. when I only want to see the files created, and not deleted). Although being able export to CSV would give me the same results, but with some editing.
> 3. VIEW FILE READS. As delivered, it monitors file adds, deletes, and changes - not reads. This was done intentionally for performance reasons. Would people want to see all the file reads, even if it bogged the device down?

Many thanks for the app.
It would be nice to have (even as a separate app) something like mamaaich's file monitor: http://forum.xda-developers.com/showthread.php?t=247425, with ability to start/stop and good frontend - to capture all file activities in the whole system.
It helps a lot to find frequent, unintended system file reads (in most cases - draining batteries)
monitor lost memory
i wonder if you could add some powerful memory mgmt to check where my pda memory is lost and what is the process,application or service which is causing memory leaks or using too much memory. maybe you could draw a graph or monitor memory usage during time for all processes. when i start my pda i have 48% free ram, after a day i am back to 80% without any visible app running.
Thanks!
Thanks
Thanks for the good feedback; I'll look into making it where you can select the types of events to monitor and then go from there.
Good lead on mamaich's program - I wasn't aware of it. I will take a look. I'm all about working smarter, not harder
Hello,
I stumbled over this (admittedly quite old) thread on the search for a windows-mobile version of something like iTunes FolderWatch or iPad ShutterSnatch.
Would it be possible to extend MobiMon such that an action can be triggered once a new file is found? In my case that action would be to start a picture viewer with the newly created file name as a parameter.
Scenario: Send pictures I take with my camera to my Windows Mobile Phone (HTC HD2) via FTP (MochaFTP) through an Ad-Hoc Network directly from the camera (using Eye-Fi). MobiMon would recognize the new file and fire up the picture viewer. This way, the latest picture taken will be shown on HD2's big display right after the shot was taken.
Of course, if there is a more straightforward way of doing this (like a picture viewer with integrated FTP-Server ) I'd be more than happy to hear about it!
Regards and a happy new year!
Alex
Yes, it's possible.
In regards to your inquiry, it's programmatically possible, but would require a re-write. This has to do with the way things are instantiated. Whether I could afford the time to do it is a different question
1. What is the target OS?
2. Do you have the means and skills to adjust my code and compile it yourself if I just pointed out the changes needed?
Alright, here's my question:
is it possible to add (e.g.) a tray/taskbar icon showing card r/w activity?
I am thinking not exactly about this specific project, but general idea related to it.

DM_CRYPT kernel required

Hello,
Most tablet owners will store valuable and/or personal files on their tablets. I believe no one wants his data to be stolen, right?
I solved this problem on my laptop using Truecrypt.
However no Truecrypt is available for Android.
The solution for Android is Luks manager (available on the market).
However (again however) in order for luks manager to work it requires the kernel to be DM_CRYPT capable.
I have no idea what this is. I just know a kernel must be compiled in such a manner that this is part of it.
So, is it possible when compiling next kernels to put this in?
Thanks
Why anyone would leave personal and sensitive data on a portable machine is beyond me. Keep it in a secure location and use a secure VPN to access it.
Why anyone would leave sensitive data on a networked device is beyond me.
Sent from my Transformer TF101
Android 3.0 does have device-mapper and dm-crypt baked into the kernel.
It's actually also coded into the OS. See here:
http://bryanhinton.com/android3security
sassafras
encrypting entire tablet vs. secure mounting like Truecrypt
@sassafras_
I read the link and I sent it to the author of Luks Manager - the thing that acts as Truecrypt for android devices.
Here is the discussion on the matter between us:
http://nemesis2.qx.net/forums/index.php/topic,60.0.html
here is the description of his software:
http://nemesis2.qx.net/pages/LUKSManager
I think that the Truecrypt conception is much better than encrypting the entire tablet, which I personally find to be clumsy and not useful:
1. You encrypt the entire tablet, that is slow.
2. (More important): You decrypt the tablet when turning it on. On the other hand, with the Truecrypt conception you mount the sensitive data when you need it, after that you can unmount it. I.e. it is possible to use the tablet without exposing the data.
@cosine83 & @frosty5689 - Guys, everyone is free to choose the way he keeps sensitive data.
@cosine83 - it is a plus to keep whatever you want wherever you wish, provided it is protected, including on a portable device.
You're asking for someone to make a workaround to a non-problem.
Encrypting the entire tablet is not clumsy - it is built into the OS and is persistent. It takes about two minutes to set it up.
It isn't slow - if you read the entire article you see a 20% speed decrease for reads, and almost no speed penalty for writes. This is slower but certainly not slow.
If you're concerned about security, doesn't it make sense to have a password to work with the tablet? With the built-in solution, you must enter a PIN each time you unlock the device. This is the most secure and minimally intrusive. Much less than mounting an encrypted volume each time you want to interact with sensitive data and then having to unmount it when complete.
sassafras
+1, my tablet is encrypted using Honeycomb's built-in encryption engine, and I have no qualms with performance considering that all data is decrypted on the fly.
sassafras_ said:
If you're concerned about security, doesn't it make sense to have a password to work with the tablet? With the built-in solution, you must enter a PIN each time you unlock the device.
How long is the PIN? Does it contain letters? If it's only numbers and short it can be hacked in hours if not minutes.
Also - has anyone tried if HC works with Linux encrypted (with DM_CRYPT) external drives? I don't have USB adapter to check it. Hm, or maybe you could encrypt microSD with DM_CRYPT on Linux and use it with Transformer?
It doesn't have to be a PIN, mine is protected with a password containing letters and numbers. The only slight concern I have is that for some reason the password itself can't be longer than 16 characters.
misunderstanding
@sassafras_ "You're asking for someone to make a workaround to a non-problem."
You do not understand what I mean, when I say encrypting the entire device is clumsy. I am not talking about speed. I am talking about conception.
I will try to explain once more, please do try to understand, if you want.
I do not want to encrypt the entire tablet. Did you ever use TrueCrypt? It makes a container. It contains all your valuable files. When you need them you simply supply a password and mount the container to the file system. It appears like device. Encrypting entire tablet is so far from this conception that I am getting very frustrated to explain this again and again.
For example, if your friend wants to check his email on the tablet, if you hand it over he will have access to all your files. Unlike that with the TrueCrypt method you would simply unmount the container and you will be safe to give it whoever you want to.
Have you looked at Tasker (non-market version)? This has the ability to encrypt folders, there are definitely some issues if stuff is really classified but for what you describe it could work.
Sent from my Transformer TF101 using XDA Premium App

Windows Hooking question

Is it possible to create an application that would hook all api calls to windows and be able to accept or deny the call? How trivial would this be?
All calls, for all apps? Very damn hard. You'd basically need to shim the entire standard libraries. The shims could probably be programmatically generated, but you'd need to write the program to create them. Then you'd need Admin access to install them, and then...
Why don't you explain what you're trying to do? This is a very complicated thing to attempt, and it might not be the right approach at all.
Due to recent program vulnerabilities *cough cough* IE exploit, I want to create a program to minimize and effectively stop the exploits, by blocking reading api calls from programs that have the vulnerability and determining if the call should be made or not.
There's already tools like EMET, which blocked that (and many other) exploits.
Have you ever looked at the output generated by procmon on a typical Windows application? Even for just the subset of system calls that it monitors, the log scrolls too fast to read, much less to make a decision about each call. Something as simple as opening a single static HTML page in IE would require an incredible number of clicks. Your typical modern page, which has dozens of separately-requested elements, generates considerable traffic to log files and cookies and so forth, and may contain rich content requiring a bunch of additional functions... Yeah, not practical at all.
For educational purposes and further knowledge could you show me what I would have to do to hook one API call from a process? It does not have to be a global hook.
There's a handful of possible approaches.
If you *wanted* to do it globally, and didn't mind doing so only at the kernel syscall layer (meaning any purely user-space code wouldn't get caught, but since anything that can go between processes in any practical way involves the kernel anyhow...) you could create a driver that filters the relevant system calls. Filtering the entire system call interrupt at one place is possible if you can mess with the relevant interrupt service routine, but I believe that's protected by PatchGuard. There may be some all-in-one place anyhow, but it would be tricky. Anyhow, this is how tools such as Process Monitor (which only handles a relative handful of system calls) work.
If you want to modify the behavior of a bunch of programs, you could create modified versions of the system libraries, and put them where the programs would load them (usually the application directory would work, but sometimes you would need to replace the system copy). This approach is a lot of work, though not completely impractical; you simply need to shim all the exported functions (or at least, the ones you care about) with a version that filters the call before passing it through to the "real" version, but you would need to cover all the exported functions without breaking their ABI. Doable, but a lot of work.
If you only want to get one function, the easiest way would be to re-write all calls to that function in the process memory such that they go to your filter instead. This is how the Detours library (http://research.microsoft.com/en-us/projects/detours/) works; you can find code samples of using it online. I believe that is also how Microsoft's application compatibility shims work. There are registry keys which will cause a given program to be loaded in a debugger (which can be mostly non-interactive, and just make this change for you) or I *think* there's a way to specify an arbitrary DLL that a given program must load (and run its DllMain function) when it starts up too, which would also do the trick.
Bear in mind that the second and third methods can be bypassed by an attacker who knows what you're doing; the attacker just (re-)overwrites the function tables to point at the real versions of the APIs, or alternatively makes the relevant system calls directly (Win32 programs basically never do this, instead letting the Win32 subsystem translate their Win32 function calls into NT system calls and invoking the wrapped syscall, but there's nothing *stopping* them). The first approach can't be bypassed by an attacker with less than Admin privileges (assuming you did it right; I can think of a couple of potential gotchas you'd need to avoid) but you would need Admin yourself in order to install that driver in the first place, and if you want to *interactively* filter the API calls you would need the entire interaction path including the UI to be protected against tampering by less-privileged processes.
With all that said, a real Mandatory Access Control that gives finer-grained control than Windows' Mandatory Integrity Control would be a really cool thing (something more like SELinux or AppArmor). It would probably be more effort on NT than on Linux though, due to NT not (so far as I know) having any equivalent of http://en.wikipedia.org/wiki/Linux_Security_Modules (a good place to start reading about the topic).
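The function-table approach and its bypass described in the post above, modelled in portable C as an added example (not code from the thread, from Windows or from Detours). The table, `real_open` and the `/secret/` policy are constructed stand-ins for an import table, a Win32 API and a filtering rule; the point is why an in-process filter cannot be the enforcement boundary.

```c
#include <stdio.h>
#include <string.h>

/* Model of an import table: callers reach the API through a pointer slot,
   the way Win32 code calls through its import table. */
typedef int (*open_fn)(const char *path);

/* Stand-in for the real API (hypothetical): always returns handle 3. */
static int real_open(const char *path) { (void)path; return 3; }

static open_fn import_table[1] = { real_open };  /* slot 0 = "open" */
static open_fn saved_real;                       /* original pointer kept by the filter */

/* Policy filter: deny paths under the constructed protected prefix. */
static int filtered_open(const char *path) {
    if (strncmp(path, "/secret/", 8) == 0) return -1;  /* deny */
    return saved_real(path);                           /* allow: pass through */
}

/* Swap the slot so every table-based call hits the filter first. */
void install_filter(void) {
    saved_real = import_table[0];
    import_table[0] = filtered_open;
}

/* Ordinary caller: goes through the table, so the filter sees the call. */
int call_via_table(const char *path) { return import_table[0](path); }

/* The two bypasses the post names: call the real routine without the
   table, or write the original pointer back into the slot. */
int call_direct(const char *path) { return real_open(path); }
void restore_slot(void) { import_table[0] = real_open; }

/* Defender's integrity check: does the slot still point at the filter? */
int filter_intact(void) { return import_table[0] == filtered_open; }

int main(void) {
    install_filter();
    printf("via table, allowed path: %d\n", call_via_table("/tmp/a.txt"));
    printf("via table, denied path : %d\n", call_via_table("/secret/cards.txt"));
    printf("direct call, same path : %d\n", call_direct("/secret/cards.txt"));
    restore_slot();
    printf("after slot restore     : %d (intact=%d)\n",
           call_via_table("/secret/cards.txt"), filter_intact());
    return 0;
}
```

The integrity check only notices the restored slot; the direct call leaves the table untouched and is invisible to it, which is why the post places reliable filtering in a kernel driver.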
I want to write open sourced code that will be like super user and permissions for Windows so you can have the open feeling of Windows but a secure feeling as well with little to no anti-viruses. This would not be like Windows RT's locks, you can run any program you like.
You're not the first person to have this idea, but I don't think you understand the magnitude of what you're asking for. Even if such a system were created, it would be a lot of work to create all the rule sets for every program you want to protect. Besides, you'd still be vulnerable to malicious code that runs as Admin (i.e. most installers, etc.) since they could unload or modify your driver.
