A co-worker recently asked me what I thought about the upcoming hardening of the x64 versions of Windows, which makes it harder to write cool programs like Compuware’s SoftIce, or RegMon & FileMon from SysInternals. The gist is that Windows will attempt to block modification of the IDT/GDT and the system call tables, except by authorized Microsoft hot patches.
I’m of mixed opinion on this.
The “Cool tools” part of me thinks this is a bad thing. A lot of awesome projects have come about only because of great tools that provided visibility into the system’s inner workings.
The other “OS purist” side applauds the Windows kernel team for making the OS that much better. (Almost) anything that improves robustness is a good thing, and I certainly want to run the best Windows possible.
On an internal email thread, a kernel guru dismissed these tools as “hacky”, and that was the nicer of the adjectives. They suggested that there are better ways to get similar functionality (such as file system filter drivers).
There’s also a middle ground in my mind. To perform these hacks, these tools need sufficient access rights to load kernel mode drivers. If you’re running with enough rights to load a driver (e.g., as Administrator), the driver can (mostly) party all over the kernel data structures. What if a special mode were available that had to be explicitly enabled? This mode would turn off the hardening so that tools could muck about to their heart’s content. Something similar to this has happened already. In order to work on Windows XP, the SoftIce installation has to disable Windows’ kernel page write protection. (Sorry, no links, and I don’t know the details.)
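To make the two sides of this concrete, here is a small user-mode model, added for this discussion and not code from the post or from any of the tools named in it. It models the system call table as an array of function pointers, the “hacky” tool as something that swaps one entry for a logging wrapper, and the hardening as a checksum of the table that is recorded once in a trusted state and re-checked later. The checksum-and-compare enforcement, the FNV-1a hash, and all the function names are assumptions made for the example; the post does not describe how the real check works.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Model of a kernel service dispatch table: an array of function pointers,
 * standing in for the system call table the hardening is meant to protect. */
typedef long (*service_fn)(long);

static long svc_open(long arg)  { return arg + 1; }
static long svc_read(long arg)  { return arg * 2; }
static long svc_write(long arg) { return arg - 1; }

#define SERVICE_COUNT 3
static service_fn service_table[SERVICE_COUNT] = { svc_open, svc_read, svc_write };

/* FNV-1a over the pointer values (assumed hash for the example). A real
 * checker would also cover the IDT/GDT and code bytes; hashing the pointer
 * values is enough to show that redirecting an entry is detectable. */
static uint64_t table_checksum(const service_fn *table, size_t count) {
    uint64_t h = 1469598103934665603ULL;
    for (size_t i = 0; i < count; i++) {
        uintptr_t p = (uintptr_t)table[i];
        for (size_t b = 0; b < sizeof p; b++) {
            h ^= (p >> (8 * b)) & 0xff;
            h *= 1099511628211ULL;
        }
    }
    return h;
}

static uint64_t trusted_checksum;

/* Taken once while the table is in its authorized state (at boot, or again
 * after an authorized patch the checker is told about). */
void record_trusted_state(void) {
    trusted_checksum = table_checksum(service_table, SERVICE_COUNT);
}

/* The periodic check: 1 if the table still matches the trusted snapshot. */
int table_is_intact(void) {
    return table_checksum(service_table, SERVICE_COUNT) == trusted_checksum;
}

/* The kind of hook a monitoring tool installs: replace one table entry with
 * a wrapper that records the call and then forwards to the original. */
static service_fn original_open;
static int open_calls_seen;

static long hooked_open(long arg) {
    open_calls_seen++;
    return original_open(arg);
}

void install_open_hook(void) {
    original_open = service_table[0];
    service_table[0] = hooked_open;
}

void remove_open_hook(void) {
    service_table[0] = original_open;
}

/* Route a call through the table, as the kernel's dispatcher would. */
long dispatch(int index, long arg) {
    return service_table[index](arg);
}

int hook_call_count(void) { return open_calls_seen; }

int main(void) {
    record_trusted_state();
    printf("fresh table intact: %d\n", table_is_intact());
    install_open_hook();
    dispatch(0, 41);
    printf("after hook, intact: %d (hook saw %d call)\n",
           table_is_intact(), hook_call_count());
    remove_open_hook();
    printf("after unhook, intact: %d\n", table_is_intact());
    return 0;
}
```

The point of the model is the asymmetry the post is circling: the hook works perfectly (the forwarded call still returns the right value) and is invisible to callers, which is exactly why a checksum-style check, rather than anything at the call site, is what catches it. A “special mode” that turns the hardening off is, in these terms, simply a switch that makes table_is_intact() stop being consulted.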
I personally have no direct control over any of this, as I’m not in the Windows group. I’m just an interested bystander in the discussion.
What’s your opinion?