[FAQ] So where do isolated programs have access to (part 4)?

Started by fixer, September 07, 2017, 02:23:41 PM


In the previous three parts of the series we talked about file system access. But what about other resources? I often get questions like "does ReHIPS protect from process hollowing or memory injections?" So in this blogpost we'll talk about sessions, window stations, desktops and process access, including memory protection.

Sessions. Sessions exist to completely isolate different logged-in users from each other: every interactive logon gets its own session with its own window stations and desktops. This isolation is enforced by Windows itself and stands even without ReHIPS, but I included this security boundary for the sake of completeness.

Window Stations. A window station contains a clipboard, an atom table, and one or more desktop objects. Isolated processes use the same window station as non-isolated processes, but with limited access rights to it; you can see these rights in the isolated environment's settings on the Privileges tab.

Desktops. Sharing the same desktop between isolated and non-isolated processes may be dangerous. For example, any process on a desktop can take a screenshot of that desktop, so an isolated process on the shared desktop could capture confidential data shown by non-isolated windows. That's why it's recommended to use an isolated desktop. Alternatively you can keep the main default desktop, but limit the isolated process's access rights to it. Both of these options can be set in the isolated environment's settings on the Privileges tab.

Processes. As ReHIPS executes isolated processes under separate ReHIPS users, isolated processes have access only to the processes running in the same isolated environment. They don't have any access to processes running in other isolated environments or to non-isolated processes, because the process object's security descriptor grants access to its owner and not to a different user. You can always see this for yourself by running, for example, Process Explorer in isolation and trying to get information about non-isolated processes: it will fail to open them. This also means that memory code injection (and memory reading) will fail, since both need a process handle opened with the corresponding access rights. And ReHIPS doesn't need additional protection code for this, burning CPU on hooks and access checks: Windows already performs the check when the handle is opened, so everything is implemented and done automatically!
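To check the session, window station, desktop and process access boundaries described above from the inside, here is an added PowerShell script (it is not part of the original post and not ReHIPS's own code; it calls only documented Win32 APIs through P/Invoke). Run it once from a normal prompt and once inside an isolated environment, then compare the output. The access mask it requests, PROCESS_QUERY_INFORMATION plus PROCESS_VM_READ, is what a memory-reading tool needs; the constants and the `Native` class name are just this example's own.

```powershell
# Added example, not part of the original post or of ReHIPS itself.
# Reports the session, window station and desktop of the current process,
# then tries to open every process with PROCESS_QUERY_INFORMATION|PROCESS_VM_READ
# and lists which ones were denied. Run from a normal prompt and from an
# isolated environment and compare the two results.

$sig = @'
using System;
using System.Runtime.InteropServices;
using System.Text;
public static class Native {
    public const int UOI_NAME = 2;                      // GetUserObjectInformation: object name
    public const uint PROCESS_QUERY_INFORMATION = 0x0400;
    public const uint PROCESS_VM_READ = 0x0010;         // needed to read another process's memory
    public const int ERROR_ACCESS_DENIED = 5;

    [DllImport("user32.dll", SetLastError = true)]
    public static extern IntPtr GetProcessWindowStation();
    [DllImport("user32.dll", SetLastError = true)]
    public static extern IntPtr GetThreadDesktop(uint dwThreadId);
    [DllImport("kernel32.dll")]
    public static extern uint GetCurrentThreadId();
    [DllImport("user32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
    public static extern bool GetUserObjectInformationW(IntPtr hObj, int nIndex,
        StringBuilder pvInfo, uint nLength, out uint lpnLengthNeeded);
    [DllImport("kernel32.dll", SetLastError = true)]
    public static extern bool ProcessIdToSessionId(uint dwProcessId, out uint pSessionId);
    [DllImport("kernel32.dll", SetLastError = true)]
    public static extern IntPtr OpenProcess(uint dwDesiredAccess, bool bInheritHandle, uint dwProcessId);
    [DllImport("kernel32.dll", SetLastError = true)]
    public static extern bool CloseHandle(IntPtr hObject);
}
'@
Add-Type -TypeDefinition $sig

function Get-UserObjectName([IntPtr]$Handle) {
    # UOI_NAME returns the window station / desktop name; nLength is in bytes for the W variant.
    $sb = New-Object System.Text.StringBuilder 256
    [uint32]$needed = 0
    if ([Native]::GetUserObjectInformationW($Handle, [Native]::UOI_NAME, $sb,
            [uint32]($sb.Capacity * 2), [ref]$needed)) {
        return $sb.ToString()
    }
    return "<error $([Runtime.InteropServices.Marshal]::GetLastWin32Error())>"
}

# Session, window station and desktop of this PowerShell process.
[uint32]$session = 0
[void][Native]::ProcessIdToSessionId([uint32]$PID, [ref]$session)
$winsta  = Get-UserObjectName ([Native]::GetProcessWindowStation())
$desktop = Get-UserObjectName ([Native]::GetThreadDesktop([Native]::GetCurrentThreadId()))
Write-Host "Session $session, window station '$winsta', desktop '$desktop'"

# Try to open every process for memory reading; the kernel checks the process DACL here.
$access = [uint32]([Native]::PROCESS_QUERY_INFORMATION -bor [Native]::PROCESS_VM_READ)
$opened = New-Object System.Collections.Generic.List[object]
$denied = New-Object System.Collections.Generic.List[object]
foreach ($p in Get-Process) {
    $h = [Native]::OpenProcess($access, $false, [uint32]$p.Id)
    if ($h -ne [IntPtr]::Zero) {
        [void][Native]::CloseHandle($h)
        $opened.Add([pscustomobject]@{ Name = $p.ProcessName; Id = $p.Id })
    } else {
        $err = [Runtime.InteropServices.Marshal]::GetLastWin32Error()
        $denied.Add([pscustomobject]@{ Name = $p.ProcessName; Id = $p.Id; Win32Error = $err })
    }
}
Write-Host ("Opened {0} process(es), denied {1}" -f $opened.Count, $denied.Count)
$denied | Where-Object { $_.Win32Error -eq [Native]::ERROR_ACCESS_DENIED } |
    Sort-Object Name | Format-Table -AutoSize
```

Two things to keep in mind when reading the output. First, even outside isolation an ordinary non-elevated user is denied PROCESS_VM_READ on SYSTEM's processes and on other users' processes, so the informative comparison is a process of your own account running outside isolation (for example your explorer.exe): the normal prompt opens it, while the isolated prompt should report Win32 error 5 (ERROR_ACCESS_DENIED). Second, with the isolated desktop option enabled, the desktop name printed from inside isolation should differ from the `Default` desktop that non-isolated programs use; with the shared desktop it will be the same name, which is exactly the screenshot exposure the text warns about.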