Best secure single running app guard on windows

Tag: windows Author: feiye1988 Date: 2009-07-22

I would like to improve the way how an application is checking that another instance is not already running. Right now we are using named mutexes with checking of running processes.

The goal is to prevent security attacks (as this is security software). My idea right now is that "bulletproof" solution is only to write an driver, that will serve this kind of information and will authenticate client via signed binaries.

Does anyone solved such problem? What are your opinions and recommendations?

and what would happen if the user runs the application twice ??
second instance should end when first allready running, that's why I'm putting the energy into solution.

Other Answer1

First, let me say that there is ultimately no way to protect your process from agents that have administrator or system access. Even if you write a rootkit driver that intercepts all system calls (a difficult and unsafe practice in of itself), there are still ways to use admin access to get in. You have the wrong design if this is a requirement.

If you set up your secure process to run as a service, you can use the Service Control Manager to start it. The SCM will only start one instance, will monitor that it stays up, allow you to define actions to execute if it crashes, and allow you to query the current status. Since this is controlled by the SCM and the service database can only be modified by administrators, an attacking process would not be able to spoof it.

comments:

Maybe I haven't been clear, the solutioon is for application that runs under user account, I'm aware that when you have an administrator rights there is nothing guaranteed. So service is also not solution. I want just to be sure that someone under user account will not prevent running of this application.

Other Answer2

I don't think there's a secure way of doing this. No matter what kind of system-unique, or user-unique named object you use - malicious 3rd party software can still use the exact same name and that would prevent your application from starting at all.

If you use the method of checking the currently executing processes, and checking if no executable with the same name is running - you'd run into problems, if the malicious software has the same executable name. If you also check the path, of that executable - then it would be possible to run two copies of your app from different locations.

If you create/delete a file when starting/finishing - that might be tricked as well.

The only thing that comes to my mind is you may be able to achieve the desired effect by putting all the logic of your app into a COM object, and then have a GUI application interact with it through COM interfaces. This would, only ensure, that there is only one COM object - you would be able to run as many GUI clients as you want. Note, that I'm not suggesting this as a bulletproof method - it may have it's own holes (for example - someone could make your GUI client to connect to a 3rd party COM object, by simply editing the registry).

So, the short answer - there is no truly secure way of doing this.

comments:

Paulis I still think that driver that will check the location and signing of all modules should be quite secure solution, except of case where already rootkit is settled in system.

Other Answer3

I use a named pipe¹, where the name is derived from the conditions that must be unique:

  • Name of the application (this is not the file name of the executable)
  • Username of the user who launched the application

If the named pipe creation fails because a pipe with that name already exists, then I know an instance is already running. I use a second lock around this check for thread (process) safety. The named pipe is automatically closed when the application terminates (even if the termination was due to an End Process command).

¹ This may not be the best general option, but in my case I end up sending data on it at a later point in the application lifetime.

comments:

what if some malicious application creates the pipe? your process won't start at all?
@Paulius: That's correct, but 1) considering you can't enumerate named pipes in Windows, have fun finding it's name, 2) no one cares enough to sabotage my program and 3) it's a malicious program, why not just delete the executable (or for the average user, deleting the shortcut would serve the same purpose).
1) anyone can disassemble your executable to find it 2) the more users you have - the more chances there are that someone might be bored enough 3) it may or may not be a malicious program - you have no guarantees that some other application won't use the same pipe name for it's own purposes (unlikely, but may happen). If your application is a common word - any other programmer might use it in conjunction with the current user name.

Other Answer4

In pseudo code:

numberofapps = 0
for each process in processes
    if path to module file equals path to this module file
        increment numberofapps
if number of apps > 1
    exit

See msdn.microsoft.com/en-us/library/ms682623(VS.85).aspx for details on how to enumerate processes.

comments:

Thanks Edgecombe, thanks for answer but we cannot rely on this as the module path can be faked very easily on WinXP < SP2
A single-instance program is its own Denial of Service Attack blogs.msdn.com/oldnewthing/archive/2006/06/20/639479.aspx