Name   : Integrity Protection Driver (IPD)
Version: 1.4
Purpose: Prevent installation of rootkit device drivers on NT/2000
License: Open Source



Integrity Protection Driver (IPD)
---------------------------------

The IPD is an Open Source device driver designed to prohibit the
installation of new services and drivers and to protect existing drivers
from tampering. It installs on Windows NT and Windows 2000 computers.

Updated information about this driver may be found at

      http://www.pedestalsoftware.com/intact


Motivation
----------

This driver was created to provide protection against rootkit
installation by attempting to block any new kernel code from being
installed and executed. This will help to prevent tojan hiding from
integrity checking programs such as Intact.


What It Does
------------

Specifically, the IPD blocks device driver installation, acquiring 
selected priveleges, accessing memory directly, opening processes, 
and inserting threads. These restrictions prevent any user from
altering the OS.

The IPD uses undocumented service function hooking to alter access
rights on driver-related registry keys, values and files to be read-only
no matter what account is requesting access. This effectively prohibits
the Service Control Manager or user applications from changing service
and driver keys and values in the registry and modifying or replacing
driver executables.

The IPD restricts all processes except some system processes(*) from
obtaining the following privileges:

   Debug Privilege
   TCB Privilege
   Create Token Privilege
   Assign Primary Token Privilege

The IPD forbids any process from opening \Device\PhysicalMemory.

The IPD forbids any process, except select system processes, from
creating threads in other processes and from writing in the virtual
memory space of other processes.

(*) See h_tok.c for a list of the system images that are permitted
these privileges.

Is there a way to circumvent the IPD?
-------------------------------------

The IPD attempts to block known methods for loading and executing
kernel code. There may be undocumented or undiscovered methods
for installing and executing kernel code. As new methods are
discovered the IPD can be updated to counter those methods.

Functionality Issues
--------------------

The IPD is designed to alter the operating system's normal operating
behavior. In doing so, there will be some loss of functionality. The
following are some of the constraints you may encounter:

\Device\PhysicalMemory issues:

NTVDM requires access to \Device\PhysicalMemory on startup. This means
that no 16-bit applications will work (unless an NTVDM session was
running before the IPD driver engaged and the 16-bit application is
not configured to run in it's own memory space). Some screen savers
(such as the blank screen saver) will not work because of this.

Legitimate device drivers may attempt to open \Device\PhysicalMemory
during normal operation. The IPD will block these attemps and so may
cause unexpected results. So far, we have not encountered any device
drivers that do this after startup.

Debugging Programs:

The IPD blocks the ability to debug programs.


What's Included
---------------

You should have received the following files with your distribution:

  ipd.sys         -- the compiled device driver for i386 computers
  ipdinstall.exe  -- the installation/remove program
  readme          -- this file
  driver/*        -- source files


Installation
------------

To install the IPD device driver, unzip all files into a directory. 
Execute the ipdinstall.exe program to install and start the driver:

	ipdinstall.exe install

The driver is installed for "automatic" startup, which means it will
automatically start at system boot. The driver engages, or begins
protecting, 20 minutes after it has started.


IMPORTANT:

* Once the Driver is started it may not be stopped.

* Once the Driver is engaged it may not be removed. Even if the
appropriate Service Control Manager function call marks the driver for
deletion, the driver will still not be removed. 


Removal
-------

YOU MUST REMOVE THE IPD DEVICE DRIVER WITHIN 20 MINUTES OF STARTUP,
AND THEN REBOOT THE SYSTEM. If the driver has already engaged then you
will have to reboot and remove it within 20 mintes of boot up.

The remove command is:

	ipdinstall.exe remove


Support
-------

There is no support. New versions can be found at 
http://www.pedestalsoftware.com. Bug reports should be sent to 
bugs@pedestalsoftware.com.


References
----------

Undocumented Windows NT by Dabak, Phadke and Borate; M&T Books, 1999.
Windows NT/2000 Native API Reference, Gary Nebbett; Macmillan Technical Publishing, 2000.
Microsoft Windows DDK.


Copyright and Grant of Use
--------------------------

Copyright (c) 2000-2002 Pedestal Software, Inc.  All rights reserved.  

By using this software, YOU AGREE to the following license terms.  IF
YOU DO NOT AGREE, YOU MAY NOT USE THE SOFTWARE.

(1) Pedestal Software believes that this software is safe for use in
normal circumstances, and has performed what it believes to be
reasonable but non-exhaustive testing to verify this. The software is
intended for use only by experienced and knowledgeable computer
professionals. IT IS PROVIDED "AS IS, WITH ALL FAULTS," including source
code so that the user can study the source code and independently
determine the software's suitability. Pedestal Software makes no
warranty of any kind, express or implied, and DISCLAIMS ANY AND ALL
WARRANTIES, CONDITIONS, OR IMPLIED TERM OF QUALITY, INCLUDING THE
IMPLIED WARRANTIES OF TITLE, NON-INFRINGEMENT, MERCHANTABILITY, AND
FITNESS FOR A PARTICULAR PURPOSE.

(2) TO THE MAXIMUM EXTENT PERMITTED BY LAW, UNDER NO CIRCUMSTANCES AND
UNDER NO LEGAL THEORY, TORT, CONTRACT, OR OTHERWISE, SHALL PEDESTAL
SOFTWARE BE LIABLE TO YOU OR ANY OTHER PERSON FOR ANY MONEY DAMAGES,
WHETHER DIRECT, INDIRECT, SPECIAL, INCIDENTAL, COVER, RELIANCE OR
CONSEQUENTIAL DAMAGES, EVEN IF PEDESTAL SOFTWARE SHALL HAVE BEEN
INFORMED OF THE POSSIBILITY OF SUCH DAMAGES, OR FOR ANY CLAIM BY ANY
OTHER PARTY. IN THE EVENT THAT NOTWITHSTANDING THE FOREGOING, PEDESTAL
SOFTWARE IS FOUND LIABLE TO YOU FOR DAMAGES FROM ANY CAUSE WHATSOEVER,
AND REGARDLESS OF THE FORM OF THE ACTION (WHETHER IN CONTRACT, TORT
(INCLUDING NEGLIGENCE), PRODUCT LIABILITY OR OTHERWISE), PEDESTAL
SOFTWARE'S LIABILITY TO YOU WILL BE LIMITED TO $0.01. SOME JURISDICTIONS
DO NOT ALLOW THE EXCLUSION OR LIMITATION OF INCIDENTAL OR CONSEQUENTIAL
DAMAGES, SO THIS LIMITATION AND EXCLUSION MAY NOT APPLY TO YOU.

(3) Pedestal Software will not object to your distribution of complete,
unmodified copies of the distribution package of the software as
provided by Pedestal Software, PROVIDED that you do not charge a fee
other than a reasonable fee for distribution services.

(4) You may modify the software and distribute copies of the modified
software, PROVIDED:

(4.1) that you distribute, together with the executable code of the
modified software:

(4.1.1) the source code of the modified software, which must contain the
Pedestal Software copyright notice set forth above (in addition to your
own copyright notice if any); and

(4.1.2) a copy of the complete, unmodified distribution package of the
software as provided by Pedestal Software; and

(4.2) that you clearly indicate in the source code and in any
accompanying documentation file that the software is based on Pedestal
Software's software and was modified by you; and

(4.3) that you grant users of the modified software the same rights as
are granted to you by this license.


Who is Pedestal Software?
-------------------------

Pedestal Software is based near Boston, MA, and has been providing
security software since 1996. Its founders come from the financial
services and banking industries where security and system integrity
are top priorities.

On the web: http://www.pedestalsoftware.com
email:      support@pedestalsoftware.com

