SlideShare a Scribd company logo

NSC #2 - D3 05 - Alex Ionescu- Breaking Protected Processes

•
•
N
NoSuchCon

NSC #2 - D3 05 - Alex Ionescu- Breaking Protected Processes

Technology
1 of 49
Download to read offline
UNREAL MODE: BREAKING PROTECTED PROCESSES Alex Ionescu http://www.alex-Ionescu.com NSC 2014 @aionescu
ABOUT ALEX IONESCU • Chief Architect at CrowdStrike, a security startup • Previously worked at Apple on iOS Core Platform Team • Co-author of Windows Internals 5th and 6th Editions • Reverse engineering NT since 2000 – main kernel developer of ReactOS • Instructor of worldwide Windows internals classes • Conference speaking: • SyScan 2014-2012 • NoSuchCon 2014-2013, Breakpoint 2012 • Recon 2014-2010, 2006 • Blackhat 2013, 2008 • For more info, see www.alex-ionescu.com • Twitter: @aionescu
INTRODUCTION • Windows Vista introduced core changes to the kernel to allow atomic, kernel-driven process creation inside of a “protected environment” • Used to protect access to the DRM keys and to secure the System process • Windows 8.1 extends that model in order to protect key non-DRM system processes even from Admin, and to mitigate against pass-the-hash attacks • Digital signatures and code signing now add an additional boundary of protection beyond load/don’t load • Similar to the iOS Entitlement Model • Mechanisms change a few core security paradigms: • Admin == Kernel is something that Microsoft has sometimes disagreed with, especially in light of PatchGuard, Code Signing and DRM. Now it’s really != • Unkillable processes and unstoppable services are now something supported and documented for developer (mis)use
OUTLINE • Introduction • Code Signing 101 • Signature Levels • Process and Service Protection • UEFI Variables 101 • LSASS Pass-the-Hash Protection • Windows 10 Hyper-V Process Containers • Conclusion
CODE SIGNING 101
AUTHENTICODE • For almost two decades, Portable Executable format (PE) supports Digital Code Signing through the Microsoft Authenticode standard • Digital certificate (X.509 standard) contains a signature that ties the application to a publisher (or “signer”) that is identified by a public key. • Public key is used to compute a hash of the executable • Hash is compared to the hash in the certificate itself • Over the years, extended with • Embedded catalog support (to avoid bloating executable size) • Support for page hashes (so that each page can be hashed at runtime) • Stricter requirements (now SHA-256 is used and keys are 2048-bit or more)
ENHANCED KEY USAGE • X.509 certificates are used by different applications for different intended purposes • SSL Encryption • EFS Encryption • Java Applet Signing • Windows Kernel Mode Driver Signing • …etc • The “EKUs” in a certificate, which are requested during the certificate creation through the CA process, allow the signature validation algorithm to make sure that the certificate is being used in accordance to its issuance rules • For example, if a Root CA issued a 19$ SSL Certificate, it should not be used in order to authenticate a Windows kernel-mode driver load
WINDOWS EKU USAGE • Windows traditionally only used one EKU to validate code signing requirements: • Code Signing (1.3.6.1.5.5.7.3.3) • A few other EKUs were used for WHQL and determining OS files • Microsoft Publisher (1.3.6.1.4.1.311.76.8.1) • Now this has changed with additional support for ELAM: • Early Launch Antimalware Driver (1.3.6.1.4.1.311.61.4.1) • And new Windows 8.1 PPL support: • Windows System Component Verification (1.3.6.1.4.1.311.10.3.6) • Protected Process Light Verification (1.3.6.1.4.1.311.10.3.22) • Windows TCB Component (1.3.6.1.4.1.311.10.3.23) • Windows 10 adds 2 additional EKUs
SAMPLE EKUS
SIGNATURE LEVELS
SIGNING LEVEL NUMBER • In Windows 8, the system needed to differentiate between Windows, Microsoft, and 3rd party signed files, instead of the black and white “signed or unsigned” choice • A system of integers was added in which each successive higher level indicates an increased amount of trust for the signer • 0->Unchecked, 1->Unsigned, 4->Authenticode, 8->Microsoft, 12->Windows • In Windows 8.1, this was extended to differentiate against the new types of processes and their protection levels • 6->Store, 7->Anti Malware, 14->Windows TCB • Other custom levels can be defined with a signing policy • Signing level is granted based on the root key, the EKUs, and the operating system usage/requirement
SIGNING LEVEL CHECKS • On Windows 8.1, signing levels are computed only for user-mode binaries that are run as protected processes • On Windows 8.1 RT, they are computed anytime a process launches, based on SeILSigningPolicy • Defaults to 8, can be configured through different signing policy • Process launch is not allowed if the User-Mode Code Integrity (UMCI) runtime does not allow the given certificate to grant the required signing level • This is called the Exe Signature Level • Each successful process launch also carries with it the Dll Signature Level • Image load is not allowed if UMCI runtime does not allow the certificate of any loaded DLL to grant the required section signing level
LEVELS DEMO
SECURE BOOT POLICY • The default signing levels are embedded inside the Windows Code Integrity Library (CI.DLL) • You can see their names by dumping the strings/resources inside Ci.dll • Documented on my blog • However, signing levels can be customized through the use of a custom Secure Boot Policy • Also allows customizing hash requirements, mapping to protected process signers, and more • Finally, signing levels can also be “runtime” registered • See blog for more details – used to allow 3rd party Anti-Malware developers to access level 7 • Policy is loaded from EFIMicrosoftBootSecureBootPolicy.p7b or UEFI Authenticated Variable “CurrentPolicy” or embedded inside Bootmgfw.efi
PROCESS PROTECTION
VISTA PROTECTED PROCESS • In Windows Vista, the term protected process was first introduced as a mechanism to protect the DRM requirements of the system • “Protected Media Path”, PMP requires trusted components all the way to the output source • Protected Processes had one bit set in the kernel EPROCESS structure at process launch time, if • CREATE_PROTECTED_PROCESS was passed to CreateProcess • Correct Windows Media DRM Certificate is present • Media Foundation API took care of implementation details • Protected Environment Authorization (Peauth.sys) handles the obfuscation, key exchange, etc… • PsIsProtectedProcess is documented for kernel-mode drivers and NtQueryInformationProcess can be used to check the PEB field as well
PROTECTED PROCESS RIGHTS • Once a process runs with the bit set, all of its threads and processes are protected against accesses except: • PROCESS/THREAD_QUERY_LIMITED_INFORMATION • PROCESS_TERMINATE • PROCESS/THREAD_SUSPEND_RESUME • SYNCHRONIZE • Only other protected processes can bypass the checks and use ACL instead • Debug/TCB privilege, SYSTEM account, does not carry any weight here! • In-box processes that run protected include • Mfpmp.exe (if playing protected media with WMP) • Audiodg.exe (Windows Audio Service Device Graph)
WINDOWS 8 • Minor change introduced in Windows 8, the ProtectedProcess bit disappears • OR’ing bit 1 to the SignatureLevel makes the process protected • Thus, Audiodg.exe is 5 on Windows 8, 9 on Windows 8 RT • Continues to be a DRM-enforcement mechanism only, however • Note that System process also runs as Protected • This prevents Administrators from accessing the handle table or user-mode virtual address space of the process • ASLR relocation information is stored in user-mode • Code Integrity catalogs, driver images, and other data, temporarily stored in user-mode as well! • Some DRM/crypto temporary data as well • Handles could be duplicated and lead to access to protected kernel resources, such as hibernation file, page file, registry hives and transactional logs
WINDOWS 8.1 • Adds a new “Protection” field to EPROCESS composed of three elements • Protected Signer • Protected Type • Auditing Mode • The Protected Signer is one of the root keys accepted by UMCI, possibly combined with one or more required EKUs • PsProtectedSignerAuthenticode = 0n1 • PsProtectedSignerCodeGen = 0n2 • PsProtectedSignerAntimalware = 0n3 • PsProtectedSignerLsa = 0n4 • PsProtectedSignerWindows = 0n5 • PsProtectedSignerWinTcb = 0n6
PROTECTED PROCESS LIGHT • The Protected Type is one of: • PsProtectedTypeProtectedLight = 0n1 OR PsProtectedTypeProtected = 0n2 • Combined together this creates a number such as 0x31 • Anti-Malware Protected Light • New API introduced for kernel: PsIsProcessProtectedLight. • User mode can also check PEB, or PROCESS_EXTENDED_BASIC_INFORMATION • Protected processes can only be accessed by Protected processes • Protected Light processes can only be accessed by Protected Light or higher processes • Each signer dominates the other and creates an access hierarchy • Different signers receive different access mask protections • See RtlProtectedAccess array (used by RtlTestProtectedAccess)
SYSTEM EFFECTS • LSA processes, Anti-Malware processes, and Windows TCB processes can no longer be killed • But suspension is still possible • Deprecates previous “Critical Process” functionality used to protect CSRSS and SMSS • Makes Windows 8 RT public jailbreak impossible to execute, as it requires injection of code into CSRSS • Makes injection/memory-based techniques for dumping LSA hashes, passwords, and secrets impossible • But only if LSA protection is enabled • Also makes it that much harder to steal (impersonate) a SYSTEM token
PROTECTION ATTRIBUTE • In Vista, CREATE_PROTECTED_PROCESS was the only flag needed for CreateProcess to do the right thing • But in Windows 8.1, how to specify the actual protection level required (type and signer?) • Using the new Protection Level Attribute (0x2000B) in the Process/Thread Attribute List • At the Win32 level, this is based on an undocumented enumeration: • 1 – Windows Signer, Protected Type • 2 – Windows Signer, Protected Light Type • 3 – Antimalware Signer, Protected Light Type • At the NT level, it is converted into the actual PS_PROTECTED_SIGNER and PS_PROTECTED_TYPE number we saw earlier
PROTECTION CHAIN • Recall that Windows 8.1 only checks signature levels if and only if a process is created requesting a protection level • Double-clicking a file on Explorer doesn’t do this • Therefore, there exists an implied “protection chain” that makes the system work: • The System process marks itself as protected • It launches SMSS requesting protection 0x61 • SMSS launches CSRSS requesting protection 0x61 • SMSS launches Wininit and Winlogon with no protection (Win 10: Wininit is 0x61) • Wininit launches LSASS with protection 0x41 (if configured) • Wininit launches SCM with protection 0x61 • But what about Anti-Malware?
PROTECTION DEMO
WINDBG ANALYSIS DEMO
SERVICE PROTECTION
PROTECTED SERVICES • Since Services.exe (aka the SCM/Service Control Manager) launches highly protected, this might imply that it can manage protected light processes… • Since Anti-Malware applications run protected, this implies something must have had launched them requesting a protection level… • Indeed, the key to Process Protection Light is that it must also allow 3rd party and/or non-System processes to also run protected • This is done by enhancing services to support a protection level of their own • In Windows 8,1 SERVICE_CONFIG_LAUNCH_PROTECTED can be sent to ChangeServiceConfig2, with a matching SERVICE_LAUNCH_PROTECTED_INFO structure and level • The SCM sends this protection level request in the CreateProcess call that it makes
PROTECTED SERVICES • The SCM API ultimately ends up setting the key “LaunchProtected” in the Services database entry in the registry • The following calls/commands immediately become blocked by non- protected callers: • ChangeServiceConfig(2) / sc config • ControlService(Ex) / sc start, stop, pause • DeleteService / sc delete • SetServiceObjectSecurity / sc privs • Check is done by the RPC Server inside SCM, using RtlTestProtectedAccess and by asking the kernel for the caller’s protection level • AppXSvc, sppsvc, WdNisSvc, WinDefend and WSService run protected in Windows 8.1 • Can check with “sc qprotection”
PROTECTED APPLICATIONS • Therefore, services ultimately are in charge of the last chain of protected process launches as they can use CreateProcess to spawn children that are also protected • Recall that the enumeration is undocumented, however! • Microsoft expects developers to thus use PROTECTION_LEVEL_SAME, which is documented as the only valid type for PROC_THREAD_ATTRIBUTE_PROTECTION_LEVEL • In this way, Anti-Malware services will spawn Anti-Malware processes, etc… • User-launched applications will never run protected, unless the application employs a type of self-launcher and/or COM activation launcher method and requests a protection level for its spawned clone
PROTECTED SERVICES DEMO
UEFI VARIABLES 101
UEFI VARIABLES (SPECIFICATION) • UEFI variables are used to control behavior of UEFI Boot Manager, Drivers, and Applications • Can also be used to define OS settings • Boot#### and Driver#### define drivers and boot applications. • BootCurrent, BootNext, BootOrder influence boot manager selection • DriverOrder influences driver ordering • Three types of UEFI variables exist • Boot Variables can only be seen while in “Boot Services” mode (in TSL or earlier) • Runtime Variables can be seen while in “Runtime” mode (RT or later) • Authenticated Variables are Authenticode-signed binary blobs that must be signed as per Secure Boot policy • Variables can also be volatile and/or read-only vs read-write • Variables live in different namespaces, identified by a GUID
UEFI VARIABLES (WINDOWS) • Windows provides user and kernel APIs for Firmware Variables • User-mode: Get/SetFirmwareEnvironmentVariableEx • Requires SE_SYSTEM_ENVIRONMENT_PRIVILEGE • Kernel-mode: ExGet/SetFirmwareEnvironmentVariable • Internally, kernel calls IoGet/SetEnvironmentVariable • Can use either the DeviceSysenv device if custom NVRAM is present, or the HAL in standard scenarios • Microsoft owns the following Vendor GUID. Used as KEK Signature Owner, Secure Boot Policy GUID, and also UEFI Variable Namespace GUID • {77fa9abd-0359-4d32-bd60-28f4e78f784b} [ExpSecureBootVendorGuid] • Variables that start with “Kernel_” are implicitly part of this namespace • User-mode uses NtSetSystemEnvironmentValueEx which prevents the above
LSASS PASS-THE-HASH PROTECTION
LSASS PROTECTED MODE • LSASS uses new Process Protection Level to prevent attacks from user-mode elevated caller • Runs as Protected Process Light, Protected Signer LSA • Disabled by default, since would now require DLLs to also be signed at least with the LSA or higher protected signer flag • To enable, set RunAsPPL in SYSTEMCurrentControlSetControlLsa • On UEFI systems, variable is mirrored into the UEFI firmware database • Kernel_Lsa_Ppl_Config is used as a Runtime EFI Variable • Microsoft provides reset UEFI binary to interactively remove UEFI protection • Both system variable and registry key must be deleted for LSA to revert to old behavior • Prevents operations against LSA except PROCESS_TERMINATE
DISABLING LSA PROTECTION • mountvol X: /s • copy C:LSAPPLConfig.efi X:EFIMicrosoftBootLSAPPLConfig.efi /Y • bcdedit /create {0cb3b571-2f2e-4343-a879-d86a476d7215} /d "DebugTool" /application osloader • bcdedit /set {0cb3b571-2f2e-4343-a879-d86a476d7215} path "EFIMicrosoftBootLSAPPLConfig.efi" • bcdedit /set {bootmgr} bootsequence {0cb3b571-2f2e-4343-a879- d86a476d7215} • bcdedit /set {0cb3b571-2f2e-4343-a879-d86a476d7215} loadoptions %1 • bcdedit /set {0cb3b571-2f2e-4343-a879-d86a476d7215} device partition=X: • mountvol X: /d
LSAPPLCONFIG.EFI VIDEO
PROTECTED PROCESSES AND CRASHES
TAKING A DUMP • When a Windows process crashes, the Windows Error Reporting infrastructure is activated in order to generate a mini-dump • Programs can do this on their own by using MiniDumpWriteDump • Procdump.exe, Taskmgr.exe, Windbg.exe all use this API • Quote “Windows Internals, 6th Edition”: • “Can also run protected” ???
WER FOR PROTECTED PROCESSES • If a protected process crashes, WER launches a special version of the WerFault.exe process, which has the correct EKUs for running as a protected process • It’s launched as Protected TCB (0x62) – or the highest possible level! • Because of its protection level, this version of WER is able to open handles to processes such as Csrss.exe and Smss.exe • And more interestingly, Lsass.exe if running with LSA Protection • It’s then able to call MiniDumpWriteDump without any problems • So we can we just force a protected process to crash? • Not obvious • But let’s cheat and use the kernel debugger…
PROTECTED CRASH DEMO
PROTECTED CRASH DEMO 2
PROTECTED CRASH ANALYSIS • By following the Procmon output we’ve just seen, the following command- line is visible: • WER parses the following options: • /h /s – Secure Dump • /pid – Crashing PID • /tid – Crashing TID • /type – Minidump Type (see MiniDumpWriteDump) • /file – Dump File Handle • /encfile – Encrypted Dump File Handle • /cancel – Event to Cancel Dump
TRICKING WER • By controlling the parameters that are passed to WER and using a flaw in the dumping process, one can cause WER to reveal the unencrypted contents of the dump • Patch for the issue is delayed to January – cannot reveal exact design flaw • Resulting dump is the same type of dump that ProcDump generates and which Windbg can open • And, more concretely, the same format dump that Mimikatz can parse when using the sekurlsa::minidump option • Thus, by leveraging a WER design flaw, the LSA Protection Mode can essentially be ignored/bypassed, and Mimikatz can continue to be used without requiring a driver
MIMIKATZ DEMO
OTHER ISSUES • As mentioned, LSASS is not the only process that leverages process protection levels • Other system issues can arise from the ability to dump protected processes • WER can do more than just create a dump of a process • Other potential issues can exist due to the ability to control WER • What about writing into a protected process? • No current public flaw exists. My RPC vulnerability presented at SyScan would be used to target protected processes that contain an RPC server and spray data inside of their memory • Fixed in October Patch Tuesday • However, I will be presenting new ALPC vulnerabilities at a later time • Ultimately, an admin can still cause dangerous environment changes which can affect protected processes
WINDOWS 10 AND CONCLUSION
WINDOWS 10: THE FUTURE • From Critical Process to Protected Process to Protected Process Light to ??? • “VSM” – Virtual Secure Machine? • “Hyper-V Secure Containers”? • “Isolated Process”? • “Secure Process”? • Windows 10 blog announced that in Windows 10, LSA credential information will be stored in a secured container/enclave leveraging Hyper-V Client • Latest builds of Windows 10 contain an “LsaIso.exe” process which is an early prototype of an isolated version of LSASS • Calls itself “VSMified LSASS” • Latest kernel contains “IsSecureProcess” in PROCESS_EXTENDED_INFORMATION and “SecureProcess” in KPROCESS->Flags • New Process Creation Attribute -- PsAttributeSecureProcess
CONCLUSION • Protected Processes in Windows 8.1 significantly increase the overall platform security • Less exploitable vulnerabilities • Tighter control of core system binaries • Anti-malware-type applications can survive manipulation and termination by admin-level malware • They do not protect against kernel attackers –boundary is at the user level • Desire of supporting customer crash scenarios through WER has resulted in a “backdoor” into the memory of protected processes • Will be fixed in January 2015 • Upcoming Windows 10 platform features will prevent this type of attack • Even from a kernel attacker!

Recommended

Mca ii os u-1 introduction to os
Mca ii os u-1 introduction to osMca ii os u-1 introduction to os
Mca ii os u-1 introduction to osRai University
 
UEFI Firmware Rootkits: Myths and Reality
UEFI Firmware Rootkits: Myths and RealityUEFI Firmware Rootkits: Myths and Reality
UEFI Firmware Rootkits: Myths and RealitySally Feller
 
Privilege Analysis with the Oracle Database
Privilege Analysis with the Oracle DatabasePrivilege Analysis with the Oracle Database
Privilege Analysis with the Oracle DatabaseMarkus Flechtner
 
CISSP - Chapter 4 - Network Fundamental
CISSP - Chapter 4 - Network FundamentalCISSP - Chapter 4 - Network Fundamental
CISSP - Chapter 4 - Network FundamentalKarthikeyan Dhayalan
 
Operations on Processes
Operations on ProcessesOperations on Processes
Operations on ProcessesNavid Daneshvaran
 
Os Threads
Os ThreadsOs Threads
Os ThreadsSalman Memon
 
HKG15-311: OP-TEE for Beginners and Porting Review
HKG15-311: OP-TEE for Beginners and Porting ReviewHKG15-311: OP-TEE for Beginners and Porting Review
HKG15-311: OP-TEE for Beginners and Porting ReviewLinaro
 
Deadlock in Operating System
Deadlock in Operating SystemDeadlock in Operating System
Deadlock in Operating SystemAUST
 

Recommended

Mca ii os u-1 introduction to os
Mca ii os u-1 introduction to osMca ii os u-1 introduction to os
Mca ii os u-1 introduction to osRai University
 
UEFI Firmware Rootkits: Myths and Reality
UEFI Firmware Rootkits: Myths and RealityUEFI Firmware Rootkits: Myths and Reality
UEFI Firmware Rootkits: Myths and RealitySally Feller
 
Privilege Analysis with the Oracle Database
Privilege Analysis with the Oracle DatabasePrivilege Analysis with the Oracle Database
Privilege Analysis with the Oracle DatabaseMarkus Flechtner
 
CISSP - Chapter 4 - Network Fundamental
CISSP - Chapter 4 - Network FundamentalCISSP - Chapter 4 - Network Fundamental
CISSP - Chapter 4 - Network FundamentalKarthikeyan Dhayalan
 
Operations on Processes
Operations on ProcessesOperations on Processes
Operations on ProcessesNavid Daneshvaran
 
Os Threads
Os ThreadsOs Threads
Os ThreadsSalman Memon
 
HKG15-311: OP-TEE for Beginners and Porting Review
HKG15-311: OP-TEE for Beginners and Porting ReviewHKG15-311: OP-TEE for Beginners and Porting Review
HKG15-311: OP-TEE for Beginners and Porting ReviewLinaro
 
Deadlock in Operating System
Deadlock in Operating SystemDeadlock in Operating System
Deadlock in Operating SystemAUST
 
Process synchronization
Process synchronizationProcess synchronization
Process synchronizationAli Ahmad
 
Process Synchronization And Deadlocks
Process Synchronization And DeadlocksProcess Synchronization And Deadlocks
Process Synchronization And Deadlockstech2click
 
Synchronization linux
Synchronization linuxSynchronization linux
Synchronization linuxSusant Sahani
 
Processes and threads
Processes and threadsProcesses and threads
Processes and threadsKrasimir Berov (Красимир Беров)
 
Evading Microsoft ATA for Active Directory Domination
Evading Microsoft ATA for Active Directory DominationEvading Microsoft ATA for Active Directory Domination
Evading Microsoft ATA for Active Directory DominationNikhil Mittal
 
BUD17-400: Secure Data Path with OPTEE
BUD17-400: Secure Data Path with OPTEE BUD17-400: Secure Data Path with OPTEE
BUD17-400: Secure Data Path with OPTEE Linaro
 
Windows internals Essentials
Windows internals EssentialsWindows internals Essentials
Windows internals EssentialsJohn Ombagi
 
Lcu14 107- op-tee on ar mv8
Lcu14 107- op-tee on ar mv8Lcu14 107- op-tee on ar mv8
Lcu14 107- op-tee on ar mv8Linaro
 
Understanding oracle rac internals part 2 - slides
Understanding oracle rac internals part 2 - slidesUnderstanding oracle rac internals part 2 - slides
Understanding oracle rac internals part 2 - slidesMohamed Farouk
 
Windows 10 Forensics: OS Evidentiary Artefacts
Windows 10 Forensics: OS Evidentiary ArtefactsWindows 10 Forensics: OS Evidentiary Artefacts
Windows 10 Forensics: OS Evidentiary ArtefactsBrent Muir
 
Storage Management
Storage ManagementStorage Management
Storage ManagementSURBHI SAROHA
 
Cs8493 unit 3
Cs8493 unit 3Cs8493 unit 3
Cs8493 unit 3Kathirvel Ayyaswamy
 
CS6401 OPERATING SYSTEMS Unit 2
CS6401 OPERATING SYSTEMS Unit 2CS6401 OPERATING SYSTEMS Unit 2
CS6401 OPERATING SYSTEMS Unit 2Kathirvel Ayyaswamy
 
Os unit 3 , process management
Os unit 3 , process managementOs unit 3 , process management
Os unit 3 , process managementArnav Chowdhury
 
Cs8493 unit 2
Cs8493 unit 2Cs8493 unit 2
Cs8493 unit 2Kathirvel Ayyaswamy
 
Threads in Operating System | Multithreading | Interprocess Communication
Threads in Operating System | Multithreading | Interprocess CommunicationThreads in Operating System | Multithreading | Interprocess Communication
Threads in Operating System | Multithreading | Interprocess CommunicationShivam Mitra
 
Architecture Of The Linux Kernel
Architecture Of The Linux KernelArchitecture Of The Linux Kernel
Architecture Of The Linux Kernelguest547d74
 
Less07 storage
Less07 storageLess07 storage
Less07 storageAmit Bhalla
 
Your tuning arsenal: AWR, ADDM, ASH, Metrics and Advisors
Your tuning arsenal: AWR, ADDM, ASH, Metrics and AdvisorsYour tuning arsenal: AWR, ADDM, ASH, Metrics and Advisors
Your tuning arsenal: AWR, ADDM, ASH, Metrics and AdvisorsJohn Kanagaraj
 
Understand and optimize Linux I/O
Understand and optimize Linux I/OUnderstand and optimize Linux I/O
Understand and optimize Linux I/OAndrea Righi
 
NSC #2 - D3 01 - Thomas Braden - Exploitation of hardened MSP430-based device
NSC #2 - D3 01 - Thomas Braden - Exploitation of hardened MSP430-based deviceNSC #2 - D3 01 - Thomas Braden - Exploitation of hardened MSP430-based device
NSC #2 - D3 01 - Thomas Braden - Exploitation of hardened MSP430-based deviceNoSuchCon
 
NSC #2 - Challenge Introduction
NSC #2 - Challenge IntroductionNSC #2 - Challenge Introduction
NSC #2 - Challenge IntroductionNoSuchCon
 

More Related Content

What's hot

Process synchronization
Process synchronizationProcess synchronization
Process synchronizationAli Ahmad
 
Process Synchronization And Deadlocks
Process Synchronization And DeadlocksProcess Synchronization And Deadlocks
Process Synchronization And Deadlockstech2click
 
Synchronization linux
Synchronization linuxSynchronization linux
Synchronization linuxSusant Sahani
 
Evading Microsoft ATA for Active Directory Domination
Evading Microsoft ATA for Active Directory DominationEvading Microsoft ATA for Active Directory Domination
Evading Microsoft ATA for Active Directory DominationNikhil Mittal
 
BUD17-400: Secure Data Path with OPTEE
BUD17-400: Secure Data Path with OPTEE BUD17-400: Secure Data Path with OPTEE
BUD17-400: Secure Data Path with OPTEE Linaro
 
Windows internals Essentials
Windows internals EssentialsWindows internals Essentials
Windows internals EssentialsJohn Ombagi
 
Lcu14 107- op-tee on ar mv8
Lcu14 107- op-tee on ar mv8Lcu14 107- op-tee on ar mv8
Lcu14 107- op-tee on ar mv8Linaro
 
Understanding oracle rac internals part 2 - slides
Understanding oracle rac internals part 2 - slidesUnderstanding oracle rac internals part 2 - slides
Understanding oracle rac internals part 2 - slidesMohamed Farouk
 
Windows 10 Forensics: OS Evidentiary Artefacts
Windows 10 Forensics: OS Evidentiary ArtefactsWindows 10 Forensics: OS Evidentiary Artefacts
Windows 10 Forensics: OS Evidentiary ArtefactsBrent Muir
 
Storage Management
Storage ManagementStorage Management
Storage ManagementSURBHI SAROHA
 
CS6401 OPERATING SYSTEMS Unit 2
CS6401 OPERATING SYSTEMS Unit 2CS6401 OPERATING SYSTEMS Unit 2
CS6401 OPERATING SYSTEMS Unit 2Kathirvel Ayyaswamy
 
Os unit 3 , process management
Os unit 3 , process managementOs unit 3 , process management
Os unit 3 , process managementArnav Chowdhury
 
Threads in Operating System | Multithreading | Interprocess Communication
Threads in Operating System | Multithreading | Interprocess CommunicationThreads in Operating System | Multithreading | Interprocess Communication
Threads in Operating System | Multithreading | Interprocess CommunicationShivam Mitra
 
Architecture Of The Linux Kernel
Architecture Of The Linux KernelArchitecture Of The Linux Kernel
Architecture Of The Linux Kernelguest547d74
 
Less07 storage
Less07 storageLess07 storage
Less07 storageAmit Bhalla
 
Your tuning arsenal: AWR, ADDM, ASH, Metrics and Advisors
Your tuning arsenal: AWR, ADDM, ASH, Metrics and AdvisorsYour tuning arsenal: AWR, ADDM, ASH, Metrics and Advisors
Your tuning arsenal: AWR, ADDM, ASH, Metrics and AdvisorsJohn Kanagaraj
 
Understand and optimize Linux I/O
Understand and optimize Linux I/OUnderstand and optimize Linux I/O
Understand and optimize Linux I/OAndrea Righi
 

What's hot (20)

Process synchronization
Process synchronizationProcess synchronization
Process synchronization
 
Process Synchronization And Deadlocks
Process Synchronization And DeadlocksProcess Synchronization And Deadlocks
Process Synchronization And Deadlocks
 
Synchronization linux
Synchronization linuxSynchronization linux
Synchronization linux
 
Processes and threads
Processes and threadsProcesses and threads
Processes and threads
 
Evading Microsoft ATA for Active Directory Domination
Evading Microsoft ATA for Active Directory DominationEvading Microsoft ATA for Active Directory Domination
Evading Microsoft ATA for Active Directory Domination
 
BUD17-400: Secure Data Path with OPTEE
BUD17-400: Secure Data Path with OPTEE BUD17-400: Secure Data Path with OPTEE
BUD17-400: Secure Data Path with OPTEE
 
Windows internals Essentials
Windows internals EssentialsWindows internals Essentials
Windows internals Essentials
 
Lcu14 107- op-tee on ar mv8
Lcu14 107- op-tee on ar mv8Lcu14 107- op-tee on ar mv8
Lcu14 107- op-tee on ar mv8
 
Understanding oracle rac internals part 2 - slides
Understanding oracle rac internals part 2 - slidesUnderstanding oracle rac internals part 2 - slides
Understanding oracle rac internals part 2 - slides
 
Windows 10 Forensics: OS Evidentiary Artefacts
Windows 10 Forensics: OS Evidentiary ArtefactsWindows 10 Forensics: OS Evidentiary Artefacts
Windows 10 Forensics: OS Evidentiary Artefacts
 
Storage Management
Storage ManagementStorage Management
Storage Management
 
Cs8493 unit 3
Cs8493 unit 3Cs8493 unit 3
Cs8493 unit 3
 
CS6401 OPERATING SYSTEMS Unit 2
CS6401 OPERATING SYSTEMS Unit 2CS6401 OPERATING SYSTEMS Unit 2
CS6401 OPERATING SYSTEMS Unit 2
 
Os unit 3 , process management
Os unit 3 , process managementOs unit 3 , process management
Os unit 3 , process management
 
Cs8493 unit 2
Cs8493 unit 2Cs8493 unit 2
Cs8493 unit 2
 
Threads in Operating System | Multithreading | Interprocess Communication
Threads in Operating System | Multithreading | Interprocess CommunicationThreads in Operating System | Multithreading | Interprocess Communication
Threads in Operating System | Multithreading | Interprocess Communication
 
Architecture Of The Linux Kernel
Architecture Of The Linux KernelArchitecture Of The Linux Kernel
Architecture Of The Linux Kernel
 
Less07 storage
Less07 storageLess07 storage
Less07 storage
 
Your tuning arsenal: AWR, ADDM, ASH, Metrics and Advisors
Your tuning arsenal: AWR, ADDM, ASH, Metrics and AdvisorsYour tuning arsenal: AWR, ADDM, ASH, Metrics and Advisors
Your tuning arsenal: AWR, ADDM, ASH, Metrics and Advisors
 
Understand and optimize Linux I/O
Understand and optimize Linux I/OUnderstand and optimize Linux I/O
Understand and optimize Linux I/O
 

Viewers also liked

NSC #2 - D3 01 - Thomas Braden - Exploitation of hardened MSP430-based device
NSC #2 - D3 01 - Thomas Braden - Exploitation of hardened MSP430-based deviceNSC #2 - D3 01 - Thomas Braden - Exploitation of hardened MSP430-based device
NSC #2 - D3 01 - Thomas Braden - Exploitation of hardened MSP430-based deviceNoSuchCon
 
NSC #2 - Challenge Introduction
NSC #2 - Challenge IntroductionNSC #2 - Challenge Introduction
NSC #2 - Challenge IntroductionNoSuchCon
 
NSC #2 - D3 03 - Jean-Philippe Aumasson - Cryptographic Backdooring
NSC #2 - D3 03 - Jean-Philippe Aumasson - Cryptographic BackdooringNSC #2 - D3 03 - Jean-Philippe Aumasson - Cryptographic Backdooring
NSC #2 - D3 03 - Jean-Philippe Aumasson - Cryptographic BackdooringNoSuchCon
 
NSC #2 - Challenge Solution
NSC #2 - Challenge SolutionNSC #2 - Challenge Solution
NSC #2 - Challenge SolutionNoSuchCon
 
NSC #2 - D2 06 - Richard Johnson - SAGEly Advice
NSC #2 - D2 06 - Richard Johnson - SAGEly AdviceNSC #2 - D2 06 - Richard Johnson - SAGEly Advice
NSC #2 - D2 06 - Richard Johnson - SAGEly AdviceNoSuchCon
 
NSC #2 - D2 05 - Andrea Barisani - Forging the USB Armory
NSC #2 - D2 05 - Andrea Barisani - Forging the USB ArmoryNSC #2 - D2 05 - Andrea Barisani - Forging the USB Armory
NSC #2 - D2 05 - Andrea Barisani - Forging the USB ArmoryNoSuchCon
 
NSC #2 - D3 02 - Peter Hlavaty - Attack on the Core
NSC #2 - D3 02 - Peter Hlavaty - Attack on the CoreNSC #2 - D3 02 - Peter Hlavaty - Attack on the Core
NSC #2 - D3 02 - Peter Hlavaty - Attack on the CoreNoSuchCon
 
NSC #2 - D2 01 - Andrea Allievi - Windows 8.1 Patch Protections
NSC #2 - D2 01 - Andrea Allievi - Windows 8.1 Patch ProtectionsNSC #2 - D2 01 - Andrea Allievi - Windows 8.1 Patch Protections
NSC #2 - D2 01 - Andrea Allievi - Windows 8.1 Patch ProtectionsNoSuchCon
 
NSC #2 - D1 03 - SĂŠbastien Dudek - HomePlugAV PLC
NSC #2 - D1 03 - SĂŠbastien Dudek - HomePlugAV PLCNSC #2 - D1 03 - SĂŠbastien Dudek - HomePlugAV PLC
NSC #2 - D1 03 - SĂŠbastien Dudek - HomePlugAV PLCNoSuchCon
 
NSC #2 - D1 02 - Georgi Geshev - Your Q is my Q
NSC #2 - D1 02 - Georgi Geshev - Your Q is my QNSC #2 - D1 02 - Georgi Geshev - Your Q is my Q
NSC #2 - D1 02 - Georgi Geshev - Your Q is my QNoSuchCon
 
NSC #2 - D3 04 - Guillaume Valadon & Nicolas Vivet - Detecting BGP hijacks
NSC #2 - D3 04 - Guillaume Valadon & Nicolas Vivet - Detecting BGP hijacksNSC #2 - D3 04 - Guillaume Valadon & Nicolas Vivet - Detecting BGP hijacks
NSC #2 - D3 04 - Guillaume Valadon & Nicolas Vivet - Detecting BGP hijacksNoSuchCon
 
NSC #2 - D1 01 - Rolf Rolles - Program synthesis in reverse engineering
NSC #2 - D1 01 - Rolf Rolles - Program synthesis in reverse engineeringNSC #2 - D1 01 - Rolf Rolles - Program synthesis in reverse engineering
NSC #2 - D1 01 - Rolf Rolles - Program synthesis in reverse engineeringNoSuchCon
 
NSC #2 - D2 02 - Benjamin Delpy - Mimikatz
NSC #2 - D2 02 - Benjamin Delpy - MimikatzNSC #2 - D2 02 - Benjamin Delpy - Mimikatz
NSC #2 - D2 02 - Benjamin Delpy - MimikatzNoSuchCon
 
NSC #2 - D2 04 - Ezequiel Gutesman - Blended Web and Database Attacks
NSC #2 - D2 04 - Ezequiel Gutesman - Blended Web and Database AttacksNSC #2 - D2 04 - Ezequiel Gutesman - Blended Web and Database Attacks
NSC #2 - D2 04 - Ezequiel Gutesman - Blended Web and Database AttacksNoSuchCon
 
NSC #2 - D2 03 - Nicolas Collignon - Google Apps Engine Security
NSC #2 - D2 03 - Nicolas Collignon - Google Apps Engine SecurityNSC #2 - D2 03 - Nicolas Collignon - Google Apps Engine Security
NSC #2 - D2 03 - Nicolas Collignon - Google Apps Engine SecurityNoSuchCon
 
NSC #2 - D1 05 - Renaud Lifchitz - Quantum computing in practice
NSC #2 - D1 05 - Renaud Lifchitz - Quantum computing in practiceNSC #2 - D1 05 - Renaud Lifchitz - Quantum computing in practice
NSC #2 - D1 05 - Renaud Lifchitz - Quantum computing in practiceNoSuchCon
 

Viewers also liked (16)

NSC #2 - D3 01 - Thomas Braden - Exploitation of hardened MSP430-based device
NSC #2 - D3 01 - Thomas Braden - Exploitation of hardened MSP430-based deviceNSC #2 - D3 01 - Thomas Braden - Exploitation of hardened MSP430-based device
NSC #2 - D3 01 - Thomas Braden - Exploitation of hardened MSP430-based device
 
NSC #2 - Challenge Introduction
NSC #2 - Challenge IntroductionNSC #2 - Challenge Introduction
NSC #2 - Challenge Introduction
 
NSC #2 - D3 03 - Jean-Philippe Aumasson - Cryptographic Backdooring
NSC #2 - D3 03 - Jean-Philippe Aumasson - Cryptographic BackdooringNSC #2 - D3 03 - Jean-Philippe Aumasson - Cryptographic Backdooring
NSC #2 - D3 03 - Jean-Philippe Aumasson - Cryptographic Backdooring
 
NSC #2 - Challenge Solution
NSC #2 - Challenge SolutionNSC #2 - Challenge Solution
NSC #2 - Challenge Solution
 
NSC #2 - D2 06 - Richard Johnson - SAGEly Advice
NSC #2 - D2 06 - Richard Johnson - SAGEly AdviceNSC #2 - D2 06 - Richard Johnson - SAGEly Advice
NSC #2 - D2 06 - Richard Johnson - SAGEly Advice
 
NSC #2 - D2 05 - Andrea Barisani - Forging the USB Armory
NSC #2 - D2 05 - Andrea Barisani - Forging the USB ArmoryNSC #2 - D2 05 - Andrea Barisani - Forging the USB Armory
NSC #2 - D2 05 - Andrea Barisani - Forging the USB Armory
 
NSC #2 - D3 02 - Peter Hlavaty - Attack on the Core
NSC #2 - D3 02 - Peter Hlavaty - Attack on the CoreNSC #2 - D3 02 - Peter Hlavaty - Attack on the Core
NSC #2 - D3 02 - Peter Hlavaty - Attack on the Core
 
NSC #2 - D2 01 - Andrea Allievi - Windows 8.1 Patch Protections
NSC #2 - D2 01 - Andrea Allievi - Windows 8.1 Patch ProtectionsNSC #2 - D2 01 - Andrea Allievi - Windows 8.1 Patch Protections
NSC #2 - D2 01 - Andrea Allievi - Windows 8.1 Patch Protections
 
NSC #2 - D1 03 - SĂŠbastien Dudek - HomePlugAV PLC
NSC #2 - D1 03 - SĂŠbastien Dudek - HomePlugAV PLCNSC #2 - D1 03 - SĂŠbastien Dudek - HomePlugAV PLC
NSC #2 - D1 03 - SĂŠbastien Dudek - HomePlugAV PLC
 
NSC #2 - D1 02 - Georgi Geshev - Your Q is my Q
NSC #2 - D1 02 - Georgi Geshev - Your Q is my QNSC #2 - D1 02 - Georgi Geshev - Your Q is my Q
NSC #2 - D1 02 - Georgi Geshev - Your Q is my Q
 
NSC #2 - D3 04 - Guillaume Valadon & Nicolas Vivet - Detecting BGP hijacks
NSC #2 - D3 04 - Guillaume Valadon & Nicolas Vivet - Detecting BGP hijacksNSC #2 - D3 04 - Guillaume Valadon & Nicolas Vivet - Detecting BGP hijacks
NSC #2 - D3 04 - Guillaume Valadon & Nicolas Vivet - Detecting BGP hijacks
 
NSC #2 - D1 01 - Rolf Rolles - Program synthesis in reverse engineering
NSC #2 - D1 01 - Rolf Rolles - Program synthesis in reverse engineeringNSC #2 - D1 01 - Rolf Rolles - Program synthesis in reverse engineering
NSC #2 - D1 01 - Rolf Rolles - Program synthesis in reverse engineering
 
NSC #2 - D2 02 - Benjamin Delpy - Mimikatz
NSC #2 - D2 02 - Benjamin Delpy - MimikatzNSC #2 - D2 02 - Benjamin Delpy - Mimikatz
NSC #2 - D2 02 - Benjamin Delpy - Mimikatz
 
NSC #2 - D2 04 - Ezequiel Gutesman - Blended Web and Database Attacks
NSC #2 - D2 04 - Ezequiel Gutesman - Blended Web and Database AttacksNSC #2 - D2 04 - Ezequiel Gutesman - Blended Web and Database Attacks
NSC #2 - D2 04 - Ezequiel Gutesman - Blended Web and Database Attacks
 
NSC #2 - D2 03 - Nicolas Collignon - Google Apps Engine Security
NSC #2 - D2 03 - Nicolas Collignon - Google Apps Engine SecurityNSC #2 - D2 03 - Nicolas Collignon - Google Apps Engine Security
NSC #2 - D2 03 - Nicolas Collignon - Google Apps Engine Security
 
NSC #2 - D1 05 - Renaud Lifchitz - Quantum computing in practice
NSC #2 - D1 05 - Renaud Lifchitz - Quantum computing in practiceNSC #2 - D1 05 - Renaud Lifchitz - Quantum computing in practice
NSC #2 - D1 05 - Renaud Lifchitz - Quantum computing in practice
 

Similar to NSC #2 - D3 05 - Alex Ionescu- Breaking Protected Processes

Ch 8: Desktop and Server OS Vulnerabilites
Ch 8: Desktop and Server OS VulnerabilitesCh 8: Desktop and Server OS Vulnerabilites
Ch 8: Desktop and Server OS VulnerabilitesSam Bowne
 
UKC - Feb 2013 - Analyzing the security of Windows 7 and Linux for cloud comp...
UKC - Feb 2013 - Analyzing the security of Windows 7 and Linux for cloud comp...UKC - Feb 2013 - Analyzing the security of Windows 7 and Linux for cloud comp...
UKC - Feb 2013 - Analyzing the security of Windows 7 and Linux for cloud comp...Vincent Giersch
 
Finding The Weak Link in Windows Binaries
Finding The Weak Link in Windows BinariesFinding The Weak Link in Windows Binaries
Finding The Weak Link in Windows BinariesOllie Whitehouse
 
CNIT 123: 8: Desktop and Server OS Vulnerabilites
CNIT 123: 8: Desktop and Server OS VulnerabilitesCNIT 123: 8: Desktop and Server OS Vulnerabilites
CNIT 123: 8: Desktop and Server OS VulnerabilitesSam Bowne
 
SSecuring Your MongoDB Deployment
SSecuring Your MongoDB DeploymentSSecuring Your MongoDB Deployment
SSecuring Your MongoDB DeploymentMongoDB
 
Developing for Industrial IoT with Linux OS on DragonBoard™ 410c: Session 4
Developing for Industrial IoT with Linux OS on DragonBoard™ 410c: Session 4Developing for Industrial IoT with Linux OS on DragonBoard™ 410c: Session 4
Developing for Industrial IoT with Linux OS on DragonBoard™ 410c: Session 4Qualcomm Developer Network
 
Enterprise Node - Securing Your Environment
Enterprise Node - Securing Your EnvironmentEnterprise Node - Securing Your Environment
Enterprise Node - Securing Your EnvironmentKurtis Kemple
 
CNIT 121: 12 Investigating Windows Systems (Part 2 of 3)
CNIT 121: 12 Investigating Windows Systems (Part 2 of 3)CNIT 121: 12 Investigating Windows Systems (Part 2 of 3)
CNIT 121: 12 Investigating Windows Systems (Part 2 of 3)Sam Bowne
 
CNIT 123: 6: Enumeration
CNIT 123: 6: EnumerationCNIT 123: 6: Enumeration
CNIT 123: 6: EnumerationSam Bowne
 
Defcon 25 Packet Hacking Village - Finding Your Way to Domain Access
Defcon 25 Packet Hacking Village - Finding Your Way to Domain AccessDefcon 25 Packet Hacking Village - Finding Your Way to Domain Access
Defcon 25 Packet Hacking Village - Finding Your Way to Domain Accesseightbit
 
W982 05092004
W982 05092004W982 05092004
W982 05092004Sumit Tambe
 
CNIT 123 Ch 8: OS Vulnerabilities
CNIT 123 Ch 8: OS VulnerabilitiesCNIT 123 Ch 8: OS Vulnerabilities
CNIT 123 Ch 8: OS VulnerabilitiesSam Bowne
 
CNIT 123 8: Desktop and Server OS Vulnerabilities
CNIT 123 8: Desktop and Server OS VulnerabilitiesCNIT 123 8: Desktop and Server OS Vulnerabilities
CNIT 123 8: Desktop and Server OS VulnerabilitiesSam Bowne
 
System Event Logs
System Event LogsSystem Event Logs
System Event Logsprimeteacher32
 
20-security.ppt
20-security.ppt20-security.ppt
20-security.pptajajkhan16
 
CNIT 152: 10 Enterprise Services
CNIT 152: 10 Enterprise ServicesCNIT 152: 10 Enterprise Services
CNIT 152: 10 Enterprise ServicesSam Bowne
 
Dakotacon 2017
Dakotacon 2017Dakotacon 2017
Dakotacon 2017Blue Teamer
 
Microsoft (Data Protection Solutions)
Microsoft (Data Protection Solutions)Microsoft (Data Protection Solutions)
Microsoft (Data Protection Solutions)Vinayak Hegde
 
CNIT 121: 10 Enterprise Services
CNIT 121: 10 Enterprise ServicesCNIT 121: 10 Enterprise Services
CNIT 121: 10 Enterprise ServicesSam Bowne
 

Similar to NSC #2 - D3 05 - Alex Ionescu- Breaking Protected Processes (20)

Ch 8: Desktop and Server OS Vulnerabilites
Ch 8: Desktop and Server OS VulnerabilitesCh 8: Desktop and Server OS Vulnerabilites
Ch 8: Desktop and Server OS Vulnerabilites
 
UKC - Feb 2013 - Analyzing the security of Windows 7 and Linux for cloud comp...
UKC - Feb 2013 - Analyzing the security of Windows 7 and Linux for cloud comp...UKC - Feb 2013 - Analyzing the security of Windows 7 and Linux for cloud comp...
UKC - Feb 2013 - Analyzing the security of Windows 7 and Linux for cloud comp...
 
Finding The Weak Link in Windows Binaries
Finding The Weak Link in Windows BinariesFinding The Weak Link in Windows Binaries
Finding The Weak Link in Windows Binaries
 
CNIT 123: 8: Desktop and Server OS Vulnerabilites
CNIT 123: 8: Desktop and Server OS VulnerabilitesCNIT 123: 8: Desktop and Server OS Vulnerabilites
CNIT 123: 8: Desktop and Server OS Vulnerabilites
 
SSecuring Your MongoDB Deployment
SSecuring Your MongoDB DeploymentSSecuring Your MongoDB Deployment
SSecuring Your MongoDB Deployment
 
Powering up on power shell avengercon - 2018
Powering up on power shell avengercon - 2018Powering up on power shell avengercon - 2018
Powering up on power shell avengercon - 2018
 
Developing for Industrial IoT with Linux OS on DragonBoard™ 410c: Session 4
Developing for Industrial IoT with Linux OS on DragonBoard™ 410c: Session 4Developing for Industrial IoT with Linux OS on DragonBoard™ 410c: Session 4
Developing for Industrial IoT with Linux OS on DragonBoard™ 410c: Session 4
 
Enterprise Node - Securing Your Environment
Enterprise Node - Securing Your EnvironmentEnterprise Node - Securing Your Environment
Enterprise Node - Securing Your Environment
 
CNIT 121: 12 Investigating Windows Systems (Part 2 of 3)
CNIT 121: 12 Investigating Windows Systems (Part 2 of 3)CNIT 121: 12 Investigating Windows Systems (Part 2 of 3)
CNIT 121: 12 Investigating Windows Systems (Part 2 of 3)
 
CNIT 123: 6: Enumeration
CNIT 123: 6: EnumerationCNIT 123: 6: Enumeration
CNIT 123: 6: Enumeration
 
Defcon 25 Packet Hacking Village - Finding Your Way to Domain Access
Defcon 25 Packet Hacking Village - Finding Your Way to Domain AccessDefcon 25 Packet Hacking Village - Finding Your Way to Domain Access
Defcon 25 Packet Hacking Village - Finding Your Way to Domain Access
 
W982 05092004
W982 05092004W982 05092004
W982 05092004
 
CNIT 123 Ch 8: OS Vulnerabilities
CNIT 123 Ch 8: OS VulnerabilitiesCNIT 123 Ch 8: OS Vulnerabilities
CNIT 123 Ch 8: OS Vulnerabilities
 
CNIT 123 8: Desktop and Server OS Vulnerabilities
CNIT 123 8: Desktop and Server OS VulnerabilitiesCNIT 123 8: Desktop and Server OS Vulnerabilities
CNIT 123 8: Desktop and Server OS Vulnerabilities
 
System Event Logs
System Event LogsSystem Event Logs
System Event Logs
 
20-security.ppt
20-security.ppt20-security.ppt
20-security.ppt
 
CNIT 152: 10 Enterprise Services
CNIT 152: 10 Enterprise ServicesCNIT 152: 10 Enterprise Services
CNIT 152: 10 Enterprise Services
 
Dakotacon 2017
Dakotacon 2017Dakotacon 2017
Dakotacon 2017
 
Microsoft (Data Protection Solutions)
Microsoft (Data Protection Solutions)Microsoft (Data Protection Solutions)
Microsoft (Data Protection Solutions)
 
CNIT 121: 10 Enterprise Services
CNIT 121: 10 Enterprise ServicesCNIT 121: 10 Enterprise Services
CNIT 121: 10 Enterprise Services
 

Recently uploaded

Presentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreterPresentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreternaman860154
 
🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘RTylerCroy
 
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...Neo4j
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking MenDelhi Call girls
 
presentation ICT roal in 21st century education
presentation ICT roal in 21st century educationpresentation ICT roal in 21st century education
presentation ICT roal in 21st century educationjfdjdjcjdnsjd
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Drew Madelung
 
Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfsudhanshuwaghmare1
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerThousandEyes
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationMichael W. Hawkins
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)Gabriella Davis
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking MenDelhi Call girls
 
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking MenDelhi Call girls
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationSafe Software
 
Artificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsArtificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsJoaquim Jorge
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsEnterprise Knowledge
 
Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processorsdebabhi2
 
Handwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsHandwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsMaria Levchenko
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerThousandEyes
 
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoffsammart93
 
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdfUnderstanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdfUK Journal
 

Recently uploaded (20)

Presentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreterPresentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreter
 
🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘
 
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
 
presentation ICT roal in 21st century education
presentation ICT roal in 21st century educationpresentation ICT roal in 21st century education
presentation ICT roal in 21st century education
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
 
Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdf
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day Presentation
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men
 
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
 
Artificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsArtificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and Myths
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI Solutions
 
Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processors
 
Handwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsHandwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed texts
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
 
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdfUnderstanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
 

NSC #2 - D3 05 - Alex Ionescu- Breaking Protected Processes

  • 1. UNREAL MODE: BREAKING PROTECTED PROCESSES Alex Ionescu http://www.alex-Ionescu.com NSC 2014 @aionescu
  • 2. ABOUT ALEX IONESCU • Chief Architect at CrowdStrike, a security startup • Previously worked at Apple on iOS Core Platform Team • Co-author of Windows Internals 5th and 6th Editions • Reverse engineering NT since 2000 – main kernel developer of ReactOS • Instructor of worldwide Windows internals classes • Conference speaking: • SyScan 2014-2012 • NoSuchCon 2014-2013, Breakpoint 2012 • Recon 2014-2010, 2006 • Blackhat 2013, 2008 • For more info, see www.alex-ionescu.com • Twitter: @aionescu
  • 3. INTRODUCTION • Windows Vista introduced core changes to the kernel to allow atomic, kernel-driven process creation inside of a “protected environment” • Used to protect access to the DRM keys and to secure the System process • Windows 8.1 extends that model in order to protect key non-DRM system processes even from Admin, and to mitigate against pass-the-hash attacks • Digital signatures and code signing now add an additional boundary of protection beyond load/don’t load • Similar to the iOS Entitlement Model • Mechanisms change a few core security paradigms: • Admin == Kernel is something that Microsoft has sometimes disagreed with, especially in light of PatchGuard, Code Signing and DRM. Now it’s really != • Unkillable processes and unstoppable services are now something supported and documented for developer (mis)use
  • 4. OUTLINE • Introduction • Code Signing 101 • Signature Levels • Process and Service Protection • UEFI Variables 101 • LSASS Pass-the-Hash Protection • Windows 10 Hyper-V Process Containers • Conclusion
  • 6. AUTHENTICODE • For almost two decades, Portable Executable format (PE) supports Digital Code Signing through the Microsoft Authenticode standard • Digital certificate (X.509 standard) contains a signature that ties the application to a publisher (or “signer”) that is identified by a public key. • Public key is used to compute a hash of the executable • Hash is compared to the hash in the certificate itself • Over the years, extended with • Embedded catalog support (to avoid bloating executable size) • Support for page hashes (so that each page can be hashed at runtime) • Stricter requirements (now SHA-256 is used and keys are 2048-bit or more)
  • 7. ENHANCED KEY USAGE • X.509 certificates are used by different applications for different intended purposes • SSL Encryption • EFS Encryption • Java Applet Signing • Windows Kernel Mode Driver Signing • …etc • The “EKUs” in a certificate, which are requested during the certificate creation through the CA process, allow the signature validation algorithm to make sure that the certificate is being used in accordance to its issuance rules • For example, if a Root CA issued a 19$ SSL Certificate, it should not be used in order to authenticate a Windows kernel-mode driver load
  • 8. WINDOWS EKU USAGE • Windows traditionally only used one EKU to validate code signing requirements: • Code Signing (1.3.6.1.5.5.7.3.3) • A few other EKUs were used for WHQL and determining OS files • Microsoft Publisher (1.3.6.1.4.1.311.76.8.1) • Now this has changed with additional support for ELAM: • Early Launch Antimalware Driver (1.3.6.1.4.1.311.61.4.1) • And new Windows 8.1 PPL support: • Windows System Component Verification (1.3.6.1.4.1.311.10.3.6) • Protected Process Light Verification (1.3.6.1.4.1.311.10.3.22) • Windows TCB Component (1.3.6.1.4.1.311.10.3.23) • Windows 10 adds 2 additional EKUs
  • 11. SIGNING LEVEL NUMBER • In Windows 8, the system needed to differentiate between Windows, Microsoft, and 3rd party signed files, instead of the black and white “signed or unsigned” choice • A system of integers was added in which each successive higher level indicates an increased amount of trust for the signer • 0->Unchecked, 1->Unsigned, 4->Authenticode, 8->Microsoft, 12->Windows • In Windows 8.1, this was extended to differentiate against the new types of processes and their protection levels • 6->Store, 7->Anti Malware, 14->Windows TCB • Other custom levels can be defined with a signing policy • Signing level is granted based on the root key, the EKUs, and the operating system usage/requirement
  • 12. SIGNING LEVEL CHECKS • On Windows 8.1, signing levels are computed only for user-mode binaries that are run as protected processes • On Windows 8.1 RT, they are computed anytime a process launches, based on SeILSigningPolicy • Defaults to 8, can be configured through different signing policy • Process launch is not allowed if the User-Mode Code Integrity (UMCI) runtime does not allow the given certificate to grant the required signing level • This is called the Exe Signature Level • Each successful process launch also carries with it the Dll Signature Level • Image load is not allowed if UMCI runtime does not allow the certificate of any loaded DLL to grant the required section signing level
  • 14. SECURE BOOT POLICY • The default signing levels are embedded inside the Windows Code Integrity Library (CI.DLL) • You can see their names by dumping the strings/resources inside Ci.dll • Documented on my blog • However, signing levels can be customized through the use of a custom Secure Boot Policy • Also allows customizing hash requirements, mapping to protected process signers, and more • Finally, signing levels can also be “runtime” registered • See blog for more details – used to allow 3rd party Anti-Malware developers to access level 7 • Policy is loaded from EFIMicrosoftBootSecureBootPolicy.p7b or UEFI Authenticated Variable “CurrentPolicy” or embedded inside Bootmgfw.efi
  • 16. VISTA PROTECTED PROCESS • In Windows Vista, the term protected process was first introduced as a mechanism to protect the DRM requirements of the system • “Protected Media Path”, PMP requires trusted components all the way to the output source • Protected Processes had one bit set in the kernel EPROCESS structure at process launch time, if • CREATE_PROTECTED_PROCESS was passed to CreateProcess • Correct Windows Media DRM Certificate is present • Media Foundation API took care of implementation details • Protected Environment Authorization (Peauth.sys) handles the obfuscation, key exchange, etc… • PsIsProtectedProcess is documented for kernel-mode drivers and NtQueryInformationProcess can be used to check the PEB field as well
  • 17. PROTECTED PROCESS RIGHTS • Once a process runs with the bit set, all of its threads and processes are protected against accesses except: • PROCESS/THREAD_QUERY_LIMITED_INFORMATION • PROCESS_TERMINATE • PROCESS/THREAD_SUSPEND_RESUME • SYNCHRONIZE • Only other protected processes can bypass the checks and use ACL instead • Debug/TCB privilege, SYSTEM account, does not carry any weight here! • In-box processes that run protected include • Mfpmp.exe (if playing protected media with WMP) • Audiodg.exe (Windows Audio Service Device Graph)
  • 18. WINDOWS 8 • Minor change introduced in Windows 8, the ProtectedProcess bit disappears • OR’ing bit 1 to the SignatureLevel makes the process protected • Thus, Audiodg.exe is 5 on Windows 8, 9 on Windows 8 RT • Continues to be a DRM-enforcement mechanism only, however • Note that System process also runs as Protected • This prevents Administrators from accessing the handle table or user-mode virtual address space of the process • ASLR relocation information is stored in user-mode • Code Integrity catalogs, driver images, and other data, temporarily stored in user-mode as well! • Some DRM/crypto temporary data as well • Handles could be duplicated and lead to access to protected kernel resources, such as hibernation file, page file, registry hives and transactional logs
  • 19. WINDOWS 8.1 • Adds a new “Protection” field to EPROCESS composed of three elements • Protected Signer • Protected Type • Auditing Mode • The Protected Signer is one of the root keys accepted by UMCI, possibly combined with one or more required EKUs • PsProtectedSignerAuthenticode = 0n1 • PsProtectedSignerCodeGen = 0n2 • PsProtectedSignerAntimalware = 0n3 • PsProtectedSignerLsa = 0n4 • PsProtectedSignerWindows = 0n5 • PsProtectedSignerWinTcb = 0n6
  • 20. PROTECTED PROCESS LIGHT • The Protected Type is one of: • PsProtectedTypeProtectedLight = 0n1 OR PsProtectedTypeProtected = 0n2 • Combined together this creates a number such as 0x31 • Anti-Malware Protected Light • New API introduced for kernel: PsIsProcessProtectedLight. • User mode can also check PEB, or PROCESS_EXTENDED_BASIC_INFORMATION • Protected processes can only be accessed by Protected processes • Protected Light processes can only be accessed by Protected Light or higher processes • Each signer dominates the other and creates an access hierarchy • Different signers receive different access mask protections • See RtlProtectedAccess array (used by RtlTestProtectedAccess)
  • 21. SYSTEM EFFECTS • LSA processes, Anti-Malware processes, and Windows TCB processes can no longer be killed • But suspension is still possible • Deprecates previous “Critical Process” functionality used to protect CSRSS and SMSS • Makes Windows 8 RT public jailbreak impossible to execute, as it requires injection of code into CSRSS • Makes injection/memory-based techniques for dumping LSA hashes, passwords, and secrets impossible • But only if LSA protection is enabled • Also makes it that much harder to steal (impersonate) a SYSTEM token
  • 22. PROTECTION ATTRIBUTE • In Vista, CREATE_PROTECTED_PROCESS was the only flag needed for CreateProcess to do the right thing • But in Windows 8.1, how to specify the actual protection level required (type and signer?) • Using the new Protection Level Attribute (0x2000B) in the Process/Thread Attribute List • At the Win32 level, this is based on an undocumented enumeration: • 1 – Windows Signer, Protected Type • 2 – Windows Signer, Protected Light Type • 3 – Antimalware Signer, Protected Light Type • At the NT level, it is converted into the actual PS_PROTECTED_SIGNER and PS_PROTECTED_TYPE number we saw earlier
  • 23. PROTECTION CHAIN • Recall that Windows 8.1 only checks signature levels if and only if a process is created requesting a protection level • Double-clicking a file on Explorer doesn’t do this • Therefore, there exists an implied “protection chain” that makes the system work: • The System process marks itself as protected • It launches SMSS requesting protection 0x61 • SMSS launches CSRSS requesting protection 0x61 • SMSS launches Wininit and Winlogon with no protection (Win 10: Wininit is 0x61) • Wininit launches LSASS with protection 0x41 (if configured) • Wininit launches SCM with protection 0x61 • But what about Anti-Malware?
  • 27. PROTECTED SERVICES • Since Services.exe (aka the SCM/Service Control Manager) launches highly protected, this might imply that it can manage protected light processes… • Since Anti-Malware applications run protected, this implies something must have had launched them requesting a protection level… • Indeed, the key to Process Protection Light is that it must also allow 3rd party and/or non-System processes to also run protected • This is done by enhancing services to support a protection level of their own • In Windows 8,1 SERVICE_CONFIG_LAUNCH_PROTECTED can be sent to ChangeServiceConfig2, with a matching SERVICE_LAUNCH_PROTECTED_INFO structure and level • The SCM sends this protection level request in the CreateProcess call that it makes
  • 28. PROTECTED SERVICES • The SCM API ultimately ends up setting the key “LaunchProtected” in the Services database entry in the registry • The following calls/commands immediately become blocked by non- protected callers: • ChangeServiceConfig(2) / sc config • ControlService(Ex) / sc start, stop, pause • DeleteService / sc delete • SetServiceObjectSecurity / sc privs • Check is done by the RPC Server inside SCM, using RtlTestProtectedAccess and by asking the kernel for the caller’s protection level • AppXSvc, sppsvc, WdNisSvc, WinDefend and WSService run protected in Windows 8.1 • Can check with “sc qprotection”
  • 29. PROTECTED APPLICATIONS • Therefore, services ultimately are in charge of the last chain of protected process launches as they can use CreateProcess to spawn children that are also protected • Recall that the enumeration is undocumented, however! • Microsoft expects developers to thus use PROTECTION_LEVEL_SAME, which is documented as the only valid type for PROC_THREAD_ATTRIBUTE_PROTECTION_LEVEL • In this way, Anti-Malware services will spawn Anti-Malware processes, etc… • User-launched applications will never run protected, unless the application employs a type of self-launcher and/or COM activation launcher method and requests a protection level for its spawned clone
  • 32. UEFI VARIABLES (SPECIFICATION) • UEFI variables are used to control behavior of UEFI Boot Manager, Drivers, and Applications • Can also be used to define OS settings • Boot#### and Driver#### define drivers and boot applications. • BootCurrent, BootNext, BootOrder influence boot manager selection • DriverOrder influences driver ordering • Three types of UEFI variables exist • Boot Variables can only be seen while in “Boot Services” mode (in TSL or earlier) • Runtime Variables can be seen while in “Runtime” mode (RT or later) • Authenticated Variables are Authenticode-signed binary blobs that must be signed as per Secure Boot policy • Variables can also be volatile and/or read-only vs read-write • Variables live in different namespaces, identified by a GUID
  • 33. UEFI VARIABLES (WINDOWS) • Windows provides user and kernel APIs for Firmware Variables • User-mode: Get/SetFirmwareEnvironmentVariableEx • Requires SE_SYSTEM_ENVIRONMENT_PRIVILEGE • Kernel-mode: ExGet/SetFirmwareEnvironmentVariable • Internally, kernel calls IoGet/SetEnvironmentVariable • Can use either the DeviceSysenv device if custom NVRAM is present, or the HAL in standard scenarios • Microsoft owns the following Vendor GUID. Used as KEK Signature Owner, Secure Boot Policy GUID, and also UEFI Variable Namespace GUID • {77fa9abd-0359-4d32-bd60-28f4e78f784b} [ExpSecureBootVendorGuid] • Variables that start with “Kernel_” are implicitly part of this namespace • User-mode uses NtSetSystemEnvironmentValueEx which prevents the above
  • 35. LSASS PROTECTED MODE • LSASS uses new Process Protection Level to prevent attacks from user-mode elevated caller • Runs as Protected Process Light, Protected Signer LSA • Disabled by default, since would now require DLLs to also be signed at least with the LSA or higher protected signer flag • To enable, set RunAsPPL in SYSTEMCurrentControlSetControlLsa • On UEFI systems, variable is mirrored into the UEFI firmware database • Kernel_Lsa_Ppl_Config is used as a Runtime EFI Variable • Microsoft provides reset UEFI binary to interactively remove UEFI protection • Both system variable and registry key must be deleted for LSA to revert to old behavior • Prevents operations against LSA except PROCESS_TERMINATE
  • 36. DISABLING LSA PROTECTION • mountvol X: /s • copy C:LSAPPLConfig.efi X:EFIMicrosoftBootLSAPPLConfig.efi /Y • bcdedit /create {0cb3b571-2f2e-4343-a879-d86a476d7215} /d "DebugTool" /application osloader • bcdedit /set {0cb3b571-2f2e-4343-a879-d86a476d7215} path "EFIMicrosoftBootLSAPPLConfig.efi" • bcdedit /set {bootmgr} bootsequence {0cb3b571-2f2e-4343-a879- d86a476d7215} • bcdedit /set {0cb3b571-2f2e-4343-a879-d86a476d7215} loadoptions %1 • bcdedit /set {0cb3b571-2f2e-4343-a879-d86a476d7215} device partition=X: • mountvol X: /d
  • 39. TAKING A DUMP • When a Windows process crashes, the Windows Error Reporting infrastructure is activated in order to generate a mini-dump • Programs can do this on their own by using MiniDumpWriteDump • Procdump.exe, Taskmgr.exe, Windbg.exe all use this API • Quote “Windows Internals, 6th Edition”: • “Can also run protected” ???
  • 40. WER FOR PROTECTED PROCESSES • If a protected process crashes, WER launches a special version of the WerFault.exe process, which has the correct EKUs for running as a protected process • It’s launched as Protected TCB (0x62) – or the highest possible level! • Because of its protection level, this version of WER is able to open handles to processes such as Csrss.exe and Smss.exe • And more interestingly, Lsass.exe if running with LSA Protection • It’s then able to call MiniDumpWriteDump without any problems • So we can we just force a protected process to crash? • Not obvious • But let’s cheat and use the kernel debugger…
  • 43. PROTECTED CRASH ANALYSIS • By following the Procmon output we’ve just seen, the following command- line is visible: • WER parses the following options: • /h /s – Secure Dump • /pid – Crashing PID • /tid – Crashing TID • /type – Minidump Type (see MiniDumpWriteDump) • /file – Dump File Handle • /encfile – Encrypted Dump File Handle • /cancel – Event to Cancel Dump
  • 44. TRICKING WER • By controlling the parameters that are passed to WER and using a flaw in the dumping process, one can cause WER to reveal the unencrypted contents of the dump • Patch for the issue is delayed to January – cannot reveal exact design flaw • Resulting dump is the same type of dump that ProcDump generates and which Windbg can open • And, more concretely, the same format dump that Mimikatz can parse when using the sekurlsa::minidump option • Thus, by leveraging a WER design flaw, the LSA Protection Mode can essentially be ignored/bypassed, and Mimikatz can continue to be used without requiring a driver
  • 46. OTHER ISSUES • As mentioned, LSASS is not the only process that leverages process protection levels • Other system issues can arise from the ability to dump protected processes • WER can do more than just create a dump of a process • Other potential issues can exist due to the ability to control WER • What about writing into a protected process? • No current public flaw exists. My RPC vulnerability presented at SyScan would be used to target protected processes that contain an RPC server and spray data inside of their memory • Fixed in October Patch Tuesday • However, I will be presenting new ALPC vulnerabilities at a later time • Ultimately, an admin can still cause dangerous environment changes which can affect protected processes
  • 47. WINDOWS 10 AND CONCLUSION
  • 48. WINDOWS 10: THE FUTURE • From Critical Process to Protected Process to Protected Process Light to ??? • “VSM” – Virtual Secure Machine? • “Hyper-V Secure Containers”? • “Isolated Process”? • “Secure Process”? • Windows 10 blog announced that in Windows 10, LSA credential information will be stored in a secured container/enclave leveraging Hyper-V Client • Latest builds of Windows 10 contain an “LsaIso.exe” process which is an early prototype of an isolated version of LSASS • Calls itself “VSMified LSASS” • Latest kernel contains “IsSecureProcess” in PROCESS_EXTENDED_INFORMATION and “SecureProcess” in KPROCESS->Flags • New Process Creation Attribute -- PsAttributeSecureProcess
  • 49. CONCLUSION • Protected Processes in Windows 8.1 significantly increase the overall platform security • Less exploitable vulnerabilities • Tighter control of core system binaries • Anti-malware-type applications can survive manipulation and termination by admin-level malware • They do not protect against kernel attackers –boundary is at the user level • Desire of supporting customer crash scenarios through WER has resulted in a “backdoor” into the memory of protected processes • Will be fixed in January 2015 • Upcoming Windows 10 platform features will prevent this type of attack • Even from a kernel attacker!