The Evolution of Protected Processes Part 2: Exploit/Jailbreak Mitigations, Unkillable Processes and Protected Services « Alex Ionescu’s Blog

Introduction

In this continuing series on the improvements of the protected process mechanism in Windows, we’ll move on past the single use case of LSASS protection and pass-the-hash mitigation through the Protected Process Light (PPL) feature, and into generalized system-wide use cases for PPLs. In this part, we’ll see how Windows uses PPLs to guard critical system processes against modification and how this has prevented the Windows 8 RT jailbreak from working on 8.1. We’ll also take a look at how services can now be configured to run as a PPL (including service hosts), and how the PPL concept brings yet another twist to the unkillable process argument and semantics.

System Protected Processes

To start the analysis, let’s begin with a simple WinDbg script (you should collapse it into one line) to dump the current PID, name, and protection level of all running processes:

    lkd> !for_each_process ".if @@(((nt!_EPROCESS*)@#Process)->Protection.Level) {
           .printf \"%08x <b>[%70msu]</b> level: <b>%02x</b>\\n\",
             @@(((nt!_EPROCESS*)@#Process)->UniqueProcessId),
             @@(&((nt!_EPROCESS*)@#Process)->SeAuditProcessCreationInfo.ImageFileName->Name),
             @@(((nt!_EPROCESS*)@#Process)->Protection.Level) }"

On my rather clean Windows 8.1 VM, with LSA protection enabled as per the last post, the output lists every protected process with its protection level (I’ve added the actual string representation of the protection level for clarity). As a reminder, the protection level is a bit mask composed of the Protected Signer and the Protection Type:

    PS_PROTECTED_SIGNER
      PsProtectedSignerNone         = 0n0
      PsProtectedSignerAuthenticode = 0n1
      PsProtectedSignerCodeGen      = 0n2
      PsProtectedSignerAntimalware  = 0n3
      PsProtectedSignerLsa          = 0n4
      PsProtectedSignerWindows      = 0n5
      PsProtectedSignerWinTcb       = 0n6
      PsProtectedSignerMax          = 0n7

    PS_PROTECTED_TYPE
      PsProtectedTypeNone           = 0n0
      PsProtectedTypeProtectedLight = 0n1
      PsProtectedTypeProtected      = 0n2
      PsProtectedTypeMax            = 0n3

This output shows that the System process (the unnamed process), as has been the case since Vista, continues to be a full-fledged protected process, alongside the Software Piracy Protection Service (Sppsvc.exe). The System process is protected because of its involvement in Digital Rights Management (DRM) and because it might contain sensitive handles and user-mode data that a local Administrator could have accessed in previous versions of Windows (such as XP). It stands to reason that Sppsvc.exe is protected for DRM-like reasons, and we’ll shortly see how the Service Control Manager (SCM) knew to launch it with the right protection level. The last protected process we see is Audiodg.exe, which has been protected since the Vista days. Note that because Audiodg.exe must load 3rd party “System Audio Processing Objects” (sAPOs), it only uses the Authenticode Signer, allowing it to load the DLLs associated with the various sAPOs.

We also see a number of “WinTcb” PPLs – TCB here referring to “Trusted Computing Base”. For those familiar with Windows security and tokens, this is not unlike the SeTcbPrivilege (Act as part of the Operating System) that certain highly privileged tokens can have. We can think of these processes as essentially the user-mode root chain of trust provided by Windows 8.1. We’ve already seen that SMSS is responsible for launching LSASS with the right protection level, so it would make sense to also protect the creator. Very shortly, we’ll revisit what actual “protection” is really provided by the different levels. Finally, we see the protected LSASS process as expected, followed by two “Antimalware” PPLs – the topic of which will be the only focus of Part 3 of this series – and one “Windows” PPL associated with a service host. Just like the SPP service, we’ll cover this one in the “Protected Services” section below.

Jailbreak and Exploit Mitigation

Note that it’s interesting that Csrss.exe is protected at all: it isn’t responsible for launching any special protected processes and doesn’t have any interesting data in memory like LSASS or the System process do. It has, however, gained a very nefarious reputation in recent years as being the source of multiple Windows exploits – many of which actually require running inside its confines for the exploit to function. This is due to the fact that a number of highly privileged specialized APIs exist in Win32k.sys for the use of Csrss (as well as the fact that on 32-bit Windows, Csrss has the NULL page mapped, and it also handles much of VDM support). Because Win32k.sys treated Csrss as a trusted caller (it runs with Administrator rights, after all), many of these APIs didn’t even have SEH, or had other assumptions and bugs. Perhaps most famously, one of these, discovered by j…, was the basis of the Windows 8 RT jailbreak. In Windows 8.1 RT, this jailbreak is “fixed”, by virtue that code can no longer be injected into Csrss. Similar Win32k.sys bugs that require running inside Csrss.exe are also mitigated in this fashion.

Protected Access Rights

Six years ago in my Vista-focused protected process post, I enumerated the documented access rights which were not being granted to protected processes. In Windows 8.1, this list has changed to a dynamic table of elements of the type below:

    RTL_PROTECTED_ACCESS
      +0x000 DominateMask        : Uint4B
      +0x004 DeniedProcessAccess : Uint4B
      +0x008 DeniedThreadAccess  : Uint4B

    RTL_PROTECTED_ACCESS RtlProtectedAccess[]   (PAGE section)
      <…,   …,        …>         [None]
      <2,   0FC7FEh,  0FE3FDh>   [Authenticode]
      <…,   0FC7FEh,  0FE3FDh>   [CodeGen]
      <…,   0FC7FFh*, 0FE3FFh*>  [Antimalware]
      <…,   0FC7FFh*, 0FE3FFh*>  [Lsa]
      <3Eh, 0FC7FEh,  0FE3FDh>   [Windows]
      <…Eh, 0FC7FFh*, 0FE3FFh*>  [WinTcb]
    (values shown as … were lost from this copy of the listing)

Access to protected processes (and their threads) is gated by the PspProcessOpen (for process opens) and PspThreadOpen (for thread opens) object manager callback routines, which perform two checks. The first, done by calling PspCheckForInvalidAccessByProtection (which in turn calls RtlTestProtectedAccess and RtlValidProtectionLevel), uses the DominateMask field in the structure above to determine if the caller should be subjected to access restrictions (based on the caller’s protection type and protected signer). If the check fails, a second check is performed by comparing the desired access mask with either the DeniedProcessAccess or DeniedThreadAccess field in the RtlProtectedAccess table. As in the last post, clicking on any of the function names will reveal their implementation in C.

Based on the denied access rights above, we can see that when the source process does not “dominate” the target protected process, only the rights outside the 0xFC7FE mask are allowed, corresponding to PROCESS_QUERY_LIMITED_INFORMATION, PROCESS_SUSPEND_RESUME, PROCESS_TERMINATE, and PROCESS_SET_LIMITED_INFORMATION (the latter of which is a new Windows 8.1 access right). On the thread side, THREAD_SET_LIMITED_INFORMATION, THREAD_QUERY_LIMITED_INFORMATION, THREAD_SUSPEND_RESUME, and THREAD_RESUME are the rights normally given, the latter being another new Windows 8.1 access right. Pay attention to the output above, however, and you’ll note that this is not always the case!

Unkillable Processes

In fact, processes with a Protected Signer that belongs to either Antimalware, Lsa, or WinTcb only grant the rights outside the 0xFC7FF mask – in other words, also prohibiting the PROCESS_TERMINATE right. And for the same group that prohibits PROCESS_TERMINATE, we can also see that THREAD_SUSPEND_RESUME is prohibited. This is now Microsoft’s 4th system mechanism that attempts to prevent critical system process termination. If you’ll recall, Windows Server 2003 had processes that Task Manager would refuse to kill (and that cause a bugcheck if killed with other tools), while Windows 2000 hard-coded process names into Task Manager to prevent their termination. Both of these approaches had flaws: malware on Windows 2000 could simply name itself “Csrss.exe” to avoid user-initiated termination, while calling RtlSetProcessIsCritical on Vista allowed malware to crash the machine when killed by AV (and also prevent user-initiated termination through Task Manager). Oh, and LSASS was never a critical process – but if you killed it, SMSS would notice and take down the machine. Meanwhile, AV companies were left at the mercy of process-killing malware, until Vista SP1 added object manager filtering, which allowed removing the PROCESS_TERMINATE right that could be granted to a handle. It would seem like preventing PROCESS_TERMINATE to LSASS, TCB processes, and anti-virus processes is probably the mechanism that makes the most sense – unlike all other approaches which relied on obfuscated API calls or hard-coded paths, the process protection level is a cryptographic approach that cannot be faked (barring a CA/PKI failure).

Launching Protected Services
As SMSS is created by the System process, and it, in turn, creates LSASS, the SCM, and CSRSS, it makes sense for all of these processes to inherit some sort of protection level based on the implicit process creation logic in each of them. But how did my machine know to launch the SPP service protected? And why did I have one lone PPL service host? It turns out that in Windows 8.1, the Service Control Manager now has the capability of supporting services that need to run with a specific protection level, as well as performing similar work as the kernel when it comes to defending against access to them. In Windows 8.1, when the SCM reads the configuration for each service, it eventually calls ScReadLaunchProtected, which reads the “LaunchProtected” value in the service key. On my machine, the “AppXSvc” service, for example, has this set to the value “2”. You’ll see the “sppsvc” service with this value set to “1”, and you’ll see “WinDefend” and “WdNisSvc” at “3”. All of these match the new definitions in the Winsvc.h header:

    //
    // Service LaunchProtected types supported
    //
    #define SERVICE_LAUNCH_PROTECTED_NONE              0
    #define SERVICE_LAUNCH_PROTECTED_WINDOWS           1
    #define SERVICE_LAUNCH_PROTECTED_WINDOWS_LIGHT     2
    #define SERVICE_LAUNCH_PROTECTED_ANTIMALWARE_LIGHT 3
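To make the three mechanisms discussed above concrete (the Signer/Type bit mask behind the protection level, the two-stage PspProcessOpen/PspThreadOpen check against the RtlProtectedAccess table, and the LaunchProtected value the SCM turns into a protection level), here is an added C model. It is not code from the article or from Windows. It assumes the public layout of the 8-bit PS_PROTECTION field (Type in bits 0-2, Audit in bit 3, Signer in bits 4-7), assumes that dominance also requires the caller’s protection type to be at least the target’s, supplies the CodeGen, Antimalware, Lsa and WinTcb dominate masks that this copy of the listing lost, and infers the LaunchProtected-to-level mapping from the article’s own observations about sppsvc, AppXSvc and WinDefend. The process list in main() is constructed to match the article’s description, not a real dump.

```c
/* Added example, not code from the article or from Windows: the PS_PROTECTION
 * level byte, the RtlProtectedAccess table with the two PspProcessOpen/
 * PspThreadOpen checks, and the SCM's LaunchProtected -> level mapping. */
#include <stdint.h>
#include <stdio.h>

/* PS_PROTECTED_SIGNER and PS_PROTECTED_TYPE, as listed in the article. */
enum { PsProtectedSignerNone, PsProtectedSignerAuthenticode, PsProtectedSignerCodeGen,
       PsProtectedSignerAntimalware, PsProtectedSignerLsa, PsProtectedSignerWindows,
       PsProtectedSignerWinTcb, PsProtectedSignerMax };
enum { PsProtectedTypeNone, PsProtectedTypeProtectedLight, PsProtectedTypeProtected,
       PsProtectedTypeMax };

/* Assumed layout of the 8-bit EPROCESS.Protection.Level: Type in bits 0-2, Audit
 * in bit 3, Signer in bits 4-7 (shifts, so compiler bit-field order is irrelevant). */
static uint8_t ps_make_level(unsigned signer, unsigned type) { return (uint8_t)((signer << 4) | (type & 7)); }
static unsigned ps_signer(uint8_t level) { return level >> 4; }
static unsigned ps_type(uint8_t level) { return level & 7; }

/* Access rights used below (WinNT.h values); 0xFFFFF covers standard + specific rights. */
#define PROCESS_TERMINATE     0x0001
#define PROCESS_VM_WRITE      0x0020
#define THREAD_SUSPEND_RESUME 0x0002
#define ALL_RIGHTS_MASK       0xFFFFF

typedef struct { uint32_t DominateMask, DeniedProcessAccess, DeniedThreadAccess; } RTL_PROTECTED_ACCESS;

/* DominateMask is looked up by the *caller's* signer (bit n set: dominates targets
 * with signer n); the Denied masks by the *target's* signer.  Only the Authenticode
 * (2) and Windows (3Eh) dominate masks survive on the page; the rest are assumed. */
static const RTL_PROTECTED_ACCESS RtlProtectedAccess[PsProtectedSignerMax] = {
    { 0x00, 0x00000, 0x00000 }, /* None */
    { 0x02, 0xFC7FE, 0xFE3FD }, /* Authenticode */
    { 0x04, 0xFC7FE, 0xFE3FD }, /* CodeGen     (dominate mask assumed) */
    { 0x08, 0xFC7FF, 0xFE3FF }, /* Antimalware (dominate mask assumed) */
    { 0x18, 0xFC7FF, 0xFE3FF }, /* Lsa         (dominate mask assumed) */
    { 0x3E, 0xFC7FE, 0xFE3FD }, /* Windows */
    { 0x7E, 0xFC7FF, 0xFE3FF }, /* WinTcb      (dominate mask assumed) */
};
static const RTL_PROTECTED_ACCESS *ps_entry(uint8_t level) {
    unsigned s = ps_signer(level);
    return &RtlProtectedAccess[s < PsProtectedSignerMax ? s : PsProtectedSignerNone];
}

/* Check 1 (PspCheckForInvalidAccessByProtection -> RtlTestProtectedAccess): does the
 * caller dominate the target?  Assumed rule: caller type >= target type (a PPL never
 * dominates a full PP) and the caller's DominateMask includes the target's signer. */
static int ps_dominates(uint8_t caller, uint8_t target) {
    if (ps_type(target) == PsProtectedTypeNone) return 1; /* target not protected */
    if (ps_type(caller) < ps_type(target)) return 0;
    return (ps_entry(caller)->DominateMask >> ps_signer(target)) & 1;
}

/* Check 2: a non-dominating caller may not ask for any denied right.  Returns 1 if
 * the open succeeds, 0 if the callback fails it (STATUS_ACCESS_DENIED). */
static int ps_check_open(uint8_t caller, uint8_t target, uint32_t desired, int is_thread) {
    if (ps_dominates(caller, target)) return 1;
    const RTL_PROTECTED_ACCESS *e = ps_entry(target);
    return (desired & (is_thread ? e->DeniedThreadAccess : e->DeniedProcessAccess)) == 0;
}

/* Largest process (is_thread == 0) or thread mask a non-dominating caller can get. */
static uint32_t ps_max_granted(uint8_t target, int is_thread) {
    const RTL_PROTECTED_ACCESS *e = ps_entry(target);
    return ALL_RIGHTS_MASK & ~(is_thread ? e->DeniedThreadAccess : e->DeniedProcessAccess);
}

/* Winsvc.h LaunchProtected values quoted in the article, and the level the SCM
 * requests for each.  The mapping is inferred from the article (sppsvc=1 is a
 * Windows PP, AppXSvc=2 gives a Windows PPL host, WinDefend=3 an Antimalware PPL). */
#define SERVICE_LAUNCH_PROTECTED_NONE              0
#define SERVICE_LAUNCH_PROTECTED_WINDOWS           1
#define SERVICE_LAUNCH_PROTECTED_WINDOWS_LIGHT     2
#define SERVICE_LAUNCH_PROTECTED_ANTIMALWARE_LIGHT 3
static uint8_t sc_launch_protected_to_level(uint32_t v) {
    switch (v) {
    case SERVICE_LAUNCH_PROTECTED_WINDOWS:           return ps_make_level(PsProtectedSignerWindows, PsProtectedTypeProtected);
    case SERVICE_LAUNCH_PROTECTED_WINDOWS_LIGHT:     return ps_make_level(PsProtectedSignerWindows, PsProtectedTypeProtectedLight);
    case SERVICE_LAUNCH_PROTECTED_ANTIMALWARE_LIGHT: return ps_make_level(PsProtectedSignerAntimalware, PsProtectedTypeProtectedLight);
    default:                                         return 0; /* unknown -> unprotected */
    }
}

int main(void) {
    /* Constructed list matching the article's description, not a real dump. */
    struct { const char *name; uint8_t level; } procs[] = {
        { "System", 0x62 }, { "smss.exe", 0x61 }, { "csrss.exe", 0x61 }, { "lsass.exe", 0x41 },
        { "sppsvc.exe", 0x52 }, { "audiodg.exe", 0x12 }, { "MsMpEng.exe", 0x31 }, { "svchost.exe", 0x51 },
    };
    uint8_t admin = 0; /* elevated but unprotected caller, e.g. Task Manager */
    for (size_t i = 0; i < sizeof procs / sizeof procs[0]; i++)
        printf("%-12s level %02x  admin max process access %05x  terminate: %s\n",
               procs[i].name, procs[i].level, (unsigned)ps_max_granted(procs[i].level, 0),
               ps_check_open(admin, procs[i].level, PROCESS_TERMINATE, 0) ? "yes" : "no");
    return 0;
}
```

Compile with `cc -std=c11 ps_protection.c` and run it: the table shows why an elevated but unprotected caller such as Task Manager still gets PROCESS_TERMINATE on sppsvc.exe (Windows signer, mask 0xFC7FE) but not on lsass.exe, smss.exe or MsMpEng.exe (mask 0xFC7FF), and the check functions show why a WinTcb PPL such as smss.exe can open LSASS with full rights while still being unable to dominate the full-PP System process.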