Google: Process Failure Modes

Video in TIB AV-Portal: Google: Process Failure Modes

Formal Metadata

Google: Process Failure Modes
CC Attribution 4.0 International:
You are free to use, adapt and copy, distribute and transmit the work or content in adapted or unchanged form for any legal purpose as long as the work is attributed to the author in the manner specified by the author or licensor.
Creating processes on Windows is fraught with danger. There are many things that could go wrong. This is even more true when dealing with creating processes in system services at the behest of the user. At best, making a mistake could result in creating processes from files the user can't access; at worst, they get system privileges. This presentation will go into detail on how processes are created in Windows and the many ways that it can go horribly wrong. I'll discuss some of the shortcomings of the Windows process and session models and how they can be abused to elevate privileges. Throughout, I'll provide examples of vulnerabilities and exploitation techniques I've discovered (some of which won't be fixed any time soon) with clear anti-pattern examples to aid in discovering similar vulnerabilities. One of the issues I'll discuss is the complexities around one of my most recent Project Zero blog posts (specifically "Raising the Dead"), which dealt with session creation and stuck processes. Some of the other topics I'll include are: process creation internals; process creation w.r.t. impersonation; session hopping; dangerous creation patterns.
[Introduction inaudible.] So, I know we're talking about Windows processes and the usual ways in which creating processes can really screw you up sometimes.
I'm going to start talking about the Windows process creation APIs and a bit of the low-level stuff regarding that. I'm not going to go down to the level of the individual steps of creating the address space and things like that, but the more top-level information you may find interesting. Then I'll talk about some classic bugs which I discovered over the years in code which creates processes, or code which handles processes, which can then be used to do things like privilege escalation. Hopefully, if we have time, I'm going to go through some sort of silly tricks that, if you're feeling like being mean to the incident responder, you can use to confuse them and give them a heart attack. This is all based on Windows 10. It's worth pointing out I'm not going to talk about things like spaces in unquoted command-line paths or anything like that, so you're on your own for that one. Thanks to Alex Ionescu and [inaudible], who've done a lot of the research in this area as well and are very knowledgeable about process-related internals.
Process creation is a bit of a mess if you look at it from the user level, the user API level; it's all over the place, as you can see. I'll quickly go through the boxes here. Anything in blue is stuff which a user application could call; these are directly documented interfaces. For example, WinExec is a holdover from 16-bit Windows; that's how on 16-bit Windows you created new processes. These days it's only there for maintaining compatibility with lazy shellcode writers, because any process they create tends to go through WinExec. Then there's other stuff like ShellExecute, which is actually part of the shell itself, and this is more for the generic "I want to create something which handles this .doc file", so I tell the shell that I want to run foo.doc and it will load whatever handles that. It can run executable files as well. But they both funnel down to CreateProcess, which is the main entry point in the Win32 API for actual process creation. Then there's other stuff: there are various services which will get involved if you call certain things. For example, the UAC AppInfo service is responsible for elevating processes, and if you call ShellExecute on an executable that gets fed off to the AppInfo service, but there's no documented interface for calling out to it; you have to use ShellExecute. Then there are things like the Secondary Logon service for CreateProcessWithLogon. But all of that, taking everything into account, feeds down into one function, CreateProcessInternal, and then eventually ends up in ntdll, which ends up at the Windows kernel itself. But if you come from a Unix
background and know how processes are created in Unix, it can be really, really simple, so why would anyone design a really complicated process for creating new processes? Obviously Microsoft didn't take that approach, which is probably fairly common. So in the beginning, and this is pre-Vista, what you had was a system call, NtCreateProcess. You'd think, OK, creating a process must be simple: pass the name of the file, it runs it, job done. Obviously that isn't the case, so I'll describe what actually happens. It first opens the file, and this is all happening in user mode: it calls the system call, gets a file handle, then goes OK, now I need a memory-mapped section, so it creates a section with that file and gets back the section handle. Finally we go to NtCreateProcess, passing the section to it, and it creates a new process. Awesome, job done, we've got a running process? But we haven't; all we've got is a process. We still need to create a thread in that process, and finally, in theory, we should be able to execute it. So this "simple" process has four or more steps to create a basic process. How could that happen? Now, the NtCreateProcess API itself
is relatively simple. There are only three parameters that you really care about: you can give it a handle to the parent process, some flags which basically change the way in which the process is created, and then your section handle. But interestingly, this section handle is optional; you don't have to actually specify a new section for your new process. So what happens if you don't specify one, what effect will you get? You get the Windows equivalent of fork. It doesn't work very well, but it has actually been built in from day one in Windows; it's just not really very well exposed from the API. The
broader problem: Microsoft, in their infinite wisdom, decided, well, if we don't do something about these horrible hackers trying to steal protected content, no one's going to want to run commercial videos or commercial audio on the Windows platform. So we need some way of stopping those nasty, nasty hackers, bearing in mind that the nasty hacker might be an administrator on the box, because the majority of consumers of Windows are probably admin already. So they came up with the wheeze of protected processes, which sounds very grandiose but actually wasn't quite that useful, because all it did was protect against user-mode code. But that left them with the problem: how do we create a process in user mode, which requires all these various steps to succeed, without leaking access to this process? So instead they
created the NtCreateUserProcess system call, which instead of requiring you to do all these intermediate steps in user mode did it all in the kernel for you. That makes it much simpler, much easier. Unsurprisingly, NtCreateUserProcess has one or two more parameters you need to pass. The main ones are the three at the end. The first one is something called the
user process parameters, and effectively these are ignored by the kernel, more or less. It has to inspect them and make sure they're valid, but it doesn't do a lot with them. Effectively all it does is inject them into the new process and attach a pointer to them from the PEB structure in the process. Then that process can read things like the command line; obviously you pass a command line in this block, and that command line will be read out by ntdll in the new process, which knows about the structure of the PEB. The next one is the create info structure, and
this contains some of the basic information about what you want to create: it has flags and some additional features, and what actually comes back is all the stuff which you used to get in the good old days with NtCreateProcess, things like a handle to the file and a handle to the section, without actually having to do that in user mode yourself. So they give you back some interesting information which, as we'll see later, may be amusing. And the
final thing is basically the mechanism through which you extend this function. Rather than having NtCreateUserProcessEx, Ex2 and so on, Microsoft decided to basically have a list of arbitrary attributes you can specify. So for example you can say I want to create this process with a different parent process, or, as you have to, specify the image name, where the image name is the path to the file you want to run. So this can be extended as you go along; for example the latest version of Windows 10 has more of these attributes, and they don't have to change the interface, they can just add these attributes on top. Yes, the
but, to paraphrase Monty Python, what has CreateProcess ever done for us? Why is it even there anymore? Well, unfortunately Win32 is not quite as simple as the kernel layer allows. You've got to do various different things to actually support the Win32 behaviours that are expected of a process: things like registering the side-by-side manifest with SxS, and if you don't do so, creating processes like notepad.exe will tend to fail and give you horrible, scary warning messages. It also does stuff like, if you pass it a batch file, it emulates that: it'll run cmd.exe on this batch file instead of trying to just execute it directly, so the kernel doesn't need to know how to execute batch files; CreateProcess knows how to do that. And also, if you have encountered software restriction policy, this is where software restriction policy is enforced. No, this is not AppLocker; this is the old XP user-mode application restriction policy technology, and again I'll show an interesting consequence of that decision.
Now, each process runs in a session. When you log into a system, each user is assigned a session, which is identified using a numeric identifier, 0, 1, 2 and so on, and all of that user's processes run within that session. This is sort of an isolation boundary between different parts of the operating system, basically to allow things like the windowing system to display a window but not allow you to interact with the windowing system of another user on the same box. Especially for terminal services this is quite important. Back in the day, when you logged in on the physical console it would give you session 0, and session 0 had a few benefits of being session 0 which had potential security complications. So in Vista, normally you cannot log in to session 0, at least directly; session 0 is reserved purely for services, and everything else is given a numeric identifier on top of that. You can
set a session ID, but only if you're running as local system, or rather if you have TCB privilege, the Trusted Computing Base privilege; only then can you set the session ID on a token and create a new process in a different session. But there are some exceptions to that, and I'll show you some examples of this as we go along; basically, if you have certain access to system processes you can actually circumvent this TCB requirement. So now, a sort
of somewhat different thing from other operating systems: you can say explicitly which process is your parent. This was again added to support User Account Control, UAC, because when you create an elevated process you kind of want it to run underneath the process which asked for it to be created, but of course it's a separate service which is doing it, so in theory it would be parented by that service and you may not know what happened. So Windows now allows you to specify an explicit parent. You do need a certain access right, and this access right is basically sort of a write privilege: if you have write privilege to a process you can modify its memory, so normal users invariably can't access system processes this way, but administrators and other past operators can, and I'll show an example now. So
one common thing that people do is they want a process running as local system, because local system has more privileges, but they also want it to be an interactive process on their desktop. Generally, the way you do that is you download PsExec off the Internet and run that with -s -i, and it creates an interactive system process via a service. The thing is, that leaves a bit of a trace, and it's a bit obvious that you're trying to spawn a system process. But if you're an administrator you can just open a system process, specify it as your parent, and it will create you an interactive system process on your desktop that you can play with. So I've got a simple demo here. I've written up some basic APIs to play with processes, and hopefully I can release these fairly soon after the conference once I've cleaned them up, because some of the code is terrible. All it does is spawn a process using this, and it looks specifically for SearchIndexer.exe, which is running as system. So if the demo works, we should have it. OK, so we've got a process, we can look at that, and we should have the .exe running as local system, and it's obviously interactive because we can see it on our desktop. That's a really easy way you can do that, using CreateProcessAsUser or the CreateProcess API directly, and it's simple enough that hopefully you can do that yourself if you want to.
Now, each process has an identity of some kind, and its identity is defined by the process token. The token contains things like your groups, your user SID, what privileges you have, et cetera. Now, when you create a process you can in theory specify a new token. By default it will inherit the token, as we saw, from the parent; if the parent is local system then the new process will be local system. You can specify an explicit one, but you have to have the privilege to do so, otherwise you've only got a limited set of tokens you can assign, and that's related to a parent or sibling token relationship; if you don't have that relationship you can't assign it unless you have the privilege. So this allows you to do things like sandbox creation, creating a restricted process, but you can't create a system process just because you've got access to a system token. Now, we know about sort of
CSRSS and the pain that causes. CSRSS shouldn't be needed for the most part to run a process on Windows, but so many of the Win32 APIs rely on CSRSS having been initialized that basically you can't really get by without it, which is kind of a shame. Fortunately, if you're just playing with the low-level APIs you can actually create a process, and as long as it doesn't require a side-by-side manifest it will generally work. That demo I just had is a really, really simple Win32 process, but I have not actually registered a side-by-side assembly because that's a lot of extra complication. Instead, fortunately, the new process will register itself with CSRSS, which is kind of important, and we'll see a bug in that
later. OK, so again, if you compare to the Unix world, you're probably accustomed to inheritance of file descriptors, where when you fork a process your file descriptors by default will be inherited across that process boundary. Now, in Windows that's not the case; in Windows you have to explicitly say I want to inherit handles from one process to another, and not only that, when you do so you need to mark each handle you want to inherit explicitly, saying this handle is inheritable. Of course this actually causes some interesting problems, which they tried to solve using a handle list, where you can specify exactly which handles you want to inherit, but you can still only inherit handles which are marked inheritable, and you've also got to specify the inherit handles parameter with that.
So this is sort of the background, and it's going to be important for the later information. So what I'm now going to talk about is bug classes you can find in Windows. There are not too many of them, and if I'm not describing more of them, then that's down to how good a job Microsoft have done, but there are a lot of typical bug classes you can find which are related to process handling and which can be used to do elevation of privilege, and you can find them if you look: with reverse engineering, sticking in a debugger, or some basic dynamic analysis of the system you can find these bugs. The first few are
related very specifically to privileged process creation, or rather creating unprivileged processes by having a privileged service which, on your behalf, is creating new processes. A good example is the Task Scheduler: you specify a program you want to run at a certain time, but the Task Scheduler runs as system, it runs as a privileged account, so it needs to create that process for you at some later date, but it needs to do it securely. It can't spawn system processes, otherwise you've just got trivial privilege escalation, so it's created as the normal user, and it needs to do that in a secure way, because if it mishandles the APIs there could be security issues associated with it. So there is, and I don't know whether this
is actually documented by Microsoft anywhere, but there is kind of a canonical safe way of creating processes, and this is basically what you're supposed to do. Say, for example, the user requests a service to create a process for them but wants it to be done under their own user rights. You first need to get an impersonation token for that user, and that could come from RPC, could come from named pipes, depending on how you're calling the service. It then impersonates that user so that any subsequent access can only run with the rights of that user. Then you call CreateProcessAsUser, which is the Win32 API to specify an explicit token, passing the token you want to create under, while still impersonating the user, and that's very, very important, because if you
don't, bad things can happen. If you look at how the underlying API creates processes, when it opens the file it first goes OK, I need to open this file, I'm going to make sure that I force an access check, I'm going to make sure that this user is allowed to open this file; if they're not allowed, the file access fails and I throw it away. But of course there's no impersonation at this point; the token you've passed as the primary process token is not referenced in any way during this operation, so the only identity it'll get is the caller's identity, which, if it's a system process, is the system user, which means you could potentially open files you shouldn't be able to access. So the first bug class is this one: if you find a piece of code which creates a user process but forgets to impersonate the user while doing so, you can basically access files they shouldn't be able to access. I've got an
example here, issue 616. It's quite an old issue, tested on Windows 8, and basically it allowed you to spawn arbitrary processes even though you couldn't access the EXE file itself, so you could bypass the access control list on the EXE file and create a new process for the user. That's because of the way it works: once you've opened that file it doesn't matter that the user can't directly access that file, because it's already spawned the process and mapped the section into memory, so you can access it. So this is obviously potentially interesting: if a process has embedded strings, embedded passwords, which normally would be hidden away, you could get it opened and then extract the data. But as an added bonus, because you're running this as system, the creation of the process as the user actually bypasses the software restriction policy enforcement. It doesn't seem to bypass AppLocker because of the way AppLocker works, but it does bypass the old XP-style software restriction policies, so if you encounter some application which is deploying SRP you can basically use that to bypass it.
Looking at it from a different way: what if you're impersonating a user but something creates a privileged process while doing so? I'm not talking about the previous case. You may not think that's actually an issue; the worst-case scenario is it may fail to access an executable file it would normally be expected to access. Bear in mind this CreateProcess call doesn't have to be explicit; it could be something buried deep down in code somewhere that calls an API which calls an API which eventually spawns a helper process, not actually taking into account that someone higher up the stack is impersonating this user. But this does have an interesting security issue, namely that the create
process file open operation, which happens in NtCreateUserProcess, does not take into account that an impersonated user can redirect the C drive somewhere else. So if you're trying to create something under the C drive, for example, while impersonating a user, and the code doesn't specify the extra flag which they added for this, it becomes a successively more serious vulnerability than the previous one, because you can redirect the C drive. This C drive redirection basically works something like this: you find
your vulnerable service which does something, I don't care what; it may have to be creating a process, or it could be completely unrelated, but all you know is it's going to create a process while impersonating the current user. So the service impersonates and then calls CreateProcess to create a privileged process. Now, before we did this, we added a link in the per-user DosDevices directory saying the C drive, for this impersonated user, is this other location, here "fake directory number 1", so it's completely unrelated to the normal C drive. CreateProcess goes OK, I will call NtOpenFile, I want to open C:\somefile, for example, so we have a situation where, because it's impersonating, it actually redirects that access request to somewhere else under the user's control. Now, it's kind of important to note that when you create a process while impersonating, it doesn't inherit the impersonation token; instead it still has whatever the parent token is, so if it's coming from a system process you could be impersonating Joe Bloggs and it will still create a system process unless you explicitly tell it not to. So obviously, what happens if we point it at malicious.exe? Bang, all of a sudden we've got a system process running, because we redirected the C drive access to somewhere else.
So can you find any scenarios in which this actually occurs? Well, back in 2014 there was a bug (which I didn't find, I don't claim credit for that one) in ShellExecute; specifically it was a bug in the way ShellExecute handled .exe file content while running as SYSTEM. What you could do, if you're impersonating a user and call ShellExecute, is basically cause the .exe to be redirected anywhere you liked, and Microsoft fixed this. I've yet to ever be able to track down exactly what system service it was which was being abused; perhaps it used a third-party library which was causing the problem. But if you find anything calling ShellExecute while impersonating a user in a system service, that is, like, automatically vulnerable to these issues.
So you can kind of take a step back and think about it again: we've got two types of bug classes, but there's actually a more general bug class related to that. It turned out really the bug class is: are you impersonating a user which doesn't match up with the token you're going to create that process with? This sort of mismatched impersonation can be specified in terms of those two bug classes; this is sort of the general case. So it is possible to find bugs which actually exploit this particular scenario, where you impersonate one user while doing something else as a different user. And you can go and look up issue 692, which was a bug I found in CSRSS. Ostensibly it was something that helps the user in some way, but ultimately it lent itself to this. It's related to the CSRSS system service: you have an RPC server, and there was an RPC call called CheckVDM, and the purpose of this function was to check whether the Virtual DOS Machine was installed and enabled. I don't know why CSRSS had to do this, but CSRSS apparently did, so it checks the registry: is the VDM installed? It could just fail at that point, but no, instead it's really helpful and creates a new process on the user's desktop which says, hey, you may want to enable the VDM, go and get the administrator to enable it. And therein lies the problem, because what this call basically did first was impersonate the calling client and say, OK, I'm going to take your impersonation token and use that as the token I'm going to create the new process with. Then it did the right thing: it impersonated the client process over the call to CreateProcessAsUser. Surely that shouldn't be a problem? Well, instead of impersonating the token it already had, it opened the calling process object itself, extracted its primary token and used that as the impersonation token. It just so turns out that the user you're calling CSRSS as does not in any way have to match the primary token of the process you're running in.
So the thing I used to abuse this is something called the anonymous token. The anonymous token is a built-in token you can get by calling NtImpersonateAnonymousToken, and everyone can do it, everyone can use this, and for the most part it's utterly useless. The token itself is totally uninteresting: you have no groups, your integrity level is basically nothing, and you can do nothing with it for all intents and purposes. But crucially, what it does have is a session ID of 0, and that is interesting because if you can get processes into session 0, there might be something more interesting. So what happens is basically this.

Our user in session X calls CheckVDM by calling into CSRSS, and we do this while impersonating the anonymous token; there's basically no security stopping you from doing it, you can impersonate the anonymous token as much as you like. CSRSS goes, cool, I'll use your anonymous token as my primary token; it then opens the user's process, takes the process token and impersonates the user. That is the crucial bit, because the anonymous token has basically zero rights; if it didn't do this you couldn't even access the .exe file in order to spawn the process in the first place using the anonymous token. So by mismatching the impersonation token to the primary token we can use the user to open the .exe file and then assign the anonymous token as our primary token, and the ultimate result of that is we've got a new process running in session 0, because there's no better argument for it, running as the anonymous user. So what? This is the anonymous user, you've still got basically no access at all, you've got even less than you had before. Well, as long as we stop that process starting, we can use the API to set a new process token, and one thing I pointed out on the earlier slide is if you set a token on a process in a different session, that token automatically has its session ID set to the target process. So now we've got a session 0 application running as a normal user and we can do some fun stuff. OK, so what fun stuff?
OK, fine, maybe I'm wrong about this, and you have to be a long-time Windows researcher to get excited about session 0 access. Basically one of the interesting things in session 0 is that it's given a special place: whenever you create a named object in session 0 it's put under the \BaseNamedObjects directory in the Object Manager namespace. Now the problem is that system services also use that, because they're also running in session 0, and that would be a problem. So what happens is anything which isn't in session 0 is not allowed to create two crucial types of objects inside the directory: you can't create section objects and you can't create symbolic link objects. Otherwise you could do some fun stuff and basically name-squat on system service resources: you could have a service which might try to access a section, do some fun stuff with it, and you're already sat there with the name and redirect it to yours. Fortunately, if you're running in session 0 you can do all the name squatting you like, you can squat everywhere, and use that to basically abuse existing system services, because system services don't even expect that it can happen anymore; it shouldn't even be possible for a normal user to be in session 0.
So how do you find these, if you're so inclined? The trouble with this is a lot of it relies on the sort of current state of the operation, who's impersonating what, and I think this is really more of a dynamic analysis kind of thing. So the best way I've found is Process Monitor. Just use Process Monitor and look for anything which is opening a file for execute access; that's kind of a rare thing to do. Most of the time files are not directly opened for execute access other than the executables and the DLLs, so you can limit it to those files and be sure that it will actually work. Also it has, in its event details, a field which says whether it's impersonating or not, so doing a simple filter like this you can see any operation which is either impersonating while creating a process or not, and those are the ones creating a process. It's worth pointing out you can also look for things with the mismatched creation, looking for, say, something impersonating SYSTEM or some other user and creating a process as a different user; unfortunately that's not quite as easy to see in Process Monitor, but with a bit of playing around you can see it. So those were bugs
which manifest because of incorrect coding in privileged services doing stuff on the user's behalf, because unfortunately there's no easy way; as far as I know there's no documentation which says exactly, you must do this otherwise there's a potential security issue. It could be somewhere; I'm sure Alex will tell me when and where it may be documented. But this next one is more about how Windows actually works, how Windows handles kernel objects and how Windows handles processes. When you create a process, your process ends up in an initializing state of some kind: it's currently not running, it needs to initialize itself, most DLLs aren't loaded yet. But when you first start the initial thread it will transition into a running state; it will start its initialization, start running, and then, once it's active, you can go from running to suspended. This is like when you're debugging: whenever you hit a breakpoint, the debugger will stop all the other threads, suspending the process. And finally, obviously, the process exits or is explicitly terminated and ends up in a terminated state. Very simple. Now, underneath the hood,
a process has a kernel object, the process structure, which represents what that process is, and kernel objects are lazily deleted; they're reference-counted objects and until all references go away the kernel will maintain that object indefinitely. Now there are two reference counts: the pointer reference count, which is the kernel's; the kernel can access the pointer and increment the reference count directly. But also user-mode code can have handles to the process, which also has an implicit reference count. So until both of those values get to zero, that process will stick around forever. Now actually a process isn't sort of an isolated object; it has references to other objects, and you can see various different things here. You've got the section object and the file object, these are references to the file and section it was created from; it has a token object; but then on the other side there are the threads of the process, and they also reference the process structure, and that becomes quite important, because when you terminate a process, by default what happens is everything goes away except the process structure and the token structure. Everything else is dereferenced; that doesn't mean it goes away, but everything else gets dereferenced. If you maintain a handle to a process after it's terminated, the process still sticks around, and that's intentional. The reason for that: for example, if I want to know the exit status of a process, how could I find the exit status of the process if the kernel had deleted the process after it terminated? So long as you have a handle to it you can still query the exit status. So, you know, you find on most
systems a number of terminated processes which are just sort of sitting around doing nothing, and obviously not running. So on here, for example, I have three processes which have just sort of exited; something is maintaining a reference to them, conhost is maintaining a reference to them. But if you go and look at the list of processes you probably won't find these processes; they're kind of hidden from the system because they don't run anymore, but they are still around, the kernel object is still sat there in memory and can be interacted with. Now, accessing my own terminated process isn't actually that interesting, but one interesting scenario is: what if a terminated process from me was in a different session, and it's gone, but something kept it lying around so that we didn't have to delete it? Would that be interesting? Well, of course, I've got a
bug report about this, and this is a bug which basically allowed you to do that; you can read a bit more about it in the blog post. Basically the NtCreateLowBoxToken function, which is used to create tokens for AppContainer applications, took a list of handles. This is ostensibly for maintaining all your AppContainer-specific configuration, object directories and so forth, but it never checked what handles you're passing. So, for example, you could pass it a thread handle and it would take a reference to the thread handle, and the reference would be maintained as long as the token survived. So if you do something like this: I can create a token object which references an existing thread, and now the token object holds a hard reference to my thread object. I can then assign that token as the impersonation token to a thread, and now the thread maintains a hard reference to my token object. Obviously that's a reference cycle and there's no way of breaking a reference cycle or disassociating the two. Now, because my thread is maintained, it maintains the process, the process maintains its token object, and this is unkillable. Well, it's already dead, it's terminated, but there's nothing you can do about it; it's just sitting there in memory stuck because of the reference cycle. So let's say, for
example, I'm logged into a terminal server and I'm running in session X. I do my reference cycle trick and I log out, and that kills every process, but it doesn't actually kill my process, so it sits there forever in an undead state. I can then log back in, and because I own that process I can reopen it as much as I like, and by reopening the process I get back a process token with session X. Normally I would not be allowed to set session X explicitly, but I can get it, effectively a use-after-free associated with that. So I then clear the reference cycle so that the session can now end, and you've got an unused, pristine session just waiting for someone to log in to it, like an admin; you'd obviously need some other problem with terminal services, like an admin logging in to a place like this, but whatever. The way in which we have a use for this is you can then impersonate that token, because, as the diagram I showed before says, a process token is the same as a user token, so it's usable as an impersonation token. I can impersonate that token quite happily as long as it's me, and it's fairly easy to impersonate yourself. We then impersonate ourselves and what that does is create a new process running in session X, because the process creation never bothered to check that it shouldn't create something in that session; it just blindly trusted you: you gave me this impersonation token, I assume you're in session X, I'll create your process there. At which point you could start interacting with parts of that admin session and start doing nasty things. OK, so you can
look at some of the bugs, and obviously there's a bit more information in the blog posts about this. But I thought maybe I should do something a little bit different from my usual bug talks: let's take into account what the CreateProcess APIs do. Can I just be a bastard to incident responders in some way? Are there things I can do with low-level tricks so that if they come and try to inspect my machine they either get the wrong answer, or they find that the process they were looking at is something else? Let's start off with fooling WMI. WMI seems to have had a resurgence of late, because PowerShell makes it really easy to remote WMI, and remote WMI is a common thing these days: to go and do something like, I'm going to inspect this remote system, I want to know what processes are running on it, so I enumerate the processes, job done; that gives me the list of processes on that box. So it would be interesting if we could hide processes from WMI. Now, I haven't found a way of hiding processes, but I can trick WMI in such a way that it thinks my process is a completely different process. To understand why that happens we just have to look at WMI itself. Now, most of the time, if you run, say, Process Hacker, it gives you the list of executables running; it'll tell you, say, Notepad is running. How does it find that out? Invariably it will open the process and use an API call to get back the file name for that process, and that'll tell you exactly what it is, because it's based on the file object and the section object from which it was created. WMI, when this code was written, maybe the API wasn't reliable or didn't exist, it's possible; instead it takes a different tack: it reaches into the process and starts reading out data, it reads the RTL_USER_PROCESS_PARAMETERS structure. Now this process parameters structure, as I showed at the start, is just copied verbatim into the process; in fact even an existing process can modify its user process parameters. So what we can do is specify an arbitrary image path and completely confuse WMI as to where our code is actually running from.
So, as a quick demo, we've got trick WMI. I'm going to run my demo application and I'll print out the process name, which will prove that I've created it under a different process, and then run a simple WMI query which will return me back the executable path of the process. So we have a process, and if we look here, we've opened a different notepad.exe, which is not C:\Windows\notepad.exe, but as far as WMI is concerned we're running C:\Windows\notepad.exe. And now Process Hacker, and you can see, in the environment, Process Hacker is quite happy to say the proper place. And if you run that wonderful tool Process Explorer you'll find, as you see, it definitely fixes on Notepad and even gets the icon; it's taken the icon from the faked path, it's being a bit lazy there. The thing is Process Explorer uses WMI for the initial enumeration of all processes, and this is kind of interesting.
So that achieves about half my points, but only remotely, or only if you're relying on Process Explorer, because Task Manager is also clever enough to work out what the correct name is, using the same APIs. So how about we just up our game a bit: can we get rid of the process's file? I've yet to find a way of getting a process created which actually isn't backed by an executable on disk; sure, maybe there's a way, but obviously the leading means is to make the process then delete the file, or even overwrite the file so that you can't see it. Trying to do that with a running process doesn't tend to work so well: the OS complains that demo.exe is open in demo.exe, thanks, as an image, and so we can't interfere with or delete it. But if we go
back to how NtCreateUserProcess opens files, we notice something interesting. When you create a user process, and this is kind of an aside because this is the behaviour of CreateProcess originally, when it was all done in user mode, it allows you to open the file with additional file access. You can specify, like, I want to open it with these access rights, because CreateProcess wants to be able to read the executable file afterwards, so it specifies, say, I want read data permission on this file; when NtCreateUserProcess returns it returns the file handle, and CreateProcess can then read it out quite happily. But there's no restriction on what file access we can specify. So what if we specify write access to that? We'd have a write handle, and what could we do with that? Well, we could erase the file. So what I'm doing here: I'm going to CreateProcess, I've specified that I want GENERIC_WRITE additional access to the file, and now when it comes back I can get my file handle and all I do is blast it with zeros to get rid of the executable. Because of the way image sections work, the image section is loaded in memory, so the process runs, but the file is now all zeros; it's empty. So if I run this: we've got a process and I've just zeroed it. Interestingly, while you maintain a write handle to that file no one else can open that file, because it's locked by the share access, so I close the handle, and then if we go into Process
Hacker and, like, you might say, OK, I want to inspect this, I want to inspect the strings in memory; OK, let's go to the memory sections. Nothing of interest; I think I'm going mad. Going to Process Explorer, as you see, obviously in the image there are no strings at all. Then you may think, big deal, but in memory there are no strings either, because it's reading the PE file to work out where the image section data should be in order to work out the strings, and there is no PE file, so it's completely confused. And if you, for example, go back to Process Explorer, it has like an inspect button; there is the file, and we've just got an empty file, all zeroed out. You can't imagine that being good; obviously it would be better if it were deleted.
It would be great if we could just delete the file. Well, deleting the file is a bit awkward. Again, you can kind of do this, it's a bit easier if you hollow the process, but then you've got to do all the horrible stuff of actually rebuilding the entire process and creating a process from scratch. The trouble is when you create an image section, the OS locks the file, so even when you try and issue a delete command to the file it goes, sorry, that file's locked, you can't actually delete it. Interestingly, you can specify beforehand that you want to delete a file, and then the file only gets deleted when the last handle to that file closes. Unfortunately, if you close it while the file is locked, the driver goes, sorry about that, the file's locked so it's still not deleted, and you have to trust me on that. So we need to somehow make the delete-on-close file handle close after our process goes away, because remember when our process terminates, its file handle and section handle go away; that then unlocks the file and then we can actually delete it at that point. So I can do the following here.

So this is kind of self-deletion-ish, self-deletion in inverted commas, really, but the idea is this. When we create the process originally, we can open the original file with DELETE access, and we can do this because, for whatever reason, the kernel opens the file with FILE_SHARE_DELETE, which means it can share the file handle with a file opened with delete permission. We then create the new program.exe process and give it this handle; this is inheritable, so program.exe can then do whatever it wants with it. Now in this case program.exe is a command-line application, which since Windows 8 or above creates the conhost.exe process; conhost.exe is what actually displays the console window. What we do is pass the handle to conhost.exe, and the reason for this is we know conhost will wait for all its processes to go away. Once program.exe closes, conhost.exe wakes up and goes, I now need to terminate, I need to close my window, and it dies. But at this point all the processes are gone, and as conhost closes that handle the file gets deleted for us. So basically if you kill program.exe, conhost.exe will go away and the file will get deleted, and you'll find nothing there; when it terminates the deletion succeeds. So, very good.
Here's the self-delete. So in this case we pre-open the file for the access we want, we specify delete-on-close as one of our access requirements, so that when all the handles close it will do it, and then we create the process, and then the magic happens, for some definition of magic. So self.exe is sitting there waiting to be deleted; we can also see that conhost.exe actually has a file handle to self.exe. So if we now close that, because it's done, you can see it should terminate, right, and so if we press enter, self.exe should go away. Bye bye. And self.exe goes away and it's gone. OK, the last one; this is something
which Alex mentioned before, I think. I've just demonstrated this kind of unexpected functionality, and as you see there, how come they've gone to all that effort to block this: if you try and create a process from a DLL file, it will fail. That kind of makes intuitive sense: why would you try to create a process from a .dll, like a dynamic link library? It seems to make no sense at all, and the .dll check obviously has an effect. Now it doesn't have to be that way; it can be something else entirely. Basically CreateProcess internally sets a special flag in the creation info which says, if the executable file is a DLL then don't allow it. This is actually just a standard bitmask, so for example, if you're feeling desperate, you can tell it, I want you to create a process from a file which is not actually an executable; that probably won't work very well, but it does actually work, strangely enough. If you zero this out you can create processes which are actually backed by DLL files. So, final demo of the day.
So in this case I create a process from the DLL, and I'm also going to run the DLL in rundll32, which loads a DLL file, just to demonstrate that we can actually do the same thing twice and it will work. So here are two processes, and obviously, nice. Now, if we do this, rundll32.exe is apparently test.dll, according to this. So the DLL could just be a renamed .exe, you might say, but of course if we look we can see that rundll32 is running and we should have test.dll loaded somewhere; apparently not. So a very simple demonstration that there's some underlying truth there, but there is a process there, and in a complete absence of alphabetical order this appears at the top.
So you can do that, and maybe an incident responder will get a bit confused: why is it really a DLL? And then it's gone. So obviously the underlying APIs have some unexpected behaviours when it comes to this, but also the documentation, in hindsight, is a bit lacking when it comes to securely creating new processes, in system services especially, and also dealing with the reference cycle. My initial thought when I found the reference cycle was that it's a local DoS: you can basically capture the file handle and never let it go, and the admin can't see the process and can't kill it, and even if they could see the process that wouldn't actually help. But actually it's fairly, potentially, dangerous, and it's not even as if you need a bug; for example, in a terminal server scenario, if you have two users who cooperate, one user can open one of the other user's processes and use that as a mechanism through which to maintain a reference count. So potentially there's some fun to be had in this area. So thanks for listening to me, and I'm willing to answer
questions, basically, when I have time; I'm around later in the day or tomorrow and I'll be around. Thanks very much.
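The following is an added example, not part of the talk or its demos, of the check an incident responder would want for the WMI confusion described above: compare the image path WMI reports for each process against the path the kernel reports for the same process. It assumes, as the talk states, that Win32_Process.ExecutablePath is read from the process's own user process parameters (and so can be spoofed by the process), while QueryFullProcessImageNameW is answered from the image section's file object. The function names Get-KernelImagePath and Find-ImagePathMismatch are mine, not Windows APIs.

```powershell
# Added example (not from the talk): flag processes whose WMI-reported image path
# disagrees with what the kernel reports for the same process.
# Assumption: Win32_Process.ExecutablePath comes from the PEB's process parameters (as the
# talk states), while QueryFullProcessImageNameW is backed by the image section's file object.

Add-Type -Namespace Win32 -Name Native -MemberDefinition @'
[DllImport("kernel32.dll", SetLastError = true)]
public static extern IntPtr OpenProcess(uint dwDesiredAccess, bool bInheritHandle, uint dwProcessId);

[DllImport("kernel32.dll", SetLastError = true)]
public static extern bool CloseHandle(IntPtr hObject);

[DllImport("kernel32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
public static extern bool QueryFullProcessImageNameW(IntPtr hProcess, uint dwFlags,
    System.Text.StringBuilder lpExeName, ref uint lpdwSize);
'@

$PROCESS_QUERY_LIMITED_INFORMATION = 0x1000

# Ask the kernel (not the process) where the image came from.
function Get-KernelImagePath {
    param([uint32]$ProcessId)
    $h = [Win32.Native]::OpenProcess($PROCESS_QUERY_LIMITED_INFORMATION, $false, $ProcessId)
    if ($h -eq [IntPtr]::Zero) { return $null }   # protected processes, System, etc.
    try {
        $sb = New-Object System.Text.StringBuilder 1024
        [uint32]$len = $sb.Capacity
        if ([Win32.Native]::QueryFullProcessImageNameW($h, 0, $sb, [ref]$len)) {
            return $sb.ToString(0, $len)
        }
        return $null
    } finally {
        [void][Win32.Native]::CloseHandle($h)
    }
}

# Compare WMI's answer (read from inside the process) with the kernel's answer.
function Find-ImagePathMismatch {
    foreach ($p in Get-CimInstance -ClassName Win32_Process) {
        if (-not $p.ExecutablePath) { continue }           # WMI has nothing to compare
        $kernelPath = Get-KernelImagePath -ProcessId $p.ProcessId
        if (-not $kernelPath) { continue }                 # could not open the process
        if ($p.ExecutablePath -ine $kernelPath) {
            [pscustomobject]@{
                ProcessId  = $p.ProcessId
                WmiPath    = $p.ExecutablePath             # what the process claims
                KernelPath = $kernelPath                   # what it is actually running from
            }
        }
    }
}

Find-ImagePathMismatch | Format-Table -AutoSize
```

Run it in an elevated PowerShell so that more processes can be opened; processes that cannot be opened at all are skipped rather than reported, so an empty result means no opened process disagreed, not that nothing is hidden. A mismatch is exactly the condition the talk's trick produces: WMI repeating a spoofed path while the kernel still points at the real backing file.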