Slashdot Mirror

← Back to Stories (view on slashdot.org)

Vista Protected Processes Bypassed

Posted by CowboyNeal on from the falling-confidence-levels dept.

Anonymous Hero writes "Security Researcher Alex Ionescu strikes again, this time with a proof of concept program that will arbitrarily enable and foremost disable the protection of so-called 'protected processes' in Windows Vista. Not only threatening Vista DRM and friends, it's also another step towards hardened and even more annoying malware. Normally, only specially signed processes made by special companies (decided by Microsoft) can be protected, but now the bad guys can protect any evil process they want, including the latest version of their own keylogger, spambot, or worm, as well as unprotect any 'good' one."

4 of 221 comments (clear)

  1. Re:Wait, wait... by Guilly · · Score: 4, Informative

    There are ways, using the windows API, for any process run with Debugger privileges (any Administrator really) to read,write,terminate,create threads, etc in any other process. This was true in Windows 95 and still is in XP and probably Vista, except for protected processes.

    It's not like they can just create a pointer and address the other memory space but using the API they can achieve the same thing.

    This is what allows programs like xfire to inject into your game process or (as they mention in TFA) allows Warden to peek inside all processes to see if they are evil.

  2. This is how it's done by Anonymous Coward · · Score: 5, Informative

    The tool needs to be run with elevated privileges (otherwise it will not work). It decompresses a 848 bytes driver and loads the driver. The driver does nothing but set bit 11 (ProtectedProcess) of the Flags2 bitfield (offset 0x224) of the corresponding _EPROCESS structure of the process to be modified. However, this requires the neccessary rights to load and install a driver...and as we all know, once being in kernel mode there's no real protection against malicious code...

  3. Re:Source code by eddy · · Score: 4, Informative

    Seems to contain a compressed buffer with a .sys driver that is decompressed with a call to RtlDecompressBuffer and hidden away by writing it to the alternate stream "%SystemRoot%\system32\drivers\crusoe.sys:drmkaud. sys", and then there's a registry update to load the driver.

    Someone who cares should write out the compressed buffer and disassemble that.

    --
    Belief is the currency of delusion.
  4. Re:Other OSes by I(rispee_I(reme · · Score: 4, Informative

    Actually, Windows versions as early as 2000 use a whitelist method of "protecting" processes: If the process name matches a hardcoded list, then task manager will refuse to kill it. This is so broken it's ludicrous- simply rename your process to any of the ones on the list, and it becomes unkillable. Programs such as PSkill will kill all processes, regardless of name.