Slashdot Mirror

← Back to Stories (view on slashdot.org)

Vista Protected Processes Bypassed

Posted by CowboyNeal on from the falling-confidence-levels dept.

Anonymous Hero writes "Security Researcher Alex Ionescu strikes again, this time with a proof of concept program that will arbitrarily enable and foremost disable the protection of so-called 'protected processes' in Windows Vista. Not only threatening Vista DRM and friends, it's also another step towards hardened and even more annoying malware. Normally, only specially signed processes made by special companies (decided by Microsoft) can be protected, but now the bad guys can protect any evil process they want, including the latest version of their own keylogger, spambot, or worm, as well as unprotect any 'good' one."

11 of 221 comments (clear)

  1. Can we have Source? by Anonymous Coward · · Score: 2, Interesting

    I most certainlly hope he releases the source for this. We *know* the bad guys will invent the time to figure out how this works. Let's be on level ground, shall we?

  2. Wait, wait... by kripkenstein · · Score: 4, Interesting

    A typical process cannot perform operations such as the following on a protected process:
    [...]
    Access the virtual memory of a protected process
    It's been a while since I knew squat about operating system internals, but aren't processes supposed to not be able to access other processes' memory anyhow? I assume, then, that this means that 'protected processes' are special in that they are also protected from any 'supervisor'-type processes, not just run-of-the-mill? In that case, are 'protected processes' meant to protect the kernel from itself, in some sense?

    Most likely I am missing the point here, and can't understand TFA accordingly. Somebody please set me straight.
    1. Re:Wait, wait... by randyflood · · Score: 2, Interesting

      I could be wrong, but I think Windows (2000, XP) generally allows processes running under the same user to look at each other's memory and such. This is useful when you want to debug a program or whatever. It's generally designed to protect users from each other, rather than protect users from themselves.

      --
      Randy.Flood@RHCE2B.COM
  3. possible silver lining by Trailer+Trash · · Score: 3, Interesting

    Could this technology be used to make a file copy command for Vista that isn't dog slow? Just wondering...

    --
    Do you have ESP?
  4. Again? by Proudrooster · · Score: 2, Interesting

    VISTA hacked again? In about three years I predict this OS will actually be usable due to helper apps which allow end users to use the computer as they see fit, instead of how MS and friends think you should use it. DRM is such a waste of human resources, but I guess this is the game we have to play.

    Bill Gates wants more cheap labor to waste of useless software. What a waste of human intellect and talent. How about making the computer RUN faster, be more intuitive, and reliable?

  5. Looks like 32-bit by figleaf · · Score: 3, Interesting

    I would like to see him do this in 64-bit.
    32-bit allows unsigned code in kernel mode for legacy reasons so its much more easier to inject into 32-bit processes.

  6. Re:Can't beat em, join em? by sjames · · Score: 3, Interesting

    That's MS's big problem. A LOT of people WANT them to fail because they're MS. Because fundamentally, a computer and it's OS is supposed to do what the user wants, not what Bill Gates, the RIAA and the MPAA want it to do. There are enough people out there who know how to hack it up so it actually does do what they want. The more pragmatic ones WANT MS to fail because that's how to crack the content they want.

    Once the hacking is accomplished, a significant number of people will then abuse that code to get other people's computers to do what THEY want rather than what Bill wants (doing what the user wants is simply not up for discussion).

    The real beauty here is that the "bad guys" are turning the OS's own features against the creator (the other bad guys). The divine appropriatness of that is simply irresistable.

  7. Re:In related news by cduffy · · Score: 4, Interesting

    The only infection my home Windows system has ever had came from a MySpace page my wife was browsing. Both of us appreciate good porn, and use that system for viewing it -- and, as I said, the only infection we've ever had was from MySpace.

    The parent is not necessarily too uptight to admit surfing porn.

  8. Re:In related news by erroneus · · Score: 5, Interesting

    I rather liken Vista to WinME. But every time I say so, someone chimes in saying Vista is the best thing Microsoft ever did or that Vista sales have set new records here or there or somewhere.

    Vista goes way ot of its way to reduce functionality for the user in order to make content providers happy. Think of what that really means. Company A sells something to Consumer A but that something is disabled in order to make Company B happy. Company B is happy because they can continue their old business model and maintain their dominance if and when they finally move into new business models when they feel ready. Meanwhile, companies C, D and E through M move to create, innovate and design new things only to be prevented by both Company A and Company B. Depending on how this is done and how much evidence can be produced, this is illegal behavior.

  9. No, debuggers can't have special privileges by DeadCatX2 · · Score: 2, Interesting

    When you start a process, you start it with a certain set of privileges. If you're logged on as administrator, your calls to CreateProcess can start processes with a different set of privileges.

    When you make a Windows API call to something like CreateRemoteThread, you need a handle to the process you're interested in. If the right security bits aren't set (and they get set by the call to CreateProcess), CreateRemoteThread returns unsuccessfully.

    Anyway, what could you do to give debuggers special privileges that you could prevent other people from using?

    --
    :(){ :|:& };:
  10. Re:In related news by Master+of+Transhuman · · Score: 2, Interesting


    I'll tell you, personally I think porn sites don't need malware. They KNOW what you're there for - they don't need to slap adware on your system to get you to come there. I've always had some spyware protection back when I was running mostly on Windows 2000 and XP, and I surfed porn sites frequently (albeit with Opera originally and later Firefox, more than IE, so my exposure to ActiveX was minimal) and I very rarely got any spyware according to my utilities.

    Basically ANY sleazy commercial outfit will slap spyware on your system. I have clients whose kids or spouses spend a lot of time on sports sites and retailers of sport shoes - and they get tons of spyware from those sites. Porn definitely isn't the primary problem.

    --
    Richard Steven Hack - This sig is TOO GODDAMN SHORT TO DO ANYTHING USEFUL WITH! MORONS!