Slashdot Mirror
Vista Protected Processes Bypassed
Anonymous Hero writes "Security Researcher Alex Ionescu strikes again, this time with a proof of concept program that will arbitrarily enable and foremost disable the protection of so-called 'protected processes' in Windows Vista. Not only threatening Vista DRM and friends, it's also another step towards hardened and even more annoying malware. Normally, only specially signed processes made by special companies (decided by Microsoft) can be protected, but now the bad guys can protect any evil process they want, including the latest version of their own keylogger, spambot, or worm, as well as unprotect any 'good' one."
I most certainlly hope he releases the source for this. We *know* the bad guys will invent the time to figure out how this works. Let's be on level ground, shall we?
All of this "security" is just crap if it can apparently be exploited so easily.
No, this feature is available only in Windows Vista.
With that OS protected space in Windows ME?
I clearly remember being called to help a friend with a spyware/malware problem, discoverng he had ME, and going out to buy a copy of XP to replace it.
I like you, Stuart. You're not like everyone else, here, at Slashdot.
The problem with this is that the said paid hackers get better pay working on the exploits on their own and selling them in the black market. A lot of exploit code goes for $5000 a pop to the people who use it, and there are plenty of buyers (and it is not like they can't sell to multiple people, and make N*$5000 for a single good exploit). Heck, something like the above would easily sell hundreds or possibly thousands of times for $5000 a pop. Can most software companies afford to pay hackers the $300,000-500,000 a year that a good one could easily make off a single exploit?
We were all warned a long time ago that MS products sucked, remember the Magic 8 Ball said, "Outlook not so good"
...to start considering Vista as an usable OS.
Most likely I am missing the point here, and can't understand TFA accordingly. Somebody please set me straight.
http://nyamenation.org/
I miss the days when I gave my computer commands not suggestions. This whole "protected area" stuff just pisses me off.
We are all just people.
He [Alex Ionescu] is also a Microsoft Student Ambassador and is representing the company on campus as a Technical Rep.
not for long, I bet.
Stop Computers/Cars Analogies on S
>>Can most software companies afford to pay hackers the $300,000-500,000 a year that a good one could easily make off a single exploit?
Microsoft can.
yes, it would make a nice tool for you to administer your systems. or for anyone out there to "administer" for you.
We are all just people.
Sure, but what kind of employees do these people make? And will they have the same motivation if they are being paid to do it? It is highly variable. You're little website is one thing, but if you're microsoft, you have a lot to lose. Maybe the hacker just wants to get on the inside to get better info for future illicit hacks... or worse, put in backdoors.
-matthew
"THERE IS NO JUSTICE, THERE IS ONLY ME." -Death
No, other operative systems don't have this stupid notion of "protected processes", not even XP has it, only vista.
Do you really think so? Why would MS pay someone $300,000-500,000 when they have people who get $70,000 that could simply scan the code itself? They won't upset their current pay scales and pay grades to place "hackers" into their business units. For one, many of those "hackers" are hackers because they have a record of conduct that does not work in a normal business environment. Be it social, societal or other issues (potentially and not limited to criminal and trust issues). In fact, some people many not even be employable due to said activities due to security reasons.
Again, MS sure isn't going to hire a hacker who is paid more then their bosses and that is for sure.
We were all warned a long time ago that MS products sucked, remember the Magic 8 Ball said, "Outlook not so good"
no one is a low life for holding on to their code. this guy just cracked the one of the strongest features of Vista. A system that took five years and a billion dollars to produce. About two months after public release and this guy has broken the "heightened security" wide open. If Symantec wants the code they should pay for it or figure it out themselves. Symantec doesn't give me anything for free. If you're using Vista, then you're an early adopter and need to deal with that, just thank this "low life" for providing you with a binary tool you can use if you get into trouble.
Under the influence of Post-Cyberpunk Gonzo Journalism
Genuine Advantage seems to now benefit the bastards too.
Could this technology be used to make a file copy command for Vista that isn't dog slow? Just wondering...
Do you have ESP?
If you build a house out of hardened excrements, it is still a house built out of shit even if you paint it pink.
[alk]
Considering the executable is just about 6K and doesn't seem protected/compressed, reversing it ought to be fairly trivial. Try the demo version of IDA.
Belief is the currency of delusion.
VISTA hacked again? In about three years I predict this OS will actually be usable due to helper apps which allow end users to use the computer as they see fit, instead of how MS and friends think you should use it. DRM is such a waste of human resources, but I guess this is the game we have to play.
Bill Gates wants more cheap labor to waste of useless software. What a waste of human intellect and talent. How about making the computer RUN faster, be more intuitive, and reliable?
all DRM issues aside, i'm surprised nobody has brought up new antitrust charges, especially in europe, for this idea that microsoft is allowed to deny a company the ability to use process protection.
by doing that they give incumbents an advantage over others and are using their OS to exapand monopoly interests into other sectors.
VLC FOR MAC IS DYING! IF YOU DEVELOP, PLEASE SAVE IT!!
"Protected processes" are a reasonable idea. They're certainly better than putting video and audio processing in the kernel as part of the DRM system. But apparently Microsoft botched the implementation.
Microsoft has for some years allowed processes to do too much to other processes. Things like "injecting" a DLL or thread into a running process from the outside, or "hooking" system calls, are inherently security problems. In the Windows world, normal processes can do that to each other. This tends to be overdone, with too much "hooking" of system calls and such, a tradition from the DOS era. The UNIX/Linux world doesn't have that tradition. Fortunately.
In the Linux world, the things you can't do to a Microsoft "protected process" are roughly equivalent to the functions of the PTRACE call. In SElinux, the mandatory security system controls which processes can use PTRACE on which other processes. So SELinux already has "protected processes", but with a better security model.
If we have to have DRM, protected processes aren't a bad idea. But what you want is for them to be compartmented, not privileged. They should be running in a compartment which prevents other processes from attaching to them, but they don't need the privilege of attaching to other processes. So the video decoder can be protected, but doesn't have enough privileges to act as an aimbot for some game. The security system for a game should be able to lock the game processes into a compartment which other processes cannot enter, preventing cheats. Enforce separation, not privilege.
So get off your old, tired, 20th Century horse and get with the new paradigm.
Just a suggestion of course.
Faster! Faster! Faster would be better!
> Why can XP and Windows 2000 play encrypted files?
The ability to play some DRM'd files was also added to XP and Windows 2000. I assume you already knew that though...
I'll probably be modded down for this...
http://www.microsoft.com/whdc/system/vista/process _Vista.mspx
Protected processes have additional security restrictions, but apparently in vista, they are strange beasts. Parent processes can always obtain a handle to a child process. So, you can't have a child process become a true daemon?
Processes can "inject threads" into other processes? Buhuh?
Here's apparently more of what processes can't do to Protected Processes do in Windows:
Inject a thread into a protected process
Access the virtual memory of a protected process
Debug an active protected process
Duplicate a handle from a protected process
Change the quota or working set of a protected process
So yer telling me, normal processes can do this to other normal processes in windows?
Irrespective of any kind of access restrictions on Linux, process memory space is a lot more sacrosanct. To even get the same level of process seperation would apparently require the setting of a lot of ACLs in windows, if it can be done at all.
The footnote at the end is the best though!
"Do not attempt to circumvent this restriction by installing a kernel-mode component to access the memory of a protected process because the system and third-party applications may rely on the fact that protected processes are signed code that is run in a contained environment. "
Please play nice with our restriction scheme!
I bet this is what our enterprising hacker has done.
Before MS sics their lawyers on me, the above quotes were used for the purposes of review.
The tool needs to be run with elevated privileges (otherwise it will not work). It decompresses a 848 bytes driver and loads the driver. The driver does nothing but set bit 11 (ProtectedProcess) of the Flags2 bitfield (offset 0x224) of the corresponding _EPROCESS structure of the process to be modified. However, this requires the neccessary rights to load and install a driver...and as we all know, once being in kernel mode there's no real protection against malicious code...
Seems to contain a compressed buffer with a .sys driver that is decompressed with a call to RtlDecompressBuffer and hidden away by writing it to the alternate stream "%SystemRoot%\system32\drivers\crusoe.sys:drmkaud. sys", and then there's a registry update to load the driver.
Someone who cares should write out the compressed buffer and disassemble that.
Belief is the currency of delusion.
I think history has shown that no matter how hard you try you cannot create a doorway in software protection and only expect to let those you want get through. The nature of software today is so fluid that it's possible to make your way through the door by imitation, brute force, social engineering, etc. Microsoft does not seem to grog this. Neither do DRM propenents. Information will find a way to get through, around, over and above, and beneath all obstacles.
So what do you do? Well, one thing you don't do is provide special security rights to only certain approved software.
The only true answer is open software and education. People who don't know how to use their computers will be attacked. They will be compromised. If you can't control yourself on the internet and local networks, you will lose the right to control your computer because someone will take it from you. If you run unknown and untrusted programs, you face the risks. Your online habits help determine your exposure. If you absolutely must visit 'free porn', warez, social networks like MySpace, etc websites, then do so with caution tempered by proper education on how to isolate your important, sensitive data, from the rest of the crap you are willing to lose. You are better off simply not visiting sites of that nature. But if you are going to, at least understand how to keep yourself safe. Because no software written today is going to be able to do it for you. There will always be software out there capable of getting around it.
In the end, to the wolves go the slowest, weakest sheep. It's natural. Don't be one of them.
I do not respond to cowards. Especially anonymous ones.
I would like to see him do this in 64-bit.
32-bit allows unsigned code in kernel mode for legacy reasons so its much more easier to inject into 32-bit processes.
Why would anyone bother putting in more backdoors to the OS equivalent of Goatse ?
Forget magic. Any technology distinguishable from divine power is insufficiently advanced.
That's MS's big problem. A LOT of people WANT them to fail because they're MS. Because fundamentally, a computer and it's OS is supposed to do what the user wants, not what Bill Gates, the RIAA and the MPAA want it to do. There are enough people out there who know how to hack it up so it actually does do what they want. The more pragmatic ones WANT MS to fail because that's how to crack the content they want.
Once the hacking is accomplished, a significant number of people will then abuse that code to get other people's computers to do what THEY want rather than what Bill wants (doing what the user wants is simply not up for discussion).
The real beauty here is that the "bad guys" are turning the OS's own features against the creator (the other bad guys). The divine appropriatness of that is simply irresistable.
When you start a process, you start it with a certain set of privileges. If you're logged on as administrator, your calls to CreateProcess can start processes with a different set of privileges.
When you make a Windows API call to something like CreateRemoteThread, you need a handle to the process you're interested in. If the right security bits aren't set (and they get set by the call to CreateProcess), CreateRemoteThread returns unsuccessfully.
Anyway, what could you do to give debuggers special privileges that you could prevent other people from using?
:(){
Actually, Windows versions as early as 2000 use a whitelist method of "protecting" processes: If the process name matches a hardcoded list, then task manager will refuse to kill it. This is so broken it's ludicrous- simply rename your process to any of the ones on the list, and it becomes unkillable. Programs such as PSkill will kill all processes, regardless of name.
Agree with you. If I am the computer _administrator_, I want complete and utter control over what is running on the machine. It's all or nothing.
The vista model of watered-down administrator may make life easier for migrants from Win 9x, but ultimately restricts the functionality for high-end users.
I'd rather they still allowed full, uber-privileged rights to one account - be it administrator or whatever, irrespectve of what additional restrictions MS choose to place on other "administrator" accounts (which are apparently degraded to "power user" accounts these days anyway).
Anyway, as I may have stated previously, Windows 2003 Server for the win.
F_T