Vista Protected Processes Bypassed

Anonymous Hero writes "Security Researcher Alex Ionescu strikes again, this time with a proof of concept program that will arbitrarily enable and foremost disable the protection of so-called 'protected processes' in Windows Vista. Not only threatening Vista DRM and friends, it's also another step towards hardened and even more annoying malware. Normally, only specially signed processes made by special companies (decided by Microsoft) can be protected, but now the bad guys can protect any evil process they want, including the latest version of their own keylogger, spambot, or worm, as well as unprotect any 'good' one."

In related news

A spokesperson for Microsoft was quoted as saying :

This is only an issue if you're downloading and watching porn. You should be watching only wholesome media, like "What About Bob [wikipedia.org]", instead.

Re:In related news

A spokesperson for Microsoft was quoted as saying :

        This is only an issue if you're downloading and watching porn. You should be watching only wholesome media, like "What About Bob", instead.

People are modding this as flamebait, but I've seen far, FAR too many IT professionals take that stance with Spyware / Malware. I've seen a system get all sorts of nasty winlogon-enabled Spyware within minutes of being hooked up to a network, with no action on the user's part. Not only that, in a world where banner ad companies can get infected with trojans [out-law.com] the idea of people only getting infected if they're doing something "shady" on their machine is utterly absurd.

Re:In related news

People are modding this as flamebait, but I've seen far, FAR too many IT professionals take that stance with Spyware / Malware. I've seen a system get all sorts of nasty winlogon-enabled Spyware within minutes of being hooked up to a network, with no action on the user's part. Not only that, in a world where banner ad companies can get infected with trojans the idea of people only getting infected if they're doing something "shady" on their machine is utterly absurd.

It was a joke, just a joke and only a joke.

The link given is to Microsoft Bob, which Microsoft gave up on shortly after launching it and (according to Wikipedia) later admitted the product was their single largest failure in their company history.

You'd need to remember Bob in order to appreciate that Vista is well on its way to being "Bob 2".

I suppose any joke could be taken as flamebait lol, but really, its just a joke. Better put in /. terms :

its funny, laugh. .. or perhaps not, since I had to explain it :)

Re:In related news

I rather liken Vista to WinME. But every time I say so, someone chimes in saying Vista is the best thing Microsoft ever did or that Vista sales have set new records here or there or somewhere.

Vista goes way ot of its way to reduce functionality for the user in order to make content providers happy. Think of what that really means. Company A sells something to Consumer A but that something is disabled in order to make Company B happy. Company B is happy because they can continue their old business model and maintain their dominance if and when they finally move into new business models when they feel ready. Meanwhile, companies C, D and E through M move to create, innovate and design new things only to be prevented by both Company A and Company B. Depending on how this is done and how much evidence can be produced, this is illegal behavior.

Re:In related news

The only infection my home Windows system has ever had came from a MySpace page my wife was browsing. Both of us appreciate good porn, and use that system for viewing it -- and, as I said, the only infection we've ever had was from MySpace.

The parent is not necessarily too uptight to admit surfing porn.

Re:In related news

I have to ask. If both you *and* your wife enjoy porn, how do you find time to post on /.?

Re:In related news

You're wrong. The "collective observations of thousands of admins" is in fact little more than assumptions and anecdotes perpetuated by people such as yourself.

Do a significant proportion of porn sites have malware? Probably.

Is there a greater risk of getting infected by malware when surfing for porn than doing "wholesome" surfing? Perhaps.

Is a malware infection reason enough to presume that they got it from browsing porn and/or piracy-related sites? Not in the slightest in my experience. If you've got differing experiences that prove me wrong, by all means collate your data and present your findings because I and I'm sure many other people working in admin or IT roles would love some hard numbers on the nature of malware sources online. Until then I'll have to assume the "observations of thousands of admins" you speak of are in fact nothing more than your own pre-conceptions.

Can we have Source?

I most certainlly hope he releases the source for this. We *know* the bad guys will invent the time to figure out how this works. Let's be on level ground, shall we?

Why do they even bother?

All of this "security" is just crap if it can apparently be exploited so easily.

Re:Why do they even bother?

no it's worse than crap when it can be exploited so easily. I read it as malware can become a "protected process", as in protected processes that the administrator doesn't have control over.

Re:Why do they even bother?

after a $b investment over five years from the dominant player in operating systems, yes "The WOW starts Now!"

Re:Why do they even bother?

I agree.

The problem with Microsoft is not so much one of bugs as it is a problem with their general design philosophy.

Such as providing mechanisms for your own developers to bypass the security of the entire system to make some friggin media clips play more smoothly. News flash, idiots: if you provide two paths through security, a strongly checked path and a weakly checked path, you incentivize attackers to take the weak path! And if you provide those hooks for your own developers to bypass security, then attackers can use them too!

They were probably praying that no one would ever figure out that those hooks were there... and security by obscurity is very, very poor design.

My inclinations against myself or my family running vista just got a +1 Justification.

Can't beat em, join em?

Can you imagine if companies actually recruited these people who were skilled enough to break their OSs? I know I've paid someone who hacked into my site, to find any further holes (fortunately they didnt!) and its far cheaper in the long run..

Re:Can't beat em, join em?

The problem with this is that the said paid hackers get better pay working on the exploits on their own and selling them in the black market. A lot of exploit code goes for $5000 a pop to the people who use it, and there are plenty of buyers (and it is not like they can't sell to multiple people, and make N*$5000 for a single good exploit). Heck, something like the above would easily sell hundreds or possibly thousands of times for $5000 a pop. Can most software companies afford to pay hackers the $300,000-500,000 a year that a good one could easily make off a single exploit?

Re:You think so?

Right, like those code scanners that preemptively found the second ANI bug after the first was found. Those code scanners?

Re:Can't beat em, join em?

Sure, but what kind of employees do these people make? And will they have the same motivation if they are being paid to do it? It is highly variable. You're little website is one thing, but if you're microsoft, you have a lot to lose. Maybe the hacker just wants to get on the inside to get better info for future illicit hacks... or worse, put in backdoors.

-matthew

Re:Can't beat em, join em?

You're little website is one thing, but if you're microsoft, you have a lot to lose. Maybe the hacker just wants to get on the inside to get better info for future illicit hacks... or worse, put in backdoors.

Why would anyone bother putting in more backdoors to the OS equivalent of Goatse ?

Re:Can't beat em, join em?

That's MS's big problem. A LOT of people WANT them to fail because they're MS. Because fundamentally, a computer and it's OS is supposed to do what the user wants, not what Bill Gates, the RIAA and the MPAA want it to do. There are enough people out there who know how to hack it up so it actually does do what they want. The more pragmatic ones WANT MS to fail because that's how to crack the content they want.

Once the hacking is accomplished, a significant number of people will then abuse that code to get other people's computers to do what THEY want rather than what Bill wants (doing what the user wants is simply not up for discussion).

The real beauty here is that the "bad guys" are turning the OS's own features against the creator (the other bad guys). The divine appropriatness of that is simply irresistable.

Highly amusing!

At the moment these people are doing great work. Just take the promises MS made and see them being invalidated pice by pice!

The bottom line is that no matter what OS, competent system administration is essentlial. However MS makes system administration a lot harder, than it is on other systems.

Didn't we see this before...

With that OS protected space in Windows ME?

I clearly remember being called to help a friend with a spyware/malware problem, discoverng he had ME, and going out to buy a copy of XP to replace it.

Re:Didn't we see this before...

I clearly remember being called to help a friend with a spyware/malware problem, discoverng he had ME, and going out to buy a copy of XP to replace it.

Well, it looks like you might be doing it again. Helping a friend with a malware problem, finding out that he has Vista, and buying a copy of XP to replace it.

Source code

The guy is a low life for not releasing the source code. We need administration tools to manage our own systems, and yes Symantec would be one company with legitimate use of this functionality.

Re:Source code

Seems to contain a compressed buffer with a .sys driver that is decompressed with a call to RtlDecompressBuffer and hidden away by writing it to the alternate stream "%SystemRoot%\system32\drivers\crusoe.sys:drmkaud. sys", and then there's a registry update to load the driver.

Someone who cares should write out the compressed buffer and disassemble that.

Re:Source code

no one is a low life for holding on to their code. this guy just cracked the one of the strongest features of Vista. A system that took five years and a billion dollars to produce. About two months after public release and this guy has broken the "heightened security" wide open. If Symantec wants the code they should pay for it or figure it out themselves. Symantec doesn't give me anything for free. If you're using Vista, then you're an early adopter and need to deal with that, just thank this "low life" for providing you with a binary tool you can use if you get into trouble.

DRM in Vista is misunderstood

> Not only threatening Vista DRM and friends

The DRM in Vista is not intended to lock down your computer so that evil companies can control what you watch. This is impossible to do without a TPM chip. Microsoft knows this.

The addition of DRM in Vista allows you to play DRM-encrypted files on your computer. Without this feature, you would not be able to play DRM'd songs. Now at least you have the choice.

'Cracking' DRM is on about the same level as downloading illegal copies online. Useful in some cases (such as when you bought a DRM'd song by mistake and wish to play it on your MP3 player/iPod), but still illegal (in the US at least).

Now mod me down, Vista bashers!

Re:DRM in Vista is misunderstood

The addition of DRM in Vista allows you to play DRM-encrypted files on your computer. Without this feature, you would not be able to play DRM'd songs. Now at least you have the choice.

You can't possibly mean what you just wrote. Vista's DRM is needed to play DRM-encrypted files? Why can XP and Windows 2000 play encrypted files?

this is just an another step

...to start considering Vista as an usable OS.

Wait, wait...

A typical process cannot perform operations such as the following on a protected process:
[...]
Access the virtual memory of a protected process

It's been a while since I knew squat about operating system internals, but aren't processes supposed to not be able to access other processes' memory anyhow? I assume, then, that this means that 'protected processes' are special in that they are also protected from any 'supervisor'-type processes, not just run-of-the-mill? In that case, are 'protected processes' meant to protect the kernel from itself, in some sense?

Most likely I am missing the point here, and can't understand TFA accordingly. Somebody please set me straight.

Re:Wait, wait...

There are ways, using the windows API, for any process run with Debugger privileges (any Administrator really) to read,write,terminate,create threads, etc in any other process. This was true in Windows 95 and still is in XP and probably Vista, except for protected processes.

It's not like they can just create a pointer and address the other memory space but using the API they can achieve the same thing.

This is what allows programs like xfire to inject into your game process or (as they mention in TFA) allows Warden to peek inside all processes to see if they are evil.

Ever since DOS

I miss the days when I gave my computer commands not suggestions. This whole "protected area" stuff just pisses me off.

Re:Ever since DOS

I miss the days when I gave my computer commands not suggestions.

You are becoming nostalgic, Deny or Allow?

It's really Melinda's fault

Want your missing is the higher social value of interacting with your computer on a more equal basis. Just like women, Computers are complex, pretty, expensive and inscrutable. Just like women, they are best handled with suggestions, not commands.

So get off your old, tired, 20th Century horse and get with the new paradigm.

Just a suggestion of course.

Re:Ever since DOS

I miss the days when I gave my computer commands not suggestions. This whole "protected area" stuff just pisses me off.

So, is using a Vista PC like talking to the bomb in Dark Star?

biting the hand that feeds you

He [Alex Ionescu] is also a Microsoft Student Ambassador and is representing the company on campus as a Technical Rep.

not for long, I bet.

New Meaning for "Genuine Advantage"

Genuine Advantage seems to now benefit the bastards too.

possible silver lining

Could this technology be used to make a file copy command for Vista that isn't dog slow? Just wondering...

No reason to run Vista

Outside of being forced to use it at work, at home it brings nothing of VALUE.

Surprising really?

If you build a house out of hardened excrements, it is still a house built out of shit even if you paint it pink.

Again?

VISTA hacked again? In about three years I predict this OS will actually be usable due to helper apps which allow end users to use the computer as they see fit, instead of how MS and friends think you should use it. DRM is such a waste of human resources, but I guess this is the game we have to play.

Bill Gates wants more cheap labor [infoworld.com] to waste of useless software [theinquirer.net]. What a waste of human intellect and talent. How about making the computer RUN faster, be more intuitive, and reliable?

Good, now MS cant dictate software advantage

all DRM issues aside, i'm surprised nobody has brought up new antitrust charges, especially in europe, for this idea that microsoft is allowed to deny a company the ability to use process protection.

by doing that they give incumbents an advantage over others and are using their OS to exapand monopoly interests into other sectors.

Good idea, bad implementation.

"Protected processes" are a reasonable idea. They're certainly better than putting video and audio processing in the kernel as part of the DRM system. But apparently Microsoft botched the implementation.

Microsoft has for some years allowed processes to do too much to other processes. Things like "injecting" a DLL or thread into a running process from the outside, or "hooking" system calls, are inherently security problems. In the Windows world, normal processes can do that to each other. This tends to be overdone, with too much "hooking" of system calls and such, a tradition from the DOS era. The UNIX/Linux world doesn't have that tradition. Fortunately.

In the Linux world, the things you can't do to a Microsoft "protected process" are roughly equivalent to the functions of the PTRACE [linuxgazette.net] call. In SElinux, the mandatory security system controls which processes can use PTRACE on which other processes. [12.110.110.204] So SELinux already has "protected processes", but with a better security model.

If we have to have DRM, protected processes aren't a bad idea. But what you want is for them to be compartmented, not privileged. They should be running in a compartment which prevents other processes from attaching to them, but they don't need the privilege of attaching to other processes. So the video decoder can be protected, but doesn't have enough privileges to act as an aimbot for some game. The security system for a game should be able to lock the game processes into a compartment which other processes cannot enter, preventing cheats. Enforce separation, not privilege.

Re:Good idea, bad implementation.

Protected processes are a terrible idea, and they have no analog in Unix. You have misunderstand the purpose of protected processes. It has nothing to do with protecting processes from each other for better security. It is *only* about protection from the *user* for media. Protected processes cannot be written by anyone but Microsoft and "trusted" partners (theoretically) and are supposed to be immune from tampering by every user, even one with the highest possible administrative rights. No Unix has this concept, because it is retarded. It removes your own control over what your computer is doing and hands it to Microsoft and a few "trusted" companies which are allowed to write protected processes.

WHat the heck? Windows processes are WEIRD

http://www.microsoft.com/whdc/system/vista/process _Vista.mspx [microsoft.com]

Protected processes have additional security restrictions, but apparently in vista, they are strange beasts. Parent processes can always obtain a handle to a child process. So, you can't have a child process become a true daemon?

Processes can "inject threads" into other processes? Buhuh?

Here's apparently more of what processes can't do to Protected Processes do in Windows:

Inject a thread into a protected process
Access the virtual memory of a protected process
Debug an active protected process
Duplicate a handle from a protected process
Change the quota or working set of a protected process

So yer telling me, normal processes can do this to other normal processes in windows?

Irrespective of any kind of access restrictions on Linux, process memory space is a lot more sacrosanct. To even get the same level of process seperation would apparently require the setting of a lot of ACLs in windows, if it can be done at all.

The footnote at the end is the best though!

"Do not attempt to circumvent this restriction by installing a kernel-mode component to access the memory of a protected process because the system and third-party applications may rely on the fact that protected processes are signed code that is run in a contained environment. "

Please play nice with our restriction scheme!

I bet this is what our enterprising hacker has done.

Before MS sics their lawyers on me, the above quotes were used for the purposes of review.

This is how it's done

The tool needs to be run with elevated privileges (otherwise it will not work). It decompresses a 848 bytes driver and loads the driver. The driver does nothing but set bit 11 (ProtectedProcess) of the Flags2 bitfield (offset 0x224) of the corresponding _EPROCESS structure of the process to be modified. However, this requires the neccessary rights to load and install a driver...and as we all know, once being in kernel mode there's no real protection against malicious code...

The Philosophy of Protection

I think history has shown that no matter how hard you try you cannot create a doorway in software protection and only expect to let those you want get through. The nature of software today is so fluid that it's possible to make your way through the door by imitation, brute force, social engineering, etc. Microsoft does not seem to grog this. Neither do DRM propenents. Information will find a way to get through, around, over and above, and beneath all obstacles.

So what do you do? Well, one thing you don't do is provide special security rights to only certain approved software.

The only true answer is open software and education. People who don't know how to use their computers will be attacked. They will be compromised. If you can't control yourself on the internet and local networks, you will lose the right to control your computer because someone will take it from you. If you run unknown and untrusted programs, you face the risks. Your online habits help determine your exposure. If you absolutely must visit 'free porn', warez, social networks like MySpace, etc websites, then do so with caution tempered by proper education on how to isolate your important, sensitive data, from the rest of the crap you are willing to lose. You are better off simply not visiting sites of that nature. But if you are going to, at least understand how to keep yourself safe. Because no software written today is going to be able to do it for you. There will always be software out there capable of getting around it.

In the end, to the wolves go the slowest, weakest sheep. It's natural. Don't be one of them.

Looks like 32-bit

I would like to see him do this in 64-bit.
32-bit allows unsigned code in kernel mode for legacy reasons so its much more easier to inject into 32-bit processes.

That man is a cyber ninja.

Someone give him an internet!

which version

Tell me Bill, which version of Vista are you referring to?

"We made it way harder for guys to do exploits," said Mr. Gates. "The number
[of exploits] will be way less because we've done some dramatic things
[to improve security] in the code base."

http://www.toptechnews.com/story.xhtml?story_id=49 854 [toptechnews.com]

Non-news

The tool need Admin priveledges to work, and guess what you can do with that? Yes! Anything you like! The same goes for Linux too - oddly, with root access you too can do/inject/patch anything at all too.

Tags like: 'haha, defectivebydesign' Show how immature and unwilling to be unbiased some of you lot are. Shame on you. /endRant

Annoying?

Malware is not annoying. It's downright hostile. Once untrusted code has run as administrator/root/system/whatever on your computer, it's the end of the game. You need to reinstall and never trust the compromised data again, as any competent security expert will tell you. Only the anti-malware corporations, unsurprisingly, tell you otherwise.

ignore malware, now i can use ext2 drivers

Personally this sounds like exactly what I've been looking for to get drivers that'll read my Ext3 partitions installed and loaded without all the Vista SDK nonsense required to get past the signing crap. If I'm scared of malware and virii, I'd use something by a company I trust and respect (Kaspersky is my personal favourite, especially since it's easy to exclude files/folders on the basis of "if you detect X here, ignore" so I can keep false positives or test samples or anonymail or etc), not Microsoft! From Microsoft I just want the bare OS, at most. The good things about Windows have always been programs that run ontop of it (EAC, Powertab, Nero, games), anything that restricts what can get installed is another reason for me to use something else.

Job protection for this guy.

Just trying to hold on to his job by helping out the trojan and virus writers.

Just fuckin' great:

Great, just fuckin' great... so M attempts to make a MORE SECURE operating system and instead makes a MORE SECURE OPERATING ENVIRONMENT for malware... M, keeping me in business forever...
They are kind of like a perpetual motion machine for Computer Techs...

Not just Vista

This code is specific to Vista, but it doesn't exploit a Vista vulnerability.

The technique is applicable to any platform and exploits the well understood fact that if you can get a system to run your code at boot time, you can do anything you want with it, assuming you are willing to do the work it takes to do it without triggering wards (e.g. full disk encryption). Alex spent months on this.

I have all the reasons I need to give Vista a pass and wait for the OS Microsoft builds when they come to their senses and go back to a market-driven business model. This isn't one of those reasons.

with linux you can inject code and replace kernel

This is pure fud because this tool requires administrative privileges and this is possible also in linux using the root account. With linux a malware can replace the whole linux kernel with a single command line!!! Linux is unsafer than Vista

I can't imagine this is surprising...

... as every implementation thus far of this kind of walled garden implementation has ended in a single engineer or small group of engineers finding that one critical flaw that busts the entire thing open. Surely, all of these solutions are naive implementations of security through obscurity, which becomes obsolete the moment a sophisticated cracker obtains enough clock cycles to guess enough things about the implementation... i.e., trivial.

its all very simple

Guys, its all very simple. When you realize that fanatic MS users are the same idiots who keep paying taxes, and *helped* Bush into power, you will then understand why all this is happening. You need to face the facts: behind any conjob there is a MJIC (master joo in charge, in this case Gates), and he's just part of the "suck your money and time" scheme to make you into powerless obeying tax-paying sheep that can easily be confused and controlled. Be a man!, install lin