![]() ![]() That being said, with PROCESS_TERMINATE blocked, let’s see if there are other ways we can interfere with it instead. In summary, Windows attempts to protect PPL processes from non-PPL processes, even those with administrative rights. This is because non-PPL processes like taskkill.exe cannot obtain handles with the PROCESS_TERMINATE access right to PPL processes using APIs such as OpenProcess. ![]() You can see PPL in action yourself by running the following from an elevated administrative command prompt on a default Windows 10 install:Īs you can see here, even a user running as SYSTEM (or an elevated administrator) with SeDebugPrivilege cannot terminate the PPL Windows Defender anti-malware Service (MsMpEng.exe). Once this process is complete, the vendor can use this ELAM driver to have Windows protect their anti-malware service by running it as a PPL. To be able to run as a PPL, an anti-malware vendor must apply to Microsoft, prove their identity, sign binding legal documents, implement an Early Launch Anti-Malware (ELAM) driver, run it through a test suite, and submit it to Microsoft for a special Authenticode signature. For more depth, Alex Ionescu goes into great detail on protected processes in his talk at NoSuchCon 2014. For the rest of this article, we call them Protected Process Light (PPL). The goal is to prevent malware from instantly disabling your antivirus and then running amok. Windows also protects these processes from code injection and other attacks from admin processes. ![]() After the service is launched as protected, Windows uses code integrity to only allow trusted code to load into the protected service. In Windows 8.1, a new concept of protected service has been introduced to allow anti-malware user-mode services to be launched as a protected service. Microsoft’s documentation ( archived) describes this as: This enables specially-signed programs to run such that they are immune from tampering and termination, even by administrative users. Windows 8.1 introduced a concept of Protected Antimalware Services. This is of particular interest because we build and maintain two anti-malware products that benefit from this protection. ![]() This article demonstrates a flaw that allows attackers to bypass a Windows security mechanism which protects anti-malware products from various forms of attack. ![]()
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |