Wayne - DiamondCS
December 22nd, 2003, 08:13 AM
Here is yet another process attack that Process Guard blocks and protects against. :)
This time the attack is against sfc.dll (Windows File Protection), which a trojan may want to disable so as to be able to modify system files.
The foundations for the attack are described here (http://www.ntdev.org/archive/ntdev0007/msg0130.html) by James Kirby, but put simply, Windows File Protection is made possible thanks to sfc.dll, which is loaded by winlogon.exe. This DLL file exports an unnamed and undocumented function known simply by it's Ordinal - #2, which essentially unloads file protection. The attack is simple: the address of Ordinal #2 is determined, then a call to CreateRemoteThread is made, with the thread start address being the address of Ordinal #2. The thread begins execution and Windows File Protection unloads immediately.
Process Guard (even with just the default, wizard-generated configuration) protects against this by blocking the attacking process from creating a remote thread in winlogon.exe by denying write access (required to create remote threads) - it's that simple.
Here's a screenshot of the attack being blocked. The configuration as you can see is simply the one generated automatically by the wizard (which adds protection for winlogon.exe, amongst others):
http://www.diamondcs.com.au/processguard/images/pg-wfp.gif
This time the attack is against sfc.dll (Windows File Protection), which a trojan may want to disable so as to be able to modify system files.
The foundations for the attack are described here (http://www.ntdev.org/archive/ntdev0007/msg0130.html) by James Kirby, but put simply, Windows File Protection is made possible thanks to sfc.dll, which is loaded by winlogon.exe. This DLL file exports an unnamed and undocumented function known simply by it's Ordinal - #2, which essentially unloads file protection. The attack is simple: the address of Ordinal #2 is determined, then a call to CreateRemoteThread is made, with the thread start address being the address of Ordinal #2. The thread begins execution and Windows File Protection unloads immediately.
Process Guard (even with just the default, wizard-generated configuration) protects against this by blocking the attacking process from creating a remote thread in winlogon.exe by denying write access (required to create remote threads) - it's that simple.
Here's a screenshot of the attack being blocked. The configuration as you can see is simply the one generated automatically by the wizard (which adds protection for winlogon.exe, amongst others):
http://www.diamondcs.com.au/processguard/images/pg-wfp.gif