Another attack stopped by Process Guard - an attack on Windows File Protection

Discussion in 'ProcessGuard' started by Wayne - DiamondCS, Dec 22, 2003.

Thread Status:
Not open for further replies.
  1. Wayne - DiamondCS

    Wayne - DiamondCS Security Expert

    Joined:
    Jul 19, 2002
    Posts:
    1,533
    Location:
    Perth, Oz
    Here is yet another process attack that Process Guard blocks and protects against. :)
    This time the attack is against sfc.dll (Windows File Protection), which a trojan may want to disable so as to be able to modify system files.

    The foundations for the attack are described here by James Kirby, but put simply, Windows File Protection is made possible thanks to sfc.dll, which is loaded by winlogon.exe. This DLL file exports an unnamed and undocumented function known simply by its Ordinal - #2, which essentially unloads file protection. The attack is simple: the address of Ordinal #2 is determined, then a call to CreateRemoteThread is made, with the thread start address being the address of Ordinal #2. The thread begins execution and Windows File Protection unloads immediately.

    Process Guard (even with just the default, wizard-generated configuration) protects against this by blocking the attacking process from creating a remote thread in winlogon.exe by denying write access (required to create remote threads) - it's that simple.

    Here's a screenshot of the attack being blocked. The configuration as you can see is simply the one generated automatically by the wizard (which adds protection for winlogon.exe, amongst others):
    http://www.diamondcs.com.au/processguard/images/pg-wfp.gif
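The step the post glosses over is "the address of Ordinal #2 is determined". On Windows of that era the attacker does it in its own process with `GetProcAddress(LoadLibrary("sfc.dll"), (LPCSTR)2)`; the result is usable as a thread start address inside winlogon.exe because, before ASLR, a system DLL loads at the same base in every process. The C below is an added example, not code from the post, from James Kirby's write-up or from DiamondCS: it shows what that lookup does underneath by walking the PE export directory of a constructed in-memory image that stands in for a mapped sfc.dll (the export names `ExportA`/`ExportC`, the RVAs, and the layout with ordinal base 1 are placeholders, not the real DLL's). It resolves by ordinal, resolves by name, rejects malformed tables, and shows why an export with no name entry, like ordinal #2, cannot be found through the name table at all.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Little-endian readers/writers for a flat, already-mapped PE32 image (RVA == offset). */
static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t rd32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}
static void wr16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); }
static void wr32(uint8_t *p, uint32_t v) { for (int i = 0; i < 4; i++) p[i] = (uint8_t)(v >> (8 * i)); }

/* Find IMAGE_EXPORT_DIRECTORY via DataDirectory[0]. Returns its RVA, or 0 on malformed input. */
static uint32_t export_dir(const uint8_t *img, size_t len, uint32_t *size_out)
{
    if (len < 0x40 || img[0] != 'M' || img[1] != 'Z') return 0;
    uint32_t nt = rd32(img + 0x3c);                        /* e_lfanew */
    if (nt > len || len - nt < 4 + 20 + 104) return 0;
    if (memcmp(img + nt, "PE\0\0", 4) != 0) return 0;
    const uint8_t *opt = img + nt + 24;                    /* optional header after PE sig + COFF header */
    if (rd16(opt) != 0x10b) return 0;                      /* PE32 only; PE32+ keeps the directory at +112 */
    uint32_t rva = rd32(opt + 96), size = rd32(opt + 100);
    if (rva == 0 || rva > len || len - rva < 40) return 0;
    if (size_out) *size_out = size;
    return rva;
}

/* Resolve an export by ordinal: index = ordinal - Base into AddressOfFunctions.
   Returns the function RVA, or 0 for out-of-range, empty or forwarded slots. */
uint32_t rva_by_ordinal(const uint8_t *img, size_t len, uint32_t ordinal)
{
    uint32_t size = 0, ed = export_dir(img, len, &size);
    if (!ed) return 0;
    uint32_t base = rd32(img + ed + 16), nfunc = rd32(img + ed + 20), funcs = rd32(img + ed + 28);
    if (ordinal < base || ordinal - base >= nfunc) return 0;
    uint32_t idx = ordinal - base;
    if (funcs > len || (len - funcs) / 4 <= idx) return 0;
    uint32_t rva = rd32(img + funcs + idx * 4);
    if (rva >= ed && rva < ed + size) return 0;           /* forwarder string, not code */
    return rva;
}

/* Resolve an export by name. Exports without a name entry (ordinal #2 in the post)
   never appear in AddressOfNames, so this path cannot find them. */
uint32_t rva_by_name(const uint8_t *img, size_t len, const char *name)
{
    uint32_t ed = export_dir(img, len, NULL);
    if (!ed) return 0;
    uint32_t base = rd32(img + ed + 16), nnames = rd32(img + ed + 24);
    uint32_t names = rd32(img + ed + 32), nords = rd32(img + ed + 36);
    if (names > len || (len - names) / 4 < nnames || nords > len || (len - nords) / 2 < nnames) return 0;
    for (uint32_t i = 0; i < nnames; i++) {
        uint32_t nrva = rd32(img + names + i * 4);
        if (nrva >= len || memchr(img + nrva, 0, len - nrva) == NULL) return 0; /* unterminated name */
        if (strcmp((const char *)img + nrva, name) == 0)   /* name ordinals are Base-relative */
            return rva_by_ordinal(img, len, base + rd16(img + nords + i * 2));
    }
    return 0;
}

/* Constructed stand-in for a mapped sfc.dll (not the real file): three exports with
   ordinal Base 1, of which only #1 and #3 have names. Names and RVAs are placeholders. */
#define IMG_LEN 0x300
static uint8_t g_image[IMG_LEN];
const uint8_t *build_image(size_t *len_out)
{
    memset(g_image, 0, sizeof g_image);
    g_image[0] = 'M'; g_image[1] = 'Z';
    wr32(g_image + 0x3c, 0x80);                            /* e_lfanew */
    memcpy(g_image + 0x80, "PE\0\0", 4);
    wr16(g_image + 0x84, 0x014c);                          /* Machine = i386 */
    wr16(g_image + 0x94, 0xe0);                            /* SizeOfOptionalHeader */
    wr16(g_image + 0x98, 0x10b);                           /* Magic = PE32 */
    wr32(g_image + 0x98 + 96, 0x200);                      /* export DataDirectory RVA */
    wr32(g_image + 0x98 + 100, 0x90);                      /* export DataDirectory size */
    uint8_t *ed = g_image + 0x200;
    wr32(ed + 12, 0x240); wr32(ed + 16, 1);                /* Name, Base */
    wr32(ed + 20, 3);     wr32(ed + 24, 2);                /* NumberOfFunctions, NumberOfNames */
    wr32(ed + 28, 0x250); wr32(ed + 32, 0x260); wr32(ed + 36, 0x268);
    memcpy(g_image + 0x240, "sfc.dll", 8);
    wr32(g_image + 0x250, 0x1000);                         /* ordinal #1 */
    wr32(g_image + 0x254, 0x1100);                         /* ordinal #2: no name entry */
    wr32(g_image + 0x258, 0x1200);                         /* ordinal #3 */
    wr32(g_image + 0x260, 0x270); wr16(g_image + 0x268, 0); /* "ExportA" -> Base+0 = #1 */
    wr32(g_image + 0x264, 0x280); wr16(g_image + 0x26a, 2); /* "ExportC" -> Base+2 = #3 */
    memcpy(g_image + 0x270, "ExportA", 8);
    memcpy(g_image + 0x280, "ExportC", 8);
    if (len_out) *len_out = IMG_LEN;
    return g_image;
}

/* Convenience wrappers over the constructed image. */
uint32_t resolve_ordinal(uint32_t ordinal) { size_t n; const uint8_t *i = build_image(&n); return rva_by_ordinal(i, n, ordinal); }
uint32_t resolve_name(const char *name)    { size_t n; const uint8_t *i = build_image(&n); return rva_by_name(i, n, name); }

int main(void)
{
    printf("ordinal #2 -> RVA 0x%x; by name: %s\n", resolve_ordinal(2), resolve_name("ExportB") ? "found" : "not found");
    printf("ExportC -> RVA 0x%x; ordinal #4 -> 0x%x (out of range)\n", resolve_name("ExportC"), resolve_ordinal(4));
    return 0;
}
```

The RVA is added to the DLL's load base to get the thread start address; on the real system the attacker then needs a winlogon.exe handle from OpenProcess with thread-creation and memory-write rights (CreateRemoteThread requires PROCESS_CREATE_THREAD, PROCESS_VM_OPERATION, PROCESS_VM_WRITE and PROCESS_VM_READ), which is exactly the access the post says Process Guard denies. A resolver like this is also what a detection tool uses the other way round: enumerating which loaded module in winlogon.exe a suspicious remote thread's start address falls in, and whether that address is an unnamed export.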
     
  2. Paul Wilders

    Paul Wilders Administrator

    Joined:
    Jul 1, 2001
    Posts:
    12,472
    Location:
    The Netherlands
    Re:Another attack stopped by Process Guard - an attack on Windows File Protectio

    Splendid :cool: Have a cookie, Wayne and Jason as well for that matter ;)

    regards.

    paul
     
  3. gkweb

    gkweb Expert Firewall Tester

    Joined:
    Aug 29, 2003
    Posts:
    1,932
    Location:
    FRANCE, Rouen (76)
    Re:Another attack stopped by Process Guard - an attack on Windows File Protectio

    Good news, we see again that Process Guard is a "must to have" product :)
     
  4. ano1

    ano1 Registered Member

    Joined:
    Dec 20, 2003
    Posts:
    27
    Re:Another attack stopped by Process Guard - an attack on Windows File Protectio

    Still nice! (although the server deleted my first post)
     
  5. Pilli

    Pilli Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    6,217
    Location:
    Hampshire UK
    Re:Another attack stopped by Process Guard - an attack on Windows File Protectio

    Well at least the server is back up :)
     
  6. an07

    an07 Guest

    Re:Another attack stopped by Process Guard - an attack on Windows File Protectio

    Wayne:

    Have you tried this one?
    1.
    "This example shows the method for a new
    startup method. Simply put we are going
    to replace a system process, userinit.exe
    so that each time someone logs on windows,
    our version is executed instead of the
    real version.

    This requires system file protection
    to be bypassed for userinit.exe so
    we can modify it.

    Below is the replacement userinit.exe
    which loads usersvc.cpl, our SFP hook and
    then creates a process for usersvc.exe
    which is the backup copy of the original
    userinit.exe. We must keep this file and
    run it each time we ran otherwise windows
    will not load properly."

    in connection with ...

    2.
    "As a new feature windows keeps a catalog of hashes
    for several files deemed critical. One of which is
    userinit. This example shows how to make a clean
    backup of userinit and then redirect the system file
    protection scanner to the clean backup, allowing
    the original to be modified or even deleted.

    This is accomplished not by disabling the protection
    completely but merely for a select file or files by
    hooking NtOpenFile in ntdll.dll."


    This method should already be covered by PG, right?
     
    Last edited by a moderator: Aug 7, 2005
  7. Marine06

    Marine06 Registered Member

    Joined:
    Jan 5, 2004
    Posts:
    17
    Re:Another attack stopped by Process Guard - an attack on Windows File Protectio

    Very nice! I say have two cookies.. mmmmmmmmmm
     