DropMyRights tool -- DMR_zone beta 1011

Discussion in 'other security issues & news' started by Sully, Jul 20, 2009.

Thread Status:
Not open for further replies.
  1. Sully

    Sully Registered Member

    Joined:
    Dec 23, 2005
    Posts:
    3,719
    Trespasser mentioned he was using DMR. I put together a quick little tool for him to use, that makes it a bit more convenient to use DMR. I called it DMR_zone. Yeah, not very original. Wait till you see the icon lol.

    Anyway, the idea is pretty basic. Place the executable on your desktop for example. Then...

    Drag and drop one or more items, .exe's or .lnk's onto the program icon. You can drop it onto the executable icon itself, or an icon that is just a shortcut to the executable. Anyway, it will then start anything dropped on it.

    Run the tool DMR_zone, and a small GUI window appears. Right click on the title bar to change whether it is modal or not (stays on top or not), as well as add 3 context menu entries.

    When the GUI is showing, context menu entries do not work. But with the GUI you again simply drag and drop one or more items into the area, and they start with DMR.

    The 3 context menus are:
    For any item a menu for DMR_run, which will pass the item to DMR_zone and start it with DMR.
    For folders a menu for DMR_Explore opens, which is basically just opening explorer.exe with DMR.
    For any item a menu for DMR_cmd, which basically opens a command prompt with DMR.

    There is another tool I know of that allows passing parameters to and then starts programs like DMR does. The other one could for instance open explorer.exe to the folder you clicked on the context menu for. Or it could open a command prompt with reduced rights like DMR, except because you can pass parameters, you could change the color or title so you know it was a reduced privilege window. Maybe few other ideas floating around in the old melon.

    Here is the link
    http://mrwoojoo.com/sg/index.htm
    the tool is called DMR_zone and you should find it no problem.

    It will be interesting to see if it is of use to anyone.

    There is only one downfall to this DMR you will notice, and that is that you may start programs, like notepad.exe, but not documents like MyDocument.txt. This is because DMR accepts no parameters. ShellExecute might work, but I won't devote much more time to this unless there is some real interest.

    So Trespasser, hopefully you find it useful and perhaps someone else as well.

    Enjoy.
    Sul.
     
  2. Meriadoc

    Meriadoc Registered Member

    Joined:
    Mar 28, 2006
    Posts:
    2,642
    Location:
    Cymru
    Reminds me of the discontinued runsafe. Anything to save time and make it easier to use Sul :thumb:. As you know there's not much code in reducing privilege and your little tool, perhaps you could show multiple program shortcuts like runsafe.
     

    Last edited: Jul 20, 2009
  3. Trespasser

    Trespasser Registered Member

    Joined:
    Mar 1, 2005
    Posts:
    1,194
    Location:
    Virginia - Appalachian Mtns
    Thanks, Sully. :). I'll give it a go a little later today.
     
  4. Sully

    Sully Registered Member

    Joined:
    Dec 23, 2005
    Posts:
    3,719
    Are you suggesting that I create a method into this that instead of running the chosen program in DMR, it simply creates a shortcut for you? I think that is what you are saying. And I had that in the back of me head, as it would be easy to create the shortcut. I was unsure really which way to go. Trespasser commented about needing the shortcut for anything DMR does, so I thought if you just keep your shortcuts in place on desktop or wherever like normal, all you really need to do is drop the shortcut on top of my app's icon, and it starts it with DMR. Or the context menus work just as easy I suppose.

    You are 100% correct.. anything to save time. I am interested in your idea, care to slightly expand on what you were thinking? You have got to be a coder from the things I see you reply on, and probably more experienced than I, so I will glean some experience if you don't mind sharing.

    Sul.
     
  5. Meriadoc

    Meriadoc Registered Member

    Joined:
    Mar 28, 2006
    Posts:
    2,642
    Location:
    Cymru
    Yes, you could use a configuration file for the link to the original file and for any changes. A context menu would be great as well.
     
  6. Meriadoc

    Meriadoc Registered Member

    Joined:
    Mar 28, 2006
    Posts:
    2,642
    Location:
    Cymru
    I was thinking how best to save time, having shortcuts docked in a place where you could add or remove by drag and drop or right click - you could have pre-defined common internet facing apps already or even better you could scan for them. Launching could also be right click or double clicking the icon inside the window. Only a couple of things to add would be to highlight the reduced privilege window and a very simple allow/deny for programs that may also start or be spawned as a result of launching a program.
     
  7. Sully

    Sully Registered Member

    Joined:
    Dec 23, 2005
    Posts:
    3,719
    Hmm. Interesting. If the GUI was started rather than drag/drop on icon or context usage, yes that might be an idea. Perhaps an expand button that opens GUI further to show some common icons for found applications (common ones like browsers etc). This way if you don't want to see those you don't have to. Or, perhaps it is a portion of the tool to find common programs for use with DMR and just create the icon/shortcut for you, or an area to drag and drop the targets into that creates the shortcuts.

    Yes I had thought of highlighting a window. I have not looked at existing functions for that yet though. The only issue I see with that is the PID returned is always DropMyRights, not what DMR starts. I will look further to that.

    Hooking for parent process spawning child process, again depends on getting the PID of the parent from the call. Very interesting thoughts, sure to give me some 'light reading' tonight lol.

    Sul.
     
  8. Sully

    Sully Registered Member

    Joined:
    Dec 23, 2005
    Posts:
    3,719
    On further inspection I believe I will do a little something with DMR, but perhaps I will also make something to use with StripMyRights, as it allows parameters to be passed to the program, such as notepad.exe c:\document.txt, which is something DMR cannot do. Also SMR has an option that may be useful to get the pid of the process for such things as a border highlight.

    Of course, one may wonder really why to even use DMR/SMR. I use PGS to create SRP rules, which is very nice when you know what you are going to start as a User or Deny. But there are times when as an Admin, I just want to start something very occasionally as a User. I see a drag and drop or context menu for DMR/SMR useful in this instance.

    Further, I had partially working my own code for the workings of DMR, perhaps I should finish that to enhance some features. But for now I will whip something up for both DMR and SMR, for those who still will run as Admin but want an easy method to reduce rights when needed.

    Sul.
     
  9. Sully

    Sully Registered Member

    Joined:
    Dec 23, 2005
    Posts:
    3,719
    It would seem that to create a colored border around a window can be done, but to make it stay when you move it or resize it, the app that makes this color needs to stay resident. SBIE creates a colored edge, but it is resident. I think to make a nifty ease of use tool to start DMR apps, I see no reason to keep the tool running just to have a colored edge.

    However, I do now have SAFER working in my own, and can currently pass parameters. I have also now successfully changed the window title, similar to what SBIE does. I am thinking to create a method to open a command prompt (as a trial) and change its background etc as a test.

    How many could give me some input on what sort of symbols should be appended to the window title? So for instance, if you open notepad.exe in DMR, the window title will be "Untitled - Notepad", and I can append something like this. Suggestions welcome.

    As well, there is the problem I have not seen yet resolved in any versions of this, where you have to pass parameters of known values. That is, if you open notepad.exe, it is fine. If you want to open c:\mytext.txt, you would have to pass notepad.exe c:\mytext.txt.

    Also it is easily possible to examine shortcuts to find the working directory, so a shortcut would have the data for what the file is to open, and the file to open it with, I think.

    But I have a routine to check on the associated application, and this would be much better. This way, via a context menu or a drag and drop, you could start anything, with the application associated to it. I have not seen another SAFER tool do this.

    As well, it would seem more testing would be nice to the Basic User vs. Constrained usage. I have read now that constrained really is the proper method for maximum security, due to it being locked out from current user process tricking, as it only uses group-wise tokens. This is somewhat interesting, as it could also apply to SRP.

    I looked into the NTCreateProcessEx(), which is supposedly the way SRP should have been implemented instead of CreateProcessAsUser(), but it is sort of not well documented in the same fashion. lol, this did lead to learning of a method to monitor or any ntdll.dll (hooking) and an easy way to stop a process from starting based on a whitelist. A driver is needed for this, but it may be a nice winter project to create a bare-bones application blocker of some sorts.

    Anyway, I am interested in any opinions, if you can cipher what I speak of lol.

    Sul.
     
  10. jdd58

    jdd58 Registered Member

    Joined:
    Jan 30, 2008
    Posts:
    525
    Location:
    Arizona
    I'm paying attention here, so keep going. I've used DMR and SetSafer successfully. StripMyRights I can't figure out. RunSafe I've never seen before.

    Prefer context menu or a docked area like runsafe.

    I saw a post elsewhere on this forum that mentions the account created by the control panel is really a power user rather than a limited user, and that a true limited user is created by the group policy editor. Is this what you are referring to?
     
  11. Sully

    Sully Registered Member

    Joined:
    Dec 23, 2005
    Posts:
    3,719
    I have mentioned that creating a user from control panel vs. computer management snap-in creates power user or user. But no, I am not referring to that.

    I am referring to the following, although I was mistaken in that it is untrusted that is to be beneficial, not constrained. Observe the following.

    Since creating the routine that DMR uses, as well as probably StripMyRights with the parameter, it could be easy to implement the Basic User and untrusted levels based on a trigger of some kind. Maybe context, or a registry value as preference, etc. The more important question now is to test the untrusted level, and see what its downfalls are. I understand how the untrusted token would basically 'strip' the user from the process, that is, not the User as in group, but the user as in the users ownerships etc that could be used against the token (if using restricted token that is).

    Follow? lol.

    Sul.
     
  12. Sully

    Sully Registered Member

    Joined:
    Dec 23, 2005
    Posts:
    3,719
    Strip my rights is DMR, but with command line parameter included. You only need to pass the application, or application and parameter.

    Such as, passing c:\windows\notepad.exe will open notepad.
    Passing c:\windows\log.txt will end in an error. You must pass
    c:\windows\notepad.exe c:\windows\log.txt to open notepad WITH a parameter.

    This is always why I used SRP more than DMR, because DMR without help cannot just run any file, only the application for that file. There are easy ways to implement this. However, what I have currently working is allowing me to start an application, and get the handle to the application (or PID), then change the text of the title bar to something that could indicate you are running that window in DMR, much like SBIE does with its # window # symbols.

    Either way, having the ability to drop a text file on an icon, or a context menu, with the application being able to determine what the parent program is, THEN start the parent program passing the object to it, with restricted tokens, is what I am talking about doing.

    Perhaps another cup of java would be in order lol.

    Sul.
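As an added illustration of the SAFER launch that posts 9 and 12 describe (the same advapi32 calls DropMyRights and StripMyRights are built on; this is not the code of DMR, StripMyRights or SAFER_Zone), here is a small C# launcher that computes a restricted token for a chosen SAFER level, starts a program with a full command line, and returns the child's PID. The SaferLaunch class and its Launch method are this example's own names; it assumes a Windows host and a caller whose own token is not already restricted.

```csharp
using System;
using System.ComponentModel;
using System.Runtime.InteropServices;

// Added example, not code from DMR, StripMyRights or SAFER_Zone: a SAFER-restricted launcher that takes parameters.
static class SaferLaunch
{
    // The SAFER levels the thread calls Basic User, Constrained and Untrusted (winsafer.h values).
    public enum Level : uint { NormalUser = 0x20000, Constrained = 0x10000, Untrusted = 0x01000 }
    const uint SAFER_SCOPEID_USER = 2, SAFER_LEVEL_OPEN = 1;
    [DllImport("advapi32.dll", SetLastError = true)]
    static extern bool SaferCreateLevel(uint scope, uint level, uint flags, out IntPtr hLevel, IntPtr reserved);
    [DllImport("advapi32.dll", SetLastError = true)]
    static extern bool SaferComputeTokenFromLevel(IntPtr hLevel, IntPtr inToken, out IntPtr outToken, uint flags, IntPtr reserved);
    [DllImport("advapi32.dll")] static extern bool SaferCloseLevel(IntPtr hLevel);
    [DllImport("kernel32.dll")] static extern bool CloseHandle(IntPtr h);

    [StructLayout(LayoutKind.Sequential, CharSet = CharSet.Unicode)]
    struct STARTUPINFO
    {
        public int cb; public string lpReserved, lpDesktop, lpTitle;
        public int dwX, dwY, dwXSize, dwYSize, dwXCountChars, dwYCountChars, dwFillAttribute, dwFlags;
        public short wShowWindow, cbReserved2; public IntPtr lpReserved2, hStdInput, hStdOutput, hStdError;
    }
    [StructLayout(LayoutKind.Sequential)]
    struct PROCESS_INFORMATION { public IntPtr hProcess, hThread; public int dwProcessId, dwThreadId; }
    [DllImport("advapi32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
    static extern bool CreateProcessAsUser(IntPtr hToken, string app, string cmdLine, IntPtr pSec, IntPtr tSec,
        bool inherit, uint flags, IntPtr env, string cwd, ref STARTUPINFO si, out PROCESS_INFORMATION pi);

    // Start `app` with `parameters` under a token restricted to `level`; returns the child's PID (which DMR never hands back).
    public static int Launch(Level level, string app, string parameters)
    {
        IntPtr hLevel, hToken;
        if (!SaferCreateLevel(SAFER_SCOPEID_USER, (uint)level, SAFER_LEVEL_OPEN, out hLevel, IntPtr.Zero)) throw new Win32Exception();
        // inToken = NULL: derive the restricted token from this process's own token.
        bool ok = SaferComputeTokenFromLevel(hLevel, IntPtr.Zero, out hToken, 0, IntPtr.Zero);
        SaferCloseLevel(hLevel);
        if (!ok) throw new Win32Exception();
        try
        {
            // lpTitle is honoured by console programs only: a cmd.exe started this way shows it is restricted.
            var si = new STARTUPINFO { cb = Marshal.SizeOf(typeof(STARTUPINFO)), lpTitle = app + " @ SAFER " + level };
            // The full command line goes in lpCommandLine, so "notepad.exe c:\windows\log.txt" works here.
            string cmd = "\"" + app + "\"" + (parameters.Length > 0 ? " " + parameters : "");
            PROCESS_INFORMATION pi;
            if (!CreateProcessAsUser(hToken, app, cmd, IntPtr.Zero, IntPtr.Zero, false, 0, IntPtr.Zero, null, ref si, out pi))
                throw new Win32Exception();
            CloseHandle(pi.hThread); CloseHandle(pi.hProcess);
            return pi.dwProcessId;
        }
        finally { CloseHandle(hToken); }
    }

    static int Main(string[] argv)
    {
        Level level;
        if (argv.Length < 2 || !Enum.TryParse(argv[0], true, out level))
        { Console.Error.WriteLine("usage: SaferLaunch <normaluser|constrained|untrusted> app [parameters...]"); return 2; }
        string[] rest = new string[argv.Length - 2];
        for (int k = 0; k < rest.Length; k++)   // quote parameters that contain spaces
            rest[k] = argv[k + 2].Contains(" ") ? "\"" + argv[k + 2] + "\"" : argv[k + 2];
        Console.WriteLine("started PID {0} at SAFER level {1}", Launch(level, argv[1], string.Join(" ", rest)), level);
        return 0;
    }
}
```

Running it as `SaferLaunch constrained c:\windows\notepad.exe c:\windows\log.txt` opens the document under a constrained token, which is the case plain DMR cannot handle.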
     
  13. Sully

    Sully Registered Member

    Joined:
    Dec 23, 2005
    Posts:
    3,719
    @Meriadoc

    Unless I miss some method, only a resident application will be capable of watching for children to spawn from the parent. If I presented an application that monitors for processes whose parents are DMR'd, it would not be too hard. Simply examine each process for its parent PID or hWnd, and if found change its title to match some string as an ID, even to indicate it is both DMR ran and its parent.

    It is also possible perhaps, I have not looked yet, to examine the token of each process started. Still, as with the window hi-lighting, it requires a process to run. Unfortunately I am deficient in creating services, or it might be an easy one to do. It might even be that a service could be made, a small c++ one, that could simply check all processes for restricted SAFER tokens, and append the titles to indicate such. It would then work with SRP as well as DMR because they use the same functionality. I for one would like to see when an SRP restricted process is running.

    Sul.
     
  14. jdd58

    jdd58 Registered Member

    Joined:
    Jan 30, 2008
    Posts:
    525
    Location:
    Arizona
    Wouldn't it be better to create something that reduces rights for certain programs by default ala SetSafer, which also provide an indication of reduced rights ala Sandboxie, then create a context menu or dock to run the program as admin for updates? Sounds like a simplified version of AppGuard.

    That way when I open a PDF with an exploit Adobe, Foxit, or whatever will automatically run with reduced rights.
     
  15. Sully

    Sully Registered Member

    Joined:
    Dec 23, 2005
    Posts:
    3,719
    You bring up some good points that I have thought out. Remember SetSafer is only .xml method of creating same thing PGS does, or a .reg file, or even .vbs can do it too.

    First, to create something that reduces rights by default, is already done in the form of SRP. It uses the same SAFER tokens that DMR uses. But, any process is examined to see if it needs restriction. I figure, why try to build a resident tool to do what is already being done?

    Second, it is true, a resident tool could start applications like SRP does, but also because one could code it, do the SBIE style indicators.

    Third, as for starting a default restricted program as Admin for update purposes, again SRP already does this, by changing the name of the .exe, or the path, it is easy enough to bypass SRP and open as Admin for updates etc.

    AppGuard, not quite. In concept AppGuard protects the userspace, and segregates areas. It does so with a different method, a precursor to CreateProcessAsUser I assume, which they call filelock. It is much more robust, but an underlying idea is somewhat similar.

    On opening pdf with an exploit, and you want to be sure the reader program is reduced, you have multiple ways to accomplish this. First, you run in LUA, so of course, it is taken care of. Second, you start the browser as restricted with SRP/DMR, and anything which it spawns should then inherit the same rights. Lastly, if just executing a pdf file from explorer for example, you could have your pdf readers in SRP as I do, so no matter where the .pdf lives, the reader itself is restricted.

    That is the nice part of SRP, it is built into every process being created to check if SAFER values exist in the registry/GPO, so you can make one rule and it is good.

    What I am after here, is not to create something new, so much as enhance SRP. DMR is nice, as you don't need a rule to be set in place like you would with SRP. DMR is not as easy to use as I would like it. So my little beta tool makes it easier. However, I want the ability to drop a parameter not just the parent program. I also want to drop documents or shortcuts, and have the tool figure out itself what the parent application would be (through file associations).

    Other areas, many of them require some program or service to be made that runs all the while, to watch for things. While a nice small C tool could do just that, I have yet to see how built-in SRP and the supplement of some form of DMR approach could enhance SRP and make it easier. I suppose this could even be a form of RunAs since you can reverse the token to have admin rights.

    So, maybe you see, how some of this is already taken care of, and figuring how to exactly augment SRP with an easy use of DMR could make it more convenient without static rules, as well as indication of restricted processes.

    Sul.
     
  16. jdd58

    jdd58 Registered Member

    Joined:
    Jan 30, 2008
    Posts:
    525
    Location:
    Arizona
    I'll be watching for whatever you come up with.
     
  17. quark59

    quark59 Registered Member

    Joined:
    Jan 8, 2005
    Posts:
    31
    In regards to a title for the app when it's running with your tool, how about "DMR @ whatever" with DMR in a different font? Everything else you've written about is waaaaaay over my head!!!:eek:
    Allen
     
  18. Sully

    Sully Registered Member

    Joined:
    Dec 23, 2005
    Posts:
    3,719
    For those who might be watching this thread, I have some good news. I have labeled this tool SAFER_Zone. It can as of tonight, start so far any object dropped onto it. That is, you may drop

    an .exe, such as notepad.exe
    an .lnk, which is pointing to anywhere
    an .abc - .xyz file. It finds the proper application registered to open the file type, and uses it with whatever syntax is available.
    a directory - it opens explorer.exe to that directory.

    It basically now is smart enough to find what it is you are opening, and what to open it with. Of course, if you try to open fileobject.dork, and you have no .dork file association established, it will not work. The answer is to right click the .dork file, and open with notepad or whatever it is, and use the checkbox to remember the answer. Then it will work.

    In this process, one that I was hoping to get working, I found that if you create an .ini file with all associations and command parameters in it, speed of starting said application is greatly improved.

    Compare, dropping in an .mp3 file, program must find the correct (and current default) application to start .mp3 with. A manual scan on an amd 2400 xp with older XP Pro installation, takes approximately 3900 ms, where the same operation if an .ini file has been built takes around 180 ms. That is a good improvement. I have now a feature to build the .ini file. It takes approximately 10 seconds to create a file with about 225 associations and parameters, of around 450 total file extensions known in my computer.

    What does this mean? It means simply that this little tool is fast lol. And that it is smart enough to start just about anything, and restrict it the same as DropMyRights or StripMyRights does. The best part, is that it is stand-alone. You don't have to have DMR in sysdir or windir at all. It also is capable of sitting happily on your desktop, and you drop one or more objects onto it and it starts them all. Or you start the app and a small GUI window operates in the same fashion.

    Even creating a shortcut on your desktop to this tool works in the same manner it seems. Just drag and drop.

    Alpha versions running smoothly. GUI is still needing work, although there is not much GUI to it. Also need to incorporate some .ini settings for tweaking purposes. As well, it also renames the title of whatever it opens, by appending @ SAFER_Zone to the end. So far only explorer windows refuse renaming. I have yet to try it with d3d or ogl programs, it may throw errors there.

    So far the bug I note is that if you start something that needs admin rights, like PGS, and you don't cancel, the program hangs if in GUI mode. Closing it is fine, but it will not accept any more drops until it is closed and restarted. There is some process hanging in the background but I cannot locate it.

    I also believe it will run things like rundll32.exe <parms 1, 2, 3>. I have not tried yet though.

    So for those who may still run as admin, and want an easy way to just start something restricted, this might be of interest to you. We shall see very soon.

    Sul.
     
  19. Pliskin

    Pliskin Registered Member

    Joined:
    Feb 8, 2009
    Posts:
    341
    Excellent tool :thumb: , thank you Sul :).

    I've noticed that Opera refuses renaming, too. Also if Opera is running, dropping some Opera associated file on SAFER_Zone will close SAFER_Zone.
     
    Last edited: Aug 2, 2009
  20. Sully

    Sully Registered Member

    Joined:
    Dec 23, 2005
    Posts:
    3,719
    Hmm. I will try to reproduce that. Or maybe put in a debug switch for the GUI. I don't usually have the GUI open. I have a link on my desktop and quick launch and drop items on the link.

    Maybe the browser title bar changes so much, I had not thought about that. Perhaps for a browser an icon could be replaced. I think what happens is when the program is fired, it changes the title, but if the program changes the title itself, there is no more checks. I don't really want this to continue to run and try to maintain all the processes it starts. Other programs can do that better than this. So there are some limitations.

    But thanks for trying and the feedback.

    Sul.
     