New program Runasil starts a given program with a given integrity level

Discussion in 'other anti-malware software' started by MrBrian, Dec 18, 2010.

Thread Status:
Not open for further replies.
  1. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
    http://blog.didierstevens.com/2010/12/01/runasil/

    One possible advantage of using Runasil instead of Chml or Icacls to set the integrity level directly on a given program is that one doesn't need to worry about setting the integrity level of the given program every time the program is updated.
     
  2. Didier Stevens

    Didier Stevens Security Researcher

    Joined:
    Nov 19, 2010
    Posts:
    66
    Good point, hadn't thought of that one myself ;-) .
     
  3. Sully

    Sully Registered Member

    Joined:
    Dec 23, 2005
    Posts:
    3,719
    Cool. I was unaware of that registry key and its functionality. Sounds like a little trip around the web is in order.. again :blink:

    Sul.
     
  4. Tarnak

    Tarnak Registered Member

    Joined:
    Feb 5, 2007
    Posts:
    3,875
    We have a triumvirate ...:D ;)
     
  5. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    What do you mean?

    I have never faced a problem such as that. Once the object is assigned an integrity level, it keeps it.
    Well, until you delete it, that is. Is this what you're talking about? In case an update substitutes (as in deletes and replaces) the original object?
     
  6. jmonge

    jmonge Registered Member

    Joined:
    Mar 20, 2008
    Posts:
    12,883
    Location:
    Canada
    it looks very interesting
     
  7. Tarnak

    Tarnak Registered Member

    Joined:
    Feb 5, 2007
    Posts:
    3,875
    Yes, but for Vista, and onwards...I am still with XP. ;)
     
  8. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
    Correct. As an example, I run Firefox as a low integrity app. Every time I update Firefox, the new firefox.exe is no longer low integrity, and thus I've had to use chml to set firefox.exe as low integrity.
     
  9. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    OK, thanks. I was wondering if you'd be also seeing that behavior with just replacing, without the previous object being deleted as well. Something would have to be wrong if that was the case. :)
     
  10. whitedragon551

    whitedragon551 Registered Member

    Joined:
    Sep 30, 2008
    Posts:
    3,189
    Location:
    USA
    How is this different than Prio aside from the fact Prio is a Task Manager add-on?
     
  11. Didier Stevens

    Didier Stevens Security Researcher

    Joined:
    Nov 19, 2010
    Posts:
    66
    Prio is for process priorities, not for integrity levels. My tool is for integrity levels:
    https://secure.wikimedia.org/wikipedia/en/wiki/Mandatory_Integrity_Control

    Unlike process priority, you can't change the integrity level of an existing process. It is set at process creation time.
     
  12. kC_

    kC_ Registered Member

    Joined:
    Apr 6, 2007
    Posts:
    452
    Would this work?
    Win 7 standard user... one application on \\server\share\apploader.exe

    This application requires admin privileges to run. Would setting the integrity level on that make it not require admin rights?
     
  13. Didier Stevens

    Didier Stevens Security Researcher

    Joined:
    Nov 19, 2010
    Posts:
    66
    Not exactly sure what you mean...

    When you use a non-admin account on Windows 7 to start a program with "Run as administrator", you need to provide credentials because you are starting a program to run with the profile of another user (the admin in this case).

    Programs you start with "Run as administrator" run with a high integrity level.
     
  14. kC_

    kC_ Registered Member

    Joined:
    Apr 6, 2007
    Posts:
    452
    Thanks.
    In this case I've had to set the user as a local admin for this 1 application to run.
    Ideally we don't want the users to be admins but they do require access to this application. I was wondering if your application could allow this? But seems it's something different.
    Thanks
     
  15. Didier Stevens

    Didier Stevens Security Researcher

    Joined:
    Nov 19, 2010
    Posts:
    66
    I understand, it's better to use LUAs. But you still have UAC enabled?

    You could try something else: instead of adding this user to the local admin group, give this user just the necessary rights and privileges for this application to run.

    This will require some trial and error. I know Microsoft has some tools to find out why an application needs admin rights, but I'm not that familiar with them.
    Personally, I would use Procmon to analyze this application and find out what it requires.

    Then I would set the necessary ACLs (files, registry) just for this user, and maybe set some privileges in the local/group policy.
     
  16. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
    If that app doesn't actually need admin rights to function properly, you could try VistaUACMaker. If the app really does need admin rights to function properly, you could create a shortcut to run just that app with admin rights by using the program mentioned in this thread.
     
  17. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
  18. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    I'm wondering... imagine you set an integrity level either with chml or icacls. If you use runasil to keep the integrity level... would it cause any problems?

    Would it be better to just use runasil? I like what runasil does, but chml has more features.

    Would they "work together" just fine?
     
  19. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    By the way, if you'd like to keep your integrity levels, you don't need Runasil, at all.

    If you're like me, then what I'll mention will suffice.

    In MrBrian's example, he uses Firefox as his browser and every time the browser upgrades, it will lose the low integrity level.
    I don't use Firefox and I don't know what's your approach, but I only upgrade Chromium at the end of the day, when I'm no longer using it.

    My approach is a bit different with Chromium because I have created a batch file to automatically apply the integrity levels. But, I'll mention Windows Live Mail which I've set to an explicit medium integrity level.

    To be sure that WLM is always with an explicit medium integrity level, just in case it gets updated in my relative's system, via Windows Update, I've created a batch file, and then I scheduled a task that will reapply the integrity level each session logon.

    I used the tool chml to apply the integrity levels, because I'm making use of the flags NoReadUp and NoExecuteUp. Otherwise, Windows tool icacls suffices.

    If you're running a standard user account, just make sure the task is set to execute regardless of the administrator being logged in.

    This does the trick pretty well.

    Maybe something you'd like to try... or not... :D
     
  20. Sully

    Sully Registered Member

    Joined:
    Dec 23, 2005
    Posts:
    3,719
    Rather than schedule a task, you could use a login script, or possibly even autoexec, but I haven't played with autoexec in years and don't know if it behaves in Vista/7 the way it used to. You could also put the script in the user's startup directory, which will be run on login too. Many ways to do this. The task you made, is it on a certain timetable?

    Sul.
     
  21. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    Yes, we can achieve the same goal using different techniques... :D

    I could create a script to verify what's a given process's integrity level and reapply it, and all that. If the process is running, then either give me a message, to give me the choice to terminate it or silently wait for the process to end and reapply the integrity level. And, I will do it, but I'll create a PowerShell script for that. When I get enough knowledge. :D I try to learn a little bit each day. I'm not that great with batch files. Never really learned batching that much, only very basic stuff. On the other hand, PowerShell is something that I do want and am learning, and it's the future.

    Anyway, the batch file is scheduled to run each session logon, regardless of the administrator being logged in.
     
  22. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
    I've been using a batch file for this for the past month. I run it manually after updating Firefox.
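
The relabel-after-update routine discussed in posts 19 and 21, as an added PowerShell example that is not code from any poster in this thread: it reads a file's explicit mandatory label with icacls, waits for the program to exit, then reapplies the label and verifies it. The Firefox path, the name-based process lookup and English-language icacls output are assumptions; icacls applies only the default no-write-up policy, so the NoReadUp and NoExecuteUp flags mentioned in post 19 still need chml.

```powershell
# Added example, not from the thread. Defaults below are assumptions.
param(
    [string]$Path = "$env:ProgramFiles\Mozilla Firefox\firefox.exe",  # assumed path
    [ValidateSet('Low', 'Medium', 'High')]
    [string]$Level = 'Low',
    [int]$WaitSeconds = 300          # how long to wait for the program to exit
)

function Get-FileIntegrityLabel {
    param([string]$File)
    # An explicit label shows up in icacls output (English Windows assumed) as
    #   Mandatory Label\Low Mandatory Level:(NW)
    # No such line means no explicit label; Windows then treats the file as Medium.
    $out = & icacls.exe $File 2>&1
    if ($LASTEXITCODE -ne 0) { throw "icacls failed for ${File}: $out" }
    $hit = $out | Select-String 'Mandatory Label\\(\w+) Mandatory Level' |
        Select-Object -First 1
    if ($hit) { return $hit.Matches[0].Groups[1].Value }
    return $null
}

$current = Get-FileIntegrityLabel -File $Path
if ($current -eq $Level) {
    Write-Output "$Path is already labelled $Level"
    return
}
Write-Output "$Path label is '$current', expected '$Level' (replaced by an update?)"

# A process keeps the integrity level it was created with, so the file label
# only matters for the next launch. Wait up to $WaitSeconds for running
# instances (matched by process name) to exit before relabelling.
$name = [IO.Path]::GetFileNameWithoutExtension($Path)
$deadline = (Get-Date).AddSeconds($WaitSeconds)
while ((Get-Process -Name $name -ErrorAction SilentlyContinue) -and
       ((Get-Date) -lt $deadline)) {
    Start-Sleep -Seconds 5
}

# icacls sets the label with the default no-write-up policy only.
& icacls.exe $Path /setintegritylevel $Level | Out-Null
if ($LASTEXITCODE -ne 0) { throw "Could not set $Level on $Path (not elevated?)" }

$after = Get-FileIntegrityLabel -File $Path
if ($after -ne $Level) { throw "Label is '$after' after relabel, expected $Level" }
Write-Output "$Path relabelled to $Level"
```

Saved as a script and run elevated from a logon-triggered scheduled task, this covers the case where an update deletes and replaces the labelled file.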
     