Vista bitten by protected processes?

Discussion in 'other security issues & news' started by 666, Apr 8, 2007.

Thread Status:
Not open for further replies.
  1. 666

    666 Registered Member

    Joined:
    Feb 20, 2006
    Posts:
    48
    http://www.alex-ionescu.com/?p=34

    Unfortunately, it is trivial to make a process protected or unprotected by bypassing all the Code Integrity checks and sandbox in which protected processes are supposed to run. I wrote a small application which I called D-Pin Purr which does exactly this.


    http://www.alex-ionescu.com/?p=35

    As promised in my earlier blog post, I’ve finalized the utility and made it available for download here. I won’t be releasing source code for the moment because I don’t want to encourage people to start adding this kind of code into their own malware programs, nor to encourage the Symantec folks to start unprotecting every process on the system.


    How long before Symantec or the malware artists (is there a difference?) will exploit this?
     
  2. EraserHW

    EraserHW Malware Expert

    Joined:
    Oct 19, 2005
    Posts:
    588
    Location:
    Italy
    Wasn't it a well known way to unlock files that were locked for exclusive I/O? :)

    Moreover, to run this looks like you've to:

    - have administrator rights and, of course, run it without UAC;
    - run the 32-bit version of Vista, because an unsigned driver is loaded to change a bit on a flag in the EPROCESS.

    If you have both of these situations then I think unlocking a protected process is maybe not the first thing to worry about o_O

    Anyway, Alex is really skilled :thumb:
     
    Last edited: Apr 9, 2007