SlideShare una empresa de Scribd logo

Vista uipi.ppt (1)

E
Edgar Barbosa

Windows Vista User Interface Privilege Isolation

Tecnología
1 de 70
Descargar para leer sin conexión
WINDOWS VISTA UIPI User Interface Privilege Isolation
Speaker Info Edgar Barbosa Security researcher Currently employed at COSEINC Experience with reverse engineering of Windows kernel executables Published some articles at rootkit.com Participated in the creation of bluepill, a hardware-virtualization based rootkit
Windows Vista UIPI Shatter attacks Integrity Levels UIPI initialization Process and thread initialization Window messages UIPI in action Special cases
Why UIPI? Reasons to learn about UIPI internals: It’s not well documented The new book “Writing secure code for Windows Vista” dedicates only one page to discuss UIPI UIPI affects several applications and API functions There are some possible vectors of attacks against UIPI To understand how windows messages are internally processed Understand how some internal function works under the hood
Shatter attacks Published by Chris Paget in 2002 Process by which one application could execute arbitrary code in another application Uses the window messaging system to send messages from an unprivileged app to the window message procedure of a privilege application. WM_TIMER could be sent with a callback pointer parameter
UIPI Stands for “User Interface Privilege Isolation” New for Windows Vista Operating System Vista now uses Integrity Levels for each running process: 0x1000 - Low integrity 0x2000 - Medium integrity 0x3000 - High integrity 0x4000 - System Integrity Each application runs with one assigned IL.
UIPI A lower privilege application cannot [1] : Perform a window handle validation of higher process privilege SendMessage or PostMessage to higher privilege application windows ( block “Shatter attacks” ) Use thread hooks to attach to a higher privilege process Use journal hooks to monitor a higher privilege process Perform DLL injection to a higher privilege process
UIPI initialization Windows Vista UIPI
UIPI initialization The UIPI initialization process occurs in the load time of the graphical subsystem module (win32k.sys) DriverEntry will call Win32UserInitialize function which will call: InitUIPI (win32k) RtlQueryElevationFlags (ntoskrnl) InitClipFormatExceptionList (win32k)
UIPI initialization KUSER_SHARED_DATA Is a memory area shared between the user mode and kernel mode space Mapped for each running process Initialized by the OS executive - ntoskrnl It contains very important system variables: KdDebuggerEnabled, SystemCall, TickCount DbgElevationEnabled, DbgVirtEnabled, …. It is protected: Read-only access for user mode code
UIPI initialization RtlQueryElevationFlags Undocumented function exported by ntoskrnl.exe and the ntdll.dll Prototype: NTSTATUS RtlQueryElevationFlags( OUT ULONG *Flags ); Retrieve UAC system information from the shared memory area (KUSER_SHARED_DATA) Return flags: ElevationEnabled (0x01) - UAC is enabled VirtEnabled (0x02) - Virtualization is enabled InstallerDetectEnabled (0x04) - Detection of installers
UIPI initialization VOID InitUIPI(); UIPI is initialized by the InitUIPI function implemented inside the win32k kernel module Calls the RtlQueryElevationFlags to check if elevation is enabled (ElevationEnabled). If elevation is enabled, then check the value “EnableUIPI” inside the system policies registry key. If EnableUIPI value is set to true, the system set the global variable gbEnforceUipi to TRUE. UIPI is only active if gbEnforceUipi is equal TRUE.
UIPI initialization InitClipFormatExceptionList Called immediately after InitUIPI if gbEnforceUipi value is true. Responsible for reading the values of the registry key: HKLMSOFTWAREMicrosoftWindowsCurrentVersionPoliciesSystemUIPIClip boardExceptionFormats gpClipFormatExceptionList: Pointer to a list of Clipboard Format values, e.g. CF_OEMTEXT (0x07) gcClipFormatExceptionList: Global counter of the number of elements inside the list pointed by the gpClipFormatExceptionList pointer.
UIPI Initialization
Processes, threads and UIPI Windows Vista UIPI
Process initialization and UIPI Data structures: EPROCESS PROCESSINFO Functions: xxxInitProcessInfo()
EPROCESS Each process is represented by an executive process object structure (EPROCESS) Accessible only for kernel mode code Some EPROCESS data information includes: Handle table pointer Virtual Address space Descriptors (VAD) Access token PROCESSINFO pointer
PROCESSINFO Structure used by win32k to store all the USER32 related information about a process. Created at the first time that the process calls a USER32 syscall and it is initialized by the xxxInitProcessInfo function Address stored at EPROCESS- >Win32Process Data information includes: Pointer to EPROCESS Desktop, UserHandleCount, WinStation information ….
EPROCESS and PROCESSINFO
xxxInitProcessInfo Prototype NTSTATUS xxxInitProcessInfo( PROCESSINFO *pi ); Responsible for the initialization of the PROCESSINFO structure Open the primary token of the process with PsReferencePrimaryToken and Get the Integrity Level of the process by calling SeQueryInformationToken with the TOKEN_INTEGRITY_LEVEL information class
xxxInitProcessInfo If gbEnforceUIPI == TRUE Copy the Integrity Level value at pi- >IntegrityLevel Check for the TokenUIAccess flag using SeQueryInformationToken function. If the flag is set, set the correspondent flag at pi->Flags The TokenUIAccess importance will be presented soon.
Thread initialization and UIPI Data structures: ETHREAD THREADINFO Functions: xxxInitThreadInfo NtUserCheckAccessForIntegrityLevel
ETHREAD Structure used by the kernel to represent a thread (ETHREAD) Each ETHREAD is always owned by an EPROCESS structure ( ETHREAD- >Tcb.Process ) Linked to other threads by the ThreadListEntry pointer Some fields: InitialStack, StartAddress, ThreadListEntry, ApcState Priority, Affinity, THREADINFO, ...
THREADINFO Undocumented structure used by win32k to store USER32 information related to a thread Created only if the thread calls a USER32 function THREADINFO address stored at ETHREAD->Tcb.Win32Thread Some fields: pq ( Input message queue ) mlPost ( Post message queue ) Send message queue Windows hook information...
xxxCreateThreadInfo() Function called to allocated and initialize the THREADINFO structure Some responsibilities: Allocate and initialize the input, send and post message queues. Set desktop Set integrity level of the message queue Set foreground priority
Kernel structures
NtUserCheckAccessForIntegrity Level Undocumented syscall which can be used by usermode programs (not officially supported) It’s used by the USER32 usermode functions: TileWindows() CascadeWindows() NTSTATUS NtUserCheckAccessForIntegrityLevel ( Pid1, Pid2, *BOOL Result ); It checks the current process PROCESSINFO integrity level against the integrity level of the target process PROCESSINFO.
Window messages Windows Vista UIPI
Window messages Data structures: Message Queue Functions: ChangeWindowMessageFilter
Window messages Each window has a window procedure. Window messages are used by the system to send events to a window procedure. Each windows, which is identified by a window handle (HWND), is always owned by a thread. But each thread can own more than one window Range 0x0 -> 0xffff (available to programmer) 0x10000 -> 0x1ffff ( reserved to system )
Message Queues Each received message is sent to a message queue The window message queues are implemented in the THREADINFO structure There are 3 queues: Input queue (SendInput, mouse and keyboard msgs) Post queue ( PostMessage ) Send queue ( SendMessage ) The Input Queue structure, a.k.a Virtualized Input Queue (VIQ), Integrity Level field.
Message Queues The VIQ structure is allocated by the AllocQueue() function, which is called by the xxxCreateThreadInfo() function. AllocQueue() returns a pointer to the VIQ address. If the owner process of the Queue is the CSRSS process, the Queue->IntegrityLevel will be set equal 0x2000 (MEDIUM_INTEGRITY). If not, it will be set equal the PROCESSINFO->IntegrityLevel.
VIQ, IntegrityLevel and Messages
ChangeWindowMessageFilter Documented API directly related to UIPI New for Window Vista. Can be used to add or remove Window messages from the message filter If a message is added to the filter, any other process is able to send that message to the process, regardless of the integrity level of the processes. Prototype: BOOL ChangeWindowMessageFilter( UINT msg, DWORD dwFlag ); dwFlag: MSGFLT_ADD: Adds the message to the filter MSGFLT_REMOVE: Removes the message from the filter
Window Message Filter implementation Message Filter is implemented in the PROCESSINFO. Message queues are implemented per-thread, but all threads (windows) share the same Message Filter. Can’t be used by LOW_INTEGRITY processes! win32k!_ChangeWindowMessageFilter function is the real code responsible for the filter management. The filter is implemented using bitmap structures: 0 = message is not allowed 1 = message is allowed The address of the bitmap tables is stored at PROCESSINFO->MessageFilter
Message Filter implementation
UIPI in action Windows Vista UIPI
UIPI in action How PostThreadMessage function works internally in Windows Vista? Functions: PostThreadMessage NtUserPostThreadMessage AllowMessageAcrossIL CheckForMessageAccessCrossIL CheckAccessForIntegrityLevel
PostThreadMessage PostThreadMessage function posts a message to the message queue of the specified thread. It returns without waiting for the thread to process the message. It uses the syscall NtUserPostThreadMessage
NtUserPostThreadMessage Kernel mode implementation of PostThreadMessage Prototype: BOOL NtUserPostThreadMessage( DWORD idThread, UINT msg, WPARAM wParam, LPARAM lParam ); Flow: Get the address of the THREADINFO structure of the current thread and save it in the _gptiCurrent variable. Get the THREADINFO of the target idThread using the PtiFromThreadId( ) function.
NtUserPostThreadMessage If they are from the same desktop, it calls the CheckForMessageAccessCrossIL() function, which will verify if the destination thread allows the window message to be posted in the target thread post message queue. If the return code of CheckForMessageAccessCrossIL is TRUE, the PostThreadMessage is called PostThreadMessage allocates a new queue entry (AllocQEntry), stores the message (StoreQMessage) and set the wake message flags (SetWakeBit)
NtUserPostThreadMessage
CheckForMessageAccessCross IL CheckForMessageAccessCrossIL is a complex function We will analyze now each function used by CheckForMessageAccessCrossIL: CheckAccessForIntegrityLevel() AllowMessageCrossIL()
CheckAccessForIntegrityLevel Internal win32k function extremelly used Prototype: BOOL CheckAccessForIntegrityLevel( ULONG SourceIntegrityLevel, ULONG TargetIntegrityLevel ); If the SourceIntegrityLevel < TargetIntegrityLevel, returns FALSE If SourceIntegrityLevel >= TargetIntegrityLevel, returns TRUE.
AllowMessageCrossIL Internal win32k function Prototype: BOOL AllowMessageCrossIL( PROCESSINFO *pi, UINT msg ); This function uses the MessageFilter bitmap structures created by the ChangeWindowMessageFilter function. Return: If TRUE, the target thread will accept the message If FALSE, doesn’t mean nothing! Why?
CheckForMessageAccessCross IL Prototype: BOOL CheckForMessageAccessCrossIL ( PROCESSINFO *piSource, PROCESSINFO *piTarget, UINT msg, WPARAM wParam ); How it works? It compares the piSource against piTarget. If equal, return TRUE. There’s no reason in checking threads of the same processinfo. If different, calls the AllowMessageAcrossIL( piTarget, msg ), but it do not check the return value immediately!
CheckForMessageAccessCross IL It now compares the msg with a list of always allowed messages: 0x000 - WM_NULL 0x003 - WM_MOVE 0x005 - WM_SIZE 0x00D - WM_GETTEXT 0x00E - WM_GETTEXTLENGTH 0x033 - WM_GETHOTKEY 0x07F - WM_GETICON 0x305 - WM_RENDERFORMAT 0x308 - WM_DRAWCLIPBOARD 0x30D - WM_CHANGECBCHAIN 0x31A - WM_THEMECHANGED 0x313, 0x31B (WM_???)
CheckForMessageAccessCross IL If the message is in the list of always allowed, return TRUE immediately. If not, checks now the returned value of the CheckForMessageAccessCrossIL() . If equal true, then returns TRUE. If false, compare the current IL against the target IL using the CheckAccessForIntegrityLevel. If the current thread has a IL greater or equal than the target thread IL, returns TRUE. Check if CSRSS is the owner process of the target thread and allow the message if it is.
UIPI special cases Windows Vista UIPI
Special cases CSRSS TokenUIAccess
CSRSS threads The CSRSS process is responsible for the creation of the console window for console- mode applications. Each console window is controled by a CSRSS thread (ConsoleInputThread function ) inside winsrv.dll It registers the window class “ConsoleWindowClass” ProcessCreateConsoleWindow creates the console window ConsoleWindowProc is the window procedure.
CSRSS threads As exception, CSRSS threads that creates windows will have the THREADINFO- >IntegrityLevel set equal 0x2000 ( MEDIUM_INTEGRITY ) by the xxxCreateThreadInfo function, regardless of the CSRSS IL. The address of the PROCESSINFO structure of csrss process is stored at win32k.sys in the global variable _gpepCSRSS How is this related to UIPI?
CSRSS threads Windows owned by CSRSS threads are the great exception rule in UIPI! In February 2007, Joanna Rutkowska published in her blog [2] that is possible to send WM_KEYDOWN messages to a open Administrative Shell (cmd.exe) running at HIGH IL from a LOW IL program. This is not only possible with cmd.exe, but with any console mode program running regardless of the its integrity level.
CSRSS threads The CheckForMessageAccessCrossIL() and xxxInterSendMsgEx() functions checks if the process owner of the target thread is CSRSS (gpepCSRSS) If CSRSS is the owner, the message is sent or posted even if the IL of the source thread is lesser than the IL of the target thread. Message is allowed even if the target’s message filter do not allow the message.
TokenUIAccess TokenUIAccess is a new token flag (at enum TOKEN_INFORMATION_CLASS) At the PROCESSINFO initialization process, the system checks for the TokenUIAccess flag in the primary token of the process. If the flag is present, the TokenUIAccess is set in the Flags field of PROCESSINFO. This flag allows application to potentially override some UIPI restrictions [3]
MSCTF.DLL and UIPI Windows Vista UIPI
MSCTF.dll AttachThreadInput MSCTF.DLL DoS attack Queue integrity level elevation
AttachThreadInput Input messages ( keyboard, mouse, SendInput ) are inserted at the Virtualized Input Queue of the THREADINFO. With the AttachThreadInput function, two threads can share their VIQ. Prototype: BOOL AttachThreadInput( tidAttach, tidAttachTo, fAttach ); When 2 thread share their input queues, input messages will be processed synchronously. If one thread hangs, the other thread will hang too.
Before AttachThreadInput
After AttachThreadInput
AttachThreadInput Must be used very carefully because it affects the robustness of the window message processing of the threads. NtUserAttachThreadInput is the syscall used by the user32 AttachThreadInput It is affected by UIPI, because the zzzAttachThreadInput function will check the Queue->IntegrityLevel of calling thread against the ProcessInfo->IntegrityLevel of the target thread.
MSCTF.DLL There are a DLL located in the system32 folder called MSCTF.dll which is used by the user32.dll. Practically all running programs in the Vista system loads msctf.dll
MSCTF.DLL MSCTF.dll is one of the few DLLs in Vista that uses the new ChangeWindowMessageFilter() function. How this new API is being used by the MSCTF? The first step is to call the internal function EnsurePrivateMessages() EnsurePrivateMessages() internals: Uses the USER32!RegisterWindowMessage function to register several window messages RegisterWindowMessage takes as parameter a string and returns a window message that is guaranteed to be unique througout the system. It now uses the returned window message and calls ChangeWindowMessageFilter() function
MSCTF.DLL Example: gAttMsg = RegisterWindowMessage(“MSUIM.Msg.AttachThreadInput”); If (gAttMsg) ChangeWindowMessageFilter( gAttMsg, MSGFLT_ADD ); After EnsurePrivateMessages(), MSCTF will register a window class “CicMarshallWndClass” with the window procedure CicMarshallWndProc(); Where is the problem? The problem is inside the CicMarshallWndProc() code responsible for the processing of gAttMsg message
MSCTF.DLL The code is: curThread = GetCurrentThreadId(); AttachThreadInput( curThread, wParam, lParam); If a low integrity thread calls AttachThreadInput against a higher integrity thread, the call will fail. But now, if the higher IL thread uses the MSCTF.dll, we can simply send a gAttMsg message and the target thread will call AttachThreadInput for us SendMessage(targetwnd, gAttMsg, GetCurrentThreadId(),TRUE);
DoS attack Using the AttachThreadInput message created by msctf.dll, we can create a Denial of Service tool which will hang all application running on the system with the msctf.dll loaded. Due to the fact that attach thread processes input messages synchronously, a low IL program is able to hang even higher integrity applications. One interesting consequence of attaching the virtualized input queue of two thread of different integrity levels is the elevation of the integrity level of the queue of the less privileged thread.
Queue integrity level elevation Each input queue (VIQ) has it’s own Integrity Level VIQ IL is assigned by xxxCreateThreadInfo function If a medium integrity level (0x2000) thread uses the Msctf AttachThreadInput message to attach to a high integrity level (0x3000) thread, the AttachThreadInput function (zzzAttachToQueue) will elevate the queue IL from 0x2000 to 0x3000
Final notes UIPI has some weird rules The always allowed window messages list is not public and documented We will probably see malwares using the UIPI exception rules, like the CSRSS case ChangeWindowMessageFilter function must be carefully used to avoid unprivileged processes to control privileged processes, like the MSCTF AttachThreadInput example.
References [1]http://blogs.msdn.com/vishalsi/archive/2006/11/30/what-is-user-interface- privilege-isolation-uipi-on-vista.aspx [2] http://theinvisiblethings.blogspot.com/2007/02/running-vista-every- day.html [3] M. Howard and D. LeBlanc - Writing Secure Code for Windows Vista - 2007. page 24.
Questions? Thank you for your time!

Recomendados

Win 8 password cracking
Win 8 password crackingWin 8 password cracking
Win 8 password crackingNutan Kumar Panda
 
CORE JAVA-2
CORE JAVA-2CORE JAVA-2
CORE JAVA-2PUNE VIDYARTHI GRIHA'S COLLEGE OF ENGINEERING, NASHIK
 
Taint analysis
Taint analysisTaint analysis
Taint analysisEdgar Barbosa
 
Hypervisor Framework
Hypervisor FrameworkHypervisor Framework
Hypervisor FrameworkEdgar Barbosa
 
Detecting hardware virtualization rootkits
Detecting hardware virtualization rootkitsDetecting hardware virtualization rootkits
Detecting hardware virtualization rootkitsEdgar Barbosa
 
Sami Laiho - Black belt troubleshooting windows 8.1
Sami Laiho - Black belt troubleshooting windows 8.1Sami Laiho - Black belt troubleshooting windows 8.1
Sami Laiho - Black belt troubleshooting windows 8.1Nordic Infrastructure Conference
 
Low level hookup
Low level hookupLow level hookup
Low level hookupAnkush Asthana
 
The Ring programming language version 1.5.1 book - Part 67 of 180
The Ring programming language version 1.5.1 book - Part 67 of 180The Ring programming language version 1.5.1 book - Part 67 of 180
The Ring programming language version 1.5.1 book - Part 67 of 180Mahmoud Samir Fayed
 

Recomendados

Win 8 password cracking
Win 8 password crackingWin 8 password cracking
Win 8 password crackingNutan Kumar Panda
 
CORE JAVA-2
CORE JAVA-2CORE JAVA-2
CORE JAVA-2PUNE VIDYARTHI GRIHA'S COLLEGE OF ENGINEERING, NASHIK
 
Taint analysis
Taint analysisTaint analysis
Taint analysisEdgar Barbosa
 
Hypervisor Framework
Hypervisor FrameworkHypervisor Framework
Hypervisor FrameworkEdgar Barbosa
 
Detecting hardware virtualization rootkits
Detecting hardware virtualization rootkitsDetecting hardware virtualization rootkits
Detecting hardware virtualization rootkitsEdgar Barbosa
 
Sami Laiho - Black belt troubleshooting windows 8.1
Sami Laiho - Black belt troubleshooting windows 8.1Sami Laiho - Black belt troubleshooting windows 8.1
Sami Laiho - Black belt troubleshooting windows 8.1Nordic Infrastructure Conference
 
Low level hookup
Low level hookupLow level hookup
Low level hookupAnkush Asthana
 
The Ring programming language version 1.5.1 book - Part 67 of 180
The Ring programming language version 1.5.1 book - Part 67 of 180The Ring programming language version 1.5.1 book - Part 67 of 180
The Ring programming language version 1.5.1 book - Part 67 of 180Mahmoud Samir Fayed
 
Os notes
Os notesOs notes
Os notesLakshmiSarvani6
 
Compromising windows 8 with metasploit’s exploit
Compromising windows 8 with metasploit’s exploitCompromising windows 8 with metasploit’s exploit
Compromising windows 8 with metasploit’s exploitIOSR Journals
 
Developing on Windows 8
Developing on Windows 8Developing on Windows 8
Developing on Windows 8Einar Ingebrigtsen
 
nullcon 2011 - Automatic Program Analysis using Dynamic Binary Instrumentation
nullcon 2011 - Automatic Program Analysis using Dynamic Binary Instrumentationnullcon 2011 - Automatic Program Analysis using Dynamic Binary Instrumentation
nullcon 2011 - Automatic Program Analysis using Dynamic Binary Instrumentationn|u - The Open Security Community
 
JEDI Slides-Intro2-Chapter20-GUI Event Handling.pdf
JEDI Slides-Intro2-Chapter20-GUI Event Handling.pdfJEDI Slides-Intro2-Chapter20-GUI Event Handling.pdf
JEDI Slides-Intro2-Chapter20-GUI Event Handling.pdfMarlouFelixIIICunana
 
Python GUI
Python GUIPython GUI
Python GUILusciousLarryDas
 
Windows Server 2008 for Developers - Part 2
Windows Server 2008 for Developers - Part 2Windows Server 2008 for Developers - Part 2
Windows Server 2008 for Developers - Part 2ukdpe
 
Double agent zero-day code injection and persistence technique
Double agent zero-day code injection and persistence techniqueDouble agent zero-day code injection and persistence technique
Double agent zero-day code injection and persistence techniqueKarlFrank99
 
Introtodotnet
IntrotodotnetIntrotodotnet
Introtodotnetrashmix
 
IntroToDotNetTech
IntroToDotNetTechIntroToDotNetTech
IntroToDotNetTechrashmix
 
PART-2 : Mastering RTOS FreeRTOS and STM32Fx with Debugging
PART-2 : Mastering RTOS FreeRTOS and STM32Fx with DebuggingPART-2 : Mastering RTOS FreeRTOS and STM32Fx with Debugging
PART-2 : Mastering RTOS FreeRTOS and STM32Fx with DebuggingFastBit Embedded Brain Academy
 
Activity 5
Activity 5Activity 5
Activity 5Heidi Owens
 
Controller
ControllerController
ControllerIniya Kannan
 
03 gui 04
03 gui 0403 gui 04
03 gui 04Niit Care
 
PyQt.pptx
PyQt.pptxPyQt.pptx
PyQt.pptxmanishgupta316325
 
Tutorial 37 API Coding
Tutorial 37 API CodingTutorial 37 API Coding
Tutorial 37 API CodingMax Kleiner
 
Web services, WCF services and Multi Threading with Windows Forms
Web services, WCF services and Multi Threading with Windows FormsWeb services, WCF services and Multi Threading with Windows Forms
Web services, WCF services and Multi Threading with Windows FormsPeter Gfader
 
2.5 gui
2.5 gui2.5 gui
2.5 guiJyothi Vbs
 
The Ring programming language version 1.9 book - Part 82 of 210
The Ring programming language version 1.9 book - Part 82 of 210The Ring programming language version 1.9 book - Part 82 of 210
The Ring programming language version 1.9 book - Part 82 of 210Mahmoud Samir Fayed
 
Finfisher- Nguyễn Chấn Việt
Finfisher- Nguyễn Chấn ViệtFinfisher- Nguyễn Chấn Việt
Finfisher- Nguyễn Chấn ViệtSecurity Bootcamp
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationMichael W. Hawkins
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityPrincipled Technologies
 

Más contenido relacionado

Similar a Vista uipi.ppt (1)

Compromising windows 8 with metasploit’s exploit
Compromising windows 8 with metasploit’s exploitCompromising windows 8 with metasploit’s exploit
Compromising windows 8 with metasploit’s exploitIOSR Journals
 
nullcon 2011 - Automatic Program Analysis using Dynamic Binary Instrumentation
nullcon 2011 - Automatic Program Analysis using Dynamic Binary Instrumentationnullcon 2011 - Automatic Program Analysis using Dynamic Binary Instrumentation
nullcon 2011 - Automatic Program Analysis using Dynamic Binary Instrumentationn|u - The Open Security Community
 
JEDI Slides-Intro2-Chapter20-GUI Event Handling.pdf
JEDI Slides-Intro2-Chapter20-GUI Event Handling.pdfJEDI Slides-Intro2-Chapter20-GUI Event Handling.pdf
JEDI Slides-Intro2-Chapter20-GUI Event Handling.pdfMarlouFelixIIICunana
 
Windows Server 2008 for Developers - Part 2
Windows Server 2008 for Developers - Part 2Windows Server 2008 for Developers - Part 2
Windows Server 2008 for Developers - Part 2ukdpe
 
Double agent zero-day code injection and persistence technique
Double agent zero-day code injection and persistence techniqueDouble agent zero-day code injection and persistence technique
Double agent zero-day code injection and persistence techniqueKarlFrank99
 
Introtodotnet
IntrotodotnetIntrotodotnet
Introtodotnetrashmix
 
IntroToDotNetTech
IntroToDotNetTechIntroToDotNetTech
IntroToDotNetTechrashmix
 
PART-2 : Mastering RTOS FreeRTOS and STM32Fx with Debugging
PART-2 : Mastering RTOS FreeRTOS and STM32Fx with DebuggingPART-2 : Mastering RTOS FreeRTOS and STM32Fx with Debugging
PART-2 : Mastering RTOS FreeRTOS and STM32Fx with DebuggingFastBit Embedded Brain Academy
 
Tutorial 37 API Coding
Tutorial 37 API CodingTutorial 37 API Coding
Tutorial 37 API CodingMax Kleiner
 
Web services, WCF services and Multi Threading with Windows Forms
Web services, WCF services and Multi Threading with Windows FormsWeb services, WCF services and Multi Threading with Windows Forms
Web services, WCF services and Multi Threading with Windows FormsPeter Gfader
 
The Ring programming language version 1.9 book - Part 82 of 210
The Ring programming language version 1.9 book - Part 82 of 210The Ring programming language version 1.9 book - Part 82 of 210
The Ring programming language version 1.9 book - Part 82 of 210Mahmoud Samir Fayed
 
Finfisher- Nguyễn Chấn Việt
Finfisher- Nguyễn Chấn ViệtFinfisher- Nguyễn Chấn Việt
Finfisher- Nguyễn Chấn ViệtSecurity Bootcamp
 

Similar a Vista uipi.ppt (1) (20)

Os notes
Os notesOs notes
Os notes
 
Compromising windows 8 with metasploit’s exploit
Compromising windows 8 with metasploit’s exploitCompromising windows 8 with metasploit’s exploit
Compromising windows 8 with metasploit’s exploit
 
Developing on Windows 8
Developing on Windows 8Developing on Windows 8
Developing on Windows 8
 
nullcon 2011 - Automatic Program Analysis using Dynamic Binary Instrumentation
nullcon 2011 - Automatic Program Analysis using Dynamic Binary Instrumentationnullcon 2011 - Automatic Program Analysis using Dynamic Binary Instrumentation
nullcon 2011 - Automatic Program Analysis using Dynamic Binary Instrumentation
 
JEDI Slides-Intro2-Chapter20-GUI Event Handling.pdf
JEDI Slides-Intro2-Chapter20-GUI Event Handling.pdfJEDI Slides-Intro2-Chapter20-GUI Event Handling.pdf
JEDI Slides-Intro2-Chapter20-GUI Event Handling.pdf
 
Python GUI
Python GUIPython GUI
Python GUI
 
Windows Server 2008 for Developers - Part 2
Windows Server 2008 for Developers - Part 2Windows Server 2008 for Developers - Part 2
Windows Server 2008 for Developers - Part 2
 
Double agent zero-day code injection and persistence technique
Double agent zero-day code injection and persistence techniqueDouble agent zero-day code injection and persistence technique
Double agent zero-day code injection and persistence technique
 
Introtodotnet
IntrotodotnetIntrotodotnet
Introtodotnet
 
IntroToDotNetTech
IntroToDotNetTechIntroToDotNetTech
IntroToDotNetTech
 
PART-2 : Mastering RTOS FreeRTOS and STM32Fx with Debugging
PART-2 : Mastering RTOS FreeRTOS and STM32Fx with DebuggingPART-2 : Mastering RTOS FreeRTOS and STM32Fx with Debugging
PART-2 : Mastering RTOS FreeRTOS and STM32Fx with Debugging
 
Activity 5
Activity 5Activity 5
Activity 5
 
Controller
ControllerController
Controller
 
03 gui 04
03 gui 0403 gui 04
03 gui 04
 
PyQt.pptx
PyQt.pptxPyQt.pptx
PyQt.pptx
 
Tutorial 37 API Coding
Tutorial 37 API CodingTutorial 37 API Coding
Tutorial 37 API Coding
 
Web services, WCF services and Multi Threading with Windows Forms
Web services, WCF services and Multi Threading with Windows FormsWeb services, WCF services and Multi Threading with Windows Forms
Web services, WCF services and Multi Threading with Windows Forms
 
2.5 gui
2.5 gui2.5 gui
2.5 gui
 
The Ring programming language version 1.9 book - Part 82 of 210
The Ring programming language version 1.9 book - Part 82 of 210The Ring programming language version 1.9 book - Part 82 of 210
The Ring programming language version 1.9 book - Part 82 of 210
 
Finfisher- Nguyễn Chấn Việt
Finfisher- Nguyễn Chấn ViệtFinfisher- Nguyễn Chấn Việt
Finfisher- Nguyễn Chấn Việt
 

Último

GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationMichael W. Hawkins
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityPrincipled Technologies
 
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdfUnderstanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdfUK Journal
 
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...Neo4j
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerThousandEyes
 
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptxHampshireHUG
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024The Digital Insurer
 
Slack Application Development 101 Slides
Slack Application Development 101 SlidesSlack Application Development 101 Slides
Slack Application Development 101 Slidespraypatel2
 
Breaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountBreaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountPuma Security, LLC
 
Artificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsArtificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsJoaquim Jorge
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationRadu Cotescu
 
Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)wesley chun
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024Rafal Los
 
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptxEIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptxEarley Information Science
 
Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfsudhanshuwaghmare1
 
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking MenDelhi Call girls
 
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdfhans926745
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc
 
A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024Results
 
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking MenDelhi Call girls
 

Último (20)

GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day Presentation
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivity
 
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdfUnderstanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
 
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024
 
Slack Application Development 101 Slides
Slack Application Development 101 SlidesSlack Application Development 101 Slides
Slack Application Development 101 Slides
 
Breaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountBreaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path Mount
 
Artificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsArtificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and Myths
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organization
 
Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024
 
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptxEIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
 
Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdf
 
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
 
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
 
A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024
 
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men
 

Vista uipi.ppt (1)

  • 1. WINDOWS VISTA UIPI User Interface Privilege Isolation
  • 2. Speaker Info Edgar Barbosa Security researcher Currently employed at COSEINC Experience with reverse engineering of Windows kernel executables Published some articles at rootkit.com Participated in the creation of bluepill, a hardware-virtualization based rootkit
  • 3. Windows Vista UIPI Shatter attacks Integrity Levels UIPI initialization Process and thread initialization Window messages UIPI in action Special cases
  • 4. Why UIPI? Reasons to learn about UIPI internals: It’s not well documented The new book “Writing secure code for Windows Vista” dedicates only one page to discuss UIPI UIPI affects several applications and API functions There are some possible vectors of attacks against UIPI To understand how windows messages are internally processed Understand how some internal function works under the hood
  • 5. Shatter attacks Published by Chris Paget in 2002 Process by which one application could execute arbitrary code in another application Uses the window messaging system to send messages from an unprivileged app to the window message procedure of a privilege application. WM_TIMER could be sent with a callback pointer parameter
  • 6. UIPI Stands for “User Interface Privilege Isolation” New for Windows Vista Operating System Vista now uses Integrity Levels for each running process: 0x1000 - Low integrity 0x2000 - Medium integrity 0x3000 - High integrity 0x4000 - System Integrity Each application runs with one assigned IL.
  • 7. UIPI A lower privilege application cannot [1] : Perform a window handle validation of higher process privilege SendMessage or PostMessage to higher privilege application windows ( block “Shatter attacks” ) Use thread hooks to attach to a higher privilege process Use journal hooks to monitor a higher privilege process Perform DLL injection to a higher privilege process
  • 9. UIPI initialization The UIPI initialization process occurs in the load time of the graphical subsystem module (win32k.sys) DriverEntry will call Win32UserInitialize function which will call: InitUIPI (win32k) RtlQueryElevationFlags (ntoskrnl) InitClipFormatExceptionList (win32k)
  • 10. UIPI initialization KUSER_SHARED_DATA Is a memory area shared between the user mode and kernel mode space Mapped for each running process Initialized by the OS executive - ntoskrnl It contains very important system variables: KdDebuggerEnabled, SystemCall, TickCount DbgElevationEnabled, DbgVirtEnabled, …. It is protected: Read-only access for user mode code
  • 11. UIPI initialization RtlQueryElevationFlags Undocumented function exported by ntoskrnl.exe and the ntdll.dll Prototype: NTSTATUS RtlQueryElevationFlags( OUT ULONG *Flags ); Retrieve UAC system information from the shared memory area (KUSER_SHARED_DATA) Return flags: ElevationEnabled (0x01) - UAC is enabled VirtEnabled (0x02) - Virtualization is enabled InstallerDetectEnabled (0x04) - Detection of installers
  • 12. UIPI initialization VOID InitUIPI(); UIPI is initialized by the InitUIPI function implemented inside the win32k kernel module Calls the RtlQueryElevationFlags to check if elevation is enabled (ElevationEnabled). If elevation is enabled, then check the value “EnableUIPI” inside the system policies registry key. If EnableUIPI value is set to true, the system set the global variable gbEnforceUipi to TRUE. UIPI is only active if gbEnforceUipi is equal TRUE.
  • 13. UIPI initialization InitClipFormatExceptionList Called immediately after InitUIPI if gbEnforceUipi value is true. Responsible for reading the values of the registry key: HKLMSOFTWAREMicrosoftWindowsCurrentVersionPoliciesSystemUIPIClip boardExceptionFormats gpClipFormatExceptionList: Pointer to a list of Clipboard Format values, e.g. CF_OEMTEXT (0x07) gcClipFormatExceptionList: Global counter of the number of elements inside the list pointed by the gpClipFormatExceptionList pointer.
  • 15. Processes, threads and UIPI Windows Vista UIPI
  • 16. Process initialization and UIPI Data structures: EPROCESS PROCESSINFO Functions: xxxInitProcessInfo()
  • 17. EPROCESS Each process is represented by an executive process object structure (EPROCESS) Accessible only for kernel mode code Some EPROCESS data information includes: Handle table pointer Virtual Address space Descriptors (VAD) Access token PROCESSINFO pointer
  • 18. PROCESSINFO Structure used by win32k to store all the USER32 related information about a process. Created at the first time that the process calls a USER32 syscall and it is initialized by the xxxInitProcessInfo function Address stored at EPROCESS- >Win32Process Data information includes: Pointer to EPROCESS Desktop, UserHandleCount, WinStation information ….
  • 20. xxxInitProcessInfo Prototype NTSTATUS xxxInitProcessInfo( PROCESSINFO *pi ); Responsible for the initialization of the PROCESSINFO structure Open the primary token of the process with PsReferencePrimaryToken and Get the Integrity Level of the process by calling SeQueryInformationToken with the TOKEN_INTEGRITY_LEVEL information class
  • 21. xxxInitProcessInfo If gbEnforceUIPI == TRUE Copy the Integrity Level value at pi- >IntegrityLevel Check for the TokenUIAccess flag using SeQueryInformationToken function. If the flag is set, set the correspondent flag at pi->Flags The TokenUIAccess importance will be presented soon.
  • 22. Thread initialization and UIPI Data structures: ETHREAD THREADINFO Functions: xxxInitThreadInfo NtUserCheckAccessForIntegrityLevel
  • 23. ETHREAD Structure used by the kernel to represent a thread (ETHREAD) Each ETHREAD is always owned by an EPROCESS structure ( ETHREAD- >Tcb.Process ) Linked to other threads by the ThreadListEntry pointer Some fields: InitialStack, StartAddress, ThreadListEntry, ApcState Priority, Affinity, THREADINFO, ...
  • 24. THREADINFO Undocumented structure used by win32k to store USER32 information related to a thread Created only if the thread calls a USER32 function THREADINFO address stored at ETHREAD->Tcb.Win32Thread Some fields: pq ( Input message queue ) mlPost ( Post message queue ) Send message queue Windows hook information...
  • 25. xxxCreateThreadInfo() Function called to allocated and initialize the THREADINFO structure Some responsibilities: Allocate and initialize the input, send and post message queues. Set desktop Set integrity level of the message queue Set foreground priority
  • 27. NtUserCheckAccessForIntegrity Level Undocumented syscall which can be used by usermode programs (not officially supported) It’s used by the USER32 usermode functions: TileWindows() CascadeWindows() NTSTATUS NtUserCheckAccessForIntegrityLevel ( Pid1, Pid2, *BOOL Result ); It checks the current process PROCESSINFO integrity level against the integrity level of the target process PROCESSINFO.
  • 29. Window messages Data structures: Message Queue Functions: ChangeWindowMessageFilter
  • 30. Window messages Each window has a window procedure. Window messages are used by the system to send events to a window procedure. Each windows, which is identified by a window handle (HWND), is always owned by a thread. But each thread can own more than one window Range 0x0 -> 0xffff (available to programmer) 0x10000 -> 0x1ffff ( reserved to system )
  • 31. Message Queues Each received message is sent to a message queue The window message queues are implemented in the THREADINFO structure There are 3 queues: Input queue (SendInput, mouse and keyboard msgs) Post queue ( PostMessage ) Send queue ( SendMessage ) The Input Queue structure, a.k.a Virtualized Input Queue (VIQ), Integrity Level field.
  • 32. Message Queues The VIQ structure is allocated by the AllocQueue() function, which is called by the xxxCreateThreadInfo() function. AllocQueue() returns a pointer to the VIQ address. If the owner process of the Queue is the CSRSS process, the Queue->IntegrityLevel will be set equal 0x2000 (MEDIUM_INTEGRITY). If not, it will be set equal the PROCESSINFO->IntegrityLevel.
  • 34. ChangeWindowMessageFilter Documented API directly related to UIPI New for Window Vista. Can be used to add or remove Window messages from the message filter If a message is added to the filter, any other process is able to send that message to the process, regardless of the integrity level of the processes. Prototype: BOOL ChangeWindowMessageFilter( UINT msg, DWORD dwFlag ); dwFlag: MSGFLT_ADD: Adds the message to the filter MSGFLT_REMOVE: Removes the message from the filter
  • 35. Window Message Filter implementation Message Filter is implemented in the PROCESSINFO. Message queues are implemented per-thread, but all threads (windows) share the same Message Filter. Can’t be used by LOW_INTEGRITY processes! win32k!_ChangeWindowMessageFilter function is the real code responsible for the filter management. The filter is implemented using bitmap structures: 0 = message is not allowed 1 = message is allowed The address of the bitmap tables is stored at PROCESSINFO->MessageFilter
  • 38. UIPI in action How PostThreadMessage function works internally in Windows Vista? Functions: PostThreadMessage NtUserPostThreadMessage AllowMessageAcrossIL CheckForMessageAccessCrossIL CheckAccessForIntegrityLevel
  • 39. PostThreadMessage PostThreadMessage function posts a message to the message queue of the specified thread. It returns without waiting for the thread to process the message. It uses the syscall NtUserPostThreadMessage
  • 40. NtUserPostThreadMessage Kernel mode implementation of PostThreadMessage Prototype: BOOL NtUserPostThreadMessage( DWORD idThread, UINT msg, WPARAM wParam, LPARAM lParam ); Flow: Get the address of the THREADINFO structure of the current thread and save it in the _gptiCurrent variable. Get the THREADINFO of the target idThread using the PtiFromThreadId( ) function.
  • 41. NtUserPostThreadMessage If they are from the same desktop, it calls the CheckForMessageAccessCrossIL() function, which will verify if the destination thread allows the window message to be posted in the target thread post message queue. If the return code of CheckForMessageAccessCrossIL is TRUE, the PostThreadMessage is called PostThreadMessage allocates a new queue entry (AllocQEntry), stores the message (StoreQMessage) and set the wake message flags (SetWakeBit)
  • 43. CheckForMessageAccessCross IL CheckForMessageAccessCrossIL is a complex function We will analyze now each function used by CheckForMessageAccessCrossIL: CheckAccessForIntegrityLevel() AllowMessageCrossIL()
  • 44. CheckAccessForIntegrityLevel Internal win32k function extremelly used Prototype: BOOL CheckAccessForIntegrityLevel( ULONG SourceIntegrityLevel, ULONG TargetIntegrityLevel ); If the SourceIntegrityLevel < TargetIntegrityLevel, returns FALSE If SourceIntegrityLevel >= TargetIntegrityLevel, returns TRUE.
  • 45. AllowMessageCrossIL Internal win32k function Prototype: BOOL AllowMessageCrossIL( PROCESSINFO *pi, UINT msg ); This function uses the MessageFilter bitmap structures created by the ChangeWindowMessageFilter function. Return: If TRUE, the target thread will accept the message If FALSE, doesn’t mean nothing! Why?
  • 46. CheckForMessageAccessCross IL Prototype: BOOL CheckForMessageAccessCrossIL ( PROCESSINFO *piSource, PROCESSINFO *piTarget, UINT msg, WPARAM wParam ); How it works? It compares the piSource against piTarget. If equal, return TRUE. There’s no reason in checking threads of the same processinfo. If different, calls the AllowMessageAcrossIL( piTarget, msg ), but it do not check the return value immediately!
  • 47. CheckForMessageAccessCross IL It now compares the msg with a list of always allowed messages: 0x000 - WM_NULL 0x003 - WM_MOVE 0x005 - WM_SIZE 0x00D - WM_GETTEXT 0x00E - WM_GETTEXTLENGTH 0x033 - WM_GETHOTKEY 0x07F - WM_GETICON 0x305 - WM_RENDERFORMAT 0x308 - WM_DRAWCLIPBOARD 0x30D - WM_CHANGECBCHAIN 0x31A - WM_THEMECHANGED 0x313, 0x31B (WM_???)
  • 48. CheckForMessageAccessCross IL If the message is in the list of always allowed, return TRUE immediately. If not, checks now the returned value of the CheckForMessageAccessCrossIL() . If equal true, then returns TRUE. If false, compare the current IL against the target IL using the CheckAccessForIntegrityLevel. If the current thread has a IL greater or equal than the target thread IL, returns TRUE. Check if CSRSS is the owner process of the target thread and allow the message if it is.
  • 50. Special cases CSRSS TokenUIAccess
  • 51. CSRSS threads The CSRSS process is responsible for the creation of the console window for console- mode applications. Each console window is controled by a CSRSS thread (ConsoleInputThread function ) inside winsrv.dll It registers the window class “ConsoleWindowClass” ProcessCreateConsoleWindow creates the console window ConsoleWindowProc is the window procedure.
  • 52. CSRSS threads As exception, CSRSS threads that creates windows will have the THREADINFO- >IntegrityLevel set equal 0x2000 ( MEDIUM_INTEGRITY ) by the xxxCreateThreadInfo function, regardless of the CSRSS IL. The address of the PROCESSINFO structure of csrss process is stored at win32k.sys in the global variable _gpepCSRSS How is this related to UIPI?
  • 53. CSRSS threads Windows owned by CSRSS threads are the great exception rule in UIPI! In February 2007, Joanna Rutkowska published in her blog [2] that is possible to send WM_KEYDOWN messages to a open Administrative Shell (cmd.exe) running at HIGH IL from a LOW IL program. This is not only possible with cmd.exe, but with any console mode program running regardless of the its integrity level.
  • 54. CSRSS threads The CheckForMessageAccessCrossIL() and xxxInterSendMsgEx() functions checks if the process owner of the target thread is CSRSS (gpepCSRSS) If CSRSS is the owner, the message is sent or posted even if the IL of the source thread is lesser than the IL of the target thread. Message is allowed even if the target’s message filter do not allow the message.
  • 55. TokenUIAccess TokenUIAccess is a new token flag (at enum TOKEN_INFORMATION_CLASS) At the PROCESSINFO initialization process, the system checks for the TokenUIAccess flag in the primary token of the process. If the flag is present, the TokenUIAccess is set in the Flags field of PROCESSINFO. This flag allows application to potentially override some UIPI restrictions [3]
  • 57. MSCTF.dll AttachThreadInput MSCTF.DLL DoS attack Queue integrity level elevation
  • 58. AttachThreadInput Input messages ( keyboard, mouse, SendInput ) are inserted at the Virtualized Input Queue of the THREADINFO. With the AttachThreadInput function, two threads can share their VIQ. Prototype: BOOL AttachThreadInput( tidAttach, tidAttachTo, fAttach ); When 2 thread share their input queues, input messages will be processed synchronously. If one thread hangs, the other thread will hang too.
  • 61. AttachThreadInput Must be used very carefully because it affects the robustness of the window message processing of the threads. NtUserAttachThreadInput is the syscall used by the user32 AttachThreadInput It is affected by UIPI, because the zzzAttachThreadInput function will check the Queue->IntegrityLevel of calling thread against the ProcessInfo->IntegrityLevel of the target thread.
  • 62. MSCTF.DLL There are a DLL located in the system32 folder called MSCTF.dll which is used by the user32.dll. Practically all running programs in the Vista system loads msctf.dll
  • 63. MSCTF.DLL MSCTF.dll is one of the few DLLs in Vista that uses the new ChangeWindowMessageFilter() function. How this new API is being used by the MSCTF? The first step is to call the internal function EnsurePrivateMessages() EnsurePrivateMessages() internals: Uses the USER32!RegisterWindowMessage function to register several window messages RegisterWindowMessage takes as parameter a string and returns a window message that is guaranteed to be unique througout the system. It now uses the returned window message and calls ChangeWindowMessageFilter() function
  • 64. MSCTF.DLL Example: gAttMsg = RegisterWindowMessage(“MSUIM.Msg.AttachThreadInput”); If (gAttMsg) ChangeWindowMessageFilter( gAttMsg, MSGFLT_ADD ); After EnsurePrivateMessages(), MSCTF will register a window class “CicMarshallWndClass” with the window procedure CicMarshallWndProc(); Where is the problem? The problem is inside the CicMarshallWndProc() code responsible for the processing of gAttMsg message
  • 65. MSCTF.DLL The code is: curThread = GetCurrentThreadId(); AttachThreadInput( curThread, wParam, lParam); If a low integrity thread calls AttachThreadInput against a higher integrity thread, the call will fail. But now, if the higher IL thread uses the MSCTF.dll, we can simply send a gAttMsg message and the target thread will call AttachThreadInput for us SendMessage(targetwnd, gAttMsg, GetCurrentThreadId(),TRUE);
  • 66. DoS attack Using the AttachThreadInput message created by msctf.dll, we can create a Denial of Service tool which will hang all application running on the system with the msctf.dll loaded. Due to the fact that attach thread processes input messages synchronously, a low IL program is able to hang even higher integrity applications. One interesting consequence of attaching the virtualized input queue of two thread of different integrity levels is the elevation of the integrity level of the queue of the less privileged thread.
  • 67. Queue integrity level elevation Each input queue (VIQ) has it’s own Integrity Level VIQ IL is assigned by xxxCreateThreadInfo function If a medium integrity level (0x2000) thread uses the Msctf AttachThreadInput message to attach to a high integrity level (0x3000) thread, the AttachThreadInput function (zzzAttachToQueue) will elevate the queue IL from 0x2000 to 0x3000
  • 68. Final notes UIPI has some weird rules The always allowed window messages list is not public and documented We will probably see malwares using the UIPI exception rules, like the CSRSS case ChangeWindowMessageFilter function must be carefully used to avoid unprivileged processes to control privileged processes, like the MSCTF AttachThreadInput example.
  • 69. References [1]http://blogs.msdn.com/vishalsi/archive/2006/11/30/what-is-user-interface- privilege-isolation-uipi-on-vista.aspx [2] http://theinvisiblethings.blogspot.com/2007/02/running-vista-every- day.html [3] M. Howard and D. LeBlanc - Writing Secure Code for Windows Vista - 2007. page 24.
  • 70. Questions? Thank you for your time!