BPMTK
Security issues arise from the fact that a limited user has full control over his own processes on the Windows platform. Security mechanisms implemented in the user’s own processes can be bypassed.
Author: DIDIER STEVENS
Source: Hakin9 1/2009 http://hakin9.org
WHAT YOU WILL LEARN…
Why your applications running in a limited user context are still vulnerable to attacks and malware
WHAT YOU SHOULD KNOW…
A minimum understanding of user processes running under Windows
We will illustrate techniques to bypass said security mechanisms and show Proof of Concept (PoC) techniques for malware. The Basic Process Manipulation Tool Kit (bpmtk) is a utility developed specifically to manipulate processes (running programs) on Windows. Here are some of the design goals of the toolkit:
- the toolkit must support limited accounts (accounts that are not local administrators) as much as possible
- flexibility: provide a set of commands that can be assembled in a configuration file to execute a given task
- the toolkit must be able to operate as a single EXE, without requiring the installation of supporting environments like Python
- it must be a command-line tool.
The toolkit has commands to search and replace data inside the memory of processes, dump memory or strings, inject DLLs, patch import address tables, … It’s open source (put in the public domain), and a new version with several new PoC programs showcased here will be released.

Research has shown that there are several security mechanisms (for the Windows platform) that are implemented in the user’s own processes. The problem with these mechanisms is that their design is fundamentally flawed, because a limited user has full control over his own processes and can thus bypass the security mechanism. He just needs internal knowledge about the mechanisms (or a tool), and then he can bypass it because he has the rights to do so.

Disabling GPOs
The first security mechanism we will bypass is Software Restriction Policies (SRP), a feature of Group Policies (GPO) in Microsoft’s Active Directory (AD). This technique works for all Windows versions starting with Windows 2000. SRP policies allow the administrator to impose restrictions on the programs a user is allowed to execute. If a limited user tries to start a program that isn’t authorized by the policy, SRP will prevent the execution of this program.

GPOs are enforced by functions in the advapi32.dll. This DLL is loaded in many user programs, like explorer.exe (the program that gives you your desktop and start menu). When you start a program (for example via the start menu), explorer.exe will call functions of the advapi32.dll to check if this is allowed by the policies defined in the GPOs.
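Because the SRP check lives in advapi32.dll inside the user's own process, a defender's first question is whether that code has been tampered with in memory. The script below is an added example, not part of bpmtk or the article: it reads the .text section of advapi32.dll out of a running explorer.exe and compares it byte for byte with the copy on disk. It assumes the script runs as the same user and bitness as the target process; on x86, a DLL that was relocated at load time legitimately differs at its relocation fixups, so a non-zero count is a lead to investigate, not proof of patching.

```powershell
# Added example (not bpmtk code): compare a module's live .text section with the on-disk image.
# Assumptions: same user and same bitness as the inspected process; relocated x86 DLLs
# differ legitimately at relocation fixups, so differences are candidates for review.
Add-Type -Namespace Win32 -Name Mem -MemberDefinition @'
[DllImport("kernel32.dll", SetLastError=true)]
public static extern IntPtr OpenProcess(uint access, bool inherit, int pid);
[DllImport("kernel32.dll", SetLastError=true)]
public static extern bool ReadProcessMemory(IntPtr h, IntPtr addr, byte[] buf, int size, out int read);
[DllImport("kernel32.dll")]
public static extern bool CloseHandle(IntPtr h);
'@

function Compare-ModuleText {
    param([string]$ProcessName = 'explorer', [string]$ModuleName = 'advapi32.dll')
    $proc = Get-Process -Name $ProcessName | Select-Object -First 1
    $mod  = $proc.Modules | Where-Object { $_.ModuleName -ieq $ModuleName } | Select-Object -First 1
    if (-not $mod) { throw "$ModuleName is not loaded in $ProcessName" }

    # Walk the PE section table of the on-disk image to locate .text.
    $file   = [IO.File]::ReadAllBytes($mod.FileName)
    $pe     = [BitConverter]::ToInt32($file, 0x3C)                  # e_lfanew
    $nSec   = [BitConverter]::ToUInt16($file, $pe + 6)              # NumberOfSections
    $secOff = $pe + 24 + [BitConverter]::ToUInt16($file, $pe + 20)  # first section header
    $text   = $null
    for ($i = 0; $i -lt $nSec; $i++) {
        $s = $secOff + $i * 40
        if ([Text.Encoding]::ASCII.GetString($file, $s, 8).TrimEnd([char]0) -eq '.text') {
            $text = @{ VA      = [BitConverter]::ToInt32($file, $s + 12)   # VirtualAddress
                       RawSize = [BitConverter]::ToInt32($file, $s + 16)   # SizeOfRawData
                       RawPtr  = [BitConverter]::ToInt32($file, $s + 20) } # PointerToRawData
        }
    }
    if (-not $text) { throw "no .text section in $($mod.FileName)" }

    # Read the same range out of the live process (PROCESS_VM_READ = 0x10, no write access).
    $h = [Win32.Mem]::OpenProcess(0x10, $false, $proc.Id)
    if ($h -eq [IntPtr]::Zero) { throw "OpenProcess failed for PID $($proc.Id)" }
    $live = New-Object byte[] $text.RawSize
    $read = 0
    $ok = [Win32.Mem]::ReadProcessMemory($h, [IntPtr]::Add($mod.BaseAddress, $text.VA), $live, $live.Length, [ref]$read)
    [void][Win32.Mem]::CloseHandle($h)
    if (-not $ok) { throw 'ReadProcessMemory failed' }

    # Every byte that differs from the file is a candidate patch; report count and first RVAs.
    $diffs = New-Object System.Collections.Generic.List[int]
    for ($i = 0; $i -lt $read; $i++) {
        if ($live[$i] -ne $file[$text.RawPtr + $i]) { $diffs.Add($text.VA + $i) }
    }
    [pscustomobject]@{ Pid = $proc.Id; Module = $mod.FileName; BytesCompared = $read
                       Differences = $diffs.Count
                       FirstRVAs = @($diffs | Select-Object -First 8 | ForEach-Object { '0x{0:X}' -f $_ }) }
}

Compare-ModuleText -ProcessName explorer -ModuleName advapi32.dll
```

Running it periodically, or against any process that hosts a policy check, turns the in-process enforcement weakness the article describes into something that can at least be observed from the same user context.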