x33fcon 2022 - AppLockwork Orange AppLocker is great, but not 100% watertight. Know its weaknesses to deploy it better, or just enjoy hearing about the imperfections of a Microsoft solution.
Accessing files with no access Just to make it clear, this time I will address only one “no access” scenario you probably know: the process cannot access the file because it is being used by another process. This is something I referred to in my “Locker” message a couple of weeks ago. If you didn’t play
Impersonating Impersonating a process identity is an essential feature that Windows users rely on daily. This capability spans from Windows Services running local or domain accounts to the use of runas.exe, as well as other “magical” solutions that allow processes to run on behalf of other users. When a child
MOVEFILE_DELAY_UNTIL_REBOOT Some time ago I described the ShareAccess parameter present in the API functions responsible for opening files. If you don’t remember it, look for the “Locker” email in your inbox, somewhere near mid-August. I intentionally focused on the mechanisms rather than on dealing with them, and today I will focus
Program Information File Security professionals do not trust Windows Explorer when it comes to drive content. And for a good reason. Since Windows 95, Explorer has been designed to be a GUI and/or Shell, not a tool for browsing files and folders. There are many reasons why the folder content in the Explorer
Disabling remote access to Windows Services When it comes to Windows Services, there are a lot of things that make hackers excited. One of the most important features is the ability to manage Services remotely. Almost everything one can do with Services locally can be performed on a remote computer as well. It’s worth noting
Locker Each file open operation in Windows (leading at the very end to the NtOpenFile/NtCreateFile syscall) requires two separate parameters to be passed: DesiredAccess and ShareAccess. The first one seems to be clear - the opening party tells the Operating System how it wants to open the file: for reading, for
RDP Cache The RDP protocol is known to be related to many attacks, even if most of them are not related at all to the protocol itself. Regardless of its security impact, the RDP protocol is very interesting, and of course it spreads across different layers of the communication stack.
Portable Executable Exports Portable Executable (PE) is the official name of the executable file format used in Windows. In user mode we mostly use EXEs and DLLs, both sharing the same format but with some important differences in their functionality. I will not cover all the differences here, but in general DLLs must
Service ACLs A couple of months ago I described the WerSvc service starting on ETW and WNF. I briefly mentioned Service ACLs and I believe it’s high time to dig in. Services are not regular Windows Objects, and their ACLs are somewhat different, especially when you look inside, but they
FMAPI The File Management API (FMAPI) from the end user perspective seems to be one of the less useful APIs in the Windows operating system. Fmapi.dll contains only eight exported functions, but they do not work anyway, returning ERROR_NOT_SUPPORTED when called from the regular Windows environment.
Offline SAM Editing The crucial role of the SAM database makes it an obvious target for manipulation, especially offline. That is why various reversing approaches have appeared since the '90s, not always keeping up with changes in the database format. Starting from Windows 10, the situation changed a bit, as each system is fitted
AppLocker’s blind spot Application whitelisting remains one of the most effective protections against malicious applications. You don’t have to care about identifying all potentially harmful apps. If you do not explicitly allow a specific application, it will not run, even if it uses the most unusual obfuscation technique and no single antivirus has
Dangers of sfc.exe SFC (a.k.a. System File Checker) is a built-in tool that checks Windows binaries and identifies whether any of them were manipulated (modified, replaced, broken, etc.). Sfc.exe will clearly tell you if someone replaced utilman.exe with cmd.exe or if file corruption happened due to disk errors. For