
Vista Protected Processes Bypassed

Anonymous Hero writes "Security Researcher Alex Ionescu strikes again, this time with a proof of concept program that will arbitrarily enable and foremost disable the protection of so-called 'protected processes' in Windows Vista. Not only threatening Vista DRM and friends, it's also another step towards hardened and even more annoying malware. Normally, only specially signed processes made by special companies (decided by Microsoft) can be protected, but now the bad guys can protect any evil process they want, including the latest version of their own keylogger, spambot, or worm, as well as unprotect any 'good' one."
  • by NecroPuppy ( 222648 ) on Saturday April 07, 2007 @12:53PM (#18647337) Homepage
    With that OS protected space in Windows ME?

    I clearly remember being called to help a friend with a spyware/malware problem, discovering he had ME, and going out to buy a copy of XP to replace it.
  • Re:Wait, wait... (Score:4, Informative)

    by Guilly ( 136908 ) <theonlyguillsNO@SPAMgmail.com> on Saturday April 07, 2007 @01:10PM (#18647505)
    There are ways, using the Windows API, for any process run with Debugger privileges (any Administrator really) to read, write, terminate, create threads, etc. in any other process. This was true in Windows 95 and still is in XP and probably Vista, except for protected processes.

    It's not like they can just create a pointer and address the other memory space but using the API they can achieve the same thing.

    This is what allows programs like xfire to inject into your game process or (as they mention in TFA) allows Warden to peek inside all processes to see if they are evil.
  • Re:cmdrdildo (Score:1, Informative)

    by dreamchaser ( 49529 ) on Saturday April 07, 2007 @01:16PM (#18647561) Homepage Journal
    Ballmer, we told you before not to post here as an AC. Now you're late picking up Bill's dry cleaning, so stop dicking around and get back to work!
  • by MarkByers ( 770551 ) on Saturday April 07, 2007 @01:49PM (#18647837) Homepage Journal
    > Why can XP and Windows 2000 play encrypted files?

    The ability to play some DRM'd files was also added to XP and Windows 2000. I assume you already knew that though...
  • by Anonymous Coward on Saturday April 07, 2007 @01:51PM (#18647847)
    The tool needs to be run with elevated privileges (otherwise it will not work). It decompresses an 848-byte driver and loads the driver. The driver does nothing but set bit 11 (ProtectedProcess) of the Flags2 bitfield (offset 0x224) of the corresponding _EPROCESS structure of the process to be modified. However, this requires the necessary rights to load and install a driver...and as we all know, once being in kernel mode there's no real protection against malicious code...
  • Re:Source code (Score:4, Informative)

    by eddy ( 18759 ) on Saturday April 07, 2007 @01:54PM (#18647883) Homepage Journal

    Seems to contain a compressed buffer with a .sys driver that is decompressed with a call to RtlDecompressBuffer and hidden away by writing it to the alternate stream "%SystemRoot%\system32\drivers\crusoe.sys:drmkaud.sys", and then there's a registry update to load the driver.

    Someone who cares should write out the compressed buffer and disassemble that.

  • Re:In related news (Score:4, Informative)

    by tinkertim ( 918832 ) * on Saturday April 07, 2007 @02:48PM (#18648441)

    People are modding this as flamebait, but I've seen far, FAR too many IT professionals take that stance with Spyware / Malware. I've seen a system get all sorts of nasty winlogon-enabled Spyware within minutes of being hooked up to a network, with no action on the user's part. Not only that, in a world where banner ad companies can get infected with trojans the idea of people only getting infected if they're doing something "shady" on their machine is utterly absurd.


    It was a joke, just a joke and only a joke.

    The link given is to Microsoft Bob, which Microsoft gave up on shortly after launching it and (according to Wikipedia) later admitted the product was their single largest failure in their company history.

    You'd need to remember Bob in order to appreciate that Vista is well on its way to being "Bob 2".

    I suppose any joke could be taken as flamebait lol, but really, it's just a joke. Better put in /. terms:

    It's funny, laugh. ...or perhaps not, since I had to explain it :)
  • Re:Other OSes (Score:5, Informative)

    by I(rispee_I(reme ( 310391 ) on Saturday April 07, 2007 @06:20PM (#18650503) Journal
    Actually, Windows versions as early as 2000 use a whitelist method of "protecting" processes: If the process name matches a hardcoded list [seclists.org], then task manager will refuse to kill it. This is so broken it's ludicrous: simply rename your process to any of the ones on the list, and it becomes unkillable. Programs such as PSkill will kill all processes, regardless of name.
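Two of the tricks described in this thread leave footprints that a defender can look for with plain inventory data: eddy's comment above notes that the PoC stashes its driver in an alternate data stream and registers it via the registry, and the comment just above points out that "protection" by process name is defeated by renaming a binary to a whitelisted name. The script below is an added example, not code from the thread or from Ionescu's tool. It runs over constructed sample data (a hand-written .reg-style export of two service keys and a short fake process list) and flags (a) driver service ImagePath values that point into a named stream and (b) processes carrying a critical system name that are not running from the expected System32 directory. The critical-name list, the expected directory and all sample values are assumptions chosen for illustration.

```python
import re
from dataclasses import dataclass

# Illustrative subset of names that older Windows versions treat specially by
# name alone (assumption for this example; not the full list from the thread's link).
CRITICAL_NAMES = {"csrss.exe", "winlogon.exe", "smss.exe", "services.exe", "lsass.exe"}
# Directory a genuine copy of those binaries is expected to run from (assumption).
EXPECTED_DIR = r"c:\windows\system32"


@dataclass
class Proc:
    pid: int
    name: str
    image_path: str


def spoofed_critical_processes(procs):
    """Return processes whose name is on the critical list but whose image
    does not live in the expected System32 directory (renamed lookalikes)."""
    hits = []
    for p in procs:
        if p.name.lower() in CRITICAL_NAMES:
            directory = p.image_path.lower().rsplit("\\", 1)[0]
            if directory != EXPECTED_DIR:
                hits.append(p)
    return hits


def ads_stream_name(image_path):
    """Return the stream name if image_path addresses an NTFS alternate data
    stream (file.sys:stream), else None. A leading \\??\\ prefix and a drive
    letter's own colon are ignored so that normal paths are not flagged."""
    path = image_path
    if path.startswith("\\??\\"):
        path = path[4:]
    if len(path) >= 2 and path[0].isalpha() and path[1] == ":":
        path = path[2:]
    if ":" in path:
        return path.rsplit(":", 1)[1]
    return None


_KEY_RE = re.compile(
    r"^\[HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\([^\]\\]+)\]$", re.I)
_IMAGE_RE = re.compile(r'^"ImagePath"="(.*)"$')


def drivers_loading_from_streams(reg_text):
    """Parse a .reg-style export of service keys and return
    (service, image_path, stream) for every ImagePath that names a stream."""
    findings = []
    service = None
    for raw in reg_text.splitlines():
        line = raw.strip()
        m = _KEY_RE.match(line)
        if m:
            service = m.group(1)
            continue
        m = _IMAGE_RE.match(line)
        if m and service is not None:
            image_path = m.group(1).replace("\\\\", "\\")  # .reg files double backslashes
            stream = ads_stream_name(image_path)
            if stream is not None:
                findings.append((service, image_path, stream))
    return findings


# Constructed sample data (not real registry or process output).
REG_EXPORT = r'''
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\drmkaud]
"Type"=dword:00000001
"ImagePath"="system32\\drivers\\drmkaud.sys"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\evilsvc]
"Type"=dword:00000001
"ImagePath"="\\??\\C:\\Windows\\system32\\drivers\\crusoe.sys:drmkaud.sys"
'''

PROCESSES = [
    Proc(4, "System", r"C:\Windows\system32\ntoskrnl.exe"),
    Proc(600, "csrss.exe", r"C:\Windows\system32\csrss.exe"),
    Proc(2312, "winlogon.exe", r"C:\Users\bob\AppData\Local\Temp\winlogon.exe"),
]

if __name__ == "__main__":
    for svc, path, stream in drivers_loading_from_streams(REG_EXPORT):
        print(f"driver {svc} loads from stream '{stream}' of {path}")
    for p in spoofed_critical_processes(PROCESSES):
        print(f"pid {p.pid}: {p.name} running from unexpected path {p.image_path}")
```

On a live Vista/XP box the same two checks would be fed from a real export of HKLM\SYSTEM\CurrentControlSet\Services and from the process list, and the ADS check is cheap precisely because a stream reference in an ImagePath is almost never legitimate, whereas the name check is only a first filter and should be confirmed by an authenticode or hash check of the image on disk.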
  • by Spy Hunter ( 317220 ) on Saturday April 07, 2007 @09:50PM (#18651857) Journal
    Protected processes are a terrible idea, and they have no analog in Unix. You have misunderstood the purpose of protected processes. It has nothing to do with protecting processes from each other for better security. It is *only* about protection from the *user* for media. Protected processes cannot be written by anyone but Microsoft and "trusted" partners (theoretically) and are supposed to be immune from tampering by every user, even one with the highest possible administrative rights. No Unix has this concept, because it is retarded. It removes your own control over what your computer is doing and hands it to Microsoft and a few "trusted" companies which are allowed to write protected processes.
  • Re:In related news (Score:2, Informative)

    by Lost Engineer ( 459920 ) on Sunday April 08, 2007 @05:44AM (#18654041)
    I am writing on a lappy running Vista. I worked on my grandparents' Windows ME machine earlier tonight. Vista is no ME. Yes, Vista is slow to startup and shutdown, but I've seen no Aero-related slowdown, save for playback of video which is easily worked around by using VLC instead of Media Player. Machines that can run it all, it seems, can handle the load.

    I haven't seen a reduction in functionality. Of course, I haven't played any HD-DVDs either, mostly because I don't have an appropriate drive. Vista is not ME, it's XP Second Edition.
