[C++] Win8: Inject code into protected process.

Discussion in 'Mixed Languages' started by Bob65536, Sep 10, 2012.

  1. Bob65536

    Bob65536 MDL Novice

    Sep 1, 2012
    I would like to be able to inject code into a protected system process to help with analyzing the program. In particular the "Software Protection" service (sppsvc).

    Standard DLL injection methods like SetWindowsHookEx or CreateRemoteThread won't work because the injecting process doesn't have access to the protected process. If you could run the injecting process with higher rights it MAY work.

    The only method I found is a program called DevxExec to run a program as TrustedInstaller or NETWORK_SERVICE, but it seems to crash every time I try to use it on Win8.

    So I thought, well, this is simple. Rename some DLL on the file system that the protected process loads and replace it with a crafted DLL that provides redirection to the renamed DLL. It turns out there is a two-stage protection called "Windows Resource Protection" and "code integrity".

    Whenever a protected process loads a DLL it checks its hash against a hash that has been signed. There is also a manifest that contains an unsigned hash, but there is a signed hash of the manifest as well as an unsigned hash of the manifest hidden in the registry. These files have backups too in case of corruption. So I modified everything that is unsigned to be correct. It even passes sfc.exe /scannow, but the signed hashes prevent it from being loaded.

    So I thought there must be some way to turn off the code integrity check. I tried:

    • bcdedit.exe -set loadoptions DISABLE_INTEGRITY_CHECKS
    • bcdedit.exe -set TESTSIGNING ON
    • Option 7 on advanced boot. (Disable code signing for drivers requirement)

    But none of these disable code integrity for sppsvc.

    So my next thought is to generate my own public/private keys and update the signed hashes. There is a public key stored in the manifest for each file and a public key stored in the registry for each manifest. I'm sure it won't be that simple though.

    But before I go through any more work I thought I might see if anyone here has any better ideas or experience with this. It seems like there should be an easier way. Or maybe I am just remembering the days when an admin could do whatever they wanted to their system.
  2. Calistoga

    Calistoga MDL Senior Member

    Jul 25, 2009
    Interesting problem, I would also like to know more about this.

    But then you might hurt™ yourself®! :D

  3. woot332

    woot332 MDL Senior Member

    Feb 18, 2011
  4. Bob65536

    Bob65536 MDL Novice

    Sep 1, 2012
    None of those methods will work because of security restrictions.

    Best quote ever

    I have been looking into resigning existing files but it looks like a lot of work.

    • WinSxS\Manifests: Manifests that may describe multiple files, registry keys, etc. This may contain public keys and hashes for each element.
    • WinSxS\FileMaps: Contains a file for each directory with protected files. Inside these files is a list of all the protected files. It lists much of the information in a manifest including public key.
    • WinSxS: Has a copy of each protected file. Each file is in its own directory encoded using information from its manifest.
    • WinSxS\Backup: Backup of the protected files and manifests in case of corruption. (optional)
    • WinSxS\Catalogs: Catalog files contain signed hashes of manifests and the elements they contain. The file name of a catalog is the sha256 hash of itself.

    There is a registry hive located in System32\config\COMPONENTS

    • COMPONENTS\DerivedData\Components: One element for each manifest. Contains hash and public key of manifest. Also has name of deployment.
    • COMPONENTS\CanonicalData\Deployments: One element for each deployment gives the hash of the catalog if one is included for that deployment.
    • COMPONENTS\CanonicalData\Catalogs: Key names given by catalog hash and list all of the deployments that it contains hashes for.

    Modifying a catalog requires modifying every element. Plus you have to make the root CA that you sign it with trusted.

    I'm not sure what elements of a manifest it hashes in the catalog. The process here didn't work for Windows 8 OS manifests I tested.
    msdn.microsoft.com/en-us/library/windows/desktop/aa375139%28v=vs.85%29.aspx

    A little more info on code integrity.
    technet.microsoft.com/en-us/library/cc733982%28v=ws.10%29
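An added example, not from the thread or its authors, showing how an administrator checks the two things this post describes: that each catalog in WinSxS\Catalogs is still named by its own SHA-256, and that a service binary such as sppsvc.exe still resolves to a valid catalog-signed hash rather than a replaced file. It assumes an elevated PowerShell 5.1 prompt (Get-FileHash, and the SignatureType/IsOSBinary fields of Get-AuthenticodeSignature) and the file list in the usage lines is an assumed illustration.

```powershell
# Added example (not from the thread). Assumes PowerShell 5.1 and an elevated prompt.

function Test-CatalogNames {
    # The post states a catalog's file name is the SHA-256 of its own content.
    # Hash every catalog, compare with its base name, and return only mismatches,
    # so an empty result means the store is consistent with that claim.
    param([string]$CatalogDir = "$env:windir\WinSxS\Catalogs")
    Get-ChildItem -Path $CatalogDir -Filter *.cat -ErrorAction Stop | ForEach-Object {
        $hash = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
        [pscustomobject]@{
            Catalog         = $_.Name
            ComputedSHA256  = $hash
            NameMatchesHash = ($hash -ieq $_.BaseName)
        }
    } | Where-Object { -not $_.NameMatchesHash }
}

function Test-ProtectedFileSignature {
    # Reports how Windows itself sees each file. SignatureType 'Catalog' means the
    # file's hash was found in a signed catalog (the signed hash the post refers
    # to); 'None', or a Status other than 'Valid', means the on-disk file no longer
    # matches any trusted signed hash, which is what a swapped-in DLL looks like.
    param([Parameter(Mandatory)][string[]]$Path)
    foreach ($p in $Path) {
        if (-not (Test-Path -Path $p)) { Write-Warning "Missing: $p"; continue }
        $sig = Get-AuthenticodeSignature -FilePath $p
        [pscustomobject]@{
            Path          = $p
            SignatureType = $sig.SignatureType
            Status        = $sig.Status
            IsOSBinary    = $sig.IsOSBinary
            Signer        = $sig.SignerCertificate.Subject
            SHA256        = (Get-FileHash -Path $p -Algorithm SHA256).Hash
        }
    }
}

# Usage (assumed file list for illustration): the service binary the post
# targets plus one of the Software Protection Platform DLLs beside it.
Test-CatalogNames | Format-Table -AutoSize
Test-ProtectedFileSignature -Path @(
    "$env:windir\System32\sppsvc.exe",
    "$env:windir\System32\sppc.dll"
) | Format-Table -AutoSize
```

Any row with SignatureType 'None' or a Status other than 'Valid' is the file a DLL-replacement attempt like the one described above would produce, and is what sfc.exe /scannow would then restore from WinSxS.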