clarifies some parts of the README

Maxime Meignan
2022-01-27 14:20:06 +01:00
parent e8671c36b7
commit 487047f9db
+15 -15
@@ -280,30 +280,30 @@ For implementation details, check the `unhook()` function's code path when `unho
### RunAsPPL bypass
The `Local Security Authority (LSA) Protection` mechanism, firstly introduced
The `Local Security Authority (LSA) Protection` mechanism, first introduced
in Windows 8.1 and Windows Server 2012 R2, leverage the `Protected Process
Light (PPL)` technology to restrict access to the `LSASS` process. The `PPL`
protection regulates and restricts operations, such as memory injection or
memory dumping of protected processes, even from process holding the
`SeDebugPrivilege` privilege.
memory dumping of protected processes, even from a process holding the
`SeDebugPrivilege` privilege. Under the process protection model, only
processes running with higher protection levels can perform operations on
protected processes.
The protection level of a process is defined in its `EPROCESS` structure, used
by the Windows kernel to represent processes in memory. The `EPROCESS`
structure includes a `_PS_PROTECTION` field, defining the protection level of a
process through its `Type` (`_PS_PROTECTED_TYPE`) and `Signer`
(`_PS_PROTECTED_SIGNER`) attributes.
The `_EPROCESS` structure, used by the Windows kernel to represent a process
in kernel memory, includes a `_PS_PROTECTION` field defining the protection level
of a process through its `Type` (`_PS_PROTECTED_TYPE`) and `Signer` (`_PS_PROTECTED_SIGNER`)
attributes.
If no EDR drivers callbacks are detected, the current process is self
protected as `PsProtectedSignerWinTcb-Light`. This level of protection is
sufficient to dump the `LSASS` process memory, with `RunAsPPL` enabled, as
the `PsProtectedSignerWinTcb` signer "dominates" `PsProtectedSignerLsa-Light`
(and both process are of `PsProtectedTypeProtectedLight` type).
By writing in kernel memory, the EDRSandblast process is able to upgrade its own
protection level to `PsProtectedSignerWinTcb-Light`. This level is sufficient to
dump the `LSASS` process memory, since it "dominates" to `PsProtectedSignerLsa-Light`,
the protection level of the `LSASS` process running with the `RunAsPPL` mechanism.
`EDRSandBlast` implements the self protection as follow:
- open a handle to the current process
- leak all system handles using `NtQuerySystemInformation` to find the opened
handle on the current process (which correspond to the current process'
`EPROCESS` structure in kernel memory).
handle on the current process, and the address of the current process'
`EPROCESS` structure in kernel memory.
- use the arbitrary read / write vulnerability of the `Micro-Star MSI
Afterburner` driver to overwrite the `_PS_PROTECTION` field of the current
process in kernel memory. The offsets of the `_PS_PROTECTION` field
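Review bot: the rewritten dominance sentence still has a grammar slip and the access rule is stated a bit too strictly. "since it "dominates" to `PsProtectedSignerLsa-Light`" should read "since it "dominates" `PsProtectedSignerLsa-Light`" (no "to"), and "only processes running with higher protection levels can perform operations on protected processes" should say "equal or higher": the signer dominance check allows a process to open a target at the same level (a `WinTcb-Light` process can open another `WinTcb-Light` process), which is also why the final note about both processes being of `PsProtectedTypeProtectedLight` type from the old text was useful and is worth keeping, since a `-Light` process cannot act on a full `Protected` process regardless of signer. Two smaller points in the unchanged context: "leverage the `Protected Process Light (PPL)` technology" should be "leverages", and "implements the self protection as follow:" should be "as follows:". Finally, the structure name is written both as `EPROCESS` (the handle-leak bullet) and `_EPROCESS` (the paragraph above); pick one spelling, and consider naming the `NtQuerySystemInformation` information class the handle leak relies on (e.g. `SystemHandleInformation` or `SystemExtendedHandleInformation`, whichever the code uses), since that is what actually yields the kernel object address the next step overwrites.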