mirror of
https://github.com/wavestone-cdt/EDRSandblast.git
synced 2026-06-10 17:31:23 +00:00
clarifies some parts of the README
@@ -280,30 +280,30 @@ For implementation details, check the `unhook()` function's code path when `unho
|
|||||||
|
|
||||||
### RunAsPPL bypass
|
### RunAsPPL bypass
|
||||||
|
|
||||||
The `Local Security Authority (LSA) Protection` mechanism, firstly introduced
|
The `Local Security Authority (LSA) Protection` mechanism, first introduced
|
||||||
in Windows 8.1 and Windows Server 2012 R2, leverage the `Protected Process
|
in Windows 8.1 and Windows Server 2012 R2, leverage the `Protected Process
|
||||||
Light (PPL)` technology to restrict access to the `LSASS` process. The `PPL`
|
Light (PPL)` technology to restrict access to the `LSASS` process. The `PPL`
|
||||||
protection regulates and restricts operations, such as memory injection or
|
protection regulates and restricts operations, such as memory injection or
|
||||||
memory dumping of protected processes, even from process holding the
|
memory dumping of protected processes, even from a process holding the
|
||||||
`SeDebugPrivilege` privilege.
|
`SeDebugPrivilege` privilege. Under the process protection model, only
|
||||||
|
processes running with higher protection levels can perform operations on
|
||||||
|
protected processes.
|
||||||
|
|
||||||
The protection level of a process is defined in its `EPROCESS` structure, used
|
The `_EPROCESS` structure, used by the Windows kernel to represent a process
|
||||||
by the Windows kernel to represent processes in memory. The `EPROCESS`
|
in kernel memory, includes a `_PS_PROTECTION` field defining the protection level
|
||||||
structure includes a `_PS_PROTECTION` field, defining the protection level of a
|
of a process through its `Type` (`_PS_PROTECTED_TYPE`) and `Signer` (`_PS_PROTECTED_SIGNER`)
|
||||||
process through its `Type` (`_PS_PROTECTED_TYPE`) and `Signer`
|
attributes.
|
||||||
(`_PS_PROTECTED_SIGNER`) attributes.
|
|
||||||
|
|
||||||
If no EDR drivers callbacks are detected, the current process is self
|
By writing in kernel memory, the EDRSandblast process is able to upgrade its own
|
||||||
protected as `PsProtectedSignerWinTcb-Light`. This level of protection is
|
protection level to `PsProtectedSignerWinTcb-Light`. This level is sufficient to
|
||||||
sufficient to dump the `LSASS` process memory, with `RunAsPPL` enabled, as
|
dump the `LSASS` process memory, since it "dominates" to `PsProtectedSignerLsa-Light`,
|
||||||
the `PsProtectedSignerWinTcb` signer "dominates" `PsProtectedSignerLsa-Light`
|
the protection level of the `LSASS` process running with the `RunAsPPL` mechanism.
|
||||||
(and both process are of `PsProtectedTypeProtectedLight` type).
|
|
||||||
|
|
||||||
`EDRSandBlast` implements the self protection as follow:
|
`EDRSandBlast` implements the self protection as follow:
|
||||||
- open a handle to the current process
|
- open a handle to the current process
|
||||||
- leak all system handles using `NtQuerySystemInformation` to find the opened
|
- leak all system handles using `NtQuerySystemInformation` to find the opened
|
||||||
handle on the current process (which correspond to the current process'
|
handle on the current process, and the address of the current process'
|
||||||
`EPROCESS` structure in kernel memory).
|
`EPROCESS` structure in kernel memory.
|
||||||
- use the arbitrary read / write vulnerability of the `Micro-Star MSI
|
- use the arbitrary read / write vulnerability of the `Micro-Star MSI
|
||||||
Afterburner` driver to overwrite the `_PS_PROTECTION` field of the current
|
Afterburner` driver to overwrite the `_PS_PROTECTION` field of the current
|
||||||
process in kernel memory. The offsets of the `_PS_PROTECTION` field
|
process in kernel memory. The offsets of the `_PS_PROTECTION` field
|
||||||
|
|||||||
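Review bot: the rewritten sentence on the WinTcb-Light level reads `since it "dominates" to PsProtectedSignerLsa-Light`, which should be `since it "dominates" PsProtectedSignerLsa-Light` (the original wording); the same edit also drops the parenthetical that both processes are of `PsProtectedTypeProtectedLight` type, which is worth keeping because the paragraph just above defines the protection level by both `Type` and `Signer`, so signer dominance alone does not fully describe the comparison. The rewrite also removes the condition "If no EDR drivers callbacks are detected" in front of the self-protection step; if the tool still only self-protects in that case, the new sentence should keep the condition rather than present the upgrade as unconditional. Two pre-existing wording issues survive on both sides of the hunk: "leverage the `Protected Process Light (PPL)` technology" should be "leverages" (the subject is "mechanism"), and "implements the self protection as follow:" should be "as follows:". Finally, the new paragraph switches to `_EPROCESS` while the bullet list below still says `EPROCESS`; pick one form and use it throughout the section.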