Hi,
Status as of December 04, 2018.
The following processes load the DLL defined in "AppInit_DLLs": Winlogon, Svchost, ...
But the processes "wininit.exe" and "services.exe" do not load this hook.
PROCEXP displays for "services.exe": "protected: PsProtectedSignerWinTcb-Light" and does not display the list of loaded DLLs (so it really is protected).
PROCMON shows that:
- "Winlogon" loads the DLL defined in "AppInit_DLLs" when calling the function "RegisterLogonProcess" contained in a DLL whose load is deferred (using user32.dll)
- "Services" never tests "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs" (not using user32.dll?)
- These two processes test the key "Minint" several times, at different moments
- They run in parallel
So it is difficult to guarantee the correct positioning of the key for each of these processes.
Reminder of constraints:
- "services.exe" is protected, and changing one byte in the file prohibits its launch
- "services.exe" does not load the DLL defined in "AppInit_DLLs"
Docs about PPL security:
http://www.alex-ionescu.com/?p=34
http://www.alex-ionescu.com/?p=97
http://www.alex-ionescu.com/?p=116
http://www.alex-ionescu.com/?p=146
www.nosuchcon.org/talks/2014/D3_05_Alex_ionescu_Breaking_protected_processes.pdf
New idea for my next try: use a hook DLL with target "OpenRegKeyExW" in winlogon.
Create a DLL and place it in AppInit_DLLs to:
- Target only "Winlogon"
- Delete the key "Minint"
- Install a hook to intercept calls from "Winlogon" when it tests the key "Minint"
How to inject the interceptor hook of "OpenRegKeyExW" into "Winlogon"? Use a tool like "Detours", "mhook", ...: complex for me.
The function "Hook_OpenRegKeyExW_winlogon":
If the target key is "Minint" then return "OK", else call OpenRegKeyExW.
Other idea:
Is it possible to target a DLL loaded by "services.exe" and inject the hook into this DLL?
How to do it? Change the code of the target DLL?
Another idea, too complex for me:
Create a driver to change the string in the code of the "Services" process when it is loaded.
Two possibilities from a driver:
- Write the installation of a hook on the correct API "OpenRegKeyExW":
  If the call comes from "Services", return the correct information ("missing key")
- Behave like a debugger:
  When "Services" is loaded, attach to this process
  If necessary, inject a thread into this process
  Search for the string and change it
About Native (really fun and educational tool):
NativeShell 64-bit works well in a VHD used with a physical machine.
But it lacks commands for the "registry", and some commands do not work.
Problems with NativeShell:
- No keyboard in a VM under Hyper-V (API NtCreateFile on "\device\keyboardclass0" ... API NtWaitForSingleObject doesn't return)
- No display if the code is compiled in "Console" mode and launched normally (in VS2017)
No idea?
Edited by noel, 04 December 2018 - 01:46 PM.
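The post above observes that AppInit_DLLs entries are loaded by some processes (Winlogon, Svchost) and not by protected ones such as services.exe, whose module list cannot be read. As an added example (not from the original post or from any tool it mentions), the following PowerShell audit reads the AppInit_DLLs configuration from both registry views and reports which running processes actually have the configured DLL loaded and which deny module enumeration; it assumes it runs elevated on Windows.

```powershell
# Added example: audit AppInit_DLLs configuration and its effect on running processes.
# Assumes an elevated PowerShell session on Windows (module lists need SeDebugPrivilege).
$keys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows',             # 64-bit view
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Windows'  # 32-bit view
)
$configured = @()
foreach ($k in $keys) {
    if (-not (Test-Path $k)) { continue }
    $p = Get-ItemProperty -Path $k -ErrorAction SilentlyContinue
    # Report the three values that control AppInit DLL loading.
    [pscustomobject]@{
        Key                       = $k
        LoadAppInit_DLLs          = $p.LoadAppInit_DLLs          # 0 disables loading entirely
        RequireSignedAppInit_DLLs = $p.RequireSignedAppInit_DLLs # 1 requires code-signed DLLs
        AppInit_DLLs              = $p.AppInit_DLLs
    }
    if ($p.AppInit_DLLs) {
        # The value is a space- or comma-separated list of DLL paths.
        $configured += ($p.AppInit_DLLs -split '[ ,]+' | Where-Object { $_ })
    }
}
if ($configured.Count -eq 0) { Write-Output 'No AppInit_DLLs configured.'; return }

# Compare configured DLL file names against each process's loaded modules.
$names = $configured | ForEach-Object { [IO.Path]::GetFileName($_) }
Get-Process | ForEach-Object {
    $proc = $_
    try { $mods = $proc.Modules } catch { $mods = $null }
    if ($null -eq $mods) {
        # Protected processes (e.g. services.exe) refuse module enumeration, as in PROCEXP.
        [pscustomobject]@{ Process = $proc.ProcessName; PID = $proc.Id; Status = 'modules not readable (protected?)' }
        return
    }
    $hit = $mods | Where-Object { $names -contains $_.ModuleName }
    if ($hit) {
        [pscustomobject]@{ Process = $proc.ProcessName; PID = $proc.Id; Status = "loaded $($hit.ModuleName -join ',')" }
    }
}
```

Processes that use user32.dll show the DLL as loaded; a process that is absent from the output either never imported user32.dll or loaded it after the audit ran.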