Do Windows Vista Protected Processes = Rootkits?
Monday, April 16th, 2007
When Windows Vista came along we were told that no rootkits could run in Vista because of all the various security enhancements within. Then, over the months since the beta versions of Vista, various people have come up with ways that may be able to install a rootkit (see Microsoft Vista Kernel Protection is Cracked and MS Watches as Vista Gets ‘0wn3d’ by Rootkit).
Since the official release of Windows Vista earlier this year there has been a concerted effort by security researchers to come up with ways to install rootkits or hide processes within Vista.
Security researcher Alex Ionescu is one such researcher who has done a lot of work in the area of Protected Processes in Vista.
From Microsoft:
“The Microsoft® Windows Vista™ operating system introduces a new type of process known as a protected process to enhance support for Digital Rights Management functionality in Windows Vista. These protected processes exist alongside other processes in Windows Vista.”
and
“Constraints on protected processes. A typical process cannot perform operations such as the following on a protected process:
· Inject a thread into a protected process
· Access the virtual memory of a protected process
· Debug an active protected process
· Duplicate a handle from a protected process
· Change the quota or working set of a protected process”
So it looks like a protected process has some immunity from being interfered with, and thus from being checked for badness. This sounds very rootkit-like to me. Although a rootkit is designed to hide processes, among other things, the main reason is to keep other programs from seeing what it is up to. A rootkit may be hiding a keylogger from being detected, and the same could be said for a keylogger in Vista once it has become a protected process.
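The constraints quoted above can be turned into a simple check from the defender's side. A protected process refuses PROCESS_QUERY_INFORMATION even to an elevated administrator, but still grants the PROCESS_QUERY_LIMITED_INFORMATION right that Vista introduced for exactly this situation. The script below, which is an added example and not part of the original post or of Alex Ionescu's tool, opens every process with both rights and lists those that show that pattern. It assumes PowerShell 2.0 or later (for Add-Type) and an elevated prompt, since without elevation ordinary processes belonging to other users would also fail the full-rights open and show up as false positives.

```powershell
# Added example (not from the original post): list processes that behave like
# Vista protected processes, i.e. deny PROCESS_QUERY_INFORMATION but allow
# PROCESS_QUERY_LIMITED_INFORMATION. Assumes PowerShell 2.0+ and elevation.

Add-Type -Namespace Win32 -Name Proc -MemberDefinition @"
[DllImport("kernel32.dll", SetLastError = true)]
public static extern IntPtr OpenProcess(uint dwDesiredAccess, bool bInheritHandle, int dwProcessId);
[DllImport("kernel32.dll", SetLastError = true)]
public static extern bool CloseHandle(IntPtr hObject);
"@

$PROCESS_QUERY_INFORMATION         = 0x0400   # denied by a protected process
$PROCESS_QUERY_LIMITED_INFORMATION = 0x1000   # new in Vista; granted by a protected process
$ERROR_ACCESS_DENIED               = 5

# Try to open one process with the given access mask; report success and Win32 error.
function Test-OpenProcess {
    param([int]$ProcessId, [uint32]$Access)
    $h   = [Win32.Proc]::OpenProcess($Access, $false, $ProcessId)
    $err = [Runtime.InteropServices.Marshal]::GetLastWin32Error()
    if ($h -ne [IntPtr]::Zero) {
        [void][Win32.Proc]::CloseHandle($h)
        return @{ Ok = $true; Error = 0 }
    }
    return @{ Ok = $false; Error = $err }
}

# Walk all processes and keep the ones matching the protected-process access pattern.
function Get-LikelyProtectedProcess {
    foreach ($p in Get-Process) {
        # PID 0 (Idle) and PID 4 (System) are kernel pseudo-processes, skip them.
        if ($p.Id -eq 0 -or $p.Id -eq 4) { continue }
        $full    = Test-OpenProcess -ProcessId $p.Id -Access $PROCESS_QUERY_INFORMATION
        $limited = Test-OpenProcess -ProcessId $p.Id -Access $PROCESS_QUERY_LIMITED_INFORMATION
        if ((-not $full.Ok) -and ($full.Error -eq $ERROR_ACCESS_DENIED) -and $limited.Ok) {
            New-Object PSObject -Property @{ Pid = $p.Id; Name = $p.ProcessName }
        }
    }
}

Get-LikelyProtectedProcess | Format-Table Pid, Name -AutoSize
```

On a stock Vista install the expected output is the two processes Alex names, audiodg.exe and mfpmp.exe (the latter only while protected media is playing). Anything else on the list is worth a second look, because, as the post argues, a process that has been made protected is one that ordinary security tools can no longer read or inject into.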
Alex Ionescu has released a tool called D-Pin Purr that can both Protect and Unprotect a Protected Process in Vista.
From Alex’s Blog:
“It’s based on the Microsoft documentation which says “Please don’t use a driver to bypass this”, which led me to believe that it would be possible to do this (which wouldn’t work on 64-bit Vista, of course).”
“Unfortunately, it is trivial to make a process protected or unprotected by bypassing all the Code Integrity checks and sandbox in which protected processes are supposed to run. I wrote a small application which I called D-Pin Purr which does exactly this. I tried it on the only two protected processes I know on Vista (audiodg.exe and mfpmp.exe).”
“Being able to play with the PMP application isn’t really what I was interested in, since most of the high-level security is in the kernel anyway. The interesting thing is that I can make any application of my choosing protected, and thus undebuggable, uninjectable and with its address space secure.”
Well, I’m off to have a good mess around with Alex’s tool and I’ll report back some findings.
Keep Safe,
regards
Steo
www.antirootkit.com
References:
Why Protected Processes Are A Bad Idea