Archimedes.Syracuse
Guest
Hello. We have 2 components.
- Medium Integrity (MI) - C# .NET program that can take input from standard user, does download of update packages etc
- High Integrity (HI) - C# .NET service that does privileged tasks, and accepts RPC commands from the medium integrity software
Recently a researcher found a number of vulnerabilities by sending malicious RPC commands/args to the service. Now whilst we are taking the effort in locking down the commands, how can one just eliminate the process injection techniques to stop the root of these attacks *without the requirement of a driver*?
Every one of his bugs relies on creating the MI process suspended, calling WriteProcessMemory() to write the DLL name, then changing the EntryPoint to Kernel32!LoadLibrary() and running CreateRemoteThread() to run his malicious unsigned DLL at start, and then sending malicious commands/args to the service. No certificate checks help here as he uses a signed process.
How can I stop my process from loading unsigned DLLs? I know there are registry-wide settings, but we can't risk affecting other software adversely. I just want my process to be prevented from having unsigned DLLs loaded.
Can the service check that any threads created originate from a signed region of memory, i.e. our main image, or an MS-signed DLL etc., and not from his injected memory via WriteProcessMemory?
Can I block Create Remote Thread/Write Process Memory against our process, from the service?
If I generated Page Hashes via signtool, can that prevent the MI process from executing code that does not originate from the signed hashes?
Again I know a kernel driver with Ob callbacks could resolve this, but it is too heavyweight for this minor application.
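The closest user-mode answer to "only my process, no registry-wide setting" is the per-process binary signature mitigation that Windows 8.1 and later expose through SetProcessMitigationPolicy. The following C# P/Invoke wrapper is an added example and is not code from the original post or from the poster's product; the class and method names (SignaturePolicy, EnforceMicrosoftSignedOnly, IsEnforced) are mine, while the enum value, struct layout and API signatures are the documented Win32 ones.

```csharp
using System;
using System.ComponentModel;
using System.Runtime.InteropServices;

// Added example (not from the original post). Opts the calling process into the
// Windows per-process binary signature mitigation: once set, the kernel refuses
// to map any image into this process that is not Microsoft-signed, which covers
// a DLL pulled in via LoadLibrary from an injected thread.
static class SignaturePolicy
{
    // PROCESS_MITIGATION_POLICY.ProcessSignaturePolicy (value 8 in winnt.h).
    const int ProcessSignaturePolicy = 8;

    // PROCESS_MITIGATION_BINARY_SIGNATURE_POLICY is a DWORD of bit flags:
    // bit 0 = MicrosoftSignedOnly, bit 1 = StoreSignedOnly, bit 2 = MitigationOptIn.
    const uint MicrosoftSignedOnly = 0x1;

    [StructLayout(LayoutKind.Sequential)]
    struct BinarySignaturePolicy
    {
        public uint Flags;
    }

    // BOOL SetProcessMitigationPolicy(PROCESS_MITIGATION_POLICY, PVOID lpBuffer, SIZE_T dwLength)
    [DllImport("kernel32.dll", SetLastError = true)]
    static extern bool SetProcessMitigationPolicy(
        int mitigationPolicy, ref BinarySignaturePolicy buffer, IntPtr length);

    // BOOL GetProcessMitigationPolicy(HANDLE, PROCESS_MITIGATION_POLICY, PVOID lpBuffer, SIZE_T dwLength)
    [DllImport("kernel32.dll", SetLastError = true)]
    static extern bool GetProcessMitigationPolicy(
        IntPtr process, int mitigationPolicy, ref BinarySignaturePolicy buffer, IntPtr length);

    [DllImport("kernel32.dll")]
    static extern IntPtr GetCurrentProcess();

    // Turn the mitigation on for the current process. Call this as early as
    // possible in Main(); it cannot be undone for the lifetime of the process.
    public static void EnforceMicrosoftSignedOnly()
    {
        var policy = new BinarySignaturePolicy { Flags = MicrosoftSignedOnly };
        var size = (IntPtr)Marshal.SizeOf(typeof(BinarySignaturePolicy));
        if (!SetProcessMitigationPolicy(ProcessSignaturePolicy, ref policy, size))
            throw new Win32Exception(Marshal.GetLastWin32Error());
    }

    // Report whether the mitigation is currently active for this process,
    // e.g. for a self-check the MI process can log at startup.
    public static bool IsEnforced()
    {
        var policy = new BinarySignaturePolicy();
        var size = (IntPtr)Marshal.SizeOf(typeof(BinarySignaturePolicy));
        if (!GetProcessMitigationPolicy(GetCurrentProcess(), ProcessSignaturePolicy, ref policy, size))
            throw new Win32Exception(Marshal.GetLastWin32Error());
        return (policy.Flags & MicrosoftSignedOnly) != 0;
    }

    static void Main()
    {
        EnforceMicrosoftSignedOnly();
        Console.WriteLine("MicrosoftSignedOnly enforced: " + IsEnforced());
        // From here on, any attempt to load a non-Microsoft-signed DLL into
        // this process fails at image-mapping time with an access-denied error.
    }
}
```

Two caveats matter for the scenario described in the post. First, this policy blocks everything that is not Microsoft-signed, including the vendor's own DLLs, so it only fits a process whose native dependencies are all Microsoft binaries; a separate and less strict option is to have the HI service launch the MI process itself with PROC_THREAD_ATTRIBUTE_MITIGATION_POLICY set to PROCESS_CREATION_MITIGATION_POLICY_BLOCK_NON_MICROSOFT_BINARIES_ALWAYS_ON, so the policy is in force before the first instruction runs. Second, a mitigation that the process applies to itself in Main() runs after the redirected entry point in the technique the post describes, and an attacker who creates the process can simply omit the creation-time attribute, so neither variant is a substitute for the HI service validating what it accepts over RPC; treat the policy as hardening for the MI process, not as a trust boundary for the service.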