
New mitigation mechanisms in Windows 8.1

Earlier we wrote about some of the exploit mitigation mechanisms that Microsoft has been trying to introduce for Windows and its applications with each new operating system release. As a rule, such mechanisms are based on the following conceptual approaches:


The last point deserves special attention, since this innovation was added by MS in Windows 8.1 as an extension of AppContainer mode and the Integrity Level model. Put simply, an untrusted, or restricted, caller (an application whose Integrity Level is below Medium) is not allowed to obtain the addresses of various kernel-mode objects, because such a disclosure effectively defeats KASLR and opens the way to a subsequent LPE (Local Privilege Escalation). The main functions through which such information leaked were, of course, NtQuerySystemInformation with various information classes, as well as NtQueryInformationProcess. For such applications, access to these functions is now restricted.



In the case of NtQuerySystemInformation, an application with a low Integrity Level receives STATUS_ACCESS_DENIED if it requests information for the following classes:









Fig. The call sites of the function that checks the Integrity Level in the access token of an application calling ntoskrnl!NtQuerySystemInformation. ntoskrnl!ExpQuerySystemInformation is responsible for collecting the information for the corresponding classes, and inside it the ntoskrnl!ExIsRestrictedCaller function performs the check itself.



In addition to NtQuerySystemInformation, access is also blocked to the NtQueryInformationProcess function, through which an application could obtain the addresses of various objects. For the ProcessHandleTracing and ProcessWorkingSetWatch / ProcessWorkingSetWatchEx classes, the same error status is returned.
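To verify on a given machine that the check described above is in effect, the following PowerShell probe (an added example, not code from the article) calls NtQuerySystemInformation from the current process and reports whether the kernel refuses the class with STATUS_ACCESS_DENIED. It assumes that SystemModuleInformation (class 11) and SystemHandleInformation (class 16) are among the classes guarded by ExIsRestrictedCaller; run it once from a Medium IL process and once from a Low IL process and compare the verdicts.

```powershell
# Added probe (not from the article): does the current integrity level get
# STATUS_ACCESS_DENIED from kernel-address-disclosing classes?
# Assumption: classes 11 (SystemModuleInformation) and 16
# (SystemHandleInformation) are among those ExIsRestrictedCaller protects.
Add-Type -Namespace Probe -Name Native -MemberDefinition @'
[DllImport("ntdll.dll")]
public static extern uint NtQuerySystemInformation(
    int SystemInformationClass, IntPtr SystemInformation,
    int SystemInformationLength, out int ReturnLength);
'@

$STATUS_ACCESS_DENIED        = 0xC0000022
$STATUS_INFO_LENGTH_MISMATCH = 0xC0000004

function Test-SystemInfoClass {
    param([int]$Class, [string]$Name)
    $size = 64KB
    $buf  = [Runtime.InteropServices.Marshal]::AllocHGlobal($size)
    try {
        $needed = 0
        $status = [Probe.Native]::NtQuerySystemInformation($Class, $buf, $size, [ref]$needed)
    } finally {
        [Runtime.InteropServices.Marshal]::FreeHGlobal($buf)
    }
    # STATUS_ACCESS_DENIED is produced by the integrity-level check itself;
    # success or a length mismatch both mean the class was not refused.
    if ($status -eq $STATUS_ACCESS_DENIED) {
        $verdict = 'DENIED  (restricted caller)'
    } elseif ($status -eq $STATUS_INFO_LENGTH_MISMATCH) {
        $verdict = 'allowed (buffer too small)'
    } elseif ($status -eq 0) {
        $verdict = 'allowed'
    } else {
        $verdict = 'allowed (other status)'
    }
    [pscustomobject]@{
        Class   = $Name
        Status  = ('0x{0:X8}' -f $status)
        Verdict = $verdict
    }
}

# Show which mandatory label the calling token carries, then probe both classes.
Write-Host "Integrity label: $(((whoami /groups) -match 'Mandatory Label') -join '')"
@(
    @{ Class = 11; Name = 'SystemModuleInformation' }
    @{ Class = 16; Name = 'SystemHandleInformation' }
) | ForEach-Object { Test-SystemInfoClass @_ } | Format-Table -AutoSize
```

On a system without the Windows 8.1 check, or from a Medium IL process, both rows report "allowed"; from a Low IL process on Windows 8.1 both should report "DENIED".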



www.alex-ionescu.com/?p=82

Source: https://habr.com/ru/post/202548/


