Wednesday, November 13, 2019

Process Mitigations in 2019 (1)

ProcessImageLoadPolicy
In the recent years,Microsoft has add many mitigations in the Windows system. In this article i will show you the implementation of these mitigations.
The first question is how many mitigations have been added in Windows and what they are.
If you have even used a process manager tool which named Process Hacker, you can query each process's mitigation status.For example:
QQ图片20191109201759.png-106.3kB
In fact, there is a struct named PROCESS_MITIGATION_POLICY in the SDK header file.
    

  1. typedef enum _PROCESS_MITIGATION_POLICY {
    2. 

  2.     ProcessDEPPolicy,
    3. 

  3.     ProcessASLRPolicy,
    4. 

  4.     ProcessDynamicCodePolicy,
    5. 

  5.     ProcessStrictHandleCheckPolicy,
    6. 

  6.     ProcessSystemCallDisablePolicy,
    7. 

  7.     ProcessMitigationOptionsMask,
    8. 

  8.     ProcessExtensionPointDisablePolicy,
    9. 

  9.     ProcessControlFlowGuardPolicy,
    10. 

  10.     ProcessSignaturePolicy,
    11. 

  11.     ProcessFontDisablePolicy,
    12. 

  12.     ProcessImageLoadPolicy,
    13. 

  13.     ProcessSystemCallFilterPolicy,
    14. 

  14.     ProcessPayloadRestrictionPolicy,
    15. 

  15.     ProcessChildProcessPolicy,
    16. 

  16.     ProcessSideChannelIsolationPolicy,
    17. 

  17.     MaxProcessMitigationPolicy
    18. 

  18. } PROCESS_MITIGATION_POLICY, *PPROCESS_MITIGATION_POLICY;
    19.
If you want to know the mitigation status of a process, you can use the Windows Native API NtQueryInformationProcess.
NtQueryInformationProcess declaration is following:
    

  1. NTSYSCALLAPI
    2. 

  2. NTSTATUS
    3. 

  3. NTAPI
    4. 

  4. NtQueryInformationProcess(
    5. 

  5.     _In_ HANDLE ProcessHandle,
    6. 

  6.     _In_ PROCESSINFOCLASS ProcessInformationClass,
    7. 

  7.     _Out_writes_bytes_(ProcessInformationLength) PVOID ProcessInformation,
    8. 

  8.     _In_ ULONG ProcessInformationLength,
    9. 

  9.     _Out_opt_ PULONG ReturnLength
    10. 

  10.     );
    11.
ProcessInformationClass is an enumeration that indicate the function code. ProcessMitigationPolicy(52) is used for querying the process mitigation policy. When you assign ProcessInformationClass argument as ProcessMitigationPolicy,the ProcessInformationLength is a pointer to a PROCESS_MITIGATION_POLICY_INFORMATION.
    

  1. typedef struct _PROCESS_MITIGATION_POLICY_INFORMATION
    2. 

  2. {
    3. 

  3.     PROCESS_MITIGATION_POLICY Policy;
    4. 

  4.     union
    5. 

  5.     {
    6. 

  6.         PROCESS_MITIGATION_ASLR_POLICY ASLRPolicy;
    7. 

  7.         PROCESS_MITIGATION_STRICT_HANDLE_CHECK_POLICY StrictHandleCheckPolicy;
    8. 

  8.         PROCESS_MITIGATION_SYSTEM_CALL_DISABLE_POLICY SystemCallDisablePolicy;
    9. 

  9.         PROCESS_MITIGATION_EXTENSION_POINT_DISABLE_POLICY ExtensionPointDisablePolicy;
    10. 

  10.         PROCESS_MITIGATION_DYNAMIC_CODE_POLICY DynamicCodePolicy;
    11. 

  11.         PROCESS_MITIGATION_CONTROL_FLOW_GUARD_POLICY ControlFlowGuardPolicy;
    12. 

  12.         PROCESS_MITIGATION_BINARY_SIGNATURE_POLICY SignaturePolicy;
    13. 

  13.         PROCESS_MITIGATION_FONT_DISABLE_POLICY FontDisablePolicy;
    14. 

  14.         PROCESS_MITIGATION_IMAGE_LOAD_POLICY ImageLoadPolicy;
    15. 

  15.         PROCESS_MITIGATION_SYSTEM_CALL_FILTER_POLICY SystemCallFilterPolicy;
    16. 

  16.         PROCESS_MITIGATION_PAYLOAD_RESTRICTION_POLICY PayloadRestrictionPolicy;
    17. 

  17.         PROCESS_MITIGATION_CHILD_PROCESS_POLICY ChildProcessPolicy;
    18. 

  18.         PROCESS_MITIGATION_SIDE_CHANNEL_ISOLATION_POLICY SideChannelIsolationPolicy;
    19. 

  19.     };
    20. 

  20. } PROCESS_MITIGATION_POLICY_INFORMATION, *PPROCESS_MITIGATION_POLICY_INFORMATION;
    21.
This is a peach of NtQueryInformationProcess disassembly code in the ntoskrnl.By the reserve enginning we found that we must have the PROCESS_QUERY_INFORMATION permission with the process handle to invoke this function. 
    

  1. case 52:                                    // ProcessMitigationPolicy
    2. 

  2.       if (ProcessInformationLength != 8 )
    3. 

  3.         return 0xC0000004;
    4. 

  4.       MitigationCode = *(_DWORD *)ProcessInformation;
    5. 

  5.       if ( Handle == (HANDLE)-1i64 )
    6. 

  6.       {
    7. 

  7.         pObject = (PEPROCESS)PsGetCurrentProcess();
    8. 

  8.       }
    9. 

  9.       else
    10. 

  10.       {
    11. 

  11.         result = ObReferenceObjectByHandleWithTag(
    12. 

  12.                    (ULONG_PTR)Handle,
    13. 

  13.                    0x400,              //PROCESS_QUERY_INFORMATION
    14. 

  14.                    PsProcessType,
    15. 

  15.                    PreviousMode,
    16. 

  16.                    'yQsP',
    17. 

  17.                    (__int64)&pObject,
    18. 

  18.                    0i64);
    19. 

  19.         if ( result < 0 )
    20. 

  20.           return result;
    21. 

  21.       }
    22.
So we can write a simple progarm to query the mitigation status of a process. It look like this:
    

  1. ClientId.UniqueProcess = PID;
    2. 

    3. 

  3. NtOpenProcess(
    4. 

  4.     &ProcHandle,
    5. 

  5.     PROCESS_QUERY_INFORMATION,
    6. 

  6.     &ObjAttr,
    7. 

  7.     &ClientId);
    8. 

    9. 

  9. NtQueryInformationProcess(
    10. 

  10.     ProcHandle,
    11. 

  11.     ProcessMitigationPolicy,
    12. 

  12.     RecvBuffer,
    13. 

  13.     RecvBufferSize,
    14. 

  14.     &RetSize);
    15.
Then i query the Microsoft Edge content process by this tool, and get the mitigation policy information as below.
    

  1. [*]ProcessDEPPolicy:
    2. 

  2. MEM_EXECUTE_OPTION_DISABLE 1
    3. 

  3. MEM_EXECUTE_OPTION_ENABLE 0
    4. 

  4. MEM_EXECUTE_OPTION_DISABLE_THUNK_EMULATION 1
    5. 

  5. MEM_EXECUTE_OPTION_PERMANENT 1
    6. 

  6. MEM_EXECUTE_OPTION_EXECUTE_DISPATCH_ENABLE 0
    7. 

  7. MEM_EXECUTE_OPTION_IMAGE_DISPATCH_ENABLE 0
    8. 

  8. MEM_EXECUTE_OPTION_VALID_FLAGS 1
    9. 

    10. 

  10. [*]ProcessASLRPolicy:
    11. 

  11. EnableBottomUpRandomization 1
    12. 

  12. EnableForceRelocateImages 1
    13. 

  13. EnableHighEntropy 1
    14. 

  14. DisallowStrippedImages 1
    15. 

    16. 

  16. [*]ProcessDynamicCodePolicy:
    17. 

  17. ProhibitDynamicCode 0
    18. 

  18. AllowThreadOptOut 0
    19. 

  19. AllowRemoteDowngrade 0
    20. 

  20. AuditProhibitDynamicCode 0
    21. 

    22. 

  22. [*]StrictHandleCheckPolicy:
    23. 

  23. RaiseExceptionOnInvalidHandleReference 1
    24. 

  24. HandleExceptionsPermanentlyEnabled 1
    25. 

    26. 

  26. [*]SystemCallDisablePolicy:
    27. 

  27. DisallowWin32kSystemCalls 0
    28. 

  28. AuditDisallowWin32kSystemCalls 0
    29. 

  29. ProcessExtensionPointDisablePolicy:
    30. 

  30. DisableExtensionPoints 0
    31. 

    32. 

  32. [*]ProcessControlFlowGuardPolicy:
    33. 

  33. EnableControlFlowGuard 1
    34. 

  34. EnableExportSuppression 1
    35. 

  35. StrictMode 0
    36. 

    37. 

  37. [*]ProcessSignaturePolicy:
    38. 

  38. MicrosoftSignedOnly 0
    39. 

  39. StoreSignedOnly 0
    40. 

  40. MitigationOptIn 0
    41. 

  41. AuditMicrosoftSignedOnly 0
    42. 

  42. AuditStoreSignedOnly 0
    43. 

    44. 

  44. [*]ProcessFontDisablePolicy:
    45. 

  45. DisableNonSystemFonts 0
    46. 

  46. AuditNonSystemFontLoading 0
    47. 

    48. 

  48. [*]ProcessImageLoadPolicy:
    49. 

  49. NoRemoteImages 1
    50. 

  50. NoLowMandatoryLabelImages 1
    51. 

  51. PreferSystem32Images 0
    52. 

  52. AuditNoRemoteImages 0
    53. 

  53. AuditNoLowMandatoryLabelImages 0
    54. 

    55. 

  55. [*]SystemCallFilterPolicy:
    56. 

  56. FilterId 0
    57. 

    58. 

  58. [*]PayloadRestrictionPolicy:
    59. 

  59. EnableExportAddressFilter 0
    60. 

  60. AuditExportAddressFilter 0
    61. 

  61. EnableExportAddressFilterPlus 0
    62. 

  62. AuditExportAddressFilterPlus 0
    63. 

  63. EnableImportAddressFilter 0
    64. 

  64. AuditImportAddressFilter 0
    65. 

  65. EnableRopStackPivot 0
    66. 

  66. AuditRopStackPivot 0
    67. 

  67. EnableRopCallerCheck 0
    68. 

  68. AuditRopCallerCheck 0
    69. 

  69. EnableRopSimExec 0
    70. 

  70. AuditRopSimExec 0
    71. 

    72. 

  72. [*]ProcessChildProcessPolicy:
    73. 

  73. NoChildProcessCreation 1
    74. 

  74. AuditNoChildProcessCreation 0
    75. 

  75. AllowSecureProcessCreation 0
    76. 

    77. 

  77. [*]ProcessSideChannelIsolationPolicy:
    78. 

  78. SmtBranchTargetIsolation 0
    79. 

  79. IsolateSecurityDomain 0
    80. 

  80. DisablePageCombine 0
    81. 

  81. SpeculativeStoreBypassDisable 0
    82.

ProcessImageLoadPolicy

When get or set ProcessImageLoadPolicy mitigation by PROCESS_MITIGATION_IMAGE_LOAD_POLICY struct. And this struct's declaration is below.We can see there are 5 levels restricted for image loading.
    

  1. typedef struct _PROCESS_MITIGATION_IMAGE_LOAD_POLICY {
    2. 

  2.     union {
    3. 

  3.         DWORD Flags;
    4. 

  4.         struct {
    5. 

  5.             DWORD NoRemoteImages : 1;
    6. 

  6.             DWORD NoLowMandatoryLabelImages : 1;
    7. 

  7.             DWORD PreferSystem32Images : 1;
    8. 

  8.             DWORD AuditNoRemoteImages : 1;
    9. 

  9.             DWORD AuditNoLowMandatoryLabelImages : 1;
    10. 

  10.             DWORD ReservedFlags : 27;
    11. 

  11.         } DUMMYSTRUCTNAME;
    12. 

  12.     } DUMMYUNIONNAME;
    13. 

  13. } PROCESS_MITIGATION_IMAGE_LOAD_POLICY, *PPROCESS_MITIGATION_IMAGE_LOAD_POLICY;
    14.
In the Windows kernel section has three types.
    

  1. PhysicalSection
    2. 

  2. ImageSection
    3. 

  3. DataSection
    4.
NtCreateSection is the interface to create a section object in Windows.If we specify SEC_IMAGE flag when invoke NtCreateSection ,it will set a bit flag named MMSECTION_FLAGS in section.ControlArea after the section object has be created. Then it will execute into the MiMapViewOfImageSection when we call the NtMapViewOfSection function with this section handle.
    

  1. 1.NtMapViewOfSection
    2. 

  2. 2.MiMapViewOfSection
    3. 

  3. 3.MiMapViewOfImageSection
    4. 

  4. 4.MiAllowImageMap
    5.
The ProcessImageLoadPolicy mitigation is implement in the MiAllowImageMap function.
MiAllowImageMap is splice into two piece.
Firstly, it check for remote image load.
    

  1. IsProhibitRemoteImageMapEnable = Process->MitigationFlags & 0x80000; // ProhibitRemoteImageMap 
    2. 

  2. IsAuditProhibitRemoteImageMap = Process->MitigationFlags & 0x100000; // AuditProhibitRemoteImageMap 
    3. 

  3. if ((IsProhibitRemoteImageMapEnable || IsAuditProhibitRemoteImageMap) &&
    4. 

  4.     (Section->u1.ControlArea & 3))                                   // AuditProhibitRemoteImageMap 
    5. 

  5. {
    6. 

  6.     if ( IsProhibitRemoteImageMapEnable )
    7. 

  7.       return STATUS_ACCESS_DENIED;
    8. 

  8. }
    9.
Secondly, it checks for integrity level. It checks the source image file's integrity level by the image file's file object's security descripter.
    

  1. MitigationFlags = Process->MitigationFlags;
    2. 

  2. IsAuditProhibitLowILImageMap = MitigationFlags & 0x400000; // AuditProhibitLowILImageMap 
    3. 

  3. IsProhibitLowILImageMap      = MitigationFlags & 0x200000; // ProhibitLowILImageMap 
    4. 

  4. if ( IsProhibitLowILImageMap || IsAuditProhibitLowILImageMap )
    5. 

  5. {
    6. 

  6.     MemoryAllocated = 0;
    7. 

  7.     FileObject = MiReferenceControlAreaFile(pControlArea);
    8. 

  8.     status = ObpGetObjectSecurity(FileObject, &SecurityDescriptor, &MemoryAllocated);
    9. 

  9.     if (!NT_SUCCESS(status))
    10. 

  10.     {
    11. 

  11.       status = STATUS_ACCESS_DENIED;
    12. 

  12.     }
    13. 

  13.     else
    14. 

  14.     {
    15. 

  15.         if (SeQueryMandatoryLabel(SecurityDescriptor) <= 0x1000 && 
    16. 

  16.         !SeGetTrustLabelAce(SecurityDescriptor) )
    17. 

  17.             status = STATUS_ACCESS_DENIED;
    18. 

  18.         ObReleaseObjectSecurity(SecurityDescriptor, MemoryAllocated);
    19. 

  19.     }
    20. 

  20.     MiDereferenceControlAreaFile(pControlArea, FileObject);
    21. 

  21. }
    22.
SeQueryMandatoryLabel is a function for getting the integrity level, it's return value indicates the integrity level value.This is because of the mandatory label is a series of SID which have the same format. You can find them out in the MSDN document,And Microsoft named them as well-known SID.
    

  1. SID: S-1-16-0
    2. 

  2. Name: Untrusted Mandatory Level
    3. 

  3. Description: An untrusted integrity level. Note Added in Windows Vista and Windows Server 2008
    4. 

    5. 

  5. Note Added in Windows Vista and Windows Server 2008
    6. 

  6. SID: S-1-16-4096
    7. 

  7. Name: Low Mandatory Level
    8. 

  8. Description: A low integrity level.
    9. 

    10. 

  10. Note Added in Windows Vista and Windows Server 2008
    11. 

  11. SID: S-1-16-8192
    12. 

  12. Name: Medium Mandatory Level
    13. 

  13. Description: A medium integrity level.
    14. 

    15. 

  15. Note Added in Windows Vista and Windows Server 2008
    16. 

  16. SID: S-1-16-8448
    17. 

  17. Name: Medium Plus Mandatory Level
    18. 

  18. Description: A medium plus integrity level.
    19. 

    20. 

  20. Note Added in Windows Vista and Windows Server 2008
    21. 

  21. SID: S-1-16-12288
    22. 

  22. Name: High Mandatory Level
    23. 

  23. Description: A high integrity level.
    24. 

    25. 

  25. Note Added in Windows Vista and Windows Server 2008
    26. 

  26. SID: S-1-16-16384
    27. 

  27. Name: System Mandatory Level
    28. 

  28. Description: A system integrity level.
    29. 

    30. 

  30. Note Added in Windows Vista and Windows Server 2008
    31. 

  31. SID: S-1-16-20480
    32. 

  32. Name: Protected Process Mandatory Level
    33. 

  33. Description: A protected-process integrity level.
    34. 

    35. 

  35. Note Added in Windows Vista and Windows Server 2008
    36. 

  36. SID: S-1-16-28672
    37. 

  37. Name: Secure Process Mandatory Level
    38. 

  38. Description: A secure process integrity level.
    39. 

    40. 

  40. Note Added in Windows Vista and Windows Server 2008
    41.
According to this, we known if the return value less than 0x1000 it indicate the security descripter's mandatory label is equal or less than Low Mandatory Level.

ProcessChildProcessPolicy

ProcessChildProcessPolicy has tree levels.
    

  1. typedef struct _PROCESS_MITIGATION_CHILD_PROCESS_POLICY {
    2. 

  2.     union {
    3. 

  3.         DWORD Flags;
    4. 

  4.         struct {
    5. 

  5.             DWORD NoChildProcessCreation : 1;
    6. 

  6.             DWORD AuditNoChildProcessCreation : 1;
    7. 

  7.             DWORD AllowSecureProcessCreation : 1;
    8. 

  8.             DWORD ReservedFlags : 29;
    9. 

  9.         } DUMMYSTRUCTNAME;
    10. 

  10.     } DUMMYUNIONNAME;
    11. 

  11. } PROCESS_MITIGATION_CHILD_PROCESS_POLICY, *PPROCESS_MITIGATION_CHILD_PROCESS_POLICY;
    12.
At the branch that handles ProcessChildProcessPolicy logic, it invokes a function named PspGetNoChildProcessRestrictedPolicy for getting the current process's child process mitigation policy status.
    

  1. ChildPolicyLevel = PspGetNoChildProcessRestrictedPolicy(TargetProcess);
    2. 

    3. 

  3. if(ChildPolicyLevel == 1)
    4. 

  4. {
    5. 

  5.     PolicyInfo.NoChildProcessCreation = 1;
    6. 

  6. }
    7. 

  7. else if(ChildPolicyLevel == 2)
    8. 

  8. {
    9. 

  9.     PolicyInfo.NoChildProcessCreation = 1;
    10. 

  10.     PolicyInfo.AllowSecureProcessCreation = 1;
    11. 

  11. }
    12. 

  12. else if(ChildPolicyLevel == 3)
    13. 

  13. {
    14. 

  14.     PolicyInfo.AuditNoChildProcessCreation = 1;
    15. 

  15. }
    16.
Unusually, it does not get the policy status from the EPROCESS's MitigationFlags field.In fact, it get some bit flags from the process token's TokenFlags field.The fake code look like this.
    

  1. CurThread = KeGetCurrentThread();
    2. 

  2. TokenFlags = PrimaryToken->TokenFlags;
    3. 

  3. *NoChildProcessCreationFlag = (TokenFlags >> 19) & 1;      // 20 bit
    4. 

  4. *AllowSecureProcessCreationFlag = (TokenFlags >> 20) & 1;  // 21 bit
    5. 

  5. *AuditNoChildProcessCreationFlag = (TokenFlags >> 21) & 1; // 22 bit
    6.
There two ways to create a process.One is the NtCreateUserProcess function, and the other is the NtCreateProcess/NtCreateProcessEx.The NtCreateUserProcess is a newer native invoke that was introduced in Windows Vista. When we call CreateProcessW in user mode code, it will invoke NtCreateUserProcess function finally.
The ProcessChildProcessPolicy mitigation is implementation in the SeSubProcessToken.
    

  1. 1.NtCreateUserProcess
    2. 

  2. 2.PspAllocateProcess
    3. 

  3. 3.PspInitializeProcessSecurity
    4. 

  4. 4.SeSubProcessToken
    5.
The SeSubProcessToken function is also invoke the PspGetNoChildProcessRestrictedPolicy to determine the the child can be created.If the creation desired is refused the NtCreateUserProcess will return the STATUS_CHILD_PROCESS_BLOCKED.
at

No comments:

Post a Comment

Subscribe to: Post Comments (Atom)

ACCESS_MASK: Specific rights of NT objects

#define FILE_READ_DATA            ( 0x0001 )    // file & pipe #define FILE_LIST_DIRECTORY       ( 0x0001 )    // directory #define FILE...