[HN Gopher] Hiding execution of unsigned code in Windows system ...
___________________________________________________________________
Hiding execution of unsigned code in Windows system threads
Author : jm1337
Score : 68 points
Date : 2021-01-13 14:28 UTC (8 hours ago)
(HTM) web link (secret.club)
(TXT) w3m dump (secret.club)
| londons_explore wrote:
| I thought the windows kernel was locked down to signed code only
| by Microsoft's patchguard?
|
| Wouldn't any opportunity to run your own code in the kernel be
| worthy of a bug bounty?
|
| Are the protections nowhere near as strong as intended?
| smileybarry wrote:
| That's two separate mechanisms; PatchGuard protects against
| hooking and rewriting sections of the kernel, and the kernel
| only loads signed drivers (and since 2016-ish only Microsoft-
| signed).
| zinekeller wrote:
| Well, in this case the user really wants to modify the system
| so they can either 1) run it with Secure Boot disabled, 2) use
| poorly-coded or outdated kernel drivers such as the list
| mentioned by mckirk
| (https://news.ycombinator.com/item?id=25766871) to bypass NT
| policies, or 3) install Windows in BIOS/CSM mode (so that the
| only hindrance is the generation of root certificates, unlike
| with UEFI installations, which trigger the kernel to check
| whether the loaded drivers are blessed by Microsoft).
| userbinator wrote:
| "tamper". That connotation is intentional. MS wants to take
| control away from users and owners, so uses such language.
|
| How about "modify" or "customise"? No, because that wouldn't
| fit their authoritarian narrative.
| zinekeller wrote:
| Noted and changed.
|
| > MS wants to take control away from users and owners, so
| uses such language.
|
| I wanted to clarify this issue in longer detail, but
| obviously outside of enterprise settings (where the owner
| does not trust the user).
|
| Now, I'm writing to HN here, which really likes its
| freedoms (and I also want it). But the general pattern
| nowadays is that people value consistency over
| customisability. The success of the locked-down iPhone and
| Android is a great example: sure, _some_ users want to run
| other software on the device, but the simple truth is that
| the vast majority of users prefer to trust Apple or Google
| to do their job properly, as their main goal is not to run
| a computer but rather to do their own business (similar to
| how a company often contracts its electricity, water,
| network connectivity, waste management and others).
|
| On a similar vein, the newer versions of Windows will run
| with the Secure Boot option enabled (which will ensure that
| the system is as intended by Microsoft). Again, _some_
| people want the system to be easily modifiable, and in
| that case there are ways to lower the guardrails to allow
| you to a certain extent. But the vast majority of users
| trust Microsoft to manage the system and let them just do
| work.
|
| TLDR: Some users view a computer as something to tinker
| upon but most users see it as a tool to be used.
| AnthonyMouse wrote:
| > The success of locked-down iPhone and Android is a
| great example
|
| It's the example that everybody uses, but because of the
| nature of vertical integration and the network effect,
| you can't use popularity as an indication that people
| actually want any given individual aspect of those
| products.
|
| Suppose it's 2010 and you need an app that only exists on
| iPhone. Well, you might not like that it's locked down,
| but you need that app. Then once you've had one for three
| years you're locked into their ecosystem indefinitely.
|
| It's also a trap. When the lockdown first comes, they say
| they're just using it to exclude malware and other things
| you actually don't want. You have to get your apps
| signed, but they sign all the ones you care about, so
| what does it matter?
|
| Only after mobile platforms that don't do this have
| reached negligible market share and have no network
| effect do they start excluding apps you might actually
| want. But by then it's too late.
| zinekeller wrote:
| Now, I do _really_ want to agree with your analysis, but
| knowing how many Desktop Linux users are either just
| using a browser or Electron app (consistency) or Wine
| (consistency), and the fact that essential libraries (from
| the GNOME 2->3 debacle to systemd to unreliable semantic
| versioning) are much more unstable (which makes a
| non-consistent environment, and even Debian is discussing
| this very issue again), I am not sure if an average user
| really wants to have customisability versus consistency.
| mckirk wrote:
| There are so many ways of running your own code in the kernel
| (mainly thanks to signed, but terribly written drivers [1])
| that PatchGuard really is only a nuisance if you need to
| overwrite some kernel functionality, e.g. for hooking
| functions.
|
| So a rootkit needs to worry about PatchGuard, but if you only
| want to run code at kernel level, you generally don't.
|
| [1]: https://www.unknowncheats.me/forum/anti-cheat-
| bypass/334557-...
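The posture check a defender would run after reading the exchange above (driver signing versus PatchGuard, Secure Boot on or off, and signed-but-vulnerable drivers), as an added example that is not part of this thread or of the linked secret.club post. It reports Secure Boot, VBS/HVCI and the kernel code-integrity policy state from the Win32_DeviceGuard WMI class, then lists the running kernel drivers with their Authenticode status and SHA-256 so they can be compared against a vulnerable-driver list you maintain yourself. The `-KnownBadSha256` parameter is a hypothetical input of this example: it defaults to empty and no hashes are assumed here. Run it from an elevated PowerShell session on Windows 10/11.

```powershell
# Added example: kernel code-integrity posture and running-driver inventory.
# Not from the linked post or the thread. Requires an elevated PowerShell on
# Windows 10/11 (Confirm-SecureBootUEFI and Win32_DeviceGuard need admin).

function Get-KernelCodeIntegrityPosture {
    # Confirm-SecureBootUEFI throws on legacy BIOS/CSM installs, which is
    # exactly the "install Windows in BIOS/CSM mode" case raised above.
    try {
        $secureBoot = Confirm-SecureBootUEFI
    } catch {
        $secureBoot = 'n/a (legacy BIOS/CSM or not supported)'
    }

    # Device Guard / VBS state lives in root\Microsoft\Windows\DeviceGuard.
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' `
                          -ClassName Win32_DeviceGuard

    # SecurityServicesRunning: 1 = Credential Guard, 2 = HVCI (kernel-mode CI).
    $hvci = [bool]($dg.SecurityServicesRunning -contains 2)

    # CodeIntegrityPolicyEnforcementStatus: 0 = off, 1 = audit, 2 = enforced.
    $ciPolicy = switch ($dg.CodeIntegrityPolicyEnforcementStatus) {
        0       { 'off' }
        1       { 'audit' }
        2       { 'enforced' }
        default { 'unknown' }
    }

    [pscustomobject]@{
        SecureBoot     = $secureBoot
        HvciRunning    = $hvci
        KernelCIPolicy = $ciPolicy
        # VirtualizationBasedSecurityStatus: 0 = off, 1 = enabled, 2 = running.
        VbsStatus      = $dg.VirtualizationBasedSecurityStatus
    }
}

function Get-RunningKernelDrivers {
    param(
        # Hypothetical input for this example: SHA-256 hashes of drivers you
        # consider vulnerable, taken from a list you trust. Empty by default.
        [string[]]$KnownBadSha256 = @()
    )
    $bad = @{}
    foreach ($h in $KnownBadSha256) { $bad[$h.ToUpperInvariant()] = $true }

    Get-CimInstance -ClassName Win32_SystemDriver |
        Where-Object { $_.State -eq 'Running' -and $_.PathName } |
        ForEach-Object {
            # Service image paths sometimes carry a \??\ prefix; strip it.
            $path = $_.PathName -replace '^\\\?\?\\', ''
            if (-not (Test-Path -LiteralPath $path)) { return }

            $sig  = Get-AuthenticodeSignature -LiteralPath $path
            $hash = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash

            [pscustomobject]@{
                Name      = $_.Name
                Path      = $path
                # Caveat: a driver signed only through a catalog (.cat) can
                # report NotSigned here even though the kernel accepted it,
                # so treat NotSigned as "inspect", not "unsigned".
                SigStatus = $sig.Status
                Signer    = $sig.SignerCertificate.Subject
                Sha256    = $hash
                KnownBad  = $bad.ContainsKey($hash)
            }
        }
}

# Usage: summarise the machine, then show flagged drivers first.
Get-KernelCodeIntegrityPosture | Format-List
Get-RunningKernelDrivers |
    Sort-Object KnownBad -Descending |
    Format-Table -AutoSize Name, SigStatus, KnownBad, Signer
```

With HVCI off and the CI policy reported as `off`, any signed driver the kernel accepts (including the "terribly written" ones the comment refers to) runs with full kernel privilege and PatchGuard does nothing about it; HVCI running with an enforced policy is what actually narrows that set, and the `KnownBad` column is only as good as the hash list you feed it.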
| lights0123 wrote:
| APC means _asynchronous procedure call_, for anyone else
| unfamiliar with the term. https://docs.microsoft.com/en-
| us/windows-hardware/drivers/ke...
___________________________________________________________________
(page generated 2021-01-13 23:01 UTC)