Nytro

[Kernel Hack] Hooking SeSinglePrivilegeCheck to bypass privilege checks



zwclose7

Recently, I wrote a driver that hooks the SeSinglePrivilegeCheck function. SeSinglePrivilegeCheck is a kernel-mode function used to perform privilege checks. Some functions, such as NtLoadDriver and NtShutdownSystem, use SeSinglePrivilegeCheck to check for the required privilege. For example, NtLoadDriver uses SeSinglePrivilegeCheck to check for SeLoadDriverPrivilege, and returns STATUS_PRIVILEGE_NOT_HELD if the caller does not have SeLoadDriverPrivilege enabled. NtShutdownSystem also uses SeSinglePrivilegeCheck to check for SeShutdownPrivilege, and returns STATUS_PRIVILEGE_NOT_HELD if the caller does not have SeShutdownPrivilege. Privilege checks are only performed if the caller is from user mode. If the caller is from kernel mode, the system does not perform the privilege check. My hook driver hooks SeSinglePrivilegeCheck so that the function always returns TRUE to the caller. By hooking SeSinglePrivilegeCheck, all privilege checks are bypassed.

In the following video, I test my hook driver on a virtual machine with Windows XP installed. I use WinAPIOverride to call NtShutdownSystem in the explorer.exe process. The first call fails with STATUS_PRIVILEGE_NOT_HELD because the explorer.exe process does not have SeShutdownPrivilege enabled. After loading the hook driver, SeSinglePrivilegeCheck is hooked and all privilege checks are bypassed. The second NtShutdownSystem call succeeds even though the caller does not have SeShutdownPrivilege enabled, because the privilege check has been bypassed, and NtShutdownSystem successfully shuts down the virtual machine.

Download src:

http://www.rohitab.com/discuss/index.php?app=core&module=attach&section=attach&attach_id=3889

Source: [Kernel Hack] Hooking SeSinglePrivilegeCheck to bypass privilege checks - rohitab.com - Forums
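The post only links the driver source as an attachment, so here is an added example (not zwclose7's code and not a Windows driver) of the mechanism it describes: overwriting the entry of a privilege-check routine so that it always returns TRUE. It is a userland stand-in for Linux on x86-64 or AArch64: a constructed function single_privilege_check plays the part of SeSinglePrivilegeCheck (including the kernel-mode-caller shortcut the post mentions), a constructed shutdown_system plays the part of NtShutdownSystem's privilege gate, and mprotect(2) takes the place of clearing CR0.WP before writing into kernel code. The privilege and NTSTATUS constants are the real winnt.h/ntstatus.h values; everything else is assumed for the example.

```c
/* Added example, not from the original post: inline-patch a privilege
 * check so it always returns TRUE. Linux, x86-64 or AArch64, gcc/clang. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/mman.h>

typedef int BOOLEAN;
typedef uint64_t LUID;                 /* simplified: a privilege is its LUID value */
#define SE_LOAD_DRIVER_PRIVILEGE  10   /* values from winnt.h */
#define SE_SHUTDOWN_PRIVILEGE     19
#define STATUS_SUCCESS            0x00000000u
#define STATUS_PRIVILEGE_NOT_HELD 0xC0000061u

enum mode { KernelMode = 0, UserMode = 1 };

/* Constructed caller token: the privileges that are present and enabled. */
struct token { LUID enabled[4]; int n; };

/* Stand-in for SeSinglePrivilegeCheck. A caller whose previous mode is
 * KernelMode is never checked; a user-mode caller passes only if the
 * privilege is enabled in its token. noinline keeps every call going
 * through this function's real prologue, which is what gets patched. */
__attribute__((noinline))
BOOLEAN single_privilege_check(const struct token *t, LUID priv, enum mode prev)
{
    if (prev == KernelMode)
        return 1;
    for (int i = 0; i < t->n; i++)
        if (t->enabled[i] == priv)
            return 1;
    return 0;
}

/* Volatile pointer so the compiler cannot fold the call away. */
static BOOLEAN (*volatile check_fn)(const struct token *, LUID, enum mode) = single_privilege_check;

/* Stand-in for the privilege gate at the top of NtShutdownSystem. */
unsigned shutdown_system(const struct token *caller, enum mode prev)
{
    if (!check_fn(caller, SE_SHUTDOWN_PRIVILEGE, prev))
        return STATUS_PRIVILEGE_NOT_HELD;
    return STATUS_SUCCESS;             /* the real function would power off here */
}

/* Machine code for "return TRUE". The leading endbr64 / bti c keeps the
 * patched entry valid under CET / BTI and is a NOP on other CPUs. */
#if defined(__x86_64__)
static const uint8_t ret_true[] = { 0xF3, 0x0F, 0x1E, 0xFA,        /* endbr64    */
                                    0xB8, 0x01, 0x00, 0x00, 0x00,  /* mov eax, 1 */
                                    0xC3 };                        /* ret        */
#elif defined(__aarch64__)
static const uint8_t ret_true[] = { 0x5F, 0x24, 0x03, 0xD5,        /* bti c      */
                                    0x20, 0x00, 0x80, 0x52,        /* mov w0, #1 */
                                    0xC0, 0x03, 0x5F, 0xD6 };      /* ret        */
#else
#error "example supports x86-64 and AArch64 only"
#endif

static uint8_t saved[sizeof ret_true];     /* original prologue bytes, for unhooking */

/* Lift write protection on the page(s) holding the target: the userland
 * counterpart of clearing CR0.WP in the driver. */
static int make_writable(const void *addr, size_t len)
{
    uintptr_t page  = (uintptr_t)sysconf(_SC_PAGESIZE);
    uintptr_t start = (uintptr_t)addr & ~(page - 1);
    uintptr_t end   = ((uintptr_t)addr + len + page - 1) & ~(page - 1);
    return mprotect((void *)start, end - start, PROT_READ | PROT_WRITE | PROT_EXEC);
}

static void write_code(uint8_t *target, const uint8_t *bytes, size_t len)
{
    memcpy(target, bytes, len);
    __builtin___clear_cache((char *)target, (char *)target + len);  /* needed on AArch64 */
}

/* Install the hook: overwrite the prologue so every call returns TRUE. */
int hook_privilege_check(void)
{
    uint8_t *target = (uint8_t *)(uintptr_t)single_privilege_check;
    if (make_writable(target, sizeof ret_true) != 0)
        return -1;
    memcpy(saved, target, sizeof saved);
    write_code(target, ret_true, sizeof ret_true);
    return 0;
}

/* Restore the original prologue bytes. */
int unhook_privilege_check(void)
{
    uint8_t *target = (uint8_t *)(uintptr_t)single_privilege_check;
    write_code(target, saved, sizeof saved);
    return 0;
}

int main(void)
{
    struct token explorer = { { 0 }, 0 };   /* no privileges enabled, like the post's explorer.exe */
    printf("before hook:  0x%08X\n", shutdown_system(&explorer, UserMode));
    if (hook_privilege_check() != 0) { perror("mprotect"); return 1; }
    printf("after hook:   0x%08X\n", shutdown_system(&explorer, UserMode));
    unhook_privilege_check();
    printf("after unhook: 0x%08X\n", shutdown_system(&explorer, UserMode));
    return 0;
}
```

Two details carry over to the real kernel case: the patch must not be longer than the target's prologue or it will corrupt whatever follows, and the original bytes must be saved so the hook can be removed cleanly before the driver unloads. In the kernel the write also needs the same care about write protection and interrupts on SMP that the driver in the post has to take; mprotect and a single thread make that trivial here.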
