Nytro Posted November 22, 2014

UNREAL MODE: BREAKING PROTECTED PROCESSES
Alex Ionescu
NSC 2014
Alex Ionescu's Blog
@aionescu

INTRODUCTION

• Windows Vista introduced core changes to the kernel to allow atomic, kernel-driven process creation inside of a "protected environment"
• Used to protect access to the DRM keys and to secure the System process
• Windows 8.1 extends that model in order to protect key non-DRM system processes even from Admin, and to mitigate against pass-the-hash attacks
• Digital signatures and code signing now add an additional boundary of protection beyond load/don't load
• Similar to the iOS Entitlement Model
• Mechanisms change a few core security paradigms:
  • Admin == Kernel is something that Microsoft has sometimes disagreed with, especially in light of PatchGuard, Code Signing and DRM. Now it's really !=
  • Unkillable processes and unstoppable services are now something supported and documented for developer (mis)use

Download: http://www.nosuchcon.org/talks/2014/D3_05_Alex_ionescu_Breaking_protected_processes.pdf