1
Google Project Zero Windows 2
Windows Windows 3
Windows 4
Windows 5
Windows 6
7
8
Windows 400 WIN32K 1000 9
|  | Windows 7 SP1 | Windows 8.1 | Windows 10 |
|---|---|---|---|
| サービス | 150 | 169 | 196 |
| ドライバ | 238 | 253 | 291 |
|  | Windows 7 SP1 | Windows 8.1 | Windows 10 |
|---|---|---|---|
| Local System | 53.69% | 56.89% | 61.14% |
| Local Service | 32.21% | 31.14% | 28.50% |
| Network Service | 14.09% | 11.98% | 10.36% |
|  | Windows 7 | Windows 8.1 | Windows 10 |
|---|---|---|---|
| 自動 | 30.07% | 26.19% | 24.10% |
| 無効 | 5.23% | 3.57% | 2.05% |
| 手動 | 53.59% | 43.45% | 42.56% |
| 自動 ( 遅延開始 ) | 11.11% | 26.79% | 31.28% |
13
14
// Mozilla (slide 15): the service's main entry point, invoked by the
// Service Control Manager when the service is started.
//
// NOTE(review): argc/argv are the start arguments supplied by whoever
// started the service (the ServiceController example on a later slide
// passes caller-chosen args), so for any principal holding SERVICE_START
// on this service they are untrusted input and should be validated before
// ExecuteServiceCommand acts on them.
void WINAPI SvcMain(DWORD argc, LPWSTR *argv) {
    // ... (service setup elided on the slide)
    ExecuteServiceCommand(argc, argv);
}
16
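// Slide 17: starting an arbitrary service with caller-chosen start
// arguments. Fixes from the slide rendering: args.Length, service.Status
// and service.Start are PascalCase members in .NET, and the
// ServiceController code has to live inside Main (the slide closed the
// method before it).
class Program
{
    static void Main(string[] args)
    {
        if (args.Length < 1)
        {
            Console.WriteLine("Usage: ServiceName args");
            Environment.Exit(1);
        }

        // Any principal holding SERVICE_START on the named service can do
        // this; the full args array (service name included, as on the slide)
        // arrives in the service's SvcMain(argc, argv) unfiltered.
        ServiceController service = new ServiceController(args[0]);
        if (service.Status == ServiceControllerStatus.Stopped)
        {
            service.Start(args);
        }
    }
}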
RPC 18
COM Menu: Registry > Local Services 19
|  | Windows 7 | Windows 8.1 | Windows 10 |
|---|---|---|---|
| 読取り 書込み | 64 | 54 | 52 |
| 読み取りのみ | 6 | 6 | 5 |
\Device\Harddisk1\SomeName NT
\Device\Harddisk1\SomeName NT \Device\Harddisk1 \SomeName
\Device\Harddisk1\SomeName NT \Device\Harddisk1 \SomeName
// Slide 26: three ways a driver can create its device object. They differ
// only in how an open of a name *below* the device (e.g.
// \Device\Harddisk1\SomeName, split as \Device\Harddisk1 + \SomeName on the
// previous slides) is access-checked.
NTSTATUS DriverEntry(DRIVER_OBJECT *DriverObject, ...) {
    // (a) No device characteristics: the device's security descriptor is
    //     applied only when \Device\Name itself is opened; an open with a
    //     trailing path component reaches the driver without that check.
    // IoCreateDevice(DriverObject, 0, Name, FILE_DEVICE_UNKNOWN, 0, TRUE, &DeviceObject);

    // (b) FILE_DEVICE_SECURE_OPEN: the I/O manager applies the same
    //     descriptor to opens that carry a trailing name as well.
    // IoCreateDevice(DriverObject, 0, Name, FILE_DEVICE_UNKNOWN, FILE_DEVICE_SECURE_OPEN, TRUE, &DeviceObject);

    // (c) IoCreateDeviceSecure: an explicit SDDL string supplies the
    //     default security descriptor for the device object.
    // IoCreateDeviceSecure(DriverObject, 0, Name, FILE_DEVICE_UNKNOWN, 0, TRUE, SecuritySddl, NULL, &DeviceObject);
}
Windows Linux OS X Windows Ancillary Function (AFD) \Device\Afd \Device\Afd\Endpoint (>_<) DeviceIoControl
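// Slide 28: connecting a socket by sending the control code straight to the
// Ancillary Function Driver (AFD) with DeviceIoControl, rather than through
// Winsock. hsocket is an open handle to \Device\Afd\Endpoint.
//
// Fixes from the slide: the function body closed before its return
// statement, and the handle was spelled hSocket in the call but hsocket in
// the parameter list.
//
// NOTE(review): 0x00012007 is taken from the slide; presumably the AFD
// connect IOCTL — verify against the AFD definitions before relying on it.
// A network policy that only hooks the Winsock user-mode API does not see
// this path; enforcement has to sit at or below the AFD device (e.g. the
// Windows Filtering Platform) to cover it.
BOOL ConnectSocket(HANDLE hsocket, u_short srcport, const SOCKADDR_IN& inaddr) {
    ConnectData data = { 0 };
    data.sin_family = AF_INET;
    data.sin_port = htons(srcport);
    data.inaddr = inaddr;
    DWORD dwsize = 0;   // bytes returned; the connect IOCTL has no output buffer
    return DeviceIoControl(hsocket, 0x00012007, &data, sizeof(data),
                           nullptr, 0, &dwsize, nullptr);
}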
IP SMB DCE/RPC https://code.google.com/p/google-security-research/issues/detail?id=222 29
IRP_MJ_DEVICE_CONTROL / IRP_MJ_FILE_SYSTEM_CONTROL — Classic IOCTL bugs

IOCTL code bit fields: 30-16 | 15-14 | 12-2 | 1-0

Access (bits 15-14): FILE_ANY_ACCESS = 0, FILE_READ_ACCESS = 1, FILE_WRITE_ACCESS = 2

Method (bits 1-0): METHOD_BUFFERED = 0, METHOD_IN_DIRECT = 1, METHOD_OUT_DIRECT = 2, METHOD_NEITHER = 3
IOCTL Online decoder: https://www.osronline.com/article.cfm?article=229 31
DosDevice \??\C:\SomePath \Device\XYZ\SomePath 32
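// Slide 33: replacing the calling process's DOS device map — the object
// directory that \?? is resolved through — with an arbitrary directory
// handle via NtSetInformationProcess.
//
// Fix from the slide: sizeof(devicemap) named a variable that does not
// exist; the local is DeviceMap.
//
// Every drive letter (\??\C: ...) is looked up through this map, so a
// caller that can point it at a directory of its choosing changes what
// privileged code running in its context opens by DOS name. MS15-111 made
// the kernel reject this information class for sandboxed tokens (see the
// RtlIsSandboxedToken check on slide 35).
const int ProcessDeviceMap = 23;   // PROCESS_INFORMATION_CLASS value

struct PROCESS_DEVICEMAP_INFORMATION {
    HANDLE DirectoryHandle;
};

// Returns true only for STATUS_SUCCESS (0); any other status, including
// warning/informational values, is reported as failure, as on the slide.
bool SetProcessDeviceMap(HANDLE hdir) {
    PROCESS_DEVICEMAP_INFORMATION DeviceMap = {hdir};
    NTSTATUS status = NtSetInformationProcess(
        GetCurrentProcess(), ProcessDeviceMap, &DeviceMap, sizeof(DeviceMap));
    return status == 0;
}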
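// Slide 34 (https://code.google.com/p/google-security-research/issues/detail?id=538):
// a driver whose IOCTL handler creates a symbolic link under \??.
//
// Fixes from the slide: UNICODE_STRINGs are built with RTL_CONSTANT_STRING
// (a wide literal is not assignable to the struct), the stray ':' after the
// target literal, the hdir/hDir spelling, and the missing return value.
//
// \?? is not a fixed directory: the kernel resolves it through the device
// map of the process the request arrives from, so the directory this link
// is created in is chosen by the caller, not by the driver. Defensive
// options: create links under an explicitly named directory, check the
// caller's rights before creating anything on its behalf, or do not expose
// link creation to unprivileged callers at all. MS15-111 (slide 35) blocks
// ProcessDeviceMap for sandboxed tokens but not for ordinary user tokens.
NTSTATUS DoDeviceIoControl(DRIVER_OBJECT *Driver, PIRP Irp) {
    NTSTATUS status = STATUS_SUCCESS;
    // PIO_STACK_LOCATION stack_loc = ...;
    if (stack_loc->deviceiocontrol.iocontrolcode == IOCTL_SOMETHING) {
        UNICODE_STRING name = RTL_CONSTANT_STRING(L"\\??\\C:");
        UNICODE_STRING target = RTL_CONSTANT_STRING(L"\\Device\\Target");
        status = IoCreateSymbolicLink(&name, &target);
    }
    return status;
}

// The user-mode side shown on the same slide (the slide gives the
// statements bare; the wrapper function is constructed here): open
// \GLOBAL?? with nothing more than DIRECTORY_TRAVERSE and install it as
// the process's device map before issuing the IOCTL above.
static void InstallGlobalDeviceMap() {
    HANDLE hDir;
    UNICODE_STRING name = RTL_CONSTANT_STRING(L"\\GLOBAL??");
    OBJECT_ATTRIBUTES ObjAttr;
    InitializeObjectAttributes(&ObjAttr, &name, 0, NULL, NULL);
    NtOpenDirectoryObject(&hDir, DIRECTORY_TRAVERSE, &ObjAttr);
    SetProcessDeviceMap(hDir);
}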
MS15-111 if (ProcessInformationClass == ProcessDeviceMap) { if (RtlIsSandboxedToken(NULL)) { return STATUS_ACCESS_DENIED; } return ObSetDeviceMap(ProcessHandle, DirectoryHandle); } 35
36
: C: MS15-038 DLL OBJ_IGNORE_IMPERSONATED_DEVICEMAP DLL https://code.google.com/p/google-security-research/issues/detail?id=240 37
DLL 38
| フラグ名 | 値 | 解説 |
|---|---|---|
| OBJ_CASE_INSENSITIVE | 0x0040 | システムが大文字小文字を識別するように設定された場合に興味深い ( デフォルトは NO) |
| OBJ_OPENLINK | 0x0100 | Opens a link — オブジェクトを開く。レジストリキーのシンボリックリンクを開くことに使用 |
| OBJ_KERNEL_HANDLE | 0x0200 | カーネルモードで設定されなかったら、ハンドルを現行のプロセスに対してさらす |
| OBJ_FORCE_ACCESS_CHECK | 0x0400 | カーネルモードで設定されなかったら、リソースをセキュリティチェック無しで開く |
| OBJ_IGNORE_IMPERSONATED_DEVICEMAP | 0x0800 | なりすまされたデバイスマップを無視する |
ACL 3 1 ( ) Owner Group DACL 40
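// Slide 41: reverse-engineered sketch of how the kernel hands out a token's
// device map (pseudo-code as on the slide, not compilable as written). The
// first lookup for a logon session creates
// \Sessions\0\DosDevices\<authid.high>-<authid.low> with OBJ_KERNEL_HANDLE
// and attaches it to the logon session; later callers receive the cached map.
//
// Fixes from the slide: the function fell off the end without returning an
// NTSTATUS, and the logon-session field was spelled two ways.
//
// NOTE(review): the directory is created in the context of the first caller
// for that logon session; its owner and DACL (the following slide's topic)
// decide who may later add links that every process in the session resolves
// \?? through — confirm against the live object (WinObj) before relying on it.
NTSTATUS SeGetTokenDeviceMap(TOKEN *token, DEVICE_MAP **device_map) {
    NTSTATUS status = STATUS_SUCCESS;
    if (!token->logonsession->pdevicemap) {
        swprintf_s(&SourceString, L"\\Sessions\\0\\DosDevices\\%08x-%08x",
                   token->authenticationid.highpart,
                   token->authenticationid.lowpart);
        InitializeObjectAttributes(&ObjectAttributes, SourceString, OBJ_KERNEL_HANDLE, ...);
        status = ZwCreateDirectoryObject(&DirectoryHandle, DIRECTORY_ALL_ACCESS, &ObjectAttributes);
        // Only attach a directory that was actually created.
        if (NT_SUCCESS(status)) {
            ObSetDirectoryDeviceMap(&token->logonsession, DirectoryHandle);
        }
    }
    *device_map = token->logonsession->pdevicemap;
    return status;
}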
Owner DACL 1. (S4U ) 2. 3. 42
Win32 Win32 API API COM1 -> \??\COM1 NUL -> \??\NUL c:\somepath\yourfile 43
Windows Linux OSX Linux OSX... Windows... 44
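// Slide 45: path canonicalisation differences (directories A, B, C).
//
//   Path            Linux/OSX   Windows
//   A/B/C           Valid       Valid
//   A/B/C/../../B   Valid       Valid
//   A/B/D/../C      Invalid     Valid     (D need not exist)
//   A/B/D /../C     Invalid     Valid     (trailing space dropped)
//
// Win32 collapses the `app.exe" \..\..` components before the file is ever
// opened, so CheckSig is asked about one file while CreateProcess, which
// takes the first double-quoted token of the command line as the image,
// starts another. Do not split a path between a check and a use through two
// different parsers; check the canonical path you are about to execute.
//
// Fix from the slide: snprintf was missing its size argument.
const char* path = "c:\\my\\app.exe\" \\..\\..\\windows\\notepad.exe";
char cmdline[MAX_PATH * 2];
if (CheckSig(path)) {
    snprintf(cmdline, sizeof(cmdline), "\"%s\" arg", path);
    CreateProcess(NULL, cmdline, ...);
}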
NTFS 46
47
Windows 48
Windows NULL 49
50
UAC c:\windows\ app.exe c:\windows\tracing\ app.exe 51
c:\windows\ app.exe c:\windows\tracing\ app.exe ALLOWED BANNED 52
AiCheckSecureApplicationDirectory C:\Windows C:\Windows c:\windows\ malicious.exe c:\windows\???? 53
NTFS c:\windows\ tracing:malicious.exe ALLOWED FILE_WRITE_DATA/FILE_ADD_FILE Windows 10 Windows 8.1 54
Windows Windows 2000 2000 2 17 NTFS Windows Vista 2006 11 30 NTFS Windows NT 3.1 1993 7 27 55
NTFS 56
C:\Windows\Temp C:\ProgramData 57
58
Tools:

- SysInternals Process Explorer, Process Monitor, WinObj
- WinDBG
- Rohitab API Monitor (http://www.rohitab.com/apimonitor)
- RPCView (http://www.rpcview.org/)
- OleView.NET (https://github.com/tyranid/oleviewdotnet)
- Sandbox Analysis Tools (https://github.com/google/sandbox-attacksurface-analysis-tools)
- IDA Pro
60