Bypassing the Secure Desktop Protections presented at Thotcon 2015

by Bruno Oliveira, Marcio Almeida Macedo

Abstract: The Secure Desktop is a feature of the Windows API that creates a separate desktop in which to run programs/processes. This feature does not allow processes or programs running on other desktops to capture keystrokes or the screen. The Secure Desktop's primary difference from the User Desktop is that only trusted processes running as SYSTEM are allowed to run there (i.e. nothing running at the user's privilege level), and the path from the User Desktop to the Secure Desktop must also be trusted through the entire chain. Because of this main feature of the Secure Desktop, many applications are developed using this protection, trying to prevent malware from interacting with the user's input (keyloggers) or screen (screenloggers) and in that way providing a secure environment for the application, where the main objective is protecting the end user from those well-known attacks. Like every feature, if it is not well implemented, it can provide a false sense of security. If an application is running on a secure desktop, an attacker can use some tricks to "escape the sandbox" and run malicious programs on the secure desktop; this approach bypasses the "Desktop Isolation Protection," allowing those malicious programs to capture keystrokes or the screen. The main goal of this talk is to present some real-world examples that use the secure desktop and to show how keystrokes can be sniffed or the screen captured on the secured desktops, bypassing the main feature of the Windows secure desktop. We will also discuss some possible solutions/workarounds that developers can apply to their software to avoid our attack.