Unknown Known DLLs and other Code Integrity Trust Violations, presented at Recon Montreal 2018

by Alex Ionescu and James Forshaw

Summary: This talk will go over a number of code integrity technologies in Windows, their implementation and guarantees, and the various system components that take dependencies on them. Numerous flaws in the robustness of code integrity checks against a privileged Administrator will be shown, and we'll be hustling backwards to showcase a few demos and their implications for vendors and users taking similar dependencies (as well as for the OS's own components). To mount our attacks, we'll be visiting a plethora of Windows Internals concepts, such as Protected Processes and their Light brethren, Trust SIDs and Trust ACEs, Trust Links in Tokens, Known DLLs and Section Object Mappings, as well as NTFS Extended Attributes and the USN Change Journal. The talk focuses on the implications for Anti-Cheat, Anti-Malware, Licensing (Anti-User) and Anti-Exploit technologies.