
Loading DLL into system process problem on Windows 8

Michael_Grabelkovsky-1 Member Posts: 33
I have a driver which loads a DLL inside processes. It uses LdrLoadDll() and everything works great under Windows 7: my DLL is loaded into just about any process.

The problem started with Windows 8.
Ordinary processes are loaded.
But when I try to load the DLL inside services.exe, the following message appears in WinDbg:

[\Device\HarddiskVolume2\Program Files\XYZ\XYZ\Client\bin\XYZDll.dll]:[\Device\HarddiskVolume2\Windows\System32\services.exe] 0x8 > 0x1
******************************************************************
* This break indicates this binary is not signed correctly: \Device\HarddiskVolume2\Program Files\XYZ\XYZ\Client\bin\XYZDll.dll
* and does not meet the system policy.
* The binary was attempted to be loaded in the process: \Device\HarddiskVolume2\Windows\System32\services.exe
* This is not a failure in CI, but a problem with the failing binary.
* Please contact the binary owner for getting the binary correctly signed.
******************************************************************
Code Integrity violation: 1068

I found its description on Microsoft https://msdn.microsoft.com/en-us/library/windows/hardware/dn756632(v=vs.85).aspx

From it, it follows that the DLL has to be signed as "0x8 = Microsoft signed".
Moreover, a "Windows signed" certificate can't be used!?!
I signed the DLL with the test certificate which I use for the driver; it does not help.

Questions:
1. What does a "Microsoft signed" certificate mean? As I understand from the source above, it is not the same as a "Windows signed" certificate. How may I acquire a Microsoft certificate?
2. Does another way of loading the DLL exist that avoids the named problem?

Comments

  • Aleh_Kazakevich Member Posts: 74
    > Michael Grabelkovsky wrote:
    >
    > The problem started from Windows 8.
    > Ordinary processes are loaded.
    > But when I try to load DLL inside services.exe the following message is in
    > WinDbg:
    > ...

    This is a part of the Windows 8.1 security model called 'Protected Processes Light' (PPL).
    More details can be found in Alex Ionescu's blog:

    The Evolution of Protected Processes Part 1: Pass-the-Hash Mitigations in Windows 8.1
    http://www.alex-ionescu.com/?p=97

    The Evolution of Protected Processes Part 2: Exploit/Jailbreak Mitigations, Unkillable Processes and Protected Services
    http://www.alex-ionescu.com/?p=116

    Protected Processes Part 3 : Windows PKI Internals (Signing Levels, Scenarios, Root Keys, EKUs & Runtime Signers)
    http://www.alex-ionescu.com/?p=146

    > It use LdrLoadDll() and everything works great under Windows 7 - my DLL
    > is loaded about to any process.

    This is not true. On Windows 7 and even on Windows Vista your DLL injection
    mechanism will not work for the Vista-style protected processes like audiodg.exe.
    Open the system event log ('security') and you will find some number of 'Audit
    Failure' messages with similar 'symptoms' that refer to your
    'wrongly-signed' DLL.

    You may resolve part of these problems if you sign your DLL with a proper
    cross-certificate (like a kernel-mode driver) with the /INTEGRITYCHECK and
    /ph (page hashes) options, but you cannot bypass the Windows security model
    (or think about allocating executable memory and placing base-independent
    code there instead of calling LdrLoadDll/LoadLibrary/etc.).

    Another solution is calling 'PsIsProtectedProcess' (Vista+) and
    'PsIsProtectedProcessLight' (Win8.1+) to detect and skip protected processes.
  • Aleh,
    Thanks a lot for the really interesting information and references.
    Now I at least understand the subject and the problem.

    Unfortunately your recommendations (/INTEGRITYCHECK + /ph) are not sufficient; they don't help.

    Skipping protected processes is not the goal. If I don't succeed in instrumenting them, they load and start; no problem.
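As an added example (not code from the thread or from either poster), here is a small Python helper that decodes the first line of the Code Integrity break quoted in the question into signing levels, so that someone triaging such WinDbg or event-log output can see which level the policy demands for the target process and which level the image actually carries. It assumes the two hex values are the required and achieved SE_SIGNING_LEVEL values, as the poster reads them (0x8 = Microsoft signed), uses the level names from winnt.h, and the sample line is constructed with placeholder paths.

```python
import re

# Level names follow the SE_SIGNING_LEVEL_* constants in winnt.h.
SIGNING_LEVELS = {
    0x0: "UNCHECKED", 0x1: "UNSIGNED", 0x2: "ENTERPRISE", 0x3: "CUSTOM_1/DEVELOPER",
    0x4: "AUTHENTICODE", 0x5: "CUSTOM_2", 0x6: "STORE", 0x7: "CUSTOM_3/ANTIMALWARE",
    0x8: "MICROSOFT", 0x9: "CUSTOM_4", 0xA: "CUSTOM_5", 0xB: "DYNAMIC_CODEGEN",
    0xC: "WINDOWS", 0xD: "CUSTOM_7", 0xE: "WINDOWS_TCB", 0xF: "CUSTOM_6",
}

# Assumption: the first line of the CI break has the shape
#   [<image path>]:[<process path>] <required level> > <level the image achieved>
CI_LINE = re.compile(
    r"^\[(?P<image>[^\]]+)\]:\[(?P<process>[^\]]+)\]\s*"
    r"(?P<required>0x[0-9A-Fa-f]+)\s*>\s*(?P<actual>0x[0-9A-Fa-f]+)\s*$"
)


def parse_ci_violation(line):
    """Return a dict describing the violation, or None if the line is not one."""
    m = CI_LINE.match(line.strip())
    if m is None:
        return None
    required, actual = int(m["required"], 16), int(m["actual"], 16)
    return {
        "image": m["image"],
        "process": m["process"],
        "required": required,
        "required_name": SIGNING_LEVELS.get(required, "UNKNOWN"),
        "actual": actual,
        "actual_name": SIGNING_LEVELS.get(actual, "UNKNOWN"),
        "blocked": actual < required,  # CI refuses the load when the image falls short
    }


def satisfies(candidate_level, record):
    """Would an image re-signed to candidate_level pass the policy in record?"""
    return candidate_level >= record["required"]


def explain(record):
    verdict = "blocked" if record["blocked"] else "allowed"
    return (f"{record['image']} -> {record['process']}: {verdict}; policy requires "
            f"{record['required_name']} (0x{record['required']:X}), image carries "
            f"{record['actual_name']} (0x{record['actual']:X})")


# Constructed sample, modelled on the break shown in the thread (placeholder paths).
SAMPLE = (r"[\Device\HarddiskVolume2\Program Files\XYZ\Client\bin\XYZDll.dll]:"
          r"[\Device\HarddiskVolume2\Windows\System32\services.exe] 0x8 > 0x1")

if __name__ == "__main__":
    print(explain(parse_ci_violation(SAMPLE)))
```

Passing 0x4 (an ordinary Authenticode/cross-signed image) to satisfies() against the sample record shows why re-signing with a third-party certificate does not close the gap the thread describes.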