Loading DLL into system process problem on Windows 8

Michael_Grabelkovsky-1 Member Posts: 33
I have a driver which loads a DLL inside processes. It uses LdrLoadDll() and everything works great under Windows 7 - my DLL is loaded into just about any process.

The problem started with Windows 8.
Ordinary processes are loaded.
But when I try to load the DLL inside services.exe the following message appears in WinDbg:

[\Device\HarddiskVolume2\Program Files\XYZ\XYZ\Client\bin\XYZDll.dll]:[\Device\HarddiskVolume2\Windows\System32\services.exe] 0x8 > 0x1
******************************************************************
* This break indicates this binary is not signed correctly: \Device\HarddiskVolume2\Program Files\XYZ\XYZ\Client\bin\XYZDll.dll
* and does not meet the system policy.
* The binary was attempted to be loaded in the process: \Device\HarddiskVolume2\Windows\System32\services.exe
* This is not a failure in CI, but a problem with the failing binary.
* Please contact the binary owner for getting the binary correctly signed.
******************************************************************
Code Integrity violation: 1068

I found its description on Microsoft's site: https://msdn.microsoft.com/en-us/library/windows/hardware/dn756632(v=vs.85).aspx

From it, it follows that the DLL has to be signed as "0x8 = Microsoft signed".
Moreover, a "Windows signed" certificate can't be used!?!
I signed the DLL with my test certificate, which I use for the driver; it does not help.

Questions:
1. What does a "Microsoft signed" certificate mean? As I understand from the source above, it is not the same as a "Windows signed" certificate. How may I acquire a Microsoft certificate?
2. Does another way of loading the DLL exist that avoids the named problem?
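The WinDbg line quoted above packs the decision into two numbers: the signing level the target process demands (0x8) and the level Code Integrity assigned to the DLL (0x1). The C program below is an editor's added example, not code from this thread; it decodes such a line, names both levels using the SE_SIGNING_LEVEL_* values from the Windows SDK headers, and applies the "allowed only if the binary's level reaches the required level" rule, which is an assumption drawn from the message's wording rather than a statement on the page.

```c
/* Added example: decode a Code Integrity break line of the form
 *   [binary]:[process] 0xREQUIRED > 0xACTUAL
 * Level names follow the SE_SIGNING_LEVEL_* constants in winnt.h. */
#include <stdio.h>
#include <string.h>

static const char *level_names[16] = {
    "UNCHECKED", "UNSIGNED", "ENTERPRISE", "DEVELOPER",
    "AUTHENTICODE", "CUSTOM_2", "STORE", "ANTIMALWARE",
    "MICROSOFT", "CUSTOM_4", "CUSTOM_5", "DYNAMIC_CODEGEN",
    "WINDOWS", "CUSTOM_7", "WINDOWS_TCB", "CUSTOM_6"
};

const char *signing_level_name(unsigned level) {
    return level < 16 ? level_names[level] : "UNKNOWN";
}

struct ci_break {
    char binary[260];    /* native path of the module being loaded */
    char process[260];   /* native path of the (protected) host process */
    unsigned required;   /* level the process's protection demands */
    unsigned actual;     /* level CI assigned to the binary's signature */
};

/* Parse one WinDbg line; returns 1 on success, 0 if the line does not match. */
int parse_ci_break(const char *line, struct ci_break *out) {
    memset(out, 0, sizeof *out);
    int n = sscanf(line, "[%259[^]]]:[%259[^]]] %x > %x",
                   out->binary, out->process, &out->required, &out->actual);
    return n == 4;
}

/* Assumed rule: CI admits the binary only when its level meets the requirement. */
int ci_load_allowed(const struct ci_break *b) {
    return b->actual >= b->required;
}

int main(void) {
    /* Constructed sample, same shape as the line in the question above. */
    const char *line = "[\\Device\\HarddiskVolume2\\Program Files\\XYZ\\XYZ\\Client"
                       "\\bin\\XYZDll.dll]:[\\Device\\HarddiskVolume2\\Windows"
                       "\\System32\\services.exe] 0x8 > 0x1";
    struct ci_break b;
    if (!parse_ci_break(line, &b)) return 1;
    printf("%s requires %s (0x%x); DLL is %s (0x%x): %s\n", b.process,
           signing_level_name(b.required), b.required,
           signing_level_name(b.actual), b.actual,
           ci_load_allowed(&b) ? "allowed" : "rejected");
    return 0;
}
```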

Comments

  • Aleh_Kazakevich Member Posts: 74
    > Michael Grabelkovsky wrote:
    >
    > The problem started from Windows 8.
    > Ordinary processes are loaded.
    > But when I try to load DLL inside services.exe the following message is in
    > WinDbg:
    > ...

    This is part of the Windows 8.1 security model called 'Protected Processes Light' (PPL).
    More details can be found in Alex Ionescu's blog:

    The Evolution of Protected Processes Part 1: Pass-the-Hash Mitigations in Windows 8.1
    http://www.alex-ionescu.com/?p=97

    The Evolution of Protected Processes Part 2: Exploit/Jailbreak Mitigations, Unkillable Processes and Protected Services
    http://www.alex-ionescu.com/?p=116

    Protected Processes Part 3 : Windows PKI Internals (Signing Levels, Scenarios, Root Keys, EKUs & Runtime Signers)
    http://www.alex-ionescu.com/?p=146

    > It use LdrLoadDll() and everything works great under Windows 7 - my DLL
    > is loaded about to any process.

    This is not true. On Windows 7 and even on Windows Vista your DLL-injecting
    mechanism will not work for Vista-style protected processes like audiodg.exe.
    Open the system event log ('Security') and you will find a number of 'Audit
    Failure' messages with similar 'symptoms' that reference your
    'wrongly-signed' DLL.

    You may resolve part of these problems if you sign your DLL with a proper
    cross-certificate (like a kernel-mode driver) with the /INTEGRITYCHECK and
    /ph (page hashes) options, but you cannot bypass the Windows security model
    (or, think about allocating executable memory and placing base-independent
    code there instead of calling LdrLoadDll/LoadLibrary/etc).

    Another solution is calling 'PsIsProtectedProcess' (Vista+) and
    'PsIsProtectedProcessLight' (Win8.1+) to detect and skip protected processes.
  • Aleh,
    Thanks a lot for the really interesting information and references.
    Now I at least understand the subject and the problem.

    Unfortunately your recommendations (/INTEGRITYCHECK + /ph) are not sufficient - they don't help.

    Skipping protected processes is not the goal. If I don't succeed in instrumenting them, they load and start - no problem.