Where is SEC_IMAGE AllocationAttribute ?

Gabriel_Bercea Member - All Emails Posts: 464
I may be asking a stupid question but I believe that AllocationAttributes such as SEC_IMAGE are not present in the minifilter callbacks such as AcquireForSectionSynchronization.
If I am correct then this is pretty sad for security developers, since you can run a process that has been opened with PAGE_READONLY but with SEC_IMAGE set.
Not going into too many details but such techniques are already used in process doppelganging attacks and similar classes of attacks.
I am wondering, if I am right, is anyone from MSFT going to add these flags in some patch to Filter Manager?

Thanks,
Gabriel
www.kasardia.com

Cheers,
Gabriel
