
Detect escalation privileges

newuser159 Member Posts: 3

Hi everyone, I'm a newbie in Windows Security. I want to detect escalation privileges (UM or KM); can anyone give me an idea how to do it?
My solution is checking the process/thread privileges every time it calls a common API like CreateProcess, CreateFile, OpenProcess, ... by hooking. Is it possible?
I think Windows checks process permission when it changes the resource; I think based on this I can scan in real time. Can someone please explain it to me or share any documentation that describes it?

Comments

  • MBond2 Member Posts: 494

    'escalation privileges' is not a standard term in Windows security so it is hard to know what you are asking, but here are some basics

    Windows security is based on security principals, access control lists and privileges

    A security principal is an entity who can act - typically a user or computer account.

    An access control list is a list of security principals or groups that are assigned allow or deny to a set of rights.

    Privileges control special access that isn't covered by ACLs

    Every process and thread has a security token and when a thread calls an API to open a new handle, that security token (which encapsulates a security principal) is used to check the ACL for the right to open a handle to the desired resource with the specified access. Security is not checked when the handle is used. There are many more details, but that's the basic model

    What you might be asking about is UAC. When UAC is active, standard processes are started with security tokens that do not include all of the SIDs that they could, but elevated processes are.

    There are many more details here:

    https://learn.microsoft.com/en-us/windows/win32/secauthz/access-control

    but it should also be noted that the UM / KM boundary is an essential part of enforcing this security model, and that it inherently focuses on UM and network access. It is not designed to protect one KM component from another
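As an added illustration of the token model MBond2 describes (this script is not from the thread or from OSR), the snippet below reports what the current process's token actually contains; run it once from a standard console and once from an elevated one to see the SID and privilege difference UAC makes. It assumes a Windows host with the built-in whoami.exe and the .NET WindowsIdentity class, and it only reads the calling process's own token.

```powershell
# Added example: summarise the access token of the current PowerShell process.
# Assumes Windows, built-in whoami.exe, and .NET's System.Security.Principal types.

function Get-TokenSummary {
    $id  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $pri = New-Object Security.Principal.WindowsPrincipal($id)

    # IsInRole consults the token's *enabled* group SIDs, so a UAC-filtered
    # (non-elevated) token answers $false even for a member of Administrators.
    $elevated = $pri.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)

    # whoami exposes the per-group attributes that WindowsIdentity.Groups does not.
    # In a filtered token BUILTIN\Administrators is marked "Group used for deny only";
    # in an elevated token it is an enabled group.
    $groups = whoami /groups /fo csv | ConvertFrom-Csv
    $admins = $groups | Where-Object { $_.SID -eq 'S-1-5-32-544' }   # BUILTIN\Administrators
    $label  = $groups | Where-Object { $_.Type -eq 'Label' }         # integrity level row

    # Privileges are separate from ACL rights, as the post above explains.
    $privs = whoami /priv /fo csv | ConvertFrom-Csv

    [pscustomobject]@{
        User             = $id.Name
        IntegrityLevel   = $label.'Group Name'
        ElevatedAdmin    = $elevated
        AdminsAttribute  = $(if ($admins) { $admins.Attributes } else { '(not a member)' })
        PrivilegeCount   = @($privs).Count
        EnabledPrivs     = @($privs | Where-Object { $_.State -eq 'Enabled' }).'Privilege Name'
    }
}

Get-TokenSummary | Format-List
```

The token is what the security reference monitor checks when a handle is opened; this script shows its contents but, as the replies note, does not by itself detect anything.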

  • Nathan_Kidd Member - All Emails Posts: 25

    I like that concise summary. I wish I had it when I started working with these things years ago.

  • newuser159 Member Posts: 3

    @Nathan_Kidd said:
    I like that concise summary. I wish I had it when I started working with these things years ago.

    Please let me know a little detail about your experiment or solution for this problem. I look forward to hearing from you.

  • Tim_Roberts Member - All Emails Posts: 14,402

    Please let me know a little detail about your experiment or solution for this problem.

    What problem? As Mr Bond pointed out, your question does not make sense.

    Tim Roberts, [email protected]
    Providenza & Boekelheide, Inc.

  • Mecanik Member Posts: 41

    @newuser159 said:
    Hi everyone, I'm a newbie in Windows Security. I want to detect escalation privileges (UM or KM); can anyone give me an idea how to do it?
    My solution is checking the process/thread privileges every time it calls a common API like CreateProcess, CreateFile, OpenProcess, ... by hooking. Is it possible?
    I think Windows checks process permission when it changes the resource; I think based on this I can scan in real time. Can someone please explain it to me or share any documentation that describes it?

    Short answer: you can't. Not reliably anyway. An escalation of privileges is a bug/flaw in the OS itself and must be fixed by the OS developers. Unfortunately.

