Best strategy to determine if a binary file is being executed from a "user writable" location

NTFSD
1

I am working on yet-another app control PoC and am pretty happy with the results so far.

I am however not sure about the best way to go when it comes to detecting if the PE image is being mapped for execution from a location where non-admin user have write access. It seems I can check the security descriptor in IRP_MJ_CREATE but there i can’t really (or easily) tell whether the file is a PE file and whether it will be loaded for exec.

In my mini-filter driver, I also have pre/post for IRP_MJ_CREATE and IRP_MJ_ACQUIRE_FOR_SECTION_SYNCHRONIZATION, plus process and image callbacks. Is checking the SD against the user token when its image gets mapped (for section sync) correct?

my needs:

. Apply policy X if exe is run from user-writable location. policy could be evaluated during process creation or image load callbacks
. Apply policy Y if DLL is loaded from user-writable location. policy could be evaluated during callbacks, or perhaps even during IRP_MJ_ACQUIRE_FOR_SECTION_SYNCHRONIZATION

thank you in advance for any tip/suggestion.

Marco

2

My feeling is that you are going to have problems with “Apps”. IIRC These can be installed by anyone and are installed to the users’ programdata.

Knowing enough to know that the NT security model is pretty complicated I would BF&I it - on every open for execute I would (in post create) try to open for write with the “don’t check sharing” and the “force security check” bits set (checking for non elevated users only if you wish). If it succeeds then mark the StreamContext appropriately.

Then do a lookup wherever you feel like it. You could even detect that the file **had **been opened for execute.

But that really is brute force and ignorance

3

Thanks Rod,

using a stream context would indeed work well but I need to see how it would affect the current design.

I am also thinking about TOCTOU scenarios where the attacker could write a file to disk, change the SD and then run it. I may also have to check the file owner and who knows what else.

anyway, thanks for the suggestion.

Marco