Loading DLL into system process problem on Windows 8

I have a driver which loads a DLL inside processes. It uses LdrLoadDll() and everything works great under Windows 7 - my DLL is loaded into just about any process.

The problem started with Windows 8.
Ordinary processes are loaded.
But when I try to load the DLL inside services.exe, the following message appears in WinDbg:

[\Device\HarddiskVolume2\Program Files\XYZ\XYZ\Client\bin\XYZDll.dll]:[\Device\HarddiskVolume2\Windows\System32\services.exe] 0x8 > 0x1
******************************************************************
* This break indicates this binary is not signed correctly: \Device\HarddiskVolume2\Program Files\XYZ\XYZ\Client\bin\XYZDll.dll
* and does not meet the system policy.
* The binary was attempted to be loaded in the process: \Device\HarddiskVolume2\Windows\System32\services.exe
* This is not a failure in CI, but a problem with the failing binary.
* Please contact the binary owner for getting the binary correctly signed.
******************************************************************
Code Integrity violation: 1068

I found its description on Microsoft's site: https://msdn.microsoft.com/en-us/library/windows/hardware/dn756632(v=vs.85).aspx

It follows from this that the DLL has to be signed as “0x8 = Microsoft signed”.
Moreover, a “Windows signed” certificate can’t be used!?!
I signed the DLL with my test certificate, which I use for the driver, but it does not help.

Questions:

  1. What does a “Microsoft signed” certificate mean? As I understand from the source above, it is not the same as a “Windows signed” certificate. How can I acquire a Microsoft certificate?
  2. Is there another way to load the DLL and avoid this problem?

> Michael Grabelkovsky wrote:

> The problem started with Windows 8.
> Ordinary processes are loaded.
> But when I try to load the DLL inside services.exe, the following message appears in WinDbg:

This is a part of the Windows 8.1 security model called ‘Protected Processes Light’ (PPL).
More details can be found in Alex Ionescu’s blog:

The Evolution of Protected Processes Part 1: Pass-the-Hash Mitigations in Windows 8.1
http://www.alex-ionescu.com/?p=97

The Evolution of Protected Processes Part 2: Exploit/Jailbreak Mitigations, Unkillable Processes and Protected Services
http://www.alex-ionescu.com/?p=116

Protected Processes Part 3 : Windows PKI Internals (Signing Levels, Scenarios, Root Keys, EKUs & Runtime Signers)
http://www.alex-ionescu.com/?p=146

> It uses LdrLoadDll() and everything works great under Windows 7 - my DLL
> is loaded into just about any process.

This is not true. On Windows 7 and even on Windows Vista your DLL injection
mechanism will not work for Vista-style protected processes like audiodg.exe.
Open the system event log (‘security’) and you will find a number of ‘Audit
Failure’ messages with similar ‘symptoms’ that refer to your
‘wrongly-signed’ DLL.

You may resolve some of these problems if you sign your DLL with a proper
cross-certificate (like a kernel-mode driver) with the /INTEGRITYCHECK and
/ph (page hashes) options, but you cannot bypass the Windows security model
(or, think about allocating executable memory and placing base-independent
code there instead of calling LdrLoadDll/LoadLibrary/etc).

Another solution is to call ‘PsIsProtectedProcess’ (Vista+) and
‘PsIsProtectedProcessLight’ (Win8.1+) to detect and skip protected processes.

Aleh,
Thanks a lot for really interesting information and references.
Now I at least understand the subject and the problem.

Unfortunately, your recommendations (/INTEGRITYCHECK + /ph) are not sufficient - they don’t help.

Skipping protected processes is not the goal. If I don’t succeed at instrumentation, they load and start - no problem.
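
An added example, not part of the original thread: a triage parser for the Code Integrity break text quoted in the first post, pairing each rejected image with its target process and the two signing levels. The level names are the SE_SIGNING_LEVEL_* constants from winnt.h; reading the left number as the level the process requires and the right as the level the image validated at is an assumption, and the second sample entry (with hypothetical paths) is constructed.

```python
import re

# SE_SIGNING_LEVEL_* names from winnt.h; unlisted values are custom slots.
LEVELS = {0x0: "Unchecked", 0x1: "Unsigned", 0x2: "Enterprise",
          0x4: "Authenticode", 0x6: "Store", 0x7: "Antimalware",
          0x8: "Microsoft", 0xC: "Windows", 0xE: "Windows TCB"}
HEADER = re.compile(r"^\[(?P<image>.+?)\]:\[(?P<process>.+?)\]\s+"
                    r"0x(?P<req>[0-9a-fA-F]+)\s*>\s*0x(?P<got>[0-9a-fA-F]+)$")
CODE = re.compile(r"^Code Integrity violation:\s*(\d+)$")

def level_name(value):
    return LEVELS.get(value, "custom/unknown 0x%x" % value)

def parse_ci_breaks(log_text):
    """Return one record per Code Integrity break in debugger output."""
    records, current = [], None
    for line in log_text.splitlines():
        line = line.strip()
        m = HEADER.match(line)
        if m:
            # Assumption: left value is the level the process requires,
            # right value is the level the image validated at.
            current = {"image": m["image"], "process": m["process"],
                       "required": int(m["req"], 16),
                       "actual": int(m["got"], 16), "violation": None}
            records.append(current)
            continue
        m = CODE.match(line)
        if m and current is not None:
            current["violation"] = int(m.group(1))
            current = None  # the violation line closes this break
    return records

def summarize(records):
    """Group rejected images by target process, with readable level names."""
    out = {}
    for r in records:
        proc = r["process"].rsplit("\\", 1)[-1].lower()
        out.setdefault(proc, []).append((r["image"].rsplit("\\", 1)[-1],
            level_name(r["required"]), level_name(r["actual"]), r["violation"]))
    return out

# Constructed sample: the break from the post, then a made-up, truncated one.
SAMPLE = r"""
[\Device\HarddiskVolume2\Program Files\XYZ\XYZ\Client\bin\XYZDll.dll]:[\Device\HarddiskVolume2\Windows\System32\services.exe] 0x8 > 0x1
* and does not meet the system policy.
Code Integrity violation: 1068
[\Device\HarddiskVolume2\Temp\example.dll]:[\Device\HarddiskVolume2\Example\example_host.exe] 0xc > 0x4
"""
```

Calling `summarize(parse_ci_breaks(text))` on a saved debugger log gives, per target process, the image name, the required and actual level names, and the violation code (or `None` when the capture was cut off before that line).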