WFP firewall filter protection

Hello everyone,

The filter of my WFP firewall can be deleted by other programs running by Administrators. After filter deletion my firewall will not work at all.

The deletion procedure will be like this:

  1. enumerate provider keys by using function FwpmProviderEnum, then find interested provider.

  2. delete filters associated with this provider by using function FilterDeleteByKey.

If I don’t want my firewall’s filters to be deleted by other programs, what should I do?

I thought about hiding my firewall’s provider key, so that it could not be found in step 1. Certainly my firewall filters will not be deleted by step 2, because the provider key is not revealed. But how to hide provider, I have no idea.

How to protect my firewall’s filters? Thanks for your ideas in advance. Very appreciated!
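Whatever the answer about administrators turns out to be, a firewall vendor can at least notice when its filters disappear and find out which account removed them. The following PowerShell script is an added example and is not code from the thread or from any of the posters: it dumps the current WFP filter set with `netsh wfp show filters`, counts the filters that still belong to a given provider key, and then lists the Security-log events that record filter changes. It assumes the XML layout that `netsh wfp show filters` writes (`wfpdiag/filters/item` elements with `providerKey` and `displayData/name` children), the audit subcategory "Filtering Platform Policy Change" with event ID 5447 ("A Windows Filtering Platform filter has been changed"), and that the event message text names the provider and the change type; the provider key and expected filter count are placeholder parameters.

```powershell
# Added example (not from the thread): check that a provider's WFP filters are still present
# and surface the Security-log events that record who changed WFP filters.
# Assumptions: XML layout of "netsh wfp show filters" (wfpdiag/filters/item), audit subcategory
# "Filtering Platform Policy Change", event ID 5447 message containing the provider name and a
# "Change Type" field. Run from an elevated PowerShell session.
param(
    # Provider key GUID registered by your firewall with FwpmProviderAdd0. Placeholder value.
    [string]$ProviderKey = '{00000000-0000-0000-0000-000000000000}',
    # Display name of that provider as it appears in the audit event. Placeholder value.
    [string]$ProviderName = 'Example Firewall Provider',
    # Number of filters the firewall installs under that provider.
    [int]$ExpectedFilterCount = 2
)

# 1. Ensure WFP policy changes are audited (idempotent; requires elevation).
auditpol /set /subcategory:"Filtering Platform Policy Change" /success:enable /failure:enable | Out-Null

# 2. Dump the live filter set and count the filters still attached to our provider.
$dump = Join-Path $env:TEMP 'wfp-filters.xml'
netsh wfp show filters file="$dump" | Out-Null
[xml]$doc = Get-Content -Path $dump -Raw
# String comparison with -eq is case-insensitive, so GUID casing in the dump does not matter.
$mine = @($doc.wfpdiag.filters.item | Where-Object { $_.providerKey -eq $ProviderKey })

if ($mine.Count -lt $ExpectedFilterCount) {
    Write-Warning ("Only {0} of {1} expected filters present for provider {2}" -f `
        $mine.Count, $ExpectedFilterCount, $ProviderKey)
    $mine | ForEach-Object { Write-Host ("  still present: {0}" -f $_.displayData.name) }
} else {
    Write-Host ("All {0} filters present for provider {1}" -f $mine.Count, $ProviderKey)
}

# 3. List recent filter changes touching our provider. Event 5447 carries the calling user and
#    process ID, so a deletion by another administrative tool is attributable after the fact.
$since = (Get-Date).AddHours(-24)
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 5447; StartTime = $since } -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match [regex]::Escape($ProviderName) } |
    Select-Object TimeCreated,
        @{ n = 'ChangeType'; e = { if ($_.Message -match 'Change Type:\s*(\S+)') { $Matches[1] } else { '?' } } },
        @{ n = 'User';       e = { if ($_.Message -match 'Account Name:\s*(\S+)') { $Matches[1] } else { '?' } } } |
    Format-Table -AutoSize
```

Scheduling this as a periodic task, or running it from the firewall's own service, turns a silent loss of filtering into a logged, attributable event; it does not stop an administrator from removing the filters, which is the point the replies below make, but it closes the gap where the firewall simply "will not work at all" without anyone knowing why.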

You cannot protect anything from the administrator

wrote in message news:xxxxx@ntdev…
> Hello everyone,
>
> The filter of my WFP firewall can be deleted by other programs running by Administrators. After filter deletion my firewall will not work at all.
>
> The deletion procedure will be like this:
>
> 1. enumerate provider keys by using function FwpmProviderEnum, then find interested provider.
>
> 2. delete filters associated with this provider by using function FilterDeleteByKey.
>
> If I don’t want my firewall’s filters to be deleted by other programs, what should I do?
>
> I thought about hiding my firewall’s provider key, so that it could not be found in step 1. Certainly my firewall filters will not be deleted by step 2, because the provider key is not revealed. But how to hide provider, I have no idea.
>
> How to protect my firewall’s filters? Thanks for your ideas in advance. Very appreciated!
>

Thanks for your reply Maxim,

I understand that it’s not easy to protect something from administrator.

Currently I am wondering about protecting at the process level, which means only my firewall process can add and delete my firewall’s filters.

Do you think it is possible? Thanks.

xxxxx@gmail.com wrote:

Thanks for your reply Maxim,

I understand that it’s not easy to protect something from administrator.

Currently I am wondering about protecting at the process level, which means only my firewall process can add and delete my firewall’s filters.

Do you think it is possible?

That doesn’t change the question. Everything is a process. If the process has administrator privileges, it can read and write other processes’ memory.


Tim Roberts, xxxxx@probo.com
Providenza & Boekelheide, Inc.

Tim and Max, please note that the addition of PPLs and VTL1 changes this old-school thinking and paradigm. I dare you to write an admin process that can write to the memory of SMSS.EXE in Windows 8.1. Or to LSAISO.EXE in Windows 10.

Platform security has advanced beyond the XP days guys :)


Best regards,
Alex Ionescu

> Tim and Max, please note that the addition of PPLs and VTL1

Sorry, what are PPLs and VTL1? site:msdn.microsoft.com does not provide any hits. Same with TechNet.

> I dare you to write an admin process that can write to the memory of SMSS.EXE in Windows 8.1. Or to LSAISO.EXE in Windows 10.

SeTcbPrivilege? SeDebugPrivilege?


Maxim S. Shatskih
Microsoft MVP on File System And Storage
xxxxx@storagecraft.com
http://www.storagecraft.com

Hello Maxim,

I think PPL stands for Protected Process Light and you can see some details about them here http://www.alex-ionescu.com/?p=146 and here http://www.nosuchcon.org/talks/2014/D3_05_Alex_ionescu_Breaking_protected_processes.pdf

Maxim,

You can find official documentation on Protected Process Light from Microsoft here:

https://msdn.microsoft.com/en-us/library/windows/desktop/dn313124(v=vs.85).aspx

And my blog for unofficial information.

SeDebugPrivilege and SeTcbPrivilege do not grant access. No user-mode process that is not protected, and at the right level, can touch such processes (but kernel still can).

VTL1 is Virtual Trust Level 1.

You can find ‘official’ information on this on Channel 9: https://channel9.msdn.com/Blogs/Seth-Juarez/Isolated-User-Mode-in-Windows-10-with-Dave-Probert

No code, not even in Ring 0, can touch VTL 1 user-mode code.

I also gave a talk at BlackHat, slides will be posted at some point.


Best regards,
Alex Ionescu

I’ve been waiting for your BH slides since BH. So hopefully “at some point” won’t be too much longer.

On Mon, Sep 28, 2015 at 5:49 PM, wrote:

> Maxim,
>
> You can find official documentation on Protected Process Light from
> Microsoft here:
>
>
> https://msdn.microsoft.com/en-us/library/windows/desktop/dn313124(v=vs.85).aspx
>
> And my blog for unofficial information.
>
> SeDebugPrivilege and SeTcbPrivilege do not grant access. No user-mode
> process that is not protected, and at the right level, can touch such
> processes (but kernel still can).
>
> VTL1 is Virtual Trust Level 1.
>
> You can find ‘official’ information on this on Channel 9:
> https://channel9.msdn.com/Blogs/Seth-Juarez/Isolated-User-Mode-in-Windows-10-with-Dave-Probert
>
> No code, not even in Ring 0, can touch VTL 1 user-mode code.
>
> I also gave a talk at BlackHat, slides will be posted at some point.
>
> –
> Best regards,
> Alex Ionescu
>
> —
> NTDEV is sponsored by OSR
>
> Visit the list at: http://www.osronline.com/showlists.cfm?list=ntdev
>
> OSR is HIRING!! See http://www.osr.com/careers
>
> For our schedule of WDF, WDM, debugging and other seminars visit:
> http://www.osr.com/seminars
>
> To unsubscribe, visit the List Server section of OSR Online at
> http://www.osronline.com/page.cfm?name=ListServer
>