This document discusses Windows Vista's User Interface Privilege Isolation (UIPI) security feature. It covers UIPI initialization, how processes, threads and window messages are handled under UIPI. It describes functions like InitUIPI(), xxxInitProcessInfo(), xxxInitThreadInfo() and how they relate to UIPI. The document also discusses special cases like how the CSRSS process is an exception to UIPI rules. It analyzes how functions like PostThreadMessage(), AttachThreadMessage() work in the context of UIPI.
Windows 8 just launched. Its best ever gift to all Security Aspirants to know about its back drops and advantages.
For any query contact: nutan.appin@gmail.com
The PPT describes:-
- What is Low level hook-up.
- Windows assemblies required for low level hook-up
- A flowchart explaining how a low level hook-up works.
- Implementation with an example (in C#)
Windows 8 just launched. Its best ever gift to all Security Aspirants to know about its back drops and advantages.
For any query contact: nutan.appin@gmail.com
The PPT describes:-
- What is Low level hook-up.
- Windows assemblies required for low level hook-up
- A flowchart explaining how a low level hook-up works.
- Implementation with an example (in C#)
Windows Server 2008 will be launched in Q1 2008. Come and learn what’s new in this release for developers.
Agenda:
Whether you are building Web applications or writing core server-based system services, Windows Server 2008 provides many new features that you can leverage to build more secure, flexible, and innovative applications. In this 2-session event we will go through the “Top 7 Ways to Light Up Your Apps on Windows Server 2008”. Demos will include IIS7, PowerShell, Transactional File System (TxF), restart/recovery APIs plus more.
For more details and the original slidedeck visit http://www.microsoft.com/uk/msdn/events/new/Detail.aspx?id=136
Join this video course on Udemy. Click the below link
https://www.udemy.com/mastering-rtos-hands-on-with-freertos-arduino-and-stm32fx/?couponCode=SLIDESHARE
>> The Complete FreeRTOS Course with Programming and Debugging <<
"The Biggest objective of this course is to demystifying RTOS practically using FreeRTOS and STM32 MCUs"
STEP-by-STEP guide to port/run FreeRTOS using development setup which includes,
1) Eclipse + STM32F4xx + FreeRTOS + SEGGER SystemView
2) FreeRTOS+Simulator (For windows)
Demystifying the complete Architecture (ARM Cortex M) related code of FreeRTOS which will massively help you to put this kernel on any target hardware of your choice.
windows programs that don't have just a
black screen. Well, these GUI1 programs are called Win32 API programs.
Learn how to make API calls with a black screen and other GUI objects in
Win 32 programming.
Essentials of Automations: Optimizing FME Workflows with ParametersSafe Software
Are you looking to streamline your workflows and boost your projects’ efficiency? Do you find yourself searching for ways to add flexibility and control over your FME workflows? If so, you’re in the right place.
Join us for an insightful dive into the world of FME parameters, a critical element in optimizing workflow efficiency. This webinar marks the beginning of our three-part “Essentials of Automation” series. This first webinar is designed to equip you with the knowledge and skills to utilize parameters effectively: enhancing the flexibility, maintainability, and user control of your FME projects.
Here’s what you’ll gain:
- Essentials of FME Parameters: Understand the pivotal role of parameters, including Reader/Writer, Transformer, User, and FME Flow categories. Discover how they are the key to unlocking automation and optimization within your workflows.
- Practical Applications in FME Form: Delve into key user parameter types including choice, connections, and file URLs. Allow users to control how a workflow runs, making your workflows more reusable. Learn to import values and deliver the best user experience for your workflows while enhancing accuracy.
- Optimization Strategies in FME Flow: Explore the creation and strategic deployment of parameters in FME Flow, including the use of deployment and geometry parameters, to maximize workflow efficiency.
- Pro Tips for Success: Gain insights on parameterizing connections and leveraging new features like Conditional Visibility for clarity and simplicity.
We’ll wrap up with a glimpse into future webinars, followed by a Q&A session to address your specific questions surrounding this topic.
Don’t miss this opportunity to elevate your FME expertise and drive your projects to new heights of efficiency.
Windows Server 2008 will be launched in Q1 2008. Come and learn what’s new in this release for developers.
Agenda:
Whether you are building Web applications or writing core server-based system services, Windows Server 2008 provides many new features that you can leverage to build more secure, flexible, and innovative applications. In this 2-session event we will go through the “Top 7 Ways to Light Up Your Apps on Windows Server 2008”. Demos will include IIS7, PowerShell, Transactional File System (TxF), restart/recovery APIs plus more.
For more details and the original slidedeck visit http://www.microsoft.com/uk/msdn/events/new/Detail.aspx?id=136
Join this video course on Udemy. Click the below link
https://www.udemy.com/mastering-rtos-hands-on-with-freertos-arduino-and-stm32fx/?couponCode=SLIDESHARE
>> The Complete FreeRTOS Course with Programming and Debugging <<
"The Biggest objective of this course is to demystifying RTOS practically using FreeRTOS and STM32 MCUs"
STEP-by-STEP guide to port/run FreeRTOS using development setup which includes,
1) Eclipse + STM32F4xx + FreeRTOS + SEGGER SystemView
2) FreeRTOS+Simulator (For windows)
Demystifying the complete Architecture (ARM Cortex M) related code of FreeRTOS which will massively help you to put this kernel on any target hardware of your choice.
windows programs that don't have just a
black screen. Well, these GUI1 programs are called Win32 API programs.
Learn how to make API calls with a black screen and other GUI objects in
Win 32 programming.
Essentials of Automations: Optimizing FME Workflows with ParametersSafe Software
Are you looking to streamline your workflows and boost your projects’ efficiency? Do you find yourself searching for ways to add flexibility and control over your FME workflows? If so, you’re in the right place.
Join us for an insightful dive into the world of FME parameters, a critical element in optimizing workflow efficiency. This webinar marks the beginning of our three-part “Essentials of Automation” series. This first webinar is designed to equip you with the knowledge and skills to utilize parameters effectively: enhancing the flexibility, maintainability, and user control of your FME projects.
Here’s what you’ll gain:
- Essentials of FME Parameters: Understand the pivotal role of parameters, including Reader/Writer, Transformer, User, and FME Flow categories. Discover how they are the key to unlocking automation and optimization within your workflows.
- Practical Applications in FME Form: Delve into key user parameter types including choice, connections, and file URLs. Allow users to control how a workflow runs, making your workflows more reusable. Learn to import values and deliver the best user experience for your workflows while enhancing accuracy.
- Optimization Strategies in FME Flow: Explore the creation and strategic deployment of parameters in FME Flow, including the use of deployment and geometry parameters, to maximize workflow efficiency.
- Pro Tips for Success: Gain insights on parameterizing connections and leveraging new features like Conditional Visibility for clarity and simplicity.
We’ll wrap up with a glimpse into future webinars, followed by a Q&A session to address your specific questions surrounding this topic.
Don’t miss this opportunity to elevate your FME expertise and drive your projects to new heights of efficiency.
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...DanBrown980551
Do you want to learn how to model and simulate an electrical network from scratch in under an hour?
Then welcome to this PowSyBl workshop, hosted by Rte, the French Transmission System Operator (TSO)!
During the webinar, you will discover the PowSyBl ecosystem as well as handle and study an electrical network through an interactive Python notebook.
PowSyBl is an open source project hosted by LF Energy, which offers a comprehensive set of features for electrical grid modelling and simulation. Among other advanced features, PowSyBl provides:
- A fully editable and extendable library for grid component modelling;
- Visualization tools to display your network;
- Grid simulation tools, such as power flows, security analyses (with or without remedial actions) and sensitivity analyses;
The framework is mostly written in Java, with a Python binding so that Python developers can access PowSyBl functionalities as well.
What you will learn during the webinar:
- For beginners: discover PowSyBl's functionalities through a quick general presentation and the notebook, without needing any expert coding skills;
- For advanced developers: master the skills to efficiently apply PowSyBl functionalities to your real-world scenarios.
The Art of the Pitch: WordPress Relationships and SalesLaura Byrne
Clients don’t know what they don’t know. What web solutions are right for them? How does WordPress come into the picture? How do you make sure you understand scope and timeline? What do you do if sometime changes?
All these questions and more will be explored as we talk about matching clients’ needs with what your agency offers without pulling teeth or pulling your hair out. Practical tips, and strategies for successful relationship building that leads to closing the deal.
UiPath Test Automation using UiPath Test Suite series, part 3DianaGray10
Welcome to UiPath Test Automation using UiPath Test Suite series part 3. In this session, we will cover desktop automation along with UI automation.
Topics covered:
UI automation Introduction,
UI automation Sample
Desktop automation flow
Pradeep Chinnala, Senior Consultant Automation Developer @WonderBotz and UiPath MVP
Deepak Rai, Automation Practice Lead, Boundaryless Group and UiPath MVP
DevOps and Testing slides at DASA ConnectKari Kakkonen
My and Rik Marselis slides at 30.5.2024 DASA Connect conference. We discuss about what is testing, then what is agile testing and finally what is Testing in DevOps. Finally we had lovely workshop with the participants trying to find out different ways to think about quality and testing in different parts of the DevOps infinity loop.
GraphRAG is All You need? LLM & Knowledge GraphGuy Korland
Guy Korland, CEO and Co-founder of FalkorDB, will review two articles on the integration of language models with knowledge graphs.
1. Unifying Large Language Models and Knowledge Graphs: A Roadmap.
https://arxiv.org/abs/2306.08302
2. Microsoft Research's GraphRAG paper and a review paper on various uses of knowledge graphs:
https://www.microsoft.com/en-us/research/blog/graphrag-unlocking-llm-discovery-on-narrative-private-data/
Slack (or Teams) Automation for Bonterra Impact Management (fka Social Soluti...Jeffrey Haguewood
Sidekick Solutions uses Bonterra Impact Management (fka Social Solutions Apricot) and automation solutions to integrate data for business workflows.
We believe integration and automation are essential to user experience and the promise of efficient work through technology. Automation is the critical ingredient to realizing that full vision. We develop integration products and services for Bonterra Case Management software to support the deployment of automations for a variety of use cases.
This video focuses on the notifications, alerts, and approval requests using Slack for Bonterra Impact Management. The solutions covered in this webinar can also be deployed for Microsoft Teams.
Interested in deploying notification automations for Bonterra Impact Management? Contact us at sales@sidekicksolutionsllc.com to discuss next steps.
Elevating Tactical DDD Patterns Through Object CalisthenicsDorra BARTAGUIZ
After immersing yourself in the blue book and its red counterpart, attending DDD-focused conferences, and applying tactical patterns, you're left with a crucial question: How do I ensure my design is effective? Tactical patterns within Domain-Driven Design (DDD) serve as guiding principles for creating clear and manageable domain models. However, achieving success with these patterns requires additional guidance. Interestingly, we've observed that a set of constraints initially designed for training purposes remarkably aligns with effective pattern implementation, offering a more ‘mechanical’ approach. Let's explore together how Object Calisthenics can elevate the design of your tactical DDD patterns, offering concrete help for those venturing into DDD for the first time!
Dev Dives: Train smarter, not harder – active learning and UiPath LLMs for do...UiPathCommunity
💥 Speed, accuracy, and scaling – discover the superpowers of GenAI in action with UiPath Document Understanding and Communications Mining™:
See how to accelerate model training and optimize model performance with active learning
Learn about the latest enhancements to out-of-the-box document processing – with little to no training required
Get an exclusive demo of the new family of UiPath LLMs – GenAI models specialized for processing different types of documents and messages
This is a hands-on session specifically designed for automation developers and AI enthusiasts seeking to enhance their knowledge in leveraging the latest intelligent document processing capabilities offered by UiPath.
Speakers:
👨🏫 Andras Palfi, Senior Product Manager, UiPath
👩🏫 Lenka Dulovicova, Product Program Manager, UiPath
Key Trends Shaping the Future of Infrastructure.pdfCheryl Hung
Keynote at DIGIT West Expo, Glasgow on 29 May 2024.
Cheryl Hung, ochery.com
Sr Director, Infrastructure Ecosystem, Arm.
The key trends across hardware, cloud and open-source; exploring how these areas are likely to mature and develop over the short and long-term, and then considering how organisations can position themselves to adapt and thrive.
Transcript: Selling digital books in 2024: Insights from industry leaders - T...BookNet Canada
The publishing industry has been selling digital audiobooks and ebooks for over a decade and has found its groove. What’s changed? What has stayed the same? Where do we go from here? Join a group of leading sales peers from across the industry for a conversation about the lessons learned since the popularization of digital books, best practices, digital book supply chain management, and more.
Link to video recording: https://bnctechforum.ca/sessions/selling-digital-books-in-2024-insights-from-industry-leaders/
Presented by BookNet Canada on May 28, 2024, with support from the Department of Canadian Heritage.
UiPath Test Automation using UiPath Test Suite series, part 4DianaGray10
Welcome to UiPath Test Automation using UiPath Test Suite series part 4. In this session, we will cover Test Manager overview along with SAP heatmap.
The UiPath Test Manager overview with SAP heatmap webinar offers a concise yet comprehensive exploration of the role of a Test Manager within SAP environments, coupled with the utilization of heatmaps for effective testing strategies.
Participants will gain insights into the responsibilities, challenges, and best practices associated with test management in SAP projects. Additionally, the webinar delves into the significance of heatmaps as a visual aid for identifying testing priorities, areas of risk, and resource allocation within SAP landscapes. Through this session, attendees can expect to enhance their understanding of test management principles while learning practical approaches to optimize testing processes in SAP environments using heatmap visualization techniques
What will you get from this session?
1. Insights into SAP testing best practices
2. Heatmap utilization for testing
3. Optimization of testing processes
4. Demo
Topics covered:
Execution from the test manager
Orchestrator execution result
Defect reporting
SAP heatmap example with demo
Speaker:
Deepak Rai, Automation Practice Lead, Boundaryless Group and UiPath MVP
2. Speaker Info
Edgar Barbosa
Security researcher
Currently employed at COSEINC
Experience with reverse engineering of
Windows kernel executables
Published some articles at rootkit.com
Participated in the creation of bluepill, a
hardware-virtualization based rootkit
3. Windows Vista UIPI
Shatter attacks
Integrity Levels
UIPI initialization
Process and thread initialization
Window messages
UIPI in action
Special cases
4. Why UIPI?
Reasons to learn about UIPI internals:
It’s not well documented
The new book “Writing secure code for Windows
Vista” dedicates only one page to discuss UIPI
UIPI affects several applications and API
functions
There are some possible vectors of attacks
against UIPI
To understand how windows messages are
internally processed
Understand how some internal function works
under the hood
5. Shatter attacks
Published by Chris Paget in 2002
Process by which one application could
execute arbitrary code in another application
Uses the window messaging system to send
messages from an unprivileged app to the
window message procedure of a privilege
application.
WM_TIMER could be sent with a callback
pointer parameter
6. UIPI
Stands for “User Interface Privilege Isolation”
New for Windows Vista Operating System
Vista now uses Integrity Levels for each
running process:
0x1000 - Low integrity
0x2000 - Medium integrity
0x3000 - High integrity
0x4000 - System Integrity
Each application runs with one assigned IL.
7. UIPI
A lower privilege application cannot [1] :
Perform a window handle validation of higher
process privilege
SendMessage or PostMessage to higher privilege
application windows ( block “Shatter attacks” )
Use thread hooks to attach to a higher privilege
process
Use journal hooks to monitor a higher privilege
process
Perform DLL injection to a higher privilege
process
9. UIPI initialization
The UIPI initialization process occurs in the
load time of the graphical subsystem module
(win32k.sys)
DriverEntry will call Win32UserInitialize
function which will call:
InitUIPI (win32k)
RtlQueryElevationFlags (ntoskrnl)
InitClipFormatExceptionList (win32k)
10. UIPI initialization
KUSER_SHARED_DATA
Is a memory area shared between the user
mode and kernel mode space
Mapped for each running process
Initialized by the OS executive - ntoskrnl
It contains very important system variables:
KdDebuggerEnabled, SystemCall, TickCount
DbgElevationEnabled, DbgVirtEnabled, ….
It is protected:
Read-only access for user mode code
11. UIPI initialization
RtlQueryElevationFlags
Undocumented function exported by ntoskrnl.exe
and the ntdll.dll
Prototype:
NTSTATUS RtlQueryElevationFlags( OUT ULONG
*Flags );
Retrieve UAC system information from the shared
memory area (KUSER_SHARED_DATA)
Return flags:
ElevationEnabled (0x01) - UAC is enabled
VirtEnabled (0x02) - Virtualization is enabled
InstallerDetectEnabled (0x04) - Detection of installers
12. UIPI initialization
VOID InitUIPI();
UIPI is initialized by the InitUIPI function
implemented inside the win32k kernel module
Calls the RtlQueryElevationFlags to check if
elevation is enabled (ElevationEnabled).
If elevation is enabled, then check the value
“EnableUIPI” inside the system policies
registry key.
If EnableUIPI value is set to true, the system
set the global variable gbEnforceUipi to TRUE.
UIPI is only active if gbEnforceUipi is equal
TRUE.
13. UIPI initialization
InitClipFormatExceptionList
Called immediately after InitUIPI if
gbEnforceUipi value is true.
Responsible for reading the values of the
registry key:
HKLMSOFTWAREMicrosoftWindowsCurrentVersionPoliciesSystemUIPIClip
boardExceptionFormats
gpClipFormatExceptionList:
Pointer to a list of Clipboard Format values, e.g. CF_OEMTEXT
(0x07)
gcClipFormatExceptionList:
Global counter of the number of elements inside the list pointed
by the gpClipFormatExceptionList pointer.
17. EPROCESS
Each process is represented by an executive
process object structure (EPROCESS)
Accessible only for kernel mode code
Some EPROCESS data information includes:
Handle table pointer
Virtual Address space Descriptors (VAD)
Access token
PROCESSINFO pointer
18. PROCESSINFO
Structure used by win32k to store all the
USER32 related information about a process.
Created at the first time that the process calls
a USER32 syscall and it is initialized by the
xxxInitProcessInfo function
Address stored at EPROCESS-
>Win32Process
Data information includes:
Pointer to EPROCESS
Desktop, UserHandleCount, WinStation
information
….
20. xxxInitProcessInfo
Prototype
NTSTATUS xxxInitProcessInfo( PROCESSINFO
*pi );
Responsible for the initialization of the
PROCESSINFO structure
Open the primary token of the process with
PsReferencePrimaryToken and
Get the Integrity Level of the process by calling
SeQueryInformationToken with the
TOKEN_INTEGRITY_LEVEL information
class
21. xxxInitProcessInfo
If gbEnforceUIPI == TRUE
Copy the Integrity Level value at pi-
>IntegrityLevel
Check for the TokenUIAccess flag using
SeQueryInformationToken function. If the flag
is set, set the correspondent flag at pi->Flags
The TokenUIAccess importance will be
presented soon.
22. Thread initialization and UIPI
Data structures:
ETHREAD
THREADINFO
Functions:
xxxInitThreadInfo
NtUserCheckAccessForIntegrityLevel
23. ETHREAD
Structure used by the kernel to represent a
thread (ETHREAD)
Each ETHREAD is always owned by an
EPROCESS structure ( ETHREAD-
>Tcb.Process )
Linked to other threads by the ThreadListEntry
pointer
Some fields:
InitialStack, StartAddress, ThreadListEntry,
ApcState
Priority, Affinity, THREADINFO, ...
24. THREADINFO
Undocumented structure used by win32k to
store USER32 information related to a thread
Created only if the thread calls a USER32
function
THREADINFO address stored at
ETHREAD->Tcb.Win32Thread
Some fields:
pq ( Input message queue )
mlPost ( Post message queue )
Send message queue
Windows hook information...
25. xxxCreateThreadInfo()
Function called to allocated and initialize the
THREADINFO structure
Some responsibilities:
Allocate and initialize the input, send and post
message queues.
Set desktop
Set integrity level of the message queue
Set foreground priority
27. NtUserCheckAccessForIntegrity
Level
Undocumented syscall which can be used by
usermode programs (not officially supported)
It’s used by the USER32 usermode functions:
TileWindows()
CascadeWindows()
NTSTATUS
NtUserCheckAccessForIntegrityLevel ( Pid1,
Pid2, *BOOL Result );
It checks the current process PROCESSINFO
integrity level against the integrity level of the
target process PROCESSINFO.
29. Window messages
Data structures:
Message Queue
Functions:
ChangeWindowMessageFilter
30. Window messages
Each window has a window procedure.
Window messages are used by the system to
send events to a window procedure.
Each windows, which is identified by a window
handle (HWND), is always owned by a thread.
But each thread can own more than one
window
Range 0x0 -> 0xffff (available to programmer)
0x10000 -> 0x1ffff ( reserved to system )
31. Message Queues
Each received message is sent to a message
queue
The window message queues are
implemented in the THREADINFO structure
There are 3 queues:
Input queue (SendInput, mouse and keyboard
msgs)
Post queue ( PostMessage )
Send queue ( SendMessage )
The Input Queue structure, a.k.a Virtualized
Input Queue (VIQ), Integrity Level field.
32. Message Queues
The VIQ structure is allocated by the
AllocQueue() function, which is called by the
xxxCreateThreadInfo() function.
AllocQueue() returns a pointer to the VIQ
address.
If the owner process of the Queue is the
CSRSS process, the Queue->IntegrityLevel
will be set equal 0x2000
(MEDIUM_INTEGRITY). If not, it will be set
equal the PROCESSINFO->IntegrityLevel.
34. ChangeWindowMessageFilter
Documented API directly related to UIPI
New for Window Vista.
Can be used to add or remove Window messages from the
message filter
If a message is added to the filter, any other process is able
to send that message to the process, regardless of the
integrity level of the processes.
Prototype:
BOOL ChangeWindowMessageFilter( UINT msg, DWORD
dwFlag );
dwFlag:
MSGFLT_ADD: Adds the message to the filter
MSGFLT_REMOVE: Removes the message from the filter
35. Window Message Filter
implementation
Message Filter is implemented in the
PROCESSINFO.
Message queues are implemented per-thread, but
all threads (windows) share the same Message
Filter.
Can’t be used by LOW_INTEGRITY processes!
win32k!_ChangeWindowMessageFilter function is
the real code responsible for the filter
management.
The filter is implemented using bitmap structures:
0 = message is not allowed
1 = message is allowed
The address of the bitmap tables is stored at
PROCESSINFO->MessageFilter
38. UIPI in action
How PostThreadMessage function works
internally in Windows Vista?
Functions:
PostThreadMessage
NtUserPostThreadMessage
AllowMessageAcrossIL
CheckForMessageAccessCrossIL
CheckAccessForIntegrityLevel
39. PostThreadMessage
PostThreadMessage function posts a
message to the message queue of the
specified thread.
It returns without waiting for the thread to
process the message.
It uses the syscall NtUserPostThreadMessage
40. NtUserPostThreadMessage
Kernel mode implementation of
PostThreadMessage
Prototype:
BOOL NtUserPostThreadMessage( DWORD
idThread, UINT msg, WPARAM wParam,
LPARAM lParam );
Flow:
Get the address of the THREADINFO structure of
the current thread and save it in the _gptiCurrent
variable.
Get the THREADINFO of the target idThread
using the PtiFromThreadId( ) function.
41. NtUserPostThreadMessage
If they are from the same desktop, it calls the
CheckForMessageAccessCrossIL() function,
which will verify if the destination thread allows
the window message to be posted in the target
thread post message queue.
If the return code of
CheckForMessageAccessCrossIL is TRUE, the
PostThreadMessage is called
PostThreadMessage allocates a new queue entry
(AllocQEntry), stores the message
(StoreQMessage) and set the wake message
flags (SetWakeBit)
44. CheckAccessForIntegrityLevel
Internal win32k function extremelly used
Prototype:
BOOL CheckAccessForIntegrityLevel( ULONG
SourceIntegrityLevel, ULONG
TargetIntegrityLevel );
If the SourceIntegrityLevel <
TargetIntegrityLevel, returns FALSE
If SourceIntegrityLevel >= TargetIntegrityLevel,
returns TRUE.
45. AllowMessageCrossIL
Internal win32k function
Prototype:
BOOL AllowMessageCrossIL( PROCESSINFO
*pi, UINT msg );
This function uses the MessageFilter bitmap
structures created by the
ChangeWindowMessageFilter function.
Return:
If TRUE, the target thread will accept the
message
If FALSE, doesn’t mean nothing! Why?
46. CheckForMessageAccessCross
IL
Prototype:
BOOL CheckForMessageAccessCrossIL (
PROCESSINFO *piSource, PROCESSINFO
*piTarget, UINT msg, WPARAM wParam );
How it works?
It compares the piSource against piTarget. If
equal, return TRUE. There’s no reason in
checking threads of the same processinfo.
If different, calls the AllowMessageAcrossIL(
piTarget, msg ), but it do not check the return
value immediately!
47. CheckForMessageAccessCross
IL
It now compares the msg with a list of always allowed
messages:
0x000 - WM_NULL
0x003 - WM_MOVE
0x005 - WM_SIZE
0x00D - WM_GETTEXT
0x00E - WM_GETTEXTLENGTH
0x033 - WM_GETHOTKEY
0x07F - WM_GETICON
0x305 - WM_RENDERFORMAT
0x308 - WM_DRAWCLIPBOARD
0x30D - WM_CHANGECBCHAIN
0x31A - WM_THEMECHANGED
0x313, 0x31B (WM_???)
48. CheckForMessageAccessCross
IL
If the message is in the list of always allowed,
return TRUE immediately.
If not, checks now the returned value of the
CheckForMessageAccessCrossIL() . If equal true,
then returns TRUE.
If false, compare the current IL against the target
IL using the CheckAccessForIntegrityLevel. If the
current thread has a IL greater or equal than the
target thread IL, returns TRUE.
Check if CSRSS is the owner process of the
target thread and allow the message if it is.
51. CSRSS threads
The CSRSS process is responsible for the
creation of the console window for console-
mode applications.
Each console window is controled by a
CSRSS thread (ConsoleInputThread function )
inside winsrv.dll
It registers the window class
“ConsoleWindowClass”
ProcessCreateConsoleWindow creates the
console window
ConsoleWindowProc is the window procedure.
52. CSRSS threads
As exception, CSRSS threads that creates
windows will have the THREADINFO-
>IntegrityLevel set equal 0x2000 (
MEDIUM_INTEGRITY ) by the
xxxCreateThreadInfo function, regardless of
the CSRSS IL.
The address of the PROCESSINFO structure
of csrss process is stored at win32k.sys in the
global variable _gpepCSRSS
How is this related to UIPI?
53. CSRSS threads
Windows owned by CSRSS threads are the
great exception rule in UIPI!
In February 2007, Joanna Rutkowska
published in her blog [2] that is possible to send
WM_KEYDOWN messages to a open
Administrative Shell (cmd.exe) running at
HIGH IL from a LOW IL program.
This is not only possible with cmd.exe, but with
any console mode program running regardless
of the its integrity level.
54. CSRSS threads
The CheckForMessageAccessCrossIL() and
xxxInterSendMsgEx() functions checks if the
process owner of the target thread is CSRSS
(gpepCSRSS)
If CSRSS is the owner, the message is sent or
posted even if the IL of the source thread is
lesser than the IL of the target thread.
Message is allowed even if the target’s
message filter do not allow the message.
55. TokenUIAccess
TokenUIAccess is a new token flag (at enum
TOKEN_INFORMATION_CLASS)
At the PROCESSINFO initialization process,
the system checks for the TokenUIAccess flag
in the primary token of the process.
If the flag is present, the TokenUIAccess is set
in the Flags field of PROCESSINFO.
This flag allows application to potentially
override some UIPI restrictions [3]
58. AttachThreadInput
Input messages ( keyboard, mouse, SendInput )
are inserted at the Virtualized Input Queue of the
THREADINFO.
With the AttachThreadInput function, two threads
can share their VIQ.
Prototype:
BOOL AttachThreadInput( tidAttach, tidAttachTo,
fAttach );
When 2 thread share their input queues, input
messages will be processed synchronously.
If one thread hangs, the other thread will hang
too.
61. AttachThreadInput
Must be used very carefully because it affects
the robustness of the window message
processing of the threads.
NtUserAttachThreadInput is the syscall used
by the user32 AttachThreadInput
It is affected by UIPI, because the
zzzAttachThreadInput function will check the
Queue->IntegrityLevel of calling thread against
the ProcessInfo->IntegrityLevel of the target
thread.
62. MSCTF.DLL
There are a DLL located in the system32
folder called MSCTF.dll which is used by the
user32.dll.
Practically all running programs in the Vista
system loads msctf.dll
63. MSCTF.DLL
MSCTF.dll is one of the few DLLs in Vista that uses
the new ChangeWindowMessageFilter() function.
How this new API is being used by the MSCTF?
The first step is to call the internal function
EnsurePrivateMessages()
EnsurePrivateMessages() internals:
Uses the USER32!RegisterWindowMessage function to
register several window messages
RegisterWindowMessage takes as parameter a string and
returns a window message that is guaranteed to be unique
througout the system.
It now uses the returned window message and calls
ChangeWindowMessageFilter() function
64. MSCTF.DLL
Example:
gAttMsg =
RegisterWindowMessage(“MSUIM.Msg.AttachThreadInput”);
If (gAttMsg)
ChangeWindowMessageFilter( gAttMsg, MSGFLT_ADD );
After EnsurePrivateMessages(), MSCTF will
register a window class
“CicMarshallWndClass” with the window
procedure CicMarshallWndProc();
Where is the problem?
The problem is inside the CicMarshallWndProc()
code responsible for the processing of gAttMsg
message
65. MSCTF.DLL
The code is:
curThread = GetCurrentThreadId();
AttachThreadInput( curThread, wParam, lParam);
If a low integrity thread calls
AttachThreadInput against a higher integrity
thread, the call will fail.
But now, if the higher IL thread uses the
MSCTF.dll, we can simply send a gAttMsg
message and the target thread will call
AttachThreadInput for us
SendMessage(targetwnd, gAttMsg, GetCurrentThreadId(),TRUE);
66. DoS attack
Using the AttachThreadInput message created by
msctf.dll, we can create a Denial of Service tool
which will hang all application running on the
system with the msctf.dll loaded.
Due to the fact that attach thread processes input
messages synchronously, a low IL program is
able to hang even higher integrity applications.
One interesting consequence of attaching the
virtualized input queue of two thread of different
integrity levels is the elevation of the integrity level
of the queue of the less privileged thread.
67. Queue integrity level elevation
Each input queue (VIQ) has it’s own Integrity
Level
VIQ IL is assigned by xxxCreateThreadInfo
function
If a medium integrity level (0x2000) thread
uses the Msctf AttachThreadInput message to
attach to a high integrity level (0x3000) thread,
the AttachThreadInput function
(zzzAttachToQueue) will elevate the queue IL
from 0x2000 to 0x3000
68. Final notes
UIPI has some weird rules
The always allowed window messages list is
not public and documented
We will probably see malwares using the UIPI
exception rules, like the CSRSS case
ChangeWindowMessageFilter function must
be carefully used to avoid unprivileged
processes to control privileged processes, like
the MSCTF AttachThreadInput example.