Protected Processes
Windows Vista introduces a new type of process, the so-called "protected process". Access to such processes is restricted regardless of the actual access control lists and assigned integrity levels. Only a limited subset of operations is allowed, such as termination, suspending, resuming, retrieving the process image name and synchronization. Whenever a process is opened, the system performs the following access checks:
- Access control checks according to integrity levels;
- Standard access control check against the DACL;
- Protected process checks.
Process/thread-specific checks are based on examining the protection attribute of both the acting and the target process.
The same access checks are applied to threads that belong to protected processes.
By default the following processes are started as protected:
- System
- audiodg.exe
- mfpmp.exe
- WerFault.exe
- WerFaultSecure.exe
- wermgr.exe
Protected processes are started via the CreateProcess, CreateProcessAsUser, CreateProcessWithToken, etc. APIs by supplying the CREATE_PROTECTED_PROCESS flag in the CreationFlags parameter.
When the flag is specified, the system creates an executable section (ZwCreateSection) with the SEC_PROTECTED_IMAGE flag, which forces signature checking. If the executable does not carry the required signature, CreateProcess fails with ERROR_INVALID_IMAGE_HASH. The signature can be embedded or provided in an installed catalog file. Additionally, signature checking is performed for all DLLs loaded into a protected process. This means Microsoft limits the use of protected processes by third parties. The Protected Media Path program provides a way to supply signed modules for the audiodg.exe and mfpmp.exe processes.
The control over protected process code is justified because a protected process may receive unrestricted access to other protected processes. Hence a custom protected process running arbitrary code would break the whole concept.
The purpose of protected processes is not only to provide an environment for DRM solutions but also to protect kernel integrity. The System process contains kernel-mode threads and handles to many critical objects. For example, unrestricted access to the System process would effectively defeat the kernel protection (a.k.a. Driver Signing) in Windows Vista x64.
Apparently there are other applications that can be started protected besides those listed above. For example, Microsoft Debugging Tools contain a few utilities that may start as protected. You can find such applications with the pplauncher.exe tool. The tool just probes for protected process launching by legitimate means; it does not use drivers and can run without administrative privileges. Do not confuse it with Alex Ionescu's tool, which is based on modification of kernel structures.
Note that the protection attribute is part of the EPROCESS structure and can be adjusted by a kernel-mode driver or a debugger, which is illustrated by the following experiment with Windows Task Manager.
Initially Task Manager is not protected and as a result cannot create a memory dump of protected processes.
Dumping the EPROCESS structure in the debugger reveals the ProtectedProcess bit flag:
kd> dt _EPROCESS 8bb8a020
...
+0x14c ImageFileName : [16] "taskmgr.exe"
...
+0x224 Flags2 : 0xd000
+0x224 JobNotReallyActive : 0y0
+0x224 AccountingFolded : 0y0
+0x224 NewProcessReported : 0y0
+0x224 ExitProcessReported : 0y0
+0x224 ReportCommitChanges : 0y0
+0x224 LastReportMemory : 0y0
+0x224 ReportPhysicalPageChanges : 0y0
+0x224 HandleTableRundown : 0y0
+0x224 NeedsHandleRundown : 0y0
+0x224 RefTraceEnabled : 0y0
+0x224 NumaAware : 0y0
+0x224 ProtectedProcess : 0y0
+0x224 DefaultPagePriority : 0y101
+0x224 PrimaryTokenFrozen : 0y1
+0x224 ProcessVerifierTarget : 0y0
+0x224 StackRandomizationDisabled : 0y0
+0x228 Flags : 0x144d0801
...
Modifying the flag makes Task Manager a protected process.
kd> ed 8bb8a020+224 0xd800
kd> dt _EPROCESS 8bb8a020
...
+0x14c ImageFileName : [16] "taskmgr.exe"
...
+0x224 ProtectedProcess : 0y1
...
This flag modification is what Alex Ionescu's tool uses.
Source: http://www.gentlesecurity.com/blog/blog5.php/2008/03/04/protected-processes
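The Flags2 decoding behind the two dumps above, as an added example in C that is not part of the original post: it decodes the bitfield using the field order shown by kd, reproduces the 0xd000 to 0xd800 edit, and reports a process whose ProtectedProcess bit is set although its image is not in the default protected list, the check a memory forensics tool would apply to spot this kind of kernel-side tampering. The bit positions are an assumption taken from the dump's field order (Windows Vista x86 layout only), and the image list is the post's default list.

```c
/* Added example, not from the original post: decode EPROCESS.Flags2 using
 * the field order in the kd dump above (bit 0 JobNotReallyActive ...
 * bit 11 ProtectedProcess, bits 12-14 DefaultPagePriority, bit 15
 * PrimaryTokenFrozen). Positions are assumed from that dump; Vista x86 only. */
#include <stdint.h>
#include <string.h>
#define FLAGS2_PROTECTED_PROCESS    (1u << 11)  /* the 0xd000 -> 0xd800 bit */
#define FLAGS2_PAGE_PRIORITY_SHIFT  12
#define FLAGS2_PAGE_PRIORITY_MASK   (7u << FLAGS2_PAGE_PRIORITY_SHIFT)
#define FLAGS2_PRIMARY_TOKEN_FROZEN (1u << 15)
/* ImageFileName is [16]: 15 characters plus NUL, so long names are truncated. */
#define IMAGE_NAME_CMP_LEN 15

struct flags2_view {
    int protected_process;
    unsigned default_page_priority;
    int primary_token_frozen;
};

struct flags2_view decode_flags2(uint32_t flags2) {
    struct flags2_view v;
    v.protected_process = (flags2 & FLAGS2_PROTECTED_PROCESS) != 0;
    v.default_page_priority = (flags2 & FLAGS2_PAGE_PRIORITY_MASK) >> FLAGS2_PAGE_PRIORITY_SHIFT;
    v.primary_token_frozen = (flags2 & FLAGS2_PRIMARY_TOKEN_FROZEN) != 0;
    return v;
}

/* What "ed 8bb8a020+224 0xd800" did: set ProtectedProcess, touch nothing else. */
uint32_t set_protected_bit(uint32_t flags2) {
    return flags2 | FLAGS2_PROTECTED_PROCESS;
}

/* Images the post lists as protected by default. */
static const char *default_protected_images[] = {
    "System", "audiodg.exe", "mfpmp.exe", "WerFault.exe", "WerFaultSecure.exe", "wermgr.exe"
};

/* 1 when a process claims protection but is not a default protected image,
 * the trace a kernel-side edit like the Task Manager experiment leaves in
 * a memory image; 0 otherwise. Compares only the 15 stored characters. */
int is_unexpected_protected(const char *image_name, uint32_t flags2) {
    size_t i, n = sizeof default_protected_images / sizeof *default_protected_images;
    if (!decode_flags2(flags2).protected_process)
        return 0;
    for (i = 0; i < n; i++)
        if (strncmp(image_name, default_protected_images[i], IMAGE_NAME_CMP_LEN) == 0)
            return 0;
    return 1;
}
```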