3

I've come across a troublesome process which refuses to allow CreateToolhelp32Snapshot().

I also noticed that in sysinternals process explorer it shows "Access Denied" for other things too, such as file path, even when running as admin or even NT AUTHORITY\SYSTEM.

Does anyone have any idea how they could've achieved this? The only way I could think of would be using some sort of kernel mode driver and doing some voodoo magic.

I'd appreciate any ideas

Cherona
  • 129
  • 1
  • There are numerous ways to achieve this. Arguably the easiest would be to set the ACEs of the process appropriately. Being LocalSystem doesn't mean access everywhere, because that's still governed by the ACEs. However, being LocalSystem means you can forcibly take ownership of objects and basically replace whole ACLs. Other possibilities include some kind of SSDT hooking from a driver. Nebbett describesd how the ToolHelp32 APIs work and so by looking at the underlying native APIs you will get a feeling which ones could be hooked to prevent access. – 0xC0000022L Apr 06 '20 at 09:08
  • Another potential cause could be a PPL (protected process light). Which has been introduced in Windows 8, IIRC. Antimalware solutions use that sometimes. But you don't give enough details to give you more than guesses (not to mention that you answered your question). – 0xC0000022L Apr 06 '20 at 09:09
  • @0xC0000022L I apologise, i'm new to this, what sort of information and details about the process would be helpful? – Cherona Apr 06 '20 at 14:27
  • Names, perhaps the files themselves or at least their file names and versions. Just put yourself in the shoes of someone not having access to your computer (and brain) and try to fill in all the blanks compared to the existing question. No need to apologize. The mechanism on this site used for the purpose is upvotes and downvotes. Basically the goal is to create a library of questions and answers that are useful for future visitors. And while your question certainly has some "meat" it provides too little of it to give you more than guesses in turn. – 0xC0000022L Apr 06 '20 at 14:34
  • @0xC0000022L You mentioned that they could've used SSDT hooking - how are they allowed to do this? Does Windows not have some sort of anti tampering in place? Or does it turn a blind eye to system drivers – Cherona Apr 06 '20 at 15:39
  • you mean PatchGuard, yep. Not sure for the very latest versions of Windows 10. But until recently there were ways to circumvent PatchGuard. Which makes sense considering a monolithic kernel with drivers running equally privileged as the kernel. Possible some more recent virtualization-based features thwart those tricks, though. – 0xC0000022L Apr 07 '20 at 06:31

1 Answers1

-1

Turns out the process was using a driver, now I don't know what exactly that driver was doing (probably some voodoo magic). But it was preventing CreateToolhelp32Snapshot() and some other stuff.

Cherona
  • 129
  • 1
  • Hi and welcome to RE.SE. While this may answer your immediate question from your own perspective, it won't be helpful to any future visitors finding this answer. – 0xC0000022L Apr 06 '20 at 09:10