Disabling Hardware-enforced Stack Protection

[DavidXanatos]

Some application nowadays have the compiler flag set to use Hardware-enforced Stack Protection from the get go.
That shows to be problematic with some code injection strategies, for example like done by sandboxie...

So I wonder how to best disable this for starting processes...

I have looked a bit into the kernel and how these flags are set,
it seams the NtCreateUserProcess is setting a dword at EPROCESS + 0x09D4
which indicates if these mitigation are in place,
I found these offset by looking at NtSetInformationProcess so there may be additional flags I'm not aware of...
I deduce that NtCreateUserProcess sets them as it reads the "MitigationOptions" from "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\TestApp.exe" where TestApp.exe is the name of the process being created.


I have tried to set EPROCESS + 0x09D4 to 0 during a callback registered with PsSetCreateProcessNotifyRoutineEx
but this did not work, logging registry accesses to the "Image File Execution Options" key and the creation callback it looks this:

Code:

key access: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe  ->  UseFilter
key access: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe  ->  LoadCHPEBinaries????????
key access: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe  ->  UseFilter
key access: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe  ->  Debugger
key access: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe  ->  UseLargePages
key access: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe  ->  NodeOptions
key access: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe  ->  ForceWakeCharge
key access: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe  ->  AllowedCpuSets
key access: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe  ->  MitigationOptions
key access: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe  ->  MitigationAuditOptions
Process_NotifyProcessEx pid=1564 parent=6320 current=6320 created=y notepad.exe flag: 00000000
key access: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe  ->  UseFilter
key access: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe  ->  DisableHeapLookaside????
key access: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe  ->  FrontEndHeapDebugOptions
key access: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe  ->  ShutdownFlagsebugOptions

So apparently the MitigationOptions are read and applied before the callback what is really a problem, when i would want to decide in PsSetCreateProcessNotifyRoutineEx if the process should be sandboxed or not and prepare teh right registry entry to avoid this mitigation being enabled.....
And resetting the flag as mentioned did not have the desired effect, probably there is a second flag or something that would need tempering with as well,
or possibly its not even possible to disable it at this stage as the shadow stack and variouse other things are already configured for that initial thread...
Not cool not cool at all...



Anyhow I was wondering if anyone here would have an idea how to elegantly exclude processes from having this mitigation applied, or how to properly disable this mitigation from the kernel?