Exetools  

Go Back   Exetools > General > Community Tools

Notices

Reply
 
Thread Tools Display Modes
  #1  
Old 02-17-2020, 03:12
DavidXanatos DavidXanatos is offline
Family
 
Join Date: Jun 2018
Posts: 114
Rept. Given: 0
Rept. Rcvd 25 Times in 18 Posts
Thanks Given: 31
Thanks Rcvd at 233 Times in 77 Posts
DavidXanatos Reputation: 25
A driver to make windows Ignore ACLs

I wanted today to weasel around in my C:\Program Files\WindowsApps folder,
unfortunately that is more difficult than one may think like described here: https://superuser.com/questions/940693/editing-creating-files-in-c-program-files-windowsapps
One can try messing with permissions but that may result in problems down the road.
And it does not solve all issues anyways.

So I was looking for a more "safe" solution like making windows temporarily ignore all permission settings

After some research I found this approach and created an open source implementation: https://github.com/DavidXanatos/IgnoreACLs

When applied to C: anyone can access C:\Program Files\WindowsApps for reading modifying, and deleting existing files.
What does not work is creating new files or folders, for that i would have to modify the SecurityContext in some smart way.
Attached Files
File Type: zip IgnoreACLs.zip (3.2 KB, 16 views)
File Type: zip IgnoreACLs_src.zip (6.6 KB, 15 views)
Reply With Quote
The Following User Gave Reputation+1 to DavidXanatos For This Useful Post:
niculaita (02-17-2020)
The Following 11 Users Say Thank You to DavidXanatos For This Useful Post:
cgrs (02-17-2020), chants (02-20-2020), Corsten (02-21-2020), cyantea (03-02-2020), deepzero (02-17-2020), dosprog (03-26-2020), Mahmoudnia (02-17-2020), MarcElBichon (02-17-2020), niculaita (02-17-2020), NoneForce (02-20-2020), ontryit (02-17-2020)
  #2  
Old 02-17-2020, 19:04
cgrs cgrs is offline
Friend
 
Join Date: May 2017
Location: Spain
Posts: 5
Rept. Given: 0
Rept. Rcvd 0 Times in 0 Posts
Thanks Given: 7
Thanks Rcvd at 3 Times in 3 Posts
cgrs Reputation: 0
Nice work! I have a question though: isn't it dangerous to disable ACLs in Windows?
Reply With Quote
  #3  
Old 02-17-2020, 20:48
DavidXanatos DavidXanatos is offline
Family
 
Join Date: Jun 2018
Posts: 114
Rept. Given: 0
Rept. Rcvd 25 Times in 18 Posts
Thanks Given: 31
Thanks Rcvd at 233 Times in 77 Posts
DavidXanatos Reputation: 25
Quote:
Originally Posted by cgrs View Post
Nice work! I have a question though: isn't it dangerous to disable ACLs in Windows?
Well, you shouldn't start any malware processes while your ACLs are disabled, that much is obvious.

The driver is not intended to be always active, the idea is that you can attach it to the partition on which you want to have full access and when you are done doing whatever it is you wanted to do you detach it and the access restrictions are back in place.


Its a mater of Principle that the owner of a PC should be able to write to any location on disk if so desired.

The PC's belong to us, their respective owners, not to Microsoft.


BTW: a short update on the effects of this hack, creating files in protected locations works fine, what does not is renaming them or moving files into protected locations. I don't see a simple way to fix this.
And what I still don't understand is why creating of folders fails with the current approach.
Reply With Quote
  #4  
Old 02-19-2020, 22:17
TmC TmC is offline
VIP
 
Join Date: Aug 2004
Posts: 291
Rept. Given: 1
Rept. Rcvd 13 Times in 7 Posts
Thanks Given: 2
Thanks Rcvd at 12 Times in 9 Posts
TmC Reputation: 13
Does this work also with remote Active Directory Domains? Are there any workarounds to access AD folders to which rights are not granted?
Reply With Quote
  #5  
Old 02-20-2020, 16:08
chants chants is offline
Family
 
Join Date: Jul 2016
Posts: 530
Rept. Given: 5
Rept. Rcvd 35 Times in 21 Posts
Thanks Given: 441
Thanks Rcvd at 793 Times in 370 Posts
chants Reputation: 35
If an app depends on ACL semantics for data storage and retrieval this could also be dangerous. Could the driver inspect the process is cmd.exe or explorer.exe or anything from a whitelist? Also registry permissions are equally annoying and it would be nice to have those temporarily disabled as well.

Messing with security permissions is not so bad if you meticulously restore them when finished which is a laborious task. Sysinternals has a run as utility that can let you launch a command prompt as SYSTEM and so far that has been a favorite solution and typically but not always SYSTEM has full permissions across the whole drive. Can even launch regedit from that command prompt.
Reply With Quote
  #6  
Old 02-20-2020, 19:34
DavidXanatos DavidXanatos is offline
Family
 
Join Date: Jun 2018
Posts: 114
Rept. Given: 0
Rept. Rcvd 25 Times in 18 Posts
Thanks Given: 31
Thanks Rcvd at 233 Times in 77 Posts
DavidXanatos Reputation: 25
This workaround driver only allows to access files and folders on local partitions with disregard of ACL's.
So it won't allow the user to access remote resources he is not permitted to access.

The driver does not mess with ACL's it just makes them ineffective. So nothing to be restored and it should not break anything eider.

Adding some sort of white-list to not fully compromise the security is a good idea, although I would probably try to go for checking if a process having admin privileges instead of a static list.

IMHO when we start i.e. cmd.exe "as administrator" we deserve to be able to access anything everywhere, so this would be a reasonable approach.


For me the main motivation behind this driver is that even as SYSTEM/TrustedInstaller I couldn't modify files under C:\Program Files\WindowsApps, the most strange thing was that even after taking ownership and removing all ACL entries except my user having all permission I still couldn't modify those files.

Even when the partition in question was not the running windows but one that was offline. Trying to access it from windows 10 was enough to make it inaccessible.
Doing the same with a windows 7 as host allowed me full access.

Duno what MSFT exactly set on this directories but actually it seams pretty clear that its something different than ACL's
Even taking ownership under windows 7 removing all ACL entries, adding new once to grant full access to the administrators and everyone group, does not allow me to access this files when using a windows 10 host.

Anyone have any idea what they may have did here?
Reply With Quote
  #7  
Old 02-20-2020, 22:33
chants chants is offline
Family
 
Join Date: Jul 2016
Posts: 530
Rept. Given: 5
Rept. Rcvd 35 Times in 21 Posts
Thanks Given: 441
Thanks Rcvd at 793 Times in 370 Posts
chants Reputation: 35
Imagine an app running with admin though or elevated, and it checks permission to write its data in c:\windows\system32. If it fails access check then it writes to the user profile folder. Such a driver would start to change behavior of normally not possible scenarios. A small point maybe but some apps are coded this way.

The only thing I can think of is that the ownership and ACL changes both need to be recursively applied and hence dangerously destructive. But strange Win7 can access it. TrustedInstaller has always been enough for me unless an app was doing some special permission hacks. Especially surprising for command prompt as explorer has it's own special settings.
Reply With Quote
  #8  
Old 02-20-2020, 22:39
DavidXanatos DavidXanatos is offline
Family
 
Join Date: Jun 2018
Posts: 114
Rept. Given: 0
Rept. Rcvd 25 Times in 18 Posts
Thanks Given: 31
Thanks Rcvd at 233 Times in 77 Posts
DavidXanatos Reputation: 25
hmm... indeed that particular scenario would get broken.

About C:\Program Files\WindowsApps get a VM and try it for yourself, you will be surprised how nasty windows is with regard to some of the sub-folders in this location.

iirc. with System/TrustedInstaller permissions you at least can create new files but no chance modifying existing once.

I think windows 10 is using here some additional flags/attributes to protect these locations.
Reply With Quote
The Following User Says Thank You to DavidXanatos For This Useful Post:
chants (02-23-2020)
  #9  
Old 02-21-2020, 07:29
niculaita's Avatar
niculaita niculaita is offline
Family
 
Join Date: Jun 2011
Location: here
Posts: 1,166
Rept. Given: 870
Rept. Rcvd 85 Times in 57 Posts
Thanks Given: 2,795
Thanks Rcvd at 436 Times in 313 Posts
niculaita Reputation: 85
in gpt/mbr tables ... ?
__________________
Decode and Conquer
Reply With Quote
The Following User Says Thank You to niculaita For This Useful Post:
chants (02-23-2020)
  #10  
Old 02-21-2020, 18:51
DavidXanatos DavidXanatos is offline
Family
 
Join Date: Jun 2018
Posts: 114
Rept. Given: 0
Rept. Rcvd 25 Times in 18 Posts
Thanks Given: 31
Thanks Rcvd at 233 Times in 77 Posts
DavidXanatos Reputation: 25
After some more investigation it seams that what sets this extra protection is IRP_MJ_SET_SECURITY with (Cbd->Iopb->Parameters.SetSecurity.SecurityInformation == PROCESS_TRUST_LABEL_SECURITY_INFORMATION)

About PROCESS_TRUST_LABEL_SECURITY_INFORMATION Microsoft's documentation says only Reserved.
it seams this sets a ACL's entry S-1-19-512-4096I)(RX,D,WDAC,WO,WA) which is not being shown in the file properties security tab and can not easily be removed.

With this information google starts finally being usefully and one of the results is: https://docs.microsoft.com/en-us/archive/blogs/winsdk/why-cant-i-restore-files-even-when-i-have-backuprestore-privileges-enabled
Which lists the C:\Program Files\WindowsApps and displays details about this new Security Flag.
Reply With Quote
The Following 3 Users Say Thank You to DavidXanatos For This Useful Post:
chants (02-23-2020), niculaita (02-22-2020), Stingered (02-22-2020)
  #11  
Old 02-22-2020, 02:57
CodeCracker CodeCracker is offline
Family
 
Join Date: Jun 2011
Posts: 297
Rept. Given: 18
Rept. Rcvd 245 Times in 68 Posts
Thanks Given: 12
Thanks Rcvd at 1,005 Times in 222 Posts
CodeCracker Reputation: 200-299 CodeCracker Reputation: 200-299 CodeCracker Reputation: 200-299
Quote:
Well, you shouldn't start any malware processes while your ACLs are disabled, that much is obvious.
You shouldn't start any malware: period! (With or without ACL).
Is there any way to be able to extract files to the folder C:\WINDOWS\WinSxS
???
Reply With Quote
The Following User Says Thank You to CodeCracker For This Useful Post:
niculaita (02-22-2020)
  #12  
Old 02-22-2020, 16:02
DavidXanatos DavidXanatos is offline
Family
 
Join Date: Jun 2018
Posts: 114
Rept. Given: 0
Rept. Rcvd 25 Times in 18 Posts
Thanks Given: 31
Thanks Rcvd at 233 Times in 77 Posts
DavidXanatos Reputation: 25
Quote:
Originally Posted by CodeCracker View Post
Is there any way to be able to extract files to the folder C:\WINDOWS\WinSxS
On a first glance if you start a cmd.exe as TrustedInstaller you can access the C:\WINDOWS\WinSxS folder without restrictions.
Reply With Quote
The Following User Says Thank You to DavidXanatos For This Useful Post:
niculaita (02-22-2020)
  #13  
Old 02-23-2020, 16:43
chants chants is offline
Family
 
Join Date: Jul 2016
Posts: 530
Rept. Given: 5
Rept. Rcvd 35 Times in 21 Posts
Thanks Given: 441
Thanks Rcvd at 793 Times in 370 Posts
chants Reputation: 35
I agree the WindowsApps folder is a nightmare for access control. Fortunately most of us are probably still using 95% desktop apps and not the Metro/UWP apps. Though with Win10 forced updates and migration slowly in that direction, reversing these will become more important. So I completely understand why you wrote this app now .

Can a process with a high enough integrity level running as TrustedInstaller modify ACLs without the driver? I know process integrity level was added a while back and it tends to be weighed in access checks.
Reply With Quote
  #14  
Old 02-27-2020, 01:15
foosaa foosaa is online now
Friend
 
Join Date: Dec 2005
Posts: 83
Rept. Given: 34
Rept. Rcvd 11 Times in 9 Posts
Thanks Given: 122
Thanks Rcvd at 71 Times in 28 Posts
foosaa Reputation: 11
Is it possible to upload the files to some download host please? People like me are unable to download them. Thank you.
Reply With Quote
  #15  
Old 02-27-2020, 02:59
Rasmus Rasmus is offline
Friend
 
Join Date: Jul 2019
Posts: 29
Rept. Given: 0
Rept. Rcvd 2 Times in 2 Posts
Thanks Given: 9
Thanks Rcvd at 11 Times in 9 Posts
Rasmus Reputation: 2
Quote:
Originally Posted by foosaa View Post
Is it possible to upload the files to some download host please? People like me are unable to download them. Thank you.
Files attached are same as the ones found here:
Code:
https://github.com/DavidXanatos/IgnoreACLs/releases
Reply With Quote
Reply

Thread Tools
Display Modes

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off


Similar Threads
Thread Thread Starter Forum Replies Last Post
Driver Signing on x64 Windows _MAX_ x64 OS 7 10-22-2012 15:47
WDF (Windows Driver Foundation) vodu General Discussion 2 06-29-2005 06:06
Windows 2000 Device Driver Book + Inside Windows 2000 at FTP dynio General Discussion 16 09-19-2003 23:21


All times are GMT +8. The time now is 00:22.


Always Your Best Friend: Aaron, JMI, ahmadmansoor, ZeNiX
( 1998 - 2020 )