Comment by int0x29

Comment by int0x29 a day ago

5 replies

View on Hacker News

You can turn off win32k calls for a process if you don't need gui. You can also run the process with a lower privilege access token to reduce file access and some kernel access.

I'd love to see one to block more kernel calls than just win32k. The best method I've come up with is to create a shared memory buffer to a seperate interface process and then unmount ntdll.dll by marking its pages `page_noaccess`. Thanks to win32 weirdness you can still allocate memory into the process without nt calls from the interface process as VirtualAllocEx, VirtualAlloc2, VirtualProtectEx, VirtualFreeEx, VirtualQueryEx, NtAllocateVirtualMemory, NtFreeVirtualMemory, etc take a process handle as an argument. This kinda requires writing a userspace kernel and your own standard library though.

MS please give me a better method to lock down kernel access beyond nowin32k. Hyperv doesn't work for consumer apps as half the consumer versions of windows don't have it.

SpaghettiCthulu 5 hours ago

Correct me if I'm wrong, but ntdll isn't magic. An attacker could just use raw syscall machine code, although they would need to pay close attention to the OS version.

Reply View 0 replies
mike_hearn 12 hours ago

Windows has a fairly capable sandbox called app isolation levels:

https://learn.microsoft.com/en-us/windows/win32/secauthz/app...

Look at how Chrome does it if you want to learn more. The API is classic Win32 unfortunately: extremely complicated, under-documented and full of razor sharp edges. The way Chrome does it also requires custom installer logic. But, it does exist.

Reply View 3 replies
  • mwcampbell 8 hours ago

    Why do you say the way Chrome does it requires custom installer logic? Electron is able to use Chromium's sandbox for renderer processes without imposing any installer requirements as far as I know.

    Reply View 2 replies
    • mike_hearn 6 hours ago

      That's a good question, I'm not sure how Electron does it. Chrome sets things up at install time with special permissions on its own files so the sandboxed processes can read them.

      Reply View 1 reply
      • mwcampbell 5 hours ago

        Ah, OK. Honestly, it wouldn't surprise me if Electron made it work by weakening the sandboxing. Someone should look into that though before we assume that's the case.

        Reply View 0 replies