hfiref0x/KDU

[Information] Microsoft banned Microsoft SysInternals Process Explorer driver

hfiref0x opened this issue · 0 comments

It took them 10+ years and about 4 different APT usages (which I can count/remember) to figure out that something is wrong with it.

The recent update of the WDAC blocklist now includes a block of all Process Explorer drivers with version <=16.x. Since this driver is used in KDU as well (as a victim shellcode placeholder/target), this change will also affect KDU.

The new 17.x Process Explorer driver brings the following "security" improvements:

First, in the IOCTL-callable routine responsible for opening a handle for a given process, it now checks whether the process you want to open is "protected" (PsIsProtectedProcess) and, if it is, sets the access flags to PROCESS_QUERY_LIMITED_INFORMATION.

Second, the routine involving ZwDuplicateObject also got a similar update, not allowing you to duplicate handles of protected processes or PsInitialSystemProcess.