PEB file name spoofing

wj32 (Senior Member, joined 16 January 2009, Australia, 704 posts)
Posted: 21 January 2009 at 10:26pm
Nope, I changed Length in the UNICODE_STRING to 0x9999 and PE didn't crash. But the real bug (and security issue) is the fact that PE is vulnerable to file name spoofing.

molotov (Moderator Group, joined 04 October 2006, 17492 posts)
Posted: 21 January 2009 at 9:12pm
For better or worse, I think the fix was related to the crash. Or do you still experience a crash?
Daily affirmation:
net helpmsg 4006

wj32 (Senior Member, joined 16 January 2009, Australia, 704 posts)
Posted: 21 January 2009 at 9:00pm
I'm pretty sure I'm running a release newer than the "next release" he was talking about! So, I guess people should get reminded of this since it wasn't fixed.

molotov (Moderator Group, joined 04 October 2006, 17492 posts)
Posted: 21 January 2009 at 11:07am
Hi wj32,

Seems at least similar to this.
Daily affirmation:
net helpmsg 4006

wj32 (Senior Member, joined 16 January 2009, Australia, 704 posts)
Posted: 21 January 2009 at 10:25am
It turns out this is actually quite old - I'm surprised PE has this bug! See http://www.matousec.com/info/advisories/Bypassing-process-identification-serveral-personal-firewalls-HIPS.php

Edited by wj32 - 21 January 2009 at 10:29am

wj32 (Senior Member, joined 16 January 2009, Australia, 704 posts)
Posted: 21 January 2009 at 10:14am
Actually, .NET programs ARE affected. I didn't do enough testing... The main module file name is actually blanked - you can check in Process Explorer! Yay for me!

wj32 (Senior Member, joined 16 January 2009, Australia, 704 posts)
Posted: 21 January 2009 at 10:11am
I've just thought of an idea... PEB image file name spoofing! The basic idea is that we modify RTL_USER_PROCESS_PARAMETERS, referenced by the PEB, so that the ImageFileName UNICODE_STRING points to our custom string. I've attached an example program. You can use it like this:

C:\...>FileNameSpoofTest.exe "C:\Windows\system32\csrss.exe"
PEB is at 0x7ffd5000
RTL_USER_PROCESS_PARAMETERS is at 0x2212e8
Current Command Line is FileNameSpoofTest.exe  "C:\Windows\system32\csrss.exe"
Current Image Path Name is C:\...\FileNameSpoofTest.exe
Setting Command Line to nothing and setting Image Path Name to the argument...
Press ENTER to close this program

At this point, don't close the program (obviously). If you've got PE running, restart it (just in case), and if you haven't, start it. Take a look at FileNameSpoofTest.exe in the process tree and its description. Click Verify in process properties.

Surprisingly, good old Task Manager isn't affected and knows its true file name. Even HijackFree isn't fooled. Simple tools like HijackThis which have a hardcoded process safelist are affected.

My guess is that Task Manager uses the "proper" way of getting process file names, NtQueryInformationProcess with ProcessImageFileName. I think that HijackFree simply uses the main module file name, and so isn't affected. .NET programs are also unaffected due to the laziness of whoever programmed the System.Diagnostics.Process class (it uses the main module file name as well).

So:
  1. Mark should fix this, since this affects the power users and not the normal users! (Based on the assumption that normal users don't use PE.)
  2. Are there ways to spoof the file names of loaded modules in a process?

uploads/20090121_094546_FileNameSpoofTe.zip
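An added example, not code from this thread or from the attached FileNameSpoofTest.exe: a small Windows C checker that reads ProcessParameters->ImagePathName out of a target's PEB (the field the spoofing tool rewrites) and compares it with QueryFullProcessImageNameW, the documented API that returns the kernel-maintained image name rather than anything read from the PEB, so a mismatch or a blanked PEB path flags the process. The program name, the PID argument handling and the classify_image_paths verdict strings are my own; it assumes the checker and the target have the same bitness, and it clamps the UNICODE_STRING Length from the target so a hostile value like the 0x9999 mentioned above cannot overrun the buffer.

```c
#ifndef _WIN32_WINNT
#define _WIN32_WINNT 0x0600   /* QueryFullProcessImageNameW needs Vista or later */
#endif
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <wchar.h>
#include <wctype.h>
/* Verdict for one process: kernel-reported path vs. the path its own PEB
 * advertises. Case-insensitive; an empty PEB path is the "blanked" case. */
const char *classify_image_paths(const wchar_t *kernel, const wchar_t *peb) {
    if (peb == NULL || peb[0] == L'\0') return "blank";
    for (; *kernel && *peb; kernel++, peb++)
        if (towlower(*kernel) != towlower(*peb)) return "spoofed";
    return (*kernel == *peb) ? "ok" : "spoofed";   /* both strings must end together */
}
#ifdef _WIN32
#include <windows.h>
#include <winternl.h>                  /* link with ntdll.lib (MinGW: -lntdll) */
/* Read ProcessParameters->ImagePathName from the target's PEB, the way a
 * user-mode tool does. Length is attacker-controlled data from the target,
 * so it is clamped to our buffer. Caller and target must share bitness. */
static BOOL read_peb_image_path(HANDLE h, wchar_t *out, DWORD cap) {
    PROCESS_BASIC_INFORMATION pbi; PEB peb;
    RTL_USER_PROCESS_PARAMETERS pp; DWORD n;
    if (NtQueryInformationProcess(h, ProcessBasicInformation, &pbi, sizeof pbi, NULL) != 0 ||
        !ReadProcessMemory(h, pbi.PebBaseAddress, &peb, sizeof peb, NULL) ||
        !ReadProcessMemory(h, peb.ProcessParameters, &pp, sizeof pp, NULL))
        return FALSE;
    n = pp.ImagePathName.Length / sizeof(wchar_t);
    if (n >= cap) n = cap - 1;                         /* clamp hostile Length */
    if (n && !ReadProcessMemory(h, pp.ImagePathName.Buffer, out, n * sizeof(wchar_t), NULL))
        return FALSE;
    out[n] = L'\0';
    return TRUE;
}
/* Usage: spoofcheck.exe <pid>  (defaults to the current process) */
int main(int argc, char **argv) {
    wchar_t kernel[MAX_PATH], peb[MAX_PATH]; DWORD klen = MAX_PATH;
    DWORD pid = argc > 1 ? (DWORD)atoi(argv[1]) : GetCurrentProcessId();
    HANDLE h = OpenProcess(PROCESS_QUERY_INFORMATION | PROCESS_VM_READ, FALSE, pid);
    /* Kernel's own record of the image; PEB tampering does not touch it. */
    if (!h || !QueryFullProcessImageNameW(h, 0, kernel, &klen) ||
        !read_peb_image_path(h, peb, MAX_PATH)) return 1;
    printf("kernel: %ls\nPEB:    %ls\nverdict: %s\n", kernel, peb,
           classify_image_paths(kernel, peb));
    CloseHandle(h);
    return 0;
}
#endif
```

Run it against a process started by the spoofing tool and the kernel line still shows FileNameSpoofTest.exe while the PEB line shows the argument that was passed in.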