OS Internals

Data alignment and performance

I read an informative IBM article about data alignment and its importance when developing native code.

Data alignment is an important issue for all programmers who directly use memory. Data alignment affects how well your software performs, and even if your software runs at all. As this article illustrates, understanding the nature of alignment can also explain some of the “weird” behaviors of some processors.

Delphi (my preferred native Windows programming language) supports the $CODEALIGN compiler directive, as well as another interesting custom alignment method. The Delphi code below aligns a buffer on a 128-byte boundary:

procedure TForm1.Button1Click(Sender: TObject);
type
  TFFTData = array[0..63535] of double;
  PFFTData = ^TFFTData;
var
  Buffer: pointer;
  FFTDataPtr: PFFTData;
  i: integer;
const
  Alignment = 128; // needs to be power of 2
begin
  GetMem(Buffer, SizeOf(TFFTData) + Alignment);
  try
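    // Round the address up to the next multiple of Alignment.
    // NativeUInt matches the pointer width; LongWord would truncate a 64-bit address.
    FFTDataPtr := PFFTData((NativeUInt(Buffer) + Alignment - 1)
                           and not NativeUInt(Alignment - 1));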

    // use data...
    for i := Low(TFFTData) to High(TFFTData) do
      FFTDataPtr[i] := i * pi;

  finally
    FreeMem(Buffer);
  end;
end;

source: http://stackoverflow.com/a/847044/12458

Capturing credentials from ‘Encrypted RunAs’ software

UPDATED: 5/30/2013 to cover same flaw in EnSc.exe.

There is a reason that the RunAs program doesn’t accept credentials on the command line…because people would embed passwords. Microsoft developer Raymond Chen writes:

If this offends you and you want to be insecure and pass the password on the command line anyway (for everyone to see in the command window title bar), you can write your own program that calls the CreateProcessWithLogonW function.

Enter the many products that offer a way to “securely” embed credentials in a shortcut or file in order to launch an executable as an administrator.

Wingnut Software offers their commercial ‘Encrypted RunAs’ application as a way for administrators to create encrypted shortcut commands that will launch applications with Administrative credentials. The selling point is that these credentials (which an administrator would provide when creating the shortcut) are protected in an encrypted command.

So I thought I’d download it and take a look at how it protects against the username and password being monitored and captured by a user with only standard USER rights. Note that I am *not* testing how well ERunAs encrypts the command…it appears to encrypt the command and credentials as strongly as advertised. However, I’m looking to see what happens after ERunAs decrypts everything and has to pass data to the operating system (and if I can capture that).

Spoiler, as a standard user I could monitor the parameters passed by ERunAs to the CreateProcessWithLogonW API and see the administrator’s username and password that were encrypted in the shortcut:


Encrypted RunAs is a small utility that is designed to make the job of Administrators a little easier, it can be used to run applications or software installations with access rights a standard user does not have.


I created an encrypted shortcut to run “notepad.exe” as the local administrator named “ALincoln” with a password of “Fubard123”.

Using the free API Monitor application, I was able to run it as a standard user (see below, I’m demonstrating I’m a standard user and that API Monitor is not elevated, but running with limited user rights), and I set a filter within API Monitor on the CreateProcessWithLogonW API.


From there I called ERunAs.exe, supplying the “Notepad.eras” file as its parameter (just like the shortcut does that Encrypted RunAs creates):


And seconds after clicking OK, I can see that the CreateProcessWithLogonW API was called by ERunAs.exe and I can see the parameters passed in clear text:


This means that if a standard user can access ERunAs.exe and the command it uses, the user can capture the administrative credentials used.

Now, I’ve been picking on 1 product so far, but I’ve confirmed this same method works to capture credentials from JoeWare’s CPAU, and Quimeras’ TqcRunas. I would expect this to work with any application that passes credentials to the CreateProcessWithLogonW API.

UPDATE

Based on feedback from a commenter, I also looked at EnSc (Encrypted Shortcut Creator). I found that using the same method as above, I can still capture the administrator’s credentials at the time the process is called. This can be done by a user without administrative rights…meaning any user that runs an EnSc created shortcut or has access to the shortcut, and the “ensc.db” file created by the program on first run (when master password is set).


inception — unlock any machine via firewire and then defeat BitLocker, TrueCrypt, FileVault, etc

https://github.com/carmaa/inception

Inception is a FireWire physical memory manipulation and hacking tool exploiting IEEE 1394 SBP-2 DMA. The tool can unlock (any password accepted) and escalate privileges to Administrator/root on almost any machine you have physical access to.

Inception aims to provide a stable and easy way of performing intrusive and non-intrusive memory hacks in order to unlock live computers using FireWire SBP-2 DMA. It is primarily intended to do its magic against computers that utilize full disk encryption such as BitLocker, FileVault, TrueCrypt or Pointsec. There are plenty of other (and better) ways to hack a machine that doesn’t pack encryption.

The tool works over any interface that expands and can master the PCIe bus. This includes FireWire, Thunderbolt, ExpressCard and PCMCIA (PC-Card).

More importantly, this works on Windows 8/7/Vista/XP, Mac OSX 10.5 -> 10.8, Ubuntu 11.04+, and Linux Mint 12+.

How it works

http://www.breaknenter.org/projects/inception

Inception’s main mode works as follows: By presenting a Serial Bus Protocol 2 (SBP-2) unit directory to the victim machine over the IEEE1394 FireWire interface, the victim operating system thinks that a SBP-2 device has connected to the FireWire port. Since SBP-2 devices utilize Direct Memory Access (DMA) for fast, large bulk data transfers (e.g., FireWire hard drives and digital camcorders), the victim lowers its shields and enables DMA for the device. The tool now has full read/write access to the lower 4GB of RAM on the victim. Once DMA is granted, the tool proceeds to search through available memory pages for signatures at certain offsets in the operating system’s password authentication modules. Once found, the tool short circuits the code that is triggered if an incorrect password is entered.

An analogy for this operation is planting an idea into the memory of the machine; the idea that every password is correct. In other words, the nerdy equivalent of a memory inception.

This will certainly add a new dimension to penetration tests that I perform…

Update a registry key for ALL users on a system

Have you ever needed to update a registry key that is stored in each user’s HKEY_CURRENT_USER or HKEY_CLASSES_ROOT hive? Have you also ever needed to update it for ALL users on the system, as well as make it the default setting when a new user profile is created?

That can be a bit of a daunting task. One solution is to add the registry key update to the user’s logon script.

However, there is another way and I wrote a vbscript to make it easy.

The source code (vbscript) is available here: https://github.com/MicksMix/RegUpdateAllUsers

CHANGELOG

  • Nov 15, 2013 – Able to update NTUSER.DAT and/or USRCLASS.DAT (HKCU and/or HKCR)
  • Aug 25, 2013 – Added ability to delete keys
  • Apr 23, 2013 – Added ability to write REG_BINARY values
  • Apr 11, 2013 – Fixed bug where it wouldn’t work when run by SYSTEM account
  • Mar 28, 2013 – Huge code cleanup and bug fixes
  • Jan 13, 2012 – Initial release

The script can set REG_BINARY keys as long as they are in the format used by a regedit.exe export. For example:

[HKEY_CURRENT_USER\Software\_Test\MyTestBinarySubkey]
"My Test Binary Value"=hex:23,00,41,00,43,00,42,00,6c,00

To set this binary value using the script, you would modify line 82 to be:
SetBinaryRegKeys sRegistryRootToUse, strRegPathParent03, "My Test Binary Value", "hex:23,00,41,00,43,00,42,00,6c,00"

The script works correctly even when run under the SYSTEM account.

The general way this script works:

  1. Update the currently logged on user’s HKCU (that’s easy enough)
  2. Then you must enumerate every profile on the system
  3. Find their ntuser.dat file (ntuser.dat contains the contents of the user’s HKCU hive)
  4. Find their usrclass.dat file (usrclass.dat contains the user’s HKCR hive)
  5. Load ntuser.dat and/or usrclass.dat into a temporary key in the HKLM hive (programmatically or using reg.exe)
  6. I use ‘HKLM\TempHive’ as the temporary key
  7. Then when you write to “HKLM\TempHive” you are actually editing that user’s HKCU hive.
  8. If you load ntuser.dat/usrclass.dat for the “Default” user, the settings will take effect for any NEW user profile created on the system
  9. If more than 1 user is currently logged on, you can edit their HKCU/HKCR hive by looking the user up by their SID under HKEY_USERS and writing to it at that location.

It’s a bit of a tedious job, so I wrote a VBScript that takes care of all of the steps listed above. This script has been tested on Windows XP and Windows 7 (x64), but should work on Windows 2000 and newer. It relies on “reg.exe” which ships with all versions of Windows.
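
The core of the steps above for the HKCU (ntuser.dat) case, as an added PowerShell example; it is not the RegUpdateAllUsers script. The target key and value are constructed, the SID filter is this example's own choice, and it assumes Windows Vista or later (where ProfileList carries a "Default" value) and an elevated prompt.

```powershell
# Added example, not the RegUpdateAllUsers script. Run from an elevated prompt.
# Constructed target: HKCU\Software\_Test, REG_SZ value "Example" = "1".
$SubKey = 'Software\_Test'; $Name = 'Example'; $Value = '1'
$TempHive = 'HKLM\TempHive'   # temporary mount point named in the post
$ProfileList = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList'

function Set-ExampleValue([string]$Root) {
    # $Root is a reg.exe root such as HKU\<SID> or HKLM\TempHive
    & reg.exe add "$Root\$SubKey" /v $Name /t REG_SZ /d $Value /f | Out-Null
    if ($LASTEXITCODE -ne 0) { Write-Warning "Write failed under $Root" }
}

$offlineHives = @()
foreach ($key in Get-ChildItem $ProfileList) {
    $sid = $key.PSChildName
    # Local and domain accounts only; service accounts are skipped (example's choice)
    if ($sid -notlike 'S-1-5-21-*') { continue }
    $profileDir = $key.GetValue('ProfileImagePath')
    if (-not $profileDir) { continue }
    if (Test-Path "Registry::HKEY_USERS\$sid") {
        # User is logged on, so the hive is already mounted under HKEY_USERS\<SID>
        Set-ExampleValue "HKU\$sid"
    } else {
        $offlineHives += Join-Path $profileDir 'NTUSER.DAT'
    }
}

# The Default profile's hive is the template for profiles created later
$defaultDir = (Get-Item $ProfileList).GetValue('Default')
if ($defaultDir) { $offlineHives += Join-Path $defaultDir 'NTUSER.DAT' }

foreach ($hive in $offlineHives) {
    if (-not [System.IO.File]::Exists($hive)) { continue }
    & reg.exe load $TempHive $hive | Out-Null
    if ($LASTEXITCODE -ne 0) { Write-Warning "Cannot load $hive"; continue }
    try     { Set-ExampleValue $TempHive }
    finally { & reg.exe unload $TempHive | Out-Null }   # always release the hive
}
```

The usrclass.dat (HKCR) case follows the same load, write, unload pattern and is left out here.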

Some have requested to make a donation to thank me for this work. That’s certainly optional, but if you’d like to do that, you can do so from FastSpring’s secure website here.

The Windows “App Paths” Registry Key

This was news to me. Basically, not every app has to be on your PATH to be launched via executable name only (from anywhere).

For example, on my x64 Windows 7 machine, WordPad is located at:

<C:\Program Files\Windows NT\Accessories\wordpad.exe>

This is *not* set in my PATH environment variable. But I can go to Start > Run, and type wordpad, and it launches.

Why does this work? Because of “App Paths”.

<HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths>

http://helgeklein.com/blog/2010/08/how-the-app-paths-registry-key-makes-windows-both-faster-and-safer/

Why can you start Mozilla Firefox by typing “firefox” in the Run dialog and press enter? Firefox.exe is not located in any directory in the path. The same with Outlook (type “outlook”), PowerShell (“powershell”), VMware Workstation (“vmware”) or Adobe Reader (“acrord32”). This “magic application starting thingy” works because of a little-known Windows feature based on the “App Paths” registry key.

Windows API developer Raymond Chen has more detail on the feature and history on why “App Paths” registry key was created in the first place.

http://blogs.msdn.com/b/oldnewthing/archive/2011/07/25/10189298.aspx

Also note that malware could use this as well. Raymond Chen clarifies it well:

Now, the intent was that the registered full path to the application is the same as the registered short name, just with a full path in front. For example, wordpad.exe registers the full path of %ProgramFiles%\Windows NT\Accessories\WORDPAD.EXE.

But there’s no check that the two file names match. The Pbrush folks took advantage of this by registering an application path entry for pbrush.exe with a full path of %SystemRoot%\System32\mspaint.exe: That way, when somebody types pbrush into the Run dialog, they get redirected to mspaint.exe.
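
Because nothing enforces that the registered name matches the target, a defender can audit the key for redirects. The following read-only PowerShell check is an added example, not code from the posts quoted above; it goes one step beyond the page by also reading the per-user key under HKCU, which Windows 7 and later consult as well.

```powershell
# Added example: list App Paths entries whose registered short name differs
# from the file name of the target, or whose target file does not exist.
$roots = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths',
         'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths'

function Get-AppPathAnomaly {
    foreach ($root in $roots) {
        if (-not (Test-Path $root)) { continue }
        foreach ($key in Get-ChildItem $root) {
            # The (Default) value of each subkey holds the full path to launch
            $raw = $key.GetValue('')
            if (-not $raw) { continue }
            $target = [Environment]::ExpandEnvironmentVariables($raw).Trim('"')
            $alias  = $key.PSChildName
            $leaf   = Split-Path $target -Leaf

            $mismatch = $leaf -ne $alias      # -ne is case-insensitive
            $missing  = -not (Test-Path -LiteralPath $target -PathType Leaf)

            if ($mismatch -or $missing) {
                [pscustomobject]@{
                    Root          = $root.Substring(0, 4)   # HKLM or HKCU
                    Alias         = $alias
                    Target        = $target
                    NameMismatch  = $mismatch
                    TargetMissing = $missing
                }
            }
        }
    }
}

Get-AppPathAnomaly | Sort-Object Root, Alias | Format-Table -AutoSize
```

A mismatch is not malicious by itself (the pbrush.exe to mspaint.exe entry described above is one), so the output is a list to review against a known-good baseline rather than a verdict.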