Most users run as local administrators, which is good news for malware authors. This means that the user has administrator access on the machine, and can give the malware those same privileges.
The security community recommends not running as local administrator, so that if you accidentally run malware, it won’t automatically have full access to your system. If a user launches malware on a system but is not running with administrator rights, the malware will usually need to perform a privilege-escalation attack to gain full access.
The majority of privilege-escalation attacks are known exploits or zero-day attacks against the local OS, many of which can be found in the Metasploit Framework (http://www.metasploit.com/). DLL load-order hijacking can even be used for a privilege escalation. If the directory where the malicious DLL is located is writable by the user, and the process that loads the DLL is run at a higher privilege level, then the malicious DLL will gain escalated privileges. Malware that includes privilege escalation is relatively rare, but common enough that an analyst should be able to recognize it.
Sometimes, even when the user is running as local administrator, the malware will require privilege escalation. Processes running on a Windows machine are run either at the user or the system level. Users generally can’t manipulate system-level processes, even if they are administrators. Next, we’ll discuss a common way that malware gains the privileges necessary to attack system-level processes on Windows machines.
Processes run by a user don’t have free access to everything, and can’t, for
instance, call functions like TerminateProcess
or CreateRemoteThread
on remote processes. One way that malware gains access
to such functions is by setting the access token’s rights to enable SeDebugPrivilege
. In Windows systems, an access token is an object
that contains the security descriptor of a process. The security descriptor is used to specify the
access rights of the owner—in this case, the process. An access token can be adjusted by
calling AdjustTokenPrivileges
.
The SeDebugPrivilege
privilege was created as a tool for
system-level debugging, but malware authors exploit it to gain full access to a system-level
process. By default, SeDebugPrivilege
is given only to local
administrator accounts, and it is recognized that granting SeDebugPrivilege
to anyone is essentially equivalent to giving them LocalSystem account
access. A normal user account cannot give itself SeDebugPrivilege
; the request will be denied.
Example 11-6 shows how malware enables its
SeDebugPrivilege
.
Example 11-6. Setting the access token to SeDebugPrivilege
00401003 lea eax, [esp+1Ch+TokenHandle] 00401006 push eax ; TokenHandle 00401007 push (TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY) ; DesiredAccess 00401009 call ds:GetCurrentProcess 0040100F push eax ; ProcessHandle 00401010 call ds:OpenProcessToken ❶ 00401016 test eax, eax 00401018 jz short loc_401080 0040101A lea ecx, [esp+1Ch+Luid] 0040101E push ecx ; lpLuid 0040101F push offset Name ; "SeDebugPrivilege" 00401024 push 0 ; lpSystemName 00401026 call ds:LookupPrivilegeValueA 0040102C test eax, eax 0040102E jnz short loc_40103E ... 0040103E mov eax, [esp+1Ch+Luid.LowPart] 00401042 mov ecx, [esp+1Ch+Luid.HighPart] 00401046 push 0 ; ReturnLength 00401048 push 0 ; PreviousState 0040104A push 10h ; BufferLength 0040104C lea edx, [esp+28h+NewState] 00401050 push edx ; NewState 00401051 mov [esp+2Ch+NewState.Privileges.Luid.LowPt], eax ❸ 00401055 mov eax, [esp+2Ch+TokenHandle] 00401059 push 0 ; DisableAllPrivileges 0040105B push eax ; TokenHandle 0040105C mov [esp+34h+NewState.PrivilegeCount], 1 00401064 mov [esp+34h+NewState.Privileges.Luid.HighPt], ecx ❹ 00401068 mov [esp+34h+NewState.Privileges.Attributes], SE_PRIVILEGE_ENABLED ❺ 00401070 call ds:AdjustTokenPrivileges ❷
The access token is obtained using a call to OpenProcessToken
at ❶ and passing in its
process handle (obtained with the call to GetCurrentProcess
), and
the desired access (in this case, to query and adjust privileges) are passed in. Next, the malware
calls LookupPrivilegeValueA
. which retrieves the
locally unique identifier (LUID). The LUID is a structure that represents the
specified privilege (in this case, SeDebugPrivilege
).
The information obtained from OpenProcessToken
and LookupPrivilegeValueA
is used in the call to AdjustTokenPrivileges
at ❷. A key structure,
PTOKEN_PRIVILEGES
, is also passed to AdjustTokenPrivileges
and labeled as NewState
by IDA
Pro. Notice that this structure sets the low and high bits of the LUID using the result from
LookupPrivilegeValueA
in a two-step process seen at ❸ and ❹. The Attributes
section of the NewState
structure is set to SE_PRIVILEGE_ENABLED
at ❺, in order to enable SeDebugPrivilege
.
This combination of calls often happens before system process manipulation code. When you see a function containing this code, label it and move on. It’s typically not necessary to analyze the intricate details of the escalation method that malware uses.