
Frida is failing with processes running in Low Integrity Level #50

Closed
poxyran opened this issue Nov 5, 2015 · 6 comments

Comments


poxyran commented Nov 5, 2015

Frida is failing with processes running in Low Integrity Level

I'm trying to implement a script in Python to work with a process running in Low Integrity Level under Windows 7 SP0 x86. The specific process is IE, Internet Explorer, the child not the broker. When I run the script (frida-process-low-il-test.py), I get the following error:

{{{
C:\Users\defcon\Documents>python frida-process-low-il-test.py 2892
Traceback (most recent call last):
File "frida-process-low-il-test.py", line 27, in <module>
main(target_process)
File "frida-process-low-il-test.py", line 9, in main
session = frida.attach(target_process)
File "C:\Python27\lib\site-packages\frida\__init__.py", line 55, in attach
return get_local_device().attach(target)
File "C:\Python27\lib\site-packages\frida\core.py", line 87, in attach
return Session(self._impl.attach(self._pid_of(target)))
frida.ProcessNotRespondingError: timed out while waiting for session to establish
}}}

But if I run it against other process, for example, notepad, I get the following result:

{{{
C:\Users\defcon\Documents>python frida-process-low-il-test.py 1544
[+] Received msg from process: Hello from my process
[!] Press at any time to detach from instrumented program.
}}}

I was talking with @oleavr and we think it is a problem with the named pipe's permissions. It seems that frida can inject the library into the process running with Low IL but then the process can't write to the pipe. This makes sense because the idea of having a process running in Low IL is to isolate it from processes with more privileges to avoid privilege escalations. In fact, if I disable UAC (User Account Control), the IE child process will run with High IL and the frida client would be able to write to the pipe.

This is considered as the expected behavior according to the "Communication between low-integrity and higher-integrity processes" in this article from MSDN: https://msdn.microsoft.com/en-us/library/bb625960.aspx

However, I'm in a situation where I need to communicate with a process running with Low IL. Even though it is not a good idea to allow a process running in Low IL to write to a named pipe, it would be a good idea to add a parameter (for example: child_could_write_pipe=True) to allow this behavior. I would use it like this:

{{{
session = frida.attach(target_process, child_could_write_pipe=True)
}}}

According to the previous link, in order to allow this behavior over named pipes "the creator explicitly sets the mandatory label on the pipe to allow access to lower-integrity processes".

I was experimenting with the SetLowLabelToFile() function mentioned on that article but without luck.

Looking for some more detailed information, I found this: http://blogs.msdn.com/b/cjacks/archive/2006/10/24/modifying-the-mandatory-integrity-level-for-a-securable-object-in-windows-vista.aspx which takes me to the AddMandatoryAce API which seems to be the answer to the problem.

I'm attaching a script to reproduce the issue. Just run IE or any other process with Low IL and then attach to it like 'python frida-process-low-il-test.py '.

I'm also attaching the pipe-windows.c (this file goes to frida-core\lib\pipe) with the modified SetLowLabelToFile (in my case the function is called SetLowLabelToPipe()) and the compiled _frida.pyd (for Python 2.7 x86).

You can get the files here (github doesn't allow me to upload the files right here): https://www.dropbox.com/s/4tmwofru9hd9kp2/frida-low-il.zip?dl=0

Author

poxyran commented Nov 5, 2015

Some more information about this: http://go4answers.webhost4life.com/Example/named-pipes-not-working-logged-standard-177282.aspx

See 'Answer 7':

{{{
I FINALLY got it working.
Man this stuff is as clear as mud.

It seems that there is no way to modify the permissions of a named pipe after it has been created.
I tried and it always either simply doesn't work or returns ACCESS_DENIED.
So, I had to specify both the DACL and SACL up front when creating the pipe.

The DACL code was pasted above in an earlier thread and the SACL can be created as follows:

  1. Create a new ACL using InitializeAcl()
  2. Initialize a new SID specifying 'SECURITY_MANDATORY_LOW_RID'
  3. Call AddMandatoryAce() to add the SID to the ACL
  4. Call SetSecurityDescriptorSacl() to add the ACL to the security descriptor

}}}
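The four steps quoted above (and the AddMandatoryAce route mentioned earlier in the thread) carried through in C, as an added example that is not Frida's pipe-windows.c nor the code of commit a95a5e6. The portable first half is a deliberately simplified model of the mandatory integrity check the kernel applies (DACL checks are left out); the Windows-only second half builds the Low label SACL before creating the pipe, since the quoted answer reports that the label cannot be changed afterwards. The function names and the pipe name argument are this example's own.

```c
/* Added example: a named pipe with a Low mandatory label so a Low IL client can write.
 * Not Frida's code; the model function below is a simplification (assumption). */
#ifdef _WIN32
#define _WIN32_WINNT 0x0600   /* AddMandatoryAce needs Vista+ declarations */
#include <windows.h>
#include <sddl.h>
#endif
#include <stdbool.h>
#include <stdint.h>

/* Mandatory-label RIDs of SID S-1-16-<rid> (values as in winnt.h). */
#define ML_RID_LOW    0x1000
#define ML_RID_MEDIUM 0x2000
#define ML_RID_HIGH   0x3000

/* Mandatory policy bits carried by the label ACE (values as in winnt.h). */
#define ML_NO_WRITE_UP 0x1
#define ML_NO_READ_UP  0x2
#define ML_NO_EXEC_UP  0x4

enum access_kind { ACCESS_READ, ACCESS_WRITE, ACCESS_EXECUTE };

/* Simplified model of the integrity check: access is refused only when the subject's
 * level is below the object's label AND the label's policy forbids that direction.
 * The default label policy is NO_WRITE_UP, which is why a Low IL process can read a
 * Medium-labelled pipe but cannot write to it. Discretionary checks still apply. */
bool mandatory_label_allows(uint32_t subject_rid, uint32_t object_rid,
                            uint32_t policy, enum access_kind kind)
{
    if (subject_rid >= object_rid)
        return true;
    switch (kind) {
    case ACCESS_READ:    return !(policy & ML_NO_READ_UP);
    case ACCESS_WRITE:   return !(policy & ML_NO_WRITE_UP);
    case ACCESS_EXECUTE: return !(policy & ML_NO_EXEC_UP);
    }
    return false;
}

#ifdef _WIN32
/* Create a pipe whose label is Low with NO_WRITE_UP, built up front at creation time.
 * Returns INVALID_HANDLE_VALUE on failure; GetLastError() has the reason. */
HANDLE create_low_label_pipe(const wchar_t *pipe_name)
{
    HANDLE pipe = INVALID_HANDLE_VALUE;
    PSID low_sid = NULL;
    PACL sacl = NULL;
    SECURITY_DESCRIPTOR sd;
    SECURITY_ATTRIBUTES sa = { sizeof(sa), &sd, FALSE };
    DWORD sacl_size;

    /* Step 2: the Low mandatory-label SID, S-1-16-4096 (SECURITY_MANDATORY_LOW_RID). */
    if (!ConvertStringSidToSidW(L"S-1-16-4096", &low_sid))
        goto out;

    /* Step 1: an ACL sized for exactly one SYSTEM_MANDATORY_LABEL_ACE. */
    sacl_size = sizeof(ACL) + sizeof(SYSTEM_MANDATORY_LABEL_ACE)
              - sizeof(DWORD) + GetLengthSid(low_sid);
    sacl = (PACL)LocalAlloc(LPTR, sacl_size);
    if (sacl == NULL || !InitializeAcl(sacl, sacl_size, ACL_REVISION))
        goto out;

    /* Step 3: the label ACE. NO_WRITE_UP is the usual policy; at Low nothing sits below it. */
    if (!AddMandatoryAce(sacl, ACL_REVISION, 0, SYSTEM_MANDATORY_LABEL_NO_WRITE_UP, low_sid))
        goto out;

    /* Step 4: attach the SACL. No DACL is set here, so the creator token's default DACL
     * applies; a production pipe should also set a DACL naming only the intended client. */
    if (!InitializeSecurityDescriptor(&sd, SECURITY_DESCRIPTOR_REVISION) ||
        !SetSecurityDescriptorSacl(&sd, TRUE, sacl, FALSE))
        goto out;

    pipe = CreateNamedPipeW(pipe_name, PIPE_ACCESS_DUPLEX,
                            PIPE_TYPE_BYTE | PIPE_READMODE_BYTE | PIPE_WAIT,
                            1, 4096, 4096, 0, &sa);
out:
    /* The descriptor is copied into the kernel object at creation, so free both now. */
    if (low_sid) LocalFree(low_sid);
    if (sacl) LocalFree(sacl);
    return pipe;
}
#endif
```

Lowering the label only removes the integrity barrier; the DACL check is unchanged, so the Low IL client must still be granted access by the pipe's DACL, and any other Low IL process on the machine can now open the pipe as well. That is the trade-off behind making this opt-in rather than the default.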

Member

oleavr commented Nov 5, 2015

w00t, awesome! Feel like submitting a PR?

Author

poxyran commented Nov 6, 2015

@oleavr Before submitting a PR I need to test that code and see if everything is working as expected. Just give me some time :)

Member

oleavr commented Nov 6, 2015

You rock! 💪

Member

oleavr commented Dec 30, 2015

Implemented in a95a5e6.

@oleavr oleavr closed this as completed Dec 30, 2015
Author

poxyran commented Dec 31, 2015

Thanks Ole! I'll test it out.
