Presentation is loading. Please wait.

Presentation is loading. Please wait.

Aaron Margosis Principal Consultant Microsoft Corporation SESSION CODE: WCL301.

Published byKerry Bailey Modified over 8 years ago

Similar presentations

Presentation on theme: "Aaron Margosis Principal Consultant Microsoft Corporation SESSION CODE: WCL301."— Presentation transcript:

1 Aaron Margosis Principal Consultant Microsoft Corporation SESSION CODE: WCL301

2

3

4 (*) Names of apps and vendors have been removed to protect the guilty

5

6

7

8

9

10

11

12

13 Process Kernel32.dllKernel32.dll CreateFileWimplementationCreateFileWimplementation Shim DLL CorrectFilePathsimplementationCorrectFilePathsimplementation App.exeApp.exe IAT CreateFile IAT CreateFile IAT CreateFile IAT CreateFile IAT CreateFile IAT CreateFile IAT CreateFile IAT CreateFile IAT CreateFile IAT CreateFile IAT CreateFile IAT CreateFile

14 API FamilyIntercepted APIs CreateProcess Routines (4) CreateProcess[AW], WinExec, ShellExecute[AW], ShellExecuteEx[AW] Profile (Ini-File) Routines (8) GetPrivateProfileInt[AW], GetPrivateProfileSection[AW], GetPrivateProfileSectionNames[AW], GetPrivateProfileString[AW], GetPrivateProfileStruct[AW], WritePrivateProfileSection[AW], WritePrivateProfileString[AW], WritePrivateProfileStruct[AW] File Routines (22) CopyFile[AW], CopyFileEx[AW], CreateDirectory[AW], CreateDirectoryEx[AW], CreateFile[AW], DeleteFile[AW], FindFirstFile[AW], FindFirstFileEx[AW], GetBinaryType[AW], GetFileAttributes[AW], GetFileAttributesEx[AW], SetFileAttributes[AW], GetTempFileName[AW], GetLongPathName[AW], MoveFile[AW], MoveFileEx[AW], MoveFileWithProgress[AW], RemoveDirectory[AW], SetCurrentDirectory[AW], OpenFile, _lopen, _lcreat ShellLink Routines (4) IShellLink[AW]::SetPath, IShellLink[AW]::SetArguments, IShellLink[AW]::SetIconLocation, IPersistFile::Save LoadImage Routines (1) LoadImageA

15

16

17

18

19

20

21

22

23

24

25

26

27 What is the Springboard Series? To the IT pro, our goal is Be the definitive resource for Desktop IT pros Open, honest; show don’t tell Information at right time, right level across Adoption Lifecycle Inside of Microsoft we are A turnkey IT pro engagement platform for depth and breadth The program to mobilize MS marketing and field to focus on desktop OS IT pros DEPLOYPILOTMANAGEEXPLOREDISCOVER one-Windows TechCenter in 10 languages Virtual Roundtable Events Springboard Technical Experts Panel Event Support and Resources Straight-talk Monthly Feature Articles and Overview Guides TalkingAboutWindows Video Blogs

28 www.microsoft.com/teched www.microsoft.com/learning http://microsoft.com/technet http://microsoft.com/msdn

29

30 Sign up for Tech·Ed 2011 and save $500 starting June 8 – June 31 st http://northamerica.msteched.com/registration You can also register at the North America 2011 kiosk located at registration Join us in Atlanta next year

31

32

33

34 Windows APIs Kernel32 Kernel32 User32 User32 Advapi32 Advapi32 OleAut32 OleAut32 … Windows APIs Kernel32 Kernel32 User32 User32 Advapi32 Advapi32 OleAut32 OleAut32 … AppY.exe v 2.3.4.5 Windows loads app. Checks AppCompat DB(s). Match found: Selected API calls intercepted and modified. AppY.exe v 2.3.4.5

35 Problem Type Symptoms Invalid Windows version check Says “This app requires Windows XP” Admin rights issue Says “Requires admin rights”, or Fails non-elevated, works elevated (Caveat about testing elevated) Security configuration Works when Group Policy or security template setting is removed New platform Works with Windows Classic theme

36 Problem Type Shim Bad Windows version checks Version Lie Shims (e.g., WinXPSP3VersionLie) Writing to HKCR at runtime VirtualizeHKCRLite Unnecessary checks for “am I admin?” ForceAdminAccess Writing to WRP-protected keys and files WRPMitigationWRPDllRegisterWRPRegDeleteKey Windows thinks your app is an installer SpecificNonInstaller Writing to protected folder and registry locations CorrectFilePathsVirtualRegistry Using kernel object in global space LocalMappedObject

37

Download ppt "Aaron Margosis Principal Consultant Microsoft Corporation SESSION CODE: WCL301."

Similar presentations

Death of Security: Breached Hosts/Stolen Data/IP Espionage

Death of Security: Breached Hosts/Stolen Data/IP Espionage
Don Jones Senior Partner and Technologist Concentrated Technology, LLC SESSION CODE: WCL308.

Don Jones Senior Partner and Technologist Concentrated Technology, LLC SESSION CODE: WCL308.
Dean Paron Product Unit Manager Microsoft Corporation SESSION CODE: WSV335 © 2010 Microsoft Corporation. All rights reserved.

Dean Paron Product Unit Manager Microsoft Corporation SESSION CODE: WSV335 © 2010 Microsoft Corporation. All rights reserved.
Joey Snow Technical Evanglist Microsoft Corporation SESSION CODE: WSV310.

Joey Snow Technical Evanglist Microsoft Corporation SESSION CODE: WSV310.
Jason Tolley Technical Director ROK Technology Pty Ltd SESSION CODE: WEM305.

Jason Tolley Technical Director ROK Technology Pty Ltd SESSION CODE: WEM305.
Marc Shepard Principal Program Manager Lead Microsoft Corporation SESSION CODE: WCL203.

Marc Shepard Principal Program Manager Lead Microsoft Corporation SESSION CODE: WCL203.
Jay Ferron- Global Knowledge Jeremy Chapman - Microsoft Corporation SESSION CODE: WCL201.

Jay Ferron- Global Knowledge Jeremy Chapman - Microsoft Corporation SESSION CODE: WCL201.
Raymond P.L. Comvalius IT Infrastructure Specialist Invendows BV – The Netherlands SESSION CODE: WCL310.

Raymond P.L. Comvalius IT Infrastructure Specialist Invendows BV – The Netherlands SESSION CODE: WCL310.
Sometimes it is the stuff you know that hinders true progress.

Sometimes it is the stuff you know that hinders true progress.
Jeremy Chapman Stephen RoseBruce Jones Senior Product Manager Senior Marketing ManagerDeployment Services Architect Microsoft Corporation Microsoft CorporationMicrosoft.

Jeremy Chapman Stephen RoseBruce Jones Senior Product Manager Senior Marketing ManagerDeployment Services Architect Microsoft Corporation Microsoft CorporationMicrosoft.
Anthony (A.J.) Smith Senior Product Manager Microsoft Corporation SESSION CODE: WCL307.

Anthony (A.J.) Smith Senior Product Manager Microsoft Corporation SESSION CODE: WCL307.
The Secrets of Effective Technical Talks: How to Explain Tech without Tucking Them In! Presented by Mark Minasi and Mark Russinovich SESSION CODE: SIA334.

The Secrets of Effective Technical Talks: How to Explain Tech without Tucking Them In! Presented by Mark Minasi and Mark Russinovich SESSION CODE: SIA334.
Ashwin Sarin Program Manager Microsoft Corporation SESSION CODE: COS204.

Ashwin Sarin Program Manager Microsoft Corporation SESSION CODE: COS204.
Maciej Pilecki Consultant, SQL Server MVP Project Botticelli Ltd. SESSION CODE: DAT403.

Maciej Pilecki Consultant, SQL Server MVP Project Botticelli Ltd. SESSION CODE: DAT403.
Boris Jabes Senior Program Manager Microsoft Corporation SESSION CODE: DEV319 Scale & Productivity in Visual C++ 2010.

Boris Jabes Senior Program Manager Microsoft Corporation SESSION CODE: DEV319 Scale & Productivity in Visual C
Peter Provost Sr. Program Manager Microsoft Corporation SESSION CODE: DEV403.

Peter Provost Sr. Program Manager Microsoft Corporation SESSION CODE: DEV403.
Joe SchulmanAdrienne WuProgram ManagerMicrosoft Corporation SESSION CODE: SIA319.

Joe SchulmanAdrienne WuProgram ManagerMicrosoft Corporation SESSION CODE: SIA319.
END USER TOOLS AND PERFORMANCE MANAGEMENT APPS Excel PerformancePoint Svcs/ProClarity BI PLATFORM SQL Server Reporting Services SQL Server Reporting Services.

END USER TOOLS AND PERFORMANCE MANAGEMENT APPS Excel PerformancePoint Svcs/ProClarity BI PLATFORM SQL Server Reporting Services SQL Server Reporting Services.
Janssen Jones Virtual Machine MVP Indiana University SESSION CODE: VIR403.

Janssen Jones Virtual Machine MVP Indiana University SESSION CODE: VIR403.
Mark Russinovich Technical Fellow Microsoft Corporation *Portions derived from David Solomon’s Windows Internals Seminar SESSION CODE: WCL402.

Mark Russinovich Technical Fellow Microsoft Corporation *Portions derived from David Solomon’s Windows Internals Seminar SESSION CODE: WCL402.

Similar presentations

Ads by Google