VX Heavens

Infecting Winlogon

Ratter
29a [6]
March 2002

Abstract

You've probably tried to open the winlogon process via the OpenProcess API with write access requested. And you've probably failed :) Why? Winlogon is one of the main Win32 subsystem components and is therefore protected from being modified by other user-mode processes. Like the other subsystem components, it runs with system privileges, and that's why it's very interesting for us.

Imagine a situation: your virus is run under a normal user's security context, but you're still allowed to modify winlogon. What does that mean for you (apart from being able to turn off SFP and install a password trojan :))? Everything run inside the winlogon process (i.e. also your remote thread) runs with system privileges, which are equal to the administrator's. So put everything in your virus that needs admin rights into a remote thread in winlogon and you'll win :)

So the key question is: how do you make the system let you modify winlogon and the other Win32 subsystem components? Afaik there are two user-mode ways to achieve it.
