Archive for November 2014

Taking a memory dump of a Protected process on windows 8.1

Let’s imagine we’d like to inspect the memory of the SCM (services.exe) process for some reason, the best option would be taking a memory dump. However, since Windows 8.1, a hindrance was added in doing this and most other actions that touch that process, and a few other system processes. That hindrance is called Protected processes.

Introduction to protected processes

The goal of protected processes is adding another layer of protection between regular user processes (even those running as administrator) and some system processes. It started for mostly DRM related processes at Windows Vista and at Windows 8.1 it extended to other system processes. Probably the most important one is the security related process lsass.exe because its compromise may lead to the compromise of a domain network. The protection is manifested by the fact that regular (not protected) processes are unable to perform most actions on protected processes, and that includes taking a memory dump.

That system isn’t completely sealed yet: for obvious reasons the protection isn’t enforced in kernel mode and there exist few signed drivers who can help regular processes to bypass some of the protection, since regular processes running as an administrator can launch drivers.

What makes a process protected during its runtime is a field in the EPROCESS kernel structure: it used to be a bit field named ProtectedProcess since Vista, and as a few protection options were added in 8.1 it changed to a byte sized structure field named Protection. You can strip the protection of a protected process or turn a regular process into a protected one by modifying this field, which would also allow it to access a protected process.

For more in depth info on protected processes you can read this series, and this post (updated to Vista) which also displays the method of taking a memory dump of a protected process in Vista. I’ll use a similar method but adjusted to the 8.1 EPROCESS structure changes.

Taking a memory dump of a protected process

We start with local kernel debugging, let’s assume we want to take the memory dump of services.exe with Task Manager (TaskMgr.exe).

We first need to get the offset of the Protection field:

0: kd> dt _EPROCESS -y Protection
nt!_EPROCESS
+0x67a Protection : _PS_PROTECTION


Next we want to check the protection of services.exe to adjust Task Manager’s protection to it (simply setting its protection field to a non-zero value may not be enough as there is some isolation between different types of protected processes, more on this in the series I linked above), so we’ll find its EPROCESS address:

0: kd> !process 0 0 services.exe 
PROCESS ffffe0001a644900
SessionId: 0 Cid: 0304 Peb: 7ff65bf4c000 ParentCid: 0298
DirBase: 1520e1000 ObjectTable: ffffc00088b4ad80 HandleCount: <Data Not Accessible>
Image: services.exe


Now we can dump its Protection field:

0: kd> dt _PS_PROTECTION ffffe0001a644900+0x67a
nt!_PS_PROTECTION
+0x000 Level : 0x61 'a'
+0x000 Type : 0y001
+0x000 Audit : 0y0
+0x000 Signer : 0y0110


Now let’s find Task Manager’s EPROCESS location:

0: kd> !process 0 0 TaskMgr.exe 
PROCESS ffffe0001d489080
SessionId: 1 Cid: 1b20 Peb: 7ff65480f000 ParentCid: 0418
DirBase: 17ad18000 ObjectTable: ffffc0009f0a9380 HandleCount: <Data Not Accessible>
Image: Taskmgr.exe


Before we change its protection let’s check its current value:

0: kd> dt _PS_PROTECTION ffffe0001d489080+0x67a
nt!_PS_PROTECTION
+0x000 Level : 0 ''
+0x000 Type : 0y000
+0x000 Audit : 0y0
+0x000 Signer : 0y0000


So there’s no protection, Now we can adjust it to the protection of services.exe:

0: kd> eb ffffe0001d489080+0x67a 0x61


Finally we can use the right click menu to create a dump of services.exe:image

Posted in: , by . No comments