Let us start by saying: I do not recommend making a virus or a program with ill intent. This post is just to raise awareness of the potential threat your PC may face and how you could learn from it. I am not responsible for any damages caused by abusing or trying to hijack such programs.
Well, let's begin by explaining why this is a somewhat big issue. I know that viruses and the like have been abusing system programs forever now, and I would still say that this is quite shocking. Mostly due to the fact that system programs such as lsass.exe, csrss.exe and a few other minor programs hold handles with full access/permissions to pretty much every program run by the user or by the OS. This should set off a lot of red flags. A virus which has injected itself into a system program can gain pretty much full control of your PC without you even knowing it. Yes, there are Anti Viruses which try to strip handle permissions for things like csrss and lsass from programs run by users, to avoid a potential attack. However, sad to say, a few of the top Anti Viruses that I tested simply do not bother protecting those programs (Windows 7 x64). I am fully aware that Windows 8.1 and up has an "Anti-Malware" "feature?" which protects system processes. Remember that Windows below 8.1 does not include this feature.
Grabbing A Handle
So, we now know that these two system programs, csrss and lsass, hold handles which have full permissions/access to pretty much all programs. There are quite a few ways of getting at one; one such way is simply going through the list of handles the program holds and filtering it until you reach a handle of your choice. Note that there are things which will not allow you to duplicate the handle: callbacks registered through ObRegisterCallbacks can strip permissions from a handle, or block the duplication entirely. This callback is one of the reasons why abusing system programs is so attractive, as you can get a handle without it being stripped by an Anti Virus driver or something else that is not allowing you to gain full access to the handle. Note that you do need SeDebugPrivilege to be able to inject into a system program; you also need to manually map into it, or it will most likely be blocked.
Problems You Could Encounter
Remember the feature that tries to protect system programs? Yes, this plays quite a role in not allowing you to inject into a system program. This can be bypassed, like pretty much everything else. Other problems: trying to make a GUI or an overlay will not work, not even a simple message box. This is due to the fact that programs such as lsass and csrss run in something called "Session 0". Session 0 is reserved for services, other non-interactive applications and important processes, to "protect" them and "isolate" them from the rest of the programs. Last thing to note: since these programs are important, if your dll somehow hits a runtime error or just crashes, bringing the hijacked program down with it, your PC will need to be restarted.
Well, so you might ask: how do I even use the handle if I can't properly interact with lsass or csrss? Simple enough: you can make a program which runs in session 1 or higher and communicates with the program that holds the handle permissions, using things such as named pipes, RPC or Windows sockets. You can even create a thread in lsass which waits for requests from your program to do something. So let's say I wanted to make an injector which uses lsass's handles: I inject into lsass, wait for a request containing the process id and dll path, then either inject right away or wait for the process to start.
To start off, it is extremely hard to know whether something has injected into lsass or not. Your best bet for really defending yourself is an Anti Virus which simply does not allow random programs to inject into system programs. Also, make sure to think twice before running something with admin rights. If you are on Windows 8 and above with a decent Anti Virus, you should be fine. Other things, such as watching for named pipes that suddenly appear from programs such as lsass and csrss, should cause some alarm.
If you really need a message box of some sort to confirm that the dll has been injected, you may use WTSSendMessageA, which works the same way as a message box but can reach the interactive session from Session 0.
So, let's just recap a bit. System programs hold handles and permissions to basically all programs and can do pretty much anything with them. Remember that they are also system programs, so they run with pretty high privileges. Viruses often use these programs to get a handle to an Anti Virus and simply terminate it, or just suspend a few of its threads. Note that some Anti Viruses do not allow programs to simply inject into programs such as lsass, and even go as far as stripping the permissions needed to inject. Other than that, that's pretty much it.
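As an added example of the two checks mentioned above (it is not part of the original post), this PowerShell script flags modules loaded into lsass/csrss that are not validly Microsoft-signed and lists named pipes missing from a baseline. It assumes an elevated prompt, Windows 8 or later so that catalog-signed system DLLs validate, and the `$baselinePipes` list is a constructed placeholder to be replaced with one captured from a clean machine.

```powershell
# Added example, not code from the original post. Run elevated.
$targets = 'lsass', 'csrss'

function Test-SystemProcessModules {
    # Warn on any loaded module that is unsigned, tampered, or not signed by Microsoft.
    # Manually mapped code will not show up here; this only catches conventionally loaded DLLs.
    foreach ($name in $targets) {
        foreach ($proc in Get-Process -Name $name -ErrorAction SilentlyContinue) {
            try { $modules = $proc.Modules } catch {
                Write-Warning "Cannot enumerate modules of $name (PID $($proc.Id)): $_"; continue
            }
            foreach ($mod in $modules) {
                $sig = Get-AuthenticodeSignature -FilePath $mod.FileName
                $subject = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
                if ($sig.Status -ne 'Valid' -or $subject -notmatch 'Microsoft') {
                    Write-Warning "$name PID $($proc.Id): suspicious module $($mod.FileName) (status=$($sig.Status))"
                }
            }
        }
    }
}

function Test-NamedPipeBaseline {
    # Constructed placeholder baseline: replace with the pipe names captured on a clean host.
    $baselinePipes = @('lsass', 'ntsvcs', 'srvsvc', 'wkssvc', 'spoolss')
    $prefix = '\\.\pipe\'
    $pipes = [System.IO.Directory]::GetFiles($prefix) | ForEach-Object { $_.Substring($prefix.Length) }
    foreach ($pipe in $pipes) {
        if ($pipe -notin $baselinePipes) {
            # A new pipe is only a lead; confirm which process owns it with Sysinternals handle.exe.
            Write-Output "Pipe not in baseline: $pipe"
        }
    }
}

Test-SystemProcessModules
Test-NamedPipeBaseline
```

On Windows 7, Get-AuthenticodeSignature does not validate catalog-signed files, so most system DLLs will report NotSigned and the module check produces false positives there.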