|
|
|
|
|
|
by zvrba
2640 days ago
|
|
|
Weird approach by Huawei. If you want a program to stay up and running, you write a windows service; autostart with restart for recovery in case of crash. The service process can set its own DAC so that only SYSTEM can open its handle, hence the process in inaccessible/unkillable to ordinary users, even administrators. The knowledge needed to do so is far less than what is needed to pull the hack that Huawei did. So to quote another user: > Problem: any well written exploit will be designed to look like a mistake. and given the above, I'm inclined to believe that this was meant as a deniable exploit ("honest mistake"). What I wrote above is what I miss in the MS's analysis. There are cleaner and simpler ways to achieve what Huawei tried to accomplish. I would be astonished that the person(s) having knowledge to write a kernel driver don't know about DACLs and how to use them to prevent tampering with a process. EDIT: The article does end with guidelines. However, I'd be more happy if MS explicitly wrote "They should have done THIS (using exising, well-documented, UM only OS functionality) instead to achieve their goal." |
|
|
Considering the physical memory mapping stuff, I wouldn't be surprised if the service doesn't have some roles firmware should have had - for example ensuring the battery charger is stopped when the battery is fully charged to prevent a fire.