Didier Stevens

Tuesday 5 September 2006

Playing with utilman.exe, The Motion Picture

Filed under: Hacking — Didier Stevens @ 10:00

14 Comments »

  1. I think you will find there is a good audience and a large hunger for security/admin related video demos and such. :) I know I sponge them up like nothing else, and I see regular requests on mailing lists and in blog comments as well… and there tend to not be so many of them around. Grab a webcam or digital video camera or even just Camtasia (screen capture) and a distribution path, and you’ll be set! IronGeek is an excellent current example, and people like me with The Broken would get revived…

    (Yes, I’ve long thought about it, but I have enough going on in life right now, that I can’t devote to it. :) )

    Comment by LonerVamp — Wednesday 6 September 2006 @ 15:48

  2. I like your idea, and I’m rediscovering IronGeek.

    Comment by Didier Stevens — Friday 8 September 2006 @ 16:46

  3. I found another way of replacing utilman.exe without doing the BartPE or the utilities from Sysinternals. If you go to the folder C:\windows\system32\dllcache and replace the utilman.exe with the fake one, and then replace the one in the System32 folder, then on startup it will prompt the user that files have been changed. But if you are using this to gain access to the desktop, then as soon as you log in you can ignore it and you’ll never see it again.

    Comment by Matt — Wednesday 29 November 2006 @ 20:49

  4. Thanks Matt, I’ll try this.

    Comment by Didier Stevens — Wednesday 29 November 2006 @ 20:56

  5. So you first have to have administrator rights to modify the system before you can exploit it in person for this tutorial?

    Comment by MR_FLIBBLE — Thursday 1 February 2007 @ 6:57

  6. Indeed, this is an example of a backdoor, not privilege escalation.

    Comment by Didier Stevens — Thursday 1 February 2007 @ 7:46

  7. Hi there, thank you for that truly cool trick.
    I want to suggest a kind of technique to backdoor the system without modifying any file.

    Here is a very interesting registry key:
    HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options

    Using it you could easily backdoor a system.
    Just create a key there named utilman.exe and a string value in it named Debugger. The value of this parameter is the path to the file you want to launch instead of utilman.exe.

    Finally it’ll look like:

    Windows Registry Editor Version 5.00

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\utilman.exe]
    "Debugger"="\"C:\\windows\\notepad.exe\""

    So notepad will be launched instead of utilman.exe.

    Best Regards, Sp00f

    Comment by sp0x0f3d_1p — Thursday 22 March 2007 @ 15:05

  8. I’ll have to try this. We use this key to debug programs, but it didn’t occur to me to use it for utilman. Your example with notepad will launch notepad on the services desktop, so you will not see it on your desktop.

    Comment by Didier Stevens — Saturday 24 March 2007 @ 7:39

  9. Yeah, I know, but you have already shown how to write a launcher to attach a process to the current desktop. So the main goal of the technique I described is to run the attack without rebooting and overwriting system files, so you don’t have to bypass any Windows File Protection. And more: if it’s impossible to get the launcher onto the target system, it’s possible to override the call of utilman and pass some arguments to our intercepting program (cmd, for example) and run something.
    But in most cases we will be able to deliver the launcher to the target system. And even more: if you patch a DLL or overwrite utilman, and after that the target checks system integrity, you will be detected. If you use debugger interception, nothing will break system integrity, because using that registry key is legal from the point of view of most AV and other security software.
    But if you still want to break WFP you could use a more stealthy technique. We assume that you already have admin rights on the target system, so you could easily bypass WFP, again without modifying any DLL: you just have to OpenProcess() winlogon and cut its handles to c:\windows (dir), c:\windows\system32 (dir) and dllcache (dir), and now until the next reboot WFP will be blind to your activity, and after rebooting it will not detect that you changed something.
    Waiting for your comments.
    Best regards, Sp00f.
    PS I’m going to write a small program utilizing the technique described; I could send it to you if you are interested.

    Comment by sp0x0f3d_1p — Monday 26 March 2007 @ 6:14

  10. Looks interesting. If you do make the prog, please send it to me.

    Comment by Didier Stevens — Tuesday 27 March 2007 @ 20:30

  11. I’ve been a regular viewer here for a little while but missed this one. What an intriguing trick!

    Like you, I’ve been thinking a little laterally. There are plenty of articles around about disabling WFP, either temporarily or permanently, but what about *adding* a file to WFP? I realise that the appropriate file will have to be put into the cache, but I foresee problems editing %systemroot%\sfcfiles.dll. When utilman.exe entries are zeroed, the length of %systemroot%\sfcfiles.dll remains the same but the CRC must be changed and I can understand that. However, if I wanted to add myfile.exe to %systemroot%\sfcfiles.dll, I’d have to add it several times and that will increase the length of %systemroot%\sfcfiles.dll. Will that matter? I don’t have a spare “lab” PC at present to play around and I don’t feel inclined to use my working PC!

    I don’t have any need for adding myfile.exe to WFP, I just put my brain into gear and let it run: “how does WFP really work?” and “what else can be done?”.

    Regards

    Dave

    Comment by Dave — Wednesday 27 June 2007 @ 18:30

  12. Very interesting idea. The length of sfcfiles.dll doesn’t necessarily have to increase. You see, there is a bit of spare room in PE files. The size of each section in a PE file is rounded (up to the nearest 0x100 multiple, if I remember correctly). So on average, you’ll have 128 bytes of spare room to add your file.

    Comment by Didier Stevens — Thursday 28 June 2007 @ 20:26
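To see how much room that rounding actually leaves, here is an added Python example (not code from the page or its commenters). It builds a small two-section PE32 image in memory, reads the rounding granularity from the optional header's FileAlignment field (the PE specification's default is 0x200, so the per-section slack is set by that field rather than by a fixed 0x100), computes each section's on-disk slack as SizeOfRawData minus VirtualSize, checks whether the slack bytes are all zero, and shows that writing a payload into the slack leaves the file length unchanged. The PE bytes and the payload are constructed here; a section whose VirtualSize exceeds its SizeOfRawData (uninitialised data) has no slack at all, and the code treats it that way.

```python
"""Measure and use PE section slack (added example; the PE image is constructed)."""
import struct


def build_sample_pe():
    """Construct a minimal, non-runnable PE32 image with two sections (test data)."""
    file_align = 0x200
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                     # e_lfanew -> PE header at 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, 0xE0, 0x102)  # i386, 2 sections, 224-byte opt hdr
    opt = bytearray(0xE0)
    struct.pack_into("<H", opt, 0, 0x10B)                        # PE32 magic
    struct.pack_into("<I", opt, 32, 0x1000)                      # SectionAlignment
    struct.pack_into("<I", opt, 36, file_align)                  # FileAlignment: the rounding unit
    struct.pack_into("<I", opt, 60, 0x200)                       # SizeOfHeaders
    # name, VirtualSize (bytes actually used), VirtualAddress, SizeOfRawData (rounded up), PointerToRawData, flags
    sections = [(b".text", 0x1A0, 0x1000, 0x200, 0x200, 0x60000020),
                (b".data", 0x310, 0x2000, 0x400, 0x400, 0xC0000040)]
    hdrs = b"".join(struct.pack("<8sIIIIIIHHI", n, vs, va, rs, rp, 0, 0, 0, 0, ch)
                    for n, vs, va, rs, rp, ch in sections)
    image = bytearray(0x800)
    image[:0x40] = dos
    image[0x40:0x44] = b"PE\0\0"
    image[0x44:0x58] = coff
    image[0x58:0x138] = opt
    image[0x138:0x138 + len(hdrs)] = hdrs
    for _, vs, _, _, rp, _ in sections:
        image[rp:rp + vs] = b"\xCC" * vs   # the "used" part; the rest of each raw block is padding
    return bytes(image)


def parse_sections(pe):
    """Return (FileAlignment, [section dicts]) with each section's on-disk slack."""
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[:2] != b"MZ" or pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file")
    nsec = struct.unpack_from("<H", pe, e_lfanew + 6)[0]
    opt_size = struct.unpack_from("<H", pe, e_lfanew + 20)[0]
    file_align = struct.unpack_from("<I", pe, e_lfanew + 24 + 36)[0]
    out, off = [], e_lfanew + 24 + opt_size
    for _ in range(nsec):
        name, vs, va, rs, rp = struct.unpack_from("<8sIIII", pe, off)
        out.append({"name": name.rstrip(b"\0").decode(), "virtual_size": vs,
                    "raw_size": rs, "raw_ptr": rp,
                    "slack": rs - vs if rs > vs else 0,      # no slack for .bss-style sections
                    "aligned": rs % file_align == 0})
        off += 40
    return file_align, out


def slack_regions(pe):
    """(file offset, length) of each section's padding beyond its VirtualSize."""
    return [(s["raw_ptr"] + s["virtual_size"], s["slack"])
            for s in parse_sections(pe)[1] if s["slack"]]


def slack_is_clean(pe):
    """True when every padding region is all zero bytes; non-zero slack deserves a look."""
    return all(not any(pe[o:o + n]) for o, n in slack_regions(pe))


def hide_in_slack(pe, payload):
    """Write payload into the first padding region that fits, leaving the file size unchanged."""
    for off, n in slack_regions(pe):
        if len(payload) <= n:
            buf = bytearray(pe)
            buf[off:off + len(payload)] = payload
            return bytes(buf)
    raise ValueError("payload does not fit in any section's slack")


if __name__ == "__main__":
    pe = build_sample_pe()
    fa, secs = parse_sections(pe)
    print(f"FileAlignment=0x{fa:x}")
    for s in secs:
        print(f"{s['name']:8} raw=0x{s['raw_size']:x} used=0x{s['virtual_size']:x} slack={s['slack']} bytes")
    patched = hide_in_slack(pe, b"hidden")
    print(f"length before={len(pe)} after={len(patched)} clean={slack_is_clean(patched)}")
```

As Dave notes above, an unchanged length is not an unchanged checksum: every byte written into slack still alters the file's hash, so a catalog or CRC comparison would still catch the edit even though a size check would not.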

  13. Very interesting, but I don’t agree with you.
    Idetrorce

    Comment by Idetrorce — Saturday 15 December 2007 @ 10:58

  14. Can anyone help with how to get this to work with regedit?

    Comment by Thim — Monday 16 June 2008 @ 15:24
