Didier Stevens

Thursday 17 November 2011

Hotfix For SRP/AppLocker Bypass

Filed under: Windows 7 — Didier Stevens @ 10:53

Remember Microsoft has features to bypass its own Software Restriction Policies and AppLocker: Circumventing SRP and AppLocker, By Design and Circumventing SRP and AppLocker to Create a New Process, By Design.

Microsoft has issued a hotfix for this bypass: KB2532445

It is only for Windows 7 and Windows Server 2008 R2 though, it will not help you if you use SRP on Windows XP or Vista.

Thanks to @mount_knowledge.

Circumventing SRP and AppLocker, By Design

5 Comments »

  1. Cool. Have you looked at the hotfix to see what the changed behaviour is?

    Comment by olleB — Friday 18 November 2011 @ 13:57

  2. @olleB I’ve tested my PoCs with a beta version of the hotfix, their actions were blocked by SRP/AppLocker.

    Comment by Didier Stevens — Friday 18 November 2011 @ 17:35

  3. Didier,

    Do you know if microsoft solved this issue in Windows 8?

    Kind Regards
    DFT

    Comment by DFT — Wednesday 31 October 2012 @ 11:40

  4. @DFT I don’t think Microsoft considers this an issue, and that it was not included in Windows 8.

    Comment by Didier Stevens — Wednesday 31 October 2012 @ 19:57

  5. […] here: Microsoft Article ID: 2532445 Credit to security researcher Didier Stevens for his blogs on this subject.Remember the key idea behind Software Restriction Policy: your non-Administrator accounts (or […]

    Pingback by How to Block Installation Software Using GPO – Tech News — Monday 25 July 2016 @ 5:13


RSS feed for comments on this post. TrackBack URI

Leave a Reply (comments are moderated)

This site uses Akismet to reduce spam. Learn how your comment data is processed.

Blog at WordPress.com.