Press Play to Restart: Under the Hood of the Windows Restart Manager

Presented at REcon 2023, June 10, 2023, 2 p.m. (60 minutes)

From the early days of operating systems, malware authors have attempted to hijack legitimate OS components for malicious purposes, which makes it essential to identify and understand the potential threats they represent. Today, let’s explore one uncommonly hijacked Windows component: the Restart Manager. Introduced in Windows Vista, the Restart Manager aims to reduce the number of reboots required during software updates. During an update, the files that need to be updated may be locked by various applications, preventing the process responsible for the update from modifying them. The Restart Manager lets a process request that the locks on the resources it needs be released, killing the processes that are using them if the required conditions are met. However, this mechanism can be hijacked by third parties to serve malicious purposes. This talk will first introduce the Restart Manager, diving into its architecture and mechanisms to provide a better understanding of how the component works. We’ll observe a legitimate use of the Restart Manager by an installer and detail what happens under the hood. Next, we’ll look at real-world examples to see how the Restart Manager can also be used for several malicious purposes, and will explain the rationale behind each technique. Then, we’ll play around with the different functionalities of the Restart Manager in a live demo, and will explore one funny use case. Finally, we will conclude the presentation by presenting some of the methods that processes can use to defend themselves against this type of threat.

Presenters:

  • Mathilde Venault
    Mathilde Venault is a security researcher at CrowdStrike, specializing in the Windows operating system. Her work focuses on malware analysis and improving EDR detection capabilities, and she also likes spending her spare time reverse engineering undocumented Windows mechanisms. Mathilde has spoken at multiple conferences such as Black Hat USA and c0c0n, and has published articles sharing her findings. As a typical French person, she's always up for sharing a meal with some bread and cheese.
