Bypassing the Secure Desktop Protections

Presented at THOTCON 0x6 (2015), May 14, 2015, 5:30 p.m. (25 minutes)

The Secure Desktop is a feature of Windows API that creates a separated desktop to run programs/processes. This feature doesn't allow processes or programs running in other desktops to capture keystrokes or screen. The Secure Desktop's primary difference from the User Desktop is that only trusted processes running as SYSTEM are allowed to run here (i.e. nothing running at the user's privilege level) and the path to get to the Secure Desktop from the User Desktop must also be trusted through the entire chain. Because of the main feature provided by the Secure Desktop, a lot of applications are developed using this protection, trying to avoid malware to interact with the user input (KeyLoggers) or screen (ScreenLoggers) and that way providing a secure environment for that application, where the main objective is protecting the final user from those well-known attacks. Like every feature, if it isn't well implemented, it can provide a fake security sensation. If an application is running in a secure desktop, using some tricks, an attacker is able to "escape the sandbox" and run malicious programs into the secure desktop where this approach will bypass the "Desktop Isolation Protection," allowing those malicious programs to capture the keystrokes or screen. The main goal of this talk is to present some real world examples that use secure desktop and show how to sniff the keystrokes or screen capture in the secured desktops, bypassing the main feature of Windows secure desktop. We will also discuss some possible solutions/workarounds that developers can apply into their software to avoid our attack.


Presenters:

  • Marcio Almeida de Macedo
    Marcio Almeida is a Security Consultant within the Application Security practice at Trustwave's SpiderLabs. He has a Master Degree (UFPE) focusing in Web Application Security and has more than seven years of experience hacking stuff in app & net penetration tests. Marcio also is a Crypto Geek, E-Music Lover and a little bit crazy (who isn't?! :-P). He has previously spoken at BlackHat Regional Summit, You Sh0t the Sheriff, PasswordsCon Las Vegas, Ekoparty and Alligator Security Conference.
  • Bruno Oliveira
    Bruno Gonçalves de Oliveira is a MSc candidate at UTFPR, computer engineer and senior security consultant at Trustwave’s SpiderLabs where his duties are mostly focused in offensive security, doing hundreds of penetration tests from common systems and environments to embedded and uncommon devices. Bruno loves german fast cars (a.k.a BMWs), good ol' Jack and also stout/ale beers. Previously spoken at Black Hat SP, Ekoparty, PasswordCon, AppSec USA, THOTCON, SOURCE Boston, Black Hat DC, SOURCE Barcelona, DEFCON, Hack In The Box, ToorCon, You Sh0t the Sheriff and H2HC.

Similar Presentations: