Analyzing Privileges Flashcards
SeBackupPrivilege
This grants read access to any file on the file system, regardless of its specified ACL. Attackers can leverage this privilege to copy locked files.
SeDebugPrivilege
This grants the ability to read or write to another process’ private memory space. It allows malware to bypass the security boundaries that typically isolate processes. Practically all malware that performs code injection from user mode relies on enabling this privilege.
SeLoadDriverPrivilege
This grants the ability to load or unload kernel drivers.
SeChangeNotifyPrivilege
This allows the caller to register a callback function that gets executed when specific files and directories change. Attackers can use this to determine immediately when one of their configuration or executable files is removed by antivirus or administrators.
SeShutdownPrivilege
This allows the caller to reboot or shut down the system. Some infections, such as those that modify the MBR, don’t activate until the next time the system boots. Thus, you’ll often see malware trying to manually speed up the procedure by invoking a reboot.
Handle
A reference to an open instance of a kernel object, such as a file, registry key, mutex, process, or thread. Handles can be used to determine what process was reading or writing a particular file, what process accessed one of the registry run keys, and which process mapped remote file systems. A pointer to a _FILE_OBJECT is placed in a handle table and an index is returned.
_EPROCESS.ObjectTable
Points to a handle table (_HANDLE_TABLE). The structure has a TableCode that specifies the number of levels in the table and points to the base address of the first level.
_HANDLE_TABLE - TableCode
specifies the number of levels in the table and points to the base address of the first level.
_HANDLE_TABLE - QuotaProcess
A pointer to the process to which the handle table belongs. It can come in handy if you find handle tables using the pool-scanning approach rather than following the ObjectTable pointer.
_HANDLE_TABLE - HandleTableList
A linked list of process handle tables in kernel memory. You can use it to locate other handle tables, potentially even those for processes that have been unlinked from the process list.
_HANDLE_TABLE - HandleCount
The total number of handle table entries that are currently in use by the process. (Removed starting in Windows 8 and Server 2012)
_HANDLE_TABLE_ENTRY
Indexes in _HANDLE_TABLE contain _HANDLE_TABLE_ENTRY structures if they’re in use; otherwise, they’re zeroed out.
_HANDLE_TABLE_ENTRY -> Object
This member points to the _OBJECT_HEADER of the corresponding object. Its type, _EX_FAST_REF, is a special data type that combines the reference count information into the least significant bits of the pointer.
_HANDLE_TABLE_ENTRY -> GrantedAccess
A bit mask that specifies the granted access rights (read, write, delete, synchronize, etc.) that the owning process has obtained for the object.
PID 1544
Process ID for cmd.exe