IRC Log Viewer » #firebreath » 2010-12-23

IRC Nick Time (GMT-7) Message
neilg_ 11:12 So... has anybody had any luck launching processes from IE in protected mode? We're struggling at that right now, we've read all the (limited amount of) documentation and, in theory, it should work. But doesn't!
nitrogenycs 11:12 it works for me :)
taxilian 13:12 neilg_: it's always worked for me too
neilg_ 13:12 Yes, you can launch them as low-integrity - but not medium-integrity
Not without some specialized code
:(
taxilian 13:12 neilg_: it's always worked for me
did you add the registry key?
to flag the process as okay to launch in medium?
nitrogenycs 13:12 neilg_: Did my code help?
neilg_ 13:12 Yep, it's added
nitrogenycs: I guess not, it works perfectly for launching processes at low-integrity but gives error 1314 when calling SetTokenInformation when requesting medium-integrity
nitrogenycs 13:12 neilg_: I've never seen that, it has always worked for me
are you sure about your registry key?
can you export the relevant portion into a .reg file and upload it somewhere/send it by mail to me?
taxilian 13:12 you guys know you can copy the .rgs file to your plugin dir and customize it, right?
nitrogenycs 13:12 what rgs file?
neilg_ 13:12 It's not on my machine, it's on my colleague's - but it seems like it has nothing to do with the registry at that point. That should only come into play when calling CreateProcessAsUser (and without the key it would bring up the UAC prompt). At least from what I've read. The fact it's failing there is incredibly weird - but perhaps because he's on Windows 7 64-bit?
nitrogenycs 13:12 I am on win7 64-bit too
taxilian 13:12 shouldn't matter; I've done it on all versions of windows (vista and on)
nitrogenycs 13:12 what error message is connected with 1314?
and I found the rgs file. I suppose back when I ran fbgen it wasn't part of the system :)
no, forget about that. fbgen doesn't even use it
neilg_: you are not the only one it seems: http://social.msdn.microsoft.com/Forums/en-US/windowssecurity/thread/e0cab182-0aa9-422c-bcc3-259d761d43b7/
neilg_ 13:12 It's really strange
nitrogenycs 13:12 did your sysadmin set up some strange protection?
neilg_ 13:12 I don't think he did. I'm trying to find a solution too since I'm the one who found out that we could do this through IE... only to be blocked at this point. Doh! :)
taxilian 13:12 neilg_: I don't have the code anymore (previous job), but I don't remember ever needing to call SetTokenInformation
IIRC, I just launched the process and it launched in medium integrity because the info was in the registry
neilg_ 14:12 Just to be sure, you're talking about the registry keys as referred to here? http://msdn.microsoft.com/en-us/library/bb250462(v=vs.85).aspx#wpm_elebp
taxilian 14:12 neilg_: lol. I was about to send you that link: http://msdn.microsoft.com/en-us/library/bb250462%28v=vs.85%29.aspx#wpm_elebp
neilg_ 14:12 Or HKLM\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{Some GUID}
taxilian 14:12 just FYI you can put that in HKCU as well
neilg_ 14:12 Yup, we have that (in both the Wow6432Node and the other)
taxilian 14:12 you shouldn't need to do that
just put it in the normal place
let windows figure out the registry virtualization stuff
if you try to second guess it you'll probably end up shooting yourself in the toe
neilg_ 14:12 How did you execute it then? Use CreateProcess() or CreateProcessAsUser() or some other way?
taxilian 14:12 I *think* it was CreateProcess
but as I said I don't have the code anymore :-/
brb
neilg_ 14:12 Hmm. I'm fairly sure that's what Matt (my colleague) did in the first place but I'll pass the info on just to be sure. Thanks!
taxilian 14:12 I might be able to find more info, but not for a few more weeks
neilg_ 14:12 Aha!
It now works
nitrogenycs 14:12 what was it?!
neilg_ 14:12 Turns out that it was because he was passing in the path to the program in the first parameter (lpApplicationName) which works in all instances EXCEPT when you're in low-integrity mode. For it to work properly you have to pass the path as the *second* argument (lpCommandLine)
(I suspect passing it into both arguments is also fine)
Looks like the registry magic only occurs through the command line argument though
It's documented as "The lpCommandLine parameter can be NULL. In that case, the function uses the string pointed to by lpApplicationName as the command line."
That isn't the case in low-integrity processes it appears
nitrogenycs 14:12 hey, my code had that right :)
neilg_ 14:12 I bet it did too (I honestly didn't look, I just forwarded the email) but I think he'd read so much saying that you had to do it that way that he was looking at the wrong function!
nitrogenycs 14:12 you are right though, the documentation does not mention anything
except that the "The lpApplicationName parameter can be NULL, in which case the executable name must be the first white space-delimited string in lpCommandLine" part appears under "Security Remarks"
probably they chose to ignore the deprecated looking applicationName in this security sensitive context
gotta love those dark corners of the win32 api :)
neilg_ 14:12 My (educated) guess is that IE redirects calls to CreateProcess but doesn't obey the documentation for the _real_ CreateProcess and just uses the second parameter
It explains a lot. Thank you both for your help, he's very excited now and I'm pleased that we finally have a plugin that works properly across all the popular Windows browsers!
neilg_ 15:12 Well, Merry Christmas to everybody. I'll probably be out of here until the new year. Thanks again for everybody's help today!
kylehuff 15:12 Merry Christmas neilg_