BATTLE OF SKM AND IUM
blackhat2015
TRUSTLET POLICY / IUM POLICY METADATA
• When a Trustlet loads, it must have a Trustlet Policy associated with it
• Stored in a variable called s_IumPolicyMetadata, which must be exported
• Must be located in a PE section called “.tpolicy”, which must be IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ
• The Trustlet Policy contains a version (must be 1) and the Trustlet ID of the process
• This must match the Secure Process process attribute that was passed to CreateProcess
• The rest of the policy contains entries for different kinds of features that the Trustlet is allowed to use
• EtwAllowed – Sets flag 0x20 in the SKPROCESS structure
• Blob is saved at offset 0xC0 in SKPROCESS, to be checked later
• Options include DebugEnabled, CrashdumpEnabled, CrashdumpKeyGuid, CrashdumpKey
• Checked at runtime by SkpspFindPolicy
  • SkpsIsProcessDebuggingAllowed, SkpsIsProcessDumpEnabled, SkpsGetTrustletCrashdumpKey
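As an added illustration (not code from the talk or from Windows), a C validator that mirrors the load-time checks listed above: version must be 1, the Trustlet ID must equal the CreateProcess attribute, and each option entry is mapped to process state (EtwAllowed to flag 0x20). The byte layout, option numbering and function names are assumptions, not the real s_IumPolicyMetadata encoding.

```c
/* Added example, not from the talk: a validator modelled on the load-time checks
 * above. Byte layout, option numbers and names are ASSUMED, not the real format. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#define SKPROCESS_FLAG_ETW_ALLOWED 0x20u /* flag value named on the slide */
/* Assumed option kinds, one per option the slide enumerates. */
enum { OPT_ETW_ALLOWED = 1, OPT_DEBUG_ENABLED, OPT_CRASHDUMP_ENABLED,
       OPT_CRASHDUMP_KEY_GUID, OPT_CRASHDUMP_KEY };
/* Assumed layout: u32 version | u64 trustlet id | u32 count | count x (u32 option, u32 value) */
enum { HDR_LEN = 16, ENTRY_LEN = 8 };
struct policy_view { uint32_t skprocess_flags; bool debug_enabled, crashdump_enabled; };
static uint32_t rd32(const uint8_t *p) { uint32_t v; memcpy(&v, p, 4); return v; }
static uint64_t rd64(const uint8_t *p) { uint64_t v; memcpy(&v, p, 8); return v; }

/* 0 = accepted; a negative code says which check rejected the policy. */
int check_trustlet_policy(const uint8_t *blob, size_t len, uint64_t expected_id,
                          struct policy_view *out)
{
    memset(out, 0, sizeof *out);
    if (len < HDR_LEN) return -1;                        /* truncated header */
    if (rd32(blob) != 1) return -2;                      /* version must be 1 */
    if (rd64(blob + 4) != expected_id) return -3;        /* must match the CreateProcess attribute */
    uint32_t count = rd32(blob + 12);
    if (count > (len - HDR_LEN) / ENTRY_LEN) return -4;  /* entries would overrun the blob */
    for (uint32_t i = 0; i < count; i++) {
        const uint8_t *e = blob + HDR_LEN + (size_t)i * ENTRY_LEN;
        uint32_t option = rd32(e), value = rd32(e + 4);
        switch (option) {
        case OPT_ETW_ALLOWED: if (value) out->skprocess_flags |= SKPROCESS_FLAG_ETW_ALLOWED; break;
        case OPT_DEBUG_ENABLED: out->debug_enabled = value != 0; break;
        case OPT_CRASHDUMP_ENABLED: out->crashdump_enabled = value != 0; break;
        case OPT_CRASHDUMP_KEY_GUID: case OPT_CRASHDUMP_KEY: break; /* key material: used by the dump path */
        default: return -5;                              /* unknown option: reject, do not ignore */
        }
    }
    return 0;
}

/* Builds a constructed sample blob in the assumed layout; returns its length. */
size_t build_sample_policy(uint8_t *buf, uint32_t version, uint64_t id,
                           const uint32_t *opts, const uint32_t *vals, uint32_t n)
{
    memcpy(buf, &version, 4); memcpy(buf + 4, &id, 8); memcpy(buf + 12, &n, 4);
    for (uint32_t i = 0; i < n; i++) {
        memcpy(buf + HDR_LEN + i * ENTRY_LEN, &opts[i], 4);
        memcpy(buf + HDR_LEN + i * ENTRY_LEN + 4, &vals[i], 4);
    }
    return HDR_LEN + (size_t)n * ENTRY_LEN;
}
```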