BATTLE OF SKM AND IUM
blackhat2015
TRUSTLET ALPC ENDPOINT CONNECTIONS
• Each Trustlet can create its own ALPC / RPC Endpoints
• For example, the LSA Trustlet (LSAISO.EXE) creates LSA_ISO_RPC_SERVER
• However, when a Trustlet crashes, the Windows Error Reporting Service (WER) creates a special on-demand ALPC port, \IUM_TRUSTLET_DUMP_SERVER
• The SK connects to this port (SkpAlpcConnectWerPort) whenever a Trustlet crashes and sends it the Trustlet's encrypted pages
• The pages are sent via SkpAlpcSendReceiveWer as:
  • One start message
  • N chunk messages
  • One end message
• WER writes the encrypted pages to disk as IUM-name-date-time-pid.dmp
• One could arguably use this interface from a Trustlet as a way to write arbitrary files to disk, but the location/name is somewhat limited (and what lands on disk is the SK-encrypted page data, not Trustlet-chosen plaintext)
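The start / N chunk / end exchange above, modelled end to end as an added example (this is not code from the talk or from Windows). The real transport is the \IUM_TRUSTLET_DUMP_SERVER ALPC port and the real message layouts are not on the page, so the message dictionaries, field names, the NAME_RE naming rule, the injected clock and the WerDumpServer / send_crash_dump names are all assumptions chosen to show two things a practitioner cares about: the receiver drives the state machine (start before chunk, chunk count as announced, end closes the session), and the receiver, not the sender, decides the dump's directory and filename, which is why the "arbitrary file write" on the last bullet is limited in location and name.

```python
"""Model of the SK -> WER Trustlet crash-dump exchange (added illustration).

Assumptions (not from the slides): message shapes, the IUM-name-date-time-pid.dmp
naming rule enforced here, and the injected clock used so output is reproducible.
The chunk payloads stand in for the SK-encrypted pages and are treated as opaque bytes.
"""
import os
import re
import tempfile
from dataclasses import dataclass, field

# Assumed message kinds; the real ALPC message IDs are not on the page.
MSG_START, MSG_CHUNK, MSG_END = "start", "chunk", "end"

# Receiver-side rule (assumption): the Trustlet name embedded in the dump file
# name must be a plain identifier, so a sender cannot inject path separators.
NAME_RE = re.compile(r"^[A-Za-z0-9_]{1,32}$")


@dataclass
class DumpSession:
    name: str
    pid: int
    expected_chunks: int
    chunks: list = field(default_factory=list)


class WerDumpServer:
    """Receiver side: enforces start -> chunk* -> end and owns the output path."""

    def __init__(self, dump_dir, clock):
        self.dump_dir = dump_dir
        self.clock = clock          # callable returning (date, time) strings
        self.session = None

    def handle(self, msg):
        kind = msg["kind"]
        if kind == MSG_START:
            if self.session is not None:
                raise ValueError("start while a dump is already in progress")
            if not NAME_RE.match(msg["name"]):
                raise ValueError("rejected trustlet name: %r" % msg["name"])
            if not isinstance(msg["pid"], int) or msg["pid"] <= 0:
                raise ValueError("bad pid")
            self.session = DumpSession(msg["name"], msg["pid"], msg["chunks"])
            return None
        if self.session is None:
            raise ValueError("%s message without a preceding start" % kind)
        if kind == MSG_CHUNK:
            if len(self.session.chunks) >= self.session.expected_chunks:
                raise ValueError("more chunks than announced in start")
            if msg["index"] != len(self.session.chunks):
                raise ValueError("out-of-order chunk")
            self.session.chunks.append(bytes(msg["data"]))
            return None
        if kind == MSG_END:
            s, self.session = self.session, None
            if len(s.chunks) != s.expected_chunks:
                raise ValueError("end before all announced chunks arrived")
            date, time = self.clock()
            # The receiver composes the name; the sender only influenced <name> and <pid>.
            fname = "IUM-%s-%s-%s-%d.dmp" % (s.name, date, time, s.pid)
            path = os.path.join(self.dump_dir, fname)
            with open(path, "wb") as f:
                f.write(b"".join(s.chunks))
            return path
        raise ValueError("unknown message kind %r" % kind)


def send_crash_dump(server, name, pid, pages, chunk_size=4096):
    """Sender side, standing in for SkpAlpcSendReceiveWer: one start, N chunks, one end."""
    blob = b"".join(pages)
    chunks = [blob[i:i + chunk_size] for i in range(0, len(blob), chunk_size)]
    server.handle({"kind": MSG_START, "name": name, "pid": pid, "chunks": len(chunks)})
    for i, c in enumerate(chunks):
        server.handle({"kind": MSG_CHUNK, "index": i, "data": c})
    return server.handle({"kind": MSG_END})


def _fresh_server(dump_dir=None):
    dump_dir = dump_dir or tempfile.mkdtemp(prefix="wer-iumdump-")
    return WerDumpServer(dump_dir, clock=lambda: ("20150805", "101500"))


def rejects(msg_sequence, dump_dir=None):
    """Feed a message sequence to a fresh server; True if the receiver refused it."""
    server = _fresh_server(dump_dir)
    try:
        for m in msg_sequence:
            server.handle(m)
    except ValueError:
        return True
    return False


def demo(dump_dir=None):
    """Constructed sample: two opaque 4 KiB 'encrypted pages' from a crashed Trustlet."""
    server = _fresh_server(dump_dir)
    pages = [b"\xaa" * 4096, b"\x55" * 4096]
    path = send_crash_dump(server, "LsaIso", 1234, pages, chunk_size=4096)
    with open(path, "rb") as f:
        data = f.read()
    return {"path": path, "basename": os.path.basename(path), "data": data}


if __name__ == "__main__":
    print(demo()["basename"])
```

The point of the model is where the trust boundary sits: the sender supplies the page bytes, the Trustlet name and the pid, and the receiver refuses anything that is not a plain identifier and composes the path itself, which is exactly the "location/name is somewhat limited" constraint on the slide.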