Hi @ll, Windows 8 and newer versions (Windows 7 and Windows Server 2008 R2 with KB2532445 or KB3125574 installed too) don't allow unprivileged callers to circumvent AppLocker and SAFER rules via LoadLibraryEx(TEXT("<arbitrary DLL>"), NULL, LOAD_IGNORE_CODE_AUTHZ_LEVEL); See <https://msdn.microsoft.com/en-us/library/ms684179.aspx> and <https://support.microsoft.com/kb/2532445> | LOAD_IGNORE_CODE_AUTHZ_LEVEL 0x00000010 | | If this value is used, the system does not check AppLocker rules | or apply Software Restriction Policies for the DLL. This action | applies only to the DLL being loaded and not to its dependencies. | This value is recommended for use in setup programs that must | run extracted DLLs during installation. | | Windows Server 2008 R2 and Windows 7: | On systems with KB2532445 installed, the caller must be running | as "LocalSystem" or "TrustedInstaller"; otherwise the system | ignores this flag. Unprivileged users can but bypass AppLocker or SAFER alias Software Restriction Policies via STARTUPINFO si = {sizeof(STARTUPINFO)}; PROCESS_INFORMATION pi = {0}; CreateProcess(TEXT("<arbitrary exe>"), NULL, NULL, NULL, FALSE, CREATE_PRESERVE_CODE_AUTHZ_LEVEL, NULL, NULL, &si, &pi); on ALL versions from Windows XP to Windows 10! See <https://msdn.microsoft.com/en-us/library/ms684863.aspx> | CREATE_PRESERVE_CODE_AUTHZ_LEVEL 0x02000000 | | Allows the caller to execute a child process that bypasses the | process restrictions that would normally be applied automatically | to the process. Mitigation: ~~~~~~~~~~~ Create an "AppCert.Dll" that exports CreateProcessNotify and set the following registry entry [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\AppCertDlls] "AppCert.Dll"="<path>\AppCert.Dll" ... Note: AppCertDlls are loaded at the first call of one of the CreateProcess*() functions. Process creation is denied if one of them returns STATUS_UNSUCCESSFUL from its CreateProcessNotify() routine when called with the flag PROCESS_CREATION_QUERY. --- APPCERT.C --- #pragma comment(linker, "/DLL") #ifdef _WIN64 #pragma comment(linker, "/EXPORT:CreateProcessNotify,PRIVATE") #else #pragma comment(linker, "/EXPORT:CreateProcessNotify=_CreateProcessNotify@8,PRIVATE") #endif #pragma comment(linker, "/NOENTRY") #include <windows.h> #define PROCESS_CREATION_QUERY 1L #define PROCESS_CREATION_ALLOWED 2L #define PROCESS_CREATION_DENIED 3L NTSTATUS NTAPI CreateProcessNotify(LPCWSTR lpApplicationName, ULONG ulReason) { NTSTATUS ntStatus = STATUS_SUCCESS; switch (ulReason) { case PROCESS_CREATION_QUERY: // called once for each process that is to be created // return STATUS_SUCCESS to allow process creation or // return STATUS_UNSUCCESSFUL to deny process creation if (forbidden(lpApplicationName)) ntStatus = STATUS_UNSUCCESSFUL; break; case PROCESS_CREATION_ALLOWED: // called once for each process that is allowed creation ... break; case PROCESS_CREATION_DENIED: // called once for each process that is denied creation ... break; default: ; } // the return value is only used for PROCESS_CREATION_QUERY, // all other conditions are ignored return ntStatus; } --- EOF --- stay tuned Stefan Kanthak Timeline: ~~~~~~~~~ 2017-03-10 sent vulnerability report to vendor 2017-03-10 reply from vendor: MSRC case 37727 opened 2017-03-13 reply from vendor: product team is working on case 2017-03-21 reply from vendor: "The product team has finished their investigation and determined this will be serviced in a future version of Windows. AppLocker bypasses are not serviced via monthly security roll-ups; only major version updates." 2017-03-21 <https://support.microsoft.com/kb/2532445> but serviced a bypass with a hotfix which was incorporated in later security updates and is included in the "convenience" rollup <https://support.microsoft.com/en-us/kb/3125574> 2017-03-21 reply from vendor: "If you want this fixed immediately and are an enterprise customer you'll need to work with your Account Manager to open a support case." 2017-03-21 report published