googleprojectzero / sandbox-attacksurface-analysis-tools

Set of tools to analyze Windows sandboxes for exposed attack surface.
Apache License 2.0

Get-AccessibleWnf: Access denied errors #78

Closed leechristensen closed 3 months ago

leechristensen commented 3 months ago

Running Get-AccessibleWnf results in an access denied error when running as a lower-privileged user:

Get-AccessibleWnf : (0xC0000022) - {Access Denied}
A process has requested access to an object, but has not been granted those access rights.

The exception's stacktrace shows the following:

PS C:\> error[0].Exception.StackTrace
   at NtApiDotNet.NtObjectUtils.CreateResult[T](NtStatus status, Boolean throw_on_error, Func`2 create_func, Action`1 error_func) in C:\code\sandbox-attacksurface-analysis-tools\NtApiDotNet\NtObjectUtils.cs:line 566
   at NtApiDotNet.NtObjectUtils.CreateResult[T](NtStatus status, Boolean throw_on_error, Func`1 create_func) in C:\code\sandbox-attacksurface-analysis-tools\NtApiDotNet\NtObjectUtils.cs:line 533
   at NtApiDotNet.NtWnf.Query[T](UInt64 state_name, WnfStateNameInformation info_class, Boolean throw_on_error) in C:\code\sandbox-attacksurface-analysis-tools\NtApiDotNet\NtWnf.cs:line 0
   at NtApiDotNet.NtWnf.get_SubscribersPresent() in C:\code\sandbox-attacksurface-analysis-tools\NtApiDotNet\NtWnf.cs:line 310
   at NtObjectManager.Cmdlets.Accessible.WnfAccessCheckResult..ctor(NtWnf wnf, AccessMask granted_access, SecurityDescriptor sd, TokenInformation token_info) in C:\code\sandbox-attacksurface-analysis-tools\NtObjectManager\Cmdlets\Accessible\WnfAccessCheckResult.cs:line 42
   at NtObjectManager.Cmdlets.Accessible.GetAccessibleWnfCmdlet.RunAccessCheck(IEnumerable`1 tokens) in C:\code\sandbox-attacksurface-analysis-tools\NtObjectManager\Cmdlets\Accessible\GetAccessibleWnfCmdlet.cs:line 74
   at NtObjectManager.Cmdlets.Accessible.CommonAccessBaseCmdlet.ProcessRecord() in C:\code\sandbox-attacksurface-analysis-tools\NtObjectManager\Cmdlets\Accessible\CommonAccessBaseCmdlet.cs:line 282
   at System.Management.Automation.CommandProcessor.ProcessRecord()

I worked around it temporarily by setting this code to not throw errors, but don't know how much that changes expected behavior elsewhere:

public bool SubscribersPresent => Query<int>(StateName, WnfStateNameInformation.SubscribersPresent, false).Result != 0;
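The caveat with the workaround above is that `NtResult<T>.Result` is `default(T)` when the call fails, so with `throw_on_error` set to `false` a `STATUS_ACCESS_DENIED` (0xC0000022) reads as `0` and the property reports "no subscribers present", which is not the same as "unknown" for an attack-surface audit run as a low-privileged user. The following is an added illustration, not code from the project or from this issue; `NtStatus` and `NtResult<T>` here are minimal stand-ins for the NtApiDotNet types of the same name, and the WNF names in the sample data are constructed:

```csharp
// Added illustration: why reading .Result of a failed query hides access-denied results.
using System;
using System.Collections.Generic;

// Stand-in for NtApiDotNet.NtStatus (only the two values this example needs).
enum NtStatus : uint
{
    STATUS_SUCCESS = 0x00000000,
    STATUS_ACCESS_DENIED = 0xC0000022, // the status reported in the issue
}

// Stand-in for NtApiDotNet.NtResult<T>: a status plus a Result that is default(T) on failure.
sealed class NtResult<T>
{
    public NtStatus Status { get; }
    public T Result { get; }
    public bool IsSuccess => Status == NtStatus.STATUS_SUCCESS;
    public NtResult(NtStatus status, T result) { Status = status; Result = result; }
}

static class WnfSubscribers
{
    // Mirrors the workaround: throw_on_error=false, then Result != 0.
    // On STATUS_ACCESS_DENIED, Result is default(int) == 0, so this silently reports false.
    public static bool WorkaroundSubscribersPresent(NtResult<int> query) =>
        query.Result != 0;

    // Three-state version: null means "could not determine". A denied query is reported
    // as unknown rather than being folded into "no subscribers".
    public static bool? SubscribersPresentOrUnknown(NtResult<int> query)
    {
        if (query.IsSuccess) return query.Result != 0;
        if (query.Status == NtStatus.STATUS_ACCESS_DENIED) return null;
        throw new InvalidOperationException($"WNF query failed: 0x{(uint)query.Status:X8}");
    }

    static void Main()
    {
        // Constructed sample results (hypothetical state names, not real WNF names):
        // one state readable with a subscriber, one state the caller may not query.
        var samples = new Dictionary<string, NtResult<int>>
        {
            ["WNF_SAMPLE_READABLE"] = new NtResult<int>(NtStatus.STATUS_SUCCESS, 1),
            ["WNF_SAMPLE_DENIED"]   = new NtResult<int>(NtStatus.STATUS_ACCESS_DENIED, 0),
        };

        foreach (var kv in samples)
        {
            bool workaround = WorkaroundSubscribersPresent(kv.Value);
            string threeState = SubscribersPresentOrUnknown(kv.Value)?.ToString() ?? "unknown";
            Console.WriteLine($"{kv.Key}: workaround={workaround} three-state={threeState}");
        }
        // WNF_SAMPLE_DENIED prints workaround=False three-state=unknown: the workaround
        // understates the attack surface, the three-state form flags it for a privileged re-run.
    }
}
```

Keeping the status alongside the boolean lets an audit separate "verified no subscribers" from "could not check from this token", which is the distinction that matters when the whole point of the scan is to find what a low-privileged user can reach.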

tyranid commented 3 months ago

Thx.