Windows 11 issue

[l-o-l]

Thanks for making this, it’s an extremely useful tool. There appears to be a problem with windows 11 however, where lsass.exe crashes after the first intercept. Is this likely to be a problem with frida?

[l-o-l]

OK, the problem is with new windows 11 security features. I took the shotgun approach to turn everything off, and it starts working. I'll drill down into what exactly needs to be disabled to hook lsass.exe/ncrypt.dll.

[ngo]

Hey @l-o-l, thanks for testing out the tool! I haven't yet had a chance to test win11, so your report on whether it functions properly and what security features need to be turned off would be really valuable.

I'm also really curious to see if tls1.3 session resumption was finally implemented or not (see https://b.poc.fun/decrypting-schannel-tls-part-2/#2-schannel-and-tls-13-session-resumption), and also whether there have been any changes in the APIs that broke the tool.

[l-o-l]

OK, so the minimal change required to get this working on windows 11 (on my machine at least) is the following:

settings->privacy & security->windows security->app&browser control->exploit protection settings

create a new entry under “program settings” for lsass.exe override “hardware-enforced stack protection” (should be set to off)

[l-o-l]

I have tested with wireshark and rdp, and everything is working fine. How to test tls1.3 session resumption?

[ngo]

Thanks for letting me know the results! The setup to test session resumption in tls1.3 is a little bit cumbersome, I had to patch the SSLWrappers code to do that.

Let's start by just checking the tls1.3 works at all. To do that you'll just need to invoke the following powershell: Invoke-WebRequest -SslProtocol Tls13 -uri https://tls13.akamai.io/

And see if this traffic is decryptable in wireshark.

[l-o-l]

tls1.3 works fine using wireshark and the powershell you supplied.

As for session resumption, does [MS-TLSP]: Appendix A: Product Behavior | Microsoft Docshttps://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-tlsp/55bb474d-3770-4037-8798-81b2fedf578a imply that this is simply not supported? [https://docs.microsoft.com/en-us/media/logos/logo-ms-social.png]https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-tlsp/55bb474d-3770-4037-8798-81b2fedf578a [MS-TLSP]: Appendix A: Product Behavior | Microsoft Docshttps://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-tlsp/55bb474d-3770-4037-8798-81b2fedf578a

<2> Section 2.2: [RFC5077] is not supported in Windows XP, through Windows 7 clients and Windows Server 2003 through Windows Server 2008 R2.Only the client side of [RFC5077] is supported in Windows 8 and Windows Server 2012. [RFC7301] is not supported by Windows XP through Windows 8 clients and Windows Server 2003 through Windows Server 2012. docs.microsoft.com ________________________________ From: ngo ***@***.***> Sent: Wednesday, 22 December 2021 22:31 To: ngo/win-frida-scripts ***@***.***> Cc: l-o-l ***@***.***>; Manual ***@***.***> Subject: Re: [ngo/win-frida-scripts] Windows 11 issue (Issue #2) Thanks for letting me know the results! The setup to test session resumption in tls1.3 is a little bit cumbersome, I had to patch the SSLWrappers code to do that. Let's start by just checking the tls1.3 works at all. To do that you'll just need to invoke the following powershell: Invoke-WebRequest -SslProtocol Tls13 -uri https://tls13.akamai.io/ And see if this traffic is decryptable in wireshark. — Reply to this email directly, view it on GitHub, or unsubscribe. Triage notifications on the go with GitHub Mobile for iOS or Android. You are receiving this because you are subscribed to this thread.Message ID: ***@***.***>

[ngo]

Great to hear! The RFC5077 reference is related to tls1.0 and tls1.1 only. Tls1.2/1.3 specs include session resumption in the main spec (rfc8446 for tls1.3, sections 2.2 and 4.6.1).

The problem with testing session resumption behavior is that for schannel session resumption is attempted only if two invocations of schannel apis share the same context data. This is usually true for browsers, but not true, for example, for successive Invoke-WebRequest calls in powershell. And windows currently does not have a schannel-based browser that supports tls13 (ie11 does not support tls1.3, and all other browsers including edge are chromium-based and use openssl).

For testing I used a modified SSLWrappers Demo (you can download my version here: poc.fun/sslwrappers.7z), which performs two connections in a row that share the credentials structure - for tls1.2 this resulted in session resumption (on win 10 2004), but for tls1.3, in my tests, it did not.

I did the test as follows:

PS C:\tools\schannel\sslwrappers.works\Debug> .\SSLWrappersDemo.exe 0 tls13.akamai.io 443

Just for the reference, a client that attempts session resumption will have the pre_shared_key extension in their ClientHello message, as seen on the screenshot below:

This screenshot was obtained by going to tls13.akamai.io via firefox (it uses openssl, which indeed supports tls13 session resumption).

So the test that need to be performed here would be as follows:

1. Start wireshark's traffic dump and lsasslkeylog
2. Run the SSLWrappersDemo.exe as specified above
3. Make sure that both HTTP requests are decrypted correctly
4. Check the second ClientHello to see if pre_shared_key extension is present (and also that tls1.3 is used -- wireshark will show tls1.3 in the Protocol column)

[ngo]

OK, so the minimal change required to get this working on windows 11 (on my machine at least) is the following:

settings->privacy & security->windows security->app&browser control->exploit protection settings

create a new entry under “program settings” for lsass.exe override “hardware-enforced stack protection” (should be set to off)

I've added this to the readme.

[l-o-l]

Raymond history

Get Outlook for iOShttps://aka.ms/o0ukef

---

From: ngo @.> Sent: Thursday, December 23, 2021 6:06:45 PM To: ngo/win-frida-scripts @.> Cc: l-o-l @.>; Manual @.> Subject: Re: [ngo/win-frida-scripts] Windows 11 issue (Issue #2)

OK, so the minimal change required to get this working on windows 11 (on my machine at least) is the following:

settings->privacy & security->windows security->app&browser control->exploit protection settings

create a new entry under “program settings” for lsass.exe override “hardware-enforced stack protection” (should be set to off)

I've added this to the readme.

— Reply to this email directly, view it on GitHubhttps://na01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fgithub.com%2Fngo%2Fwin-frida-scripts%2Fissues%2F2%23issuecomment-1000090916&data=04%7C01%7C%7Cc97946f5c34845fd90b608d9c5e2c860%7C84df9e7fe9f640afb435aaaaaaaaaaaa%7C1%7C0%7C637758400083684084%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000&sdata=fHNPQrlJlKzObWp9mcYk%2FQfZNwRFBd0YUiWrJ%2FaYJS8%3D&reserved=0, or unsubscribehttps://na01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fgithub.com%2Fnotifications%2Funsubscribe-auth%2FAAXN6Z4KJRLETJS7JC45LLTUSLDALANCNFSM5KPF6IZA&data=04%7C01%7C%7Cc97946f5c34845fd90b608d9c5e2c860%7C84df9e7fe9f640afb435aaaaaaaaaaaa%7C1%7C0%7C637758400083684084%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000&sdata=eC82qIlgOLJT%2FxATB2z%2BA7%2BiT4omB4j08Uo9P2UfJiY%3D&reserved=0. Triage notifications on the go with GitHub Mobile for iOShttps://na01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fapps.apple.com%2Fapp%2Fapple-store%2Fid1477376905%3Fct%3Dnotification-email%26mt%3D8%26pt%3D524675&data=04%7C01%7C%7Cc97946f5c34845fd90b608d9c5e2c860%7C84df9e7fe9f640afb435aaaaaaaaaaaa%7C1%7C0%7C637758400083694084%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000&sdata=nmD8dVaxIHakjQOrX1OdyJI2WfUcuMbpajtiNL7mVFs%3D&reserved=0 or Androidhttps://na01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fplay.google.com%2Fstore%2Fapps%2Fdetails%3Fid%3Dcom.github.android%26referrer%3Dutm_campaign%253Dnotification-email%2526utm_medium%253Demail%2526utm_source%253Dgithub&data=04%7C01%7C%7Cc97946f5c34845fd90b608d9c5e2c860%7C84df9e7fe9f640afb435aaaaaaaaaaaa%7C1%7C0%7C637758400083704076%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000&sdata=EPuIGrjdvqMUJRKlIhzGPnu3BMEd08zSWv9ZV1D9Vzc%3D&reserved=0. You are receiving this because you are subscribed to this thread.Message ID: @.***>

[K4CZP3R]

Disabling hw stack protection does not solve it for me. I'm still getting PS C:\Users\kacpe\Documents\dev\test1> frida-trace lsass.exe Failed to attach: unexpected error allocating memory in target process (VirtualAlloc returned 0x00000005)

[dougbenham]

I'm encountering Failed to attach: unexpected error allocating memory in target process (VirtualAlloc returned 0x00000005) on Windows 10 21H1.. Very strange. Anyone have any ideas?

[ngo]

I've seen reports (https://github.com/frida/frida-python/issues/159) suggesting that this error might be related to using python of wrong bitness. Could you please check if you are using 32bit python and, if so, try using 64bit?

[dougbenham]

Sadly I already swapped from 64 bit python to 32 bit and back to 64 to test if that was the issue.

[l-o-l]

Have you tried turning everything off under

settings->privacy & security->windows security->app&browser control->exploit protection setting for lsass.exe?

That's how I started. Just turn it all off to see if it's the general issue.

Get Outlook for iOShttps://aka.ms/o0ukef

---

From: Doug @.> Sent: Monday, September 12, 2022 5:46:45 PM To: ngo/win-frida-scripts @.> Cc: l-o-l @.>; Manual @.> Subject: Re: [ngo/win-frida-scripts] Windows 11 issue (Issue #2)

Sadly I already swapped from 64 bit python to 32 bit and back to 64 to test if that was the issue.

— Reply to this email directly, view it on GitHubhttps://nam12.safelinks.protection.outlook.com/?url=https%3A%2F%2Fgithub.com%2Fngo%2Fwin-frida-scripts%2Fissues%2F2%23issuecomment-1243344797&data=05%7C01%7C%7C1da322a88f564fd4aec908da9492f17a%7C84df9e7fe9f640afb435aaaaaaaaaaaa%7C1%7C0%7C637985656095641456%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sdata=Sco2laPXmhCftSj%2B0dHSO4gTcWsTD0yJvKeJ889sYNs%3D&reserved=0, or unsubscribehttps://nam12.safelinks.protection.outlook.com/?url=https%3A%2F%2Fgithub.com%2Fnotifications%2Funsubscribe-auth%2FAAXN6Z4SDCSV7IXP2ILX52DV53NWLANCNFSM5KPF6IZA&data=05%7C01%7C%7C1da322a88f564fd4aec908da9492f17a%7C84df9e7fe9f640afb435aaaaaaaaaaaa%7C1%7C0%7C637985656095797711%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sdata=9b3HZVMPQt2QryrjUuADwClExfOXnCmfhQBp%2FJvibgA%3D&reserved=0. You are receiving this because you are subscribed to this thread.Message ID: @.***>

[ngo]

FWIW, I've just tested frida-trace on a fresh win11 vm - and it works without a hitch. This is probably due to the fact that virtualization-based security is not enabled (because this is a vm) - e.g. "app&browser control" is completely missing in my Defender settings.

[dougbenham]

I turned off all the protections for lsass.exe and restarted my machine. Still same result. Also checked here to see if Credential Guard is running: But nothing..

[dougbenham]

See #4 for solution

[l-o-l]

Fantastic! Hopefully this will help someone else out with the same issue.

Virus scanners, the most insidious malware of all.

Get Outlook for iOShttps://aka.ms/o0ukef

---

From: Doug @.> Sent: Tuesday, September 13, 2022 6:51:59 AM To: ngo/win-frida-scripts @.> Cc: l-o-l @.>; Manual @.> Subject: Re: [ngo/win-frida-scripts] Windows 11 issue (Issue #2)

Right before throwing in the towel and reinstalling Windows I decided to look into Avast some more. I have been running my tests with Avast shields fully disabled but figured there might be something more.. Turns out they have LSA protection that runs even when you turn off all the "protection shields": [image]https://nam12.safelinks.protection.outlook.com/?url=https%3A%2F%2Fuser-images.githubusercontent.com%2F5466350%2F189756057-9a05b74d-c30e-4342-8e97-827981e43aae.png&data=05%7C01%7C%7C2223d919c1aa4267144408da9500a37b%7C84df9e7fe9f640afb435aaaaaaaaaaaa%7C1%7C0%7C637986127218815080%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sdata=PoDWQRQBnv0oSyR6f355oJxLCEu9NZTlBO53DTMek1o%3D&reserved=0

Disabling this finally allows me to attach to lsass.exe!

— Reply to this email directly, view it on GitHubhttps://nam12.safelinks.protection.outlook.com/?url=https%3A%2F%2Fgithub.com%2Fngo%2Fwin-frida-scripts%2Fissues%2F2%23issuecomment-1244450670&data=05%7C01%7C%7C2223d919c1aa4267144408da9500a37b%7C84df9e7fe9f640afb435aaaaaaaaaaaa%7C1%7C0%7C637986127218815080%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sdata=wxmlTolvHmqL7gNJakXtq9l643XTunEjeuiC8nrnDHg%3D&reserved=0, or unsubscribehttps://nam12.safelinks.protection.outlook.com/?url=https%3A%2F%2Fgithub.com%2Fnotifications%2Funsubscribe-auth%2FAAXN6Z6AW7RYHEB5VYVM2Q3V56JW7ANCNFSM5KPF6IZA&data=05%7C01%7C%7C2223d919c1aa4267144408da9500a37b%7C84df9e7fe9f640afb435aaaaaaaaaaaa%7C1%7C0%7C637986127218815080%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sdata=Oq%2FWwpM1TcKq8CD7FFiiivBZ9dWV6Te3qh9CuQz6F58%3D&reserved=0. You are receiving this because you are subscribed to this thread.Message ID: @.***>

[ngo]

Thanks again @l-o-l for being active in the resolving of the issue, and to @dougbenham for figuring out the solution and reporting it back. I'm going to close this issue because the original problem was also resolved. @K4CZP3R If you still have your problem with frida, feel free to open a separate issue and we'll try to figure out what is stopping frida from attaching to lsass in your case.