Windows XP expert's help needed...

Maestr0 --> i'm surely interested, although i do not believe it is the ONLY way...

Quote:

---

At that point in time, fsck the messy methods and just install a hardware keylogger onto the keyboard.

---

the main goal isn't retrieving someone elses password, the main goal is retrieving it from memory. you can use such a program for penetration tests, and a hardware keylogger shouldn't be used for pen-testing since it wouldn't be completely fair. it's the same as putting a camera on the keyboard to see what the user types... this should be able to do remotely, and installing a hw keylogger is a hard job doing remotely ;)

I agree with you, white.

The point I was leaning moreso torwards, I guess, is that if they are running "shutdown -a" to save the lsass.exe shutdown.. or injecting a file library protected by the administrator account, then chances are they already have administration access or local access to the machine. This is because the first process requires you having local access (or real time VNC access remotely) with administrative privleges.

The second method of injecting could be done remotely by virus usage or getting a dumb employee to run a precompiled program to preform the injection. But then what? Due to SP2 the windows system files, once loaded in memory, are unable to be modified. Most of their memory registers are also already encrypted on the spot. The only way to overwrite a windows protected system file (exe or dll based, mostly) is by rebooting the computer into Safe Mode and proceeding that way due to the i386 folder kept within the primary Windows folder, which dissallows and immediatally replaces any windows system files that have been modified. Thus, again local access or even remote VNS administrative access would be required.

So, there you have it :) I agree that the point isn't to use something so obvious, but the methods described so far either already require administrative access (and thus already able to control the system and user's passwords) or local access (and thus open up billions of ways to gain passwords from the hard disk).

Of course, this is all academic, and I may have missed something on the whitepaper of SP2 secure file handling.

Quote:

---

The second method of injecting could be done remotely by virus usage or getting a dumb employee to run a precompiled program to preform the injection. But then what? Due to SP2 the windows system files, once loaded in memory, are unable to be modified. Most of their memory registers are also already encrypted on the spot. The only way to overwrite a windows protected system file (exe or dll based, mostly) is by rebooting the computer into Safe Mode and proceeding that way

---

It is possible to disable the WFP on the fly by closing the Handles that are monitored by WFP. Also the process which monitors WFP directories is actually our very same winlogon.exe. :) so I would not rely on WFP to save you, and I dont believe code execution vulnerabilities in Windows are particulalry rare. :)

-Maestr0

Good point. I didn't think WFP was so easily exploitable remotely.

How would one defeat WFP ('windows file protection' for those who don't know) remotely?