As multiple people requested it, we are releasing a tool that will help you bypass NTFS security permissions, using the method we described in our previous article.
This could be useful when you plug in an old hard drive with messed-up NTFS permissions, or in the case of an old Windows installation sitting on another partition.
If you just want to download the tool and skip the article, then click here.
If you thought NTFS was secure, then think again. Here is a technique that can be successfully used to bypass NTFS security in Windows. It is not a security hole, because it requires a kernel-mode driver in order to work. However, its security implications are interesting (more about this in the PDF document at the end of this page).
Let's say that multiple users share a computer and use NTFS security permissions in order to prevent others from accessing their private data. If one of the users is allowed to load a kernel-mode driver, then he/she can bypass NTFS security and see all the data on that computer, including files he/she did not previously have access to (such as other users' files).
We built a file system filter driver which fools the file system into opening any file, including files we shouldn't be able to access due to the security permissions set on them. This driver uses only documented techniques, and only 3 lines of code are needed to enable this method. So no complicated hooking or patching is involved.
Microsoft has been notified about this and replied (as expected) that they do not consider this a security hole, because it requires a kernel-mode driver to be loaded. However, there are lots of examples of malware that is able to run code in kernel mode (for example rootkits), which is why we consider it important to share this method. These types of malware can disguise themselves as powerful antivirus products and fool the user into letting them install and load their kernel-mode drivers.
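The practical takeaway of the paragraphs above is that the ability to load a kernel-mode driver, not the NTFS ACL, is the real trust boundary. As an added example that is not part of the original article or its tool, the following PowerShell script lets an administrator review that boundary on a machine: it lists kernel-mode driver services recorded as installed in the System event log (event ID 7045, "A service was installed in the system") and the currently running drivers whose image is not under the Windows directory. The event-data field names (`ServiceName`, `ImagePath`, `ServiceType`) are assumed from the standard 7045 record; the "outside %SystemRoot%" heuristic is a simplification chosen here, not a rule from the article.

```powershell
# Added example (not from the original article): inventory kernel-mode driver
# installs and running non-system drivers so a defender can see who has crossed
# the "can load a kernel driver" boundary. Run from an elevated PowerShell prompt.

# 1. Driver service installs from the System log. Event 7045 is written by the
#    Service Control Manager whenever a new service (including a driver) is created.
function Get-DriverInstallEvents {
    param([int]$Days = 30)
    $since = (Get-Date).AddDays(-$Days)
    Get-WinEvent -FilterHashtable @{ LogName = 'System'; Id = 7045; StartTime = $since } -ErrorAction SilentlyContinue |
        ForEach-Object {
            # Read the named EventData fields instead of parsing the message text.
            # Assumption: the record carries ServiceName / ImagePath / ServiceType.
            $data = @{}
            foreach ($d in ([xml]$_.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
            [pscustomobject]@{
                Time        = $_.TimeCreated
                ServiceName = $data['ServiceName']
                ImagePath   = $data['ImagePath']
                ServiceType = $data['ServiceType']
            }
        } |
        Where-Object { $_.ServiceType -match 'kernel mode driver' }
}

# 2. Running drivers loaded from outside the Windows directory. Third-party
#    drivers are normal (storage, GPU, AV), so this is a review list, not an alert.
function Get-NonSystemRunningDrivers {
    $sysRoot = [regex]::Escape($env:SystemRoot)
    Get-CimInstance Win32_SystemDriver |
        Where-Object { $_.State -eq 'Running' -and $_.PathName -and ($_.PathName -notmatch "^$sysRoot") } |
        Select-Object Name, PathName, StartMode
}

Write-Host '== Kernel-mode driver services installed in the last 30 days =='
Get-DriverInstallEvents -Days 30 | Format-Table -AutoSize

Write-Host '== Running drivers with an image outside %SystemRoot% =='
Get-NonSystemRunningDrivers | Format-Table -AutoSize
```

Pair the inventory with a check of who holds SeLoadDriverPrivilege (`whoami /priv` on each relevant account, or the "Load and unload device drivers" user right in local security policy): on a shared machine, every account on that list can read every other user's files regardless of NTFS ACLs.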
Moreover, there are a number of file security products on the market claiming they can "guard" your files against any modification. This method can also be used to bypass them.
In case this method were used by malware (a virus or rootkit), it would enable it to access any file on the system and even overwrite executables which are currently running on the system.
Forensic analysis tools could also use this technique to easily access files on drives mounted as read-only, where they are not able to change permissions or take ownership of those files.
Here is a video demonstration of how this works:
For those interested in advanced details on how this works, here is a document that you can read:
Q: "Why can't I simply right click on the file/folder and take ownership?"
A: The presented method is intended to be used programmatically. Of course it would be silly to load a driver instead of right clicking on a file/folder.
Q: "Why can't I just write code to take ownership of a file/folder?"
A: You would need more than 3 lines of code and more CPU cycles to do that. How long does it take you to do that for hundreds of files? What about an external hard drive mounted as read-only?
Q: "I can do raw reads to the disk and access the contents of a protected file."
A: Does it take you less than 3 lines of code to do that? What about writes? Can you write to an online/mounted drive without causing corruption?
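For the use case the article opens with (an old drive with messed-up permissions, where the owner of the machine is entitled to the data), the supported route the Q&A refers to is to take ownership and re-grant access, and it scales to hundreds of files without a driver. The script below is an added example, not the article's tool or code: it counts the items that are currently access-denied, takes ownership of the tree with `takeown.exe`, grants Full Control with `icacls.exe`, then re-counts. The drive letter `E:\OldUserData` and the `BUILTIN\Administrators` principal are placeholders.

```powershell
# Added example (not from the original article): repair NTFS permissions on an
# old data volume the supported way. Run from an elevated PowerShell prompt.
# Placeholders: the path of the old volume and the principal to grant access to.
param(
    [string]$Root = 'E:\OldUserData',
    [string]$Principal = 'BUILTIN\Administrators'
)

# Walk the tree and collect every path that fails with "access denied".
# -Force includes hidden and system files; errors are captured, not displayed.
function Get-AccessDeniedItems {
    param([string]$Path)
    $denied = @()
    Get-ChildItem -LiteralPath $Path -Recurse -Force -ErrorAction SilentlyContinue -ErrorVariable errs | Out-Null
    foreach ($e in $errs) {
        if ($e.Exception -is [System.UnauthorizedAccessException]) {
            $denied += $e.TargetObject
        }
    }
    return $denied
}

$before = Get-AccessDeniedItems -Path $Root
Write-Host ("Items denied before repair: {0}" -f $before.Count)

# Take ownership recursively. /A assigns ownership to the Administrators group,
# /R recurses, /D Y answers "yes" for directories we currently cannot list.
takeown.exe /F $Root /R /A /D Y | Out-Null

# Grant Full Control, inherited by subfolders (CI) and files (OI), across the
# whole tree (/T), continuing past individual errors (/C).
icacls.exe $Root /grant "$($Principal):(OI)(CI)F" /T /C | Out-Null

# Re-check and report anything still unreadable (typically reparse points or
# files held open by another process).
$after = Get-AccessDeniedItems -Path $Root
Write-Host ("Items denied after repair:  {0}" -f $after.Count)
$after | ForEach-Object { Write-Warning "Still denied: $_" }
```

This changes the ACLs on disk, which is exactly what a forensic workflow on a read-only mount must avoid; the article's point is that the driver approach does not modify anything, while this approach is the right one when altering the volume is acceptable.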
LATER EDIT: You can download the tool that uses this technique here