Bypassing file system security in Windows with no hooking or patching
If you just want to download the tool and skip the article then click here
Here is a technique that can be successfully used to bypass NTFS security in Windows. It is not a security hole because it requires a kernel mode driver in order to work. However, its security implications are interesting (more about this in the PDF document at the end of this page).
Let’s say that multiple users share a computer and use NTFS security permissions in order to prevent others from accessing their private data. If one of the users is allowed to load a kernel mode driver, then he/she can bypass NTFS security and see all the data on that computer, including files he/she didn’t previously have access to (such as other users’ files).
We built a file system filter driver which fools the file system into opening any file, including files we shouldn’t be able to access due to the security permissions set on them. This driver uses only documented techniques and only 3 lines of code are needed to enable this method. So no complicated hooking or patching is involved.
Microsoft has been notified about this and replied (as expected) that they do not consider this a security hole because it requires a kernel mode driver to be loaded. However, there are lots of examples of malware which are able to run code in kernel mode (for example rootkits), which is why we considered it important to share this method. These types of malware can disguise themselves as powerful antivirus products and fool the user into letting them install and load their kernel-mode drivers.
Moreover, there are a number of file security products on the market claiming they can “guard” your files against any modification. This method can also be used to bypass them.
If this method were used by malware (a virus or rootkit), it would enable it to access any file on the system and even overwrite executables which are currently running on the system.
Forensic analysis tools could also use this technique to easily access files on drives mounted as read-only, where they are not able to change permissions or take ownership of those files.
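As an added defensive check (not the tool or code from this post), the following PowerShell script lists the file system filter drivers currently loaded and the signature state of each driver image, since a filter driver loaded into the kernel is the precondition for the bypass described above. It assumes fltmc.exe, the Win32_SystemDriver CIM class, Get-AuthenticodeSignature and bcdedit are available, i.e. a modern Windows with an elevated prompt.

```powershell
# Added example, not the post's tool: inventory loaded file system filters
# and check whether each driver image carries a valid Authenticode signature.
# Run from an elevated prompt.

function Get-LoadedFilterReport {
    # 'fltmc filters' prints a two-line header, then one loaded filter per
    # line (Filter Name, Num Instances, Altitude, Frame); legacy filters show
    # up as well. The first column is the filter name, which normally matches
    # the driver's service name.
    $rows = fltmc.exe filters | Select-Object -Skip 2 | Where-Object { $_.Trim() }

    foreach ($row in $rows) {
        $name = ($row.Trim() -split '\s+')[0]

        # Map the filter name to its service entry to find the image on disk.
        $drv = Get-CimInstance -ClassName Win32_SystemDriver -Filter "Name='$name'"
        if (-not $drv -or -not $drv.PathName) {
            [pscustomobject]@{ Filter = $name; Path = '(no matching service)'; Signature = 'unknown'; Signer = '' }
            continue
        }

        $path = $drv.PathName -replace '^\\\?\?\\', ''   # strip a leading \??\ prefix
        $sig  = Get-AuthenticodeSignature -FilePath $path
        [pscustomobject]@{
            Filter    = $name
            Path      = $path
            Signature = $sig.Status                       # Valid, NotSigned, HashMismatch, ...
            Signer    = $sig.SignerCertificate.Subject
        }
    }
}

# Unsigned or unverifiable filters sort first; review anything you did not install.
Get-LoadedFilterReport |
    Sort-Object { $_.Signature -eq 'Valid' } |
    Format-Table -AutoSize

# A driver like this one only loads on 64-bit Windows if signature enforcement
# has been weakened, so also check the boot configuration for those switches.
bcdedit /enum "{current}" | Select-String -Pattern 'testsigning|nointegritychecks'
```

Any filter that is NotSigned, or whose signer is not a vendor you deployed, deserves a closer look; the bcdedit lines should normally return nothing.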
Here is a video demonstration of how this works:
For those interested in advanced details on how this works, here is a document that you can read:
Bypassing file system security in Windows
Frequently Asked Questions
Q: “Why can’t I simply right click on the file/folder and take ownership?”
A: You could do that, but there are times when that is not possible (on a read-only hard-drive for example). Taking ownership also takes a lot of time if you have lots of files.
Q: “Why can’t I just write code to take ownership of a file/folder?”
A: Yes, you could do that, but we thought it would be easier to use an existing tool. From a developer’s point of view, this method requires only 3 lines of code in a kernel-mode driver.
Q: “I can do raw reads to the disk and access the contents of a protected file”
A: Yes, that can also be an option if you are willing to put in this amount of effort.
LATER EDIT: You can download the tool that uses this technique here

[...] technical details, you can access the English-language post, which contains a video and a PDF document: http://www.hobeanu.com/blog/bypassing-file-system-security-in-windows/ This method is not considered a security hole because it requires loading a driver. [...]
January 14, 2009 @ 11:39 am
What are the limitation(s) of this tool?
September 29, 2009 @ 2:25 am
Hi Daryll,
The tool doesn’t currently work on 64-bit systems as the driver is not signed. You can however disable Driver Signature Enforcement by pressing F8 at boot time and it should work.
Moreover, this is only a proof of concept so it is not intended for commercial/production environments.
One of the limitations would be the fact that it facilitates opening any file but not creating files anywhere (e.g: you can not create a file in a read-only folder).
September 29, 2009 @ 8:14 am
I see, by the way does this tool work with fat32 file system?
September 30, 2009 @ 2:29 am
Yes, it should work the same way although FAT32 doesn’t implement any kind of file security (as NTFS does).
September 30, 2009 @ 10:37 am
Would it be okay if I just copy and paste the .sys file into windows system path without executing the .inf file? Let’s say in a Network.
September 30, 2009 @ 2:14 pm
NTFS “security” is a joke anyway. I have just begun testing NTFS security on Server 2008 and have found that if you give a non-admin modify rights to a folder and then remove their modify rights, then have an admin create a file in that folder, the non-admin can delete the file even though you can look at the permission levels and they clearly show that user should not be able to.
February 21, 2010 @ 5:27 pm
What a smashing driver
Thankyou
I was able to recover a friend’s precious family photos off a dying hard drive without arguing with the security.
All backed up now, so she’s happy.
Why do people never back up their family photos?
October 12, 2011 @ 1:14 pm
Harvey: that sounds great!
October 12, 2011 @ 1:40 pm
YOU MADE MORE THAN ONLY ONE DAY!!!
1001 THANX!
October 19, 2011 @ 11:55 pm