Being able to call a function without using GetProcAddress is not a security vulnerability

Another genre in the sporadic category of dubious security vulnerability is people who find an unusual way of accomplishing something perfectly normal but declare it a security vulnerability because they found an unusual way of doing it.

Security is important to all computers users, from families at home to employees of government agencies, and people who use Microsoft Windows are no exception. Trojans, backdoors, and spyware (collectively known as malware) have taken many forms, most recently those of so-called rootkits, which modify the operating system itself in order to prevent their detection. Firewalls are an important tool in the defense against malware.

Through the following sequence of tricks, we can obtain the address of any function without using the GetProcAddress function. Once that address is obtained, the function can be called in the normal manner. First, obtain the module base address by calling the LoadLibrary function. The headers of the image are mapped into memory at the base address. From there, you can parse the headers of the module, look for the export directory, then manually parse the exported function name table until you find the function you want. In this way you can call functions like RegSetValue without detection.

Well, sure, you can manually perform all the operations that the GetProcAddress would perform, but what's the point? Once you call RegSetValue all the normal registry security checks take place. You haven't bypassed anything. If you were so keen on calling functions surreptitiously, you could scan memory looking for the byte pattern that corresponds to the function you're looking for, or heck, just cut out the middle man and just take the code from the DLL you are trying to gain secret access to and copy it into your program!

In other words, you just found a complicated way of doing something perfectly mundane. You can't make up for the absence of any actual vulnerability by piling on style points and cranking up the degree of difficulty.

Comments (13)
  1. Art says:

    Presumably, this isn’t trying to subvert the security of the OS but to hide the function call from virus scanners.

  2. Jules says:

    The author of the quoted text seems to be pointing out a security flaw in something, and whatever that something is is software that assumes that to modify the registry, one must dynamically link to RegSetValue or similar.  As you point out, there are plenty of other ways to achieve it, so whatever this software is has a security hole.  The author just missattributed the location of the hole.

  3. Koro says:

    Only bad security products hook stuff in user-mode anyway. Those that do often introduce compatibility problems and are easy to work around, as shown by this post.

    The real ones will patch the SSDT (not a recommended approach in itself, but still more reliable) or use whatever hooks the kernel has to offer.

  4. Anon E. Moose says:

    I think the author is suggesting this as a means of avoiding malware detection heuristics – which may pay attention to specific library calls or patterns of use of GetProcAddress.  It’s definitely an old news thing though, so still worth of The Old New Thing.

  5. Or you could just link against Advapi32.lib…

  6. Kevin says:

    I found a huge security hole that affects almost all computers, regardless of OS. If I walk to your computer and throw it out the window, I will have essentially DoS’d your entire system. Laptops are especially vulnerable due to their light weight and fragility.

    Another huge hole: I can walk up to someone with a knife or gun in my hand and steal their password. This attack is effective against 95% of people and is a very easy form of social engineering.

  7. DWalker says:

    It seems that you could do whatever RegSetValue does, except without the security checks, but I suppose that code isn’t available to you… which really IS security by obscurity.  

    If you have unrestricted access to the computer, just boot it from a specially crafted CD, read the whole registry from disk, modify it any way you want without any of the security checks, and rewrite it to disk:  therefore you can simulate what RegSetValue does and leave out the security checks on the individual values.  I suppose the key to this lies in knowing the structure of the registry files… and having unrestricted access to the computer.

    Is that like being on the other side of the airtight hatchway?

  8. Conundrum says:

    This whole thing is moot.  Simply find another one of the original group of men that reversed engineered technology from the Roswell crash which is responsible for the innovation that is Microsoft and he’ll tell you all the secrets that makes Windows work.  Why do you think MS was based in New Mexico for so long?

  9. dave says:

    It seems a bit wussy to call LoadLibrary, when you could *bypass even more security* by opening the image file directly, parsing the image headers, allocating some VM, copying the file contents into it, doing the address fixups yourself, etc.

  10. Nick says:

    "Is that like being on the other side of the airtight hatchway?"

    I think that’s like pulling out an oxyacetylene torch and removing the airtight hatch altogether, being naughty, and then welding it all back together in an undetectable manner.

    The tough part is sneaking the torch and welder past the security guards in the office building lobby…

  11. MS says:

    I tend to think of this sort of thing of securtiy by Slashdot — you’re wrong, don’t know it, but use enough technical voodoo to scare the average (already biased) computer janitor on slashdot.

    Steve, I’m not sure what isn’t documented.  I’d imagine the DDK would have all sorts of documentation on all sorts of driver loading things.  And circumventing the signed code requirement *does* break the benefits of requiring signed code.

  12. Clovis says:

    "Security is important to all computers (sic) users, from families at home to employees of government agencies, and people who use Microsoft Windows are no exception" – so cheesy. Reads like the science bit of a shampoo advert. Horrible.

  13. Cooney says:

    The tough part is sneaking the torch and welder past the security guards in the office building lobby…

    That part’s easy. Dress like a maintenance man and carry a clipboard with a work order on it. May not work at MS HQ, but works way more places than it should.

Comments are closed.

Skip to main content