bigmuscle

- Hooks lsass.exe (Local Security Authority Process) so it can take over the security policy of the entire system

You are wrong.

- Uses that to allow DWM group to assign privileged security tokens that only exist for the purpose of the OS itself to use

You are wrong.

- Hooks DWM and elevates privilege using the new tokens to bypass all security so it can hook csrss.exe

You are wrong.

- Sets the protect flag on csrss.exe so nothing else can touch it (seems like good security until we circle back round)

You are wrong.

- Uses this core system process in a highly restricted security context for the only purpose of showing a nag dialog box, which could be shown anywhere but then it could be closed with the X instead of the No button

You are wrong.

- Leaves DWMGlass.dll in a medium integrity (regular user account, not running under elevation/as administrator) zone

You are wrong.

And I checked many times, but correct me if any is wrong

I'm correcting you, because you are completely wrong and your posts make no sense.

Edited by bigmuscle


- Hooks lsass.exe (Local Security Authority Process) so it can take over the security policy of the entire system

You are wrong.

- Uses that to allow DWM group to assign privileged security tokens that only exist for the purpose of the OS itself to use

You are wrong.

- Hooks DWM and elevates privilege using the new tokens to bypass all security so it can hook csrss.exe

You are wrong.

- Sets the protect flag on csrss.exe so nothing else can touch it (seems like good security until we circle back round)

You are wrong.

- Uses this core system process in a highly restricted security context for the only purpose of showing a nag dialog box, which could be shown anywhere but then it could be closed with the X instead of the No button

You are wrong.

- Leaves DWMGlass.dll in a medium integrity (regular user account, not running under elevation/as administrator) zone

You are wrong.

And I checked many times, but correct me if any is wrong

I'm correcting you, because you are completely wrong and your posts make no sense.

Quoting before the deletion.

Edit: Actually not even going to be sarcastic since I think the response is enough to speak for itself.

Please fix it. That's all.

"Nothing to fix" will just lead to more of this except i will have to take screenshots for the others.

- Leaves DWMGlass.dll in a medium integrity (regular user account, not running under elevation/as administrator) zone

You are wrong.

Not at medium integrity?
C:\AeroGlass>chml DWMGlass.dll
Chml v1.53 -- View and change Windows file/folder integrity levels
by Mark Minasi (c) 2006-2009 www.minasi.com email:help@minasi.com
The file DWMGlass.dll has no integrity label.
Windows treats unlabeled objects like this:
File DWMGlass.dll's integrity level: medium
Inheritance flags:  No inheritance flags
Integrity policies:
  No read up: disabled
  No execute up: disabled
  No write up: enabled

Not the same as a txt file saved to the desktop?

C:\Users\Rod\Desktop>chml dxdiag.txt
Chml v1.53 -- View and change Windows file/folder integrity levels
by Mark Minasi (c) 2006-2009 www.minasi.com email:help@minasi.com
The file dxdiag.txt has no integrity label.
Windows treats unlabeled objects like this:
File dxdiag.txt's integrity level: medium
Inheritance flags:  No inheritance flags
Integrity policies:
  No read up: disabled
  No execute up: disabled
  No write up: enabled

Not left unlocked you say?

C:\AeroGlass>handle DWMGlass.dll
Handle v3.51
Copyright (C) 1997-2013 Mark Russinovich
Sysinternals - www.sysinternals.com
No matching handles found.

Not left wide open?

C:\AeroGlass>ren DWMGlass.dll BMversion.dll & echo arbitrary code > DWMGlass.dll & type DWMGlass.dll
arbitrary code

Do you really think the original dll is going to run at the next startup? Obviously anything can replace echo, so no need to say "that won't execute".

I can understand being defensive, but repeating 4 times isn't going to plead to any different facts.

Let's not get to screenshots of process explorer or secpol showing the rest.

Obviously enough time has been wasted already, so why not just do the right thing? I don't understand, but it's your choice.

Edited by aphelion
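What the chml and rename checks above establish is that DWMGlass.dll carries no explicit mandatory label, so Windows treats it as medium; that is the default for every file, as the desktop text file shows, so the label alone says nothing. The question a practitioner would ask next is about the DACL: the ren / echo > sequence only works if the caller holds Delete on the file (or DeleteSubdirectoriesAndFiles on the directory) plus the right to create a file there, and a DLL that a standard user can replace is a privilege boundary only if some process running under a different account later loads it. The PowerShell below is an added example, not code from the thread or from the Aero Glass project; it answers the first half of that question for a file and its parent directory. The path is the one shown in the thread and is a placeholder for your own install.

```powershell
# Added example (not from the thread or the Aero Glass project).
# For a file and its parent directory: print the mandatory integrity label
# (if any) and every Allow ACE that gives a broad principal the right to
# modify, delete or replace the object. Run from a normal, non-elevated
# prompt; that is the account whose rights matter here.
[CmdletBinding()]
param(
    # Placeholder path taken from the thread; adjust for your installation.
    [string]$Path = 'C:\AeroGlass\DWMGlass.dll'
)

# Principals that every interactive standard user is a member of.
$BroadPrincipals = @(
    'Everyone',
    'BUILTIN\Users',
    'NT AUTHORITY\Authenticated Users',
    'NT AUTHORITY\INTERACTIVE'
)

# Rights that let the holder change or swap the object. On the directory,
# WriteData means "create files" and DeleteSubdirectoriesAndFiles means
# "delete children regardless of their own DACL".
$ModifyMask = [System.Security.AccessControl.FileSystemRights]::WriteData -bor
              [System.Security.AccessControl.FileSystemRights]::AppendData -bor
              [System.Security.AccessControl.FileSystemRights]::Delete -bor
              [System.Security.AccessControl.FileSystemRights]::DeleteSubdirectoriesAndFiles -bor
              [System.Security.AccessControl.FileSystemRights]::ChangePermissions -bor
              [System.Security.AccessControl.FileSystemRights]::TakeOwnership

function Get-IntegrityLabel {
    param([string]$Target)
    # icacls prints the mandatory label (stored in the SACL, readable with
    # READ_CONTROL only) as e.g. "Mandatory Label\High Mandatory Level:(NW)".
    $out = & icacls.exe $Target 2>&1 | Out-String
    if ($out -match 'Mandatory Label\\(.+?) Mandatory Level:\(([A-Z]+)\)') {
        '{0} (policy {1})' -f $Matches[1].ToLower(), $Matches[2]
    } else {
        'none (treated as medium)'
    }
}

function Get-BroadModifyAces {
    param([string]$Target)
    (Get-Acl -LiteralPath $Target).Access |
        Where-Object {
            $_.AccessControlType -eq 'Allow' -and
            $BroadPrincipals -contains $_.IdentityReference.Value -and
            (($_.FileSystemRights -band $ModifyMask) -ne 0)
        } |
        Select-Object @{ n = 'Path'; e = { $Target } }, IdentityReference, FileSystemRights, IsInherited
}

foreach ($t in @($Path, (Split-Path -Parent $Path))) {
    "{0}`n  integrity label: {1}" -f $t, (Get-IntegrityLabel $t)
    $hits = Get-BroadModifyAces $t
    if ($hits) { $hits | Format-Table -AutoSize } else { '  no modify/delete rights for broad principals' }
}
```

Rows naming BUILTIN\Users or Authenticated Users with WriteData, Delete or DeleteSubdirectoriesAndFiles on either path mean a medium-integrity process can swap the DLL. The remedy is a directory writable only by Administrators and SYSTEM (the default layout under Program Files gives that), not an integrity label: a label with the No-Write-Up policy only blocks callers below the object's level, and medium is where the standard user already sits.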

Spring update debug version does not work for me.

Get an error saying " user is not mean to run this exe." ...Right.. wait, what?

Because, it is true. Read the guide http://glass8.berlios.de/guide.html - "How to install this software?", point 2)

Umm.. Mr. developer...just checking but... this is a tool to enable aero glass, no?

I don't mind if it's nagware or if you just found the goldmine of your life, but WTH is all that stuff Mr. Aphelion is talking about?

Care to explain?

Don't care about him, it is probably just another troll who wants to spread shit around.

Quoting before the deletion.

Don't worry, nothing needs to be quoted by you; I don't need to delete anything. It was you who edited your post several times - your first post contained that you are going to provide some proof for your speculation. So you are free to do it.

I can understand being defensive, but repeating 4 times isn't going to plead to any different facts.

Sure, you are right. But your posts contain several things which show that you don't understand it at all, and that you only saw something somewhere and are making your own speculation from it. And if you end it with "can I get refund", it only proves that you are trying to troll instead of having a technical discussion. And it's not worth a normal answer.

Quoting before the deletion.

Don't worry, nothing needs to be quoted by you; I don't need to delete anything. It was you who edited your post several times - your first post contained that you are going to provide some proof for your speculation. So you are free to do it.

Okay, so you don't see the above.

What part is most useful for you to see? I can't understand the mindset, and providing dozens of screenshots is a waste of time that I will do even without apparent effect. But if you have something that you feel is truly wrong and would like demonstrated in detail, that would be a better way to focus. It's all true, so just pick anything and consider a walkthrough ready in a few hours (it's 5am here in NYC, so that means tomorrow).


I can understand being defensive, but repeating 4 times isn't going to plead to any different facts.

Sure, you are right. But your posts contain several things which show that you don't understand it at all, and that you only saw something somewhere and are making your own speculation from it. And if you end it with "can I get refund", it only proves that you are trying to troll instead of having a technical discussion. And it's not worth a normal answer.

No, that's sarcasm. We are from different countries, so I can understand there is likely a gap in the intonation there.

I "heard" this... is that some way of trying to discourage me from posting proof, or the opposite? I'm not sure if you think denial without any counterpoint is just going to be fine and dandy when anyone can replicate the steps.

Hey guys, run secpol. Now run it without dwmhook. Notice the difference. That's it. It's all right there. It just goes too far not to notice.

You said you wanted screenshots. Fine. I will head to my desktop and take some. I will start with csrss acting as your nagware delivery system. I don't suspect that will satisfy you, or that anything will.

Frankly I don't need 3 euros any more than I need this fixed. My system is patched, and if you want to screw over everybody else that is your choice. I have nothing to gain and only more time to lose. That I'm doing this is not trolling; it's time and, apparently most important to you given the joke you chose to focus on instead of the proof I posted, money.


So... nice job on the blur. Looks great. Here's what I see. And I checked many times, but correct me if any is wrong:

- Hooks lsass.exe (Local Security Authority Process) so it can take over the security policy of the entire system

- Uses that to allow DWM group to assign privileged security tokens that only exist for the purpose of the OS itself to use

- Hooks DWM and elevates privilege using the new tokens to bypass all security so it can hook csrss.exe

- Sets the protect flag on csrss.exe so nothing else can touch it (seems like good security until we circle back round)

- Uses this core system process in a highly restricted security context for the only purpose of showing a nag dialog box, which could be shown anywhere but then it could be closed with the X instead of the No button

Yes, I want a proof to all of this, because neither one of these happens in my tool.


Right now I am having the exact same problem as LasseSL500, however holding CTRL during startup is not preventing Aero Glass from running, system restores have failed, and safe mode won't boot properly either.

This is driving me insane. How the hell do I fix this?

Thanks


So... nice job on the blur. Looks great. Here's what I see. And I checked many times, but correct me if any is wrong:

- Hooks lsass.exe (Local Security Authority Process) so it can take over the security policy of the entire system

- Uses that to allow DWM group to assign privileged security tokens that only exist for the purpose of the OS itself to use

- Hooks DWM and elevates privilege using the new tokens to bypass all security so it can hook csrss.exe

- Sets the protect flag on csrss.exe so nothing else can touch it (seems like good security until we circle back round)

- Uses this core system process in a highly restricted security context for the only purpose of showing a nag dialog box, which could be shown anywhere but then it could be closed with the X instead of the No button

Yes, I want a proof to all of this, because neither one of these happens in my tool.

Ok. Given that 2 of the points I posted are suddenly missing, I'm assuming you are admitting they are not "wrong" as you repeated over and over. Thank you for taking a more sensible approach.

I am also glad you picked some, so I am not wasting time on things that are not going to be productive.

However I'm not sure where the "Yes" and "all of this" came from. If you scroll up to check, you will see what I said is that I will have to take screenshots. There was no "all of this" to say "yes" to, because you know full well that's hundreds of screenshots. Obviously I'm not going to make a hundred screenshots for you because your "tool" (feel free to be more specific) isn't showing something. Maybe that was your hope. If so I am sorry to disappoint, but I will do what I said and provide screenshots to prove the points that are still on your list.

That will be on a rolling basis until you change your mind about your tools, or whatever else you think of until then. I expect not to receive any response once each is proven, but certainly if there is any discrepancy you'd like to resolve, that's pretty much the point. I wish there were even a chance of that, but I'm not holding my breath. So with that said, here is the first that I said I would take, which is on your list as well. For context:

- Uses this core system process in a highly restricted security context for the only purpose of showing a nag dialog box, which could be shown anywhere but then it could be closed with the X instead of the No button

You are wrong.

No, I'm not. And here's your proof:

[screenshot: 00eventlog.png]

PID of system-level process (nagware delivery mechanism)

[screenshot: 00psexec.png]

Process Explorer correlating PID to csrss.exe

I can't imagine that you might try to say that the role of csrss.exe, a process critical to system operation which "terminating will result in system failure", is being hijacked here in some other way than I described, but since there's lots of time until I wake up I'm sure you'll think of something to pick at. Whatever that is, keep in mind that as more is posted the picture only gets clearer, and I will come back to refute every single point where you said I was wrong until it's clear you're full of it.

I resent having to make a picture book with links for you. But it seems that's the only way you will admit it's not that I "saw something somewhere" and "don't understand it", while you don't know anything about it "because neither one of these happens in your tools". Except the ones that disappeared from the list without explanation, of course.

Let me know when you've seen enough to give up the pretense completely, instead of just one or 2 points at a time, so I can stop wasting my time. I hope it will lead to a fix, but so far there is not even an indication of that.

If I can stay awake long enough I will give you a glimpse into what I saw and where, with the actual tools used. I hope there's some recognition, as that should resolve any doubt you still have even after this, given we're already halfway through the list. Based on your code there should be, but based on your responses here it seems the opposite.

Before that, though, I think it's important to let people see some of those things happening on their own machines. Rather than picking at 1 thing and then another, this should give a good look into some of the more egregious security holes created by restructuring system-wide security. And that's all I will do, no explanation and no assumption. I'm sure there's a very good explanation.

1. Setting up Auditing for "sensitive privilege use" (Windows term, not mine)

[screenshot: audit policy setting for "Sensitive Privilege Use"]

[ 500k limit per post, continuing in the next post... ]


@aphelion, your knowledge level is obviously way above mine, but just showing what you've shown and saying "this is wrong" isn't proving anything to me, as an admitted noob.

It might be more constructive, assuming that your intention is to help rather than complain for whatever purpose, if you said something like - " This is what I see ____, this is bad because ____, it would be better if it was like this ____, and this is one way to do that _____." Isn't the real purpose of free forums such as this one to help users and provide feedback to developers to help make the tools better, safer, and more productive for everyone?

Cheers and Regards


Still here. Sorry. slept for 30-45 min apparently. I will finish this post, and then have to come back. It's pretty clear even just from the screenshots...

Let's just look at the biggest thing right now. As mentioned before, that's lsass.exe, the authority for all security on your computer. What should definitely not be happening, and only happens when DWMGlass is running, is trying to pull Tcb privilege constantly as a regular user.

Out of disk space for screenshots. Great. External host. Looks giant, so if it's the same on your end, sorry about that. Somehow doubting I'll get more space to provide the screenshots I'm obligated to....

Anyway, Tcb means "Acting as Part of the Operating System":

[screenshot: ZHflQt8.png]

DWMGlass disabled = no sensitive privilege requests denied, because everything it's asking to do is within the scope of what it's supposed to be doing and the OS lets it through without issue

[screenshot: hjtT60Z.png]

DWMGlass disabled = already described, but I will go over it in a second with screens. Basically, Tcb in user land... the OS obviously does not belong in the LUA context, so that will be how it wraps up and leaves the door open for counterpoint and explanation. Maybe.

So I will be right back with that, and in the meantime, as I said I would not judge or jump to conclusions, the door is wide open, Mr. Big; I would love to hear your take on this behavior you're entirely unaware of.

Also, can I get more space? Thanks
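The audit setup described in the posts above can be reproduced without screenshots. The PowerShell below is an added example, not code from the thread: it can enable success and failure auditing for the "Sensitive Privilege Use" subcategory, then summarises Security log events 4673 (a privileged service was called) and 4674 (an operation was attempted on a privileged object) that name SeTcbPrivilege, grouped by subject account, process and outcome, with the PID decoded for correlation against Process Explorer. The method is the one the post uses: run it with and without the component loaded and compare the counts. One caveat for anyone reading the output: failure audits naming SeTcbPrivilege are common on stock Windows installs, because some API paths test for the privilege and fall back when it is absent, so a single failure event by itself shows nothing; the delta between the two runs, the subject account and the process name are what carry information.

```powershell
# Added example, not from the thread. Optionally enables success/failure
# auditing for "Sensitive Privilege Use" (needs an elevated prompt; record
# the current setting first with: auditpol /get /subcategory:"Sensitive Privilege Use"),
# then summarises Security events 4673/4674 that name the given privileges.
[CmdletBinding()]
param(
    [string[]]$Privileges = @('SeTcbPrivilege'),
    [int]$MaxEvents = 5000,
    [switch]$EnableAudit
)

if ($EnableAudit) {
    & auditpol.exe /set /subcategory:"Sensitive Privilege Use" /success:enable /failure:enable | Out-Null
}

function Get-PrivilegeUseEvents {
    param([string[]]$Names, [int]$Max)
    # One alternation of the privilege names, e.g. SeTcbPrivilege|SeDebugPrivilege
    $rx = ($Names | ForEach-Object { [regex]::Escape($_) }) -join '|'
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4673, 4674 } -MaxEvents $Max -ErrorAction SilentlyContinue |
        ForEach-Object {
            # Pull the EventData name/value pairs out of the event XML.
            $x = [xml]$_.ToXml()
            $d = @{}
            foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
            # ProcessId is logged as a hex string such as 0x1f4.
            $procId = if ($d['ProcessId']) { [Convert]::ToInt32($d['ProcessId'], 16) } else { 0 }
            $outcome = if ($_.KeywordsDisplayNames -contains 'Audit Failure') { 'Failure' } else { 'Success' }
            [pscustomobject]@{
                Time      = $_.TimeCreated
                Id        = $_.Id
                Outcome   = $outcome
                Subject   = '{0}\{1}' -f $d['SubjectDomainName'], $d['SubjectUserName']
                LogonId   = $d['SubjectLogonId']
                Process   = $d['ProcessName']
                Pid       = $procId
                Privilege = ([string]$d['PrivilegeList'] -replace '\s+', ' ').Trim()
            }
        } |
        Where-Object { $_.Privilege -match $rx }
}

$events = Get-PrivilegeUseEvents -Names $Privileges -Max $MaxEvents
if (-not $events) {
    Write-Warning 'No matching events. Is the subcategory audited, and is this prompt elevated (the Security log needs it)?'
    return
}

# Counts per subject / process / outcome: compare these between the two runs.
$events |
    Group-Object Subject, Process, Outcome |
    Sort-Object Count -Descending |
    Select-Object Count, @{ n = 'Subject, Process, Outcome'; e = { $_.Name } } |
    Format-Table -AutoSize

# Most recent raw rows, with PID and logon ID for correlating against Process Explorer.
$events |
    Sort-Object Time -Descending |
    Select-Object -First 10 Time, Id, Outcome, Subject, LogonId, Process, Pid, Privilege |
    Format-Table -AutoSize
```

Run it once with the component loaded and once without, from an elevated prompt in both cases, and diff the first table. The LogonId column is what tells you whether a request came from the interactive user's logon session or from a service or SYSTEM session; the ProcessName column is what to match against the PID shown in Process Explorer.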

@aphelion, your knowledge level is obviously way above mine, but just showing what you've shown and saying "this is wrong" isn't proving anything to me, as an admitted noob.

It might be more constructive, assuming that your intention is to help rather than complain for whatever purpose, if you said something like - " This is what I see ____, this is bad because ____, it would be better if it was like this ____, and this is one way to do that _____." Isn't the real purpose of free forums such as this one to help users and provide feedback to developers to help make the tools better, safer, and more productive for everyone?

Cheers and Regards

I am getting there... the posts I just made should explain somewhat, but probably not enough. LUA is Limited User Account, and having the security process asking for system access from that account is a behavior that should never happen, since it's the master after all. Except when it's compromised... but I am trying not to say anything too inflammatory, because we saw the reaction earlier and I want to give all the information first, since the explanations are all online also. But I will cover everything eventually, or at least I intend to. Sorry for not being more thorough. It is 10 am and I haven't slept yet, as you can see the posts have gone back quite a while.


To your point on the purpose of public forums, agreed. Consider, though: if I just PM it, do you think it will get fixed? Maybe? That's why it's posted here, for visibility. It may not make sense yet, as I haven't covered it in detail and that will take some time. But it certainly should have been making sense for quite a while to the target audience. I don't see any more name calling coming my way, which is a nice thing. Just saying.

Edit: typos

Edited by aphelion

No, I'm not. And here's your proof:

[screenshot: 00eventlog.png]

PID of system-level process (nagware delivery mechanism)

[screenshot: 00psexec.png]

Process Explorer correlating PID to csrss.exe

I can't imagine that you might try to say that the role of csrss.exe, a process critical to system operation which "terminating will result in system failure", is being hijacked here in some other way than I described, but since there's lots of time until I wake up I'm sure you'll think of something to pick at. Whatever that is, keep in mind that as more is posted the picture only gets clearer, and I will come back to refute every single point where you said I was wrong until it's clear you're full of it.

And here we are, because your answer is exactly what I was expecting. Maybe you should look at how process isolation and interactive services work. The DWM process is a service with very limited privileges and it runs in its own session, thus it cannot interact with the user desktop in any way. However, the operating system, since Windows Vista, provides a feature so non-interactive services can send a message to the interactive desktop. And this is handled by the CSRSS.EXE process. Very simple: it's not taking over the security policy, elevating any privileges nor hooking any system process. It is an official WinAPI feature, by calling the MessageBox function. I won't comment on whether this way is secure or not; I just say that it is handled completely by an official OS function, and if there is anything insecure with it, then it is a bug in the OS itself and not something which I do.

Edited by bigmuscle
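The mechanism described in the reply above is the MB_SERVICE_NOTIFICATION flag of the MessageBox API, which asks the system to put the dialog on the interactive desktop on behalf of a process that has no desktop of its own. The PowerShell below is an added example, not code from the thread or from the Aero Glass project; it calls user32!MessageBoxW with that flag so a reader can raise such a dialog themselves and then check, with Process Explorer's window finder (the crosshair on its toolbar), which process owns the window. The constants are the winuser.h values.

```powershell
# Added example (not from the thread or the Aero Glass project).
# Raises a message box with MB_SERVICE_NOTIFICATION, the flag a session-0
# service uses to have the system show a dialog on the interactive desktop.
# hWnd must be NULL when this flag is used.
Add-Type -Namespace Win32 -Name User32 -MemberDefinition @'
[DllImport("user32.dll", CharSet = CharSet.Unicode, SetLastError = true)]
public static extern int MessageBoxW(IntPtr hWnd, string text, string caption, uint type);
'@

function Show-ServiceNotification {
    param(
        [Parameter(Mandatory)][string]$Text,
        [string]$Caption = 'Added example',
        [switch]$YesNo
    )
    # winuser.h values
    $MB_OK                   = 0x00000000
    $MB_YESNO                = 0x00000004
    $MB_ICONWARNING          = 0x00000030
    $MB_SERVICE_NOTIFICATION = 0x00200000

    $buttons = if ($YesNo) { $MB_YESNO } else { $MB_OK }
    $flags   = [uint32]($buttons -bor $MB_ICONWARNING -bor $MB_SERVICE_NOTIFICATION)

    $rc = [Win32.User32]::MessageBoxW([IntPtr]::Zero, $Text, $Caption, $flags)
    if ($rc -eq 0) {
        $err = [System.Runtime.InteropServices.Marshal]::GetLastWin32Error()
        throw "MessageBoxW failed, Win32 error $err"
    }
    # IDOK = 1, IDYES = 6, IDNO = 7
    switch ($rc) { 1 { 'OK' } 6 { 'Yes' } 7 { 'No' } default { "code $rc" } }
}

# Usage: leave the box open and inspect it with Process Explorer before answering.
Show-ServiceNotification -Text 'Dialog raised with MB_SERVICE_NOTIFICATION.' -YesNo
```

Two details worth knowing when reading the earlier posts against this: a message box with MB_YESNO has no Cancel button, so MessageBox disables the title-bar close button and Esc and the only way to get IDNO is the No button; and MB_SERVICE_NOTIFICATION makes the dialog independent of the caller's own desktop and session, which is what lets a session-0 service reach the user. Which process ends up hosting the window is best confirmed by observation with the window finder rather than assumed.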

This topic is now closed to further replies.