Windows Exploitation Tricks: Abusing the User-Mode Debugger
See if you can spot the problem with the following code snippet from that function:
The result of this behavior is that, given a process handle, it’s possible to use the debugger to get full access to the process and its initial thread even if the objects wouldn’t grant the caller that access. I would expect the caller to need to have opened suitable process and thread handles before attaching the debugger and to use those to access the target, or, if the kernel has to create new handles, to at least perform an access check on them. The file handle is opened when attaching to the process and uses the following code:
This code is careful to pass to the file open call to ensure it doesn’t give the debugger access to arbitrary files.
Source: googleprojectzero.blogspot.com