Thursday 31 October 2019

windows - Why can I move the executable of a service but not delete it?

I am learning about privilege escalation and dangerous service configurations on Windows.

Here is the thing:

  • A service has a world-writable executable myservice.exe (baaaad idea).
  • The service is running with SYSTEM privileges.
  • When you try to copy/replace myservice.exe while it is running, that will not work. (Permission Denied)
  • However, when you first move the executable and then copy a second (evil) myservice.exe into the folder, Windows will not complain.
  • The next time the service is restarted, the evil myservice.exe is executed.

My question: What process keeps a handle on myservice.exe to prevent me from deleting it? How can that same process allow me to move the file and continue functioning?


I tried to answer those question myself using procmon.exe from the Sysinternals Suite, but so far I found nothing.
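The two things a practitioner would want here are (1) an audit that flags services whose executable, or the directory holding it, is writable by broad groups, since the move-then-copy step in the question needs write access to the folder and not just the file, and (2) a reproduction of the overwrite/delete/rename behaviour on a running image. The PowerShell below is an added example written for this page; it is not code from the question's author. The list of "broad" principals, the rights mask, and the use of a copied notepad.exe as a stand-in for myservice.exe are my own choices and assumptions; the ACL check is deliberately simple (it ignores Deny ACEs and nested group membership) and is meant to produce candidates to confirm with icacls, not a verdict.

```powershell
# Added example, not from the original question.
# Assumes PowerShell 5.1 or later, run as the low-privileged user under test.

# Principals that effectively mean "any local user" (assumption: adjust for your environment).
$BroadPrincipals = @('Everyone', 'BUILTIN\Users',
                     'NT AUTHORITY\Authenticated Users', 'NT AUTHORITY\INTERACTIVE')

# Rights that let a user replace the binary directly (Write/Modify/FullControl) or
# rename it out of the way (Delete), which is enough when the directory is writable.
$WriteMask = [System.Security.AccessControl.FileSystemRights]::Write -bor
             [System.Security.AccessControl.FileSystemRights]::Modify -bor
             [System.Security.AccessControl.FileSystemRights]::FullControl -bor
             [System.Security.AccessControl.FileSystemRights]::Delete

function Get-ServiceImagePath {
    # Strip arguments from a Win32_Service PathName, honouring quotes.
    param([string]$PathName)
    if ([string]::IsNullOrWhiteSpace($PathName)) { return $null }
    if ($PathName -match '^\s*"([^"]+)"') { return $Matches[1] }
    # Unquoted path, possibly containing spaces: take up to the first ".exe".
    if ($PathName -match '^\s*(.+?\.exe)') { return $Matches[1] }
    return ($PathName -split '\s+')[0]
}

function Test-BroadWriteAccess {
    # Returns the first broad principal holding a write-class Allow ACE, else $null.
    param([string]$Path)
    try { $acl = Get-Acl -LiteralPath $Path -ErrorAction Stop } catch { return $null }
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ($BroadPrincipals -notcontains $ace.IdentityReference.Value) { continue }
        if (($ace.FileSystemRights -band $WriteMask) -ne 0) { return $ace.IdentityReference.Value }
    }
    return $null
}

function Find-WritableServiceBinary {
    # Lists services whose image file or containing directory is writable by a broad principal.
    Get-CimInstance Win32_Service | ForEach-Object {
        $exe = Get-ServiceImagePath $_.PathName
        if (-not $exe) { return }
        $exe = [Environment]::ExpandEnvironmentVariables($exe)
        $dir = Split-Path -Parent $exe
        $fileHit = Test-BroadWriteAccess $exe
        $dirHit  = Test-BroadWriteAccess $dir
        if ($fileHit -or $dirHit) {
            [pscustomobject]@{
                Service      = $_.Name
                RunsAs       = $_.StartName
                Image        = $exe
                FileWritable = $fileHit
                DirWritable  = $dirHit
            }
        }
    }
}

function Show-RunningImageBehaviour {
    # Copies notepad.exe into a temp folder as "myservice.exe", runs it, then tries
    # overwrite, delete and rename in that order, reporting which ones Windows refuses.
    $dir = Join-Path $env:TEMP ('svcdemo_' + [guid]::NewGuid().ToString('N'))
    New-Item -ItemType Directory -Path $dir | Out-Null
    $exe = Join-Path $dir 'myservice.exe'
    Copy-Item "$env:SystemRoot\System32\notepad.exe" $exe
    $proc = Start-Process -FilePath $exe -PassThru
    Start-Sleep -Seconds 1
    try {
        try { Copy-Item "$env:SystemRoot\System32\cmd.exe" $exe -Force -ErrorAction Stop
              'overwrite: succeeded (unexpected)' }
        catch { "overwrite: failed - $($_.Exception.Message)" }
        try { Remove-Item $exe -Force -ErrorAction Stop; 'delete: succeeded (unexpected)' }
        catch { "delete: failed - $($_.Exception.Message)" }
        try { Rename-Item $exe 'myservice.exe.old' -ErrorAction Stop; 'rename: succeeded' }
        catch { "rename: failed - $($_.Exception.Message)" }
        # After a successful rename the original name is free for a replacement file.
        "original name free for replacement: $(-not (Test-Path $exe))"
    } finally {
        Stop-Process -Id $proc.Id -Force -ErrorAction SilentlyContinue
        Start-Sleep -Milliseconds 500
        Remove-Item $dir -Recurse -Force -ErrorAction SilentlyContinue
    }
}

Find-WritableServiceBinary | Format-Table -AutoSize
Show-RunningImageBehaviour
```

Read the audit output with the question's scenario in mind: a file that is only Delete-able by Users is still a problem when the directory is writable, because the rename step needs Delete on the file and the drop-in step needs write on the directory. The demonstration starts a visible Notepad window; run it in an interactive session, and expect the overwrite to fail with a sharing violation, the delete with an access-denied error, and the rename to succeed.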
