in Silhouette/Silhouette.cpp [88:132]
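/**
 * Open a kernel handle to the LSASS process and sanity-check its protection level.
 *
 * The PID is read from the LsaPid DWORD under
 * \Registry\Machine\SYSTEM\CurrentControlSet\Control\Lsa into the file-scope
 * gLsaPid, the process is opened with ZwOpenProcess (OBJ_KERNEL_HANDLE, access
 * mask 0) and its EPROCESS is referenced so PsIsProtectedProcessLight can be
 * queried. A non-PPL LSASS only produces a DbgPrintEx warning; the call still
 * succeeds.
 *
 * @param phLsass  Receives the opened kernel handle on success and is set to
 *                 NULL on every failure path. The caller owns the handle and
 *                 must ZwClose it.
 * @return STATUS_SUCCESS, or the NTSTATUS of the first failing step.
 */
static NTSTATUS OpenLSA(HANDLE* phLsass)
{
    const UNICODE_STRING szKeyPath = RTL_CONSTANT_STRING(L"\\Registry\\Machine\\SYSTEM\\CurrentControlSet\\Control\\Lsa");
    const UNICODE_STRING szLsaPid = RTL_CONSTANT_STRING(L"LsaPid");
    NTSTATUS ntStatus = 0;
    CLIENT_ID cid = { 0, };
    OBJECT_ATTRIBUTES objAttr = { 0, };
    PEPROCESS pProcess = NULL;

    // Never return an indeterminate handle: the registry lookup can fail before
    // ZwOpenProcess ever writes to *phLsass.
    *phLsass = NULL;

    // Find LSA PID (stored in the file-scope gLsaPid).
    // NOTE(review): the PID is taken from a registry value and the opened
    // process is not confirmed to be lsass.exe; only its PPL state is checked
    // below, and only as a warning. Verify the image if a stale or tampered
    // value is a concern for callers.
    ntStatus = GetRegistryDword(&szKeyPath, &szLsaPid, &gLsaPid);
    if (!NT_SUCCESS(ntStatus))
    {
        goto Cleanup;
    }

    // Get a handle.
    // NOTE(review): the access mask is 0. ObReferenceObjectByHandle at
    // KernelMode does not access-check, but a caller that passes this handle
    // to Zw* APIs would need real rights — confirm against the call sites.
    cid = { ULongToHandle(gLsaPid), NULL };
    InitializeObjectAttributes(&objAttr, NULL, OBJ_KERNEL_HANDLE, NULL, NULL);
    ntStatus = ZwOpenProcess(phLsass, 0, &objAttr, &cid);
    if (!NT_SUCCESS(ntStatus))
    {
        goto Cleanup;
    }

    ntStatus = ObReferenceObjectByHandle(*phLsass, 0, *PsProcessType, KernelMode, (PVOID*)&pProcess, NULL);
    if (!NT_SUCCESS(ntStatus))
    {
        // The handle was already opened; a caller that treats a failed return
        // as "nothing to close" would otherwise leak it.
        ZwClose(*phLsass);
        *phLsass = NULL;
        goto Cleanup;
    }

    // Warn (do not fail) when LSASS is not running as a protected process.
    if (!PsIsProtectedProcessLight(pProcess))
    {
        DbgPrintEx(DPFLTR_IHVDRIVER_ID, DPFLTR_ERROR_LEVEL,
            "Silhouette: LSASS is not RunAsPPL! Besides making it vulnerable to a variety of virtual memory-based attacks attacks, "
            "it greatly increases the chance of page faults due to benign VM accesses from APIs such as EnumProcessModules().\n");
    }

Cleanup:
    // Project helper; presumably drops the EPROCESS reference and tolerates
    // NULL, since the early-exit paths reach it with pProcess unset.
    ReferenceDelete(pProcess);
    return ntStatus;
}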