Attacking User Mode

Posted by The Beyand | 3:24 AM

As illustrated in Figure 2-1, attacking the kernel is equivalent to attacking the walls of the Windows castle. Most attacks against the operating system have historically taken a more obvious and potentially easier route, via the doors and windows.

User mode code serves effectively as the door and window into resources and data on the system. Obviously, this code must be able to access resources and data, or the operating system would offer a pretty poor user experience. Thus, if you can authenticate to Windows as an authorized user, you will have access to all the resources and data relevant to that user. Furthermore, if you are lucky enough to authenticate as an administrative user, you will likely have access to the resources and data for all the users on the system. The access control gatekeeper for user mode data and resources is the Local Security Authority (LSA), a protected subsystem that works across user and kernel mode to authenticate users, authorize access to resources, enforce security policy, and manage security audit events.

Assuming compromise via the kernel has been avoided, the LSA subsystem is the primary security gateway into Windows. The rest of this chapter will focus on how it validates access to objects, checks user privileges, and generates audit messages. Unless otherwise noted, all discussion will assume user mode scenarios.
