Full Report
In my previous blog post I mentioned the GetProcessHandleFromHwnd API. This was an API I didn’t know existed until I found a publicly disclosed UAC bypass using the Quick Assist UI Access application. This API looked interesting so I thought I should take a closer look. I typically start by reading the documentation for an API I don’t know about, assuming it’s documented at all. It can give you an idea of how long the API has existed as well as its security properties. The documentation’s remarks contain the following three statements that I thought were interesting:

> If the caller has UIAccess, however, they can use a windows hook to inject code into the target process, and from within the target process, send a handle back to the caller.
>
> GetProcessHandleFromHwnd is a convenience function that uses this technique to obtain the handle of the process that owns the specified HWND.
>
> Note that it only succeeds in cases where the caller and target process are running as the same user.
Analysis Summary
# Tool/Technique: GetProcessHandleFromHwnd API Investigation
## Overview
The focus is on the analysis of the lesser-known (though documented) Windows API function `GetProcessHandleFromHwnd`. This function is designed to obtain a handle to the process that owns a specified window handle (HWND). Its implementation and behavior have evolved across Windows versions, revealing security bypass potential, particularly in relation to User Interface Privilege Isolation (UIPI) and User Account Control (UAC) elevation mechanisms.
## Technical Details
- Type: Technique (Leveraging a specific Windows API function)
- Platform: Microsoft Windows (Versions Vista through recent Windows 11 builds analyzed)
- Capabilities: Allows a calling process to obtain a handle to a target process based on a known HWND, utilizing either a kernel-mode implementation or a legacy user-mode hook injection mechanism.
- First Seen: Function implementation details suggest existence since at least Windows Vista (documented support claimed for XP, later discredited by analysis).
## MITRE ATT&CK Mapping
- T1548 - Privilege Escalation
- T1548.002 - Bypass User Account Control (UAC)
*(Note: The context specifically mentions its use in a publicly disclosed UAC bypass.)*
- T1055 - Process Injection
- T1055.004 - DLL Injection (Relevant to the older hook-based method)
## Functionality
### Core Capabilities
- **Handle Retrieval:** The primary function is to return a handle to the process owning a given HWND.
- **Evolution of Implementation:**
- **Vista:** The initial implementation was a user-mode technique: a Windows hook (`SetWindowsHookEx`) loaded `oleacc.dll` into the target, and the caller then sent a custom window message (`WM_OLEACC_HOOK`). On receiving the message, the target process duplicated a handle to itself (with limited rights) and passed it back to the caller via shared memory.
- **Windows 7+:** The hook function was moved to a separate DLL (`oleacchooks.dll`, exported via ordinal 1).
- **Modern Windows 11:** The function is implemented as a Win32k kernel function that attempts to open the process handle directly.
- **Access Rights:** When successful (especially against protected processes like `WerFaultSecure.exe` following window enumeration), the function can return a handle with access rights including `PROCESS_DUP_HANDLE`, `PROCESS_VM_OPERATION`, `PROCESS_VM_READ`, `PROCESS_VM_WRITE`, and `PROCESS_QUERY_LIMITED_INFORMATION`.
### Advanced Features
- **UAC Bypass Vector:** The historical hook mechanism, combined with UI Access properties, formed the basis for exploits that could elevate privileges (though documentation claims about UI Access requirements were found to be partially inaccurate or outdated).
- **Protected Process Exploitation:** The modern kernel implementation bypasses legacy UAC/UIPI checks sufficiently to leak process handles to non-protected code, allowing for memory modification (writing shellcode and redirecting execution flow) within protected processes, though direct handle duplication might be blocked by PPL checks.
- **Handle Duplication Logic (Legacy):** The older approach relied on the target process executing code to duplicate the handle to the caller via shared memory, a process constrained when users/integrity levels differ significantly (e.g., failure to open the caller with `PROCESS_DUP_HANDLE`).
## Indicators of Compromise
- File Hashes: N/A (Refers to legitimate OS functions/DLLs: `oleacc.dll`, `oleacchooks.dll`, `WerFaultSecure.exe`)
- File Names: `oleacc.dll`, `oleacchooks.dll`, `WerFaultSecure.exe`
- Registry Keys: N/A
- Network Indicators: N/A
- Behavioral Indicators:
- Use of `SetWindowsHookEx` followed by sending a custom message (`WM_OLEACC_HOOK`) targeting a specific process's thread.
- Accessing named shared memory sections (`OLEACC_HOOK_SHMEM_*`).
- Calls to `GetProcessHandleFromHwnd` resulting in handles with elevated access rights being returned to low-integrity callers.
## Associated Threat Actors
Specific threat actor attribution is not provided in the context, but the technique is associated with published **UAC bypass proofs-of-concept (PoCs)**, such as one using the Quick Assist UI Access application and a separate PPL window PoC.
## Detection Methods
- Signature-based detection: Not applicable for detecting the legitimate API usage itself.
- Behavioral detection: Monitoring for the sequence of API calls related to hook establishment and custom inter-process communication (IPC) leveraging `WM_OLEACC_HOOK`. Specifically, monitoring for low-integrity processes receiving process handles with unexpected access rights via IPC mechanisms associated with `GetProcessHandleFromHwnd`.
- YARA rules: Not provided.
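As an added example (not from the original post or either PoC), the behavioural indicators and detection method above expressed as correlation logic in Python over constructed telemetry events. The event schema, the integrity levels treated as untrusted callers, and the set of access rights treated as dangerous are assumptions made for this example; map them onto whatever your EDR or ETW pipeline actually emits.

```python
# Correlation logic for the two indicator patterns (assumed event schema, not real telemetry).
from collections import defaultdict

# Access rights that let a caller modify the target or pull handles out of it.
DANGEROUS_ACCESS = {"PROCESS_VM_WRITE", "PROCESS_VM_OPERATION", "PROCESS_DUP_HANDLE"}
# Integrity levels UIPI is meant to keep away from higher-IL windows (assumed threshold).
UNTRUSTED_IL = {"Low", "Medium"}

# Constructed sample events: one full hook chain from a low-IL caller, one handle leak,
# and two benign lookalikes (a lone hook; an elevated caller with a harmless right).
EVENTS = [
    {"pid": 4120, "il": "Low", "ev": "SetWindowsHookEx", "tid": 5000},
    {"pid": 4120, "il": "Low", "ev": "SendMessage", "tid": 5000, "msg": "WM_OLEACC_HOOK"},
    {"pid": 4120, "il": "Low", "ev": "OpenSection", "name": "OLEACC_HOOK_SHMEM_4120"},
    {"pid": 4120, "il": "Low", "ev": "HandleReturned", "api": "GetProcessHandleFromHwnd",
     "target": 6000, "access": ["PROCESS_VM_WRITE", "PROCESS_QUERY_LIMITED_INFORMATION"]},
    {"pid": 7788, "il": "Medium", "ev": "SetWindowsHookEx", "tid": 9100},
    {"pid": 2210, "il": "High", "ev": "HandleReturned", "api": "GetProcessHandleFromHwnd",
     "target": 6000, "access": ["PROCESS_QUERY_LIMITED_INFORMATION"]},
]

def detect(events):
    """Return alert strings; events are processed in arrival order."""
    alerts = []
    stage = defaultdict(int)  # pid -> progress through hook -> message -> section chain
    hook_tid = {}             # pid -> thread the hook was installed on
    for e in events:
        pid, ev = e["pid"], e["ev"]
        if ev == "SetWindowsHookEx":
            stage[pid], hook_tid[pid] = 1, e["tid"]
        elif ev == "SendMessage" and e.get("msg") == "WM_OLEACC_HOOK":
            # Count the message only if it goes to the thread this pid hooked.
            if stage[pid] == 1 and hook_tid.get(pid) == e["tid"]:
                stage[pid] = 2
        elif ev == "OpenSection" and e.get("name", "").startswith("OLEACC_HOOK_SHMEM_"):
            if stage[pid] == 2:
                stage[pid] = 3
                alerts.append(f"pid {pid}: oleacc hook chain (hook -> WM_OLEACC_HOOK -> shmem)")
        elif ev == "HandleReturned" and e.get("api") == "GetProcessHandleFromHwnd":
            bad = DANGEROUS_ACCESS & set(e.get("access", []))
            if e["il"] in UNTRUSTED_IL and bad:
                alerts.append(f"pid {pid} ({e['il']} IL): handle to {e['target']} "
                              f"with {sorted(bad)}")
    return alerts

if __name__ == "__main__":
    for alert in detect(EVENTS):
        print(alert)
```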
## Mitigation Strategies
- **Patching/OS Updates:** Relying on Microsoft's fixes (mentioned as addressed in Windows 11 24H2 and general UIPI hardening).
- **UIPI & Integrity Enforcement:** Strong enforcement of UIPI rules (where applicable) and ensuring that system processes handling privileged operations are not susceptible to manipulation via simple HWND enumeration.
- **Application Hardening:** Protecting system binaries like Windows Error Reporting components (`WerFaultSecure.exe`) from unexpected handle acquisition.
## Related Tools/Techniques
- Quick Assist UI Access application (used in the initial UAC bypass discovery).
- `SetWindowsHookEx` API (Used in the legacy implementation).
- Process Handle Manipulation / Token Impersonation (General privilege escalation themes).