Some days ago, while we were doing some of our research, we
discovered a strange IE 7 behavior or "feature". We were trying to execute a
renamed IE 7 executable, but we noticed that it was always ended without any
system notification. After a basic debugging session of IE7, we discovered
the code responsible for this action is inside ieframe.dll for
Windows XP and iertutil.dll for Windows Vista (ieframe.dll in Vista has also some code to "detect" it).
This code
tries to match the executable name against some hardcoded values:
iexplore.exe, explorer.exe and ieuser.exe (in XP) and iexplore.exe, ieuser.exe,
ieinstall.exe and iedw.exe (in Vista). If the name doesn't match, the process
will be killed. What’s the reason for this "feature"? After some research, we
noticed this could be a feature derived from the inclusion of Protected Mode
for Internet Explorer in Windows Vista:
"In Microsoft Windows Vista,
Microsoft Internet Explorer 7 runs in Protected Mode, which helps
protect users from attack by running the Internet Explorer process with
greatly restricted privileges
[…]While most Internet Explorer 7
security features will be available in Internet Explorer 7 for Windows
XP Service Pack 2, Protected Mode is only available on Windows Vista because
it is based on security features new to Windows Vista.
[…]Two
higher privilege broker processes allow Internet Explorer and extensions to
perform elevated operations given user consent. For example, the user
privilege broker (IEUser.exe) process provides a set of functions that let
the user saves files to areas outside of low integrity areas. In addition, an
administrator privilege broker (IEInstal.exe) process allows Internet
Explorer to install ActiveX controls.
"
The system tries to verify if
this is a Browser Process to provide it with the privileges needed to browse
the Web. You can read more about this feature here . A few days ago, I read a post of Joanna Rutkowska (here) about Windows Vista User Account Control (UAC). In this post, she explains some methods that Vista uses to recognize installer executables. One of these is to match the filename against keywords like "install," "setup," "update," etc. MS is using the same method to recognize if a process belongs to Internet Explorer processes. Is this the right method?