|Informative Information for the Uninformed|
In Phrack 55, Greg Hoglund described the benefits of patching nt!SeAccessCheck so that it never returns access denied. This has the effect of causing access checks on securable objects to always grant access, regardless of whether or not the access would normally be granted. As a result, non-privileged users can directly access otherwise privileged resources. This simple modification does not directly make it possible to execute privileged code, but it does indirectly facilitate it by allowing non-privileged users to interact with and modify system processes.
Category: Type I
Origin: Greg Hoglund was the first person to publicly identify this technique, in September 1999.
Capabilities: Access to restricted resources.
Covertness: Like function prologue overwrites, the nt!SeAccessCheck patch can be detected through differences between the mapped image of ntoskrnl.exe and the on-disk version.
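The detection approach above (diffing the mapped kernel image against the on-disk file) has one caveat a practitioner needs to handle: the loader legitimately rewrites absolute addresses through base relocations, so a naive byte compare of ntoskrnl.exe reports every relocated operand as "modified". The following is an added example, not code from the paper or its authors, that models the check in Python: it applies the HIGHLOW relocations to the on-disk section first, then reports only the byte runs the loader cannot account for. The section bytes, relocation list and image bases are all constructed sample data; a real implementation would read the mapped image from kernel memory or a memory dump and parse the PE `.reloc` section.

```python
"""Flag in-memory code patches by comparing a mapped section against its
on-disk copy, after applying base relocations so that legitimate loader
fix-ups are not reported as tampering.

All bytes, RVAs and bases below are constructed sample data, not ntoskrnl.exe."""
import struct

SECTION_RVA = 0x1000        # RVA of the constructed .text section
DISK_BASE = 0x00400000      # ImageBase recorded in the constructed on-disk header
LOAD_BASE = 0x80400000      # base the loader actually mapped the image at

# Constructed on-disk .text bytes for one small x86 function:
#   push ebp; mov ebp,esp; mov eax,[0x00402000]; test eax,eax;
#   jne +2; xor eax,eax; pop ebp; ret; int3 padding
DISK_TEXT = bytes([
    0x55, 0x8B, 0xEC,
    0xA1, 0x00, 0x20, 0x40, 0x00,
    0x85, 0xC0,
    0x75, 0x02,
    0x33, 0xC0,
    0x5D, 0xC3,
]) + b"\xCC" * 16

# Constructed relocation entries (HIGHLOW: 32-bit absolute address); the
# operand of "mov eax,[...]" sits at RVA 0x1004.
RELOCS = [0x1004]


def apply_relocations(section, section_rva, relocs, disk_base, load_base):
    """Return the section as the loader would produce it at load_base."""
    out = bytearray(section)
    delta = (load_base - disk_base) & 0xFFFFFFFF
    for rva in relocs:
        off = rva - section_rva
        if 0 <= off <= len(out) - 4:
            value = struct.unpack_from("<I", out, off)[0]
            struct.pack_into("<I", out, off, (value + delta) & 0xFFFFFFFF)
    return bytes(out)


def diff_ranges(expected, actual, section_rva):
    """List (rva, length) runs where actual differs from expected."""
    if len(expected) != len(actual):
        raise ValueError("section sizes differ")
    ranges = []
    start = None
    for i, (a, b) in enumerate(zip(expected, actual)):
        if a != b:
            if start is None:
                start = i
        elif start is not None:
            ranges.append((section_rva + start, i - start))
            start = None
    if start is not None:
        ranges.append((section_rva + start, len(expected) - start))
    return ranges


def find_patches(disk_section, mapped_section, section_rva, relocs, disk_base, load_base):
    """Report byte runs in the mapped section that relocation cannot explain."""
    expected = apply_relocations(disk_section, section_rva, relocs, disk_base, load_base)
    return diff_ranges(expected, mapped_section, section_rva)


def build_mapped_text():
    """Simulate the mapped copy: relocated by the loader, then tampered with.
    The constructed tampering replaces the conditional 'jne' with two NOPs so
    the function can no longer take its failure path, a stand-in for a patch
    that forces a check to always succeed."""
    mapped = bytearray(apply_relocations(DISK_TEXT, SECTION_RVA, RELOCS,
                                         DISK_BASE, LOAD_BASE))
    mapped[10:12] = b"\x90\x90"
    return bytes(mapped)


if __name__ == "__main__":
    mapped = build_mapped_text()
    print("naive diff  :", [(hex(r), n) for r, n in
                            diff_ranges(DISK_TEXT, mapped, SECTION_RVA)])
    print("after relocs:", [(hex(r), n) for r, n in
                            find_patches(DISK_TEXT, mapped, SECTION_RVA,
                                         RELOCS, DISK_BASE, LOAD_BASE)])
```

Running it shows the naive compare flagging both the relocated operand byte at RVA 0x1007 and the patched bytes at 0x100A, while the relocation-aware check reports only the two-byte patch. The same structure carries over to a real scan: the expected image is the on-disk file relocated to the observed load address, and anything left in the diff of a code section is worth investigating.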