Disabling SeAccessCheck

In Phrack 55, Greg Hoglund described the benefits of patching nt!SeAccessCheck so that it never returns access denied[19]. This has the effect of causing access checks on securable objects to always grant access, regardless of whether or not the access would normally be granted. As a result, non-privileged users can directly access otherwise privileged resources. This simple modification does not directly make it possible to execute privileged code, but it does indirectly facilitate it by allowing non-privileged users to interact with and modify system processes.

Category: Type I

Origin: Greg Hoglund was the first person to publicly identify this technique in September, 1999[19].

Capabilities: Access to restricted resources.

Covertness: Like function prologue overwrites, the nt!SeAccessCheck patch can be detected through differences between the mapped image of ntoskrnl.exe and the on-disk version.