If you thought the world of PE files could not get any more confusing, I have some news for you: some PE files can be enlightened.
I came across enlightened files while looking at Windows 10 binaries; what caught my attention was this resource inside the Windows 10 Notepad:
I had never seen it before, so a quick Google search followed. Despite the fact that this particular resource type/name is not a topic that has been discussed much on the internet, I quickly discovered this presentation from 2016.
On slide 37 it states:
Declare your app enlightened (Win32)
Add these entries to resources.rc
MICROSOFTEDPENLIGHTENEDAPPINFO EDPENLIGHTENEDAPPINFOID
BEGIN
    0x0001
END
MICROSOFTEDPPERMISSIVEAPPINFO EDPPERMISSIVEAPPINFOID
BEGIN
    0x0001
END
A-ha!
Okay.
But what does it do/mean?
It turns out this is part of the Windows Information Protection (WIP) initiative, which focuses on supporting application management within the enterprise and covers both mobile and desktop devices. It enforces certain privacy rules on applications, including data access and transfer between managed and unmanaged apps. Enterprise-enlightened apps are those that follow strict policies and protect data by design. They are able to distinguish between personal and company data and protect it (or not) accordingly. From what I understand so far, in the proposed model the data is tagged and its use is guarded by policies associated with those tags. This is actually pretty cool. Apps can then get native support from the OS that enforces certain rules, e.g. blocking screen capture, the clipboard and any other form of data exchange.
There is more information here. The article actually puts Notepad on the list of enlightened Microsoft apps.
So, if you see these resources it simply means that the program was designed with WIP in mind. I am still wondering how this can be verified (since anyone can add these resources at compilation time, right?). Also, from what I have read about WIP: 'Unenlightened apps, when marked as corporate-managed, consider all data corporate and encrypt everything by default.' This is pretty interesting if the encryption is 'by default'. I wonder how it will affect malware behavior and artifacts (it is not perfectly clear how the encryption is applied and at what level; will e.g. keylog files written by an unenlightened app (e.g. malicious code injected into Notepad) be somehow encrypted? Will registry data be encrypted?).
If anyone has experimented with this, and/or researched it more in-depth, I'd appreciate a follow-up.
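As an added example (not from the original post or the slides it quotes), here is a stdlib-only Python check that walks a PE's resource directory and reports whether either of the two marker resource types from the slide is declared; the helper function names and the constructed sample directory are my own.

```python
import struct

# The two resource type names the slide says an enlightened/permissive app adds to its .rc file.
WIP_MARKERS = {"MICROSOFTEDPENLIGHTENEDAPPINFO", "MICROSOFTEDPPERMISSIVEAPPINFO"}

def named_resource_types(rsrc):
    """String-named entries at the root (type) level of an IMAGE_RESOURCE_DIRECTORY; offsets are relative to its start."""
    n_named = struct.unpack_from("<H", rsrc, 12)[0]  # NumberOfNamedEntries
    names = []
    for i in range(n_named):
        name_field = struct.unpack_from("<I", rsrc, 16 + 8 * i)[0]
        if name_field & 0x80000000:  # high bit set: offset to IMAGE_RESOURCE_DIR_STRING_U, not a numeric ID
            off = name_field & 0x7FFFFFFF
            length = struct.unpack_from("<H", rsrc, off)[0]  # length in UTF-16 code units
            names.append(rsrc[off + 2:off + 2 + 2 * length].decode("utf-16-le"))
    return names

def wip_markers_in_pe(pe_bytes):
    """Locate the resource directory via the optional header's data directory and return the WIP marker types present."""
    e_lfanew = struct.unpack_from("<I", pe_bytes, 0x3C)[0]
    if pe_bytes[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file")
    coff = e_lfanew + 4
    n_sections, opt_size = struct.unpack_from("<H", pe_bytes, coff + 2)[0], struct.unpack_from("<H", pe_bytes, coff + 16)[0]
    opt = coff + 20
    magic = struct.unpack_from("<H", pe_bytes, opt)[0]
    # Data directories start at +96 (PE32, magic 0x10B) or +112 (PE32+); resources are entry 2 (16 bytes in).
    rsrc_rva, rsrc_size = struct.unpack_from("<II", pe_bytes, opt + (96 if magic == 0x10B else 112) + 16)
    if rsrc_rva == 0:
        return []
    for i in range(n_sections):  # map the RVA to a file offset through the section table
        vaddr, raw_size, raw_ptr = struct.unpack_from("<III", pe_bytes, opt + opt_size + 40 * i + 12)
        if vaddr <= rsrc_rva < vaddr + raw_size:
            start = raw_ptr + (rsrc_rva - vaddr)
            return sorted(WIP_MARKERS & set(named_resource_types(pe_bytes[start:start + rsrc_size])))
    return []

def build_sample_rsrc():
    """Constructed test input: a root directory with one named type (string at offset 32) and one ID type."""
    name = "MICROSOFTEDPENLIGHTENEDAPPINFO".encode("utf-16-le")
    header = struct.pack("<IIHHHH", 0, 0, 0, 0, 1, 1)          # 1 named entry, 1 ID entry
    entries = struct.pack("<II", 0x80000000 | 32, 0x80000000 | 64)  # named entry pointing at a subdirectory
    entries += struct.pack("<II", 16, 0x80000000 | 64)             # RT_VERSION (16) by ID
    return header + entries + struct.pack("<H", len(name) // 2) + name

if __name__ == "__main__":
    import sys
    with open(sys.argv[1], "rb") as f:
        print(wip_markers_in_pe(f.read()) or "no WIP marker resources")
```

Finding the marker only tells you the resource was compiled in; it says nothing about whether the code actually handles tagged data correctly.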