I have presented that files open in an exclusive mode can be illegally accessed without any security reaction. After that, I’ve presented my MemoryRanger, which can prevent such unauthorized memory access. All the details are here - https://igorkorkin.blogspot.com/2019/04/memoryranger-prevents-hijacking.html

1. Igor Korkin
2019 ADFSL Conference
MemoryRanger Prevents Hijacking
FILE_OBJECT structures in Windows Kernel

2. WHOAMI
▪MEPhI Alumni, PhD in Cyber Security
▪ Area of interest is Windows Kernel security:
▪ Memory Forensics
▪ Rootkits Detection
▪ Bare-Metal Hypervisors
▪ Fan of cross-disciplinary research - igorkorkin.blogspot.com
▪ Love traveling and powerlifting - igor.korkin

3. AGENDA
▪
▪
▪

4. AGENDA
▪ FILE_OBJECT hijacking: details and demo
▪
▪

5. AGENDA
▪ FILE_OBJECT hijacking: details and demo
▪ A history of related OS components and memory protection issues
▪

6. AGENDA
▪ FILE_OBJECT hijacking: details and demo
▪ A history of related OS components and memory protection issues
▪MemoryRanger hypervisor protects sensitive kernel memory

7. AGENDA
▪ FILE_OBJECT hijacking: details and demo
▪ A history of related OS components and memory protection issues
▪MemoryRanger hypervisor protects sensitive kernel memory

8. File Manager in Kernel Mode

10. NTSTATUS ZwCreateFile(..., ShareAccess, ...);
ZWCREATEFILE ROUTINE

11. NTSTATUS ZwCreateFile(..., ShareAccess, ...);
ZWCREATEFILE ROUTINE
– ShareAccess flag determines whether other
drivers can access the opened file.
– Calling ZwCreateFile with ShareAccess=0
gives the caller exclusive access to the file.
ShareAccess

13. vs.
The Boss s Driver
ZwCreateFile( budget.txt
ShareAccess=0)
budget.txt
exclusive
mode
The Attacker s Driver

14. vs.
The Boss s Driver
ZwCreateFile( budget.txt
ShareAccess=0)
budget.txt
exclusive
mode
The Attacker s Driver

15. FILE SYSTEM ROUTINES IN WINDOWS KERNEL
ZwCreateFile( budget.txt
ShareAccess=0)
budget.txt
OS kernel
components
?

16. FILE SYSTEM ROUTINES IN WINDOWS KERNEL
I/O Manager
ZwCreateFile( budget.txt
ShareAccess=0)
budget.txt
OS kernel
components

17. FILE SYSTEM ROUTINES IN WINDOWS KERNEL
I/O Manager
Object Manager
ZwCreateFile( budget.txt
ShareAccess=0)
budget.txt
OS kernel
components

18. FILE SYSTEM ROUTINES IN WINDOWS KERNEL
I/O Manager
Object Manager
Security Reference Monitor
ZwCreateFile( budget.txt
ShareAccess=0)
budget.txt
OS kernel
components

19. FILE SYSTEM ROUTINES IN WINDOWS KERNEL
I/O Manager
Object Manager
Security Reference Monitor
ZwCreateFile( budget.txt
ShareAccess=0)
budget.txt
File System Drivers
OS kernel
components

20. FILE SYSTEM ROUTINES IN WINDOWS KERNEL
Access
control list
?
I/O Manager
Object Manager
Security Reference Monitor
ZwCreateFile( budget.txt
ShareAccess=0)
budget.txt
File System Drivers
OS kernel
components

21. FILE SYSTEM ROUTINES IN WINDOWS KERNEL
I/O Manager
Object Manager
Security Reference Monitor
ZwCreateFile( budget.txt
ShareAccess=0)
budget.txt
File System Drivers
ZwCreateFile( hijacker.txt

22. FILE SYSTEM ROUTINES IN WINDOWS KERNEL
I/O Manager
Object Manager
Security Reference Monitor
ZwCreateFile( budget.txt
ShareAccess=0)
budget.txt
File System Drivers
ZwCreateFile( hijacker.txt
STATUS SHARING
VIOLATION
Code=0xC0000043

23. FILE SYSTEM ROUTINES IN WINDOWS KERNEL
I/O Manager
Object Manager
Security Reference Monitor
ZwCreateFile( budget.txt
ShareAccess=0)
budget.txt
File System Drivers
FILE_OBJECT
File Handle

24. FILE SYSTEM ROUTINES IN WINDOWS KERNEL
I/O Manager
Object Manager
Security Reference Monitor
ZwReadFile( )
ZwWriteFile( )
ZwCreateFile( budget.txt
ShareAccess=0)
budget.txt
File System Drivers
FILE_OBJECT
File Handle
File Handle
File Handle

25. FILE SYSTEM ROUTINES IN WINDOWS KERNEL
I/O Manager
Object Manager
Security Reference Monitor
ZwReadFile( )
ZwWriteFile( )
ZwCreateFile( budget.txt
ShareAccess=0) Hey! I m a hacker-attacker!
budget.txt
File System Drivers
FILE_OBJECT
File Handle
File Handle
File Handle

26. FILE SYSTEM ROUTINES IN WINDOWS KERNEL
I/O Manager
Object Manager
Security Reference Monitor
ZwReadFile( )
ZwWriteFile( )
ZwCreateFile( budget.txt
ShareAccess=0) ZwCreateFile( hijacker.txt
budget.txt hijacker.txt
File System Drivers
File Handle
FILE_OBJECTFILE_OBJECT
File Handle
File Handle
File Handle
1.Create a file

27. FILE SYSTEM ROUTINES IN WINDOWS KERNEL
I/O Manager
Object Manager
Security Reference Monitor
ZwReadFile( )
ZwWriteFile( )
ZwCreateFile( budget.txt
ShareAccess=0)
budget.txt hijacker.txt
File System Drivers
File Handle
FILE_OBJECTFILE_OBJECT
File Handle
File Handle
File Handle FILE_OBJECT Hijacking
2.Copy

28. FILE SYSTEM ROUTINES IN WINDOWS KERNEL
I/O Manager
Object Manager
Security Reference Monitor
ZwReadFile( )
ZwWriteFile( )
ZwCreateFile( budget.txt
ShareAccess=0)
ZwReadFile( )
ZwWriteFile( )
budget.txt hijacker.txt
File System Drivers
File Handle
FILE_OBJECTFILE_OBJECT
File Handle
File Handle
File Handle
FILE_OBJECT
File Handle
File Handle

29. JUST 4 CRUCIAL FIELDS FOR FILES HIJACKING
typedef struct _FILE_OBJECT {
…
PVPB Vpb;
PVOID FsContext;
PVOID FsContext2;
PSECTION_OBJECT_POINTERS SectionObjectPointer;
…
} FILE_OBJECT;
• The Vpb field points to a mounted Volume Parameter Block (VPB), associated with the target device object.
• FsContext points to the FSRTL_COMMON_FCB_HEADER structure, which has to be allocated by the file driver.
• FsContext2 field refers to the Context Control Block (CBB) associated with the file object
• SectionObjectPointer stores file-mapping and caching-related information for a file stream.

30. THE ATTACK
Kernel
mode
User
mode
Hard
Disk
Driver
ZwCreateFile()
•ShareAccess=0
budget.txt
FILE_OBJECT
Driver
open_by_hijacking
hijacker.txt
OS Components
Attempt 2: The Hijacking Attack
FILE_OBJECT
The Boss Attacker
Driver
ZwCreateFile()
•ShareAccess=0
budget.txt
FILE_OBJECT
Driver
ZwCreateFile()
OS Components
Attempt 1: The Legal Access
FILE_OBJECT
The Boss Attacker
access
violation

31. THE ATTACK
Kernel
mode
User
mode
Hard
Disk
Driver
ZwCreateFile()
•ShareAccess=0
budget.txt
FILE_OBJECT
Driver
open_by_hijacking
hijacker.txt
OS Components
Attempt 2: The Hijacking Attack
FILE_OBJECT
The Boss Attacker
Driver
ZwCreateFile()
•ShareAccess=0
budget.txt
FILE_OBJECT
Driver
ZwCreateFile()
OS Components
Attempt 1: The Legal Access
FILE_OBJECT
The Boss Attacker
access
violation

32. DEMO: THE ATTACK
The online version is here –
https://www.youtube.com/watch?v=2mU85RluOSA?vq=hd1080

33. ▪ All Windows OSes since NT 4.0 are vulnerable for FILE_OBJECT hijacking:
THE ANALYSIS OF THE ATTACK

34. ▪ All Windows OSes since NT 4.0 are vulnerable for FILE_OBJECT hijacking:
▪1993 - the first mention of Object Manager
and Security Reference Monitor
THE ANALYSIS OF THE ATTACK
Windows NT:The Next Generation
by Len Feldman, March 1, 1993

35. ▪ All Windows OSes since NT 4.0 are vulnerable for FILE_OBJECT hijacking:
▪1993 - the first mention of Object Manager and Security Reference Monitor
▪1965 – the first memory isolation concept Multics*
was developed for General Electric 645 mainframe.
Multics joined to the ARPANet and gave rise to the Unix.
THE ANALYSIS OF THE ATTACK
Fernando
Corbato
Victor
Vyssotsky
Two Fathers of Multics
*DOI: http://dx.doi.org/10.1145/1463891.1463912

36. THE FILE_OBJECT PROTECTION VIA ENCRYPTION
FILE_OBJECT
Boss s Driver Attacker s Driver
FILE_OBJECT

37. THE FILE_OBJECT PROTECTION VIA ENCRYPTION
FILE_OBJECT
Boss s Driver Attacker s Driver
FILE_OBJECT

38. THE FILE_OBJECT PROTECTION VIA ENCRYPTION
FILE_OBJECT
Boss s Driver Attacker s Driver
FILE_OBJECT
1. Encrypt the FILE_OBJECT
2.
3.
4.
5.

39. THE FILE_OBJECT PROTECTION VIA ENCRYPTION
FILE_OBJECT
Boss s Driver Attacker s Driver
FILE_OBJECT
1. Encrypt the FILE_OBJECT
2. Trap legal access
3.
4.
5.

40. THE FILE_OBJECT PROTECTION VIA ENCRYPTION
FILE_OBJECT
Boss s Driver Attacker s Driver
FILE_OBJECT
1. Encrypt the FILE_OBJECT
2. Trap legal access
3. Decrypt the FILE_OBJECT
4.
5.

41. THE FILE_OBJECT PROTECTION VIA ENCRYPTION
FILE_OBJECT
Boss s Driver Attacker s Driver
FILE_OBJECT
1. Encrypt the FILE_OBJECT
2. Trap legal access
3. Decrypt the FILE_OBJECT
4. Wait to complete file operation
5.

42. THE FILE_OBJECT PROTECTION VIA ENCRYPTION
FILE_OBJECT
Boss s Driver Attacker s Driver
FILE_OBJECT
1. Encrypt the FILE_OBJECT
2. Trap legal access
3. Decrypt the FILE_OBJECT
4. Wait to complete file operation
5. Go to step 1

43. 1. Encrypt the FILE_OBJECT
2. Trap legal access
3. Decrypt the FILE_OBJECT
4. Wait file operation completion
5. Go to step 1
1. Encrypt the FILE_OBJECT
2. Trap legal access
3. Decrypt the FILE_OBJECT
4. Wait file operation completion
5. Go to step 1
1. Encrypt the FILE_OBJECT
2. Trap legal access
3. Decrypt the FILE_OBJECT
4. Wait file operation completion
5. Go to step 1
THE FILE_OBJECT PROTECTION VIA ENCRYPTION
FILE_OBJECT
Boss s Driver Attacker s Driver
FILE_OBJECT
1. Encrypt the FILE_OBJECT
2. Trap legal access
3. Decrypt the FILE_OBJECT
4. Wait file operation completion
5. Go to step 1
1. Encrypt the FILE_OBJECT
2. Trap legal access
3. Decrypt the FILE_OBJECT
4. Wait to complete file operation
5. Go to step 1

44. 1. Encrypt the FILE_OBJECT
2. Trap legal access
3. Decrypt the FILE_OBJECT
4. Wait file operation completion
5. Go to step 1
1. Encrypt the FILE_OBJECT
2. Trap legal access
3. Decrypt the FILE_OBJECT
4. Wait file operation completion
5. Go to step 1
1. Encrypt the FILE_OBJECT
2. Trap legal access
3. Decrypt the FILE_OBJECT
4. Wait file operation completion
5. Go to step 1
THE FILE_OBJECT PROTECTION VIA ENCRYPTION
FILE_OBJECT
Boss s Driver Attacker s Driver
FILE_OBJECT
1. Encrypt the FILE_OBJECT
2. Trap legal access
3. Decrypt the FILE_OBJECT
4. Wait file operation completion
5. Go to step 1
1. Encrypt the FILE_OBJECT
2. Trap legal access
3. Decrypt the FILE_OBJECT
4. Wait to complete file operation
5. Go to step 1

45. WINDOWS KERNEL MEMORY
OS Kernel Code
OS Kernel Structures FILE_OBJECT
Boss s Driver Attacker s Driver
FILE_OBJECT

46. WINDOWS KERNEL MEMORY
OS Kernel Code
OS Kernel Structures FILE_OBJECT
Boss s Driver Attacker s Driver
FILE_OBJECT

47. WINDOWS KERNEL MEMORY
OS Kernel Code
OS Kernel Structures FILE_OBJECT
Boss s Driver Attacker s Driver
FILE_OBJECT

48. WINDOWS KERNEL MEMORY
OS Kernel Code
OS Kernel Structures FILE_OBJECT
Boss s Driver Attacker s Driver
FILE_OBJECT

49. PROCESSING MEMORY ACCESS: EPT FEATURE
Guest OS
Hypervisor
VT-x without EPT
Paging
structures
Host
Memory

50. PROCESSING MEMORY ACCESS: EPT FEATURE
Host Physical Address H
Guest OS
Hypervisor
VT-x without EPT
= G
Guest Physical Address
Paging
structures
V
G
Guest Virtual Address
Host
Memory

51. PROCESSING MEMORY ACCESS: EPT FEATURE
Host Physical Address H
Guest OS
Hypervisor
VT-x without EPT
=
VT-x with EPT
G
Guest Physical Address
Paging
structures
V
G
Guest Virtual Address
Paging
structures
Host
Memory
EPT Paging structures

52. PROCESSING MEMORY ACCESS: EPT FEATURE
Host Physical Address H
Guest OS
Hypervisor
VT-x without EPT
=
EPT Physical Address
Host Physical Address
VT-x with EPT
G
EPT( )G
Guest Physical Address
Paging
structures
V
G
Guest Virtual Address
Guest Physical Address
Paging
structures
V
G
Guest Virtual Address
H =
Host
Memory
EPT Paging structures
=EPT( )G

53. EPT PAGING STRUCTURES
EPT Paging structures
EPT Page Table Entries
EPT Entry for the Page A
EPT Entry for the Page B
EPT Entry for the Page Z
EPT Tables
EPT Tables
…

54. EPT PAGING STRUCTURES
EPT Paging structures
EPT Page Table Entries
EPT Entry for the Page A
EPT Entry for the Page B
EPT Entry for the Page Z
EPT Tables
EPT Tables
Page A
Guest Physical
Address
Page A
Host Physical
Address
…

55. 1. Using EPT we can trap read/write/execute access attempts
and redirect them from the secret page to the fake one:
2.
3.
EPT MAIN FEATURES

56. 1. Using EPT we can trap read/write/execute access attempts
and redirect them from the secret page to the fake one:
2.
3.
EPT MAIN FEATURES
access
Guest Page
Hypervisor does not react
Host Page

57. 1. Using EPT we can trap read/write/execute access attempts
and redirect them from the secret page to the fake one:
2.
3.
EPT MAIN FEATURES
access
Guest Page
Hypervisor does not react
Host Page
Hypervisor traps all
these access attempts
access
Guest Page
Host Page

58. 1. Using EPT we can trap read/write/execute access attempts
and redirect them from the secret page to the fake one:
2.
3.
EPT MAIN FEATURES
access
Guest Page
Hypervisor does not react
Host Page
Hypervisor traps all
these access attempts
access
Guest Page
Host Page

59. 1. Using EPT we can trap read/write/execute access attempts
and redirect them from the secret page to the fake one:
2.
3.
EPT MAIN FEATURES
access
Guest Page
Hypervisor does not react
Host Page
Hypervisor traps all
these access attempts
access
Guest Page
Host Page

60. 1. Using EPT we can trap read/write/execute access attempts
and redirect them from the secret page to the fake one:
2. EPT memory settings can be updated in the real time
3.
EPT MAIN FEATURES
access
Guest Page
Hypervisor does not react
Host Page
Hypervisor traps all
these access attempts
access
Guest Page
Host Page
Fake Page

61. 1. Using EPT we can trap read/write/execute access attempts
and redirect them from the secret page to the fake one:
2. EPT memory settings can be updated in the real time
3. We can dynamically allocate several EPTs with different
memory setting and switch between them in the real time
EPT MAIN FEATURES
access
Guest Page
Hypervisor does not react
Host Page
Hypervisor traps all
these access attempts
access
Guest Page
Host Page
Fake Page

62. WINDOWS KERNEL MEMORY
Enclave for Attacker s DriverEnclave for Boss s DriverEnclave for the OS kernel
OS Kernel Code
OS Kernel Structures FILE_OBJECT
Boss s Driver Attacker s Driver
FILE_OBJECT
OS Kernel Code
OS Kernel Structures FILE_OBJECT FILE_OBJECT
MemoryRanger
Attacker s DriverBoss s Driver

63. WINDOWS KERNEL MEMORY
Enclave for Attacker s DriverEnclave for Boss s DriverEnclave for the OS kernel
OS Kernel Code
OS Kernel Structures FILE_OBJECT
Boss s Driver Attacker s Driver
FILE_OBJECT
OS Kernel Code
OS Kernel Structures FILE_OBJECT FILE_OBJECT
MemoryRanger
Attacker s DriverBoss s Driver

64. MEMORY RANGER PREVENTS FILE_OBJECT HIJACKING
Current Situation
OS Code
OS
Structs
Default enclave for OS Enclave for Boss Driver
EPT pointer
Enclave for Attacker s
Driver

65. MEMORY RANGER PREVENTS FILE_OBJECT HIJACKING
Current Situation
OS Code
OS
Structs
The Boss FILE_OBJ
Default enclave for OS Enclave for Boss Driver
EPT pointer
Enclave for Attacker s
Driver

66. MEMORY RANGER PREVENTS FILE_OBJECT HIJACKING
Current Situation
OS Code
OS
Structs
The Boss FILE_OBJ
Attacker FILE_OBJ
Default enclave for OS Enclave for Boss Driver
EPT pointer
Enclave for Attacker s
Driver

67. MEMORY RANGER PREVENTS FILE_OBJECT HIJACKING
Current Situation
OS Code
OS
Structs
The Boss FILE_OBJ
Attacker FILE_OBJ
Default enclave for OS Enclave for Boss Driver
EPT pointer
Enclave for Attacker s
Driver

68. MEMORY RANGER PREVENTS FILE_OBJECT HIJACKING
Current Situation
OS Code
OS
Structs
The Boss FILE_OBJ
Attacker FILE_OBJ
Default enclave for OS
OS Code
OS
Structs
Enclave for Boss Driver
EPT pointer
Enclave for Attacker s
Driver

69. MEMORY RANGER PREVENTS FILE_OBJECT HIJACKING
Current Situation
OS Code
OS
Structs
The Boss FILE_OBJ
Attacker FILE_OBJ
Default enclave for OS
OS Code
OS
Structs
The Boss
Enclave for Boss s Driver
OS Code
OS
Structs
The Boss
EPT pointer
Enclave for Attacker s
Driver

70. MEMORY RANGER PREVENTS FILE_OBJECT HIJACKING
Current Situation
OS Code
OS
Structs
The Boss FILE_OBJ
Attacker FILE_OBJ
Default enclave for OS
OS Code
OS
Structs
The Boss FILE_OBJ
Enclave for Boss s Driver
OS Code
OS
Structs
The Boss FILE_OBJ
EPT pointer
Enclave for Attacker s
Driver

71. MEMORY RANGER PREVENTS FILE_OBJECT HIJACKING
Current Situation
OS Code
OS
Structs
The Boss FILE_OBJ
Attacker FILE_OBJ
Default enclave for OS
OS Code
OS
Structs
The Boss FILE_OBJ
Attacker
Enclave for Boss s Driver
OS Code
OS
Structs
The Boss FILE_OBJ
Attacker
OS Code
OS
Structs
The Boss
Attacker
EPT pointer
FILE_OBJ
Enclave for Attacker s
Driver

72. MEMORY RANGER PREVENTS FILE_OBJECT HIJACKING
Current Situation
OS Code
OS
Structs
The Boss FILE_OBJ
Attacker FILE_OBJ
Default enclave for OS
OS Code
OS
Structs
The Boss FILE_OBJ
Attacker FILE_OBJ
Enclave for Boss s Driver
OS Code
OS
Structs
The Boss FILE_OBJ
Attacker FILE_OBJ
OS Code
OS
Structs
The Boss
Attacker FILE_OBJ
EPT pointer
FILE_OBJ
Enclave for Attacker s
Driver

73. MEMORY RANGER PREVENTS FILE_OBJECT HIJACKING
Current Situation
OS Code
OS
Structs
The Boss FILE_OBJ
Attacker FILE_OBJ
Default enclave for OS
OS Code
OS
Structs
The Boss FILE_OBJ
Attacker FILE_OBJ
Enclave for Boss s Driver
OS Code
OS
Structs
The Boss FILE_OBJ
Attacker FILE_OBJ
OS Code
OS
Structs
The Boss
Attacker FILE_OBJ
EPT pointer
FILE_OBJ
Enclave for Attacker s
Driver

74. MEMORY RANGER PREVENTS FILE_OBJECT HIJACKING
Current Situation
OS Code
OS
Structs
The Boss FILE_OBJ
Attacker FILE_OBJ
Default enclave for OS
OS Code
OS
Structs
The Boss FILE_OBJ
Attacker FILE_OBJ
Enclave for Boss s Driver
OS Code
OS
Structs
The Boss FILE_OBJ
Attacker FILE_OBJ
OS Code
OS
Structs
The Boss
Attacker FILE_OBJ
EPT pointer
FILE_OBJ
Enclave for Attacker s
Driver

75. DEMO: PREVENTING THE HIJACKING
Driver
ZwCreateFile()
•ShareAccess=0
budget.txt
FILE_OBJECT
Driver
open_by_hijacking
hijacker.txt
OS Components
Attempt 2: The Hijacking Attack Preventing the Hijacking Attack
FILE_OBJECT
The Boss Attacker
Attacker s EnclaveAllocator s Enclave
The Boss
Driver
ZwCreateFile()
•ShareAccess=0
FILE_OBJECT
budget.txt
Attacker
hijacker.txt
OS Components
MemoryRanger
Driver
open_by_hijacking
FILE_OBJECT
OS Components
Default Enclave
OS kernel,
and other
drivers
OS kernel,
and other
drivers
OS kernel
and other
drivers
Internal
Data
Internal
Data
OS and
Other
Data

76. DEMO: PREVENTING THE HIJACKING
Driver
ZwCreateFile()
•ShareAccess=0
budget.txt
FILE_OBJECT
Driver
open_by_hijacking
hijacker.txt
OS Components
Attempt 2: The Hijacking Attack Preventing the Hijacking Attack
FILE_OBJECT
The Boss Attacker
Attacker s EnclaveAllocator s Enclave
The Boss
Driver
ZwCreateFile()
•ShareAccess=0
FILE_OBJECT
budget.txt
Attacker
hijacker.txt
OS Components
MemoryRanger
Driver
open_by_hijacking
FILE_OBJECT
OS Components
Default Enclave
OS kernel,
and other
drivers
OS kernel,
and other
drivers
OS kernel
and other
drivers
Internal
Data
Internal
Data
OS and
Other
Data

77. DEMO: THE ATTACK PREVENTION
The online version is here –
https://www.youtube.com/watch?v=8ONmC5Do4I4?vq=hd1080

78. DEMO: PREVENTING THE HIJACKING
Driver
ZwCreateFile()
•ShareAccess=0
budget.txt
FILE_OBJECT
Driver
open_by_hijacking
hijacker.txt
OS Components
Attempt 2: The Hijacking Attack Preventing the Hijacking Attack
FILE_OBJECT
The Boss Attacker
Attacker s EnclaveAllocator s Enclave
The Boss
Driver
ZwCreateFile()
•ShareAccess=0
FILE_OBJECT
budget.txt
Attacker
hijacker.txt
OS Components
MemoryRanger
Driver
open_by_hijacking
FILE_OBJECT
OS Components
Default Enclave
OS kernel,
and other
drivers
OS kernel,
and other
drivers
OS kernel
and other
drivers
Internal
Data
Internal
Data
OS and
Other
Data

79. DEMO: PREVENTING THE HIJACKING
Driver
ZwCreateFile()
•ShareAccess=0
budget.txt
FILE_OBJECT
Driver
open_by_hijacking
hijacker.txt
OS Components
Attempt 2: The Hijacking Attack Preventing the Hijacking Attack
FILE_OBJECT
The Boss Attacker
Attacker s EnclaveAllocator s Enclave
The Boss
Driver
ZwCreateFile()
•ShareAccess=0
FILE_OBJECT
budget.txt
Attacker
hijacker.txt
OS Components
MemoryRanger
Driver
open_by_hijacking
FILE_OBJECT
OS Components
Default Enclave
OS kernel,
and other
drivers
OS kernel,
and other
drivers
OS kernel
and other
drivers
Internal
Data
Internal
Data
OS and
Other
Data

80. Preventing the Hijacking Attack
MemoryRanger
prevents illegal
access
Attacker s EnclaveAllocator s Enclave
The Boss
Driver
ZwCreateFile()
•ShareAccess=0
FILE_OBJECT
budget.txt
Attacker
hijacker.txt
OS Components
MemoryRanger
Driver
open_by_hijacking
FILE_OBJECT
OS Components
Default Enclave
OS kernel,
and other
drivers
OS kernel,
and other
drivers
OS kernel
and other
drivers
Internal
Data
Internal
Data
OS and
Other
Data

81. MEMORY RANGER ARCHITECTURE
OS

82. MEMORY RANGER ARCHITECTURE
OS
A new driver
is loaded

83. MEMORY RANGER ARCHITECTURE
OS
A new driver
is loaded
Kernel API
function is called

84. MEMORY RANGER ARCHITECTURE
OS
Access to the protected data
triggers EPT violation
A new driver
is loaded
Kernel API
function is called

85. MEMORY RANGER ARCHITECTURE
OS
Access to the protected data
triggers EPT violation
Driver receives
OS events
notifications
ISOLATED_MEM_ENCLAVE
A new driver
is loaded
Kernel API
function is called
ISOLATED_MEM_ENCLAVE
ISOLATED_MEM_ENCLAVE
Memory
Ranger

86. MEMORY RANGER ARCHITECTURE
OS
Access to the protected data
triggers EPT violation
Driver receives
OS events
notifications
ISOLATED_MEM_ENCLAVE PROTECTED_MEMORY
A new driver
is loaded
Kernel API
function is called
DdiMon hooks
kernel API routines
PROTECTED_MEMORY
PROTECTED_MEMORY
ISOLATED_MEM_ENCLAVE
ISOLATED_MEM_ENCLAVE
Memory
Ranger

87. OS
Access to the protected data
triggers EPT violation
Driver receives
OS events
notifications
Hypervisor
ISOLATED_MEM_ENCLAVE PROTECTED_MEMORY
A new driver
is loaded
Kernel API
function is called
DdiMon hooks
kernel API routines
MemoryMonRWX
traps EPT violations
PROTECTED_MEMORY
PROTECTED_MEMORY
ISOLATED_MEM_ENCLAVE
ISOLATED_MEM_ENCLAVE
Memory
Ranger
MEMORY RANGER ARCHITECTURE

88. MEMORY RANGER ARCHITECTURE
OS
Memory Access Policy (MAP)
Access to the protected data
triggers EPT violation
Driver receives
OS events
notifications
Hypervisor
ISOLATED_MEM_ENCLAVE PROTECTED_MEMORY
A new driver
is loaded
Kernel API
function is called
DdiMon hooks
kernel API routines
MemoryMonRWX
traps EPT violations
?
PROTECTED_MEMORY
PROTECTED_MEMORY
ISOLATED_MEM_ENCLAVE
ISOLATED_MEM_ENCLAVE
Memory
Ranger

89. Driver Protected Memory
Reads/Writes
MEMORY RANGER BENCHMARKS: MEMORY ACCESS TIME

90. Driver Protected Memory
Reads/Writes
70±2
0
1
2
3
4
5
Enabled Cache
x100000
MEMORY RANGER BENCHMARKS: MEMORY ACCESS TIME

91. Driver Protected Memory
Reads/Writes
70±2
100.000±4.000
0
1
2
3
4
5
Enabled Cache Disabled Cache
x100000
MEMORY RANGER BENCHMARKS: MEMORY ACCESS TIME

92. Driver Protected Memory
Reads/Writes
70±2
100.000±4.000
500.000±10.000
0
1
2
3
4
5
Enabled Cache Disabled Cache AllMemPro
x100000
MEMORY RANGER BENCHMARKS: MEMORY ACCESS TIME
* AllMemPro details - http://bit.ly/AllMemPro
*

93. Driver Protected Memory
Reads/Writes
70±2
100.000±4.000
500.000±10.000
170.000±7.000
0
1
2
3
4
5
Enabled Cache Disabled Cache AllMemPro MemoryRanger
x100000
MEMORY RANGER BENCHMARKS: MEMORY ACCESS TIME
* AllMemPro details - http://bit.ly/AllMemPro
*

94. Driver Protected Memory
Reads/Writes
70±2
100.000±4.000
500.000±10.000
170.000±7.000
0
1
2
3
4
5
Enabled Cache Disabled Cache AllMemPro MemoryRanger
x100000
MEMORY RANGER BENCHMARKS: MEMORY ACCESS TIME
* AllMemPro details - http://bit.ly/AllMemPro
*

95. Driver Protected Memory
Reads/Writes
70±2
100.000±4.000
500.000±10.000
170.000±7.000
0
1
2
3
4
5
Enabled Cache Disabled Cache AllMemPro MemoryRanger
x100000
MEMORY RANGER BENCHMARKS: MEMORY ACCESS TIME
* AllMemPro details - http://bit.ly/AllMemPro
*

96. THE CURRENT SITUATION WITH ATTACKS ON WINDOWS MEMORY
Integrity
Confidentiality
Memory
Regions
Dynamically Allocated Data by the OSCode Drivers allocations

97. THE CURRENT SITUATION WITH ATTACKS ON WINDOWS MEMORY
Drivers code
Integrity
Confidentiality
Memory
Regions
Dynamically Allocated Data by the OSCode Drivers allocations

98. THE CURRENT SITUATION WITH ATTACKS ON WINDOWS MEMORY
OS Code
Drivers code
Integrity
Confidentiality
Memory
Regions
Dynamically Allocated Data by the OSCode Drivers allocations

99. THE CURRENT SITUATION WITH ATTACKS ON WINDOWS MEMORY
OS Code
Drivers code
Integrity
Confidentiality
Device Guard
Memory
Regions
Dynamically Allocated Data by the OSCode Drivers allocations

100. THE CURRENT SITUATION WITH ATTACKS ON WINDOWS MEMORY
OS Code
Drivers code
Integrity
Confidentiality
Device Guard
Memory
Regions
Dynamically Allocated Data by the OSCode Drivers allocations

101. THE CURRENT SITUATION WITH ATTACKS ON WINDOWS MEMORY
OS Code
Drivers code Allocated data
Integrity
Confidentiality
Device Guard
Memory
Regions
Dynamically Allocated Data by the OSCode Drivers allocations

102. THE CURRENT SITUATION WITH ATTACKS ON WINDOWS MEMORY
OS Code
Drivers code Allocated data
Integrity
Confidentiality
Device Guard
Memory
Regions
Dynamically Allocated Data by the OSCode Drivers allocations

103. THE CURRENT SITUATION WITH ATTACKS ON WINDOWS MEMORY
OS Code
Drivers code Allocated data
LDR_DATA_TABLE_ENTRY
structures
PsLoadedModuleList
DRIVER_OBJECT
structures
MajorFunction[]
EPROCESS structures
PsActiveProcessLinks
Integrity
Confidentiality
Device Guard
Memory
Regions
Dynamically Allocated Data by the OSCode Drivers allocations

104. THE CURRENT SITUATION WITH ATTACKS ON WINDOWS MEMORY
OS Code
Drivers code Allocated data
LDR_DATA_TABLE_ENTRY
structures
PsLoadedModuleList
DRIVER_OBJECT
structures
MajorFunction[]
EPROCESS structures
PsActiveProcessLinks
Integrity
Confidentiality
Device Guard Patch Guard
Memory
Regions
Dynamically Allocated Data by the OSCode Drivers allocations
(skipped)

105. THE CURRENT SITUATION WITH ATTACKS ON WINDOWS MEMORY
OS Code
Drivers code Allocated data
LDR_DATA_TABLE_ENTRY
structures
PsLoadedModuleList
DRIVER_OBJECT
structures
MajorFunction[]
EPROCESS structures
PsActiveProcessLinks
Integrity
Confidentiality
Device Guard Patch Guard
Memory
Regions
Dynamically Allocated Data by the OSCode Drivers allocations
(skipped)

106. THE CURRENT SITUATION WITH ATTACKS ON WINDOWS MEMORY
OS Code
Drivers code Allocated data
LDR_DATA_TABLE_ENTRY
structures
PsLoadedModuleList
DRIVER_OBJECT
structures
MajorFunction[]
EPROCESS structures
PsActiveProcessLinks Token
Integrity
Confidentiality
Device Guard Patch Guard
Memory
Regions
Dynamically Allocated Data by the OSCode Drivers allocations
(skipped)

107. THE CURRENT SITUATION WITH ATTACKS ON WINDOWS MEMORY
OS Code
Drivers code
FILE_OBJECT
structures
Allocated data
LDR_DATA_TABLE_ENTRY
structures
PsLoadedModuleList
DRIVER_OBJECT
structures
MajorFunction[]
EPROCESS structures
PsActiveProcessLinks Token
Integrity
Confidentiality
Device Guard Patch Guard
Memory
Regions
Dynamically Allocated Data by the OSCode Drivers allocations
(skipped)

108. THE CURRENT SITUATION WITH ATTACKS ON WINDOWS MEMORY
OS Code
Drivers code
FILE_OBJECT
structures
Allocated data
LDR_DATA_TABLE_ENTRY
structures
PsLoadedModuleList
DRIVER_OBJECT
structures
MajorFunction[]
EPROCESS structures
PsActiveProcessLinks Token
Integrity
Confidentiality
Device Guard Patch Guard
Memory
Regions
Dynamically Allocated Data by the OSCode Drivers allocations
(skipped)
?
?
?

109. THE CURRENT SITUATION WITH ATTACKS ON WINDOWS MEMORY
OS Code
Drivers code
FILE_OBJECT
structures
Allocated data
LDR_DATA_TABLE_ENTRY
structures
PsLoadedModuleList
DRIVER_OBJECT
structures
MajorFunction[]
EPROCESS structures
PsActiveProcessLinks Token
Integrity
Confidentiality
Device Guard Patch Guard
Memory
Regions
Dynamically Allocated Data by the OSCode Drivers allocations
(skipped)
?
?
?

110. THE CURRENT SITUATION WITH ATTACKS ON WINDOWS MEMORY
OS Code
Drivers code
FILE_OBJECT
structures
Allocated data
LDR_DATA_TABLE_ENTRY
structures
PsLoadedModuleList
DRIVER_OBJECT
structures
MajorFunction[]
EPROCESS structures
PsActiveProcessLinks Token
Integrity
Confidentiality
Device Guard Patch Guard
Memory
Regions
Dynamically Allocated Data by the OSCode Drivers allocations
(skipped)
?
?
?

111. THE CURRENT SITUATION WITH ATTACKS ON WINDOWS MEMORY
OS Code
Drivers code
FILE_OBJECT
structures
Allocated data
LDR_DATA_TABLE_ENTRY
structures
PsLoadedModuleList
DRIVER_OBJECT
structures
MajorFunction[]
EPROCESS structures
PsActiveProcessLinks Token
Integrity
Confidentiality
Device Guard Patch Guard
Memory
Regions
Dynamically Allocated Data by the OSCode Drivers allocations
(skipped)
?
?
?

112. ▪All modern Windows OSes are vulnerable to FILE_OBJECT hijacking
▪ MemoryRanger prevents the hijacking attack by
running drivers into isolated memory enclaves
▪ Research is ongoing
CONCLUSION

113. Thank you!
Igor Korkin igor.korkin@gmail.com
All the details & my CV are here igorkorkin.blogspot.com

114. AllMemPro
MEMORY RANGER HISTORY
HyperPlatform
MemoryMonRWX
HyperPlatform
MemoryRanger
MemoryMonRWX
HyperPlatform
1. Korkin, I., & Tanda, S. (2016). Monitoring & controlling kernel-mode events by HyperPlatform. Recon, Canada.
2. Korkin, I., & Tanda, S. (2017). Detect Kernel-Mode Rootkits via Real Time Logging & Controlling Memory Access. ADFSL, USA.
3. Korkin, I. (2018). Hypervisor-Based Active Data Protection for Integrity and Confidentiality of Dynamically Allocated Memory in Windows Kernel. ADFSL, USA.
4. Korkin, I. (2018). Divide et Impera: MemoryRanger Runs Drivers in Isolated Kernel Spaces. BlackHat, UK
5. Korkin, I. (2019). MemoryRanger Prevents Hijacking FILE_OBJECT structures in Windows Kernel. ADFSL, USA.
AllMemPro
MemoryMonRWX
HyperPlatform
Step 1 Step 2 Step 3 Step 4 Step 5
MemoryRanger
with a new
feature
Prevention of the
FILE_OBJECT
attack
REcon