I have presented that files open in an exclusive mode can be illegally accessed without any security reaction. After that, I presented my MemoryRanger, which can prevent such unauthorized memory access.
All the details are here - https://igorkorkin.blogspot.com/2019/04/memoryranger-prevents-hijacking.html
MemoryRanger Prevents Hijacking FILE_OBJECT Structures in Windows Kernel
1. MemoryRanger Prevents Hijacking FILE_OBJECT structures in Windows Kernel
Igor Korkin
2019 ADFSL Conference
2. WHOAMI
▪ MEPhI Alumni, PhD in Cyber Security
▪ Area of interest is Windows Kernel security:
  ▪ Memory Forensics
  ▪ Rootkits Detection
  ▪ Bare-Metal Hypervisors
▪ Fan of cross-disciplinary research - igorkorkin.blogspot.com
▪ Love traveling and powerlifting - igor.korkin
6. AGENDA
▪ FILE_OBJECT hijacking: details and demo
▪ A history of related OS components and memory protection issues
▪ MemoryRanger hypervisor protects sensitive kernel memory
11. ZWCREATEFILE ROUTINE
NTSTATUS ZwCreateFile(..., ShareAccess, ...);
– The ShareAccess parameter determines whether other drivers can open the file while this handle is open.
– Calling ZwCreateFile with ShareAccess=0 gives the caller exclusive access to the file: every later attempt to open the same file is refused until the handle is closed.
13–14. THE BOSS'S DRIVER vs. THE ATTACKER'S DRIVER
The Boss's Driver: ZwCreateFile(budget.txt, ShareAccess=0), so budget.txt is opened in exclusive mode.
The Attacker's Driver: a second kernel-mode driver on the same machine.
15–27. FILE SYSTEM ROUTINES IN WINDOWS KERNEL
The Boss's Driver calls ZwCreateFile(budget.txt, ShareAccess=0). Which OS kernel components handle the request? The I/O Manager, the Object Manager, the Security Reference Monitor (which checks the access control list) and the File System Drivers. The I/O Manager allocates a FILE_OBJECT for budget.txt and returns a File Handle to the caller; later ZwReadFile() and ZwWriteFile() calls go through that handle to the same FILE_OBJECT.
When the Attacker's Driver tries to open the exclusively opened file via ZwCreateFile, the call fails with STATUS_SHARING_VIOLATION (code 0xC0000043).
"Hey! I'm a hacker-attacker!" FILE_OBJECT hijacking takes two steps:
1. Create a file: the Attacker's Driver calls ZwCreateFile(hijacker.txt) and receives its own File Handle and FILE_OBJECT.
2. Copy: the attacker copies the crucial fields of the Boss's FILE_OBJECT (budget.txt) into its own FILE_OBJECT, so its handle for hijacker.txt now refers to budget.txt.
29. JUST 4 CRUCIAL FIELDS FOR FILE_OBJECT HIJACKING
typedef struct _FILE_OBJECT {
…
PVPB Vpb;
PVOID FsContext;
PVOID FsContext2;
PSECTION_OBJECT_POINTERS SectionObjectPointer;
…
} FILE_OBJECT;
• The Vpb field points to the mounted Volume Parameter Block (VPB) associated with the target device object.
• FsContext points to the FSRTL_COMMON_FCB_HEADER structure (the file control block), which the file system driver allocates.
• FsContext2 refers to the Context Control Block (CCB) associated with the file object.
• SectionObjectPointer stores file-mapping and caching-related information for the file stream.
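The two steps (create a file, copy) and the four fields above, as an added example that is not code from the slides or from MemoryRanger: a user-mode C model of the kernel path the attack goes through. MODEL_FCB, MODEL_CCB, MODEL_FILE_OBJECT, model_open, model_read, hijack_file_object and the file contents are constructed for this example; model_open stands in for ZwCreateFile plus the I/O manager's share-access check (the rule is reduced from IoCheckShareAccess to read access only), and model_read stands in for ZwReadFile. What it makes runnable is the property the attack relies on: the ShareAccess check happens once, at open time, against the file, while every later operation trusts whatever FsContext the FILE_OBJECT holds, so a kernel-mode writer who can overwrite the four fields never meets the check.

```c
#include <stdio.h>
#include <string.h>
#include <stdint.h>

#define STATUS_SUCCESS           0x00000000u
#define STATUS_SHARING_VIOLATION 0xC0000043u   /* the code shown on the slide */
#define FILE_READ_DATA           0x1u
#define FILE_SHARE_READ          0x1u

typedef struct {            /* what FsContext points to: the FSD's per-file state (FCB) */
    unsigned open_count;    /* FILE_OBJECTs currently referencing this file             */
    unsigned share_read;    /* of those, how many granted FILE_SHARE_READ               */
    unsigned readers;       /* of those, how many hold FILE_READ_DATA                   */
    char     data[64];      /* constructed file contents                                */
} MODEL_FCB;
typedef struct { MODEL_FCB *fcb; } MODEL_CCB;   /* what FsContext2 points to: per-open CCB */
typedef struct {            /* only the four fields named on the slide */
    void      *Vpb;
    MODEL_FCB *FsContext;
    MODEL_CCB *FsContext2;
    void      *SectionObjectPointer;
} MODEL_FILE_OBJECT;

static const MODEL_FCB BUDGET_TXT   = { 0, 0, 0, "Q3 budget: 1,000,000" };   /* constructed */
static const MODEL_FCB HIJACKER_TXT = { 0, 0, 0, "nothing to see" };         /* constructed */
static MODEL_CCB g_ccb_pool[8];      /* CCBs are handed out round-robin; enough for the demo */
static unsigned  g_ccb_used;
static int       g_vpb, g_section;   /* stand-ins for the VPB and the section object pointers */

/* Simplified share-access rule (cf. IoCheckShareAccess): compatible in both directions. */
static uint32_t check_share_access(const MODEL_FCB *fcb, uint32_t desired, uint32_t share)
{
    if (fcb->open_count == 0) return STATUS_SUCCESS;
    if ((desired & FILE_READ_DATA) && fcb->share_read < fcb->open_count)
        return STATUS_SHARING_VIOLATION;   /* an existing open did not grant FILE_SHARE_READ */
    if (!(share & FILE_SHARE_READ) && fcb->readers > 0)
        return STATUS_SHARING_VIOLATION;   /* we refuse to share, but readers already exist */
    return STATUS_SUCCESS;
}

/* Plays ZwCreateFile plus the I/O manager: the ONLY place the share check runs. */
uint32_t model_open(MODEL_FCB *fcb, uint32_t desired, uint32_t share, MODEL_FILE_OBJECT *fo)
{
    uint32_t status = check_share_access(fcb, desired, share);
    if (status != STATUS_SUCCESS) return status;
    fcb->open_count++;
    if (share & FILE_SHARE_READ) fcb->share_read++;
    if (desired & FILE_READ_DATA) fcb->readers++;
    MODEL_CCB *ccb = &g_ccb_pool[g_ccb_used++ % 8];
    ccb->fcb = fcb;
    *fo = (MODEL_FILE_OBJECT){ &g_vpb, fcb, ccb, &g_section };
    return STATUS_SUCCESS;
}

/* Plays ZwReadFile: the file system driver trusts FsContext; sharing is never re-checked. */
size_t model_read(const MODEL_FILE_OBJECT *fo, char *buf, size_t len)
{
    size_t n = strlen(fo->FsContext->data);
    if (n >= len) n = len - 1;
    memcpy(buf, fo->FsContext->data, n);
    buf[n] = '\0';
    return n;
}

/* Step 2 of the attack: copy only the four fields; the attacker keeps its own, approved handle. */
void hijack_file_object(MODEL_FILE_OBJECT *dst, const MODEL_FILE_OBJECT *src)
{
    dst->Vpb                  = src->Vpb;
    dst->FsContext            = src->FsContext;
    dst->FsContext2           = src->FsContext2;
    dst->SectionObjectPointer = src->SectionObjectPointer;
}

/* The polite attempt: a second open of the exclusively opened budget.txt is refused. */
uint32_t demo_direct_open(void)
{
    MODEL_FCB budget = BUDGET_TXT;
    MODEL_FILE_OBJECT boss, attacker;
    model_open(&budget, FILE_READ_DATA, 0, &boss);                 /* ShareAccess=0 */
    return model_open(&budget, FILE_READ_DATA, FILE_SHARE_READ, &attacker);
}

/* The hijack: step 1 open hijacker.txt, step 2 copy the fields, then read budget.txt. */
const char *demo_hijack_read(void)
{
    static char out[64];
    MODEL_FCB budget = BUDGET_TXT, hijacker = HIJACKER_TXT;
    MODEL_FILE_OBJECT boss, attacker;
    model_open(&budget, FILE_READ_DATA, 0, &boss);
    model_open(&hijacker, FILE_READ_DATA, FILE_SHARE_READ, &attacker);
    hijack_file_object(&attacker, &boss);
    model_read(&attacker, out, sizeof out);   /* succeeds: no STATUS_SHARING_VIOLATION */
    return out;
}

int main(void)
{
    printf("attacker's second open of budget.txt: 0x%08X\n", (unsigned)demo_direct_open());
    printf("read through the hijacked FILE_OBJECT: \"%s\"\n", demo_hijack_read());
    return 0;
}
```

The model deliberately keeps the share-access bookkeeping on the FCB, where the real I/O manager keeps it, and not on the FILE_OBJECT: that is why nothing in model_read can notice that the attacker's object now points at someone else's file.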
32. DEMO: THE ATTACK
The online version is here –
https://www.youtube.com/watch?v=2mU85RluOSA?vq=hd1080
33–35. THE ANALYSIS OF THE ATTACK
▪ All Windows OSes since NT 4.0 are vulnerable to FILE_OBJECT hijacking:
▪ 1993 – the first mention of the Object Manager and the Security Reference Monitor ("Windows NT: The Next Generation" by Len Feldman, March 1, 1993)
▪ 1965 – the first memory isolation concept, Multics*, was developed for the General Electric 645 mainframe. Multics joined the ARPANET and gave rise to Unix.
Two Fathers of Multics: Fernando Corbató and Victor Vyssotsky
*DOI: http://dx.doi.org/10.1145/1463891.1463912
38–44. THE FILE_OBJECT PROTECTION VIA ENCRYPTION
Actors: the Boss's Driver, the Attacker's Driver and the Boss's FILE_OBJECT. The protection loop:
1. Encrypt the FILE_OBJECT
2. Trap legal access
3. Decrypt the FILE_OBJECT
4. Wait for the file operation to complete
5. Go to step 1
45–48. WINDOWS KERNEL MEMORY
One shared kernel address space: OS Kernel Code, OS Kernel Structures (including the FILE_OBJECT), the Boss's Driver, the Attacker's Driver and the Boss's FILE_OBJECT all sit in the same memory.
49–52. PROCESSING MEMORY ACCESS: EPT FEATURE
VT-x without EPT: the Guest OS translates a Guest Virtual Address V through its paging structures into a Guest Physical Address G, and the Host Physical Address is simply H = G.
VT-x with EPT: the guest still translates V into G with its own paging structures; the hypervisor then translates G through the EPT paging structures, so the Host Physical Address is H = EPT(G).
53–54. EPT PAGING STRUCTURES
EPT Tables → EPT Page Table Entries: EPT Entry for the Page A, EPT Entry for the Page B, …, EPT Entry for the Page Z. Each entry maps the Guest Physical Address of a page (e.g. Page A) to that page's Host Physical Address.
55–61. EPT MAIN FEATURES
1. Using EPT we can trap read/write/execute access attempts and redirect them from the secret page to the fake one:
   – Unprotected page: access to the Guest Page reaches the Host Page; the hypervisor does not react.
   – Protected page: the hypervisor traps all these access attempts and redirects them from the Host Page to a Fake Page.
2. EPT memory settings can be updated in real time.
3. We can dynamically allocate several EPTs with different memory settings and switch between them in real time.
62–63. WINDOWS KERNEL MEMORY
Without MemoryRanger: OS Kernel Code, OS Kernel Structures, the Boss's Driver, the Attacker's Driver and both drivers' FILE_OBJECTs share one memory space.
With MemoryRanger the same memory is split into an Enclave for the OS kernel, an Enclave for the Boss's Driver and an Enclave for the Attacker's Driver; each driver runs in its own enclave, and each FILE_OBJECT belongs to the driver that allocated it.
64–74. MEMORY RANGER PREVENTS FILE_OBJECT HIJACKING
Current situation: OS Code, OS Structs, the Boss's FILE_OBJ and the Attacker's FILE_OBJ are all visible to every driver.
With MemoryRanger each enclave has its own EPT pointer, and therefore its own view of the same physical memory:
– Default enclave for the OS: OS Code, OS Structs, the Boss's FILE_OBJ and the Attacker's FILE_OBJ.
– Enclave for the Boss's Driver: OS Code, OS Structs, the Boss's driver and the Boss's FILE_OBJ; the Attacker's FILE_OBJ is protected.
– Enclave for the Attacker's Driver: OS Code, OS Structs, the Attacker's driver and the Attacker's FILE_OBJ; the Boss's FILE_OBJ is protected.
MemoryRanger switches the EPT pointer whenever execution passes from one enclave to another, so the attacker's attempt to copy the Boss's FILE_OBJ is trapped.
75–76. DEMO: PREVENTING THE HIJACKING
Attempt 2: The Hijacking Attack (without MemoryRanger). The Boss's Driver calls ZwCreateFile() with ShareAccess=0 and gets a FILE_OBJECT for budget.txt. The Attacker's Driver opens hijacker.txt and runs open_by_hijacking against the Boss's FILE_OBJECT. OS Components: the OS kernel and other drivers, with OS and other data.
Preventing the Hijacking Attack (with MemoryRanger). Allocator's Enclave: the Boss's Driver, ZwCreateFile() with ShareAccess=0, its FILE_OBJECT for budget.txt and its internal data. Attacker's Enclave: the Attacker's Driver, hijacker.txt, open_by_hijacking, its FILE_OBJECT and its internal data. Default Enclave: OS Components, the OS kernel and other drivers, OS and other data.
77. DEMO: THE ATTACK PREVENTION
The online version is here –
https://www.youtube.com/watch?v=8ONmC5Do4I4?vq=hd1080
80. Preventing the Hijacking Attack: MemoryRanger prevents illegal access, so open_by_hijacking in the Attacker's Enclave cannot reach the Boss's FILE_OBJECT in the Allocator's Enclave.
85–88. MEMORY RANGER ARCHITECTURE
OS side: the MemoryRanger driver receives OS event notifications: a new driver is loaded; a kernel API function is called. Access to the protected data triggers an EPT violation.
Hypervisor side: DdiMon hooks kernel API routines; MemoryMonRWX traps EPT violations. The Memory Access Policy (MAP) holds ISOLATED_MEM_ENCLAVE entries (one per driver) and PROTECTED_MEMORY entries (data allocated by a driver) and decides, for each trapped access, whether it is allowed ("?").
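The EPT features (slides 55–61), the per-driver enclaves (slides 64–74) and the architecture above describe one mechanism; the following C model puts it in one place. It is an added example, not MemoryRanger's own code. HYPERVISOR, EPT_TABLE, PROTECTED_MEMORY, hv_driver_loaded, hv_on_alloc, hv_switch_enclave, hv_access and the 16-page guest address space are constructed for this example, and the policy it encodes is a simplified Memory Access Policy: a page allocated by a driver stays accessible from that driver's enclave and from the default OS enclave, while every other enclave's EPT maps it with no permissions, so an access from there raises an EPT violation and is redirected to a fake page. The hooks that deliver the "driver loaded" and "kernel API called" events (DdiMon), the real VM exits (MemoryMonRWX) and INVEPT/TLB handling are left out; here they are plain function calls.

```c
#include <stdint.h>
#include <string.h>

#define PAGE_SHIFT   12
#define PAGE_MASK    ((1u << PAGE_SHIFT) - 1)
#define NPAGES       16          /* constructed: a 16-page guest-physical address space */
#define MAX_ENCLAVES 4
enum { OS_ENCLAVE = 0, BOSS_ENCLAVE = 1, ATTACKER_ENCLAVE = 2 };  /* ids setup() produces */
enum { EPT_R = 1, EPT_W = 2, EPT_X = 4 };
enum { ACCESS_OK = 0, ACCESS_TRAPPED = 1 };

typedef struct { uint64_t hpa; uint8_t perm; } EPT_ENTRY;      /* one entry per guest page */
typedef struct { EPT_ENTRY e[NPAGES]; } EPT_TABLE;              /* one table per enclave    */
typedef struct { uint64_t gpa; int owner; } PROTECTED_MEMORY;   /* MAP entry: page -> owner */

typedef struct {
    EPT_TABLE        ept[MAX_ENCLAVES];  /* ISOLATED_MEM_ENCLAVE i uses ept[i]            */
    int              n_enclaves;
    PROTECTED_MEMORY prot[NPAGES];       /* the Memory Access Policy (MAP)                */
    int              n_prot;
    int              current;            /* EPT pointer the CPU is currently running with */
    uint64_t         fake_page_hpa;      /* host page that trapped accesses land on       */
} HYPERVISOR;

void hv_init(HYPERVISOR *hv)
{
    memset(hv, 0, sizeof *hv);
    hv->fake_page_hpa = (uint64_t)NPAGES << PAGE_SHIFT;   /* one page beyond the guest's */
    hv->n_enclaves = 1;                                   /* enclave 0: the OS kernel    */
    for (int p = 0; p < NPAGES; p++) {                    /* identity map: H = EPT(G) = G */
        hv->ept[OS_ENCLAVE].e[p].hpa  = (uint64_t)p << PAGE_SHIFT;
        hv->ept[OS_ENCLAVE].e[p].perm = EPT_R | EPT_W | EPT_X;
    }
}

static void hide_page(HYPERVISOR *hv, int enclave, uint64_t gpa)
{
    EPT_ENTRY *e = &hv->ept[enclave].e[gpa >> PAGE_SHIFT];
    e->perm = 0;                   /* any R/W/X access from this enclave -> EPT violation */
    e->hpa  = hv->fake_page_hpa;   /* and the entry points at the fake page, not the real one */
}

/* Event "a new driver is loaded": its EPT is the OS view minus what other enclaves own. */
int hv_driver_loaded(HYPERVISOR *hv)
{
    if (hv->n_enclaves == MAX_ENCLAVES) return -1;
    int id = hv->n_enclaves++;
    hv->ept[id] = hv->ept[OS_ENCLAVE];
    for (int i = 0; i < hv->n_prot; i++)
        if (hv->prot[i].owner != id) hide_page(hv, id, hv->prot[i].gpa);
    return id;
}

/* Event "kernel API function is called": a driver's allocation becomes PROTECTED_MEMORY. */
int hv_on_alloc(HYPERVISOR *hv, int owner, uint64_t gpa)
{
    if (hv->n_prot == NPAGES || (gpa >> PAGE_SHIFT) >= NPAGES) return -1;
    hv->prot[hv->n_prot].gpa   = gpa;
    hv->prot[hv->n_prot].owner = owner;
    hv->n_prot++;
    for (int id = 1; id < hv->n_enclaves; id++)   /* enclave 0 (the OS) keeps full access */
        if (id != owner) hide_page(hv, id, gpa);
    return 0;
}

/* Execution enters another driver: load that enclave's EPT pointer. */
void hv_switch_enclave(HYPERVISOR *hv, int enclave) { hv->current = enclave; }

/* One guest memory access of the given kind (EPT_R, EPT_W or EPT_X). */
int hv_access(HYPERVISOR *hv, uint64_t gpa, uint8_t kind, uint64_t *hpa)
{
    uint64_t off = gpa & PAGE_MASK, page = gpa >> PAGE_SHIFT;
    EPT_ENTRY *e = page < NPAGES ? &hv->ept[hv->current].e[page] : NULL;
    if (e && (e->perm & kind) == kind) {   /* the common case: hardware walks the EPT, no exit */
        *hpa = e->hpa + off;
        return ACCESS_OK;
    }
    /* EPT violation -> VM exit. The handler (MemoryMonRWX's role) consults the MAP;
     * for an access from a foreign enclave the answer is "redirect to the fake page". */
    *hpa = hv->fake_page_hpa + off;
    return ACCESS_TRAPPED;
}

/* Constructed scenario from the slides: two drivers, one FILE_OBJECT page each. */
#define BOSS_FO_GPA     ((uint64_t)5 << PAGE_SHIFT)
#define ATTACKER_FO_GPA ((uint64_t)6 << PAGE_SHIFT)

static void setup(HYPERVISOR *hv)
{
    hv_init(hv);
    int boss = hv_driver_loaded(hv);                 /* -> BOSS_ENCLAVE                         */
    hv_on_alloc(hv, boss, BOSS_FO_GPA);              /* ZwCreateFile(budget.txt, ShareAccess=0) */
    int attacker = hv_driver_loaded(hv);             /* -> ATTACKER_ENCLAVE, loaded later       */
    hv_on_alloc(hv, attacker, ATTACKER_FO_GPA);      /* ZwCreateFile(hijacker.txt)              */
}

/* Run one access from the given enclave against a field at +0x18 inside the object's page. */
int demo_access(int enclave, uint64_t object_gpa, uint8_t kind)
{
    HYPERVISOR hv; uint64_t hpa;
    setup(&hv);
    hv_switch_enclave(&hv, enclave);
    return hv_access(&hv, object_gpa + 0x18, kind, &hpa);
}
```

demo_access(ATTACKER_ENCLAVE, BOSS_FO_GPA, EPT_W) is the hijacking write from slide 27: with the attacker's EPT loaded, the page holding the Boss's FILE_OBJECT has no permissions, so the access is trapped, while the same write from BOSS_ENCLAVE or OS_ENCLAVE goes through. Loading the attacker's driver after the Boss's allocation is covered by hv_driver_loaded replaying the existing MAP entries into the new EPT.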
96–111. THE CURRENT SITUATION WITH ATTACKS ON WINDOWS MEMORY
Memory Regions   | Code                  | Dynamically Allocated Data by the OS             | Drivers allocations
                 | OS Code, Drivers code | LDR_DATA_TABLE_ENTRY structures (PsLoadedModuleList) | Allocated data
                 |                       | DRIVER_OBJECT structures (MajorFunction[])        |
                 |                       | EPROCESS structures (PsActiveProcessLinks, Token) |
                 |                       | FILE_OBJECT structures                            |
Integrity        | Device Guard          | Patch Guard (some structures are skipped)         | ?
Confidentiality  |                       | ?                                                 | ?
112. CONCLUSION
▪ All modern Windows OSes are vulnerable to FILE_OBJECT hijacking
▪ MemoryRanger prevents the hijacking attack by running drivers in isolated memory enclaves
▪ Research is ongoing
113. Thank you!
Igor Korkin igor.korkin@gmail.com
All the details & my CV are here igorkorkin.blogspot.com
114. MEMORY RANGER HISTORY
Step 1: HyperPlatform (REcon)
Step 2: MemoryMonRWX, built on HyperPlatform
Step 3: AllMemPro, built on MemoryMonRWX and HyperPlatform
Step 4: MemoryRanger, built on MemoryMonRWX and HyperPlatform
Step 5: MemoryRanger with a new feature: prevention of the FILE_OBJECT attack
1. Korkin, I., & Tanda, S. (2016). Monitoring & controlling kernel-mode events by HyperPlatform. REcon, Canada.
2. Korkin, I., & Tanda, S. (2017). Detect Kernel-Mode Rootkits via Real Time Logging & Controlling Memory Access. ADFSL, USA.
3. Korkin, I. (2018). Hypervisor-Based Active Data Protection for Integrity and Confidentiality of Dynamically Allocated Memory in Windows Kernel. ADFSL, USA.
4. Korkin, I. (2018). Divide et Impera: MemoryRanger Runs Drivers in Isolated Kernel Spaces. BlackHat, UK.
5. Korkin, I. (2019). MemoryRanger Prevents Hijacking FILE_OBJECT structures in Windows Kernel. ADFSL, USA.