Igor Korkin
2019 ADFSL Conference
MemoryRanger Prevents Hijacking
FILE_OBJECT structures in Windows Kernel
WHOAMI
▪ MEPhI Alumni, PhD in Cyber Security
▪ Area of interest is Windows Kernel security:
▪ Memory Forensics
▪ Rootkits Detection
▪ Bare-Metal Hypervisors
▪ Fan of cross-disciplinary research - igorkorkin.blogspot.com
▪ Love traveling and powerlifting - igor.korkin
AGENDA
▪ FILE_OBJECT hijacking: details and demo
▪ A history of related OS components and memory protection issues
▪ MemoryRanger hypervisor protects sensitive kernel memory
File Manager in Kernel Mode
ZWCREATEFILE ROUTINE
NTSTATUS ZwCreateFile(..., ShareAccess, ...);
– The ShareAccess flag determines whether other drivers can access the opened file.
– Calling ZwCreateFile with ShareAccess=0 gives the caller exclusive access to the file.
ShareAccess
Figure: the Boss's driver calls ZwCreateFile(budget.txt, ShareAccess=0) and holds budget.txt in exclusive mode, vs. the Attacker's driver.
FILE SYSTEM ROUTINES IN WINDOWS KERNEL
Figure (slide build, text recovered from the diagram): the OS kernel components that serve a ZwCreateFile(budget.txt, ShareAccess=0) call are the I/O Manager, the Object Manager, the Security Reference Monitor (which consults the access control list) and the File System Drivers. On success the caller receives a FILE_OBJECT and a File Handle; the later ZwReadFile() and ZwWriteFile() calls go through that handle.
A second ZwCreateFile call on the exclusively opened budget.txt is refused with STATUS_SHARING_VIOLATION (Code=0xC0000043).
FILE_OBJECT Hijacking ("Hey! I'm a hacker-attacker!"):
1. Create a file: the attacker's driver calls ZwCreateFile(hijacker.txt) and receives its own FILE_OBJECT and File Handle.
2. Copy: the attacker copies the fields of the Boss's FILE_OBJECT (budget.txt) into its own FILE_OBJECT, so the ZwReadFile() and ZwWriteFile() calls made through the hijacker.txt handle now reach budget.txt.
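The refusal shown above is the I/O Manager's sharing check. The following C model is an added example, not code from the talk or from Windows: it follows the documented semantics of the kernel's IoCheckShareAccess (the SHARE_ACCESS counters, the constant names and the 0xC0000043 status are those of the public headers, while the function body and the two scenarios are constructed here) and shows why an open with ShareAccess=0 makes every later open of the same file fail.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* NTSTATUS codes (values as in the public Windows headers; 0xC0000043 is the one on the slide) */
#define STATUS_SUCCESS           0x00000000u
#define STATUS_SHARING_VIOLATION 0xC0000043u

/* Subset of the DesiredAccess rights the I/O Manager classifies as read / write / delete */
#define FILE_READ_DATA   0x00000001u
#define FILE_WRITE_DATA  0x00000002u
#define FILE_APPEND_DATA 0x00000004u
#define FILE_EXECUTE     0x00000020u
#define DELETE           0x00010000u

/* ShareAccess flags passed to ZwCreateFile */
#define FILE_SHARE_READ   0x1u
#define FILE_SHARE_WRITE  0x2u
#define FILE_SHARE_DELETE 0x4u

/* Per-file bookkeeping, modelled on the kernel's SHARE_ACCESS structure:
 * how many opens exist, what access they hold, and what access they allow others. */
typedef struct {
    unsigned OpenCount;
    unsigned Readers, Writers, Deleters;
    unsigned SharedRead, SharedWrite, SharedDelete;
} SHARE_ACCESS;

/* Model of the sharing check performed for each open (documented IoCheckShareAccess
 * semantics, not the kernel's code). The check fails if an existing open did not share
 * what the caller wants, or if the caller does not share what an existing open holds.
 * When update is true and the check passes, the new open is recorded. */
uint32_t check_share_access(uint32_t desired, uint32_t share, SHARE_ACCESS *sa, bool update)
{
    bool wants_read   = (desired & (FILE_READ_DATA | FILE_EXECUTE)) != 0;
    bool wants_write  = (desired & (FILE_WRITE_DATA | FILE_APPEND_DATA)) != 0;
    bool wants_delete = (desired & DELETE) != 0;

    /* An open that needs none of read/write/delete (e.g. attributes only) never conflicts. */
    if (!wants_read && !wants_write && !wants_delete)
        return STATUS_SUCCESS;

    bool shares_read   = (share & FILE_SHARE_READ) != 0;
    bool shares_write  = (share & FILE_SHARE_WRITE) != 0;
    bool shares_delete = (share & FILE_SHARE_DELETE) != 0;

    if (sa->OpenCount != 0) {
        /* every existing open must have allowed what the caller wants ... */
        bool blocked_by_existing =
            (wants_read   && sa->SharedRead   < sa->OpenCount) ||
            (wants_write  && sa->SharedWrite  < sa->OpenCount) ||
            (wants_delete && sa->SharedDelete < sa->OpenCount);
        /* ... and the caller must allow what existing opens already hold */
        bool blocks_existing =
            (sa->Readers  != 0 && !shares_read)  ||
            (sa->Writers  != 0 && !shares_write) ||
            (sa->Deleters != 0 && !shares_delete);
        if (blocked_by_existing || blocks_existing)
            return STATUS_SHARING_VIOLATION;
    }

    if (update) {
        sa->OpenCount++;
        sa->Readers += wants_read;      sa->Writers += wants_write;      sa->Deleters += wants_delete;
        sa->SharedRead += shares_read;  sa->SharedWrite += shares_write; sa->SharedDelete += shares_delete;
    }
    return STATUS_SUCCESS;
}

/* Constructed scenario from the slide: the Boss opens budget.txt read/write with
 * ShareAccess=0, then the Attacker asks for read access while sharing everything.
 * Returns the status the attacker's ZwCreateFile would receive. */
uint32_t attacker_status_after_exclusive_open(void)
{
    SHARE_ACCESS budget = {0};                       /* budget.txt has no opens yet */
    check_share_access(FILE_READ_DATA | FILE_WRITE_DATA, 0, &budget, true);
    return check_share_access(FILE_READ_DATA,
                              FILE_SHARE_READ | FILE_SHARE_WRITE | FILE_SHARE_DELETE,
                              &budget, true);
}

/* Constructed contrast: an owner that shares read lets a reader in, but a later
 * writer is still refused. Returns how many of the three opens succeed. */
unsigned successful_opens_shared_read_scenario(void)
{
    SHARE_ACCESS f = {0};
    unsigned ok = 0;
    ok += check_share_access(FILE_READ_DATA | FILE_WRITE_DATA, FILE_SHARE_READ, &f, true) == STATUS_SUCCESS;
    ok += check_share_access(FILE_READ_DATA, FILE_SHARE_READ | FILE_SHARE_WRITE, &f, true) == STATUS_SUCCESS;
    ok += check_share_access(FILE_WRITE_DATA, FILE_SHARE_READ | FILE_SHARE_WRITE, &f, true) == STATUS_SUCCESS;
    return ok;
}

int main(void)
{
    printf("attacker's ZwCreateFile on budget.txt -> 0x%08X\n", attacker_status_after_exclusive_open());
    printf("opens that succeed in the shared-read scenario: %u of 3\n", successful_opens_shared_read_scenario());
    return 0;
}
```

The point for the rest of the talk: this check lives in the I/O Manager and is keyed to the FILE_OBJECT handed out at open time. A driver that copies the fields of someone else's FILE_OBJECT never goes through ZwCreateFile for that file, so the counters above are never consulted.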
JUST 4 CRUCIAL FIELDS FOR FILES HIJACKING
typedef struct _FILE_OBJECT {
    …
    PVPB Vpb;
    PVOID FsContext;
    PVOID FsContext2;
    PSECTION_OBJECT_POINTERS SectionObjectPointer;
    …
} FILE_OBJECT;
• The Vpb field points to the mounted Volume Parameter Block (VPB) associated with the target device object.
• FsContext points to the FSRTL_COMMON_FCB_HEADER structure, which has to be allocated by the file system driver.
• The FsContext2 field refers to the Context Control Block (CCB) associated with the file object.
• SectionObjectPointer stores file-mapping and caching-related information for a file stream.
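The same four fields give a memory-forensics analyst something to look for. The C routine below is an added example (not part of the talk and not MemoryRanger code): it sweeps a set of FILE_OBJECT records and flags pairs whose context pointers should not coincide. The records, owner labels and addresses are constructed; a real sweep would read them from live objects or a memory image.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* The four fields from the slide plus the file name and a constructed owner label. */
typedef struct {
    const char *FileName;            /* FILE_OBJECT.FileName, as a C string here */
    uintptr_t Vpb, FsContext, FsContext2, SectionObjectPointer;
    const char *Owner;               /* constructed: the driver that opened the file */
} FILE_OBJECT_VIEW;

typedef struct {
    size_t a, b;                     /* indices of the two FILE_OBJECTs in question */
    const char *reason;
} FINDING;

/* Pairwise checks:
 *  - FsContext2 (the CCB) is allocated per open, so two FILE_OBJECTs sharing one is anomalous;
 *  - FsContext (the FCB) is legitimately shared by opens of the same file, so the same FCB
 *    under a different FileName is a lead that needs confirmation (hard links and alternative
 *    path forms can also produce it), not grounds for automatic blocking.
 * Returns the number of findings; only the first max are written to out. */
size_t scan_file_objects(const FILE_OBJECT_VIEW *o, size_t n, FINDING *out, size_t max)
{
    size_t found = 0;
    for (size_t i = 0; i < n; i++) {
        for (size_t j = i + 1; j < n; j++) {
            const char *reason = NULL;
            if (o[i].FsContext2 == o[j].FsContext2)
                reason = "duplicate FsContext2 (CCB) across two FILE_OBJECTs";
            else if (o[i].FsContext == o[j].FsContext && strcmp(o[i].FileName, o[j].FileName) != 0)
                reason = "same FsContext (FCB) under a different FileName";
            if (reason) {
                if (found < max)
                    out[found] = (FINDING){ i, j, reason };
                found++;
            }
        }
    }
    return found;
}

/* Constructed sample: two legitimate opens of budget.txt (shared FCB and section pointers,
 * distinct CCBs), one object whose four fields were copied from the Boss's, and an unrelated file. */
static const FILE_OBJECT_VIEW SAMPLE[] = {
    { "\\budget.txt",   0x1000, 0x2000, 0x3000, 0x4000, "Boss driver"     },
    { "\\budget.txt",   0x1000, 0x2000, 0x3001, 0x4000, "Backup driver"   },
    { "\\hijacker.txt", 0x1000, 0x2000, 0x3000, 0x4000, "Attacker driver" },
    { "\\readme.txt",   0x1000, 0x2100, 0x3100, 0x4100, "Boss driver"     },
};
#define SAMPLE_COUNT (sizeof SAMPLE / sizeof SAMPLE[0])

size_t scan_sample(FINDING *out, size_t max)
{
    return scan_file_objects(SAMPLE, SAMPLE_COUNT, out, max);
}

/* 1 if the pair (a, b) of sample objects is reported, 0 otherwise. */
int sample_pair_flagged(size_t a, size_t b)
{
    FINDING f[16];
    size_t n = scan_sample(f, 16);
    for (size_t k = 0; k < n; k++)
        if (f[k].a == a && f[k].b == b)
            return 1;
    return 0;
}

int main(void)
{
    FINDING f[16];
    size_t n = scan_sample(f, 16);
    for (size_t k = 0; k < n; k++)
        printf("%s (%s) <-> %s (%s): %s\n",
               SAMPLE[f[k].a].FileName, SAMPLE[f[k].a].Owner,
               SAMPLE[f[k].b].FileName, SAMPLE[f[k].b].Owner, f[k].reason);
    return 0;
}
```

On the sample the hijacked object is reported twice, once against the Boss's open (identical CCB) and once against the backup driver's open (same FCB, different name), while the two legitimate opens of budget.txt are not reported against each other.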
THE ATTACK
Figure (user mode / kernel mode / hard disk; text recovered from the diagram):
Attempt 1: The Legal Access. The Boss's driver calls ZwCreateFile() with ShareAccess=0 on budget.txt and receives a FILE_OBJECT from the OS components. The Attacker's driver then calls ZwCreateFile() on the same file and gets an access violation.
Attempt 2: The Hijacking Attack. The Attacker's driver opens hijacker.txt, receives its own FILE_OBJECT, and open_by_hijacking copies the Boss's FILE_OBJECT for budget.txt into it, bypassing the OS components.
DEMO: THE ATTACK
The online version is here –
https://www.youtube.com/watch?v=2mU85RluOSA?vq=hd1080
THE ANALYSIS OF THE ATTACK
▪ All Windows OSes since NT 4.0 are vulnerable to FILE_OBJECT hijacking:
▪ 1993 – the first mention of the Object Manager and the Security Reference Monitor ("Windows NT: The Next Generation" by Len Feldman, March 1, 1993)
▪ 1965 – the first memory isolation concept, Multics*, was developed for the General Electric 645 mainframe. Multics joined the ARPANET and gave rise to Unix.
Two Fathers of Multics: Fernando Corbató and Victor Vyssotsky
*DOI: http://dx.doi.org/10.1145/1463891.1463912
THE FILE_OBJECT PROTECTION VIA ENCRYPTION
Figure: the FILE_OBJECT in kernel memory, shared by the Boss's Driver and the Attacker's Driver.
1. Encrypt the FILE_OBJECT
2. Trap legal access
3. Decrypt the FILE_OBJECT
4. Wait for the file operation to complete
5. Go to step 1
WINDOWS KERNEL MEMORY
Figure: OS Kernel Code, OS Kernel Structures (including the FILE_OBJECT), the Boss's Driver and the Attacker's Driver all reside in one kernel address space.
PROCESSING MEMORY ACCESS: EPT FEATURE
Figure (Guest OS / Hypervisor / Host Memory):
VT-x without EPT: the guest's paging structures translate the Guest Virtual Address V into the Guest Physical Address G, and the Host Physical Address is simply H = G.
VT-x with EPT: the guest's paging structures still translate V into G, but the EPT paging structures owned by the hypervisor then translate G into the Host Physical Address, H = EPT(G).
EPT PAGING STRUCTURES
Figure: the EPT paging structures are EPT Tables whose EPT Page Table Entries (the EPT Entry for Page A, Page B, …, Page Z) map each page's Guest Physical Address to its Host Physical Address.
EPT MAIN FEATURES
1. Using EPT we can trap read/write/execute access attempts and redirect them from the secret page to the fake one:
Figure: without a trap, an access to a Guest Page reaches its Host Page and the hypervisor does not react; with EPT the hypervisor traps all these access attempts and can redirect the access from the Guest Page to a Fake Page instead of the Host Page.
2. EPT memory settings can be updated in real time.
3. We can dynamically allocate several EPTs with different memory settings and switch between them in real time.
WINDOWS KERNEL MEMORY
Figure: without MemoryRanger, the OS Kernel Code, the OS Kernel Structures (FILE_OBJECT), the Boss's Driver and the Attacker's Driver share one kernel memory. With MemoryRanger each of them runs in its own enclave: an Enclave for the OS kernel, an Enclave for the Boss's Driver and an Enclave for the Attacker's Driver, and the two FILE_OBJECTs are kept apart.
MEMORY RANGER PREVENTS FILE_OBJECT HIJACKING
Figure (slide build, "Current Situation"): MemoryRanger keeps one EPT per enclave and switches the EPT pointer between them.
▪ Default enclave for OS: OS Code, OS Structs, the Boss's FILE_OBJ and the Attacker's FILE_OBJ are all mapped.
▪ Enclave for the Boss's Driver: OS Code, OS Structs and the Boss's FILE_OBJ are mapped; the Attacker's FILE_OBJ is not.
▪ Enclave for the Attacker's Driver: OS Code, OS Structs and the Attacker's FILE_OBJ are mapped; the Boss's FILE_OBJ is not.
DEMO: PREVENTING THE HIJACKING
Figure (text recovered from the diagram):
Attempt 2: The Hijacking Attack (without MemoryRanger). The Boss's driver calls ZwCreateFile() with ShareAccess=0 on budget.txt and receives a FILE_OBJECT from the OS components. The Attacker's driver opens hijacker.txt and runs open_by_hijacking against the Boss's FILE_OBJECT.
Preventing the Hijacking Attack (with MemoryRanger). The Boss's driver runs in the Allocator's Enclave together with the FILE_OBJECT for budget.txt; the Attacker's driver runs in the Attacker's Enclave with its own FILE_OBJECT for hijacker.txt; the OS kernel and other drivers run in the Default Enclave with their Internal Data and the OS and Other Data. When open_by_hijacking tries to reach the Boss's FILE_OBJECT, MemoryRanger prevents the illegal access.
DEMO: THE ATTACK PREVENTION
The online version is here –
https://www.youtube.com/watch?v=8ONmC5Do4I4?vq=hd1080
MEMORY RANGER ARCHITECTURE
Figure (slide build): MemoryRanger consists of a driver and a hypervisor.
▪ OS events: a new driver is loaded; a kernel API function is called; an access to the protected data triggers an EPT violation. The driver receives the OS event notifications.
▪ DdiMon hooks the kernel API routines.
▪ MemoryMonRWX traps the EPT violations.
▪ The Memory Access Policy (MAP) is held in ISOLATED_MEM_ENCLAVE and PROTECTED_MEMORY structures (several instances of each are shown).
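To make the three EPT features and the enclave policy above concrete, here is an added C model (not MemoryRanger's or HyperPlatform's code): one EPT per enclave, an EPT pointer switched when a driver's code runs, a policy update applied when a protected object is allocated, and a violation handler that either denies the access or redirects it to a fake page. Page numbers, enclave ids, the hook names and the scenario are constructed for illustration.

```c
#include <stdbool.h>
#include <stdio.h>

/* Toy model of per-enclave EPTs. Guest page numbers, enclave ids and the fake page are
 * constructed; the real system programs VT-x EPT entries through HyperPlatform. */
enum { PG_OS = 0, PG_BOSS_FILEOBJ = 1, PG_ATTACKER_FILEOBJ = 2, PG_FAKE = 3, NPAGES = 4 };
enum { PERM_R = 1, PERM_W = 2, PERM_X = 4 };
enum { ENC_DEFAULT = 0, ENC_BOSS = 1, ENC_ATTACKER = 2, NENCLAVES = 3 };
enum { ACCESS_DENIED = -1 };

typedef struct { int host_page; unsigned perm; } EPT_ENTRY;   /* one entry per guest page */
typedef struct { EPT_ENTRY e[NPAGES]; } EPT;

static EPT g_ept[NENCLAVES];        /* feature 3: several EPTs with different settings */
static int g_eptp = ENC_DEFAULT;    /* the EPT pointer currently loaded */
static unsigned g_violations;

unsigned ept_violations(void) { return g_violations; }

/* Feature 2: EPT settings change at run time. Called when a driver allocates a protected
 * object (the hook on the allocation API would report it); the allocating enclave and the
 * OS enclave keep read/write access, every other enclave loses the page. */
void on_protected_alloc(int page, int allocator)
{
    for (int e = 0; e < NENCLAVES; e++) {
        g_ept[e].e[page].host_page = page;                 /* identity mapping */
        g_ept[e].e[page].perm = (e == allocator || e == ENC_DEFAULT) ? (PERM_R | PERM_W) : 0;
    }
}

/* Initial state: every enclave sees every page identity-mapped with full rights,
 * then the two FILE_OBJECT pages are placed under the policy. */
void init_enclaves(void)
{
    g_violations = 0;
    g_eptp = ENC_DEFAULT;
    for (int e = 0; e < NENCLAVES; e++)
        for (int p = 0; p < NPAGES; p++)
            g_ept[e].e[p] = (EPT_ENTRY){ p, PERM_R | PERM_W | PERM_X };
    on_protected_alloc(PG_BOSS_FILEOBJ, ENC_BOSS);
    on_protected_alloc(PG_ATTACKER_FILEOBJ, ENC_ATTACKER);
}

/* When control passes to a driver's code, the hypervisor loads that driver's EPT. */
void on_driver_scheduled(int enclave) { g_eptp = enclave; }

/* Feature 1: a guest access is checked against the current EPT. A permitted access reaches
 * the real host page; a violation exits to the hypervisor, which either denies it
 * (MemoryRanger's policy) or redirects it to the fake page. */
int guest_access(int page, unsigned kind, bool redirect_to_fake)
{
    const EPT_ENTRY *en = &g_ept[g_eptp].e[page];
    if (en->perm & kind)
        return en->host_page;
    g_violations++;                                       /* EPT violation: VM exit */
    return redirect_to_fake ? PG_FAKE : ACCESS_DENIED;
}

/* The slide's scenario end to end: true when the Boss's object is reachable from the
 * Boss's enclave and the OS enclave but not from the Attacker's enclave. */
bool hijack_is_prevented(void)
{
    init_enclaves();
    on_driver_scheduled(ENC_BOSS);
    bool boss_ok = guest_access(PG_BOSS_FILEOBJ, PERM_W, false) == PG_BOSS_FILEOBJ;
    on_driver_scheduled(ENC_ATTACKER);
    bool attacker_blocked = guest_access(PG_BOSS_FILEOBJ, PERM_R, false) == ACCESS_DENIED;
    bool attacker_own_ok  = guest_access(PG_ATTACKER_FILEOBJ, PERM_R, false) == PG_ATTACKER_FILEOBJ;
    on_driver_scheduled(ENC_DEFAULT);
    bool os_ok = guest_access(PG_BOSS_FILEOBJ, PERM_R, false) == PG_BOSS_FILEOBJ;
    return boss_ok && attacker_blocked && attacker_own_ok && os_ok;
}

int main(void)
{
    printf("hijack prevented: %s, EPT violations: %u\n",
           hijack_is_prevented() ? "yes" : "no", ept_violations());
    return 0;
}
```

The design choice worth noting is that nothing in the attacker's enclave is told "no" by the OS: the page simply is not mapped for that EPT, so the copy of the FILE_OBJECT fields never reaches the page, and the only visible side effect is the EPT violation the hypervisor counts.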
MEMORY RANGER BENCHMARKS: MEMORY ACCESS TIME
Chart: time of a driver's reads/writes to protected memory (values as given on the slide, unit not stated; chart axis 0–5 x100000):
  Enabled Cache    70±2
  Disabled Cache   100.000±4.000
  AllMemPro*       500.000±10.000
  MemoryRanger     170.000±7.000
* AllMemPro details - http://bit.ly/AllMemPro
THE CURRENT SITUATION WITH ATTACKS ON WINDOWS MEMORY
Table (slide build, text recovered from the diagram) – memory regions against the integrity and confidentiality protections that cover them:
▪ OS Code and Drivers code – covered by Device Guard.
▪ Dynamically Allocated Data by the OS – LDR_DATA_TABLE_ENTRY structures (PsLoadedModuleList), DRIVER_OBJECT structures (MajorFunction[]), EPROCESS structures (PsActiveProcessLinks, Token) – covered by Patch Guard (skipped in this talk); FILE_OBJECT structures – marked "?" on the slide.
▪ Drivers allocations (Allocated data) – marked "?" on the slide.
CONCLUSION
▪ All modern Windows OSes are vulnerable to FILE_OBJECT hijacking
▪ MemoryRanger prevents the hijacking attack by running drivers in isolated memory enclaves
▪ Research is ongoing
Thank you!
Igor Korkin igor.korkin@gmail.com
All the details & my CV are here igorkorkin.blogspot.com
MEMORY RANGER HISTORY
Figure (timeline, Step 1 to Step 5): HyperPlatform → MemoryMonRWX → AllMemPro → MemoryRanger → MemoryRanger with a new feature, prevention of the FILE_OBJECT attack; each step builds on HyperPlatform.
1. Korkin, I., & Tanda, S. (2016). Monitoring & Controlling Kernel-Mode Events by HyperPlatform. REcon, Canada.
2. Korkin, I., & Tanda, S. (2017). Detect Kernel-Mode Rootkits via Real Time Logging & Controlling Memory Access. ADFSL, USA.
3. Korkin, I. (2018). Hypervisor-Based Active Data Protection for Integrity and Confidentiality of Dynamically Allocated Memory in Windows Kernel. ADFSL, USA.
4. Korkin, I. (2018). Divide et Impera: MemoryRanger Runs Drivers in Isolated Kernel Spaces. BlackHat, UK.
5. Korkin, I. (2019). MemoryRanger Prevents Hijacking FILE_OBJECT Structures in Windows Kernel. ADFSL, USA.

Agentic AI : A Practical Guide. Undersating, Implementing and Scaling Autono...
PDF
System and Network Administraation Chapter 3
PDF
Design an Analysis of Algorithms I-SECS-1021-03
PDF
How Creative Agencies Leverage Project Management Software.pdf
PDF
2025 Textile ERP Trends: SAP, Odoo & Oracle
PPTX
history of c programming in notes for students .pptx
PPTX
ai tools demonstartion for schools and inter college
PPTX
CHAPTER 2 - PM Management and IT Context
PDF
T3DD25 TYPO3 Content Blocks - Deep Dive by André Kraus
PDF
Addressing The Cult of Project Management Tools-Why Disconnected Work is Hold...
PPTX
Lecture 3: Operating Systems Introduction to Computer Hardware Systems
PPTX
Operating system designcfffgfgggggggvggggggggg
PPTX
L1 - Introduction to python Backend.pptx
PDF
AI in Product Development-omnex systems
PPTX
Introduction to Artificial Intelligence
PDF
Internet Downloader Manager (IDM) Crack 6.42 Build 42 Updates Latest 2025
PPTX
Reimagine Home Health with the Power of Agentic AI​
PDF
Flood Susceptibility Mapping Using Image-Based 2D-CNN Deep Learnin. Overview ...
PDF
Why TechBuilder is the Future of Pickup and Delivery App Development (1).pdf
Adobe Illustrator 28.6 Crack My Vision of Vector Design
Agentic AI : A Practical Guide. Undersating, Implementing and Scaling Autono...
System and Network Administraation Chapter 3
Design an Analysis of Algorithms I-SECS-1021-03
How Creative Agencies Leverage Project Management Software.pdf
2025 Textile ERP Trends: SAP, Odoo & Oracle
history of c programming in notes for students .pptx
ai tools demonstartion for schools and inter college
CHAPTER 2 - PM Management and IT Context
T3DD25 TYPO3 Content Blocks - Deep Dive by André Kraus
Addressing The Cult of Project Management Tools-Why Disconnected Work is Hold...
Lecture 3: Operating Systems Introduction to Computer Hardware Systems
Operating system designcfffgfgggggggvggggggggg
L1 - Introduction to python Backend.pptx
AI in Product Development-omnex systems
Introduction to Artificial Intelligence
Internet Downloader Manager (IDM) Crack 6.42 Build 42 Updates Latest 2025
Reimagine Home Health with the Power of Agentic AI​
Flood Susceptibility Mapping Using Image-Based 2D-CNN Deep Learnin. Overview ...
Why TechBuilder is the Future of Pickup and Delivery App Development (1).pdf

MemoryRanger Prevents Hijacking FILE_OBJECT Structures in Windows Kernel

  • 1. Igor Korkin 2019 ADFSL Conference MemoryRanger Prevents Hijacking FILE_OBJECT structures in Windows Kernel
  • 2. WHOAMI ▪MEPhI Alumni, PhD in Cyber Security ▪ Area of interest is Windows Kernel security: ▪ Memory Forensics ▪ Rootkits Detection ▪ Bare-Metal Hypervisors ▪ Fan of cross-disciplinary research - igorkorkin.blogspot.com ▪ Love traveling and powerlifting - igor.korkin
  • 4-7. AGENDA ▪ FILE_OBJECT hijacking: details and demo ▪ A history of related OS components and memory protection issues ▪ MemoryRanger hypervisor protects sensitive kernel memory
  • 8. File Manager in Kernel Mode
  • 10-11. ZWCREATEFILE ROUTINE: NTSTATUS ZwCreateFile(..., ShareAccess, ...); – The ShareAccess parameter determines whether other drivers can access the file while this open is outstanding. – Calling ZwCreateFile with ShareAccess=0 gives the caller exclusive access to the file: any later open of the same file by another driver is refused.
  • 13-14. The Boss's Driver vs. The Attacker's Driver: the Boss's driver calls ZwCreateFile(budget.txt, ShareAccess=0), so budget.txt is opened in exclusive mode.
  • 15-20. FILE SYSTEM ROUTINES IN WINDOWS KERNEL: ZwCreateFile(budget.txt, ShareAccess=0) is handled by the OS kernel components in turn: the I/O Manager, the Object Manager, the Security Reference Monitor (which checks the file's access control list) and the File System Drivers, before budget.txt is reached.
  • 21-22. A second driver's ZwCreateFile() on budget.txt (the hijacker) is refused with STATUS_SHARING_VIOLATION (code 0xC0000043).
  • 23-24. The successful ZwCreateFile() returns a File Handle that is backed by a FILE_OBJECT; the later ZwReadFile() and ZwWriteFile() calls refer to that handle and reach budget.txt through the FILE_OBJECT.
  • 25-28. "Hey! I'm a hacker-attacker!" FILE_OBJECT hijacking: 1. Create a file: the attacker's driver calls ZwCreateFile(hijacker.txt) and receives its own File Handle and FILE_OBJECT. 2. Copy: it copies the fields of the FILE_OBJECT for budget.txt into the FILE_OBJECT for hijacker.txt. 3. ZwReadFile()/ZwWriteFile() through the attacker's handle now operate on budget.txt, although the attacker's driver never passed the share check.
  • 29. JUST 4 CRUCIAL FIELDS FOR FILES HIJACKING typedef struct _FILE_OBJECT { … PVPB Vpb; PVOID FsContext; PVOID FsContext2; PSECTION_OBJECT_POINTERS SectionObjectPointer; … } FILE_OBJECT; • The Vpb field points to the mounted Volume Parameter Block (VPB) associated with the target device object. • FsContext points to the FSRTL_COMMON_FCB_HEADER structure, which has to be allocated by the file system driver. • FsContext2 refers to the Context Control Block (CCB) associated with the file object. • SectionObjectPointer stores file-mapping and caching-related information for the file stream.
  • 30-31. THE ATTACK (User mode / Kernel mode / Hard Disk Driver). Attempt 1: The Legal Access: the Boss's driver calls ZwCreateFile() on budget.txt with ShareAccess=0 and gets a FILE_OBJECT; the Attacker's driver's own ZwCreateFile() on budget.txt goes through the OS components and fails with an access violation (the sharing violation). Attempt 2: The Hijacking Attack: the Attacker's driver opens hijacker.txt, obtains a FILE_OBJECT for it, and open_by_hijacking copies the Boss's FILE_OBJECT into it; the OS components then carry the attacker's I/O to budget.txt on the hard disk.
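The share-mode arbitration described on slides 10-28 and the four-field copy on slide 29, as an added user-mode C model; this is not code from the talk or from MemoryRanger. It reimplements the documented IoCheckShareAccess rules over a toy file control block so the sharing violation and the hijack can be run side by side on any platform. The constants carry their Windows SDK values but are redeclared locally; fcb_t, file_object_t, open_file, hijack and read_through are stand-ins for the kernel's real structures and for the I/O path behind ZwCreateFile/ZwReadFile, and the file contents are constructed for the example.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Windows SDK values, redeclared locally so the model builds on any platform. */
typedef uint32_t NTSTATUS_T;
#define STATUS_SUCCESS 0x00000000u
#define STATUS_SHARING_VIOLATION 0xC0000043u
#define FILE_READ_DATA 0x1u
#define FILE_WRITE_DATA 0x2u
#define FILE_APPEND_DATA 0x4u
#define FILE_EXECUTE 0x20u
#define DELETE 0x10000u
#define FILE_SHARE_READ 0x1u
#define FILE_SHARE_WRITE 0x2u
#define FILE_SHARE_DELETE 0x4u

/* Per-stream share bookkeeping, the shape of the kernel's SHARE_ACCESS. */
typedef struct { uint32_t open_count, readers, writers, deleters,
                          shared_read, shared_write, shared_delete; } share_access_t;

/* Toy file control block: what FsContext points at (a real FCB starts with FSRTL_COMMON_FCB_HEADER). */
typedef struct { share_access_t share; char data[64]; } fcb_t;

/* Only the four FILE_OBJECT fields the slide calls out. */
typedef struct { void *vpb; fcb_t *fs_context; void *fs_context2; void *section_object_pointer; } file_object_t;

/* Model of IoCheckShareAccess(..., Update=TRUE): refuse an open that conflicts with the
 * opens already recorded, otherwise record it. Both directions are tested (my access vs.
 * their share mode, my share mode vs. their access), which is why ShareAccess=0 is exclusive. */
NTSTATUS_T check_and_update_share(share_access_t *s, uint32_t desired, uint32_t share)
{
    uint32_t rd = (desired & (FILE_READ_DATA | FILE_EXECUTE)) != 0;
    uint32_t wr = (desired & (FILE_WRITE_DATA | FILE_APPEND_DATA)) != 0;
    uint32_t de = (desired & DELETE) != 0;
    uint32_t sr = (share & FILE_SHARE_READ) != 0, sw = (share & FILE_SHARE_WRITE) != 0;
    uint32_t sd = (share & FILE_SHARE_DELETE) != 0;

    if (!rd && !wr && !de) return STATUS_SUCCESS;   /* nothing to arbitrate */
    if ((rd && s->shared_read < s->open_count) || (wr && s->shared_write < s->open_count) ||
        (de && s->shared_delete < s->open_count) ||
        (s->readers && !sr) || (s->writers && !sw) || (s->deleters && !sd))
        return STATUS_SHARING_VIOLATION;

    s->open_count++;
    s->readers += rd; s->writers += wr; s->deleters += de;
    s->shared_read += sr; s->shared_write += sw; s->shared_delete += sd;
    return STATUS_SUCCESS;
}

/* Legal path: the share check runs before the FILE_OBJECT is wired to the stream. */
NTSTATUS_T open_file(file_object_t *fo, fcb_t *target, uint32_t desired, uint32_t share)
{
    NTSTATUS_T st = check_and_update_share(&target->share, desired, share);
    if (st == STATUS_SUCCESS) fo->fs_context = target;
    return st;
}

/* The attack: no check at all, just copy the four fields out of the victim's FILE_OBJECT. */
void hijack(file_object_t *mine, const file_object_t *victim)
{
    mine->vpb = victim->vpb;
    mine->fs_context = victim->fs_context;
    mine->fs_context2 = victim->fs_context2;
    mine->section_object_pointer = victim->section_object_pointer;
}

/* Serve a read the way a file system driver does for ZwReadFile: via FsContext, no share check. */
const char *read_through(const file_object_t *fo) { return fo->fs_context ? fo->fs_context->data : ""; }

/* Returns 1 when the hijacked FILE_OBJECT reaches the exclusively opened data. */
int run_scenario(void)
{
    fcb_t budget = {0};                            /* constructed sample file */
    file_object_t boss = {0}, attacker = {0};
    strcpy(budget.data, "budget.txt: Q3 total 1,000,000");

    /* The Boss's driver: read/write, ShareAccess=0. */
    if (open_file(&boss, &budget, FILE_READ_DATA | FILE_WRITE_DATA, 0) != STATUS_SUCCESS) return -1;
    /* Attempt 1: even a read-only, read-shared open by the attacker is refused. */
    if (open_file(&attacker, &budget, FILE_READ_DATA, FILE_SHARE_READ) != STATUS_SHARING_VIOLATION) return -2;
    /* Attempt 2: hijack; the share bookkeeping is never consulted. */
    hijack(&attacker, &boss);
    return strcmp(read_through(&attacker), budget.data) == 0;
}

/* Two readers that both permit shared reads coexist: the check is arbitration, not a lock. */
int shared_readers_coexist(void)
{
    fcb_t f = {0};
    file_object_t a = {0}, b = {0};
    return open_file(&a, &f, FILE_READ_DATA, FILE_SHARE_READ) == STATUS_SUCCESS &&
           open_file(&b, &f, FILE_READ_DATA, FILE_SHARE_READ) == STATUS_SUCCESS;
}

int main(void)
{
    printf("hijack reaches exclusive data: %d\n", run_scenario());
    return 0;
}
```

The point the model makes is that ShareAccess is enforced once, at open time, by bookkeeping hanging off the stream that FsContext points to; nothing on the read/write path re-checks it, so a FILE_OBJECT whose four pointers were copied from a legitimately opened one is indistinguishable from the original to the file system driver.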
  • 32. DEMO: THE ATTACK The online version is here – https://www.youtube.com/watch?v=2mU85RluOSA?vq=hd1080
  • 33-35. THE ANALYSIS OF THE ATTACK ▪ All Windows OSes since NT 4.0 are vulnerable to FILE_OBJECT hijacking. ▪ 1993: the first mention of the Object Manager and Security Reference Monitor (Windows NT: The Next Generation, by Len Feldman, March 1, 1993). ▪ 1965: the first memory isolation concept, Multics*, was developed for the General Electric 645 mainframe; Multics joined the ARPANET and gave rise to Unix. Fernando Corbato and Victor Vyssotsky, two fathers of Multics. *DOI: http://dx.doi.org/10.1145/1463891.1463912
  • 36-44. THE FILE_OBJECT PROTECTION VIA ENCRYPTION (Boss's Driver, Attacker's Driver, FILE_OBJECT): 1. Encrypt the FILE_OBJECT 2. Trap legal access 3. Decrypt the FILE_OBJECT 4. Wait for the file operation to complete 5. Go to step 1. Slides 43-44 show this five-step cycle repeated for every legal access.
  • 45-48. WINDOWS KERNEL MEMORY: OS Kernel Code, OS Kernel Structures, the Boss's Driver with its FILE_OBJECT and the Attacker's Driver with its FILE_OBJECT all live in one shared kernel address space.
  • 49-52. PROCESSING MEMORY ACCESS: EPT FEATURE. VT-x without EPT: Guest Virtual Address V → (guest paging structures) → Guest Physical Address G; the Host Physical Address is H = G, so the hypervisor does not mediate the final address. VT-x with EPT: V → (guest paging structures) → G → (EPT paging structures) → H = EPT(G).
  • 53-54. EPT PAGING STRUCTURES: the EPT tables end in EPT page table entries, one per page (EPT Entry for Page A, Page B, …, Page Z); the entry for Page A maps Page A's Guest Physical Address to Page A's Host Physical Address.
  • 55-61. EPT MAIN FEATURES 1. Using EPT we can trap read/write/execute access attempts and redirect them from the secret page to a fake one: normally an access to a Guest Page goes straight to its Host Page and the hypervisor does not react; with the EPT entry's permissions cleared the hypervisor traps all these access attempts, and it can point the Guest Page at a Fake Page instead. 2. EPT memory settings can be updated in real time. 3. We can dynamically allocate several EPTs with different memory settings and switch between them in real time.
  • 62-63. WINDOWS KERNEL MEMORY with MemoryRanger: an Enclave for the OS kernel (OS Kernel Code, OS Kernel Structures), an Enclave for the Boss's Driver (with its FILE_OBJECT) and an Enclave for the Attacker's Driver (with its FILE_OBJECT).
  • 64-74. MEMORY RANGER PREVENTS FILE_OBJECT HIJACKING. Current Situation: OS Code, OS Structs, the Boss's FILE_OBJ and the Attacker's FILE_OBJ share one memory view. With MemoryRanger there are three views, one EPT each: the Default enclave for the OS (OS Code, OS Structs), the Enclave for the Boss's Driver (OS Code, OS Structs, The Boss, the Boss's FILE_OBJ) and the Enclave for the Attacker's Driver (OS Code, OS Structs, the Attacker, the Attacker's FILE_OBJ). The EPT pointer selects which enclave is active; each driver's enclave maps that driver's own FILE_OBJ, and the other driver's FILE_OBJ is not reachable from it.
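A portable C model of the EPT mechanics on slides 49-61 and of the per-driver enclaves on slides 62-74, added here as an illustration; it is not MemoryRanger's code (which is built on HyperPlatform) and it flattens the four-level EPT into a list of leaf entries. The leaf bits 0-2 and the address mask match the EPT entry layout from the Intel SDM; host_mem, ranger_t, ranger_protect and the page layout in run_enclave_scenario are constructed for the example.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define PAGE_SHIFT 12
#define PAGE_SIZE (1u << PAGE_SHIFT)
/* EPT leaf-entry bits: bit 0 read, bit 1 write, bit 2 execute, bits 12..51 host page number. */
#define EPT_R 0x1ull
#define EPT_W 0x2ull
#define EPT_X 0x4ull
#define EPT_RWX (EPT_R | EPT_W | EPT_X)
#define EPT_ADDR_MASK 0x000FFFFFFFFFF000ull
#define HOST_FRAMES 8
#define MAX_LEAVES 16
#define MAX_ENCLAVES 4

/* Host "physical memory": a few 4 KiB frames, indexed by host PA >> 12 (constructed). */
static uint8_t host_mem[HOST_FRAMES][PAGE_SIZE];

/* One EPT, flattened to a list of leaf entries (a real EPT is a 4-level table). */
typedef struct { uint64_t gpa_page; uint64_t pte; } ept_leaf_t;
typedef struct { ept_leaf_t leaves[MAX_LEAVES]; int n; } ept_t;

static ept_leaf_t *ept_find(ept_t *e, uint64_t gpa)
{
    for (int i = 0; i < e->n; i++)
        if (e->leaves[i].gpa_page == (gpa >> PAGE_SHIFT)) return &e->leaves[i];
    return NULL;
}

/* Map (or remap) one guest page to a host page with the given permissions. */
int ept_map(ept_t *e, uint64_t gpa, uint64_t hpa, uint64_t perms)
{
    ept_leaf_t *l = ept_find(e, gpa);
    if (!l) {
        if (e->n == MAX_LEAVES) return -1;
        l = &e->leaves[e->n++];
        l->gpa_page = gpa >> PAGE_SHIFT;
    }
    l->pte = (hpa & EPT_ADDR_MASK) | (perms & EPT_RWX);
    return 0;
}

/* Second-stage translation: host pointer for the access, or NULL for an EPT violation (VM exit). */
uint8_t *ept_access(ept_t *e, uint64_t gpa, uint64_t access)
{
    ept_leaf_t *l = ept_find(e, gpa);
    if (!l || (l->pte & access) != access) return NULL;
    uint64_t hpa = (l->pte & EPT_ADDR_MASK) | (gpa & (PAGE_SIZE - 1));
    return &host_mem[hpa >> PAGE_SHIFT][hpa & (PAGE_SIZE - 1)];
}

/* MemoryRanger-style enclaves: one EPT per driver, selected via the EPT pointer when that
 * driver runs. Enclave 0 stands for the default enclave (OS kernel and other drivers). */
typedef struct { ept_t epts[MAX_ENCLAVES]; int n; uint64_t fake_hpa; } ranger_t;

void ranger_init(ranger_t *r, uint64_t fake_hpa, int enclaves)
{ memset(r, 0, sizeof *r); r->n = enclaves; r->fake_hpa = fake_hpa; }

/* Identity-map a shared page (OS code/structs) into every enclave. */
void ranger_share(ranger_t *r, uint64_t gpa, uint64_t perms)
{
    for (int i = 0; i < r->n; i++) ept_map(&r->epts[i], gpa, gpa, perms);
}

/* Protect an allocation: the owner keeps the real mapping; every other enclave is redirected
 * to the fake page, so foreign reads see filler and foreign writes never touch the secret. */
void ranger_protect(ranger_t *r, int owner, uint64_t gpa)
{
    for (int i = 0; i < r->n; i++)
        ept_map(&r->epts[i], gpa, i == owner ? gpa : r->fake_hpa, EPT_R | EPT_W);
}

/* Returns 1 when the Boss reads its FILE_OBJECT back while the attacker only reaches the fake page. */
int run_enclave_scenario(void)
{
    enum { OS = 0, BOSS = 1, ATTACKER = 2 };
    const uint64_t fake = 0x0000, os_page = 0x1000, boss_fo = 0x2000;   /* constructed layout */
    ranger_t r;
    ranger_init(&r, fake, 3);
    memset(host_mem, 0, sizeof host_mem);
    ranger_share(&r, os_page, EPT_RWX);

    /* The Boss's driver allocates its FILE_OBJECT page; the hooked allocator protects it at once. */
    ranger_protect(&r, BOSS, boss_fo);
    uint8_t *p = ept_access(&r.epts[BOSS], boss_fo + 0x30, EPT_W);
    if (!p) return -1;
    memcpy(p, "FsContext->budget.txt", 22);

    const uint8_t *boss_view = ept_access(&r.epts[BOSS], boss_fo + 0x30, EPT_R);
    const uint8_t *attacker_view = ept_access(&r.epts[ATTACKER], boss_fo + 0x30, EPT_R);
    if (!boss_view || !attacker_view) return -2;
    /* Executing from the FILE_OBJECT page is never granted, even to the owner. */
    if (ept_access(&r.epts[BOSS], boss_fo, EPT_X) != NULL) return -3;
    return memcmp(boss_view, "FsContext->budget.txt", 22) == 0 && attacker_view[0] == 0;
}

int main(void) { printf("enclaves isolate the FILE_OBJECT: %d\n", run_enclave_scenario()); return 0; }
```

The attacker's open_by_hijacking routine from the talk would run inside the attacker's enclave, so the copy it performs reads the fake page rather than the Boss's FILE_OBJECT; the same guest physical address resolves to different host frames depending on which EPT the hypervisor has loaded.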
  • 75-76. DEMO: PREVENTING THE HIJACKING. Attempt 2: The Hijacking Attack (no MemoryRanger): the Boss's driver calls ZwCreateFile() with ShareAccess=0 on budget.txt and gets a FILE_OBJECT; the Attacker's driver opens hijacker.txt and open_by_hijacking copies the Boss's FILE_OBJECT, all through the same OS components. Preventing the Hijacking Attack (with MemoryRanger): Allocator's Enclave (the Boss's driver, its FILE_OBJECT for budget.txt, Internal Data); Attacker's Enclave (the Attacker's driver with open_by_hijacking, its FILE_OBJECT for hijacker.txt, Internal Data); Default Enclave (OS kernel and other drivers, OS Components, OS and Other Data).
  • 77. DEMO: THE ATTACK PREVENTION The online version is here – https://www.youtube.com/watch?v=8ONmC5Do4I4?vq=hd1080
  • 78-80. Preventing the Hijacking Attack: MemoryRanger prevents illegal access from the Attacker's Enclave to the FILE_OBJECT in the Allocator's Enclave, so open_by_hijacking cannot read the Boss's FILE_OBJECT.
  • 82-88. MEMORY RANGER ARCHITECTURE. OS events: a new driver is loaded; a kernel API function is called; an access to the protected data triggers an EPT violation. Memory Ranger: the driver receives OS event notifications (new driver loaded); DdiMon hooks kernel API routines (allocation calls); MemoryMonRWX in the hypervisor traps EPT violations. MemoryRanger keeps an ISOLATED_MEM_ENCLAVE record per driver and a PROTECTED_MEMORY record per protected allocation, and the Memory Access Policy (MAP) decides whether a trapped access is allowed.
  • 89-95. MEMORY RANGER BENCHMARKS: MEMORY ACCESS TIME (driver reads/writes to protected memory; figures as printed on the slide, plotted on an axis from 0 to 5 at a scale of x100000, no unit given): Enabled Cache: 70±2; Disabled Cache: 100.000±4.000; AllMemPro*: 500.000±10.000; MemoryRanger: 170.000±7.000. * AllMemPro details - http://bit.ly/AllMemPro
  • 96-111. THE CURRENT SITUATION WITH ATTACKS ON WINDOWS MEMORY (Memory Regions vs. Integrity / Confidentiality; a "?" is the slide's mark for a region no shipped mechanism covers):
    Code (OS Code, Drivers code): Integrity – Device Guard; Confidentiality – no entry.
    Dynamically Allocated Data by the OS (LDR_DATA_TABLE_ENTRY structures / PsLoadedModuleList, DRIVER_OBJECT structures / MajorFunction[], EPROCESS structures / PsActiveProcessLinks and Token, FILE_OBJECT structures): Integrity – Patch Guard (skipped); Confidentiality – ?
    Drivers allocations (Allocated data): Integrity – ?; Confidentiality – ?
  • 112. CONCLUSION ▪ All modern Windows OSes are vulnerable to FILE_OBJECT hijacking ▪ MemoryRanger prevents the hijacking attack by running drivers in isolated memory enclaves ▪ Research is ongoing
  • 113. Thank you! Igor Korkin igor.korkin@gmail.com All the details & my CV are here igorkorkin.blogspot.com
  • 114. MEMORY RANGER HISTORY: Step 1 HyperPlatform (REcon) → Step 2 MemoryMonRWX on HyperPlatform → Step 3 AllMemPro on MemoryMonRWX and HyperPlatform → Step 4 MemoryRanger on MemoryMonRWX and HyperPlatform → Step 5 MemoryRanger with a new feature: prevention of the FILE_OBJECT attack. 1. Korkin, I., & Tanda, S. (2016). Monitoring & controlling kernel-mode events by HyperPlatform. REcon, Canada. 2. Korkin, I., & Tanda, S. (2017). Detect Kernel-Mode Rootkits via Real Time Logging & Controlling Memory Access. ADFSL, USA. 3. Korkin, I. (2018). Hypervisor-Based Active Data Protection for Integrity and Confidentiality of Dynamically Allocated Memory in Windows Kernel. ADFSL, USA. 4. Korkin, I. (2018). Divide et Impera: MemoryRanger Runs Drivers in Isolated Kernel Spaces. Black Hat Europe, UK. 5. Korkin, I. (2019). MemoryRanger Prevents Hijacking FILE_OBJECT structures in Windows Kernel. ADFSL, USA.