Windows内核劫持不是一个选项MemoryRanger再次出手相救

版权申诉

windows

82 浏览量 2022-01-19 13:25:21 上传评论收藏 424KB PDF 举报

资源推荐

资源详情

资源评论

WINDOWS KERNEL HIJACKING IS NOT AN OPTION:

MEMORYRANGER COMES TO THE RESCUE AGAIN

Igor Korkin, PhD

Independent Researcher

Moscow, Russian Federation

igor.korkin@gmail.com

ABSTRACT

The security of a computer system depends on OS kernel protection. It is

crucial to reveal and inspect new attacks on kernel data, as these are used by

hackers. The purpose of this paper is to continue research into attacks on

dynamically allocated data in the Windows OS kernel and demonstrate the

capacity of MemoryRanger to prevent these attacks. This paper discusses three

new hijacking attacks on kernel data, which are based on bypassing OS security

mechanisms. The first two hijacking attacks result in illegal access to files open in

exclusive access. The third attack escalates process privileges, without applying

token swapping. Although Windows security experts have issued new protection

features, access attempts to the dynamically allocated data in the kernel are not

fully controlled. MemoryRanger hypervisor is designed to fill this security gap.

The updated MemoryRanger prevents these new attacks as well as supporting the

Windows 10 1903 x64.

Keywords: hypervisor-based protection, Windows kernel, hijacking attacks

on memory, memory isolation, Kernel Data Protection.

1. INTRODUCTION

The security of users’ data and

applications depends on the security of

the OS kernel code and data. Modern

operating systems include millions of

lines of code, which makes it

impossible to reveal and remediate all

vulnerabilities. Attackers can exploit

the OS vulnerabilities to perform

malicious actions. Windows OS kernel

remains one of the most desired targets

for hackers.

Another big challenge of OS

kernel protection is the third-party

kernel-mode drivers, which execute at

the same high privilege level as the OS

kernel, and they also include a variety

of vulnerabilities. Researchers

consider that “kernel modules (drivers)

introduce additional attack surface, as

they have full access to the kernel’s

address space” (Yitbarek and Austin,

2019).

At the recent DEF CON hacking

conference researchers from

Eclypsium released a list of more than

40 drivers from Microsoft-certified

hardware vendors, which are prone to

privilege escalation attacks (Jesse and

Shkatov, 2019).

Another vulnerability in a signed

third-party driver was presented at the

Blue Hat IL conference by security

experts from the Microsoft Defender

ATP Research Team. The vulnerable

driver uses a watchdog mechanism

based on user APC injection, which

can also be exploited by attackers to

bypass driver signature enforcement

and gain escalated privileges.

(Rapaport, 2019).

Recently revealed Banking trojan

“Banload”, which targets bank

customers in Brazil and Thailand,

applied a malicious kernel-mode

component to fight with anti-malware

and banking protection programs. This

digitally signed malware driver is

designed “to remove software drivers

and executables belonging to anti-

malware and banking protection

programs”, such as AVG, Avast, IBM

Trusteer Rapport (Bisson, 2019;

Kremez, 2019).

Kernel-mode drivers were also

used during the recent RobbinHood

ransomware attack. Hackers installed a

legitimate driver and exploited its

vulnerability to temporarily disable the

Windows OS driver signature

enforcement. Finally, they installed a

malicious kernel driver (Cimpanu,

2020).

Notorious cryptocurrency mining

malware also applies kernel-mode

rootkits to prevent them from being

terminated. Windows-based crypto

miner infected more than 50000

servers from 90 countries (Harpaz and

Goldberg, 2019; O'Donnell, 2019).

The Microsoft Security team do

their best to maintain a high level of

OS kernel protection by issuing

various security features, for example,

Microsoft Kernel Patch Protection

(KPP) aka PatchGuard etc. At the

same, time security researchers and

rootkit developers are discovering

different techniques to bypass

PatchGuard. The most notable of them

was GhostHook, which abused the

Intel Processor Trace (PT) feature to

overcome PatchGuard and patch the

kernel. Cimpanu (2019) underlines that

two recently published bypassing

techniques InfinityHook and ByePg

“establish a permanent foothold in the

kernel itself and open the door for the

return of rootkits on Windows 10”.

We can see that on the one hand,

all drivers and the OS kernel share the

same memory space, and on the other

hand, there are no built-in mechanisms

to restrict access to the kernel memory.

All drivers have full access to the

system and can be used by attackers.

Windows security features provide

limited kernel memory protection.

Threat model

Let us assume that using various

approaches, intruders are able to

execute malicious kernel code. This

paper analyses two types of attacks on

kernel data, which result in the

following, see Figure 1:

• gaining access to the files open

in an exclusive mode (Handle

Hijacking and Hijacking NTFS

data structures);

To prevent all these attacks on

Windows OS kernel data the updated

MemoryRanger hypervisor will be

presented.

MemoryRanger prevents attacks

on files by running newly loaded

drivers in separated kernel spaces as

well as restricting access to the

corresponding sensitive memory areas.

The newest key feature of

MemoryRanger allows it to run a

special data enclave for sensitive OS

kernel data, such as _TOKEN

structures. This enclave includes these

sensitive OS structures, OS kernel

core, and a limited number of OS

kernel built-in drivers. This new

scheme prevents illegal access from all

drivers whether loaded before and after

MemoryRanger.

The remainder of the paper is as

follows.

Section 2 provides the details of

the control flow and corresponding

internal data structures involved during

file operations in kernel mode. Two

examples of hijacking attacks on files

will be given.

Section 3 presents the details of

access control issues in the Windows

OS kernel and shows how attackers

can hijack the corresponding structure

in order to escalate the process

privileges.

Section 4 contains the details of

adapting MemoryRanger to prevent

these attacks.

Section 5 and Section 6 focus on

the main conclusions and further

research directions respectively.

2. TWO HIJACKING ATTACKS

ON THE FILES OPENED

WITHOUT SHARED ACCESS

This section describes the

internals of file operations in the

Windows OS kernel: data structures

and correlations between them. Two

given hijacking attacks make it

possible to illegally read and overwrite

the content of the file opened in an

exclusive mode. These two hijacking

attacks are based on modifying the OS

internal data structures involved in file

operations.

2.1. Control Flow and Internal Data

Structures Involved in Read and

Write File Operations

Windows OS provides four main

kernel API routines to create,

read/write, and close files:

ZwCreateFile, ZwReadFile,

ZwWriteFile, ZwClose.

During file operations, several OS

kernel components are involved

(Russinovich, Solomon, and Ionescu,

2012; Tanenbaum and Bos, 2014).

Each time a driver calls ZwCreateFile

the control goes to the following OS

kernel subsystems: I/O manager,

Object Manager, Security Reference

Monitor, NTFS driver, and finally, the

control goes to the low-level drivers,

such as Disk Filter Driver and Disk

Class Driver. These are in charge of

access to the physical disk.

The key features revealed by

Korkin (2019) are that Security

Reference Monitor checks access

rights to the file for ZwCreateFile

routine, while routines ZwReadFile,

ZwWriteFile are uncontrolled by the

Security Reference Monitor.

Once a file is created via calling

ZwCreateFile, the OS creates a file

handle, adds an entry to the Handle

Table, allocates file object, NTFS data,

and other structures. The created file

handle is returned to the caller and is

used as a key to read and write the

open file using functions ZwReadFile

and ZwWriteFile.

The details of the control flow and

internal data structures involved in

read and write file operations are given

in Figure 2. Using a file handle, the OS

traverses through the handle table to

acquire the file object. By reading file

object fields the OS locates control

block structures (NTFS data

structures) and moves to them. Disk

drivers access the opened file on a disk

by using NTFS data structures.

OS kernel treats read and write

file access by traversing through these

structures without any checks by

Security Reference Monitor.

This vulnerability can be used to

gain full illegal access to the files

opened without shared access. To

achieve it, intruders can create a file

hijacker and patch any of the

structures, see Figure 2.

As a result, all intruders’ access

attempts using the file hijacker handle

will be redirected by the OS to the

secret file, see Figure 3. This is the key

point of all hijacking attacks on files.

Intruders can modify the

following data to change the control

flow, the corresponding attacks are in

brackets:

• handle table entries (Handle

Table Hijacking);

• file object (Hijacking

FILE_OBJECT);

• NTFS data structures

(Hijacking NTFS structures).

A File Object Hijacking attack

was presented by Korkin (2019).

The next two subsections will

describe the details of Handle

Hijacking and Hijacking NTFS

structures.

剩余28页未读，继续阅读

评论收藏

内容反馈

版权申诉

易小侠

粉丝: 6453
资源: 9万+

Windows内核劫持不是一个选项MemoryRanger再次出手相救_Windows Kernel Hijacking Is

最新资源

Windows内核劫持不是一个选项MemoryRanger再次出手相救_Windows Kernel Hijacking Is

KEPLER__Facilitating_Control-flow_Hijacking_Primitive_Evaluat

Hijacking the Linux Kernel.pdf

mininet_tcp_hijacking:这是使用Mininet和Ettercap的TCP劫持（telnet）的演示

Android Hijacking（安卓劫持）

dt002g_Intent_Hijacking_Group10:该存储库保留了三个应用程序的最终实现，这些应用程序用于演示在现代Android设备中执行意图劫持的可能性

DNS hijacking without exploration.pdf

第一百一十三课：COM Hijacking1

Session Hijacking

dll-hijacking:dll代理

DLL-hijacking

Perl Advanced TCP Hijacking-开源

BlockJack通过区块链改进域间路由中IP前缀劫持攻击的预防_BlockJack Towards Improved Prev

android 反劫持

PyPI 官网下载 | probator-auditor-domain-hijacking-1.0.2.tar.gz

OpenSSH-Win32.zip

magnifier0day:Windows 10特权升级（magnifier.exe）通过Dll搜索顺序劫持

浅谈javascript函数劫持[转自xfocus]第1/3页

php.ini-development

Hack Proofing Your Network, Second Edition

Cobalt Strike下载

北京邮电大学计算机考研复试笔试资料

计算机系统-笔记-HUN2021级

cs1.6老版本供下载

合成孔径雷达的经典成像算法cs(matlab)仿真代码（吐血整理，内容全，注释全）

港大CS（MSC）面试整理

合成孔径雷达RD CS OmegaK算法点目标仿真.rar

计算机科学导论原书第二版答案.zip

Cobalt-Strike-4.5

cobaltstrike4.3.zip

最新资源