<i><b>
@@ All the updates will be soon @@
</b></i>
Updated MemoryRanger: Hijacking Is Not An Option
Updated MemoryRanger prevents the following new attacks:
- <b>Hijacking of NTFS structures</b> gains unauthorized access to files opened without shared access by patching Stream Control Block (SCB) structures;
- <b>Handle Hijacking Attack</b> gains illegal access to exclusively opened files by patching handle table entries;
- <b>Token Hijacking Attack</b> elevates process privileges without using the token-swapping technique.
News:
- Demos of Handle Hijacking and Token Hijacking, and of their prevention, on the newest <b>Windows 10 1903</b> are below.
- Demos of Hijacking of NTFS structures are coming soon.
- Updated MemoryRanger implements a <b>special memory enclave that protects sensitive kernel data</b>, e.g. token structures, from being tampered with by any driver; the scheme is below.
Handle Hijacking Attack and its prevention are here:
Token Hijacking Attack and its prevention are here:
MemoryRanger
The MemoryRanger hypervisor moves newly loaded drivers into isolated kernel spaces by using VT-x and EPT. MemoryRanger has been presented at Black Hat Europe 2018 and CDFSL 2019. MemoryRanger runs each driver inside a separate enclave to protect the following kernel-mode areas:
- allocated data, drivers code, and EPROCESS.token fields (BlackHat 2018);
- FILE_OBJECT structures (CDFSL 2019).
MemoryRanger at the CDFSL 2019:
<img src="https://github.com/IgorKorkin/MemoryRanger/blob/master/cdfsl2019_memoryranger_prevents_fileobj_hijacking.png" width="700" />
- demonstration of illegal access to an exclusively opened file via FILE_OBJECT hijacking;
- prevention of FILE_OBJECT hijacking;
- paper, slides, demos are here.
MemoryRanger at the Black Hat Europe 2018
- demonstration of illegal access to allocated data, drivers code, and EPROCESS.token field;
- protection of the dynamically allocated data;
- preventing newly loaded drivers from escalating process privileges;
- paper, slides, demos are here.
Details
MemoryRanger hypervisor is based on these projects: