Abstract

Windows OS kernel memory is one of the main targets of cyber-attacks. By launching such attacks, hackers achieve process privilege escalation and tamper with users' data by accessing kernel-mode memory. This paper considers a new example of such an attack, which results in access to files that have been opened in exclusive mode. Windows built-in security features prevent such access, but attackers can circumvent them by patching dynamically allocated kernel objects. The research shows that the newest Windows 10 x64 is vulnerable to this attack. The paper provides an example of using MemoryRanger, a hypervisor-based solution that prevents this attack by running kernel-mode drivers in isolated kernel memory enclaves.

