Abstract
The security of a computer system depends on OS kernel protection. It is crucial to reveal and inspect new attacks on kernel data, as these are used by hackers. The purpose of this paper is to continue research into attacks on dynamically allocated data in the Windows OS kernel and demonstrate the capacity of MemoryRanger to prevent these attacks. This paper discusses three new hijacking attacks on kernel data, which are based on bypassing OS security mechanisms. The first two hijacking attacks result in illegal access to files open in exclusive access. The third attack escalates process privileges, without applying token swapping. Although Windows security experts have issued new protection features, access attempts to the dynamically allocated data in the kernel are not fully controlled. MemoryRanger hypervisor is designed to fill this security gap. The updated MemoryRanger prevents these new attacks as well as supporting the Windows 10 1903 x64.
References
[1] Barta, C. (2009). Access token stealing on Windows. Retrieved from https://docplayer.net/20917850-Access-token-stealing-on-windows-csaba-barta.html
[2] Bisht, S. (2020). Understanding and Abusing Process Tokens — Part II. Retrieved from https://securitytimes.medium.com/understanding-and-abusing-access-tokens-part-ii-b9069f432962
[3] Bisson, D. (March 6, 2019). Fileless Malware Targeting Brazilian and Thai Bank Customers With Multiple Threats. Security Intelligence. Retrieved from https://securityintelligence.com/news/fileless-malware-targeting-brazilian-and-thai-bank-customers-with-multiple-threats/
[4] Bui, J. (2019). Understanding and Defending Against Access Token Theft: Finding Alternatives to winlogon.exe. Retrieved from https://posts.specterops.io/understanding-and-defending-against-access-token-theft-finding-alternatives-to-winlogon-exe-80696c8a73b
[5] Chebbi, C. (2019, April 24). Windows Kernel exploitation: Elevation of privilege (EoP) with Token stealing. Retrieved from https://www.peerlyst.com/posts/windows-kernel-exploitation-elevation-of-privilege-eop-with-token-stealing-chiheb-chebbi
[6] Cimpanu, C. (2019, November 22). New bypass disclosed in Microsoft PatchGuard (KPP). https://www.zdnet.com/article/new-bypass-disclosed-in-microsoft-patchguard-kpp/
[7] Cimpanu, C. (2020, February 7). Ransomware installs Gigabyte driver to kill antivirus products. ZDNet. Retrieved from https://www.zdnet.com/article/ransomware-installs-gigabyte-driver-to-kill-antivirus-products/
[8] Cocomazzi, A. & Pierini, A. (2020). Windows Privilege Escalations: Still Abusing Local Service Accounts to Get SYSTEM Privileges. HITBSecConf2020, Amsterdam. Retrieved from https://conference.hitb.org/hitbsecconf2020ams/sessions/windows-privilege-escalations-still-abusing-local-service-accounts-to-get-system-privileges/
[9] CodeMachine. (2019). Windows 7 Object Headers. Articles on Windows Internals, Programming, Security and Debugging. Retrieved from https://codemachine.com/article_objectheader.html
[10] DarthTon. (2019-a) Blackbone Windows memory hacking library. Blackbone source code. Retrieved from https://github.com/DarthTon/Blackbone
[11] DarthTon. (2019-b). BBGrantAccess function. Change handle granted access. Blackbone source code. Retrieved from https://github.com/DarthTon/Blackbone/blob/master/src/BlackBoneDrv/Routines.c
[12] Delpy, B. (2020). A little tool to play with Windows security. Source Code of Mimikatz. GitHub. Retrieved from https://github.com/gentilkiwi/mimikatz
[13] Eremeev, A. (2020). The Kernel-Bridge Framework. Windows kernel hacking framework, driver template, hypervisor and API written on C++. Github. Retrieved from https://github.com/HoShiMin/Kernel-Bridge/blob/master/Kernel-Bridge/API/Hypervisor.cpp
[14] Hale-Ligh, M. Case, A, Levy, J., Walters, A. (2014, July 28). The Art of Memory Forensics: Detecting Malware and Threats in Windows, Linux, and Mac Memory (1st ed.). Indianapolis, Indiana: Wiley.
[15] Harpaz, O. and Goldberg, D. (2019, May 29). The Nansh0u Campaign: Hackers Arsenal Grows Stronger. Retrieved from https://www.guardicore.com/2019/05/nansh0u-campaign-hackers-arsenal-grows-stronger/
[16] Hoglund, G., Butler. J. (2006). Rootkits: Subverting the Windows Kernel (1st ed.). Token Privilege and Group Elevation with DKOM. New Jersey, US: Addison-Wesley Professional.
[17] Ismail, M., A., Aboelseoud H., Senousy, M., B. (2014). An Investigation into Access Control in Various Types of Operating Systems. International Journal of Computer Applications. Retrieved from https://pdfs.semanticscholar.org/6035/d4420f6038aefc511d970fc630a41cf40df3.pdf
[18] Jesse, M. and Shkatov, M. (2019). Screwed Drivers – Signed, Sealed, Delivered. Retrieved from https://eclypsium.com/2019/08/10/screwed-drivers-signed-sealed-delivered/
[19] Johnson, M. H. (2015, October 1). Windows System Programming (4th ed.). Chapter 15. Securing Windows Objects. Massachusetts, US: Addison-Wesley Professional.
[20] Korkin, I. (2018, December 5-6). Divide et Impera: MemoryRanger Runs Drivers in Isolated Kernel Spaces. In Proceedings of the BlackHat Europe Conference, London, UK. Retrieved from https://www.blackhat.com/eu-18/briefings/schedule/#divide-et-impera-memoryranger-runs-drivers-in-isolated-kernel-spaces-12668
[21] Korkin, I. (2019, May 15-16). MemoryRanger Prevents Hijacking FILE_OBJECT Structures in Windows Kernel. Paper presented at the Proceedings of the 14th annual Conference on Digital Forensics, Security and Law (CDFSL), Embry-Riddle Aeronautical University, Daytona Beach, Florida, USA. Retrieved from https://commons.erau.edu/adfsl/2019/paper-presentation/7/
[22] Korkin, I. (2020). MemoryRanger source code. GitHub repository. Retrieved from https://github.com/IgorKorkin/MemoryRanger
[23] Kremez, V. (May 13, 2019). Cybercrime: Groups Behind “Banload” Banking Malware Implement New Techniques. Security Research. SentinelLabs. Retrieved from https://labs.sentinelone.com/cybercrime-banload-banking-malware-fraud/
[24] Microsoft. (2019). 2.3.1 NTSTATUS Values. Windows Protocols. Retrieved from https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-erref/596a1078-e883-4972-9bbc-49e60bebca55
[25] Microsoft. (n.d.-a). NTFS File System Data Structures. Microsoft Corporation. Retrieved from https://github.com/ZoloZiak/WinNT4/blob/master/private/ntos/cntfs/ntfsstru.h
[26] Miller, T. (1991, October 31). Portable Systems Group Caching Design Note. Revision 1.3. Copyright (c) Microsoft Corporation. File: cache.doc. Retrieved from Windows_Research_Kernel(sources)\NT_Design_Workbook\Get_Workbook
[27] MITRE ATT&CK. (2020). Access Token Manipulation.
[28] Monnappa, K. (2018). Learning Malware Analysis: Explore the Concepts, Tools, and Techniques to Analyze and Investigate Windows Malware (1st ed.), Birmingham, United Kingdom: Packt Publishing.
[29] MSDN. (2018-a). FsRtlGetPerStreamContextPointer Macro. Programming reference for Windows Driver Kit. Retrieved from https://docs.microsoft.com/en-us/windows-hardware/drivers/ddi/ntifs/nf-ntifs-fsrtlgetperstreamcontextpointer
[30] MSDN. (2018-b). FSRTL_COMMON_FCB_HEADER structure. Programming reference for Windows Driver Kit. Retrieved from https://docs.microsoft.com/en-us/windows-hardware/drivers/ddi/ntifs/ns-ntifs-_fsrtl_common_fcb_header
[31] MSDN. (2018-c). FSRTL_ADVANCED_FCB_HEADER structure. Programming reference for Windows Driver Kit. Retrieved from https://docs.microsoft.com/en-us/windows-hardware/drivers/ddi/ntifs/ns-ntifs-_fsrtl_advanced_fcb_header
[32] Nagar, R. (1997). Windows NT File System Internals: A Developer's Guide. Publisher: O'Reilly Media.
[33] O'Donnell, L. (2019, May 29). 50k Servers Infected with Cryptomining Malware in Nansh0u Campaign. Retrieved from https://threatpost.com/50k-servers-infected-with-cryptomining-malware-in-nansh0u-campaign/145140/
[34] Oh, M. (2017). Detecting and mitigating elevation-of-privilege exploit for CVE-2017-0005. Retrieved from https://www.microsoft.com/security/blog/2017/03/27/detecting-and-mitigating-elevation-of-privilege-exploit-for-cve-2017-0005/
[35] Park, S., Lee, S., Xu, W., Moon, H., Kim, T. (2019). libmpk: Software Abstraction for Intel Memory Protection Keys (Intel MPK). Id in the Proceedings of the 2019 USENIX Annual Technical Conference. July 10–12, 2019 • Renton, WA, USA. Retrieved from https://www.usenix.org/system/files/atc19-park-soyeon.pdf
[36] Perla, E. and Oldani, M. (2010). A Guide to Kernel Exploitation: Attacking the Core (1st ed.). Massachusetts, US: Syngress.
[37] Pierini, A. (2019). Whoami priv - show me your privileges and I will lead you to SYSTEM. Hack in Paris. Retrieved from https://hackinparis.com/archives/2019/#talk-2019-whoami-priv-show-me-your-privileges-and-i-will-lead-you-to-system
[38] Prakash, A., Venkataramani, E., Yin, H., Zhiqiang, L. (2013). Manipulating Semantic Values in Kernel Data Structures: Attack Assessments and Implications. 43rd Annual IEEE/IFIP International Conference on Dependable Systems and Networks (DSN), Budapest. Retrieved from http://web.cse.ohio-state.edu/~lin.3021/file/DSN13.pdf
[39] Probert, D. (2010). Windows Kernel Architecture Internals. MSRA/UR Workshop – Beijing, China. Retrieved from https://repo.zenk-security.com/Linux%20et%20systemes%20d.exploitations/Windows%20Kernel%20Architecture%20Internals.pdf
[40] Probert, D. (2010). Windows Kernel Architecture Internals. Retrieved from https://repo.zenk-security.com/Linux%20et%20systemes%20d.exploitations/Windows%20Kernel%20Architecture%20Internals.pdf
[41] Probert, D. B. (2004). Windows Kernel Internals: Cache Manager. Windows Kernel Development Microsoft Corporation. Retrieved from https://www.i.u-tokyo.ac.jp/edu/training/ss/lecture/new-documents/Lectures/15-CacheManager/CacheManager.pdf
[42] Rapaport, A. (2019, March 25). From alert to driver vulnerability: Microsoft Defender ATP investigation unearths privilege escalation flaw. Retrieved from https://www.microsoft.com/security/blog/2019/03/25/from-alert-to-driver-vulnerability-microsoft-defender-atp-investigation-unearths-privilege-escalation-flaw/
[43] ReactOS. (n.d.). ExUnlockHandleTableEntry. ReactOS Kernel. Retrieved from https://doxygen.reactos.org/de/d51/ntoskrnl_2ex_2handle_8c_source.html#l00887
[44] ReactOS. (n.d.-a). CDFS File System Data Structures. Microsoft Corporation. Retrieved from https://doxygen.reactos.org/de/dc7/cdstruc_8h.html
[45] Russinovich, M. (1998, March 31). Windows NT Architecture, Part 2. ItProToday. Retrieved from https://www.itprotoday.com/compute-engines/windows-nt-architecture-part-2
[46] Russinovich, M., Solomon, D., and Ionescu, A. (2012, September 25). Windows Internals (6th ed.). Parts 1 and 2. Redmond, Washington: Microsoft Press.
[47] Schreiber, S. B. (2000). Undocumented Windows 2000 Secrets. Object Handles. WINDOWS 2000 OBJECT MANAGEMENT. pp 411. Retrieved from http://users.du.se/~hjo/cs/common/books/Undocumented%20Windows%202000%20Secrets/sbs-w2k-7-windows-2000-object-management.pdf
[48] Singh, A., Kaplan, D., Feng, C., and Sanossian, H. (2019). How Windows Defender Antivirus integrates hardware-based system integrity for informed, extensive endpoint protection. Retrieved from https://www.microsoft.com/security/blog/2019/07/31/how-windows-defender-antivirus-integrates-hardware-based-system-integrity-for-informed-extensive-endpoint-protection/
[49] Stallings, W. (2014). Operating System Security. Computer Security Handbook edited by Bosworth, S., Kabay, M. E., Whyne, E, New Jersey: John Wiley & Sons. Retrieved from http://index-of.co.uk/Networking/Computer%20Security%20Handbook%204th.pdf
[50] Suma, G. S., Dija, S., Thomas, K. L. (2014). A Novel Methodology for Windows 7 x64 Memory Forensics. DOI: 10.1109/ICCIC.2014.7238400
[51] Sysnap. (2011). Hijacking Kernel Handle. 0tutorials: Unpacking Tutorials, Programming Tutorials, Kernel Tutorials, Reverse Engineering Tutorials Retrieved from http://0tutorials.blogspot.com/2011/08/hijacking-kernel-handle.html
[52] Tanda, S. (2020). The research UEFI hypervisor that supports booting an operating system. Retrieved from https://github.com/tandasat/MiniVisorPkg
[53] Tanenbaum, A. and Bos., H. (2014, March 20). Modern Operating Systems (4th ed.). New Jersey: Pearson Prentice-Hal.
[54] Tango. (2018, January 14). A Light on Windows 10's “OBJECT_HEADER->TypeIndex”. Retrieved from https://medium.com/@ashabdalhalim/a-light-on-windows-10s-object-header-typeindex-value-e8f907e7073a
[55] Treadwell, D. (1989). Windows NT Executive Support Routines Specification. Manage Object Handles and Handle Tables. Retrieved from “Windows_Research_Kernel(sources)\NT_Design_Workbook\Get_Workbook\execsupp.doc”
[56] WRK. (n.d.). ExUnlockHandleTableEntry. The Windows Research Kernel Retrieved from https://github.com/Aekras1a/Labs/blob/9c9121da3fcc34f840a3f67e14fcc2a76d4aa053/Labs/WRK/base/ntos/ex/handle.c
[57] Yitbarek, S. F., and Austin, T. (2019). Neverland: Lightweight Hardware Extensions for Enforcing Operating System Integrity. Retrieved from https://arxiv.org/pdf/1905.05975.pdf
Recommended Citation
Korkin, Igor
(2021)
"Windows Kernel Hijacking Is Not an Option: MemoryRanger Comes to the Rescue Again,"
Journal of Digital Forensics, Security and Law: Vol. 16
, Article 4.
DOI: https://doi.org/10.58940/1558-7223.1726
Available at:
https://commons.erau.edu/jdfsl/vol16/iss1/4
Included in
Computer and Systems Architecture Commons, Information Security Commons, OS and Networks Commons, Software Engineering Commons, Systems Architecture Commons