
MemoryRanger

MemoryRanger protects kernel data and code by running drivers and hosting data in isolated kernel enclaves built on the VT-x and EPT features. MemoryRanger has been presented at Black Hat, HITB and CDFSL.

README

<i><b>All the updates will be soon.</b></i>

Updated MemoryRanger: Hijacking Is Not An Option

Updated MemoryRanger prevents the following new attacks:

  • <b>Hijacking of NTFS structures</b> gains unauthorized access to files opened without shared access by patching Stream Control Block structures;
  • <b>Handle Hijacking Attack</b> provides illegal access to exclusively opened files by patching handle table entries;
  • <b>Token Hijacking Attack</b> is designed to elevate process privileges without using the token-swapping technique.

News:

  • Demos of Handle Hijacking and Token Hijacking, as well as their prevention, on the newest <b>Windows 10 1903</b> are below.
  • Demos of Hijacking of NTFS structures will be soon.
  • Updated MemoryRanger implements a <b>special memory enclave to protect sensitive kernel data</b>, e.g. Token structures, from being tampered with by any driver; the scheme is below.
<img src="https://github.com/IgorKorkin/MemoryRanger/blob/master/memoryranger_prevents_token_and_handle_hijacking.png" width="1000" />

Handle Hijacking Attack and its prevention are here:

Demo: Handle Hijacking Attack | Demo: The Prevention of Handle Hijacking

Token Hijacking Attack and its prevention are here:

Demo: Handle Hijacking Attack | Demo: The Prevention of Handle Hijacking

MemoryRanger

The MemoryRanger hypervisor moves newly loaded drivers into isolated kernel spaces by using VT-x and EPT. MemoryRanger has been presented at Black Hat Europe 2018 and CDFSL 2019. MemoryRanger runs drivers inside separate enclaves to protect the following kernel-mode areas:

  • allocated data, driver code, and EPROCESS.token fields (Black Hat 2018);
  • FILE_OBJECT structures (CDFSL 2019).

MemoryRanger at the CDFSL 2019:

<img src="https://github.com/IgorKorkin/MemoryRanger/blob/master/cdfsl2019_memoryranger_prevents_fileobj_hijacking.png" width="700" />
  • demonstration of illegal access to an exclusively opened file via FILE_OBJECT hijacking;
  • prevention of FILE_OBJECT hijacking;
  • paper, slides and demos are here.

Demo: The Hijacking Attack | Demo: The Attack Prevention

MemoryRanger at the Black Hat Europe 2018


  • demonstration of illegal access to allocated data, driver code, and the EPROCESS.token field;
  • protection of dynamically allocated data;
  • preventing newly loaded drivers from escalating process privileges;
  • paper, slides and demos are here.

Demo: The Attack | Demo: The Attack Prevention

Details

The MemoryRanger hypervisor is based on these projects:
