Updated MemoryRanger: Hijacking Is Not An Option

Updated MemoryRanger prevents the following new attacks:

• Hijacking of NTFS structures gains an unauthorized access to files opened without shared access by patching Stream Control Block structures;
• Handle Hijacking Attack provides illegal access to exclusively open files via patching handle table entries;
• Token Hijacking Attack is designed to elevate the process privileges without using token-swapping technique;

News:

• Demos with Handle Hijacking and Token Hijacking as well as their prevention on newest Windows 10 1903 are below.
• Demos with Hijacking of NTFS structures will be soon.
• Updated MemoryRanger implements special memory enclave to protect the sensitive kernel data, e.g. Token Structures, from being tampered with all drivers, the scheme is below.

Handle Hijacking Attack and its Preventing are here:

Token Hijacking Attack and its Preventing are here:

MemoryRanger

MemoryRanger hypervisor moves newly loaded drivers into isolated kernel spaces by using VT-x and EPT. MemoryRanger has been presented at Black Hat Europe 2018 and CDFSL 2019. MemoryRanger runs driver inside separate enclaves to protect the following kernel-mode areas:

• allocated data, drivers code, and EPROCESS.token fields (BlackHat 2018);
• FILE_OBJECT structures (CDFSL 2019).

MemoryRanger at the CDFSL 2019:

• demonstration of illegal access to an exclusive open file via FILE_OBJECT hijacking;
• prevention of FILE_OBJECT hijacking;
• paper, slides, demos are here.

MemoryRanger at the Black Hat Europe 2018

• demonstration of illegal access to allocated data, drivers code, and EPROCESS.token field;
• protection of the dynamically allocated data;
• preventing newly loaded drivers to escalate process priviledges;
• paper, slides, demos are here.

Details

MemoryRanger hypervisor is based on these projects:

• MemoryMonRWX by Satoshi Tanda;
• DdiMon by Satoshi Tanda;
• AllMemPro.