The document discusses attacks on kernel memory data structures in Windows. It describes three types of attacks: handle table hijacking, hijacking NTFS file structures, and token hijacking. The author previously developed MemoryRanger, a hypervisor that runs drivers in isolated kernel enclaves to block such attacks. A new feature called a data-only enclave is introduced. The document then demonstrates how hijacking file structures could allow bypassing file access controls by copying a file object's data to gain unauthorized access to a secret file. MemoryRanger is shown to prevent this attack by isolating drivers and their memory.
2024: Domino Containers - The Next Step. News from the Domino Container commu...
Kernel Hijacking Is Not an Option: MemoryRanger Comes to The Rescue Again
1. Kernel Hijacking Is Not an Option:
MemoryRanger Comes to the Rescue Again
Igor Korkin
Independent Researcher
2020
2. WHOAMI
▪ PhD, speaker at the ADFSL conference since 2014 and the BlackHat
▪ Windows OS Kernel Security Researcher:
▪ Rootkits and anti-rootkits
▪ Bare-Metal Hypervisors vs. Attacks on Kernel Memory
▪ Fan of cross-disciplinary research —
▪ Love traveling and powerlifting —
2
igorkorkin.blogspot.com
igor.korkin
3. ▪ Three attacks on kernel memory data:
1. Handle Table Hijacking
2. Hijacking NTFS structures
Bypass file sharing access control:
AGENDA: ATTACKS ON FILES
3
4. ▪ Three attacks on kernel memory data:
1. Handle Table Hijacking
2. Hijacking NTFS structures
3. Token Hijacking
Process Privilege Escalation:Bypass file sharing access control:
AGENDA: ATTACKS ON FILES+TOKENS
4
5. AGENDA: ATTACKS ON FILES+TOKENS & MEMORYRANGER
▪ Three attacks on kernel memory data:
1. Handle Table Hijacking
2. Hijacking NTFS structures
3. Token Hijacking
Process Privilege Escalation:Bypass file sharing access control:
▪MemoryRanger blocks kernel attacks:
▪ It runs drivers in isolated kernel enclaves
▪ It includes a new feature: Data-Only Enclave
Driver A
Driver B
MemoryRanger Hypervisor
Driver A
Driver B
Driver A
Driver B
6. 6
PREVIOUS RESEARCH ON MEMORYRANGER:
PAPERS+SLIDES+DEMOS
(2019) MemoryRanger Prevents Hijacking
FILE_OBJECT Structures in Windows Kernel
https://igorkorkin.blogspot.com/2019/04/
memoryranger-prevents-hijacking.html
(2018) Divide et Impera: MemoryRanger
Runs Drivers in Isolated Kernel Spaces
https://igorkorkin.blogspot.com/2018/12/div
ide-et-impera-memoryranger-runs.html
7. KERNEL DRIVERS CAN COMPROMISE THE OS SECURITY
7
OS Built-in Drivers
NT OS Kernel
• Scheduler
• Memory Manager
Kernel Data
OS Structures
and Objects
Allocated
Sensitive Data
System Tables,
Paging Structures
Kernel Code
3rd Party Drivers
with bugs
Malicious Kernel Drivers
OS Sensitive Data,
PatchGuard flags
8. ▪ RobbinHood Ransomware - 2020
▪ Exploits a legitimate buggy driver to load a malware driver
▪ Malware driver disables endpoint security products
KERNEL DRIVERS IN RECENT MALWARE ATTACKS ON WINDOWS
8
1. Ransomware installs Gigabyte driver to kill antivirus products - https://www.zdnet.com/article/ransomware-installs-gigabyte-
driver-to-kill-antivirus-products/
2. Nansh0u Miner Attack Infects 50K MS-SQL, PHPMyAdmin Servers - https://www.guardicore.com/2019/05/nansh0u-campaign-
hackers-arsenal-grows-stronger/
3. Glupteba: Hidden Malware Delivery in Plain Sight - https://news.sophos.com/wp-content/uploads/2020/06/glupteba_final.pdf
9. ▪ RobbinHood Ransomware - 2020
▪ Exploits a legitimate buggy driver to load a malware driver
▪ Malware driver disables endpoint security products
KERNEL DRIVERS IN RECENT MALWARE ATTACKS ON WINDOWS
9
▪ Crypto-miner with a signed driver - 2019
▪ Infected more than 50,000 Windows machines in the world
▪ Uses a signed malware driver to protect itself from termination
1. Ransomware installs Gigabyte driver to kill antivirus products - https://www.zdnet.com/article/ransomware-installs-gigabyte-
driver-to-kill-antivirus-products/
2. Nansh0u Miner Attack Infects 50K MS-SQL, PHPMyAdmin Servers - https://www.guardicore.com/2019/05/nansh0u-campaign-
hackers-arsenal-grows-stronger/
3. Glupteba: Hidden Malware Delivery in Plain Sight - https://news.sophos.com/wp-content/uploads/2020/06/glupteba_final.pdf
10. ▪ RobbinHood Ransomware - 2020
▪ Exploits a legitimate buggy driver to load a malware driver
▪ Malware driver disables endpoint security products
KERNEL DRIVERS IN RECENT MALWARE ATTACKS ON WINDOWS
1. Ransomware installs Gigabyte driver to kill antivirus products - https://www.zdnet.com/article/ransomware-installs-gigabyte-
driver-to-kill-antivirus-products/
2. Nansh0u Miner Attack Infects 50K MS-SQL, PHPMyAdmin Servers - https://www.guardicore.com/2019/05/nansh0u-campaign-
hackers-arsenal-grows-stronger/
3. Glupteba: Hidden Malware Delivery in Plain Sight - https://news.sophos.com/wp-content/uploads/2020/06/glupteba_final.pdf
10
▪ Crypto-miner with a signed driver - 2019
▪ Infected more than 50,000 Windows machines in the world
▪ Uses a signed malware driver to protect itself from termination
▪ Glupteba includes rootkit to hide files and processes - 2020
▪ Exploits a signed vulnerable driver to bypass the
Kernel Patch Protection and Driver Signature Enforcement
17. SCENARIO OF ATTACKS ON FILES
17
Researcher s Driver
Secret Formula
Open a file in an
exclusive mode
NTOS Kernel
(2) Try to access the file
via Hijacking Attacks
(2) Try to access the file
via Hijacking Attacks
18. SCENARIO OF ATTACKS ON FILES
18
Researcher s Driver
Secret Formula
Attacker s Driver
(1) Try to access the
file via ZwCreateFile
Open a file in an
exclusive mode
NTOS Kernel
(2) Try to access the file
via Hijacking Attacks
(2) Try to access the file
via Hijacking Attacks
19. SCENARIO OF ATTACKS ON FILES
19
Researcher s Driver
Secret Formula
Attacker s Driver
(1) Try to access the
file via ZwCreateFile
Open a file in an
exclusive mode
NTOS Kernel
(2) Try to access the file
via Hijacking Attacks
(2) Try to access the file
via Hijacking Attacks
20. Researcher s Driver
Corrupted Data
Attacker s Driver
(1) Try to access the
file via ZwCreateFile
Open a file in an
exclusive mode
NTOS Kernel
(2) Try to access the file
via Hijacking Attacks
(2) Try to access the file
via Hijacking Attacks
Leaked Secret
Formula
SCENARIO OF ATTACKS ON FILES
20
50. DEMO: HANDLE TABLE HIJACKING
50
Kernel
mode
User
mode
Hard
Disk
Driver
ZwCreateFile()
•ShareAccess=0
Secret file
OS Components
The researcher opens a secret file
Console
Kernel Handle Table
Entry
51. DEMO: HANDLE TABLE HIJACKING
51
Kernel
mode
User
mode
Hard
Disk
Driver
ZwCreateFile()
•ShareAccess=0
Secret file
Driver
ZwCreateFile()
OS Components
Attempt 1: The Legal Access
Console Attacker
access
violation
Kernel Handle Table
Entry Entry
52. DEMO: HANDLE TABLE HIJACKING
52
Kernel
mode
User
mode
Hard
Disk
Driver
ZwCreateFile()
•ShareAccess=0
Secret file
Driver
ZwCreateFile()
OS Components
Attempt 1: The Legal Access
Console Attacker
access
violation
Kernel Handle Table
Entry Entry
Driver
ZwCreateFile()
•ShareAccess=0
Secret File
Driver
handle_hijacking
hijacker.txt
OS Components
Attempt 2: Handle Table Hijacking
Attacker
EntryEntry
Console
53. DEMO#1: HANDLE TABLE HIJACKING
The online version is here –
https://www.youtube.com/embed/5NNSXfTRtiQ?vq=hd1440
53
54. HOW TO PREVENT THE HANDLE HIJACKING?
54
▪ We have to block WRITE access to the ObjectPointerBits
▪ We have to grant READ access to the whole Handle Table for all drivers
Attacker s DriverResearcher s Driver
read read
• read=true
• write=true
ObjectPointerBits
• read=true
• write=true
• read=true
• write=true
ObjectPointerBits
• read=true
• write=true
write
55. HOW TO PREVENT THE HANDLE HIJACKING?
55
Attacker s DriverResearcher s Driver
read read
• read=true
• write=true
ObjectPointerBits
• read=true
• write=true
• read=true
• write=true
ObjectPointerBits
• read=true
• write=true
MemoryRanger Hypervisor
write
▪ We have to block WRITE access to the ObjectPointerBits
▪ We have to grant READ access to the whole Handle Table for all drivers
56. MEMORYRANGER ISOLATES DRIVERS BY
RUNNING DRIVERS IN SEPARATE KERNEL SPACES
56
MemoryRanger and Enclaves details are here:
(2019) https://igorkorkin.blogspot.com/2019/04/memoryranger-prevents-hijacking.html
(2018) https://igorkorkin.blogspot.com/2018/12/divide-et-impera-memoryranger-runs.html
Driver A
Driver B
MemoryRanger Hypervisor
Driver A
Driver B
Driver A
Driver B
57. The Current Situation
OS Code
OS
Data
RSRCH Entry
Attacker
Default enclave for OS
and driver loaded before
Enclave for RSRCH s Driver
EPT pointer
Enclave for Attacker s
Driver
Kernel Handle Table
Entry
READ
READ
WRITE
READ
OS Code
OS
Data
RSRCH
Attacker
READ
OS Code
OS
Data
RSRCH
Attacker Entry
READ
OS Code
OS
Data
RSRCH
Attacker
READ
READ
READ
WRITE
GrAc.
ObjP.
Entry
GrAc.
ObjP.
Entry
Entry
MEMORY MAP: MEMORYRANGER PREVENTS HANDLE HIJACKING
57
58. The Current Situation
OS Code
OS
Data
RSRCH Entry
Attacker
Default enclave for OS
and driver loaded before
Enclave for RSRCH s Driver
EPT pointer
Enclave for Attacker s
Driver
Kernel Handle Table
Entry
READ
READ
WRITE
READ
OS Code
OS
Data
RSRCH
Attacker
READ
OS Code
OS
Data
RSRCH
Attacker Entry
READ
OS Code
OS
Data
RSRCH
Attacker
READ
READ
READ
WRITE
GrAc.
ObjP.
Entry
GrAc.
ObjP.
Entry
Entry
MEMORY MAP: MEMORYRANGER PREVENTS HANDLE HIJACKING
58
59. MEMORY MAP: MEMORYRANGER PREVENTS HANDLE HIJACKING
The Current Situation
OS Code
OS
Data
RSRCH Entry
Attacker
Default enclave for OS
and driver loaded before
Enclave for RSRCH s Driver
EPT pointer
Enclave for Attacker s
Driver
Kernel Handle Table
Entry
READ
READ
WRITE
READ
OS Code
OS
Data
RSRCH
Attacker
READ
OS Code
OS
Data
RSRCH
Attacker Entry
READ
OS Code
OS
Data
RSRCH
Attacker
READ
READ
READ
WRITE
GrAc.
ObjP.
Entry
GrAc.
ObjP.
Entry
Entry
60. MEMORY MAP: MEMORYRANGER PREVENTS HANDLE HIJACKING
60
The Current Situation
OS Code
OS
Data
RSRCH Entry
Attacker
Default enclave for OS
and driver loaded before
Enclave for RSRCH s Driver
EPT pointer
Enclave for Attacker s
Driver
Kernel Handle Table
Entry
READ
READ
WRITE
READ
OS Code
OS
Data
RSRCH
Attacker
READ
OS Code
OS
Data
RSRCH
Attacker Entry
READ
OS Code
OS
Data
RSRCH
Attacker
READ
READ
READ
WRITE
GrAc.
ObjP.
Entry
GrAc.
ObjP.
Entry
Entry
61. DEMO#2: PREVENTION OF HANDLE TABLE HIJACKING
The online version is here –
https://www.youtube.com/embed/5Pz-IXvQDiY?vq=hd1440
61
62. 62
MemoryRanger Prevents the Handle Hijacking
MemoryRanger
restricts WRITE
access to the
ObjectPointerBits
field
Attacker s EnclaveRSRCH s Enclave
Driver
ZwCreateFile()
•ShareAccess=0
Secret File
Attacker
hijacker.txt
OS Components
MemoryRanger
Driver
handle_hijacking
OS Components
Default Enclave
OS kernel,
and other
drivers
OS kernel,
and other
drivers
OS kernel
and other
drivers
Internal
Data
Internal
Data
OS and
Other
Data
Console
EntryEntry Entry
GrAc.
ObjP.Entry
GrAc.
ObjP.
63. 63
MemoryRanger Prevents the Handle Hijacking
MemoryRanger
restricts WRITE
access to the
ObjectPointerBits
field
Attacker s EnclaveRSRCH s Enclave
Driver
ZwCreateFile()
•ShareAccess=0
Secret File
Attacker
hijacker.txt
OS Components
MemoryRanger
Driver
handle_hijacking
OS Components
Default Enclave
OS kernel,
and other
drivers
OS kernel,
and other
drivers
OS kernel
and other
drivers
Internal
Data
Internal
Data
OS and
Other
Data
Console
EntryEntry Entry
GrAc.
ObjP.Entry
GrAc.
ObjP.
65. HIJACKING ATTACKS ON FILES STRUCTURES
Handle Table Hijacking
Hijacking
FILE_OBJECT
Hijacking NTFS
Data Structures
I/O Manager
Object Manager
Security Ref. Monitor
NTFS driver
File handle
Disk driversDisk drivers
File Object
Kernel Handle Table
Entry
Object Header
Other structures
NTFS Data
Structures
Secret fileDisk
Access Control Lists
File handle
ZwReadFile( )
ZwWriteFile( )
File handle
File handle
ZwReadFile( )
ZwWriteFile( )
File Object
Object Header
Entry
Other structures
NTFS Data
Structures
File Hiajcker
Entry Entry...
65
66. NTFS DATA STRUCTURES
66
PVOID FsContent
File Object
File Control Block
PVOID FsContent2 ERESOURCE
FAST_MUTEX
File on the Disk
etc...
File Handle
Cache Control Block
ERESOURCE
FAST_MUTEX
Control Block Structures
(NTFS data structures)
67. HIJACKING NTFS STRUCTURES
67
Attacker s Driver
FILE_OBJECT
Researcher s Driver
FILE_OBJECT
Secret File File Hijacker
NTFS Data
Structures
FAST_MUTEX ERESOURCE
etc
FAST_MUTEX ERESOURCE
etc
NTFS Data
Structures
68. HIJACKING NTFS STRUCTURES
68
Attacker s Driver
FILE_OBJECT
Researcher s Driver
FILE_OBJECT
Secret File File Hijacker
NTFS Data
Structures
FAST_MUTEX ERESOURCE
etc
FAST_MUTEX ERESOURCE
etc
Hijacking NTFS
structures
NTFS Data
Structures
Copy content
69. HIJACKING NTFS STRUCTURES
69
Attacker s Driver
FILE_OBJECT
Researcher s Driver
FILE_OBJECT
Secret File File Hijacker
NTFS Data
Structures
FAST_MUTEX ERESOURCE
etc
FAST_MUTEX ERESOURCE
etc
Hijacking NTFS
structures
NTFS Data
Structures
Copy content
71. void ExReleaseResourceLite(PERESOURCE Resource){
…
CurrentThread = KeGetCurrentThread();
if (IsOwnedExclusive(Resource)) {
if (Resource->OwnerThreads[0].OwnerThread != CurrentThread) {
KeBugCheckEx(RESOURCE_NOT_OWNED, … )
}
}
}
BSOD: THE REASON AND THE WAY TO BYPASS
*wrk-v1.2basentosexresource.c
71
72. void ExReleaseResourceLite(PERESOURCE Resource){
…
CurrentThread = KeGetCurrentThread();
if (IsOwnedExclusive(Resource)) {
if (Resource->OwnerThreads[0].OwnerThread != CurrentThread) {
KeBugCheckEx(RESOURCE_NOT_OWNED, … )
}
}
}
BSOD: THE REASON AND THE WAY TO BYPASS
*wrk-v1.2basentosexresource.c
72
73. 1. Overwrite control block structures
2. Patch ThreadID-related fields using attackers ThreadID:
▪ Resource->OwnerEntry.OwnerThread = PsGetCurrentThread();
▪ PagingIoResource->OwnerEntry.OwnerThread = PsGetCurrentThread()
3. Repeat steps 1 and 2 before each read and write call
BSOD: THE WAY TO BYPASS (FOR HACKERS ONLY)
73
74. DEMO: HIJACKING NTFS STRUCTURES
74
Kernel
mode
User
mode
Hard
Disk
Driver
ZwCreateFile()
•ShareAccess=0
Secret file
Driver
ZwCreateFile()
OS Components
Attempt 1: The Legal Access
Console Attacker
access
violation
NTFS Data
Structures
NTFS Data
Structures
75. DEMO: HIJACKING NTFS STRUCTURES
75
Kernel
mode
User
mode
Hard
Disk
Driver
ZwCreateFile()
•ShareAccess=0
Secret file
Driver
ZwCreateFile()
OS Components
Attempt 1: The Legal Access
Console Attacker
access
violation
Driver
ZwCreateFile()
•ShareAccess=0
Secret File
Driver
hijacking_ntfs_structs
hijacker.txt
OS Components
Attempt 2: Hijacking NTFS structures
AttackerConsole
NTFS Data
Structures
NTFS Data
Structures
NTFS Data
Structures
NTFS Data Structs
Repeat
patching
76. DEMO#3: HIJACKING NTFS STRUCTURES
The online version is here –
https://www.youtube.com/embed/bHEf2fNkqbc?vq=hd1440
76
77. The Current Situation
OS Code
OS
Data
RSRCH NTFS
Struct
Attacker
Default enclave for OS and
driver loaded before
EPT pointer
READ
NTFS
Struct
READ
READ
OS Code
OS
Data
RSRCH NTFS
Struct
Attacker
READ
NTFS
Struct
Enclave for RSRSH s Driver
OS Code
OS
Data
RSRCH NTFS
Struct
Attacker
READ
NTFS
Struct
READ
Enclave for Attacker s
Driver
OS Code
OS
Data
RSRCH NTFS
Struct
Attacker
READ
NTFS
Struct
WRITE
READ
WRITE
77
MEMORYRANGER PREVENTS HIJACKING NTFS STRUCTS
78. The Current Situation
OS Code
OS
Data
RSRCH NTFS
Struct
Attacker
Default enclave for OS and
driver loaded before
EPT pointer
READ
NTFS
Struct
READ
READ
OS Code
OS
Data
RSRCH NTFS
Struct
Attacker
READ
NTFS
Struct
Enclave for RSRSH s Driver
OS Code
OS
Data
RSRCH NTFS
Struct
Attacker
READ
NTFS
Struct
READ
Enclave for Attacker s
Driver
OS Code
OS
Data
RSRCH NTFS
Struct
Attacker
READ
NTFS
Struct
WRITE
READ
WRITE
78
MEMORYRANGER PREVENTS HIJACKING NTFS STRUCTS
79. DEMO#4: PREVENTION OF HIJACKING NTFS STRUCTS
The online version is here –
https://www.youtube.com/embed/CSvq-VyxFH4?vq=hd1440
79
80. 80
Preventing the Hijacking NTFS structures
MemoryRanger
prevents Hijacking
NTFS structures
Attacker s EnclaveRSRCH s Enclave
Driver
ZwCreateFile()
•ShareAccess=0
Secret File
Attacker
hijacker.txt
OS Components
MemoryRanger
Driver
hijacking_ntfs_structs
Default Enclave
OS kernel,
and other
drivers
OS kernel,
and other
drivers
OS kernel
and other
drivers
Internal
Data
Internal
Data
OS and
Other
Data
Console
NTFS
Structs
NTFS
Structs
NTFS
Structs
NTFS
Structs
OS Components
102. 102
TOKEN HIJACKING IS BLOCKED BY A NEW DATA-ONLY ENCLAVE
Here is a new data-only enclave
TOKEN
EPROCESS
TOKEN
EPROCESS
OS kernel core (Scheduler, etc)
SYSTEM:4 CMD
Kernel
mode
User
mode Console
Driver
token_hijacking
MemoryRanger
prevents Token
Hijacking
104. MEMORY RANGER ARCHITECTURE
104
https://github.com/IgorKorkin/MemoryRanger
OS
Memory Access Policy (MAP)
Access to the protected
data triggers EPT violation
Driver registers callbacks
to receive OS events
Hypervisor
A new driver
is loaded
Kernel API
function is called
DdiMon hooks
kernel API routines
MemoryMonRWX
traps EPT violations
?
Memory
Ranger
ISOLATED_MEM_ENCLAVE PROTECTED_MEMORY
PROTECTED_MEMORY
PROTECTED_MEMORY
ISOLATED_MEM_ENCLAVE
ISOLATED_MEM_ENCLAVE
PROTECTED_MEMORY
PROTECTED_MEMORY
DEFAULT_MEM_ENCLAVE
TOKEN_MEM_ENCLAVE
A new process
is created
(Further details in the paper)
105. 1. Windows OS security features provide limited kernel memory protection
2. Handle Hijacking = copy 6 bytes of structure
3. Hijacking NTFS = copy data structures & Thread ID
4. Token Hijacking = copy structures & their interconnections
5. Updated MemoryRanger
▪ protects new data structures
▪ includes a new data-only enclave to isolate the secret data from all drivers
▪ works well on the recent Windows 1903
CONCLUSION
105
110. DEMO: PREVENTING THE HANDLE HIJACKING ATTACK
110
MemoryRanger Prevents the Handle Hijacking
MemoryRanger
restricts WRITE
access to the
ObjectPointerBits
field
Attacker s EnclaveRSRCH s Enclave
Driver
ZwCreateFile()
•ShareAccess=0
Secret File
Attacker
hijacker.txt
OS Components
MemoryRanger
Driver
handle_hijacking
OS Components
Default Enclave
OS kernel,
and other
drivers
OS kernel,
and other
drivers
OS kernel
and other
drivers
Internal
Data
Internal
Data
OS and
Other
Data
Driver
ZwCreateFile()
•ShareAccess=0
Secret File
Driver
handle_hijacking
hijacker.txt
OS Components
Attempt 2: Handle Table Hijacking
Attacker
EntryEntry
Console Console
Entry
EntryEntry Entry
GrAc.
ObjP.Entry
GrAc.
ObjP.
111. DEMO: PREVENTING THE HIJACKING NTFS STRUCTURES
111
Driver
ZwCreateFile()
•ShareAccess=0
Secret File
Driver
hijacking_ntfs_structs
hijacker.txt
OS Components
Attempt 2: Hijacking NTFS structures
AttackerConsole
NTFS Data
Structures
NTFS Data Structs
Repeat
patching
Preventing the Hijacking NTFS structures
MemoryRanger
prevents Hijacking
NTFS structures
Attacker s EnclaveRSRCH s Enclave
Driver
ZwCreateFile()
•ShareAccess=0
Secret File
Attacker
hijacker.txt
OS Components
MemoryRanger
Driver
hijacking_ntfs_structs
Default Enclave
OS kernel,
and other
drivers
OS kernel,
and other
drivers
OS kernel
and other
drivers
Internal
Data
Internal
Data
OS and
Other
Data
Console
NTFS
Structs
NTFS
Structs
NTFS
Structs
NTFS
Structs
OS Components