The document discusses attacks on kernel memory data structures in Windows. It describes three types of attacks: handle table hijacking, hijacking NTFS file structures, and token hijacking. The author previously developed MemoryRanger, a hypervisor that runs drivers in isolated kernel enclaves to block such attacks. A new feature called a data-only enclave is introduced. The document then demonstrates how hijacking file structures could allow bypassing file access controls by copying a file object's data to gain unauthorized access to a secret file. MemoryRanger is shown to prevent this attack by isolating drivers and their memory.

1. Kernel Hijacking Is Not an Option:
MemoryRanger Comes to the Rescue Again
Igor Korkin
Independent Researcher
2020

2. WHOAMI
▪ PhD, speaker at the ADFSL conference since 2014 and the BlackHat
▪ Windows OS Kernel Security Researcher:
▪ Rootkits and anti-rootkits
▪ Bare-Metal Hypervisors vs. Attacks on Kernel Memory
▪ Fan of cross-disciplinary research —
▪ Love traveling and powerlifting —
2
igorkorkin.blogspot.com
igor.korkin

3. ▪ Three attacks on kernel memory data:
1. Handle Table Hijacking
2. Hijacking NTFS structures
Bypass file sharing access control:
AGENDA: ATTACKS ON FILES
3

4. ▪ Three attacks on kernel memory data:
1. Handle Table Hijacking
2. Hijacking NTFS structures
3. Token Hijacking
Process Privilege Escalation:Bypass file sharing access control:
AGENDA: ATTACKS ON FILES+TOKENS
4

5. AGENDA: ATTACKS ON FILES+TOKENS & MEMORYRANGER
▪ Three attacks on kernel memory data:
1. Handle Table Hijacking
2. Hijacking NTFS structures
3. Token Hijacking
Process Privilege Escalation:Bypass file sharing access control:
▪MemoryRanger blocks kernel attacks:
▪ It runs drivers in isolated kernel enclaves
▪ It includes a new feature: Data-Only Enclave
Driver A
Driver B
MemoryRanger Hypervisor
Driver A
Driver B
Driver A
Driver B

6. 6
PREVIOUS RESEARCH ON MEMORYRANGER:
PAPERS+SLIDES+DEMOS
(2019) MemoryRanger Prevents Hijacking
FILE_OBJECT Structures in Windows Kernel
https://igorkorkin.blogspot.com/2019/04/
memoryranger-prevents-hijacking.html
(2018) Divide et Impera: MemoryRanger
Runs Drivers in Isolated Kernel Spaces
https://igorkorkin.blogspot.com/2018/12/div
ide-et-impera-memoryranger-runs.html

7. KERNEL DRIVERS CAN COMPROMISE THE OS SECURITY
7
OS Built-in Drivers
NT OS Kernel
• Scheduler
• Memory Manager
Kernel Data
OS Structures
and Objects
Allocated
Sensitive Data
System Tables,
Paging Structures
Kernel Code
3rd Party Drivers
with bugs
Malicious Kernel Drivers
OS Sensitive Data,
PatchGuard flags

8. ▪ RobbinHood Ransomware - 2020
▪ Exploits a legitimate buggy driver to load a malware driver
▪ Malware driver disables endpoint security products
KERNEL DRIVERS IN RECENT MALWARE ATTACKS ON WINDOWS
8
1. Ransomware installs Gigabyte driver to kill antivirus products - https://www.zdnet.com/article/ransomware-installs-gigabyte-
driver-to-kill-antivirus-products/
2. Nansh0u Miner Attack Infects 50K MS-SQL, PHPMyAdmin Servers - https://www.guardicore.com/2019/05/nansh0u-campaign-
hackers-arsenal-grows-stronger/
3. Glupteba: Hidden Malware Delivery in Plain Sight - https://news.sophos.com/wp-content/uploads/2020/06/glupteba_final.pdf

9. ▪ RobbinHood Ransomware - 2020
▪ Exploits a legitimate buggy driver to load a malware driver
▪ Malware driver disables endpoint security products
KERNEL DRIVERS IN RECENT MALWARE ATTACKS ON WINDOWS
9
▪ Crypto-miner with a signed driver - 2019
▪ Infected more than 50,000 Windows machines in the world
▪ Uses a signed malware driver to protect itself from termination
1. Ransomware installs Gigabyte driver to kill antivirus products - https://www.zdnet.com/article/ransomware-installs-gigabyte-
driver-to-kill-antivirus-products/
2. Nansh0u Miner Attack Infects 50K MS-SQL, PHPMyAdmin Servers - https://www.guardicore.com/2019/05/nansh0u-campaign-
hackers-arsenal-grows-stronger/
3. Glupteba: Hidden Malware Delivery in Plain Sight - https://news.sophos.com/wp-content/uploads/2020/06/glupteba_final.pdf

10. ▪ RobbinHood Ransomware - 2020
▪ Exploits a legitimate buggy driver to load a malware driver
▪ Malware driver disables endpoint security products
KERNEL DRIVERS IN RECENT MALWARE ATTACKS ON WINDOWS
1. Ransomware installs Gigabyte driver to kill antivirus products - https://www.zdnet.com/article/ransomware-installs-gigabyte-
driver-to-kill-antivirus-products/
2. Nansh0u Miner Attack Infects 50K MS-SQL, PHPMyAdmin Servers - https://www.guardicore.com/2019/05/nansh0u-campaign-
hackers-arsenal-grows-stronger/
3. Glupteba: Hidden Malware Delivery in Plain Sight - https://news.sophos.com/wp-content/uploads/2020/06/glupteba_final.pdf
10
▪ Crypto-miner with a signed driver - 2019
▪ Infected more than 50,000 Windows machines in the world
▪ Uses a signed malware driver to protect itself from termination
▪ Glupteba includes rootkit to hide files and processes - 2020
▪ Exploits a signed vulnerable driver to bypass the
Kernel Patch Protection and Driver Signature Enforcement

11. 11

15. MemoryRanger
Don’t mess with
kernel data!

16. Episode 1
Bypass File Sharing Access Control via
Hijacking File Structures
16

17. SCENARIO OF ATTACKS ON FILES
17
Researcher s Driver
Secret Formula
Open a file in an
exclusive mode
NTOS Kernel
(2) Try to access the file
via Hijacking Attacks
(2) Try to access the file
via Hijacking Attacks

18. SCENARIO OF ATTACKS ON FILES
18
Researcher s Driver
Secret Formula
Attacker s Driver
(1) Try to access the
file via ZwCreateFile
Open a file in an
exclusive mode
NTOS Kernel
(2) Try to access the file
via Hijacking Attacks
(2) Try to access the file
via Hijacking Attacks

19. SCENARIO OF ATTACKS ON FILES
19
Researcher s Driver
Secret Formula
Attacker s Driver
(1) Try to access the
file via ZwCreateFile
Open a file in an
exclusive mode
NTOS Kernel
(2) Try to access the file
via Hijacking Attacks
(2) Try to access the file
via Hijacking Attacks

20. Researcher s Driver
Corrupted Data
Attacker s Driver
(1) Try to access the
file via ZwCreateFile
Open a file in an
exclusive mode
NTOS Kernel
(2) Try to access the file
via Hijacking Attacks
(2) Try to access the file
via Hijacking Attacks
Leaked Secret
Formula
SCENARIO OF ATTACKS ON FILES
20

21. ZwCreateFile()
File handle
ZwWriteFile()/ZwReadFile()
NTOS
Output buffer
+
status
ZwCloseFile()
status
File name
+
ShareAccess*
create file
File handle
+
input buffer
File handle
FILE SYSTEM KERNEL API ROUTINES
NTSTATUS ZwCreateFile(..., ShareAccess, ...);
• ShareAccess flag determines whether other drivers can access the opened file.
21

22. ZwCreateFile()
File handle
ZwWriteFile()/ZwReadFile()
NTOS
Output buffer
+
status
ZwCloseFile()
status
File name
+
ShareAccess*
create file
File handle
+
input buffer
File handle
FILE SYSTEM KERNEL API ROUTINES
22

23. INTERNALS OF ZwCreateFile
23
ZwCreateFile( ,
ShareAccess=0)
Security Ref. Monitor
NTFS driver
Access Control Lists
?
Disk driversDisk drivers
Secret file
Object Manager
I/O Manager

24. INTERNALS OF ZwCreateFile
24
ZwCreateFile( ,
ShareAccess=0)
Security Ref. Monitor
NTFS driver
Access Control Lists
?
Disk driversDisk drivers
Secret file
Object Manager
I/O Manager

25. INTERNALS OF ZwCreateFile
25
ZwCreateFile( ,
ShareAccess=0)
Security Ref. Monitor
NTFS driver
Access Control Lists
?
Disk driversDisk drivers
Secret file
Object Manager
I/O Manager

26. INTERNALS OF ZwCreateFile
26
ZwCreateFile( ,
ShareAccess=0)
Security Ref. Monitor
NTFS driver
Access Control Lists
?
Disk driversDisk drivers
Secret file
Object Manager
I/O Manager

27. INTERNALS OF ZwCreateFile
27
ZwCreateFile( ,
ShareAccess=0)
Security Ref. Monitor
NTFS driver
Access Control Lists
?
Disk driversDisk drivers
Secret file
Object Manager
I/O Manager

28. INTERNALS OF ZwCreateFile
28
ZwCreateFile( ,
ShareAccess=0)
Security Ref. Monitor
NTFS driver
Access Control Lists
?
Disk driversDisk drivers
Secret file
Object Manager
I/O Manager

29. 29
ZwCreateFile( ,
ShareAccess=0)
Security Ref. Monitor
NTFS driver
Access Control Lists
?
Disk driversDisk drivers
ZwCreateFile( )
Secret file
Object Manager
I/O Manager
SECURITY REFERENCE MONITOR PREVENTS ILLEGAL ACCESS

30. SECURITY REFERENCE MONITOR PREVENTS ILLEGAL ACCESS
30
ZwCreateFile( ,
ShareAccess=0)
Security Ref. Monitor
NTFS driver
Access Control Lists
?
Disk driversDisk drivers
ZwCreateFile( )
Secret file
Object Manager
I/O Manager
STATUS SHARING
VIOLATION

31. INTERNALS OF ZwReadFile/ZwWriteFile
31
I/O Manager
Object Manager
Security Ref. Monitor
NTFS driver
File handle
Disk driversDisk drivers
Disk
Access Control Lists
File handle
ZwReadFile( )
ZwWriteFile( )

32. INTERNALS OF ZwReadFile/ZwWriteFile
32
I/O Manager
Object Manager
Security Ref. Monitor
NTFS driver
File handle
Disk driversDisk drivers
Handle Table
Entry
...
Entry
Disk
Access Control Lists
File handle
ZwReadFile( )
ZwWriteFile( )

33. INTERNALS OF ZwReadFile/ZwWriteFile
33
I/O Manager
Object Manager
Security Ref. Monitor
NTFS driver
File handle
Disk driversDisk drivers
File Object
Handle Table
Entry
Object Header...
Entry
Disk
Access Control Lists
File handle
ZwReadFile( )
ZwWriteFile( )

34. INTERNALS OF ZwReadFile/ZwWriteFile
34
I/O Manager
Object Manager
Security Ref. Monitor
NTFS driver
File handle
Disk driversDisk drivers
File Object
Handle Table
Entry
Object Header
Other structures
...
Entry
NTFS Data
Structures
Secret fileDisk
Access Control Lists
File handle
ZwReadFile( )
ZwWriteFile( )

35. ▪ ZwCreateFile checks shared access permissions
▪ZwWriteFile and ZwReadFile do not bother about access
permissions
SUMMARY
35

36. 36
I/O Manager
Object Manager
Security Ref. Monitor
NTFS driver
File handle
Disk driversDisk drivers
File Object
Kernel Handle Table
Object Header
Other structures
NTFS Data
Structures
Secret fileDisk
Access Control Lists
File handle
ZwReadFile( )
ZwWriteFile( )
Entry Entry Entry...
IDEA OF HIJACKING: CREATE A FILE HIAJCKER

37. I/O Manager
Object Manager
Security Ref. Monitor
NTFS driver
File handle
Disk driversDisk drivers
File Object
Kernel Handle Table
Entry
Object Header
Other structures
NTFS Data
Structures
Secret fileDisk
Access Control Lists
File handle
ZwReadFile( )
ZwWriteFile( )
File handle
File handle
ZwReadFile( )
ZwWriteFile( )
File Object
Object Header
Entry
Other structures
NTFS Data
Structures
File Hiajcker
Entry Entry...
IDEA OF HIJACKING: CREATE A FILE HIAJCKER AND COPY STRUCTS
37

38. I/O Manager
Object Manager
Security Ref. Monitor
NTFS driver
File handle
Disk driversDisk drivers
File Object
Kernel Handle Table
Entry
Object Header
Other structures
NTFS Data
Structures
Secret fileDisk
Access Control Lists
File handle
ZwReadFile( )
ZwWriteFile( )
File handle
File handle
ZwReadFile( )
ZwWriteFile( )
File Object
Object Header
Entry
Other structures
NTFS Data
Structures
File Hiajcker
Entry Entry...
IDEA OF HIJACKING: CREATE A FILE HIAJCKER AND COPY STRUCTS
38

39. Handle Table Hijacking
Hijacking
FILE_OBJECT
Hijacking NTFS
Data Structures
I/O Manager
Object Manager
Security Ref. Monitor
NTFS driver
File handle
Disk driversDisk drivers
File Object
Kernel Handle Table
Entry
Object Header
Other structures
NTFS Data
Structures
Secret fileDisk
Access Control Lists
File handle
ZwReadFile( )
ZwWriteFile( )
File handle
File handle
ZwReadFile( )
ZwWriteFile( )
File Object
Object Header
Entry
Other structures
NTFS Data
Structures
File Hiajcker
Entry Entry...
HIJACKING ATTACKS ON FILES STRUCTURES
2019
39

40. Handle Table Hijacking
Hijacking
FILE_OBJECT
Hijacking NTFS
Data Structures
I/O Manager
Object Manager
Security Ref. Monitor
NTFS driver
File handle
Disk driversDisk drivers
File Object
Kernel Handle Table
Entry
Object Header
Other structures
NTFS Data
Structures
Secret fileDisk
Access Control Lists
File handle
ZwReadFile( )
ZwWriteFile( )
File handle
File handle
ZwReadFile( )
ZwWriteFile( )
File Object
Object Header
Entry
Other structures
NTFS Data
Structures
File Hiajcker
Entry Entry...
HIJACKING ATTACKS ON FILES STRUCTURES
40

41. Handle Table Hijacking
Hijacking
FILE_OBJECT
Hijacking NTFS
Data Structures
I/O Manager
Object Manager
Security Ref. Monitor
NTFS driver
File handle
Disk driversDisk drivers
File Object
Kernel Handle Table
Entry
Object Header
Other structures
NTFS Data
Structures
Secret fileDisk
Access Control Lists
File handle
ZwReadFile( )
ZwWriteFile( )
File handle
File handle
ZwReadFile( )
ZwWriteFile( )
File Object
Object Header
Entry
Other structures
NTFS Data
Structures
File Hiajcker
Entry Entry...
HIJACKING ATTACKS ON FILES STRUCTURES
2019
41

42. Handle Table Hijacking
Hijacking
FILE_OBJECT
Hijacking NTFS
Data Structures
I/O Manager
Object Manager
Security Ref. Monitor
NTFS driver
File handle
Disk driversDisk drivers
File Object
Kernel Handle Table
Entry
Object Header
Other structures
NTFS Data
Structures
Secret fileDisk
Access Control Lists
File handle
ZwReadFile( )
ZwWriteFile( )
File handle
File handle
ZwReadFile( )
ZwWriteFile( )
File Object
Object Header
Entry
Other structures
NTFS Data
Structures
File Hiajcker
Entry Entry...
HIJACKING ATTACKS ON FILES STRUCTURES
42

43. Handle Table Hijacking
Hijacking
FILE_OBJECT
Hijacking NTFS
Data Structures
I/O Manager
Object Manager
Security Ref. Monitor
NTFS driver
File handle
Disk driversDisk drivers
File Object
Kernel Handle Table
Entry
Object Header
Other structures
NTFS Data
Structures
Secret fileDisk
Access Control Lists
File handle
ZwReadFile( )
ZwWriteFile( )
File handle
File handle
ZwReadFile( )
ZwWriteFile( )
File Object
Object Header
Entry
Other structures
NTFS Data
Structures
File Hiajcker
Entry Entry...
HIJACKING ATTACKS ON FILES STRUCTURES
43
Hijacking FILE_OBJECT → MemoryRanger Prevents Hijacking FILE_OBJECT Structures in Windows Kernel
https://igorkorkin.blogspot.com/2019/04/memoryranger-prevents-hijacking.html

44. HANDLE HIJACKING ATTACK
44

45. HANDLE HIJACKING ATTACK
Handle Table Hijacking
Hijacking
FILE_OBJECT
Hijacking NTFS
Data Structures
I/O Manager
Object Manager
Security Ref. Monitor
NTFS driver
File handle
Disk driversDisk drivers
File Object
Kernel Handle Table
Entry
Object Header
Other structures
NTFS Data
Structures
Secret fileDisk
Access Control Lists
File handle
ZwReadFile( )
ZwWriteFile( )
File handle
File handle
ZwReadFile( )
ZwWriteFile( )
File Object
Object Header
Entry
Other structures
NTFS Data
Structures
File Hiajcker
Entry Entry...
45

46. KERNEL HANDLE TABLE
46
File Object
Kernel Handle Table
Object Header
Entry Entry...
File Handle
8 bytes
EntryEntry
index
ObjectPointerBits
6 bytes
Handle Entry
Object Header Addr = 0xFF00_0000 + ObjectPointerBits
File Object Addr = Object Header Addr + 0x18

47. HANDLE TABLE HIJACKING
47
ObjectPointerBits
Attacker s Driver
File handle
Researcher s Driver
File handle
Copy
content...Entry
Kernel Handle Table
ObjectPointerBits
Object Header
Secret File File Hijacker
Object Header

48. HANDLE TABLE HIJACKING
48
ObjectPointerBits
Attacker s Driver
Object Header
File handle
Researcher s Driver
File handle
Secret File File Hijacker
Object Header
Copy
content
Kernel Handle Table
ObjectPointerBits
Copy
content
Handle Table
Hijacking

49. ObjectPointerBits
Attacker s Driver
Object Header
File handle
Researcher s Driver
File handle
Secret File File Hijacker
Object Header
Copy
content
Kernel Handle Table
ObjectPointerBits
Copy
content
Handle Table
Hijacking
HANDLE TABLE HIJACKING
49

50. DEMO: HANDLE TABLE HIJACKING
50
Kernel
mode
User
mode
Hard
Disk
Driver
ZwCreateFile()
•ShareAccess=0
Secret file
OS Components
The researcher opens a secret file
Console
Kernel Handle Table
Entry

51. DEMO: HANDLE TABLE HIJACKING
51
Kernel
mode
User
mode
Hard
Disk
Driver
ZwCreateFile()
•ShareAccess=0
Secret file
Driver
ZwCreateFile()
OS Components
Attempt 1: The Legal Access
Console Attacker
access
violation
Kernel Handle Table
Entry Entry

52. DEMO: HANDLE TABLE HIJACKING
52
Kernel
mode
User
mode
Hard
Disk
Driver
ZwCreateFile()
•ShareAccess=0
Secret file
Driver
ZwCreateFile()
OS Components
Attempt 1: The Legal Access
Console Attacker
access
violation
Kernel Handle Table
Entry Entry
Driver
ZwCreateFile()
•ShareAccess=0
Secret File
Driver
handle_hijacking
hijacker.txt
OS Components
Attempt 2: Handle Table Hijacking
Attacker
EntryEntry
Console

53. DEMO#1: HANDLE TABLE HIJACKING
The online version is here –
https://www.youtube.com/embed/5NNSXfTRtiQ?vq=hd1440
53

54. HOW TO PREVENT THE HANDLE HIJACKING?
54
▪ We have to block WRITE access to the ObjectPointerBits
▪ We have to grant READ access to the whole Handle Table for all drivers
Attacker s DriverResearcher s Driver
read read
• read=true
• write=true
ObjectPointerBits
• read=true
• write=true
• read=true
• write=true
ObjectPointerBits
• read=true
• write=true
write

55. HOW TO PREVENT THE HANDLE HIJACKING?
55
Attacker s DriverResearcher s Driver
read read
• read=true
• write=true
ObjectPointerBits
• read=true
• write=true
• read=true
• write=true
ObjectPointerBits
• read=true
• write=true
MemoryRanger Hypervisor
write
▪ We have to block WRITE access to the ObjectPointerBits
▪ We have to grant READ access to the whole Handle Table for all drivers

56. MEMORYRANGER ISOLATES DRIVERS BY
RUNNING DRIVERS IN SEPARATE KERNEL SPACES
56
MemoryRanger and Enclaves details are here:
(2019) https://igorkorkin.blogspot.com/2019/04/memoryranger-prevents-hijacking.html
(2018) https://igorkorkin.blogspot.com/2018/12/divide-et-impera-memoryranger-runs.html
Driver A
Driver B
MemoryRanger Hypervisor
Driver A
Driver B
Driver A
Driver B

57. The Current Situation
OS Code
OS
Data
RSRCH Entry
Attacker
Default enclave for OS
and driver loaded before
Enclave for RSRCH s Driver
EPT pointer
Enclave for Attacker s
Driver
Kernel Handle Table
Entry
READ
READ
WRITE
READ
OS Code
OS
Data
RSRCH
Attacker
READ
OS Code
OS
Data
RSRCH
Attacker Entry
READ
OS Code
OS
Data
RSRCH
Attacker
READ
READ
READ
WRITE
GrAc.
ObjP.
Entry
GrAc.
ObjP.
Entry
Entry
MEMORY MAP: MEMORYRANGER PREVENTS HANDLE HIJACKING
57

58. The Current Situation
OS Code
OS
Data
RSRCH Entry
Attacker
Default enclave for OS
and driver loaded before
Enclave for RSRCH s Driver
EPT pointer
Enclave for Attacker s
Driver
Kernel Handle Table
Entry
READ
READ
WRITE
READ
OS Code
OS
Data
RSRCH
Attacker
READ
OS Code
OS
Data
RSRCH
Attacker Entry
READ
OS Code
OS
Data
RSRCH
Attacker
READ
READ
READ
WRITE
GrAc.
ObjP.
Entry
GrAc.
ObjP.
Entry
Entry
MEMORY MAP: MEMORYRANGER PREVENTS HANDLE HIJACKING
58

59. MEMORY MAP: MEMORYRANGER PREVENTS HANDLE HIJACKING
The Current Situation
OS Code
OS
Data
RSRCH Entry
Attacker
Default enclave for OS
and driver loaded before
Enclave for RSRCH s Driver
EPT pointer
Enclave for Attacker s
Driver
Kernel Handle Table
Entry
READ
READ
WRITE
READ
OS Code
OS
Data
RSRCH
Attacker
READ
OS Code
OS
Data
RSRCH
Attacker Entry
READ
OS Code
OS
Data
RSRCH
Attacker
READ
READ
READ
WRITE
GrAc.
ObjP.
Entry
GrAc.
ObjP.
Entry
Entry

60. MEMORY MAP: MEMORYRANGER PREVENTS HANDLE HIJACKING
60
The Current Situation
OS Code
OS
Data
RSRCH Entry
Attacker
Default enclave for OS
and driver loaded before
Enclave for RSRCH s Driver
EPT pointer
Enclave for Attacker s
Driver
Kernel Handle Table
Entry
READ
READ
WRITE
READ
OS Code
OS
Data
RSRCH
Attacker
READ
OS Code
OS
Data
RSRCH
Attacker Entry
READ
OS Code
OS
Data
RSRCH
Attacker
READ
READ
READ
WRITE
GrAc.
ObjP.
Entry
GrAc.
ObjP.
Entry
Entry

61. DEMO#2: PREVENTION OF HANDLE TABLE HIJACKING
The online version is here –
https://www.youtube.com/embed/5Pz-IXvQDiY?vq=hd1440
61

62. 62
MemoryRanger Prevents the Handle Hijacking
MemoryRanger
restricts WRITE
access to the
ObjectPointerBits
field
Attacker s EnclaveRSRCH s Enclave
Driver
ZwCreateFile()
•ShareAccess=0
Secret File
Attacker
hijacker.txt
OS Components
MemoryRanger
Driver
handle_hijacking
OS Components
Default Enclave
OS kernel,
and other
drivers
OS kernel,
and other
drivers
OS kernel
and other
drivers
Internal
Data
Internal
Data
OS and
Other
Data
Console
EntryEntry Entry
GrAc.
ObjP.Entry
GrAc.
ObjP.

63. 63
MemoryRanger Prevents the Handle Hijacking
MemoryRanger
restricts WRITE
access to the
ObjectPointerBits
field
Attacker s EnclaveRSRCH s Enclave
Driver
ZwCreateFile()
•ShareAccess=0
Secret File
Attacker
hijacker.txt
OS Components
MemoryRanger
Driver
handle_hijacking
OS Components
Default Enclave
OS kernel,
and other
drivers
OS kernel,
and other
drivers
OS kernel
and other
drivers
Internal
Data
Internal
Data
OS and
Other
Data
Console
EntryEntry Entry
GrAc.
ObjP.Entry
GrAc.
ObjP.

64. HIJACKING NTFS DATA STRUCTURES
64

65. HIJACKING ATTACKS ON FILES STRUCTURES
Handle Table Hijacking
Hijacking
FILE_OBJECT
Hijacking NTFS
Data Structures
I/O Manager
Object Manager
Security Ref. Monitor
NTFS driver
File handle
Disk driversDisk drivers
File Object
Kernel Handle Table
Entry
Object Header
Other structures
NTFS Data
Structures
Secret fileDisk
Access Control Lists
File handle
ZwReadFile( )
ZwWriteFile( )
File handle
File handle
ZwReadFile( )
ZwWriteFile( )
File Object
Object Header
Entry
Other structures
NTFS Data
Structures
File Hiajcker
Entry Entry...
65

66. NTFS DATA STRUCTURES
66
PVOID FsContent
File Object
File Control Block
PVOID FsContent2 ERESOURCE
FAST_MUTEX
File on the Disk
etc...
File Handle
Cache Control Block
ERESOURCE
FAST_MUTEX
Control Block Structures
(NTFS data structures)

67. HIJACKING NTFS STRUCTURES
67
Attacker s Driver
FILE_OBJECT
Researcher s Driver
FILE_OBJECT
Secret File File Hijacker
NTFS Data
Structures
FAST_MUTEX ERESOURCE
etc
FAST_MUTEX ERESOURCE
etc
NTFS Data
Structures

68. HIJACKING NTFS STRUCTURES
68
Attacker s Driver
FILE_OBJECT
Researcher s Driver
FILE_OBJECT
Secret File File Hijacker
NTFS Data
Structures
FAST_MUTEX ERESOURCE
etc
FAST_MUTEX ERESOURCE
etc
Hijacking NTFS
structures
NTFS Data
Structures
Copy content

69. HIJACKING NTFS STRUCTURES
69
Attacker s Driver
FILE_OBJECT
Researcher s Driver
FILE_OBJECT
Secret File File Hijacker
NTFS Data
Structures
FAST_MUTEX ERESOURCE
etc
FAST_MUTEX ERESOURCE
etc
Hijacking NTFS
structures
NTFS Data
Structures
Copy content

70. BSOD - RESOURCE_NOT_OWNED (0xE3)
70

71. void ExReleaseResourceLite(PERESOURCE Resource){
…
CurrentThread = KeGetCurrentThread();
if (IsOwnedExclusive(Resource)) {
if (Resource->OwnerThreads[0].OwnerThread != CurrentThread) {
KeBugCheckEx(RESOURCE_NOT_OWNED, … )
}
}
}
BSOD: THE REASON AND THE WAY TO BYPASS
*wrk-v1.2basentosexresource.c
71

72. void ExReleaseResourceLite(PERESOURCE Resource){
…
CurrentThread = KeGetCurrentThread();
if (IsOwnedExclusive(Resource)) {
if (Resource->OwnerThreads[0].OwnerThread != CurrentThread) {
KeBugCheckEx(RESOURCE_NOT_OWNED, … )
}
}
}
BSOD: THE REASON AND THE WAY TO BYPASS
*wrk-v1.2basentosexresource.c
72

73. 1. Overwrite control block structures
2. Patch ThreadID-related fields using attackers ThreadID:
▪ Resource->OwnerEntry.OwnerThread = PsGetCurrentThread();
▪ PagingIoResource->OwnerEntry.OwnerThread = PsGetCurrentThread()
3. Repeat steps 1 and 2 before each read and write call
BSOD: THE WAY TO BYPASS (FOR HACKERS ONLY)
73

74. DEMO: HIJACKING NTFS STRUCTURES
74
Kernel
mode
User
mode
Hard
Disk
Driver
ZwCreateFile()
•ShareAccess=0
Secret file
Driver
ZwCreateFile()
OS Components
Attempt 1: The Legal Access
Console Attacker
access
violation
NTFS Data
Structures
NTFS Data
Structures

75. DEMO: HIJACKING NTFS STRUCTURES
75
Kernel
mode
User
mode
Hard
Disk
Driver
ZwCreateFile()
•ShareAccess=0
Secret file
Driver
ZwCreateFile()
OS Components
Attempt 1: The Legal Access
Console Attacker
access
violation
Driver
ZwCreateFile()
•ShareAccess=0
Secret File
Driver
hijacking_ntfs_structs
hijacker.txt
OS Components
Attempt 2: Hijacking NTFS structures
AttackerConsole
NTFS Data
Structures
NTFS Data
Structures
NTFS Data
Structures
NTFS Data Structs
Repeat
patching

76. DEMO#3: HIJACKING NTFS STRUCTURES
The online version is here –
https://www.youtube.com/embed/bHEf2fNkqbc?vq=hd1440
76

77. The Current Situation
OS Code
OS
Data
RSRCH NTFS
Struct
Attacker
Default enclave for OS and
driver loaded before
EPT pointer
READ
NTFS
Struct
READ
READ
OS Code
OS
Data
RSRCH NTFS
Struct
Attacker
READ
NTFS
Struct
Enclave for RSRSH s Driver
OS Code
OS
Data
RSRCH NTFS
Struct
Attacker
READ
NTFS
Struct
READ
Enclave for Attacker s
Driver
OS Code
OS
Data
RSRCH NTFS
Struct
Attacker
READ
NTFS
Struct
WRITE
READ
WRITE
77
MEMORYRANGER PREVENTS HIJACKING NTFS STRUCTS

78. The Current Situation
OS Code
OS
Data
RSRCH NTFS
Struct
Attacker
Default enclave for OS and
driver loaded before
EPT pointer
READ
NTFS
Struct
READ
READ
OS Code
OS
Data
RSRCH NTFS
Struct
Attacker
READ
NTFS
Struct
Enclave for RSRSH s Driver
OS Code
OS
Data
RSRCH NTFS
Struct
Attacker
READ
NTFS
Struct
READ
Enclave for Attacker s
Driver
OS Code
OS
Data
RSRCH NTFS
Struct
Attacker
READ
NTFS
Struct
WRITE
READ
WRITE
78
MEMORYRANGER PREVENTS HIJACKING NTFS STRUCTS

79. DEMO#4: PREVENTION OF HIJACKING NTFS STRUCTS
The online version is here –
https://www.youtube.com/embed/CSvq-VyxFH4?vq=hd1440
79

80. 80
Preventing the Hijacking NTFS structures
MemoryRanger
prevents Hijacking
NTFS structures
Attacker s EnclaveRSRCH s Enclave
Driver
ZwCreateFile()
•ShareAccess=0
Secret File
Attacker
hijacker.txt
OS Components
MemoryRanger
Driver
hijacking_ntfs_structs
Default Enclave
OS kernel,
and other
drivers
OS kernel,
and other
drivers
OS kernel
and other
drivers
Internal
Data
Internal
Data
OS and
Other
Data
Console
NTFS
Structs
NTFS
Structs
NTFS
Structs
NTFS
Structs
OS Components

81. Episode 2
Privilege Escalation via Token Hijacking
81

82. 82
EPROCESS
OS kernel core (Scheduler, etc)
SYSTEM:4
Kernel
mode
User
mode
EPROCESS AND TOKEN IN WINDOWS

83. 83
EPROCESS EPROCESS
OS kernel core (Scheduler, etc)
SYSTEM:4 CMD
Kernel
mode
User
mode
EPROCESS AND TOKEN IN WINDOWS

84. 84
TOKEN
EPROCESS
EX_FAST_REF Token
EPROCESS
EX_FAST_REF Token
OS kernel core (Scheduler, etc)
Privileges
SYSTEM:4 CMD
Kernel
mode
User
mode
void * Object void * Object
TOKEN
Privileges
EPROCESS AND TOKEN IN WINDOWS

85. 85
TOKEN
EPROCESS
EX_FAST_REF Token
EPROCESS
EX_FAST_REF Token
OS kernel core (Scheduler, etc)
Privileges
SYSTEM:4 CMD
Kernel
mode
User
mode
void * Object void * Object
TOKEN
Privileges
+more privs
EPROCESS AND TOKEN IN WINDOWS: ADD MORE PRIVILEGES

86. 86
TOKEN
EPROCESS
EX_FAST_REF Token
EPROCESS
EX_FAST_REF Token
OS kernel core (Scheduler, etc)
•SidHash
•RestrictedSidHash
Privileges
SYSTEM:4 CMD
Kernel
mode
User
mode
void * Object void * Object
TOKEN
Privileges
+more privs
•SidHash
•RestrictedSidHash
EPROCESS AND TOKEN IN WINDOWS: SidHash field

87. 87
TOKEN
EPROCESS
EX_FAST_REF Token
EPROCESS
EX_FAST_REF Token
OS kernel core (Scheduler, etc)
•SidHash
•RestrictedSidHash
Privileges
SYSTEM:4 CMD
Kernel
mode
User
mode
void * Object void * Object
TOKEN
Privileges
+more privs
•SidHash
•RestrictedSidHash
EPROCESS AND TOKEN IN WINDOWS: TOKEN SWAPPING

88. 88
EPROCESS AND TOKEN IN WINDOWS: MSFT Defender
TOKEN
EPROCESS
EX_FAST_REF Token
EPROCESS
EX_FAST_REF Token
OS kernel core (Scheduler, etc)
•SidHash
•RestrictedSidHash
Privileges
SYSTEM:4 CMD
Kernel
mode
User
mode
void * Object void * Object
TOKEN
Privileges
+more privs
•SidHash
•RestrictedSidHash

89. TOKEN INTERNALS
89
_EPROCESS
Dynamic Part
Static Part
_TOKEN

90. TOKEN INTERNALS
90
•UserAndGroups
•UserAndGroupCount
...
_EPROCESS
•SidHash
Dynamic Part
Static Part
_SID_AND_ATTRIBUTES:
•PSID Sid ULONG Attributes
_SID_AND_ATTRIBUTES:
•PSID Sid ULONG Attributes
_SID_AND_ATTRIBUTES:
•PSID Sid ULONG Attributes
SIDN
SID1
...
SidHash = hash(SID1+..+SIDN)
_TOKEN

91. AN IDEA OF TOKEN HIJACKING ATACK
91
_TOKEN
•UserAndGroups
•UserAndGroupCount
SID
...
SID
...
•SidHash
_SID_AND_ATTRIBUTES:
•PSID Sid ULONG Attributes
_SID_AND_ATTRIBUTES:
•PSID Sid ULONG Attributes
_SID_AND_ATTRIBUTES:
•PSID Sid ULONG Attributes
_TOKEN
•UserAndGroups
•UserAndGroupCount
SID
...
SID
...
•SidHash
_SID_AND_ATTRIBUTES:
•PSID Sid ULONG Attributes
_SID_AND_ATTRIBUTES:
•PSID Sid ULONG Attributes
_SID_AND_ATTRIBUTES:
•PSID Sid ULONG Attributes

92. AN IDEA OF TOKEN HIJACKING ATACK
92
_TOKEN
•UserAndGroups
•UserAndGroupCount
SID
...
SID
...
•SidHash
_SID_AND_ATTRIBUTES:
•PSID Sid ULONG Attributes
_SID_AND_ATTRIBUTES:
•PSID Sid ULONG Attributes
_SID_AND_ATTRIBUTES:
•PSID Sid ULONG Attributes
_TOKEN
•UserAndGroups
•UserAndGroupCount
SID
...
SID
...
•SidHash
_SID_AND_ATTRIBUTES:
•PSID Sid ULONG Attributes
_SID_AND_ATTRIBUTES:
•PSID Sid ULONG Attributes
_SID_AND_ATTRIBUTES:
•PSID Sid ULONG Attributes
Copy both parts:
static and dynamic

93. TOKEN HIJACKING ATTACK
93
TOKEN
EPROCESS
TOKEN
EPROCESS
OS kernel core (Scheduler, etc)
SYSTEM:4 CMD
Kernel
mode
User
mode Console
Driver
token_hijacking

94. TOKEN HIJACKING ATTACK
94Commands to stop and disable Windows Defender —
https://www.carbonblack.com/2019/08/16/cb-tau-threat-intelligence-notification-trickbot-banking-trojan-continues-to-evolve/
TOKEN
EPROCESS
TOKEN
EPROCESS
OS kernel core (Scheduler, etc)
SYSTEM:4 CMD
Kernel
mode
User
mode Console
Driver
token_hijacking

95. DEMO#5: TOKEN HIJACKING
The online version is here –
https://www.youtube.com/embed/7Dgtz_2oGJg?vq=hd1440
95

96. Enclaves for Newly Loaded DriversEnclaves for sensitive kernel data
EPT pointer
The Current Situation
OS Code
R/W
Token
Structures
Token
Structures
EPROCESS
Strustures
Token
Structures
Token
Structures
Token
Structures
R/W
Attacker
Default enclave for OS and
driver loaded before
OS Code
R/W
Token
Structures
Token
Structures
EPROCESS
Strustures
Token
Structures
Token
Structures
Token
Structures
R/W
Attacker
The Token Enclave
OS Code
Token
Structures
Token
Structures
EPROCESS
Strustures
Token
Structures
Token
Structures
Token
Structures
Attacker
EnclaveforaNewlyLoadedDriver
OS Code
R/W
Token
Structures
Token
Structures
EPROCESS
Strustures
Token
Structures
Token
Structures
Token
Structures
Attacker
Earlier
Loaded
Drivers
Earlier
Loaded
Drivers
Earlier
Loaded
Drivers
Earlier
Loaded
Drivers
R/W
A Newly
Loaded
Driver
A Newly
Loaded
Driver
A Newly
Loaded
Driver
R/W
A Newly
Loaded
Driver
MEMORY MAP: MEMORYRANGER PREVENTS TOKEN HIAJCKING
96

97. Enclaves for Newly Loaded DriversEnclaves for sensitive kernel data
EPT pointer
The Current Situation
OS Code
R/W
Token
Structures
Token
Structures
EPROCESS
Strustures
Token
Structures
Token
Structures
Token
Structures
R/W
Attacker
Default enclave for OS and
driver loaded before
OS Code
R/W
Token
Structures
Token
Structures
EPROCESS
Strustures
Token
Structures
Token
Structures
Token
Structures
R/W
Attacker
The Token Enclave
OS Code
Token
Structures
Token
Structures
EPROCESS
Strustures
Token
Structures
Token
Structures
Token
Structures
Attacker
EnclaveforaNewlyLoadedDriver
OS Code
R/W
Token
Structures
Token
Structures
EPROCESS
Strustures
Token
Structures
Token
Structures
Token
Structures
Attacker
Earlier
Loaded
Drivers
Earlier
Loaded
Drivers
Earlier
Loaded
Drivers
Earlier
Loaded
Drivers
R/W
A Newly
Loaded
Driver
A Newly
Loaded
Driver
A Newly
Loaded
Driver
R/W
A Newly
Loaded
Driver
MEMORY MAP: MEMORYRANGER PREVENTS TOKEN HIAJCKING
97

98. Enclaves for Newly Loaded DriversEnclaves for sensitive kernel data
EPT pointer
The Current Situation
OS Code
R/W
Token
Structures
Token
Structures
EPROCESS
Strustures
Token
Structures
Token
Structures
Token
Structures
R/W
Attacker
Default enclave for OS and
driver loaded before
OS Code
R/W
Token
Structures
Token
Structures
EPROCESS
Strustures
Token
Structures
Token
Structures
Token
Structures
R/W
Attacker
The Token Enclave
OS Code
Token
Structures
Token
Structures
EPROCESS
Strustures
Token
Structures
Token
Structures
Token
Structures
Attacker
EnclaveforaNewlyLoadedDriver
OS Code
R/W
Token
Structures
Token
Structures
EPROCESS
Strustures
Token
Structures
Token
Structures
Token
Structures
Attacker
Earlier
Loaded
Drivers
Earlier
Loaded
Drivers
Earlier
Loaded
Drivers
Earlier
Loaded
Drivers
R/W
A Newly
Loaded
Driver
A Newly
Loaded
Driver
A Newly
Loaded
Driver
R/W
A Newly
Loaded
Driver
MEMORY MAP: MEMORYRANGER PREVENTS TOKEN HIAJCKING
98

99. Enclaves for Newly Loaded DriversEnclaves for sensitive kernel data
EPT pointer
The Current Situation
OS Code
R/W
Token
Structures
Token
Structures
EPROCESS
Strustures
Token
Structures
Token
Structures
Token
Structures
R/W
Attacker
Default enclave for OS and
driver loaded before
OS Code
R/W
Token
Structures
Token
Structures
EPROCESS
Strustures
Token
Structures
Token
Structures
Token
Structures
R/W
Attacker
The Token Enclave
OS Code
Token
Structures
Token
Structures
EPROCESS
Strustures
Token
Structures
Token
Structures
Token
Structures
Attacker
EnclaveforaNewlyLoadedDriver
OS Code
R/W
Token
Structures
Token
Structures
EPROCESS
Strustures
Token
Structures
Token
Structures
Token
Structures
Attacker
Earlier
Loaded
Drivers
Earlier
Loaded
Drivers
Earlier
Loaded
Drivers
Earlier
Loaded
Drivers
R/W
A Newly
Loaded
Driver
A Newly
Loaded
Driver
A Newly
Loaded
Driver
R/W
A Newly
Loaded
Driver
MEMORY MAP: MEMORYRANGER PREVENTS TOKEN HIAJCKING
99

100. DEMO#6: PREVENTION OF TOKEN HIJACKING
The online version is here –
https://www.youtube.com/embed/_zGAR7wvM4g?vq=hd1440
100

101. 101
TOKEN
EPROCESS
TOKEN
EPROCESS
OS kernel core (Scheduler, etc)
SYSTEM:4 CMD
Kernel
mode
User
mode Console
Driver
token_hijacking
TOKEN HIJACKING ATTACK

102. 102
TOKEN HIJACKING IS BLOCKED BY A NEW DATA-ONLY ENCLAVE
Here is a new data-only enclave
TOKEN
EPROCESS
TOKEN
EPROCESS
OS kernel core (Scheduler, etc)
SYSTEM:4 CMD
Kernel
mode
User
mode Console
Driver
token_hijacking
MemoryRanger
prevents Token
Hijacking

103. Episode 3
MemoryRanger
103

104. MEMORY RANGER ARCHITECTURE
104
https://github.com/IgorKorkin/MemoryRanger
OS
Memory Access Policy (MAP)
Access to the protected
data triggers EPT violation
Driver registers callbacks
to receive OS events
Hypervisor
A new driver
is loaded
Kernel API
function is called
DdiMon hooks
kernel API routines
MemoryMonRWX
traps EPT violations
?
Memory
Ranger
ISOLATED_MEM_ENCLAVE PROTECTED_MEMORY
PROTECTED_MEMORY
PROTECTED_MEMORY
ISOLATED_MEM_ENCLAVE
ISOLATED_MEM_ENCLAVE
PROTECTED_MEMORY
PROTECTED_MEMORY
DEFAULT_MEM_ENCLAVE
TOKEN_MEM_ENCLAVE
A new process
is created
(Further details in the paper)

105. 1. Windows OS security features provide limited kernel memory protection
2. Handle Hijacking = copy 6 bytes of structure
3. Hijacking NTFS = copy data structures & Thread ID
4. Token Hijacking = copy structures & their interconnections
5. Updated MemoryRanger
▪ protects new data structures
▪ includes a new data-only enclave to isolate the secret data from all drivers
▪ works well on the recent Windows 1903
CONCLUSION
105

106. 106

107. 107
MemoryRanger
protects the OS!

108. Igor Korkin * igor.korkin@gmail.com * igorkorkin.blogspot.com

109. EXTRA SLIDES
109

110. DEMO: PREVENTING THE HANDLE HIJACKING ATTACK
110
MemoryRanger Prevents the Handle Hijacking
MemoryRanger
restricts WRITE
access to the
ObjectPointerBits
field
Attacker s EnclaveRSRCH s Enclave
Driver
ZwCreateFile()
•ShareAccess=0
Secret File
Attacker
hijacker.txt
OS Components
MemoryRanger
Driver
handle_hijacking
OS Components
Default Enclave
OS kernel,
and other
drivers
OS kernel,
and other
drivers
OS kernel
and other
drivers
Internal
Data
Internal
Data
OS and
Other
Data
Driver
ZwCreateFile()
•ShareAccess=0
Secret File
Driver
handle_hijacking
hijacker.txt
OS Components
Attempt 2: Handle Table Hijacking
Attacker
EntryEntry
Console Console
Entry
EntryEntry Entry
GrAc.
ObjP.Entry
GrAc.
ObjP.

111. DEMO: PREVENTING THE HIJACKING NTFS STRUCTURES
111
Driver
ZwCreateFile()
•ShareAccess=0
Secret File
Driver
hijacking_ntfs_structs
hijacker.txt
OS Components
Attempt 2: Hijacking NTFS structures
AttackerConsole
NTFS Data
Structures
NTFS Data Structs
Repeat
patching
Preventing the Hijacking NTFS structures
MemoryRanger
prevents Hijacking
NTFS structures
Attacker s EnclaveRSRCH s Enclave
Driver
ZwCreateFile()
•ShareAccess=0
Secret File
Attacker
hijacker.txt
OS Components
MemoryRanger
Driver
hijacking_ntfs_structs
Default Enclave
OS kernel,
and other
drivers
OS kernel,
and other
drivers
OS kernel
and other
drivers
Internal
Data
Internal
Data
OS and
Other
Data
Console
NTFS
Structs
NTFS
Structs
NTFS
Structs
NTFS
Structs
OS Components