Protected Process Light will be Protected – MemoryRanger Fills the Gap Again
Download as PPTX, PDF0 likes1,967 views
This document discusses Protected Process Light (PPL) and how it protects process memory on Windows. PPL adds a protection field to the EPROCESS structure that is set during process creation to mark a process as protected. When another process tries to open a protected process, Windows performs access checks using the protection levels to restrict access even for processes running with debug privileges. This helps prevent malware and other unauthorized processes from accessing sensitive memory of protected processes like LSASS.
![PPL: PspAllocateProcess sets Protection.Level for the process
Protection = 0x0 Protection = 0x72
PspAllocateProcess:
mov rdx, [nt!PsProcessType]
call nt!ObCreateObject ; allocates EPROCESS structure
..
mov r15,qword ptr [rsp+0B8h] ; r15 is address of created EPROCESS
mov byte ptr [r15+87Ah], dil ; 87Ah is offset of Protection.Level
; dil is the Protection.level
52](https://image.slidesharecdn.com/slides-texas-protected-process-light-will-be-protected-memoryranger-fills-the-gap-again-211031144435/85/Protected-Process-Light-will-be-Protected-MemoryRanger-Fills-the-Gap-Again-52-320.jpg)
![PPL: PspAllocateProcess sets Protection.Level for the process
PspAllocateProcess:
mov rdx, [nt!PsProcessType]
call nt!ObCreateObject ; allocates EPROCESS structure
..
mov r15,qword ptr [rsp+0B8h] ; r15 is address of created EPROCESS
mov byte ptr [r15+87Ah], dil ; 87Ah is offset of Protection.Level
; dil is the Protection.level
Protection = 0x0 Protection = 0x72 53](https://image.slidesharecdn.com/slides-texas-protected-process-light-will-be-protected-memoryranger-fills-the-gap-again-211031144435/85/Protected-Process-Light-will-be-Protected-MemoryRanger-Fills-the-Gap-Again-53-320.jpg)
![PPL: PspAllocateProcess sets Protection.Level for the process
PspAllocateProcess:
mov rdx, [nt!PsProcessType]
call nt!ObCreateObject ; allocates EPROCESS structure
..
mov r15,qword ptr [rsp+0B8h] ; r15 is address of created EPROCESS
mov byte ptr [r15+87Ah], dil ; 87Ah is offset of Protection.Level
; dil is the Protection.level
Protection = 0x0 Protection = 0x72 54](https://image.slidesharecdn.com/slides-texas-protected-process-light-will-be-protected-memoryranger-fills-the-gap-again-211031144435/85/Protected-Process-Light-will-be-Protected-MemoryRanger-Fills-the-Gap-Again-54-320.jpg)
![PPL: PspAllocateProcess sets Protection.Level for the process
PspAllocateProcess:
mov rdx, [nt!PsProcessType]
call nt!ObCreateObject ; allocates EPROCESS structure
..
mov r15,qword ptr [rsp+0B8h] ; r15 is address of created EPROCESS
mov byte ptr [r15+87Ah], dil ; 87Ah is offset of Protection.Level
; dil is the Protection.level
Protection.Level = 0x0 Protection.Level = 0x72 55](https://image.slidesharecdn.com/slides-texas-protected-process-light-will-be-protected-memoryranger-fills-the-gap-again-211031144435/85/Protected-Process-Light-will-be-Protected-MemoryRanger-Fills-the-Gap-Again-55-320.jpg)
![bool RtlTestProtectedAccess(PS_PROTECTION CallerProt, PS_PROTECTION TargetProt)
{
if (TargetProt.Type == 0)
return true;
if (CallerProt.Type < TargetProt.Type)
return false;
auto CallerDMask = RtlProtectedAccess[CallerProt.Signer].DominateMask;
auto TargetMask = (1 << TargetProt.Signer);
return (CallerDMask & TargetMask);
}
62
PPL: RtlTestProtectedAccess()
https://github.com/IgorKorkin/PPL](https://image.slidesharecdn.com/slides-texas-protected-process-light-will-be-protected-memoryranger-fills-the-gap-again-211031144435/85/Protected-Process-Light-will-be-Protected-MemoryRanger-Fills-the-Gap-Again-62-320.jpg)
![bool RtlTestProtectedAccess(PS_PROTECTION CallerProt, PS_PROTECTION TargetProt)
{
if (TargetProt.Type == 0)
return true;
if (CallerProt.Type < TargetProt.Type)
return false;
auto CallerDMask = RtlProtectedAccess[CallerProt.Signer].DominateMask;
auto TargetMask = (1 << TargetProt.Signer);
return (CallerDMask & TargetMask);
}
63
PPL: RtlTestProtectedAccess()
https://github.com/IgorKorkin/PPL](https://image.slidesharecdn.com/slides-texas-protected-process-light-will-be-protected-memoryranger-fills-the-gap-again-211031144435/85/Protected-Process-Light-will-be-Protected-MemoryRanger-Fills-the-Gap-Again-63-320.jpg)
![bool RtlTestProtectedAccess(PS_PROTECTION CallerProt, PS_PROTECTION TargetProt)
{
if (TargetProt.Type == 0)
return true;
if (CallerProt.Type < TargetProt.Type)
return false;
auto CallerDMask = RtlProtectedAccess[CallerProt.Signer].DominateMask;
auto TargetMask = (1 << TargetProt.Signer);
return (CallerDMask & TargetMask);
}
64
PPL: RtlTestProtectedAccess()
https://github.com/IgorKorkin/PPL](https://image.slidesharecdn.com/slides-texas-protected-process-light-will-be-protected-memoryranger-fills-the-gap-again-211031144435/85/Protected-Process-Light-will-be-Protected-MemoryRanger-Fills-the-Gap-Again-64-320.jpg)
![bool RtlTestProtectedAccess(PS_PROTECTION CallerProt, PS_PROTECTION TargetProt)
{
if (TargetProt.Type == 0)
return true;
if (CallerProt.Type < TargetProt.Type)
return false;
auto CallerDMask = RtlProtectedAccess[CallerProt.Signer].DominateMask;
auto TargetMask = (1 << TargetProt.Signer);
return (CallerDMask & TargetMask);
}
65
PPL: RtlTestProtectedAccess()
https://github.com/IgorKorkin/PPL](https://image.slidesharecdn.com/slides-texas-protected-process-light-will-be-protected-memoryranger-fills-the-gap-again-211031144435/85/Protected-Process-Light-will-be-Protected-MemoryRanger-Fills-the-Gap-Again-65-320.jpg)
![bool RtlTestProtectedAccess(PS_PROTECTION CallerProt, PS_PROTECTION TargetProt)
{
if (TargetProt.Type == 0)
return true;
if (CallerProt.Type < TargetProt.Type)
return false;
auto CallerDMask = RtlProtectedAccess[CallerProt.Signer].DominateMask;
auto TargetMask = (1 << TargetProt.Signer);
return (CallerDMask & TargetMask);
}
66
PPL: RtlTestProtectedAccess()
https://github.com/IgorKorkin/PPL](https://image.slidesharecdn.com/slides-texas-protected-process-light-will-be-protected-memoryranger-fills-the-gap-again-211031144435/85/Protected-Process-Light-will-be-Protected-MemoryRanger-Fills-the-Gap-Again-66-320.jpg)
Protected Process Light will be Protected – MemoryRanger Fills the Gap Again
- 1. Protected Process Light will be Protected ‐ MemoryRanger Fills the Gap Again Igor Korkin Independent Researcher 2021
- 2. WHOAMI PhD, speaker at the ADFSL, BlackHat, HITB, IEEE SPW OS Security Researcher: Rootkits, Anti-rootkits and EDRs Memory Forensics for user- and kernel- modes Bare-Metal Hypervisors against Attacks on Kernel Memory Fan of cross-disciplinary research — Love traveling and powerlifting — igorkorkin.blogspot.com igor.korkin 2
- 3. Protected Process Light (PPL) — Algorithm and Attacks 3 AGENDA
- 4. 4 Users secrets are stored in process memory AGENDA
- 5. 5 Protected Process Light (enabled) PPL is enabled for the process to protect its memory AGENDA
- 6. 6 Protected Process Light (enabled) Attackers are trying to steal the secrets, but PPL blocks their access AGENDA
- 7. 7 Protected Process Light (enabled) Attackers are trying to steal the secrets, but PPL blocks their access • Access to the protected process memory • Inject code into the protected processes • Terminate protected processes Thanks to PPL non-protected processes cannot do the following:
- 8. 8 Protected Process Light (enabled) Protected Process Light (disabled) Attackers can disable PPL AGENDA
- 9. 9 Protected Process Light (enabled) Protected Process Light (disabled) User s secret (stolen) Attackers can steal users data easily AGENDA
- 10. Malware is not protected Attackers want to protect their malware processes AGENDA
- 11. But PPL is enabled only for processes with a special signature Malware is not protected AGENDA
- 12. Malware apps can illegally enable PPL to protect themselves Malware is protected by PPL Malware is not protected AGENDA
- 13. Protected Process Light (enabled) Protected Process Light (disabled) User s secret (stolen) Malware is protected by PPL Malware is not protected Protected Process Light (PPL) — Algorithm and Attacks 13 AGENDA
- 14. Protected Process Light (enabled) Protected Process Light (disabled) User s secret (stolen) Malware is protected by PPL Malware is not protected Protected Process Light (PPL) — Algorithm and Attacks 14 AGENDA Changing kernel data can abuse PPL
- 15. Protected Process Light (enabled) Protected Process Light (disabled) User s secret (stolen) Malware is protected by PPL Malware is not protected Protected Process Light (PPL) — Algorithm and Attacks 15 AGENDA
- 16. Protected Process Light (enabled) Protected Process Light (disabled) User s secret (stolen) Malware is protected by PPL Malware is not protected MemoryRanger blocks attacks on PPL: Driver A Driver B MemoryRanger Hypervisor Driver A Driver B Driver A Driver B Protected Process Light (PPL) — Algorithm and Attacks AGENDA
- 18. 18 Episode 1 Does Windows provide any feature to Protect Process Memory?
- 19. 19 1. Security Reference Monitor (SRM) 2. Protected Process Light (PPL) 3. AppContainer Isolation 4. Windows Resource Protection (WRP, SFC) 5. Session 0 Isolation and Secure Desktop 6. Windows Memory Management (Virtual Memory and Enclave API) 7. Windows Integrity Control (WIC) 8. Mandatory Integrity Control (MIC) 1. User Interface Privilege Isolation (IUPI) 2. Enhanced Protected Mode (EPM) 9. Isolated User Mode (IUM) enabled by Hyper-V WINDOWS FEATURES TO PROTECT PROCESS MEMORY
- 20. 20 WINDOWS FEATURES TO PROTECT PROCESS MEMORY: SRM 1. Security Reference Monitor (SRM) 2. Protected Process Light (PPL) 3. AppContainer Isolation 4. Windows Resource Protection (WRP, SFC) 5. Session 0 Isolation and Secure Desktop 6. Windows Memory Management (Virtual Memory and Enclave API) 7. Windows Integrity Control (WIC) 8. Mandatory Integrity Control (MIC) 1. User Interface Privilege Isolation (IUPI) 2. Enhanced Protected Mode (EPM) 9. Isolated User Mode (IUM) enabled by Hyper-V
- 21. OpenProcess ( ) App with sensitive data A m alware app calls OpenProcess() 21 A malware App calls OpenProcess() to Access Process Data
- 22. NT/ Process Manager Security Reference Monitor (SRM) OpenProcess ( ) App with sensitive data Access Token Privilege SRM perform s access check using Access Token and Security Descriptor 22 SRM checks access rights using Token and Security Descriptor
- 23. NT/ Process Manager Security Reference Monitor (SRM) OpenProcess ( ) App with sensitive data Security Descriptor Access Token Privilege SRM perform s access check using Access Token and Security Descriptor 23 SRM checks access rights using Token and Security Descriptor
- 24. NT/ Process Manager Security Reference Monitor (SRM) OpenProcess ( ) App with sensitive data Security Descriptor Access Token Privilege SRM perform s access check using Access Token and Security Descriptor ? 24 SRM checks access rights using Token and Security Descriptor
- 25. NT/ Process Manager Security Reference Monitor (SRM) OpenProcess ( ) App with sensitive data Security Descriptor Access Token Privilege +SeDeb ugPrivilege SRM always allows full access for process with enabled SeDebugPrivilege 25 SRM allows full access for app with SeDebugPrivilege In Windows Security Model any process with admin rights can acquire the debug privilege and access the memory of any process
- 26. NT/ Process Manager Security Reference Monitor (SRM) OpenProcess ( ) App with sensitive data Security Descriptor Access Token Privilege +SeDeb ugPrivilege Data is leaked SRM always allows full access for process with enabled SeDebugPrivilege Malware with enabled debug privilege can steal sensitive data
- 27. NT/ Process Manager Security Reference Monitor (SRM) OpenProcess ( ) App with sensitive data Security Descriptor Access Token Privilege +SeDeb ugPrivilege Data is leaked SRM always allows full access for process with enabled SeDebugPrivilege ? How to protect data from apps running with debug privilege?
- 28. 28 Episode 2 Protected Process Light? What’s that?
- 29. 1. Security Reference Monitor (SRM) 2. Protected Process Light (PPL) 3. AppContainer Isolation 4. Windows Resource Protection (WRP, SFC) 5. Session 0 Isolation and Secure Desktop 6. Windows Memory Management (Virtual Memory and Enclave API) 7. Windows Integrity Control (WIC) 8. Mandatory Integrity Control (MIC) 1. User Interface Privilege Isolation (IUPI) 2. Enhanced Protected Mode (EPM) 9. Isolated User Mode (IUM) enabled by Hyper-V WINDOWS FEATURES TO PROTECT PROCESS MEMORY: PPL 29
- 30. NT/ Process Manager Security Reference Monitor (SRM) OpenProcess ( ) App with sensitive data 30 PPL restricts non-PPL apps running with debug privilege
- 31. NT/ Process Manager Security Reference Monitor (SRM) Protected Process Light (PPL) OpenProcess ( ) App with sensitive data 31 PPL restricts non-PPL apps running with debug privilege
- 32. NT/ Process Manager Security Reference Monitor (SRM) Protected Process Light (PPL) OpenProcess ( ) App with sensitive data PPL Process 32 PPL restricts non-PPL apps running with debug privilege
- 33. NT/ Process Manager Security Reference Monitor (SRM) Protected Process Light (PPL) OpenProcess ( ) App with sensitive data Non-PPL Process PPL Process 33 PPL restricts non-PPL apps running with debug privilege
- 34. NT/ Process Manager Security Reference Monitor (SRM) Protected Process Light (PPL) OpenProcess ( ) App with sensitive data Non-PPL Process PPL Process An access is blocked Non-protected apps cannot access the protected one 34 PPL restricts non-PPL apps running with debug privilege
- 35. NT/ Process Manager Security Reference Monitor (SRM) Protected Process Light (PPL) OpenProcess ( ) App with sensitive data Non-PPL Process PPL Process An access is blocked Non-protected apps cannot access the protected one PPL restricts non-PPL apps running with debug privilege 35
- 36. 36 Episode 3 How does PPL work?
- 37. PPL: a new Protection field in EPROCESS App User mode Kernel mode App App EPROCESS 37
- 38. App User mode Kernel mode App App EPROCESS Process ID Process Name Process Privilege PPL: a new Protection field in EPROCESS 38
- 39. PS_PROTECTION PS_PROTECTION Protection PS_PROTECTION Protection App User mode Kernel mode App App EPROCESS Process ID Process Name Process Privilege PPL: a new Protection field in EPROCESS 39
- 40. PS_PROTECTION PS_PROTECTION Protection PS_PROTECTION Protection App User mode Kernel mode App App EPROCESS Process ID Process Name Process Privilege PPL: a new Protection field in EPROCESS typedef struct _PS_PROTECTION { union { UCHAR Level; struct { UCHAR Type : 3; UCHAR Audit : 1;//<Reserved UCHAR Signer : 4; }; }; } PS_PROTECTION, *PPS_PROTECTION;
- 41. PS_PROTECTION PS_PROTECTION Protection PS_PROTECTION Protection App User mode Kernel mode App App EPROCESS Process ID Process Name Process Privilege PS_PROTECTION Protection Type Signer PPL: a new Protection field in EPROCESS 41
- 42. PS_PROTECTION PS_PROTECTION Protection PS_PROTECTION Protection App User mode Kernel mode App App EPROCESS Process ID Process Name Process Privilege PS_PROTECTION Protection Type Signer 0 None 1 Authenticode 2 CodeGen 3 Antimalware 4 Lsa 5 Windows 6 WinTcb 7 WinSystem 8 SignerApp 0 None 1 Light 2 Full PPL: a new Protection field in EPROCESS 42
- 43. EXAMPLES OF PROTECTION LEVEL 43 NisSrv ‒ Microsoft Network Realtime Inspection Service. LSASS ‒ Local Security Authority Subsystem Service. SgrmBroker ‒ System Guard Runtime Monitor Broker. Process name NisSrv LSASS SgrmBroker Protection Level 0x31 0x41 0x62
- 44. EXAMPLES OF PROTECTION LEVEL 44 NisSrv ‒ Microsoft Network Realtime Inspection Service. LSASS ‒ Local Security Authority Subsystem Service. SgrmBroker ‒ System Guard Runtime Monitor Broker. Process name NisSrv LSASS SgrmBroker Protection Level 0x31 0x41 0x62 Signer 3 (Antimalware) 4 (Lsa) 6 (WinTcb ) Type 1 (Light) 1 (Light) 2 (Full)
- 45. EXAMPLES OF PROTECTION LEVEL 45 NisSrv ‒ Microsoft Network Realtime Inspection Service. LSASS ‒ Local Security Authority Subsystem Service. SgrmBroker ‒ System Guard Runtime Monitor Broker. Process name NisSrv LSASS SgrmBroker Protection Level 0x31 0x41 0x62 Signer 3 (Antimalware) 4 (Lsa) 6 (WinTcb ) Type 1 (Light) 1 (Light) 2 (Full)
- 46. 46 Episode 4 How does Windows create protected processes?
- 47. PPL: CreateProcess “System” “MemCompression” “Registry” “lsass.exe” “NisSrv.exe” “MsMpEng.exe” “services.exe” 47
- 48. PPL: CreateProcess 48 Which OS functions are involved during creating of Protected Processes? ? ? ? ? “System” “MemCompression” “Registry” “lsass.exe” “NisSrv.exe” “MsMpEng.exe” “services.exe”
- 49. ntdll nt PPL: CreateProcess CmpInitializeRegistryProcess PspInitPhase0 NtCreateUserProcess SmFirstTimeInit 49 “System” “MemCompression” “Registry” “lsass.exe” “NisSrv.exe” “MsMpEng.exe” “services.exe” ZwCreateProcess NtCreateProcessEx
- 50. ntdll nt PPL: CreateProcess CmpInitializeRegistryProcess PspInitPhase0 NtCreateUserProcess PspAllocateProcess PspCreateProcess PsCreateMinimalProcess NtCreateUserProcess SmFirstTimeInit 50 “System” “MemCompression” “Registry” “lsass.exe” “NisSrv.exe” “MsMpEng.exe” “services.exe” ZwCreateProcess NtCreateProcessEx
- 51. ntdll nt PPL: CreateProcess CmpInitializeRegistryProcess PspInitPhase0 NtCreateUserProcess PspAllocateProcess PspCreateProcess PsCreateMinimalProcess NtCreateUserProcess SmFirstTimeInit 51 “System” “MemCompression” “Registry” “lsass.exe” “NisSrv.exe” “MsMpEng.exe” “services.exe” ZwCreateProcess NtCreateProcessEx
- 52. PPL: PspAllocateProcess sets Protection.Level for the process Protection = 0x0 Protection = 0x72 PspAllocateProcess: mov rdx, [nt!PsProcessType] call nt!ObCreateObject ; allocates EPROCESS structure .. mov r15,qword ptr [rsp+0B8h] ; r15 is address of created EPROCESS mov byte ptr [r15+87Ah], dil ; 87Ah is offset of Protection.Level ; dil is the Protection.level 52
- 53. PPL: PspAllocateProcess sets Protection.Level for the process PspAllocateProcess: mov rdx, [nt!PsProcessType] call nt!ObCreateObject ; allocates EPROCESS structure .. mov r15,qword ptr [rsp+0B8h] ; r15 is address of created EPROCESS mov byte ptr [r15+87Ah], dil ; 87Ah is offset of Protection.Level ; dil is the Protection.level Protection = 0x0 Protection = 0x72 53
- 54. PPL: PspAllocateProcess sets Protection.Level for the process PspAllocateProcess: mov rdx, [nt!PsProcessType] call nt!ObCreateObject ; allocates EPROCESS structure .. mov r15,qword ptr [rsp+0B8h] ; r15 is address of created EPROCESS mov byte ptr [r15+87Ah], dil ; 87Ah is offset of Protection.Level ; dil is the Protection.level Protection = 0x0 Protection = 0x72 54
- 55. PPL: PspAllocateProcess sets Protection.Level for the process PspAllocateProcess: mov rdx, [nt!PsProcessType] call nt!ObCreateObject ; allocates EPROCESS structure .. mov r15,qword ptr [rsp+0B8h] ; r15 is address of created EPROCESS mov byte ptr [r15+87Ah], dil ; 87Ah is offset of Protection.Level ; dil is the Protection.level Protection.Level = 0x0 Protection.Level = 0x72 55
- 56. 56 Episode 5 How to get access to the protected process memory?
- 58. PPL: OpenProcess Some App 58 OpenProcess Which OS functions are involved in openning of protected processes? ? “lsass.exe” “NisSrv.exe” “MsMpEng.exe”
- 59. nt ntdll PPL: OpenProcess Some App 59 handle = OpenProcess(pid) NtOpenProcess NtOpenProcess ZwOpenProcess “lsass.exe” “NisSrv.exe” “MsMpEng.exe”
- 60. nt ntdll PPL: OpenProcess Some App 60 handle = OpenProcess(pid) RtlTestProtectedAccess PspCheckForInvalidAccessByProtection PsTestProtectedProcessIncompatibility PspProcessOpen PsOpenProcess NtOpenProcess NtOpenProcess ZwOpenProcess “lsass.exe” “NisSrv.exe” “MsMpEng.exe”
- 61. nt ntdll PPL: OpenProcess RtlTestProtectedAccess Some App 61 handle = OpenProcess(pid) RtlTestProtectedAccess PspCheckForInvalidAccessByProtection PsTestProtectedProcessIncompatibility PspProcessOpen PsOpenProcess NtOpenProcess NtOpenProcess “lsass.exe” “NisSrv.exe” “MsMpEng.exe” ZwOpenProcess
- 62. bool RtlTestProtectedAccess(PS_PROTECTION CallerProt, PS_PROTECTION TargetProt) { if (TargetProt.Type == 0) return true; if (CallerProt.Type < TargetProt.Type) return false; auto CallerDMask = RtlProtectedAccess[CallerProt.Signer].DominateMask; auto TargetMask = (1 << TargetProt.Signer); return (CallerDMask & TargetMask); } 62 PPL: RtlTestProtectedAccess() https://github.com/IgorKorkin/PPL
- 63. bool RtlTestProtectedAccess(PS_PROTECTION CallerProt, PS_PROTECTION TargetProt) { if (TargetProt.Type == 0) return true; if (CallerProt.Type < TargetProt.Type) return false; auto CallerDMask = RtlProtectedAccess[CallerProt.Signer].DominateMask; auto TargetMask = (1 << TargetProt.Signer); return (CallerDMask & TargetMask); } 63 PPL: RtlTestProtectedAccess() https://github.com/IgorKorkin/PPL
- 64. bool RtlTestProtectedAccess(PS_PROTECTION CallerProt, PS_PROTECTION TargetProt) { if (TargetProt.Type == 0) return true; if (CallerProt.Type < TargetProt.Type) return false; auto CallerDMask = RtlProtectedAccess[CallerProt.Signer].DominateMask; auto TargetMask = (1 << TargetProt.Signer); return (CallerDMask & TargetMask); } 64 PPL: RtlTestProtectedAccess() https://github.com/IgorKorkin/PPL
- 65. bool RtlTestProtectedAccess(PS_PROTECTION CallerProt, PS_PROTECTION TargetProt) { if (TargetProt.Type == 0) return true; if (CallerProt.Type < TargetProt.Type) return false; auto CallerDMask = RtlProtectedAccess[CallerProt.Signer].DominateMask; auto TargetMask = (1 << TargetProt.Signer); return (CallerDMask & TargetMask); } 65 PPL: RtlTestProtectedAccess() https://github.com/IgorKorkin/PPL
- 66. bool RtlTestProtectedAccess(PS_PROTECTION CallerProt, PS_PROTECTION TargetProt) { if (TargetProt.Type == 0) return true; if (CallerProt.Type < TargetProt.Type) return false; auto CallerDMask = RtlProtectedAccess[CallerProt.Signer].DominateMask; auto TargetMask = (1 << TargetProt.Signer); return (CallerDMask & TargetMask); } 66 PPL: RtlTestProtectedAccess() https://github.com/IgorKorkin/PPL
- 67. 67 RtlProtectedAccess Array Index Signer DominateMask 0 none 0 1 Authenticode 2 2 CodeGen 4 3 Antimalware 0x108 4 Lsa 0x110 5 Windows 0x13e 6 WinTCB 0x17e 7 WinSystem 0x1fe 8 SignerApp 0
- 68. 68 RtlProtectedAccess Array Index Signer DominateMask Bit Explanation 0 none 0 n/ a 1 Authenticode 2 10 2 CodeGen 4 100 3 Antimalware 0x108 1 0000 1000 4 Lsa 0x110 1 0001 0000 5 Windows 0x13e 1 0011 1110 6 WinTCB 0x17e 1 0111 1110 7 WinSystem 0x1fe 1 1111 1110 8 SignerApp 0 n/ a
- 69. Index Signer DominateMask Bit Explanation 0 none 0 n/ a 1 Authenticode 2 10 2 CodeGen 4 100 3 Antimalware 0x108 1 0000 1000 4 Lsa 0x110 1 0001 0000 5 Windows 0x13e 1 0011 1110 6 WinTCB 0x17e 1 0111 1110 7 WinSystem 0x1fe 1 1111 1110 8 SignerApp 0 n/ a 2 – CodeGen 4 – Lsa 8 – SignerApp 1-8 – All Signers 1 – Authenticode 69 RtlProtectedAccess Array
- 70. Index Signer DominateMask Bit Explanation 0 none 0 n/ a 1 Authenticode 2 10 2 CodeGen 4 100 3 Antimalware 0x108 1 0000 1000 4 Lsa 0x110 1 0001 0000 5 Windows 0x13e 1 0011 1110 6 WinTCB 0x17e 1 0111 1110 7 WinSystem 0x1fe 1 1111 1110 8 SignerApp 0 n/ a 2 – CodeGen 4 – Lsa 8 – SignerApp 1-8 – All Signers 1 – Authenticode 70 3210 7654 8 RtlProtectedAccess Array
- 71. Index Signer DominateMask Bit Explanation 0 none 0 n/ a 1 Authenticode 2 10 2 CodeGen 4 100 3 Antimalware 0x108 1 0000 1000 4 Lsa 0x110 1 0001 0000 5 Windows 0x13e 1 0011 1110 6 WinTCB 0x17e 1 0111 1110 7 WinSystem 0x1fe 1 1111 1110 8 SignerApp 0 n/ a 2 – CodeGen 4 – Lsa 8 – SignerApp 1-8 – All Signers 1 – Authenticode 3210 7654 8 RtlProtectedAccess Array 71
- 72. 72 Episode 6 Two Windows security features SRM and PPL are playing together and losing
- 73. NT/ Process Manager Security Reference Monitor (SRM) Protected Process Light (PPL) OpenProcess ( ) App with sensitive data Non-PPL Process PPL Process 2 1 OpenProcess performs two checks: SRM and then PPL 73
- 74. NT/ Process Manager Security Reference Monitor (SRM) Protected Process Light (PPL) OpenProcess ( ) App with sensitive data Non-PPL Process PPL Process Security Descriptor Access Token Privilege ? 2 OpenProcess performs two checks: SRM and then PPL 74
- 75. NT/ Process Manager Security Reference Monitor (SRM) Protected Process Light (PPL) OpenProcess ( ) App with sensitive data Non-PPL Process PPL Process Security Descriptor Access Token Privilege +SeDeb ugPrivilege 2 OpenProcess performs two checks: SRM and then PPL 75
- 76. NT/ Process Manager Security Reference Monitor (SRM) Protected Process Light (PPL) OpenProcess ( ) App with sensitive data Non-PPL Process PPL Process Security Descriptor Protection=0 EPROCESS Protection=0x41 EPROCESS Access Token Privilege +SeDeb ugPrivilege ? OpenProcess performs two checks: SRM and then PPL 76
- 77. NT/ Process Manager Security Reference Monitor (SRM) Protected Process Light (PPL) OpenProcess ( ) App with sensitive data PPL Process Non-PPL Security Descriptor Protection=72 EPROCESS Protection=0 EPROCESS Access Token Privilege +SeDeb ugPrivilege An access is granted OpenProcess performs two checks: SRM and then PPL 77
- 78. 78 Episode 7 Attacks on PPL?
- 79. App with sensitive data PPL Process Security Descriptor Protection=0 EPROCESS Protection=0x41 EPROCESS Access Token OpenProcess ( ) Non PPL Process 79 PROTECTION LEVEL CAN BE ILLEGALLY CHANGED BY DRIVER
- 80. App with sensitive data PPL Process Security Descriptor Protection=0 EPROCESS Protection=0x41 EPROCESS Access Token Kernel Driver OpenProcess ( ) Non PPL Process 80 PROTECTION LEVEL CAN BE ILLEGALLY CHANGED BY DRIVER
- 81. App with sensitive data PPL Process Security Descriptor Protection=0 EPROCESS Protection=0x41 EPROCESS Access Token Reset value to disable PPL for the protected app Kernel Driver OpenProcess ( ) Non PPL Process 81 PROTECTION LEVEL CAN BE ILLEGALLY CHANGED BY DRIVER
- 82. App with sensitive data Non-PPL Security Descriptor Protection=0 EPROCESS Protection=0 EPROCESS Access Token Reset value to disable PPL for the protected app Kernel Driver OpenProcess ( ) Non PPL Process 82 PROTECTION LEVEL CAN BE ILLEGALLY CHANGED BY DRIVER
- 83. PPL Process Security Descriptor Protection=0 EPROCESS Protection=0x41 EPROCESS Access Token Set value to enable PPL for the m alware app Kernel Driver OpenProcess ( ) Non PPL Process 83 PROTECTION LEVEL CAN BE ILLEGALLY CHANGED BY DRIVER
- 84. PPL Process Security Descriptor Protection=0x51 EPROCESS Protection=0x41 EPROCESS Access Token Set value to enable PPL for the m alware app Kernel Driver OpenProcess ( ) PPL Process 84 PROTECTION LEVEL CAN BE ILLEGALLY CHANGED BY DRIVER
- 85. App with sensitive data Non-PPL Security Descriptor Protection=0x51 EPROCESS Protection=0 EPROCESS Access Token Set value to enable PPL for the m alware app Reset value to disable PPL for the protected app Kernel Driver OpenProcess ( ) PPL Process 85 PROTECTION LEVEL CAN BE ILLEGALLY CHANGED BY DRIVER
- 86. LSASS Windows Defender Malware Non-PPL Process PPL Process PPL Process EPROCESS Protection=0 EPROCESS Protection=0x31 EPROCESS Protection=0x41 Examples of patching the Protection level 86 Attacks on PPL: Drivers Can Modify Protection Byte
- 87. LSASS Windows Defender Malware Non-PPL Process PPL Process PPL Process EPROCESS Protection=0 EPROCESS Protection=0x31 EPROCESS Protection=0x41 Vulnerable drivers: CPU-Z Gigabyte Examples of patching the Protection level 87 Attacks on PPL: Drivers Can Modify Protection Byte
- 88. LSASS Windows Defender Malware Non-PPL Process PPL Process PPL Process EPROCESS Protection=0 EPROCESS Protection=0x31 EPROCESS Protection=0x41 Vulnerable drivers: CPU-Z Gigabyte Hack tools for PPL only: ppLib PPLKiller Examples of patching the Protection level 88 Attacks on PPL: Drivers Can Modify Protection Byte
- 89. LSASS Windows Defender Malware Non-PPL Process PPL Process PPL Process EPROCESS Protection=0 EPROCESS Protection=0x31 EPROCESS Protection=0x41 Vulnerable drivers: CPU-Z Gigabyte Hack tools for PPL only: ppLib PPLKiller General purpose tools: Blackbone Mim ikatz Examples of patching the Protection level 89 Attacks on PPL: Drivers Can Modify Protection Byte
- 90. 90 Episode 8 Mimikatz can disable PPL!
- 91. 91 Mimikatz can gather credentials from Windows LSASS App Password`s hashes Mimikatz App
- 92. Attempt 1: Without Disabling PPL Attempt 2: With Disabling PPL for LSASS LSASS App Password`s hashes Mimikatz App User mode Kernel mode User mode Kernel mode Mimikatz can gather credentials from Windows 92
- 93. Attempt 1: Without Disabling PPL Attempt 2: With Disabling PPL for LSASS LSASS App Password`s hashes Mimikatz App User mode Kernel mode User mode Kernel mode 1 Mimikatz can gather credentials from Windows • Add debug privilege • Dump user’s hash 1 93
- 94. Attempt 1: Without Disabling PPL Attempt 2: With Disabling PPL for LSASS LSASS App Password`s hashes Mimikatz App User mode Kernel mode LSASS App Password`s hashes EPROCESS Protection=0x41 Mimikatz App Mimikatz Driver User mode Kernel mode 1 1 1 Mimikatz can gather credentials from Windows • Add debug privilege • Dump user’s hash • Load Mimikatz driver • Clear Protection byte 1 1 94
- 95. Attempt 1: Without Disabling PPL Attempt 2: With Disabling PPL for LSASS LSASS App Password`s hashes Mimikatz App User mode Kernel mode LSASS App Password`s hashes EPROCESS Protection=0 Mimikatz App Mimikatz Driver User mode Kernel mode 1 1 1 Mimikatz can gather credentials from Windows • Add debug privilege • Dump user’s hash • Load Mimikatz driver • Clear Protection byte 1 1 95
- 96. Attempt 1: Without Disabling PPL Attempt 2: With Disabling PPL for LSASS LSASS App Password`s hashes Mimikatz App User mode Kernel mode LSASS App Password`s hashes EPROCESS Protection=0 Mimikatz App Mimikatz Driver User mode Kernel mode 1 2 1 1 Mimikatz can gather credentials from Windows • Add debug privilege • Dump user’s hash • Load Mimikatz driver • Clear Protection byte • Add debug privilege • Dump user’s hash 1 1 2 96
- 97. Attempt 1: Without Disabling PPL Attempt 2: With Disabling PPL for LSASS LSASS App Password`s hashes Mimikatz App User mode Kernel mode LSASS App Password`s hashes EPROCESS Protection=0 Hashcat Mimikatz App Mimikatz Driver Password User mode Kernel mode 1 3 2 1 1 Mimikatz can gather credentials from Windows • Add debug privilege • Dump user’s hash • Load Mimikatz driver • Clear Protection byte • Add debug privilege • Dump user’s hash • Crack the hash to get password 1 1 2 3 97
- 98. Mimikatz disables PPL to dump NTLM hashes The online version is here – https://www.youtube.com/embed/66g4PgtuD7c?vq=hd1440 98
- 99. Attempt 1: Without Disabling PPL Attempt 2: With Disabling PPL for LSASS LSASS App Password`s hashes Mimikatz App User mode Kernel mode LSASS App Password`s hashes EPROCESS Protection=0 Hashcat Mimikatz App Mimikatz Driver Password User mode Kernel mode 1 3 2 1 1 ? – How to prevent PPL disabling? – We need to restrict access to the Protection field!
- 100. 100 Episode 9 MemoryRanger can block Mimikatz
- 101. Mimikatz Driver EPROCESS for LSASS OS kernel Protection Disable PPL WRITE The Current situation 101 KERNEL DRIVERS SHARE THE SAME MEMORY SPACE
- 102. Mimikatz Driver EPROCESS for LSASS OS kernel Protection Disable PPL WRITE The Current situation 102 How to restrict access to the Protection field?
- 103. MemoryRanger
- 104. Without MemoryRanger all drivers share the same kernel memory space MemoryRanger isolates drivers by running them in separate kernel enclaves Driver A Driver B MemoryRanger s Hypervisor Driver A Driver B Driver A Driver B 104
- 105. Mimikatz Driver EPROCESS for LSASS OS kernel Protection Disable PPL WRITE The Current situation MemoryRanger Prevents Disabling of PPL 105
- 106. Mimikatz Driver EPROCESS for LSASS OS kernel Protection Disable PPL WRITE The Current situation MemoryRanger s Hypervisor 106 MemoryRanger Prevents Disabling of PPL
- 107. Mimikatz Driver EPROCESS for LSASS OS kernel Protection EPROCESS for LSASS OS kernel Protection Default enclave for OS and driver loaded before Disable PPL WRITE The Current situation MemoryRanger s Hypervisor 107 MemoryRanger Prevents Disabling of PPL
- 108. Mimikatz Driver EPROCESS for LSASS OS kernel Protection Mimikatz Driver EPROCESS for LSASS OS kernel Protection Mimikatz Driver EPROCESS for LSASS OS kernel Protection Default enclave for OS and driver loaded before Allocated enclave for Mimikatz driver Disable PPL WRITE WRITE The Current situation MemoryRanger s Hypervisor 108 MemoryRanger Prevents Disabling of PPL
- 109. Mimikatz Driver EPROCESS for LSASS OS kernel Protection Mimikatz Driver EPROCESS for LSASS OS kernel Protection Mimikatz Driver EPROCESS for LSASS OS kernel Protection Default enclave for OS and driver loaded before Allocated enclave for Mimikatz driver Disable PPL WRITE WRITE The Current situation MemoryRanger s Hypervisor 109 MemoryRanger Prevents Disabling of PPL
- 110. MemoryRanger Blocks Mimikatz and prevents disabling PPL The online version is here – https://www.youtube.com/embed/66g4PgtuD7c?vq=hd1440 110
- 111. out Disabling PPL Attempt 2: With Disabling PPL for LSASS LSASS App Password`s hashes LSASS App Password`s hashes EPROCESS Protection=0x41 Mimikatz App Mimikatz Driver User mode Kernel mode 1 1 MemoryRanger Prevents Disabling of PPL for LSASS MemoryRanger 111
- 112. But what if malware can escalate its own PPL? Episode 10 112
- 114. 114 Code-Signing Certificate Determines the Protection Level Malware doesn’t bother about it! Malware does not have this kind of the certificate
- 115. NirSrv PPL Process LSASS PPL Process SgrmBroker PPL Process Non PPL Process User mode Kernel mode Malware App Malware can escalate its PPL to dump Protected Apps
- 116. NirSrv PPL Process LSASS PPL Process SgrmBroker PPL Process Non PPL Process User mode Kernel mode Malware App Malware can escalate its PPL to dump Protected Apps 116
- 117. NirSrv PPL Process LSASS PPL Process SgrmBroker PPL Process Non PPL Process User mode Kernel mode EPROCESS Prote ction=31 Malware App Antimalware Light EPROCESS Prote ction=00 None EPROCESS Lsa Light Prote ction=41 EPROCESS WinTcb Full Prote ction=62 Malware can escalate its PPL to dump Protected Apps 117
- 118. NirSrv PPL Process LSASS PPL Process SgrmBroker PPL Process User mode Kernel mode EPROCESS Prote ction=31 Antimalware Light Malware Driver EPROCESS Prote ction=62 None EPROCESS Lsa Light Prote ction=41 EPROCESS WinTcb Full Prote ction=62 PPL Process Malware App Malware can escalate its PPL to dump Protected Apps 118
- 119. Malware escalates its PPL to dump Protected Processes The online version is here – https://www.youtube.com/embed/IELn8mcMZ4Q?vq=hd1440 119
- 120. NirSrv PPL Process LSASS PPL Process SgrmBroker PPL Process User mode Kernel mode EPROCESS Prote ction=31 Antimalware Light Malware Driver EPROCESS Prote ction=62 None EPROCESS Lsa Light Prote ction=41 EPROCESS WinTcb Full Prote ction=62 PPL Process Malware App Malware can escalate its PPL to dump Protected Apps 120
- 121. 121 Episode 11 MemoryRanger can block malware
- 122. NirSrv PPL Process LSASS PPL Process SgrmBroker PPL Process User mode Kernel mode EPROCESS Prote ction=31 Antimalware Light EPROCESS Lsa Light Prote ction=41 EPROCESS WinTcb Full Prote ction=62 MemoryRanger blocks modifying PPL
- 123. NirSrv PPL Process LSASS PPL Process SgrmBroker PPL Process User mode Kernel mode EPROCESS Prote ction=31 Antimalware Light EPROCESS Lsa Light Prote ction=41 EPROCESS WinTcb Full Prote ction=62 MemoryRanger blocks modifying PPL
- 124. NirSrv PPL Process LSASS PPL Process SgrmBroker PPL Process Non PPL Process User mode Kernel mode EPROCESS Prote ction=31 Malware App Antimalware Light EPROCESS Prote ction=00 None EPROCESS Lsa Light Prote ction=41 EPROCESS WinTcb Full Prote ction=62 MemoryRanger blocks modifying PPL
- 125. NirSrv PPL Process LSASS PPL Process SgrmBroker PPL Process Non PPL Process User mode Kernel mode EPROCESS Prote ction=31 Malware App Antimalware Light Malware Driver EPROCESS Prote ction=00 None EPROCESS Lsa Light Prote ction=41 EPROCESS WinTcb Full Prote ction=62 MemoryRanger blocks modifying PPL
- 126. MemoryRanger prevents escalation of PPL The online version is here – https://www.youtube.com/embed/GEc-GOWtm8M?vq=hd1440 126
- 127. NirSrv PPL Process LSASS PPL Process SgrmBroker PPL Process Non PPL Process User mode Kernel mode EPROCESS Prote ction=31 Malware App Antimalware Light Malware Driver EPROCESS Prote ction=00 None EPROCESS Lsa Light Prote ction=41 EPROCESS WinTcb Full Prote ction=62 MemoryRanger blocks modifying PPL
- 128. 128 Episode 12 Architecture and Customization of MemoryRanger
- 130. OS A new driver is loaded MEMORY RANGER ARCHITECTURE 130
- 131. OS A new driver is loaded A new process is create d MEMORY RANGER ARCHITECTURE 131
- 132. OS A new driver is loaded Kernel API function is called A new process is create d MEMORY RANGER ARCHITECTURE 132
- 133. OS Access to the protected data triggers EPT violation A new driver is loaded Kernel API function is called A new process is create d MEMORY RANGER ARCHITECTURE 133
- 134. OS Access to the protected data triggers EPT violation A new driver is loaded Kernel API function is called Memory Ranger PROTECTED_MEMORY DEFAULT_MEM_ENCLAVE A new process is create d MEMORY RANGER ARCHITECTURE https://github.com/IgorKorkin/MemoryRanger (Further details in the paper)
- 135. OS Access to the protected data triggers EPT violation MR s Driver notifies ab out new OS events: loading processes and drivers A new driver is loaded Kernel API function is called Memory Ranger ISOLATED_MEM_ENCLAVE ISOLATED_MEM_ENCLAVE PROTECTED_MEMORY DEFAULT_MEM_ENCLAVE A new process is create d drivers MEMORY RANGER ARCHITECTURE (Further details in the paper) https://github.com/IgorKorkin/MemoryRanger
- 136. OS Access to the protected data triggers EPT violation MR s Driver notifies ab out new OS events: loading processes and drivers A new driver is loaded Kernel API function is called Memory Ranger ISOLATED_MEM_ENCLAVE PROTECTED_MEMORY PROTECTED_MEMORY ISOLATED_MEM_ENCLAVE PROTECTED_MEMORY DEFAULT_MEM_ENCLAVE A new process is create d drivers processes MEMORY RANGER ARCHITECTURE (Further details in the paper) https://github.com/IgorKorkin/MemoryRanger
- 137. OS Access to the protected data triggers EPT violation MR s Driver notifies ab out new OS events: loading processes and drivers MR s Hypervisor A new driver is loaded Kernel API function is called DdiMon hooks kernel API routines Memory Ranger ISOLATED_MEM_ENCLAVE PROTECTED_MEMORY PROTECTED_MEMORY ISOLATED_MEM_ENCLAVE PROTECTED_MEMORY DEFAULT_MEM_ENCLAVE A new process is create d drivers processes other ob jects MEMORY RANGER ARCHITECTURE (Further details in the paper) https://github.com/IgorKorkin/MemoryRanger
- 138. OS Access to the protected data triggers EPT violation MR s Driver notifies ab out new OS events: loading processes and drivers MR s Hypervisor A new driver is loaded Kernel API function is called DdiMon hooks kernel API routines MemoryMonRWX traps EPT violations Memory Ranger ISOLATED_MEM_ENCLAVE PROTECTED_MEMORY PROTECTED_MEMORY ISOLATED_MEM_ENCLAVE PROTECTED_MEMORY DEFAULT_MEM_ENCLAVE A new process is create d drivers processes other ob jects MEMORY RANGER ARCHITECTURE (Further details in the paper) https://github.com/IgorKorkin/MemoryRanger
- 139. OS Memory Access Policy (MAP) Access to the protected data triggers EPT violation MR s Driver notifies ab out new OS events: loading processes and drivers MR s Hypervisor A new driver is loaded Kernel API function is called DdiMon hooks kernel API routines MemoryMonRWX traps EPT violations ? Memory Ranger ISOLATED_MEM_ENCLAVE PROTECTED_MEMORY PROTECTED_MEMORY ISOLATED_MEM_ENCLAVE PROTECTED_MEMORY DEFAULT_MEM_ENCLAVE A new process is create d drivers processes other ob jects MEMORY RANGER ARCHITECTURE (Further details in the paper) https://github.com/IgorKorkin/MemoryRanger
- 140. 140 (2019) MemoryRanger Prevents Hijacking FILE_OBJECT Structures in Windows Kernel https://igorkorkin.blogspot.co m/2019/04/memoryranger- prevents-hijacking.html (2018) Divide et Impera: MemoryRanger Runs Drivers in Isolated Kernel Spaces https://igorkorkin.blogspot.co m/2018/12/divide-et-impera- memoryranger-runs.html (2020) Kernel Hijacking Is Not an Option: MemoryRanger Comes to the Rescue Again https://conference.hitb.org/hitb- lockdown002/sessions/kernel- hijacking-is-not-an-option- memoryranger-comes-to-rescue- again/ MemoryRanger: Previous Research
- 141. MR’s Driver: locates an address of Protection field of LSAAS EPROCESS traps loading of Mimikatz MR’s Hypervisor Any access to the restricted memory causes EPT violations MR’s Hypervisor: For execute violation switches an enclave; For readwrite violation blocks an access by redirecting to the fake memory page MemoryRanger can Protect PPL 141
- 142. MR’s Driver: locates an address of Protection field for OS processes and newly created apps traps loading of Mimikatz MR’s Hypervisor Any access to the restricted memory causes EPT violations MR’s Hypervisor: For execute violation switches an enclave; For readwrite violation blocks an access by redirecting to the fake memory page MemoryRanger can Protect PPL 142
- 143. MR’s Driver: locates an address of Protection field for OS processes and newly created apps traps loading of kernel drivers MR’s Hypervisor Any access to the restricted memory causes EPT violations MR’s Hypervisor: For execute violation switches an enclave; For readwrite violation blocks an access by redirecting to the fake memory page MemoryRanger can Protect PPL 143
- 144. MR’s Driver: locates an address of Protection field for OS processes and newly created apps traps loading of kernel drivers MR’s Hypervisor provides discretionary access control mechanism: Any access to the restricted memory causes EPT violations MR’s Hypervisor: For execute violation switches an enclave; For readwrite violation blocks an access by redirecting to the fake memory page MemoryRanger can Protect PPL Default enclave Mimikatz enclave Malware enclave EPROCESS.Protection ReadWrite No Access No Access Mimikatz driver No Access ReadWrite Execute No Access Malware driver No Access No Access ReadWrite Execute 144
- 145. MR’s Driver: locates an address of Protection field for OS processes and newly created apps traps loading of kernel drivers MR’s Hypervisor provides discretionary access control mechanism: Any access to the restricted memory causes EPT violations MR’s Hypervisor: For execute violation switches an enclave; For readwrite violation blocks an access by redirecting to the fake memory page MemoryRanger can Protect PPL 145 Default enclave Mimikatz enclave Malware enclave EPROCESS.Protection ReadWrite No Access No Access Mimikatz driver No Access ReadWrite Execute No Access Malware driver No Access No Access ReadWrite Execute
- 146. MR’s Driver: locates an address of Protection field for OS processes and newly created apps traps loading of kernel drivers MR’s Hypervisor provides discretionary access control mechanism: Any access to the restricted memory causes EPT violations MR’s Hypervisor: For execute violation switches an enclave; For readwrite violation blocks an access by redirecting to the fake page MemoryRanger can Protect PPL 146
- 147. 1. Windows Security Model does not restrict apps running with debug privilege. 2. Protected Process Light (PPL) protects memory of OS and AV processes. 3. Attackers can abuse PPL in the following ways: protect their malware by illegally enabling PPL steal and modify data of protected processes by illegally disabling PPL 4. MemoryRanger blocks attacks on kernel data including attacks on PPL. CONCLUSION 147
- 148. Thank you! Igor Korkin [email protected] All the details are here igorkorkin.blogspot.com
- 149. EXTRA SLIDES 149
- 150. Thank you! Igor Korkin [email protected] All the details are here igorkorkin.blogspot.com
- 151. Thank you! Igor Korkin [email protected] All the details are here igorkorkin.blogspot.com
- 153. 153 (2019) MemoryRanger Prevents Hijacking FILE_OBJECT Structures in Windows Kernel https://igorkorkin.blogspot.com/2019/04/memoryranger- prevents-hijacking.html (2018) Divide et Impera: MemoryRanger Runs Drivers in Isolated Kernel Spaces https://igorkorkin.blogspot.com/2018/12/divide-et-impera- memoryranger-runs.html (2020) Kernel Hijacking Is Not an Option: MemoryRanger Comes to the Rescue Again https://conference.hitb.org/hitb-lockdown002/sessions/kernel- hijacking-is-not-an-option-memoryranger-comes-to-rescue-again/ MemoryRanger: Previous Research
- 154. Virtual Secure Mode (VSM)1 VSM provides a particular case of enclave-based protection with only two memory partitions called VTL0 and VTL1, without isolation of the trustlets and trust-drivers from each other. MemoryRanger implements a general case with an infinite number of kernel enclaves. Kernel Data Protection (KDP)2 KDP provides read-only memory protection to prevent attackers from modifying memory. MemoryRanger can restrict both read and write access. MemoryRanger can foist the fake memory data on the attacker instead of the real one. MemoryRanger can grant different memory access for various drivers using memory access policy and update the policy in runtime. 154 MemoryRanger vs.VSM and KDP 1. Aquilino, I. (2019). Relevance of Security Features Introduced in Modern Windows OS - https://aaltodoc.aalto.fi/bitstream/handle/123456789/38990/master_Aquilino_Broderick_2019.pdf 2. Allievi, A. (2020). Introducing Kernel Data Protection, a new platform security technology for preventing data corruption - https://www.microsoft.com/security/blog/2020/07/08/introducing-kernel-data-protection-a-new-platform-security-technology-for-preventing-data-corruption/
- 155. MemoryRanger vs.Windows Virtualization-based security (VBS) Features VSM and KDP: Virtual Secure Mode (VSM) Kernel Data Protection (KDP) 155
- 156. The same issue as VmWare Workstation The same solution*: Disable Hyper-V, turn off Virtualization-Based Security 156 MemoryRanger vs. Compatibility Issue with Hyper-V & VBS *"VMware Workstation and Device/Credential Guard are not compatible" error in VMware Workstation on Windows 10 host (2146361) - https://kb.vmware.com/s/article/2146361
- 157. 1. Protected Process Light (PPL) blocks illegal access to OS and AV processes. 2. Attackers can tamper with Protected Process Light: illegally disabling PPL for OS and AV processes allows access to them illegally enabling PPL for malware processes restricts access to them 3. MemoryRanger blocks attacks on kernel data and can protect PPL implements a general protection case comparing with WDCG (VSM and KDP) works well on the recent Windows 20H2 CONCLUSION 157
- 158. AllMemPro MEMORY RANGER HISTORY CONTINUE HyperPlatform MemoryMonRWX HyperPlatform MemoryRanger MemoryMonRWX HyperPlatform 1. Korkin, I., & Tanda, S. (2016). Monitoring & controlling kernel-mode events by HyperPlatform. Recon, Canada. 2. Korkin, I., & Tanda, S. (2017). Detect Kernel-Mode Rootkits via Real Time Logging & Controlling Memory Access. ADFSL, USA. 3. Korkin, I. (2018). Hypervisor-Based Active Data Protection for Integrity and Confidentiality of Dynamically Allocated Memory in Windows Kernel. ADFSL, USA. 4. Korkin, I. (2018). Divide et Impera: MemoryRanger Runs Drivers in Isolated Kernel Spaces. BlackHat, UK 5. Korkin, I. (2019). MemoryRanger Prevents Hijacking FILE_OBJECT structures in Windows Kernel. ADFSL, USA. AllMemPro MemoryMonRWX HyperPlatform Step 1 Step 2 Step 3 Step 4 Step 5 MemoryRanger with a new feature Prevention of the • FILE_OBJECT Hijacking REcon
Editor's Notes
- #48: To put it in a nutshell the MemoryRanger dispatcher is here. It processes three EPT violations and one VM exit.
- #49: To put it in a nutshell the MemoryRanger dispatcher is here. It processes three EPT violations and one VM exit.
- #50: To put it in a nutshell the MemoryRanger dispatcher is here. It processes three EPT violations and one VM exit.
- #51: To put it in a nutshell the MemoryRanger dispatcher is here. It processes three EPT violations and one VM exit.
- #52: To put it in a nutshell the MemoryRanger dispatcher is here. It processes three EPT violations and one VM exit.
- #53: To put it in a nutshell the MemoryRanger dispatcher is here. It processes three EPT violations and one VM exit.
- #54: To put it in a nutshell the MemoryRanger dispatcher is here. It processes three EPT violations and one VM exit.
- #55: To put it in a nutshell the MemoryRanger dispatcher is here. It processes three EPT violations and one VM exit.
- #56: To put it in a nutshell the MemoryRanger dispatcher is here. It processes three EPT violations and one VM exit.
- #58: To put it in a nutshell the MemoryRanger dispatcher is here. It processes three EPT violations and one VM exit.
- #59: To put it in a nutshell the MemoryRanger dispatcher is here. It processes three EPT violations and one VM exit.
- #60: To put it in a nutshell the MemoryRanger dispatcher is here. It processes three EPT violations and one VM exit.
- #61: To put it in a nutshell the MemoryRanger dispatcher is here. It processes three EPT violations and one VM exit.
- #62: To put it in a nutshell the MemoryRanger dispatcher is here. It processes three EPT violations and one VM exit.
- #63: To put it in a nutshell the MemoryRanger dispatcher is here. It processes three EPT violations and one VM exit.
- #64: To put it in a nutshell the MemoryRanger dispatcher is here. It processes three EPT violations and one VM exit.
- #65: To put it in a nutshell the MemoryRanger dispatcher is here. It processes three EPT violations and one VM exit.
- #66: To put it in a nutshell the MemoryRanger dispatcher is here. It processes three EPT violations and one VM exit.
- #67: To put it in a nutshell the MemoryRanger dispatcher is here. It processes three EPT violations and one VM exit.
- #99: First of all, we are launching MemoryRanger console application. It loads the hypervisor /ˈhaɪpə(r)ˌ vaɪzə(r)/ to protect kernel memory. Then, the boss is launching his console, which loads a driver. The boss creates the budget file. And we can see the created the file handle and the allocated FILE_OBJECT structure. By using f_write the boss is setting up the budget. Now, the boss is checking the budget. Done. Now the boss receives a call and the budget file remains open. At this moment, the attacker is getting a chance to snoop the budget. He is launching its console. He is trying to open the budget using file system routine ZwCreateFile. So, he fails to open the file, because Windows prevents illegal access to the budget file. The attacker is willing to gain an access by hijacking. He copies the address of the FILE_OBJECT. By using f_open_by_hijacking the attacker creates a file hijacker. Windows creates this file and returns the file handle and the FILE_OBJECT structure. The attacker is trying to read the budget FILE_OBJECT, but he fails. MemoryRanger prevents illegal memory access to the budget FILE_OBJECT. Anyway, the attacker is still hoping to read the budget. But instead of reading a real budget, the attacker can read only the deliberately foisted fake {pause} null data. He fails again. But anyway, he is trying to overwrite the budget file. If the boss decides to check his budget he will see the originals data. MemoryRanger prevents all illegal access attempts to the budget. Finally, let’s compare these /ðiːz/ two files. We close the budget file and the file hijacker and both control consoles as well. We can see that the budget file includes only the budget and all attackers input data is in his file. The OS is protected.
- #111: First of all, we are launching MemoryRanger console application. It loads the hypervisor /ˈhaɪpə(r)ˌ vaɪzə(r)/ to protect kernel memory. Then, the boss is launching his console, which loads a driver. The boss creates the budget file. And we can see the created the file handle and the allocated FILE_OBJECT structure. By using f_write the boss is setting up the budget. Now, the boss is checking the budget. Done. Now the boss receives a call and the budget file remains open. At this moment, the attacker is getting a chance to snoop the budget. He is launching its console. He is trying to open the budget using file system routine ZwCreateFile. So, he fails to open the file, because Windows prevents illegal access to the budget file. The attacker is willing to gain an access by hijacking. He copies the address of the FILE_OBJECT. By using f_open_by_hijacking the attacker creates a file hijacker. Windows creates this file and returns the file handle and the FILE_OBJECT structure. The attacker is trying to read the budget FILE_OBJECT, but he fails. MemoryRanger prevents illegal memory access to the budget FILE_OBJECT. Anyway, the attacker is still hoping to read the budget. But instead of reading a real budget, the attacker can read only the deliberately foisted fake {pause} null data. He fails again. But anyway, he is trying to overwrite the budget file. If the boss decides to check his budget he will see the originals data. MemoryRanger prevents all illegal access attempts to the budget. Finally, let’s compare these /ðiːz/ two files. We close the budget file and the file hijacker and both control consoles as well. We can see that the budget file includes only the budget and all attackers input data is in his file. The OS is protected.
- #120: First of all, we are launching MemoryRanger console application. It loads the hypervisor /ˈhaɪpə(r)ˌ vaɪzə(r)/ to protect kernel memory. Then, the boss is launching his console, which loads a driver. The boss creates the budget file. And we can see the created the file handle and the allocated FILE_OBJECT structure. By using f_write the boss is setting up the budget. Now, the boss is checking the budget. Done. Now the boss receives a call and the budget file remains open. At this moment, the attacker is getting a chance to snoop the budget. He is launching its console. He is trying to open the budget using file system routine ZwCreateFile. So, he fails to open the file, because Windows prevents illegal access to the budget file. The attacker is willing to gain an access by hijacking. He copies the address of the FILE_OBJECT. By using f_open_by_hijacking the attacker creates a file hijacker. Windows creates this file and returns the file handle and the FILE_OBJECT structure. The attacker is trying to read the budget FILE_OBJECT, but he fails. MemoryRanger prevents illegal memory access to the budget FILE_OBJECT. Anyway, the attacker is still hoping to read the budget. But instead of reading a real budget, the attacker can read only the deliberately foisted fake {pause} null data. He fails again. But anyway, he is trying to overwrite the budget file. If the boss decides to check his budget he will see the originals data. MemoryRanger prevents all illegal access attempts to the budget. Finally, let’s compare these /ðiːz/ two files. We close the budget file and the file hijacker and both control consoles as well. We can see that the budget file includes only the budget and all attackers input data is in his file. The OS is protected.
- #127: First of all, we are launching MemoryRanger console application. It loads the hypervisor /ˈhaɪpə(r)ˌ vaɪzə(r)/ to protect kernel memory. Then, the boss is launching his console, which loads a driver. The boss creates the budget file. And we can see the created the file handle and the allocated FILE_OBJECT structure. By using f_write the boss is setting up the budget. Now, the boss is checking the budget. Done. Now the boss receives a call and the budget file remains open. At this moment, the attacker is getting a chance to snoop the budget. He is launching its console. He is trying to open the budget using file system routine ZwCreateFile. So, he fails to open the file, because Windows prevents illegal access to the budget file. The attacker is willing to gain an access by hijacking. He copies the address of the FILE_OBJECT. By using f_open_by_hijacking the attacker creates a file hijacker. Windows creates this file and returns the file handle and the FILE_OBJECT structure. The attacker is trying to read the budget FILE_OBJECT, but he fails. MemoryRanger prevents illegal memory access to the budget FILE_OBJECT. Anyway, the attacker is still hoping to read the budget. But instead of reading a real budget, the attacker can read only the deliberately foisted fake {pause} null data. He fails again. But anyway, he is trying to overwrite the budget file. If the boss decides to check his budget he will see the originals data. MemoryRanger prevents all illegal access attempts to the budget. Finally, let’s compare these /ðiːz/ two files. We close the budget file and the file hijacker and both control consoles as well. We can see that the budget file includes only the budget and all attackers input data is in his file. The OS is protected.
- #130: We need to process the following three events:
- #131: We need to process the following three events:
- #132: We need to process the following three events:
- #133: We need to process the following three events:
- #134: We need to process the following three events:
- #135: We need to process the following three events:
- #136: We need to process the following three events:
- #137: We need to process the following three events:
- #138: We need to process the following three events:
- #139: We need to process the following three events:
- #140: We need to process the following three events:
- #149: Thank you!
- #151: Thank you!
- #152: Thank you!