Windows OS kernel memory is one of the main targets of cyber-attacks. By launching such attacks, attackers succeed in process privilege escalation and in tampering with user data by accessing kernel-mode memory. This paper considers a new example of such an attack, which results in access to files opened in exclusive mode. Windows built-in security features prevent such illegal access, but attackers can circumvent them by patching dynamically allocated kernel objects. The research shows that Windows 10, version 1809 x64 is vulnerable to this attack. The paper provides an example of using MemoryRanger, a hypervisor-based solution that prevents such attacks by running kernel-mode drivers in isolated kernel memory enclaves.