December 23, 2023

ALPChecker – Detecting Spoofing and Blinding Attacks by Anastasiia Kropova and Igor Korkin #HITB2023HKT #COMMSEC


In recent years, Windows OS has faced a surge in attacks exploiting kernel drivers, notably targeting AV and EDR systems. The vulnerable Asynchronous Local Procedure Call (ALPC) technology, vital for client-server interactions, lacks essential safeguards, as demonstrated in successful attacks at LABScon 2022 and Ekoparty 2022.

To address ALPC vulnerabilities, we propose ALPChecker, a proactive security tool detecting kernel mode attacks by checking client and server ALPC ports. It plays a critical role in preventing bypassing and disabling of Windows protection tools, ensuring the ongoing integrity of ALPC connections in the Windows operating environment.

The details are here:
Kropova, A., Korkin, I. (2023, May 24-27). ALPChecker – Detecting Spoofing and Blinding Attacks. In Proceedings of the Hack In The Box Security Conference (HITBSecConf2023), CommSec Track, Phuket, Thailand, August 21-25, 2023, Retrieved from https://conference.hitb.org/hitbsecconf2023hkt/session/commsec-alpchecker-detecting-spoofing-and-blinding-attacks/

November 03, 2021

Your Linux Passwords Are in Danger: MimiDove Meets the Challenge (lightning talk) by Svetlana Golub and Igor Korkin


GNOME desktop environment stores user’s credentials in process memory, which poses an obvious danger and needs to be fixed. The competitive advantage of the proposed security tool (MimiDove) includes its ability to quickly detect and remove passwords containing both ASCII characters and Unicode characters.

The details about the updated MimiDove are here:

Golub, S., Korkin, I. (2021). Your Linux Passwords Are in Danger: MimiDove Meets the Challenge. Talk presented at the Texas Cyber Summit 2021, Retrieved from https://texascyber.com/briefings_schedule/your-linux-passwords-are-in-danger-mimidove-meets-the-challenge/
Golub, S., Korkin, I. (2021). Your Linux Passwords Are in Danger: MimiDove Meets the Challenge. Journal of Computer Engineering (IOSRJCE), 23(6), pp. 27-28. Retrieved from https://iosrjournals.org/iosr-jce/papers/Vol23-issue6/Ser-1/C2306012728.pdf https://doi.org/10.9790/0661-2306012728

October 31, 2021

Protected Process Light will be Protected – MemoryRanger Fills the Gap Again


Windows OS introduced an updated security mechanism to prevent illegal access to the memory of critical processes and to satisfy Digital Rights Management (DRM) requirements: Protected Process Light (PPL). Using a kernel driver, intruders can disable PPL to access the memory content of protected processes. They can also illegally enable PPL for malware apps, giving them self-protection and access to the memory of protected processes without disabling PPL on those processes. PatchGuard does not check the integrity of PPL. This kind of attack is critical for OS security and has to be prevented. This paper presents some undocumented internals of PPL, both during the creation of a protected process and during access to protected process memory, to analyze how PPL can be tampered with. In this contribution, the hypervisor-based solution called MemoryRanger is applied to prevent such kernel attacks on PPL. MemoryRanger can prevent both types of attacks on PPL: disabling and enabling PPL at run time. MemoryRanger has been successfully tested on the recent Windows 10, version 20H2 Build 19042.631 x64.

The details about the updated MemoryRanger are here:

Korkin, I. (2021, May 24-27). Protected Process Light is not Protected: MemoryRanger Fills The Gap Again. Paper presented at the Systematic Approaches to Digital Forensic Engineering (SADFE) International Workshop, in conjunction with the 42nd IEEE Symposium on Security and Privacy. In Proceedings of the 2021 IEEE Symposium on Security and Privacy Workshops, San Francisco, CA, USA, May 24-27, 2021, pp. 298-308. Retrieved from https://conferences.computer.org/sp/pdfs/spw/2021/893400a298.pdf https://doi.org/10.1109/SPW53761.2021.00050

May 22, 2021

(Windows) Kernel Hijacking Is Not an Option: MemoryRanger Comes to Rescue Again


The security of a computer system depends on OS kernel protection. It is crucial to reveal and inspect new attacks on kernel data, as these are used by hackers. The purpose of this paper is to continue research into attacks on dynamically allocated data in the Windows OS kernel and to demonstrate the capacity of MemoryRanger to prevent these attacks. This paper discusses three new hijacking attacks on kernel data, which are based on bypassing OS security mechanisms. The first two hijacking attacks result in illegal access to files opened with exclusive access. The third attack escalates process privileges without applying token swapping. Although Windows security experts have issued new protection features, access attempts to dynamically allocated data in the kernel are not fully controlled. The MemoryRanger hypervisor is designed to fill this security gap. The updated MemoryRanger prevents these new attacks and supports Windows 10 1903 x64.

The details about the updated MemoryRanger are here:

Korkin, I. (2021, June 10). Kernel Hijacking Is Not an Option: MemoryRanger Comes to The Rescue Again. Journal of Digital Forensics, Security and Law, 16(1), Article 4. Retrieved from https://commons.erau.edu/jdfsl/vol16/iss1/4

April 16, 2019

MemoryRanger Prevents Hijacking FILE_OBJECT Structures in Windows Kernel

Windows OS kernel memory is one of the main targets of cyber-attacks. By launching such attacks, hackers succeed in process privilege escalation and in tampering with users' data by accessing kernel-mode memory.
This paper considers a new example of such an attack, which results in access to files opened in exclusive mode. Windows built-in security features prevent such illegal access, but attackers can circumvent them by patching dynamically allocated objects. The research shows that Windows 10, version 1809 x64 is vulnerable to this attack. The paper provides an example of using MemoryRanger, a hypervisor-based solution that prevents such attacks by running kernel-mode drivers in isolated kernel memory enclaves.

The details about how MemoryRanger protects FILE_OBJECTs are here:
This research is evaluated and discussed by famous security leads:

π“‘π’Šπ’„π’‰π’‚π’“π’… 𝓙𝒐𝒉𝒏𝒔𝒐𝒏 is the Director of Security Research, Oracle Cloud; previously Research Lead at Cisco Talos.
Thank you, π“‘π’Šπ’„π’‰π’‚π’“π’…!
Alex Matrosov is the Offensive REsearch Lead at @NVIDIA and "Rootkits and Bootkits" book co-author (bootkits.io)
Matt Suiche ia a hacker, Microsoft MVP, Founder of @ComaeIo — Co-Founder of @CloudVolumes (now @VMWare)
Thank you, Alex and Matt!

Here are the slides with YouTube demos of the attack and its prevention:

Korkin, I. (2019, May 15-16). MemoryRanger Prevents Hijacking FILE_OBJECT Structures in Windows Kernel. In Proceedings of the 14th Annual Conference on Digital Forensics, Security and Law (CDFSL), Embry-Riddle Aeronautical University, Daytona Beach, Florida, USA. Retrieved from https://commons.erau.edu/adfsl/2019/paper-presentation/7/

December 05, 2018

Divide et Impera: MemoryRanger Runs Drivers in Isolated Kernel Spaces


One of the main issues in OS security is providing trusted code execution in an untrusted environment. While executing, kernel-mode drivers allocate and process memory data: OS internal structures, users’ private information, and sensitive data of third-party drivers. All this data and the drivers’ code can be tampered with by kernel-mode malware. Microsoft security experts integrated new features to fill this gap, but they are not enough: allocated data can be stolen and patched, and a driver’s code can be dumped without any security reaction. The proposed hypervisor-based system (MemoryRanger) tackles this issue by executing drivers in separate kernel enclaves with specific memory attributes. MemoryRanger protects code and data using Intel VT-x and EPT features with low performance degradation on Windows 10 x64.

MemoryRanger details are here:

Update: this research is evaluated by a famous security lead:
Yuriy Bulygin has been the chief threat researcher at Intel Security/McAfee and led the Advanced Threat Research team.
Thank you, Yuriy!


Korkin, I. (2018, December 5-6). Divide et Impera: MemoryRanger Runs Drivers in Isolated Kernel Spaces. In Proceedings of the BlackHat Europe Conference, London, UK. Retrieved from https://www.blackhat.com/eu-18/briefings/schedule/#divide-et-impera-memoryranger-runs-drivers-in-isolated-kernel-spaces-12668

March 10, 2018

AllMemPro: Hypervisor-Based Active Data Protection for Integrity and Confidentiality of Dynamically Allocated Memory in Windows Kernel

One of the main issues in OS security is providing trusted code execution in an untrusted environment. While executing, kernel-mode drivers dynamically allocate memory to store and process their data: Windows core kernel structures, users’ private information, and sensitive data of third-party drivers. All this data can be tampered with by kernel-mode malware. Attacks on Windows-based computers can result not only in hiding a malware driver, process privilege escalation, and stealing private data, but also in failures of industrial CNC machines. Windows built-in security and existing approaches do not provide the integrity and confidentiality of the allocated memory of third-party drivers. The proposed hypervisor-based system (AllMemPro) protects allocated data from being modified or stolen. AllMemPro prevents access to even 1 byte of allocated data, adapts to newly allocated memory in real time, and protects the driver without its source code. AllMemPro works well on the newest Windows 10 1709 x64.
AllMemPro details are here:


This research is evaluated by a famous security lead:
David Weston leads the Windows Device Security and Offensive Security Research teams at Microsoft in Redmond, Washington, United States of America.
Thank you, Dave!

In addition, these results have been used in the research Kernel Mode Threats and Practical Defenses presented at Black Hat USA 2018.

Korkin, I. (2018, May 17-18). Hypervisor-Based Active Data Protection for Integrity and Confidentiality of Dynamically Allocated Memory in Windows Kernel. In Proceedings of the 13th Annual Conference on Digital Forensics, Security and Law (CDFSL), University of Texas at San Antonio (UTSA), San Antonio, Texas, USA. Retrieved from https://commons.erau.edu/adfsl/2018/presentations/13/

March 30, 2017

MemoryMonRWX: Detect Kernel-Mode Rootkits via Real-Time Logging & Controlling Memory Access


Modern malware and spyware platforms attack existing antivirus solutions and even Microsoft PatchGuard. To protect users and business systems, new technologies built into Intel and AMD CPUs may be applied. To deal with the new malware, we propose monitoring and controlling access to memory in real time using Intel VT-x with EPT. We have validated this concept by developing MemoryMonRWX, a bare-metal hypervisor. MemoryMonRWX is able to track and trap all types of memory access: read, write, and execute. MemoryMonRWX also has the following competitive advantages: fine-grained analysis, and support for multi-core CPUs and 64-bit Windows 10. MemoryMonRWX is able to protect critical kernel memory areas even when PatchGuard has been disabled by malware. Its main innovative features are as follows: guaranteed interception of every memory access, resilience, and low performance degradation.

The details of MemoryMonRWX are here:
Korkin, I., & Tanda, S. (2017, May 15-16). Detect Kernel-Mode Rootkits via Real Time Logging & Controlling Memory Access. In Proceedings of the 12th Annual Conference on Digital Forensics, Security and Law (CDFSL), Embry-Riddle Aeronautical University, Daytona Beach, Florida, USA. Retrieved from https://commons.erau.edu/adfsl/2017/papers/5/