April 16, 2019

MemoryRanger Prevents Hijacking FILE_OBJECT Structures in Windows Kernel

Windows OS kernel memory is one of the main targets of cyber-attacks. By launching such attacks, attackers succeed in escalating process privileges and tampering with users' data by accessing kernel-mode memory.
This paper considers a new example of such an attack, which results in access to files opened in exclusive mode. Windows built-in security features block such access through legitimate means, but attackers can circumvent them by patching dynamically allocated objects. The research shows that Windows 10, version 1809 x64 is vulnerable to this attack. The paper provides an example of using MemoryRanger, a hypervisor-based solution, to prevent such attacks by running kernel-mode drivers in isolated kernel memory enclaves.

Update: this research is evaluated by a famous security lead:
Richard Johnson is the Director of Security Research, Oracle Cloud; previously Research Lead at Cisco Talos.
Thank you, Richard!
Update: this research is evaluated and discussed by famous security leads:
Alex Matrosov is the Offensive Research Lead at @NVIDIA and "Rootkits and Bootkits" book co-author (bootkits.io)
Matt Suiche is a hacker, Microsoft MVP, Founder of @ComaeIo, Co-Founder of @CloudVolumes (now @VMWare)
Thank you, Alex and Matt!

Here are the slides with YouTube demos: the attack and its prevention:

The details about how MemoryRanger protects FILE_OBJECTs are here:

Korkin, I. (2019, May 15-16). MemoryRanger Prevents Hijacking FILE_OBJECT Structures in Windows Kernel. Paper presented at the Proceedings of the 14th annual Conference on Digital Forensics, Security and Law (CDFSL), Embry-Riddle Aeronautical University, Daytona Beach, Florida, USA. Retrieved from https://commons.erau.edu/adfsl/2019/paper-presentation/7/

December 05, 2018

Divide et Impera: MemoryRanger Runs Drivers in Isolated Kernel Spaces

One of the main issues in OS security is providing trusted code execution in an untrusted environment. While executing, kernel-mode drivers allocate and process memory data: OS internal structures, users' private information, and sensitive data of third-party drivers. All this data and the drivers' code can be tampered with by kernel-mode malware. Microsoft security experts integrated new features to fill this gap, but they are not enough: allocated data can be stolen and patched, and the driver's code can be dumped without any security reaction. The proposed hypervisor-based system (MemoryRanger) tackles this issue by executing drivers in separate kernel enclaves with specific memory attributes. MemoryRanger protects code and data using Intel VT-x and EPT features with low performance degradation on Windows 10 x64.
Update: this research is evaluated by a famous security lead:
Yuriy Bulygin has been the chief threat researcher at Intel Security/McAfee and led the Advanced Threat Research team.
Thank you, Yuriy!
MemoryRanger details are here:

Korkin, I. (2018, December 5-6). Divide et Impera: MemoryRanger Runs Drivers in Isolated Kernel Spaces. In Proceedings of the BlackHat Europe Conference, London, UK. Retrieved from https://www.blackhat.com/eu-18/briefings/schedule/#divide-et-impera-memoryranger-runs-drivers-in-isolated-kernel-spaces-12668

March 10, 2018

AllMemPro: Hypervisor-Based Active Data Protection for Integrity and Confidentiality of Dynamically Allocated Memory in Windows Kernel

Update: this research is evaluated by a famous security lead:
David Weston leads the Windows Device Security and Offensive Security Research teams at Microsoft in Redmond, Washington, United States of America.
Thank you, Dave!

In addition, these results have been used in the research Kernel Mode Threats and Practical Defenses presented at Black Hat USA 2018.

One of the main issues in OS security is providing trusted code execution in an untrusted environment. While executing, kernel-mode drivers dynamically allocate memory to store and process their data: Windows core kernel structures, users' private information, and sensitive data of third-party drivers. All this data can be tampered with by kernel-mode malware. Attacks on Windows-based computers can not only hide a malware driver, escalate process privileges, and steal private data but also cause failures of industrial CNC machines. Windows built-in security and existing approaches do not provide the integrity and confidentiality of the allocated memory of third-party drivers. The proposed hypervisor-based system (AllMemPro) protects allocated data from being modified or stolen. AllMemPro prevents access to even 1 byte of allocated data, adapts to newly allocated memory in real time, and protects the driver without its source code. AllMemPro works well on the newest Windows 10 1709 x64.

AllMemPro details are here:
Korkin, I. (2018, May 17-18). Hypervisor-Based Active Data Protection for Integrity and Confidentiality of Dynamically Allocated Memory in Windows Kernel. Paper presented at the Proceedings of the 13th annual Conference on Digital Forensics, Security and Law (CDFSL), University of Texas at San Antonio (UTSA), San Antonio, Texas, USA. Retrieved from https://commons.erau.edu/adfsl/2018/presentations/13/

March 30, 2017

MemoryMonRWX: Detect Kernel-Mode Rootkits via Real-Time Logging & Controlling Memory Access

Modern malware and spyware platforms attack existing antivirus solutions and even Microsoft PatchGuard. To protect users and business systems, new technologies built into Intel and AMD CPUs may be applied. To deal with the new malware, we propose monitoring and controlling access to memory in real time using Intel VT-x with EPT. We have checked this concept by developing MemoryMonRWX, which is a bare-metal hypervisor. MemoryMonRWX is able to track and trap all types of memory access: read, write, and execute. MemoryMonRWX also has the following competitive advantages: fine-grained analysis, support of multi-core CPUs and 64-bit Windows 10. MemoryMonRWX is able to protect critical kernel memory areas even when PatchGuard has been disabled by malware. Its main innovative features are as follows: guaranteed interception of every memory access, resilience, and low performance degradation.

The details are here:
Korkin, I., & Tanda, S. (2017, May 15-16). Detect Kernel-Mode Rootkits via Real Time Logging & Controlling Memory Access. Paper presented at the Proceedings of the 12th annual Conference on Digital Forensics, Security and Law (CDFSL), Embry-Riddle Aeronautical University, Daytona Beach, Florida, USA. Retrieved from https://commons.erau.edu/adfsl/2017/papers/5/

June 27, 2016

Monitoring & Controlling Kernel-Mode Events by HyperPlatform

This research has been used in the Computer Security course at the Israel Institute of Technology, Haifa, Israel.
We presented HyperPlatform, an advanced system monitoring platform for the Windows operating system. Using Intel VT-x and Extended Page Table (EPT) technologies, this platform provides fast monitoring of various events. HyperPlatform is hidden and resilient to modern anti-forensic techniques and can be easily extended for day-to-day reverse engineering work.
The details are here:
Tanda, S., & Korkin, I. (2016, June 17-19). Monitoring & Controlling Kernel-Mode Events by HyperPlatform. Paper presented at the REcon conference, Montreal, Canada. Retrieved from https://recon.cx/2016/talks/Monitoring-and-controlling-kernel-mode-events-by-HyperPlatform.html

May 30, 2016

Acceleration of Statistical Detection of Zero-day Malware in the Memory Dump Using CUDA-enabled GPU Hardware

This paper focuses on the anticipatory enhancement of methods for detecting stealth software. Cyber security detection tools are insufficiently powerful to reveal the most recent cyber-attacks that use malware. In this paper, we first present an idea of the stealthiest malware, as this is the most complicated scenario for detection because it combines existing anti-forensic techniques together with their potential improvements. Second, we present new detection methods that are resilient to this hidden prototype. To help solve this detection challenge, we have analyzed Windows memory content using a new method of Shannon entropy calculation, methods of digital photogrammetry, and the Zipf–Mandelbrot law, as well as by disassembling the memory content and analyzing the output. Finally, we present an idea and architecture of a software tool that uses CUDA-enabled GPU hardware to speed up memory forensics. All three ideas are currently a work in progress.

The details are here:
Korkin, I., & Nesterow, I. (2016, May 24-26). Acceleration of Statistical Detection of Zero-day Malware in the Memory Dump Using CUDA-enabled GPU Hardware. Paper presented at the Proceedings of the 11th annual Conference on Digital Forensics, Security and Law (CDFSL), pp. 47-82, Embry-Riddle Aeronautical University, Daytona Beach, Florida, USA. Retrieved from https://commons.erau.edu/adfsl/2016/tuesday/10

May 27, 2015

Two Challenges of Stealthy Hypervisors Detection: Time Cheating and Data Fluctuations

Update 07/16/2015 - Best Paper Award
This paper was selected as one of the best papers of the 10th ADFSL Conference 2015 (conference.adfsl.org) and will be published in the Journal of Digital Forensics, Security and Law (JDFSL)!

These results are mentioned in the research Malicious Hypervisor Threat – Phase Two: How to Catch the Hypervisor presented at DeepSec 2016: paper and slides.

Hardware virtualization technologies play a significant role in cyber security. On the one hand, these technologies enhance security by enabling the design of a trusted operating system. On the other hand, they can be taken up by modern malware, which is then rather hard to detect. None of the existing methods is able to efficiently detect a hypervisor in the face of countermeasures such as time cheating, temporary self-uninstalling, memory hiding, etc. The new hypervisor detection methods described in this paper can detect a hypervisor under these countermeasures and even count several nested ones. These novel approaches rely on a new statistical analysis of time discrepancies obtained by examining a set of instructions that are unconditionally intercepted by a hypervisor. Reliability was achieved through comprehensive analysis of the collected data despite its fluctuation. The proposed methods were comprehensively assessed on both Intel and AMD CPUs.

The details are here:
Korkin, I. (2015, May 18-21). Two Challenges of Stealthy Hypervisors Detection: Time Cheating and Data Fluctuations. Paper presented at the Proceedings of the 10th Annual Conference on Digital Forensics, Security and Law (CDFSL), pp. 33-57, Embry-Riddle Aeronautical University, Daytona Beach, Florida, USA. Retrieved from https://proceedings.adfsl.org/index.php/CDFSL/article/view/128/125
Korkin, I. (2015, September). Two Challenges of Stealthy Hypervisors Detection: Time Cheating and Data Fluctuations. Journal of Digital Forensics, Security and Law, Vol. 10, No. 2, pp. 7-38. Retrieved from https://ojs.jdfsl.org/index.php/jdfsl/article/view/337

July 24, 2014

Applying Memory Forensics to Rootkit Detection

Volatile memory dumping and its analysis is an essential part of digital forensics. Among the various software and hardware approaches to memory dumping, some authors point out that certain approaches are not resilient to anti-forensic techniques, and that others require a reboot or are highly platform dependent. Newer resilient tools have their own disadvantages, such as low speed or vulnerability to rootkits that directly manipulate kernel structures, e.g. page tables. A new memory forensic system, Malware Analysis System for Hidden Knotty Anomalies (MASHKA), is described in this paper. It is resilient to popular anti-forensic techniques. The system can be used for a wide range of memory forensics tasks. This paper describes how to apply the system to the research and detection of kernel-mode rootkits and also presents an analysis of the most popular anti-rootkit tools.

Update: this research has been used in Scientific Report DRDC-RDDC-2017-R041:
Richard Carbone is an Infosec Analyst and Researcher, EC-Council CHFI / SANS GCIH & GREM, Defence Research and Development Canada – Valcartier Research Centre. DRDC acts as a Canadian equivalent to DARPA.
Thank you, Richard!
I am proud to play a small role in the protection of our cyber world!
The details are here:
Korkin, I., & Nesterov, I. (2014, May 28-29). Applying Memory Forensics to Rootkit Detection. Paper presented at the Proceedings of the 9th annual Conference on Digital Forensics, Security and Law (CDFSL), pp. 115-141, Richmond, Virginia, USA. Retrieved from https://proceedings.adfsl.org/index.php/CDFSL/article/view/34/34