October 31, 2021

Protected Process Light will be Protected – MemoryRanger Fills the Gap Again


Windows introduced an updated security mechanism, Protected Process Light (PPL), to prevent illegal access to the memory of critical processes and to meet Digital Rights Management (DRM) requirements. Intruders can disable PPL using a kernel driver in order to access the memory content of protected processes. They can also illegally enable PPL for malware applications, which gives the malware self-protection and access to the memory of protected processes without disabling PPL on those processes. PatchGuard does not check the integrity of PPL. This kind of attack is critical for OS security and has to be prevented. This paper presents some undocumented internals of PPL, covering the creation of a protected process as well as access to protected process memory, to analyze how PPL can be tampered with. In this contribution, the hypervisor-based solution called MemoryRanger is applied to prevent such kernel attacks on PPL. MemoryRanger can prevent both types of attacks on PPL: disabling and enabling PPL at run time. MemoryRanger has been successfully tested on the recent Windows 10, version 20H2 Build 19042.631 x64.

The details about an updated MemoryRanger




Korkin, I. (2021, May 24-27). Protected Process Light is not Protected: MemoryRanger Fills The Gap Again. Paper presented at the Systematic Approaches to Digital Forensic Engineering (SADFE) International Workshop, in conjunction with the 42nd IEEE Symposium on Security and Privacy. In Proceedings of the 2021 IEEE Symposium on Security and Privacy Workshops, San Francisco, CA, USA, May 24-27, 2021, pp. 298-308. Retrieved from https://conferences.computer.org/sp/pdfs/spw/2021/893400a298.pdf. https://doi.org/10.1109/SPW53761.2021.00050
