There are many drivers from various hardware and software vendors lying around that offer functionality to fully access the kernel with minimal effort. Vulnerabilities in signed drivers are mostly utilized by game cheat developers to circumvent anti-cheat mechanisms, but they have also been observed being used by several APT groups and in commodity malware alike.
This paper discusses the types of vulnerabilities that commonly occur in kernel drivers, provides several case studies of malware utilizing such vulnerable drivers, analyzes examples of vulnerable drivers that we discovered during our research, and outlines effective mitigation techniques against this type of exploitation. While this problem is not new and relevant research about the topic has been presented in the past, mainly during and [1], [2], [3], it is still a problem as of this writing.
While every vulnerability is different, similar types of vulnerabilities recur in unrelated kernel drivers. This may be partially caused by ancient driver code samples that were created back when access to kernel mode was not restricted to signed drivers and developers did not take security into consideration, since malware could simply load unsigned rootkit drivers instead. The following sections describe the vulnerabilities most frequently observed in drivers from a wide variety of hardware and software vendors, including high-profile ones.
Some MSRs contain various information about the processor or a specific CPU core, such as temperature or power. Many commercial drivers implement functionality for user-mode applications to execute the instructions that read and write these registers through an IOCTL mechanism. This is usually intended to read or write a few specific, harmless MSRs (CPU voltage, temperature, …), but developers sometimes do not add any checks to restrict access to critical MSRs, as in the example seen in Figure 2.
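The following is an added example, not code from the paper or from any vendor driver it analyzes, written to make the MSR IOCTL pattern concrete. It models the request as a simple struct (assumed layout) and replaces the real WRMSR/RDMSR instructions with an in-memory table so it runs in user mode. The vulnerable handler checks only the buffer length and then writes whatever MSR index the caller supplied; the hardened handler denies every index that is not on an explicit allowlist (the allowlist here, a single thermal-status register, is an assumption chosen for illustration). IA32_LSTAR, which holds the 64-bit system call entry point, is used in the demonstration as the kind of critical register that must never be reachable through such an interface.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Request layout a user-mode tool passes through the IOCTL (assumed layout). */
typedef struct {
    uint32_t msr;   /* MSR index */
    uint64_t value; /* value to write */
} msr_request_t;

typedef enum { REQ_OK = 0, REQ_BAD_LENGTH = 1, REQ_ACCESS_DENIED = 2 } req_status_t;

/* Architectural MSR indices (Intel SDM vol. 4). */
#define MSR_IA32_THERM_STATUS 0x19CU
#define MSR_TEMPERATURE_TARGET 0x1A2U
#define MSR_IA32_LSTAR 0xC0000082U   /* system call entry point: never expose */

/* Stand-in for wrmsr/rdmsr: an in-memory table so the example runs in user mode. */
#define BANK_SLOTS 8
static uint32_t bank_idx[BANK_SLOTS];
static uint64_t bank_val[BANK_SLOTS];
static size_t bank_n = 0;

static void sim_wrmsr(uint32_t msr, uint64_t value) {
    for (size_t i = 0; i < bank_n; i++) {
        if (bank_idx[i] == msr) { bank_val[i] = value; return; }
    }
    if (bank_n < BANK_SLOTS) {
        bank_idx[bank_n] = msr; bank_val[bank_n] = value; bank_n++;
    }
}

uint64_t sim_rdmsr(uint32_t msr) {
    for (size_t i = 0; i < bank_n; i++) {
        if (bank_idx[i] == msr) return bank_val[i];
    }
    return 0; /* never written in this simulation */
}

/* The recurring bug: only the buffer size is checked, then the caller-chosen
   MSR index is written verbatim, so any MSR on the core becomes writable. */
req_status_t ioctl_write_msr_unsafe(const msr_request_t *req, size_t in_len) {
    if (req == NULL || in_len < sizeof(*req)) return REQ_BAD_LENGTH;
    sim_wrmsr(req->msr, req->value);
    return REQ_OK;
}

/* Hardened form: deny by default, allow only the MSRs the product needs.
   The single entry here is an illustrative assumption, not a real product's list. */
static const uint32_t WRITE_ALLOWLIST[] = { MSR_IA32_THERM_STATUS };

static bool msr_write_allowed(uint32_t msr) {
    for (size_t i = 0; i < sizeof(WRITE_ALLOWLIST) / sizeof(WRITE_ALLOWLIST[0]); i++) {
        if (WRITE_ALLOWLIST[i] == msr) return true;
    }
    return false;
}

req_status_t ioctl_write_msr_hardened(const msr_request_t *req, size_t in_len) {
    if (req == NULL || in_len < sizeof(*req)) return REQ_BAD_LENGTH;
    if (!msr_write_allowed(req->msr)) return REQ_ACCESS_DENIED;
    sim_wrmsr(req->msr, req->value);
    return REQ_OK;
}

int main(void) {
    msr_request_t req = { MSR_IA32_LSTAR, 0x1234 };
    printf("unsafe handler:   status %d\n", (int)ioctl_write_msr_unsafe(&req, sizeof req));
    printf("hardened handler: status %d\n", (int)ioctl_write_msr_hardened(&req, sizeof req));
    return 0;
}
```

Deny-by-default is the point: a denylist of "known dangerous" MSRs is fragile because the critical set differs between CPU generations and vendors, whereas the set of registers a telemetry tool actually needs is small and known to its developer.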
Figure 2.

On such systems, simply changing the pointer to the address of an arbitrary user-mode executable buffer containing malicious code, and then immediately executing a system call instruction on the same CPU core, was enough to gain kernel-level code execution.
This is no longer the case with newer systems due to modern exploitation mitigations. That being said, with clever use of various techniques, it is still possible to bypass most of these mitigations and achieve kernel-level code execution on Windows 10 or even brand-new Windows 11 systems as of December. All the mitigations described in the following sections are in place on most modern machines and need to be bypassed to achieve successful kernel-mode exploitation.
Supervisor Mode Execution Prevention (SMEP) is a protection mechanism introduced in Intel processors based on the Ivy Bridge architecture and enabled by default since Windows 8. It prevents execution of code in user-mode pages from Ring 0 and is implemented by marking every virtual memory page in the page table with a flag bit that designates it as a user-mode or kernel-mode page.
That being said, since the attacker controls the stack that is passed to kernel mode on system calls, they may use a technique called a ROP (return-oriented programming) chain to manipulate the stack. Since an attacker can read kernel modules from the file system and knows at which addresses the modules are loaded, suitable gadgets can easily be looked up, and if they exist, a working ROP chain can be constructed.
Therefore, it is crucial that those two addresses change before any operations happen in the kernel. At this point, the malicious code executes properly in the kernel and the attacker can run whatever payload is desired; they can then proceed to execute a user-mode payload directly.
The only difficulty with this approach is precalculating a valid CR4 value. Although most of the CR4 bits can be inferred from user mode by running the CPUID instruction, there may be inconsistencies between different versions of Windows.
Supervisor Mode Access Prevention (SMAP) is a newer mitigation introduced to complement SMEP and further restrict access from the kernel to user-mode pages: it disallows both reads and writes. A system with SMAP active will bluescreen the moment the kernel tries to access the user-mode stack after transitioning to the kernel via the system call. Even on the newest Windows 11 machines, the mask does not have the AC flag bit set, which means the flag is not cleared upon transitioning to the kernel, so SMAP can be disabled by the user.
It is worth noting that SMAP has only recently been enabled by default in Windows 10 x64 with newer hardware. KVA shadowing was introduced as a software mitigation for the Meltdown CPU vulnerability discovered at the end of
The basic idea of this mitigation is that the virtual address space is split in two: user mode and kernel mode.
The user-mode address space has access only to very restricted parts of the ntoskrnl module, specifically a single code section called. The rest of the kernel is completely separated, mapped into its own address space, and cannot be accessed by the CPU from the user-mode address space until the context is appropriately switched.
Figure 4. Comparison of KiSystemCall64 and KiSystemCall64Shadow versions of the system call handler — minor differences can be spotted at the beginning of the function.
While KVA shadowing was designed as a fix for the Meltdown vulnerability, it also complicates the exploitation of other kinds of vulnerabilities, including the MSR one. There are generally two approaches to disabling the mitigation; one is to disable it through a setting in the registry. This requires admin access and a subsequent reboot for the change to take effect.
Being able to directly read and write physical memory seems to be a common feature in many low-level kernel drivers. This is achieved by mapping a specific range of physical memory to a virtual memory buffer that can be read or written and even passed to a user-mode application.
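As an added example (not the paper's code, and not any real driver's), the physical-memory mapping IOCTL just described can be given the same deny-by-default treatment as the MSR case: the driver knows which physical windows its own device owns (here a constructed 64 KiB window at 0xFE000000 standing in for a PCI BAR), and a mapping request is honoured only if it lies entirely inside one of them. The IOCTL structure layout and the window are assumptions; the unsafe variant shows the pattern the text describes, which accepts any non-empty range. The hardened check also rejects ranges whose base plus length wraps around the 64-bit address space, the classic way an otherwise present bounds check is defeated.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* A physical window the device is allowed to expose. In a real driver this
   would come from the device's translated resource list (PCI BAR); here it
   is constructed for the example. */
typedef struct {
    uint64_t base;
    uint64_t length;
} phys_window_t;

/* What a user-mode caller asks the driver to map (assumed IOCTL layout). */
typedef struct {
    uint64_t phys_addr;
    uint64_t length;
} map_request_t;

/* Vulnerable pattern: any non-empty range is accepted and mapped, so the
   caller can reach every byte of physical memory. */
bool map_request_unsafe(const map_request_t *req) {
    return req != NULL && req->length != 0;
}

/* Hardened check: the range must be non-empty, must not wrap around the
   address space, and must lie entirely inside one permitted window. */
bool map_request_allowed(const map_request_t *req,
                         const phys_window_t *windows, size_t n_windows) {
    if (req == NULL || windows == NULL || req->length == 0) return false;
    /* Wraparound: base + length overflowing 64 bits would otherwise yield a
       tiny end address that passes a naive "end <= window_end" comparison. */
    if (req->phys_addr > UINT64_MAX - req->length) return false;
    uint64_t req_end = req->phys_addr + req->length; /* exclusive end */
    for (size_t i = 0; i < n_windows; i++) {
        if (windows[i].length == 0) continue;
        if (windows[i].base > UINT64_MAX - windows[i].length) continue; /* malformed window */
        uint64_t win_end = windows[i].base + windows[i].length;
        if (req->phys_addr >= windows[i].base && req_end <= win_end) return true;
    }
    return false;
}

/* Constructed example window: 64 KiB of device registers at 0xFE000000. */
const phys_window_t DEMO_WINDOWS[] = { { 0xFE000000ULL, 0x10000ULL } };
const size_t DEMO_WINDOW_COUNT = sizeof(DEMO_WINDOWS) / sizeof(DEMO_WINDOWS[0]);

int main(void) {
    const map_request_t cases[] = {
        { 0xFE001000ULL, 0x1000ULL },         /* inside the device window */
        { 0x00100000ULL, 0x1000ULL },         /* arbitrary low RAM */
        { 0xFFFFFFFFFFFFF000ULL, 0x2000ULL }, /* base + length wraps around */
    };
    for (size_t i = 0; i < sizeof(cases) / sizeof(cases[0]); i++) {
        printf("0x%016llx+0x%llx: unsafe=%d hardened=%d\n",
               (unsigned long long)cases[i].phys_addr, (unsigned long long)cases[i].length,
               map_request_unsafe(&cases[i]),
               map_request_allowed(&cases[i], DEMO_WINDOWS, DEMO_WINDOW_COUNT));
    }
    return 0;
}
```

Checking against the device's own resource list rather than against "what looks like RAM" keeps the policy tied to what the driver actually needs, and the overflow check matters because the caller controls both the base and the length of the request.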
The capture driver can "manually" flip overlays. The Windows and later miniport video transport driver can provide V-sync notification from the hardware video port or display; it can also get field polarities, which can be useful when capturing vertical blanking interval (VBI) data.
Although the primary purpose of the kernel-mode driver is to enhance hardware video port autoflipping capabilities, it also supports video bus masters, which can write data while in kernel mode. The bus master can be notified before losing the surface because of a mode change, or because a full-screen Command Prompt instance is launched.
Because the new driver support allows a bus master to be called before the changes occur, the bus master can shut off without causing a problem.