Windows Kernel Hijacking Is Not an Option: Memoryranger Comes to the Rescue Again

Home , Kernel Patch Protection, Microsoft Defender, Object Manager (Windows)

Journal of Digital Forensics, Security and Law

Volume 16 Article 4

June 2021

Windows Kernel Hijacking Is Not an Option: MemoryRanger Comes to the Rescue Again

Igor Korkin Independent Researcher, [email protected]

Follow this and additional works at: https://commons.erau.edu/jdfsl

Part of the Computer and Systems Architecture Commons, Information Security Commons, OS and Networks Commons, Software Engineering Commons, and the Systems Architecture Commons

Recommended Citation Korkin, Igor (2021) "Windows Kernel Hijacking Is Not an Option: MemoryRanger Comes to the Rescue Again," Journal of Digital Forensics, Security and Law: Vol. 16 , Article 4. Available at: https://commons.erau.edu/jdfsl/vol16/iss1/4

This Article is brought to you for free and open access by the Journals at Scholarly Commons. It has been accepted for inclusion in Journal of Digital Forensics, Security and Law by an authorized administrator of (c)ADFSL Scholarly Commons. For more information, please contact [email protected]. Windows Kernel Hijacking Is Not an Option: MemoryRanger Comes to the Rescue Again

Cover Page Footnote I would like to thank Benjamin Stein, a teacher of English, Kings Education, London, UK for his invaluable corrections of the paper. I am also extremely grateful to Michael Chaney, ERAU alumni, Cyber-Research Editor, USA, for his time and effort in checking a preliminary version of this paper and providing constructive feedback, which significantly contributed ot improving the quality of this paper.

This article is available in Journal of Digital Forensics, Security and Law: https://commons.erau.edu/jdfsl/vol16/iss1/ 4 JDFSL 2021

WINDOWS KERNEL HIJACKING IS NOT AN OPTION: MEMORYRANGER COMES TO THE RESCUE AGAIN Igor Korkin, PhD Independent Researcher Moscow, Russian Federation [email protected] ABSTRACT The security of a computer system depends on OS kernel protection. It is crucial to reveal and inspect new attacks on kernel data, as these are used by hackers. The purpose of this paper is to continue research into attacks on dynamically allocated data in the Windows OS kernel and demonstrate the capacity of MemoryRanger to prevent these attacks. This paper discusses three new hijacking attacks on kernel data, which are based on bypassing OS security mechanisms. The first two hijacking attacks result in illegal access to files open in exclusive access. The third attack escalates process privileges, without applying token swapping. Although Windows security experts have issued new protection features, access attempts to the dynamically allocated data in the kernel are not fully controlled. MemoryRanger hypervisor is designed to fill this security gap. The updated MemoryRanger prevents these new attacks as well as supporting the Windows 10 1903 x64.

Keywords: hypervisor-based protection, Windows kernel, hijacking attacks on memory, memory isolation, Kernel Data Protection

1. INTRODUCTION nerabilities. Researchers consider that “kernel modules (drivers) introduce additional The security of users’ data and applications attack surface, as they have full access to depends on the security of the OS kernel the kernel’s address space” (Yitbarek and code and data. Modern operating systems Austin, 2019). At the recent DEF CON include millions of lines of code, which makes hacking conference researchers from Eclyp- it impossible to reveal and remediate all vul- sium released a list of more than 40 drivers nerabilities. Attackers can exploit the OS from Microsoft-certiﬁed hardware vendors, vulnerabilities to perform malicious actions. which are prone to privilege escalation at- Windows OS kernel remains one of the most tacks (Jesse and Shkatov, 2019). Another vul- desired targets for hackers. Another big chal- nerability in a signed third-party driver was lenge of OS kernel protection is the third- presented at the Blue Hat IL conference by party kernel-mode drivers, which execute at security experts from the Microsoft Defender the same high privilege level as the OS ker- ATP Research Team. The vulnerable driver nel, and they also include a variety of vul- uses a watchdog mechanism based on user

APC injection, which can also be exploited access to the kernel memory. All drivers have by attackers to bypass driver signature en- full access to the system and can be used by forcement and gain escalated privileges. (Ra- attackers. Windows security features provide paport, 2019). Recently revealed Banking limited kernel memory protection. trojan “Banload”, which targets bank cus- Threat model Let us assume that using tomers in Brazil and Thailand, applied a various approaches, intruders are able to exe- malicious kernel-mode component to fight cute malicious kernel code. This paper analy- with anti-malware and banking protection ses two types of attacks on kernel data, which programs. This digitally signed malware result in the following, see Figure 1: driver is designed “to remove software drivers and executables belonging to anti-malware • gaining access to the files open in an and banking protection programs”, such as exclusive mode (Handle Hijacking and AVG, Avast, IBM Trusteer Rapport (Bisson, Hijacking NTFS data structures); 2019; Kremez, 2019). Kernel-mode drivers • escalating process privileges without us- were also used during the recent RobbinHood ing the token swapping technique (Token ransomware attack. Hackers installed a le- Hijacking). gitimate driver and exploited its vulnerability to temporarily disable the Windows OS For the attacks on files, a legal driver cre- driver signature enforcement. Finally, they ates a file via ZwCreateFile with zero flag installed a malicious kernel driver (Cimpanu, ShareAccess, which gives the caller exclusive 2020). Notorious cryptocurrency mining mal- access to the open file. While the file remains ware also applies kernel-mode rootkits to pre- opened all attempts to gain access to this file vent them from being terminated. Windows- via ZwCreateFile are in vain. Windows OS based crypto miner infected more than 50000 detects this illegal access and returns a status servers from 90 countries (Harpaz and Gold- sharing violation code (0xC0000043), which berg, 2019; O’Donnell, 2019). The Microsoft indicates that “a file cannot be opened be- Security team do their best to maintain a cause the share access flags are incompatible” high level of OS kernel protection by issuing (Microsoft, 2019). various security features, for example, Mi- This research reveals two different attacks, crosoft Kernel Patch Protection (KPP) aka which bypass Windows security features and PatchGuard etc. At the same, time secu- successfully gain unauthorized access to the rity researchers and rootkit developers are files opened without shared access by patch- discovering different techniques to bypass ing OS internal data structures, related to PatchGuard. The most notable of them was the Object Manager and NTFS driver com- GhostHook, which abused the Intel Processor ponents. The third attack escalates process Trace (PT) feature to overcome PatchGuard privileges by patching the static and the vari- and patch the kernel. Cimpanu (2019) under- able portions of _TOKEN structure, without lines that two recently published bypassing using token swapping or token stealing tech- techniques InfinityHook and ByePg “estab- niques. This type of attack is mapped to lish a permanent foothold in the kernel itself MITRE ATTCK (2020) under Access Token and open the door for the return of rootkits Manipulation. The type of escalation privi- on Windows 10”. We can see that on the one lege attack based on SeImpersonatePrivilege hand, all drivers and the OS kernel share the function is out of the scope of this paper same memory space, and on the other hand, (Bisht, 2020). All newly proposed attacks are there are no built-in mechanisms to restrict working transparently on Windows 10 1903

64 bit as well as for its security features, such the file opened in an exclusive mode. These as Patch Guard, Device Guard, and Security two hijacking attacks are based on modifying Reference Monitor. the OS internal data structures involved in To prevent all these attacks on Windows file operations. OS kernel data the updated MemoryRanger hypervisor will be presented. MemoryRanger 2.1 Control Flow and Internal prevents attacks on files by running newly Data Structures Involved loaded drivers in separated kernel spaces as in Read and Write File well as restricting access to the correspond- Operations ing sensitive memory areas. The newest key feature of MemoryRanger allows it to run a Windows OS provides four main kernel API special data enclave for sensitive OS kernel routines to create, read/write, and close files: data, such as _TOKEN structures. This en- ZwCreateFile, ZwReadFile, ZwWriteFile, Zw- clave includes these sensitive OS structures, Close. During file operations, several OS ker- OS kernel core, and a limited number of OS nel components are involved (Russinovich, kernel built-in drivers. This new scheme pre- Solomon, and Ionescu, 2012; Tanenbaum and vents illegal access from all drivers whether Bos, 2014). Each time a driver calls ZwCre- loaded before and after MemoryRanger. The ateFile the control goes to the following OS remainder of the paper is as follows. Sec- kernel subsystems: I/O manager, Object tion 2 provides the details of the control flow Manager, Security Reference Monitor, NTFS and corresponding internal data structures driver, and finally, the control goes to the involved during file operations in kernel mode. low-level drivers, such as Disk Filter Driver Two examples of hijacking attacks on files will and Disk Class Driver. These are in charge of be given. Section 3 presents the details of access to the physical disk. The key features access control issues in the Windows OS ker- revealed by Korkin (2019) are that Security nel and shows how attackers can hijack the Reference Monitor checks access rights to the corresponding structure in order to escalate file for ZwCreateFile routine, while routines the process privileges. Section 4 contains the ZwReadFile, ZwWriteFile are uncontrolled details of adapting MemoryRanger to prevent by the Security Reference Monitor. Once a these attacks. file is created via calling ZwCreateFile, the Section 5 and Section 6 focus on the main OS creates a file handle, adds an entry to conclusions and further research directions the Handle Table, allocates file object, NTFS respectively. data, and other structures. The created file handle is returned to the caller and is used 2. TWO HIJACKING as a key to read and write the open file using ATTACKS ON THE FILES functions ZwReadFile and ZwWriteFile. The details of the control flow and internal data OPENED WITHOUT structures involved in read and write file op- SHARED ACCESS erations are given in Figure 2. Using a file handle, the OS traverses through the handle This section describes the internals of file op- table to acquire the file object. By reading erations in the Windows OS kernel: data file object fields the OS locates control block structures and correlations between them. structures (NTFS data structures) and moves Two given hijacking attacks make it possible to them. Disk drivers access the opened file to illegally read and overwrite the content of on a disk by using NTFS data structures.

Figure 1. The following attacks will be considered: attacks on ﬁles and a privilege escalation attack.

OS kernel treats read and write file access by 2.2 Handle Table Hijacking traversing through these structures without This section describes the details of the Ker- any checks by Security Reference Monitor. nel Handle Table and how attackers can hi- This vulnerability can be used to gain full il- jack its values to gain illegal access to the legal access to the files opened without shared files. access. To achieve it, intruders can create a Handle Table Basics The security issue file hijacker and patch any of the structures, with access to the files, locked by an applica- see Figure 2. As a result, all intruders’ access tion from another application is typical for attempts using the file hijacker handle will Windows OS. Sysnap (2011) describes the be redirected by the OS to the secret file, see details of illegal access to the locked file by Figure 3. This is the key point of all hijack- modifying the handle table, belonging to the ing attacks on files. Intruders can modify the application. The author’s approach is de- following data to change the control flow, the signed for the user-mode handles and process corresponding attacks are in brackets: for Windows XP and 2003. This section de- • handle table entries (Handle Table Hi- scribes how to adapt Sysnap’s idea of patch- jacking); ing the handle table for kernel case in the most recent Windows OS. A way for patching • file object (Hijacking FILE_OBJECT); handle table entries for user process in order to change handle access rights is implemented • NTFS data structures (Hijacking NTFS in Blackbone by DarthTon (2019-a). structures). The Kernel Handle Table is used by the Windows OS to store the mapping from the A File Object Hijacking attack was pre- handles to the corresponding object struc- sented by Korkin (2019). The next two sub- tures (Tanenbaum and Bos, 2014; Probert, sections will describe the details of Handle 2010; Schreiber, 2000). Using a handle, Hijacking and Hijacking NTFS structures. the OS traverses through Kernel Handle

Figure 2. OS subsystems and corresponding data structures involved during read and write ﬁle operations. (Russinovich, Solomon, and Ionescu, (2012), part2, pp 441).

Figure 3. An attacker creates a file hijacker and applies three different hijacking attacks: Handle Table Hijacking, Hijacking FILE_OBJECT structure, Hijacking NTFS structures, which are based on patching handle table entries, file object, and NTFS data structures.

Table to acquire the object. Exported lockHandleTableEntry (ReactOS, n.d.; WRK. symbol nt!ObpKernelHandleTable points to n.d.). The enumeration procedure returns a this table. The address of this table can bool value. To stop the enumeration the pro- also be gained by reading the field EPRO- cedure needs to return a TRUE value and CESS.ObjectTable for SYSTEM:4 process. as a result ExEnumHandleTable also returns Kernel Handle Table is involved each time a TRUE. To continue the enumeration, the driver reads and writes a file. This handle- procedure needs to return FALSE. Using Ex- based mechanism manipulates various ob- EnumHandleTable intruders can access the jects, such as files, processes, threads, or reg- handle table entry, which belongs to the file istry keys. The presented research is focused hijacker, and patch it. only on handles related to the file system, The Algorithm of Handle Table Hijacking but the achieved results can be applied to all The research reveals that during read and kernel objects as well. For each newly created write access OS traverses through the ker- file, the kernel handle table has an entry and nel handle table and acquires the file object, an index of each entry equals the returned without any checks. Attackers can use this handle value (Hale-Ligh, M. Case, A, Levy, vulnerability to gain illegal access to the ex- J., Walters, 2014). Each entry is defined clusively open file in this way: in a HANDLE_TABLE_ENTRY structure, 1. Reveal OBJECT_HEADER address of which includes access rights granted to the ob- the secret file. ject (field GrantedAccessBits) and the link to the created object (field ObjectPointerBits). 2. Create a file hijacker and locate a corre- The field ObjectPointerBits includes 44 low sponding entry in the handle table entry. bits of OBJECT_HEADER address, which can be used to gain the FILE_OBJECT ad- 3. Overwrite the ObjectPointerBits dress (Monnappa, 2018; CodeMachine, 2019). field in this entry using the OB- Tanenbaum and Bos (2014) found that “sys- JECT_HEADER address of the secret tem calls, like ZwReadFile and ZwWriteFile, file. use the kernel handle table created by the After this handle hijacking attack all read object manager to translate a handle into a and write access using a hijacked file handle referenced pointer on the underlying object, will be redirected to the secret file, see Figure such as a file object, which contains the data 4. that is needed to implement the system calls” This hijacking attack requires overwriting (pp 899). Handle table can have several levels, just 44 bits of dynamically allocated data, the number of levels and the number of en- which is enough to gain illegal access to the tries in each level depends on which Windows exclusively opened file. This redirection will version is being used (Suma, Dija, Thomas, be carried out by the Windows OS automat- 2014; Probert, 2010; Schreiber, 2000). Win- ically and transparently for the built-in se- dows OS provides a function ExEnumHan- curity features. On the one hand, intruders dleTable to enumerate all the valid handles can tamper with entries of the kernel han- in a handle table. ExEnumHandleTable spec- dle table in order to exploit the translation ifies an enumeration callback function, which mechanism, and on the other hand, Win- is called for each valid handle in the handle dows security features do not check the in- table (DarthTon, 2019-b; Treadwell, 1989). tegrity of this table and cannot reveal this The enumeration procedure needs to release attack. 2.3. Hijacking NTFS data struc- implicit locks for each handle via call ExUn- tures This section describes the details of the

Figure 4. The control ﬂow between ﬁles structures: a) before and b) after Handle Table Hijacking

attack called “Hijacking NTFS data struc- FILE_OBJECT fields point to, see Figure 4 tures”. This attack is an improvement of the b). FILE_OBJECT structure includes fields attack presented by Korkin (2019), which was FsContext and FsContext2, which point to based on Hijacking FILE_OBJECT. Let us the control block structures: FsContext mem- assume, that a security service continuously ber points to the File Control Block, FCB provides integrity and confidentiality for all (Stream Control Block, SCB) and FsContext2 FILE_OBJECT structures. As a result, only points to the Context Control Block, CCB. OS kernel has access to the FILE_OBJECT Each file stream is uniquely represented in structures, while access attempts from all memory by an FCB structure. CCB struc- other drivers are forbidden. In this new situ- ture is created by file system drivers to rep- ation, attackers cannot use FILE_OBJECT resent an open instance of a file stream (Na- hijacking attack and they need to prepare gar, 1997). This mechanism is deeply inte- a new attack. Attackers decide to organize grated into the Windows OS kernel and is a new lower level attack on control block very rarely updated. FsContext and FsCon- structures or NTFS data structures, which text2 represent the physical stream context

and the user handle stream context. FsCon- RESOURCE_NOT_OWNED (0x000000E3) text2, is used to point to the Channel Control bug check. Block or CCB (Miller, 1991; Probert, 2004). The Algorithm of Hijacking NTFS Let us move on to the details of FCB and data To implement Hijacking NTFS data CCB structures. These structures pointed structures, intruders have to locate the by FsContext and FsContext2 are only par- NTFS data structures, which correspond tially documented, but at the same time, the to the secret file and to the file hijacker, research has revealed the following details. and engage in the following three steps: The definition of the SCB, FCB and CCB for Step 1. Overwrite the content of attack- Windows NT 4.0 are in the file “ntfsstru.h” ers’ FSRTL_ADVANCED_FCB_HEADER (Microsoft, n.d.-a). The definition of these structure using the data from the FS- structures can also be found in file “cdstruc.h” RTL_ADVANCED_FCB_HEADER struc- from ReactOS (ReactOS, n.d.-a). These defi- ture, which belongs to the secret file. How- nitions can be used for understanding some ever, this overwriting is not enough, be- basic file principles because the structures cause Windows OS reveals that a malware are partially updated in the most recent Win- driver’s thread tries to release a resource dows. According to the MSDN file object’s it did not own and Windows OS causes FsContext member stores a pointer to the FS- BSOD with RESOURCE_NOT_OWNED RTL_ADVANCED_FCB_HEADER struc- bug check. To overcome this BSOD attack- ture, which uniquely identifies the file stream ers move to the second step. Step 2. Set to the file system (MSDN, 2018-a, MSDN, attackers’ thread ID gained by PsGetCur- 2018-b, MSDN, 2018-c). The research shows rentThread to the following fields in FS- that an appropriate target for this new attack RTL_ADVANCED_FCB_HEADER struc- is a FSRTL_ADVANCED_FCB_HEADER ture: structure, which FsContext fields from a FILE_OBJECT structure points to. In • Resource->OwnerEntry.OwnerThread; addition, the research has revealed that • PagingIoResource- fields FsContext and FsContext2 point to >OwnerEntry.OwnerThread. the contiguous memory blocks and, when using a hijacking attack, intruders can This patching helps malware copy and overwrite the content of these driver to overcome BSOD with RE- two structures simultaneously. Structures SOURCE_NOT_OWNED bug check. FSRTL_ADVANCED_FCB_HEADER are Windows OS kernel changes the content of not protected by the OS security features, FSRTL_ADVANCED_FCB_HEADER and their patching does not cause any kernel structure while returning the result of security check failure errors, such as BSOD. reading and writing to the driver and In a nutshell, Hijacking NTFS data struc- if attackers try to access the file using tures is based on locating internal file ob- previously modified structure the Windows ject structures from FsContent and FsCon- OS will cause BSOD again. If attackers tent2 fields, copying their content to the cor- want to access the secret file several times, responding memory areas pointed by the they move on to Step 3. Step 3. Repeat fields of file object hijacker and additional Step 1 and Step 2 before each read and patching. Without this patching during read write access attempt during every hijacking or write operation, the OS detects afore- attack. Attackers have to repeat Step 1 and mentioned copying and causes BSOD with Step 2 before each unauthorized read and

Page 8 © 2021 JDFSL JDFSL 2021 write access attempt, thus preventing the _TOKEN structure to determine whether or aforementioned BSOD. As a result, each not this access is allowed. Attackers apply time attackers read and write a file using various techniques to elevate privileges for a hijacked file handle, OS walks through the malware process (Chebbi, (2019). API- patching structure and provides illegal read based approach to steal tokens in Windows and write access to the secret file, without was proposed by Barta (2009). The author BSOD. leverages several kernel API routines, which makes it difficult to apply this approach via 3. TOKEN HIJACKING the malware payload. The ideas of applying direct kernel object manipulation (DKOM) ATTACK: WHAT AND to the process token in order to gain elevated HOW access were discussed by Hoglund and But- ler (2006) more than 10 years ago. On the The process privilege mechanism is crucial Black Hat USA 2004 for the first time, they for OS security. This section describes the proposed an idea of adding groups to To- process privileges mechanism and how it can ken structure using DKOM (Hoglund and be hijacked by modifying the content of dy- Butler, 2004). The authors’ idea is based namically allocated memory. For each newly on patching UserAndGroups array so that created process, Windows OS allocates a new the required high privileges will be enabled EPROCESS structure and adds it to the for the process. To prevent these manipula- list. This structure includes internal infor- tions Windows experts moved one step ahead mation about this process: its name and ID, and since Windows kernel 6.x several fields threads and handles details, etc. (Monnappa, such as SidHash and RestrictedSidHash have 2018; Tanenbaum and Bos, 2014). _TOKEN been added into the _TOKEN structure to structure describes the process access token, provide the integrity of this structure. OS which contains the security related informa- checks these hashes to ensure that the SID tion about the process: user’s and group SIDs, list is not patched. These new fields pre- process privileges, etc. (Hoglund and Butler, vent attackers from directly modifying the 2006). The _TOKEN structure is pointed by SID list. Perla and Oldani (2010, pp. 295) the field Object, which is located in Token underlined three alternatives to bypass this _EX_FAST_REF in _EPROCESS struc- security hash-based barricade. One of them ture, see Figure 6. Windows OS provides is token stealing or token swapping and it discretionary access control, which is gov- is based on overwriting the Object field in erned by two main parts (Ismail, Aboelseoud, the _EPROCESS structure from the mal- and Senousy, 2014; Johnson, 2015): ware process. This uses the value from the _EPROCESS structure corresponding to the • an access token associated with each pro- higher-privileged process, for example, SYS- cess; TEM:4 (Perla and Oldani, 2010, pp 305). • a security descriptor associated with However, newly updated Microsoft Windows each object, such as a file. Defender Antivirus detects such escalation by monitoring token-swapping attempts (Oh, According to the Russinovich (1998) and 2017; Singh, Kaplan, Feng, and Sanossian, Stallings (2002) each time a process tries 2019). Bui (2019) shows that access token to access the object; the Security Reference manipulation can be detected using auditpol, Monitor reads the SIDs and group SIDs from which is based on ETW, but this detection

Figure 5. The control ﬂow between ﬁles structures: a) before and b) after hijacking the NTFS control block structures, e.g. FSRTL_ADVANCED_FCB_HEADER

approach can also be tampered with due to The key feature is to completely copy the attacks on ETW. A New Token Hijacking At- UserAndGroups array with updated internal tack I propose a new Token Hijacking Attack, structure arrangement from the Token for which is a development of ideas of Hoglund higher privilege process, while Hoglund and and Butler (2006). In a nutshell, attackers Butler (2006) proposed to overwrite just a few need to escalate privileges so that the calcu- fields. During this attack copying UserAnd- lated SidHash value will be corrected and the GroupCount field and SidHash structure is integrity check will not reveal any changes. trivial because they have the same size while Attackers can achieve this by overwriting the copying a variable part pointed by UserAnd- following whole three fields using the corre- Groups is quite complicated. The number of sponding values from the Token structure entries in UserAndGroups and sizes of SID corresponding to the higher-privileged pro- structures are not the same for various process: cesses with different credentials, Figure 6. The following two facts make this attack pos- • UserAndGroupCount; sible. Firstly, this updating is more than enough to gain elevated privileges yet not • UserAndGroups array: Attributes and being detected by the OS. Secondly, TOKEN Sid structures; structure for common processes always has enough space, because a variable portion of • SidHash structure; _TOKEN structure for System:4 process is

Figure 6. The content of _EPROCESS and _TOKEN structures for SYSTEM:4 and malware processes: a) before and b) after Token Hijacking

less than the corresponding structure for a memory enclave. MemoryRanger updates the common one. This attack has been success- memory access restrictions for each enclave fully tested on the newest Windows 10 1903 in run-time, which makes it possible to pro- x64, the source code and demo in this paper tect sensitive memory areas. MemoryRanger (Korkin, 2020). can monitor access to the kernel-mode memory and redirect the illegal access to the fake 4. MEMORYRANGER page. PREVENTS KERNEL 4.1 MemoryRanger: Key HIJACKING components MemoryRanger has the following key compo- STRUCTURES nents: This section describes the details of how • A kernel-mode driver; the updated MemoryRanger hypervisor prevents hijacking attacks (Korkin, 2018; Korkin, • DdiMon; 2019). 4.0.1 MemoryRanger Overview • MemoryMonRWX; MemoryRanger is a hypervisor-based solution • Memory Access Policy (MAP). (a bare metal hypervisor), designed to provide All the details about MemoryRanger com- integrity and confidentiality for kernel-mode ponents are given by Korkin (2019). Memo- code and data. MemoryRanger leverages ryRanger does the following: Intel VT-x technology and Extended Page Tables (EPT). MemoryRanger protects ker- • registers a driver-supplied callback that nel memory by using isolated kernel enclaves is notified whenever a new process is with specified memory access restrictions. By created/deleted and an image is loaded; running kernel drivers in separate memory enclaves MemoryRanger protects kernel mem- • hooks kernel API by using DdiMon com- ory from being tampered with: ponent; • It prevents attacks on OS kernel code • restricts memory access even to a byte and data from newly loaded drivers; by using MemoryMonRWX;

• It protects the code and data of newly • provides dynamically updated access loaded drivers from the attacks from control rules using MAP. each other. 4.2 Main Updates of After loading, MemoryRanger allocates MemoryRanger to Block the default kernel enclave: OS kernel and New Hijacking Attacks all drivers loaded before are running inside this enclave. Newly loaded drivers are run- In order to prevent the newly presented ning in separate enclaves. MemoryRanger hijacking attacks, the following modiﬁca- traps the loading of each new driver and allo- tions have been added to the MemoryRanger. cates an isolated kernel enclave for this driver. MemoryRanger prevents Handle Hijacking Each newly loaded kernel driver is running and Hijacking NTFS data structures by do- only inside the corresponding allocated kernel ing the following:

• it hooks ZwCreateFile() and ZwClose by using file handle and the ExEnumHan- routines to locate the involved data dleTable routine. structures in memory; 4.4 Details of Prevention of • To prevent Handle Hijacking, it locates Hijacking NTFS data the HANDLE_TABLE_ENTRY struc- structures ture corresponding to the opened file using the ExEnumHandleTable routine; For Hijacking NTFS data structures intruders modify the control block structures • To prevent Hijacking NTFS (FSRTL_ADVANCED_FCB_HEADER), Data, it locates the FS- which correspond to the file hijacker. To pre- RTL_ADVANCED_FCB_HEADER vent this attack MemoryRanger implements structure using the pointers from a similar approach based on locating control FILE_OBJECT. block structures and restricting access to them. • MemoryRanger restricts access to the 4.5 Details of Prevention of structures in the corresponding enclaves. Token Hijacking To prevent Token Hijacking Memo- Token Hijacking Attack is tampering with ryRanger implements a new technique, which static and dynamic parts of _TOKEN struc- is based on allocating a special isolated en- tures, which results in local privilege esca- clave, which includes only sensitive kernel lation. To block Token Hijacking a special data, see Figure 7. The details of these isolated kernel enclave is allocated to host sen- prevention techniques are given below. The sitive data. This new enclave includes only source code of updated MemoryRanger, at- sensitive kernel data, such as _TOKEN struc- tacker, and allocator drivers as well as video tures, Windows kernel core (ntoskrnl.exe), demos are here (Korkin, 2020). and a limited number of trusted Windows 4.3 Details of Prevention of drivers. All other drivers will be excluded from this enclave, see Figure 7. This new Handle Hijacking Attack scheme isolates token structures from all Preventing Handle Hijacking requires a fine- drivers loaded after and even before Memo- grained approach. MemoryRanger prevents ryRanger without restricting the OS kernel. Handle Hijacking by blocking only write ac- MemoryRanger is notified about creating a cess to ObjHeader field, which has 6 bytes new process by registering a callback routine and corresponds to the file object header, see via call PsSetCreateProcessNotifyRoutineEx. Figure 7. Neither does MemoryRanger re- 4.6 Empirical Test Results strict read access for ObjHeader, nor does it prevent any access to other fields of this All these attacks and their prevention have entry, because they are used by the OS. In been successfully tested on Windows 10 1903 fact, some fields of these entries have to be x64, details are in (Korkin, 2020). accessed for write attempts due to synchro- 4.7 Performance Impact nization issues and their restriction causes BSOD. MemoryRanger is notified about cre- MemoryRanger causes affordable perfor- ating a new file by hooking ZwCreateFile mance degradation. Switching between ker- routine and next it locates handle table entry nel enclaves is the main problem of this per-

Figure 7. MemoryRanger prevents Handle Hijacking and Token Hijacking

formance degradation. Changing the EPT access to the memory transparently for the pointer causes the flushing of TLB and fur- OS kernel. MemoryRanger is protected from ther filling the TLB. Details about measur- kernel attacks, due to running in ring -1) ing the performance were given previously by Windows OS comprises a new technology Korkin (2018). I can conclude that Memo- called Virtual Secure Mode (VSM), which ryRanger is suitable to protect the rarely ac- is designed to maintain a secure Windows en- cessed safe areas. To avoid this degradation, vironment. VSM provides a particular case the new version will support VPID, which is of enclave-based protection with only two designed to meet this need. memory partitions called VTL0 and VTL1, while MemoryRanger implements a general 4.8 MemoryRanger vs. Virtual case with an infinite number of kernel en- Secure Mode claves. MemoryRanger has been tested using three (Korkin, 2019), four (Figure 7), and One of the global security challenges for mod- five separate enclaves (Korkin, 2018). ern operating systems is to prevent illegal access to the kernel data from drivers, while 5. CONCLUSION all drivers and OS share the same memory space. MemoryRanger is designed to To sum up I would like to highlight the fol- tackle this issue by isolating newly loaded lowing: drivers inside allocated separated memory 1. Windows OS kernel manipulates dynam- enclaves from the rest of the OS kernel. This ically allocated data, which can be tam- drivers’ isolation can prevent attacks from pered with by intruders during cyberat- kernel rootkits as well as providing exploit tacks. Windows security features pro- mitigation. MemoryRanger can be applied vide integrity only for limited memory to protect Unix-based systems running on areas, while others are becoming suscep- AMD and ARM CPUs. MemoryRanger in- tible. cludes a kernel driver, which allows it to trap and parse OS-related events. Using a hy- 2. Two new presented attacks on files: Han- pervisor component MemoryRanger restricts dle Hijacking and Hijacking NTFS struc-

tures make it possible to gain illegal ac- 6.1 Prevent patching of OS cess to the files opened in an exclusive Internal Structures by mode bypassing Security Reference Mon- Intel Memory Protection itor. Keys (MPK) 3. Hijacking Attack on NTFS data struc- Prakash, Venkataramani, Yin, and Lin (2013) tures has never been presented before. revealed the following examples of how attackers can patch the OS internal structures 4. A new Token Hijacking attack results in to gain ongoing and undetectable access to process privilege escalation via copying the target system: SID with their attributes as well as SID • Hackers can prevent a malicious pro- hashes from a higher privileges process. cess from terminating by changing This attack gains elevated privileges with the corresponding EPROCESS.Flags to the correct hash value. 0xFFFFFFFF value; 5. Updated MemoryRanger prevents at- • Hackers can make a file completely inac- tacks on files by running drivers inside cessible by changing the file name field isolated enclaves and restricting access in FILE_OBJECT to an empty string; to the corresponding data structures. • Hackers can hide a program from 6. To prevent Token Hijacking, updated the process list in the Task Manager MemoryRanger implements a new spe- by changing the corresponding EPRO- cial enclave, which includes only sensi- CESS.UniqueProcessId to 0. tive data and a part of the Windows OS Despite the fact that the results were checked kernel; all other drivers as well as newly on Windows XP, the similar principles can loaded ones are not able to tamper with be expanded on the most recent Windows this data. 10 and for more OS internal structures. A recently issued key-based permission control 7. All new attacks on files and tokens have called Intel Memory Protection Keys (MPK) been successfully tested on the most re- can be leveraged to maintain and enforce cent Windows 10 1903. Updated Memo- memory access permission. MPK has several ryRanger can prevent all mentioned hi- key benefits over the page-table mechanism jacking attacks. (Park, Lee et al. 2019).

8. Various cybersecurity solutions will ben- 6.2 MemoryRanger can do eﬁt from applying MemoryRanger. The Deep Inspection of source code and all demos are uploaded Memory Access here (Korkin, 2020). The current version of MemoryRanger checks access rights using only the address of the 6. FUTURE PLANS module, which implements this access. As a result, malware can gain illegal access to Updated MemoryRanger is a very promising sensitive data by exploiting any vulnerable project and the following future directions function in the trusted module. The idea is can be outlined. to verify the function call stack additionally

to check which sequence of functions leads drivers run in the kernel memory without any to access this sensitive memory area. This restrictions. MemoryRanger can be updated new check helps to inspect memory access a to run StopZilla’s driver in isolated enclaves bit deeper and prevent the mentioned attack. and prevent the overwriting of the sensitive Finally, intruders have to exploit not only the data, such as TOKEN structures. We cannot function which accesses sensitive data but reveal all vulnerabilities, but we can protect also the whole sequence of functions, which the sensitive data, which is usually the top is very difficult and time consuming. target of attacks by hackers. 6.3 MemoryRanger vs. 6.5 Isolated Enclave for the OS Mimikatz Scheduler: Unikernels One more advanced direction is to analyze Based Protection and prevent activities of Mimikatz, which The current version of MemoryRanger has an is an effective post-exploitation tool (Delpy, issue with the protection of data from being 2020). Mimikatz applies its driver to pro- tampered with by drivers loaded before it. vide various commands to play with kernel MemoryRanger protects rarely accessed data memory: with acceptable performance degradation, • read and write kernel-mode memory while protection of frequently accessed data from user-mode applications; causes significant performance degradation. To overcome this performance degradation • disable Protected Process Light (PPL) and protect sensitive OS kernel data, such mode; as EPROCESS structures from all drivers, MemoryRanger can allocate the following en- • duplicate process token; claves:

• set all privileges for a process. • the Scheduler enclave includes sensi- 6.4 MemoryRanger vs. tive OS structures, such as EPROCESS, ETHREAD etc., which are frequently Privilege Escalation by used by OS kernel scheduler. OS sched- using buggy StopZilla uler is located in this enclave. Likewise, driver this enclave contains ﬁle system drivers and their structures. As a result, this Security researchers have revealed that enclave includes a minimal list of drivers StopZilla AntiVirus Software includes a vul- and their structures. nerable driver, which can be used to elevate process privilege. For this attack hackers • the Default enclave contains all other need to have SeLoadDriverPrivilege to load drivers loaded before MemoryRanger. a vulnerable driver and launch the exploit This enclave excludes all OS internal to patch TOKEN structure. Ideas and de- data structures from the Scheduler en- tails of such attacks were discussed by Pierini clave, while drivers from the Default en- (2019) at Hack In Paris conference and by clave are excluded from the Scheduler Cocomazzi and Pierini (2020) at the HITB- enclave. SecConf2020. Protection of the OS kernel from vulnerable signed third-party drivers • the Data-Only enclave includes only sen- is a serious security problem, because these sitive data structures, which are rarely

accessed by the OS kernel drivers, such as Token structures.

• a new enclave is allocated for each newly loaded driver.

This scheme could help to isolate sensitive OS kernel data from being tampered by the drivers, loaded before the MemoryRanger. Another solution to this challenge is to load MemoryRanger at boot time; it can be solved by using UEFI hypervisor that supports booting an operating system (Tanda, 2020). 6.6 MemoryRanger and Hyper-V The current version of MemoryRanger does not support concurrent execution with Hyper- V, which is a Windows built-in hypervisor. This issue can be solved by installing Win- dows OS in a virtual CPU without VT- x/EPT support and further enabling VT- x/EPT support to run MemoryRanger. An- other way is to manually disable or uninstall Hyper V to run MemoryRanger. However, A. Eremeev (2020) implemented a bare-metal hypervisor with VT-x/EPT support, which works well with enabled Hyper-V. This ex- perience can be used to expand features of MemoryRanger.

REFERENCES bypass-disclosed-in-microsoft- patchguard-kpp/ [1] Barta, C. (2009). Access token stealing on Windows. Retrieved from [7] Cimpanu, C. (2020, February 7). Ran- https://docplayer.net/20917850- somware installs Gigabyte driver Access-token-stealing-on- to kill antivirus products. ZD- windows-csaba-barta.html Net. Retrieved from https://www. zdnet.com/article/ransomware- [2] Bisht, S. (2020). Understanding and installs-gigabyte-driver-to- Abusing Process Tokens — Part II. Re- kill-antivirus-products/ trieved from https://securitytimes. medium.com/understanding-and- [8] Cocomazzi, A. Pierini, A. (2020). abusing-access-tokens-part-ii- Windows Privilege Escalations: b9069f432962 Still Abusing Local Service Ac- counts to Get SYSTEM Privileges. [3] Bisson, D. (March 6, 2019). Fileless HITBSecConf2020, Amsterdam. Re- Malware Targeting Brazilian and Thai trieved from https://conference. Bank Customers With Multiple Threats. hitb.org/hitbsecconf2020ams/ Security Intelligence. Retrieved from sessions/windows-privilege- https://securityintelligence. escalations-still-abusing-local- com/news/fileless-malware- service-accounts-to-get-system- targeting-brazilian-and-thai- privileges/ bank-customers-with-multiple- threats/ [9] CodeMachine. (2019). Windows 7 Object Headers. Articles on Windows [4] Bui, J. (2019). Understanding and Internals, Programming, Security Defending Against Access Token Theft: and Debugging. Retrieved from Finding Alternatives to winlogon.exe. https://codemachine.com/article_ Retrieved from https://posts. objectheader.html specterops.io/understanding-and- defending-against-access-token- [10] DarthTon. (2019-a) Blackbone Win- theft-finding-alternatives-to- dows memory hacking library. Black- winlogon-exe-80696c8a73b bone source code. Retrieved from https: //github.com/DarthTon/Blackbone [5] Chebbi, C. (2019, April 24). Win- dows Kernel exploitation: Eleva- [11] DarthTon. (2019-b). BBGrantAccess tion of privilege (EoP) with Token function. Change handle granted stealing. Retrieved from https: access. Blackbone source code. Re- //www.peerlyst.com/posts/windows- trieved from https://github.com/ kernel-exploitation-elevation- DarthTon/Blackbone/blob/master/ of-privilege-eop-with-token- src/BlackBoneDrv/Routines.c stealing-chiheb-chebbi [12] Delpy, B. (2020). A little tool [6] Cimpanu, C. (2019, November to play with Windows secu- 22). New bypass disclosed in Mi- rity. Source Code of Mimikatz. crosoft PatchGuard (KPP). https: GitHub. Retrieved from https: //www.zdnet.com/article/new- //github.com/gentilkiwi/mimikatz

[13] Eremeev, A. (2020). The Kernel- Chapter 15. Securing Windows Objects. Bridge Framework. Windows kernel Massachusetts, US: Addison-Wesley Pro- hacking framework, driver tem- fessional. plate, hypervisor and API written on C++. Github. Retrieved from [20] Korkin, I. (2018, December 5-6). Divide https://github.com/HoShiMin/ et Impera: MemoryRanger Runs Kernel-Bridge/blob/master/Kernel- Drivers in Isolated Kernel Spaces. In Bridge/API/Hypervisor.cpp Proceedings of the BlackHat Europe Conference, London, UK. Retrieved [14] Hale-Ligh, M. Case, A, Levy, J., Walters, from https://www.blackhat.com/eu- A. (2014, July 28). The Art of Mem- 18/briefings/schedule/#divide- ory Forensics: Detecting Malware and et-impera-memoryranger-runs- Threats in Windows, Linux, and Mac drivers-in-isolated-kernel- Memory (1st ed.). Indianapolis, Indiana: spaces-12668 Wiley. [21] Korkin, I. (2019, May 15-16). [15] Harpaz, O. and Goldberg, D. (2019, May MemoryRanger Prevents Hijack- 29). The Nansh0u Campaign: Hackers ing FILE_OBJECT Structures in Arsenal Grows Stronger. Retrieved from Windows Kernel. Paper presented at https://www.guardicore.com/2019/ the Proceedings of the 14th annual 05/nansh0u-campaign-hackers- Conference on Digital Forensics, Secu- arsenal-grows-stronger/ rity and Law (CDFSL), Embry-Riddle [16] Hoglund, G., Butler. J. (2006). Rootk- Aeronautical University, Daytona its: Subverting the Windows Kernel (1st Beach, Florida, USA. Retrieved from https://commons.erau.edu/adfsl/ ed.). Token Privilege and Group Ele- 2019/paper-presentation/7/ vation with DKOM. New Jersey, US: Addison-Wesley Professional. [22] Korkin, I. (2020). MemoryRanger source [17] Ismail, M., A., Aboelseoud H., code. GitHub repository. Retrieved from Senousy, M., B. (2014). An Investiga- https://github.com/IgorKorkin/ tion into Access Control in Various MemoryRanger Types of Operating Systems. In- [23] Kremez, V. (May 13, 2019). Cyber- ternational Journal of Computer crime: Groups Behind “Banload” Applications. Retrieved from https: //pdfs.semanticscholar.org/6035/ Banking Malware Implement New d4420f6038aefc511d970fc630a41cf40df3. Techniques. Security Research. Sen- https:// pdf tinelLabs. Retrieved from labs.sentinelone.com/cybercrime- [18] Jesse, M. and Shkatov, M. (2019). banload-banking-malware-fraud/ Screwed Drivers – Signed, Sealed, Delivered. Retrieved from https:// [24] Microsoft. (2019). 2.3.1 NTSTATUS Val- eclypsium.com/2019/08/10/screwed- ues. Windows Protocols. Retrieved from drivers-signed-sealed-delivered/ https://docs.microsoft.com/en- us/openspecs/windows_protocols/ [19] Johnson, M. H. (2015, October 1). Win- ms-erref/596a1078-e883-4972- dows System Programming (4th ed.). 9bbc-49e60bebca55

[25] Microsoft. (n.d.-a). NTFS File System us/windows-hardware/drivers/ Data Structures. Microsoft Corpora- ddi/ntifs/ns-ntifs-\_fsrtl\ tion. Retrieved from https://github. _advanced\_fcb\_header com/ZoloZiak/WinNT4/blob/master/ private/ntos/cntfs/ntfsstru.h [32] Nagar, R. (1997). Windows NT File System Internals: A Developer’s Guide. [26] Miller, T. (1991, October 31). Publisher: O’Reilly Media. Portable Systems Group Caching Design Note. Revision 1.3. Copy- [33] O’Donnell, L. (2019, May 29). 50k right (c) Microsoft Corporation. Servers Infected with Cryptomining File: cache.doc. Retrieved from Win- Malware in Nansh0u Campaign. Re- dows_Research_Kernel(sources) trieved from https://threatpost. NT_Design_Workbook com/50k-servers-infected-with- Get_Workbook cryptomining-malware-in-nansh0u- campaign/145140/ [27] MITRE ATTCK. (2020). Access Token Manipulation. [34] Oh, M. (2017). Detecting and mitigating elevation-of-privilege exploit for [28] Monnappa, K. (2018). Learning Mal- CVE-2017-0005. Retrieved from https: ware Analysis: Explore the Concepts, //www.microsoft.com/security/ Tools, and Techniques to Analyze and blog/2017/03/27/detecting- Investigate Windows Malware (1st ed.), and-mitigating-elevation-of- Birmingham, United Kingdom: Packt privilege-exploit-for-cve-2017- Publishing. 0005/

[29] MSDN. (2018-a). FsRtlGetPerStream- [35] Park, S., Lee, S., Xu, W., Moon, H., ContextPointer Macro. Programming Kim, T. (2019). libmpk: Software Ab- reference for Windows Driver Kit. Re- straction for Intel Memory Protection trieved from https://docs.microsoft. Keys (Intel MPK). Id in the Proceed- com/en-us/windows-hardware/ ings of the 2019 USENIX Annual drivers/ddi/ntifs/nf-ntifs- Technical Conference. July 10–12, 2019 fsrtlgetperstreamcontextpointer • Renton, WA, USA. Retrieved from https://www.usenix.org/system/ [30] MSDN. (2018-b). FS- files/atc19-park-soyeon.pdf RTL_COMMON_FCB_HEADER structure. Programming reference for [36] Perla, E. and Oldani, M. (2010). A Windows Driver Kit. Retrieved from Guide to Kernel Exploitation: Attack- https://docs.microsoft.com/en- ing the Core (1st ed.). Massachusetts, us/windows-hardware/drivers/ddi/ US: Syngress. ntifs/ns-ntifs-\_fsrtl_common\ _fcb\_header q [37] Pierini, A. (2019). Whoami priv - show me your privileges and I will lead you [31] MSDN. (2018-c). FS- to SYSTEM. Hack in Paris. Retrieved RTL_ADVANCED_FCB_HEADER from https://hackinparis.com/ structure. Programming reference for archives/2019/#talk-2019-whoami- Windows Driver Kit. Retrieved from priv-show-me-your-privileges- https://docs.microsoft.com/en- and-i-will-lead-you-to-system

[38] Prakash, A., Venkataramani, E., Yin, [43] ReactOS. (n.d.). ExUnlockHan- H., Zhiqiang, L. (2013). Manipulat- dleTableEntry. ReactOS Kernel. ing Semantic Values in Kernel Data Retrieved from https://doxygen. Structures: Attack Assessments and reactos.org/de/d51/ntoskrnl_2ex_ Implications. 43rd Annual IEEE/I- 2handle_8c_source.html#l00887 FIP International Conference on Dependable Systems and Networks [44] ReactOS. (n.d.-a). CDFS File Sys- (DSN), Budapest. Retrieved from tem Data Structures. Microsoft http://web.cse.ohio-state.edu/ Corporation. Retrieved from ~lin.3021/file/DSN13.pdf https://doxygen.reactos.org/ de/dc7/cdstruc_8h.html [39] Probert, D. (2010). Windows Kernel Architecture Internals. MSRA/UR [45] Russinovich, M. (1998, March 31). Workshop – Beijing, China. Retrieved Windows NT Architecture, Part 2. from https://repo.zenk-security. ItProToday. Retrieved from https: com/Linux\%20et\%20systemes\%20d. //www.itprotoday.com/compute- exploitations/Windows\%20Kernel\ engines/windows-nt-architecture- %20Architecture\%20Internals.pdf part-2

[40] Probert, D. (2010). Windows Kernel [46] Russinovich, M., Solomon, D., and Architecture Internals. Retrieved Ionescu, A. (2012, September 25). Win- from https://repo.zenk-security. dows Internals (6th ed.). Parts 1 and 2. com/Linux\%20et\%20systemes\%20d. Redmond, Washington: Microsoft Press. exploitations/Windows\%20Kernel\ %20Architecture\%20Internals.pdf [47] Schreiber, S. B. (2000). Undocumented Windows 2000 Secrets. Object Han- [41] Probert, D. B. (2004). Windows Kernel dles. WINDOWS 2000 OBJECT Internals: Cache Manager. Windows MANAGEMENT. pp 411. Retrieved Kernel Development Microsoft Corpora- from http://users.du.se/~hjo/ tion. Retrieved from https://www.i.u- cs/common/books/Undocumented\ tokyo.ac.jp/edu/training/ss/ %20Windows\%202000\%20Secrets/ lecture/new-documents/Lectures/ sbs-w2k-7-windows-2000-object- 15-CacheManager/CacheManager.pdf management.pdf

[42] Rapaport, A. (2019, March 25). [48] Singh, A., Kaplan, D., Feng, C., and From alert to driver vulnerability: Sanossian, H. (2019). How Windows Microsoft Defender ATP investi- Defender Antivirus integrates hardware- gation unearths privilege escala- based system integrity for informed, tion ﬂaw. Retrieved from https: extensive endpoint protection. Retrieved //www.microsoft.com/security/ from https://www.microsoft.com/ blog/2019/03/25/from-alert-to- security/blog/2019/07/31/how- driver-vulnerability-microsoft- windows-defender-antivirus- defender-atp-investigation- integrates-hardware-based- unearths-privilege-escalation- system-integrity-for-informed- flaw/ extensive-endpoint-protection/

[49] Stallings, W. (2014). Operating Get_Workbook System Security. Computer Secu- execsupp.doc” rity Handbook edited by Bosworth, S., Kabay, M. E., Whyne, E, New [56] WRK. (n.d.). ExUnlockHan- Jersey: John Wiley Sons. Re- dleTableEntry. The Windows Re- trieved from http://index-of.co.uk/ search Kernel Retrieved from https: Networking/Computer\%20Security\ //github.com/Aekras1a/Labs/blob/ %20Handbook\%204th.pdf 9c9121da3fcc34f840a3f67e14fcc2a76d4aa053/ Labs/WRK/base/ntos/ex/handle.c [50] Suma, G. S., Dija, S., Thomas, K. L. [57] Yitbarek, S. F., and Austin, T. (2019). (2014). A Novel Methodology for Win- Neverland: Lightweight Hardware Ex- dows 7 x64 Memory Forensics. DOI: tensions for Enforcing Operating Sys- 10.1109/ICCIC.2014.7238400 tem Integrity. Retrieved from https: [51] Sysnap. (2011). Hijacking Kernel //arxiv.org/pdf/1905.05975.pdf Handle. 0tutorials: Unpacking Tuto- rials, Programming Tutorials, Kernel Tutorials, Reverse Engineering Tutorials Retrieved from http://0tutorials. blogspot.com/2011/08/hijacking- kernel-handle.html

[52] Tanda, S. (2020). The research UEFI hypervisor that supports booting an operating system. Retrieved from https:// github.com/tandasat/MiniVisorPkg

[53] Tanenbaum, A. and Bos., H. (2014, March 20). Modern Operating Systems (4th ed.). New Jersey: Pearson Prentice- Hal.

[54] Tango. (2018, January 14). A Light on Windows 10’s “OBJECT_HEADER- >TypeIndex”. Retrieved from https: //medium.com/@ashabdalhalim/a- light-on-windows-10s-objectheader-typeindex-value- e8f907e7073a

[55] Treadwell, D. (1989). Windows NT Executive Support Routines Speciﬁ- cation. Manage Object Handles and Handle Tables. Retrieved from “Win- dows_Research_Kernel(sources) NT_Design_Workbook