With reports of a new data-leak site published by actors behind the BlackByte ransomware, we decided to take another look at the most recent variant written in Go. We found a sophisticated technique to bypass security products by abusing a known vulnerability in the legitimate vulnerable driver RTCore64.sys. The evasion technique supports disabling a whopping list of over 1,000 drivers on which security products rely to provide protection. Sophos products provide mitigations against the tactics discussed in this article.

“Bring Your Own Driver” is the name given to this technique - exploiting a targeted system by abusing a legitimate signed driver with an exploitable vulnerability. In July 2022, Trend Micro reported on the abuse of a vulnerable anti-cheat driver for the game Genshin Impact, named mhyprot2.sys, to kill antivirus processes and services for mass-deploying ransomware. In May 2022, another report showcased how an AvosLocker ransomware variant likewise abused the vulnerable Avast anti-rootkit driver aswarpot.sys to bypass security features.

Now that the actors behind BlackByte ransomware and this sophisticated technique are back from a brief hiatus, chances are good that they will continue abusing legitimate drivers to bypass security products. To help the industry proactively prevent such attacks, we share our findings in this report.

RTCore64.sys and RTCore32.sys are drivers used by Micro-Star’s MSI AfterBurner 4.8, a widely used graphics card overclocking utility that gives extended control over graphics cards on the system. CVE-2019-16098 allows an authenticated user to read and write to arbitrary memory, which could be exploited for privilege escalation, code execution under high privileges, or information disclosure.

The I/O control codes in RTCore64.sys are directly accessible by user-mode processes. As stated by Microsoft’s guideline on securing IOCTL codes in drivers, defining IOCTL codes that allow callers to read or write nonspecific areas of kernel memory is considered dangerous. No shellcode or exploit is required to abuse the vulnerability - just accessing these control codes with malicious intent.

Figure 1: Unprotected control codes in RTCore64.sys allowing read and write operations to kernel memory

Later in this article, we will explain how BlackByte abuses this vulnerability to disable security products.

Kernel Notify Routines are used by loaded drivers to be notified by the kernel of system activity. Some of these notified system activities include:

- Whether a thread is created, registered via PsSetCreateThreadNotifyRoutine.
- Whether a process is created, registered via PsSetCreateProcessNotifyRoutine.
- Whether an image is loaded, registered via PsSetLoadImageNotifyRoutine.

When a callback function is registered, the address of the callback function is added to an array. For example, the array containing all registered callbacks via PsSetCreateProcessNotifyRoutine is called PspCreateProcessNotifyRoutine.

To envision this, imagine a process A.EXE, which tries to create a new process B.EXE. A.EXE will notify the Windows kernel NTOSKRNL.EXE that a new process should be created. The Windows kernel will assign a new process ID to the soon-to-be-created process, but will not allow executing the user-mode code of B.EXE yet. Process B.EXE stays in a suspended state first. If a driver has registered a callback via PsSetCreateProcessNotifyRoutine, the kernel will hand over control and execute the registered driver callback function. After the driver routine is finished, control will be transferred back to the kernel, allowing the user-mode code to continue. This entire process is illustrated below.

Figure 2: How Kernel Notify Routines work at a high level

These routines are often used by drivers related to security products to collect information about system activity. One goal of an attacker might be to remove these callbacks from kernel memory. However, modern OS mitigations like Driver Signature Enforcement mean that attackers cannot simply load their own rootkit or driver onto the target system to read from or write to kernel memory. In order to bypass this security feature, the attacker has the following options:

- Steal valid code signing certificates or acquire them anonymously.
- Abuse existing signed drivers to read, write, or execute code in kernel memory.

The easier option is the second one, as there is a wide range of legitimate drivers available and blacklisting all of them is simply not possible. Hence, the “Bring Your Own Driver” technique has been abused often in the past by adversaries.
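Because the technique depends on a legitimately signed driver being loaded, the defender's detection point is the driver load itself. The following triage of Sysmon "Driver loaded" (Event ID 6) records is an added example, not code from Sophos or from the article; the sample event, its path and its hash values are constructed placeholders, and a real deployment would take the blocklist hashes from a trusted vulnerable-driver list rather than the placeholder set below.

```python
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
# Drivers the article names as abused in BYOVD attacks. A filename alone is a
# weak signal (attackers rename files), so hashes are matched as well.
KNOWN_VULN_NAMES = {"rtcore64.sys", "rtcore32.sys", "mhyprot2.sys", "aswarpot.sys"}
KNOWN_VULN_SHA256 = {"PLACEHOLDER_SHA256_OF_RTCORE64"}  # constructed placeholder

# Constructed Sysmon Event ID 6 record (not a real capture).
SAMPLE_EVENT = """<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System><EventID>6</EventID></System>
<EventData>
<Data Name="ImageLoaded">C:\\Users\\Public\\RTCore64.sys</Data>
<Data Name="Hashes">SHA256=PLACEHOLDER_SHA256_OF_RTCORE64,MD5=PLACEHOLDER_MD5</Data>
<Data Name="Signed">true</Data>
<Data Name="SignatureStatus">Valid</Data>
</EventData></Event>"""

def parse_driver_load(xml_text):
    """Return the EventData of a Sysmon Event ID 6 record as a dict, else None."""
    root = ET.fromstring(xml_text)
    event_id = root.find("e:System/e:EventID", NS)
    if event_id is None or event_id.text != "6":
        return None
    return {d.get("Name"): d.text or "" for d in root.findall("e:EventData/e:Data", NS)}

def split_hashes(field):
    """Split Sysmon's 'SHA256=...,MD5=...' Hashes field into a dict."""
    return dict(p.split("=", 1) for p in field.split(",") if "=" in p)

def triage(xml_text):
    """Return the reasons an analyst should look at this driver load ([] if none)."""
    data = parse_driver_load(xml_text)
    if data is None:
        return []
    reasons = []
    image = data.get("ImageLoaded", "")
    name = image.rsplit("\\", 1)[-1].lower()
    if name in KNOWN_VULN_NAMES:
        reasons.append(f"known vulnerable driver name: {name}")
    if split_hashes(data.get("Hashes", "")).get("SHA256") in KNOWN_VULN_SHA256:
        reasons.append("SHA256 is on the vulnerable-driver blocklist")
    # BYOVD relies on a validly signed driver, so "Valid" is not reassuring,
    # but anything else still deserves a look.
    if data.get("SignatureStatus") != "Valid":
        reasons.append(f"signature status: {data.get('SignatureStatus', 'unknown')}")
    if not image.lower().startswith("c:\\windows\\system32\\drivers\\"):
        reasons.append(f"loaded from outside the drivers directory: {image}")
    return reasons
```

Note that a valid Authenticode signature is deliberately not treated as a clean verdict: a validly signed, known-vulnerable driver is exactly what this technique loads.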