the document written by Eugene Tsyrklevich from SecurityArchitects.com. It is a very interesting article and covers some interesting attack methods to bypass HIPS. Here is a list of the attacks related to my HIPS:
- Using Symbolic Links to bypass filters
NG is actually protected against this kind of attack as it is designed to completely resolve all names before checking them against filters
- Using Service Control Manager (SCM) to install drivers or something
NG detects all requests to SCM and checks them against the service & driver creation/modification settings/filter and can allow or deny them.
This one is also already protected by NG.
- Using ZwSetSystemInformation's SystemLoadAndCallImage & SystemLoadImage to load drivers
I'm currently working on protecting NG's users from this kind of attack (takes some time)
- Inject code by directly modifying the kernel memory (\Device\PhysicalMemory)
NG is not protected against this attack. I will work on this one after the ZwSetSystemInformation one; it takes little time.
- If a trusted system process is still allowed to load kernel drivers, use DLL injection to inject userland code into the trusted process and then load a malicious kernel driver
NG protects processes against DLL injection.
- Modify an existing kernel driver on disk
This is also possible against NG's protection; I'll work on it in the next few days.
I'll work on them and report back.
document link: http://www.blackhat.com/presentations/
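The first item above (symbolic links defeating a path filter) comes down to one design decision: check the literal name the caller supplied, or resolve it to its canonical form first. The following is an added illustration, not code from the post or from the NG product. It builds a small constructed sandbox (a protected directory plus a symlink that aliases it) and runs the same access request through a naive filter and through a resolving filter; it uses POSIX symlinks and `os.path.realpath` to show the principle, while Windows names (junctions, `\??\` object-manager paths) are not modelled here. The function names are this example's own.

```python
import os
import shutil
import tempfile


def build_sandbox():
    """Constructed layout: <root>/protected/config.sys and <root>/alias -> protected."""
    root = tempfile.mkdtemp(prefix="hips_demo_")
    protected = os.path.join(root, "protected")
    os.makedirs(protected)
    with open(os.path.join(protected, "config.sys"), "w") as f:
        f.write("protected content\n")
    alias = os.path.join(root, "alias")
    os.symlink(protected, alias)  # the alias is the indirection a filter must see through
    return root, protected, alias


def naive_filter_allows(path, protected_prefix):
    """Bypassable design: compares the literal, unresolved name against the filter."""
    return not path.startswith(protected_prefix + os.sep)


def resolving_filter_allows(path, protected_prefix):
    """Resolving design: canonicalise both the request and the filter entry first,
    so symlinks, '..' segments and duplicate separators are all collapsed before
    the comparison (this is the behaviour the post attributes to NG)."""
    real_path = os.path.realpath(path)
    real_prefix = os.path.realpath(protected_prefix)
    inside = real_path == real_prefix or real_path.startswith(real_prefix + os.sep)
    return not inside


def demo():
    """Returns the verdict of each filter for an access that goes through the alias,
    plus the naive filter's verdict for a direct (non-aliased) access as a baseline."""
    root, protected, alias = build_sandbox()
    try:
        via_alias = os.path.join(alias, "config.sys")
        direct = os.path.join(protected, "config.sys")
        return {
            "naive_via_alias": naive_filter_allows(via_alias, protected),        # True: bypassed
            "resolving_via_alias": resolving_filter_allows(via_alias, protected),  # False: blocked
            "naive_direct": naive_filter_allows(direct, protected),              # False: blocked
        }
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    for name, allowed in demo().items():
        print(f"{name}: {'ALLOW' if allowed else 'DENY'}")
```

The baseline row shows the naive filter is not wrong for direct accesses; it only fails when the name is an alias, which is exactly why resolution has to happen before, not after, the filter comparison. A real kernel-side implementation would resolve the full object-manager name rather than call into the C runtime, but the ordering constraint is the same.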