Monday, August 21, 2006

Attacking Host-based Intrusion Prevention Systems

Few days ago Thomas emailed me a document about Attacking HIPS. (thanks thomas)
the document written by Eugene Tsyrklevich from . It is a very interesting article and covers some interesting attacking methods to bypass HIPS. Here is a list of the attacks related to my HIPS:

  1. Using Symbolic Links to bypass filters
    NG is actually protected against this kind of attack as it is designed to completely resolve all names before checking them against filters

  2. Using Service Control Manager (SCM) to install drivers or something
    NG detects all requests to SCM and check them against service & driver creation/modification settings/filter and can allow or deny them

  3. ZwLoadDriver()
    This one is also already protected by NG.

  4. Using ZwSetSystemInformation's SystemLoadAndCallImage & SystemLoadImage to load drivers
    I'm currently working on protecting NG's users from this kind of attack (takes some time)

  5. Inject code by directly modifying the kernel memory (\Device\PhysicalMemory)
    NG is not protected against this attack, I will work on this one after zwsetsysinfo one, it takes little time.

  6. If a trusted system process is still allowed to load kernel drivers, use DLL injection to inject userland code into the trusted process and then load a malicious kernel driver
    NG protect processes against DLL injection.

  7. Modify an existing kernel driver in disk
    It is also possible against NG protection, I'll work on it in the next few days.
I think thats enough description about attacks,
I'll work on them and report back.

document link:

No comments: