Informative Information for the Uninformed
Pointer Based Signatures

Using a memory signature which is a valid pointer to some common object or static data is a very appealing signature to use for detection because of its reliability; however, it is also an easy signature to bypass. The following demonstrates the most simplistic method of bypassing the OBJECT_HEADER->Type signature this paper uses as a generic object memory signature. This is possible because the OBJECT_TYPE is just an allocated structure of fairly stable data: a copy of it is as "valid" as the original to any check that only inspects the data, while the pointer itself no longer matches the well-known type object. Many pointer based signatures with similar static characteristics are open to the same attack.
NTSTATUS
KillObjectTypeSignature(
    IN PVOID Object
    )
{
    PVOID          pDummyObject;
    POBJECT_HEADER pHdr;

    // Locate the object header that precedes the object body.
    pHdr = OBJECT_TO_OBJECT_HEADER( Object );

    // Allocate a private copy of the OBJECT_TYPE structure.
    pDummyObject = ExAllocatePool( NonPagedPool, sizeof(OBJECT_TYPE) );
    if ( pDummyObject == NULL )
        return STATUS_INSUFFICIENT_RESOURCES;

    // Duplicate the original type data and point the header at the copy,
    // so Type no longer equals the well-known type pointer a scanner keys on.
    RtlCopyMemory( pDummyObject, pHdr->Type, sizeof(OBJECT_TYPE) );
    pHdr->Type = pDummyObject;

    return STATUS_SUCCESS;
}
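As an added illustration (not code from the article or from the Uninformed project), the following user-mode model shows the effect of the type-cloning trick on two kinds of scanner over a constructed pool of objects: a scanner that compares OBJECT_HEADER->Type against the registered type pointer, which is the signature the article shows being bypassed, and a scanner that dereferences Type and compares the stable contents instead. The second scanner, and the "content matches but pointer does not" tamper flag it enables, go beyond what the article describes and are assumptions about how a hardened scanner could respond; the structure layouts, names and the sample pool are simplified stand-ins, not the real Windows definitions.

```c
/* Added model, not code from the Uninformed article. Structures are
 * simplified stand-ins for OBJECT_TYPE / OBJECT_HEADER, not real layouts. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <stdbool.h>

#define POOL_OBJECTS 4

typedef struct MODEL_OBJECT_TYPE {
    unsigned long Magic;      /* stands in for the stable fields of OBJECT_TYPE */
    char          Name[16];
} MODEL_OBJECT_TYPE;

typedef struct MODEL_OBJECT_HEADER {
    MODEL_OBJECT_TYPE *Type;  /* analogue of OBJECT_HEADER->Type */
    unsigned long      Pid;
} MODEL_OBJECT_HEADER;

typedef struct SCAN_RESULT {
    int PointerHits;  /* objects found by pointer equality with the registered type */
    int ContentHits;  /* objects found by comparing the pointed-to type data */
    int Tampered;     /* content matches whose Type pointer is not the registered one */
} SCAN_RESULT;

/* The single registered process type, playing the role of *PsProcessType. */
static MODEL_OBJECT_TYPE g_ProcessType = { 0x50726F63UL, "Process" };

/* Constructed sample pool of four process objects (hypothetical data). */
static MODEL_OBJECT_HEADER g_Pool[POOL_OBJECTS];

static void InitPool(void)
{
    for (int i = 0; i < POOL_OBJECTS; i++) {
        g_Pool[i].Type = &g_ProcessType;
        g_Pool[i].Pid  = 4UL * (unsigned long)(i + 1);
    }
}

/* Model of the article's KillObjectTypeSignature: copy the type data and
 * repoint the header at the private copy. */
static void CloneTypePointer(MODEL_OBJECT_HEADER *hdr)
{
    MODEL_OBJECT_TYPE *dup = malloc(sizeof *dup);
    if (dup == NULL)
        return;
    memcpy(dup, hdr->Type, sizeof *dup);
    hdr->Type = dup;
}

/* Scanner A: the pointer-equality signature the article shows being bypassed. */
static bool PointerSignatureMatches(const MODEL_OBJECT_HEADER *hdr)
{
    return hdr->Type == &g_ProcessType;
}

/* Scanner B (assumed hardening): dereference Type and compare its stable contents. */
static bool ContentSignatureMatches(const MODEL_OBJECT_HEADER *hdr)
{
    return hdr->Type != NULL
        && hdr->Type->Magic == g_ProcessType.Magic
        && strcmp(hdr->Type->Name, g_ProcessType.Name) == 0;
}

/* Scan the pool with both signatures; cloneIndex < 0 means no object is tampered. */
SCAN_RESULT RunScan(int cloneIndex)
{
    SCAN_RESULT r = { 0, 0, 0 };
    bool tampered = cloneIndex >= 0 && cloneIndex < POOL_OBJECTS;

    InitPool();
    if (tampered)
        CloneTypePointer(&g_Pool[cloneIndex]);

    for (int i = 0; i < POOL_OBJECTS; i++) {
        bool byPtr     = PointerSignatureMatches(&g_Pool[i]);
        bool byContent = ContentSignatureMatches(&g_Pool[i]);
        r.PointerHits += byPtr ? 1 : 0;
        r.ContentHits += byContent ? 1 : 0;
        /* A type that looks right but is not the registered one is itself an artifact. */
        if (byContent && !byPtr)
            r.Tampered++;
    }

    if (tampered && g_Pool[cloneIndex].Type != &g_ProcessType)
        free(g_Pool[cloneIndex].Type);
    return r;
}

int main(void)
{
    SCAN_RESULT clean = RunScan(-1), evaded = RunScan(2);
    printf("clean:  ptr=%d content=%d tampered=%d\n",
           clean.PointerHits, clean.ContentHits, clean.Tampered);
    printf("cloned: ptr=%d content=%d tampered=%d\n",
           evaded.PointerHits, evaded.ContentHits, evaded.Tampered);
    return 0;
}
```

With the untouched pool both scanners report four processes. After the clone the pointer-equality scanner reports three and silently misses the tampered object, while the content comparison still finds all four and, because one of its matches no longer points at the registered type, can raise that object as anomalous rather than merely losing it.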