N-Depth Pointer Validation
As demonstrated in the previous section, pointer-based signatures are effective. However, in some cases they may be trivial to bypass. The following code demonstrates what this paper refers to as N-depth pointer validation: instead of checking a single pointer, it follows a chain of pointers through the object manager's own bookkeeping structures, producing a more complex, and potentially more difficult to bypass, signature. Since the signature still rests on a final pointer equality, the example is nevertheless evadable using the same principle of relocation shown above.
The algorithm assumes a given address is an executive object and attempts validation by performing the following steps, checking that each address is safe to read before dereferencing it:
- Calculates the assumed OBJECT_HEADER for the address
- Assumes pObjectHeader->Type is an OBJECT_TYPE
- Calculates the assumed OBJECT_HEADER for that OBJECT_TYPE
- Assumes this second header's Type is nt!ObpTypeObjectType, the type object \ObjectTypes\Type
- Validates that pTypeObject->TypeInfo.DeleteProcedure == nt!ObpDeleteObjectType
BOOLEAN ValidateNDepthPtrSignature (
    IN PVOID Address,
    IN VALIDATE_ADDR pValidate   // returns TRUE if the address is safe to read
    )
{
    POBJECT_TYPE   pTypeObject;
    POBJECT_HEADER pHdr;

    // Depth 1: treat Address as an object body and locate its header
    pHdr = OBJECT_TO_OBJECT_HEADER( Address );
    if( ! pValidate(pHdr) || ! pValidate(&pHdr->Type) ) return FALSE;

    // Assume this is the OBJECT_TYPE for this assumed object
    pTypeObject = pHdr->Type;

    // Depth 2: OBJECT_TYPE's have headers too
    pHdr = OBJECT_TO_OBJECT_HEADER( pTypeObject );
    if( ! pValidate(pHdr) || ! pValidate(&pHdr->Type) ) return FALSE;

    // Depth 3: OBJECT_TYPE's have an OBJECT_TYPE of nt!ObpTypeObjectType
    pTypeObject = pHdr->Type;
    if( ! pValidate(&pTypeObject->TypeInfo.DeleteProcedure) ) return FALSE;

    // \ObjectTypes\Type has a DeleteProcedure of nt!ObpDeleteObjectType.
    // nt!ObpDeleteObjectType is debugger symbol notation for a routine the
    // kernel does not export; its address has to be resolved (for example
    // from symbols) before this comparison can be made.
    if( pTypeObject->TypeInfo.DeleteProcedure
        != nt!ObpDeleteObjectType ) return FALSE;

    return TRUE;
}
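To make the walk concrete, the following is an added example, not code from the paper, that models the pieces the validator touches in user-mode C: a simulated pool, minimal OBJECT_HEADER and OBJECT_TYPE layouts holding only the fields the algorithm reads, stand-ins for nt!ObpTypeObjectType and nt!ObpDeleteObjectType, and an address-validity callback that trusts only the simulated pool. The structure layouts, the pool, IsPoolAddress, MakeJunkObject, RelocateTypeChain and the trampoline routine are all assumptions made for illustration; real object-manager layouts differ by Windows build. It runs the signature against a genuine object, against a pool allocation filled with self-referential pointers, and against an object whose type chain has been relocated in the way the text describes.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

typedef int BOOLEAN; enum { FALSE = 0, TRUE = 1 };

/* ASSUMED, simplified object-manager layouts: only the fields the
 * validator touches exist. Real layouts differ by Windows build. */
typedef struct _OBJECT_TYPE OBJECT_TYPE, *POBJECT_TYPE;
typedef void (*DELETE_PROCEDURE)(void *Object);
struct _OBJECT_TYPE {
    char Name[16];
    struct { DELETE_PROCEDURE DeleteProcedure; } TypeInfo;
};
typedef struct _OBJECT_HEADER {
    POBJECT_TYPE Type;   /* the OBJECT_TYPE this object belongs to   */
    uint8_t Body[];      /* the executive object follows its header  */
} OBJECT_HEADER, *POBJECT_HEADER;
#define OBJECT_TO_OBJECT_HEADER(o) \
    ((POBJECT_HEADER)((uint8_t *)(o) - offsetof(OBJECT_HEADER, Body)))
typedef BOOLEAN (*VALIDATE_ADDR)(void *Address);

/* Simulated kernel pool (bump allocator). The validity callback
 * trusts only addresses inside the part handed out so far. */
static uint64_t PoolStorage[512];
#define Pool ((uint8_t *)PoolStorage)
static size_t PoolUsed;

static BOOLEAN IsPoolAddress(void *Address)
{
    uint8_t *p = Address;
    return p >= Pool && p + sizeof(void *) <= Pool + PoolUsed;
}

static void *ObCreateObject(POBJECT_TYPE Type, size_t BodySize)
{
    size_t need = (offsetof(OBJECT_HEADER, Body) + BodySize + 7) & ~(size_t)7;
    if (PoolUsed + need > sizeof PoolStorage) return NULL;
    POBJECT_HEADER hdr = (POBJECT_HEADER)(Pool + PoolUsed);
    PoolUsed += need;
    hdr->Type = Type;
    return hdr->Body;
}

/* Stand-ins for nt!ObpDeleteObjectType and the \ObjectTypes\Type object. */
static void ObpDeleteObjectType(void *Object) { (void)Object; }
static POBJECT_TYPE ObpTypeObjectType;

static POBJECT_TYPE CreateType(POBJECT_TYPE TypeOfType, const char *Name, DELETE_PROCEDURE Delete)
{
    POBJECT_TYPE t = ObCreateObject(TypeOfType, sizeof *t);
    snprintf(t->Name, sizeof t->Name, "%s", Name);
    t->TypeInfo.DeleteProcedure = Delete;
    return t;
}

/* The signature from the text, with nt!ObpDeleteObjectType resolved to the model's routine. */
BOOLEAN ValidateNDepthPtrSignature(void *Address, VALIDATE_ADDR pValidate)
{
    POBJECT_HEADER pHdr = OBJECT_TO_OBJECT_HEADER(Address);
    if (!pValidate(pHdr) || !pValidate(&pHdr->Type)) return FALSE;
    POBJECT_TYPE pTypeObject = pHdr->Type;        /* assumed OBJECT_TYPE            */
    pHdr = OBJECT_TO_OBJECT_HEADER(pTypeObject);  /* OBJECT_TYPEs have headers too  */
    if (!pValidate(pHdr) || !pValidate(&pHdr->Type)) return FALSE;
    pTypeObject = pHdr->Type;                     /* assumed ObpTypeObjectType      */
    if (!pValidate(&pTypeObject->TypeInfo.DeleteProcedure)) return FALSE;
    return pTypeObject->TypeInfo.DeleteProcedure == ObpDeleteObjectType;
}

/* Valid pool bytes that are not an object: every slot points at the allocation itself. */
static void *MakeJunkObject(void)
{
    void **body = ObCreateObject(NULL, 8 * sizeof(void *));
    for (int i = 0; i < 8; i++) body[i] = body;
    OBJECT_TO_OBJECT_HEADER(body)->Type = (POBJECT_TYPE)body;
    return body;
}

/* Trampoline standing in for a relocated copy of the delete routine. */
static void RelocatedDeleteObjectType(void *Object) { ObpDeleteObjectType(Object); }

/* Relocation evasion (assumed mechanics): copy the object's type and the
 * \ObjectTypes\Type object, point the copies at each other and at the
 * trampoline, then hang the hidden object off the copies. Behaviour is
 * preserved, but the final pointer equality in the signature no longer holds. */
static void RelocateTypeChain(void *Object)
{
    POBJECT_HEADER hdr = OBJECT_TO_OBJECT_HEADER(Object);
    POBJECT_TYPE typeCopy = CreateType(NULL, hdr->Type->Name, hdr->Type->TypeInfo.DeleteProcedure);
    POBJECT_TYPE typeOfTypeCopy = CreateType(NULL, ObpTypeObjectType->Name, RelocatedDeleteObjectType);
    OBJECT_TO_OBJECT_HEADER(typeOfTypeCopy)->Type = typeOfTypeCopy;
    OBJECT_TO_OBJECT_HEADER(typeCopy)->Type = typeOfTypeCopy;
    hdr->Type = typeCopy;
}

/* Builds the model and returns the verdict for one scenario:
 * 0 genuine process object, 1 junk allocation, 2 relocated (hidden) object. */
BOOLEAN Verdict(int Scenario)
{
    if (Scenario < 0 || Scenario > 2) return FALSE;
    memset(PoolStorage, 0, sizeof PoolStorage);
    PoolUsed = 0;
    ObpTypeObjectType = CreateType(NULL, "Type", ObpDeleteObjectType);
    OBJECT_TO_OBJECT_HEADER(ObpTypeObjectType)->Type = ObpTypeObjectType; /* Type's type is itself */
    POBJECT_TYPE processType = CreateType(ObpTypeObjectType, "Process", NULL);
    void *objects[3];
    objects[0] = ObCreateObject(processType, 128);
    objects[1] = MakeJunkObject();
    objects[2] = ObCreateObject(processType, 128);
    RelocateTypeChain(objects[2]);
    return ValidateNDepthPtrSignature(objects[Scenario], IsPoolAddress);
}
```

Only the genuine object matches. The junk allocation is instructive in its own right: because every slot points back into the same valid allocation it passes all three address-validity checks and is rejected only by the final comparison, so address validity alone never identifies an object. The relocated object fails the same comparison for the attacker's benefit: the scan simply no longer sees it, which is the evasion the text refers to.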