Uninformed: Informative Information for the Uninformed

Vol 4» 2006.Jun

N-Depth Pointer Validation

As demonstrated in the previous section, pointer-based signatures are effective, but in some cases they are trivial to bypass. The following code performs what this paper refers to as N-depth pointer validation: rather than testing a single pointer, it follows the chain from an assumed object to its OBJECT_TYPE and on to that type object's own OBJECT_TYPE, producing a more complex and potentially more difficult to bypass signature. The example is nevertheless evadable using the same principle of relocation shown above.

The algorithm assumes a given address is an executive object and attempts validation by performing the following steps:

  1. Calculates an assumed OBJECT_HEADER
  2. Assumes pObjectHeader->Type is an OBJECT_TYPE
  3. Calculates an assumed OBJECT_HEADER for the OBJECT_TYPE
  4. Assumes pObjectHeader->Type is nt!ObpTypeObjectType
  5. Validates pTypeObject->TypeInfo.DeleteProcedure == nt!ObpDeleteObjectType

BOOLEAN ValidateNDepthPtrSignature (
    IN  PVOID           Address,
    IN  VALIDATE_ADDR   pValidate
    )
{
    POBJECT_HEADER  pHdr;
    POBJECT_TYPE    pTypeObject;

    // Step 1: assume Address is an object body and locate its header
    pHdr = OBJECT_TO_OBJECT_HEADER( Address );

    if( ! pValidate(pHdr) || ! pValidate(&pHdr->Type) ) return FALSE;

    // Step 2: assume this is the OBJECT_TYPE for this assumed object
    pTypeObject = pHdr->Type;

    // Step 3: OBJECT_TYPE's have headers too
    pHdr = OBJECT_TO_OBJECT_HEADER( pTypeObject );

    if( ! pValidate(pHdr) || ! pValidate(&pHdr->Type) ) return FALSE;

    // Step 4: OBJECT_TYPE's have an OBJECT_TYPE of nt!ObpTypeObjectType
    pTypeObject = pHdr->Type;

    if( ! pValidate(&pTypeObject->TypeInfo.DeleteProcedure) ) return FALSE;

    // Step 5: \ObjectTypes\Type has a DeleteProcedure of nt!ObpDeleteObjectType.
    // ObpDeleteObjectType is not an exported symbol; its address has to be
    // resolved (e.g. from symbols) before the scan and compared against here.
    if( pTypeObject->TypeInfo.DeleteProcedure
            != ObpDeleteObjectType ) return FALSE;

    return TRUE;
}
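The five-step check above, and the relocation evasion the section says still defeats it, modelled in user-mode C. This is an added example and not code from the paper: OBJECT_HEADER and OBJECT_TYPE are simplified 16-byte stand-ins (real kernel layouts differ), the pool page, its objects and the ObpDeleteObjectType / PsProcessType stand-in functions are constructed, and the two-stage relocation (copy the process type; then also copy the type-type object and point its DeleteProcedure at a trampoline with identical behaviour) is one assumed realisation of the relocation principle referred to above. It shows why the deeper chain still catches a relocated PsProcessType, and why a relocation that reaches nt!ObpTypeObjectType breaks the final comparison while leaving the hidden object functional.

```c
/* Added example, not code from the GREPEXEC paper: user-mode model of N-depth
 * pointer validation over a fake pool page, plus relocation-based evasion.
 * Structures are simplified 16-byte stand-ins; all offsets/objects are constructed. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>
typedef void (*DELETE_PROC)(void *Object);
typedef bool (*VALIDATE_ADDR)(const void *Address);

typedef struct _OBJECT_TYPE {
    struct { DELETE_PROC DeleteProcedure; } TypeInfo;
    uint8_t Pad[16 - sizeof(void *)];   /* keep the model 16 bytes on 32- and 64-bit */
} OBJECT_TYPE, *POBJECT_TYPE;
typedef struct _OBJECT_HEADER {
    POBJECT_TYPE Type;                  /* points at the type object's body */
    uint8_t Pad[16 - sizeof(void *)];
} OBJECT_HEADER, *POBJECT_HEADER;
_Static_assert(sizeof(OBJECT_HEADER) == 16 && sizeof(OBJECT_TYPE) == 16, "16-byte slots");
/* uintptr_t arithmetic so stepping back from a bogus Type pointer (e.g. NULL) is not UB */
#define OBJECT_TO_OBJECT_HEADER(o) \
    ((POBJECT_HEADER)((uintptr_t)(o) - sizeof(OBJECT_HEADER)))

#define POOL_SIZE 0x400
static _Alignas(16) uint8_t pool[POOL_SIZE];   /* constructed, zero-filled pool page */
#define TYPE_TYPE_BODY 0x010   /* stand-in for nt!ObpTypeObjectType's body */
#define PROC_TYPE_BODY 0x050   /* stand-in for nt!PsProcessType's body */
#define PROC1_BODY     0x090
#define PROC2_BODY     0x0D0   /* the object the rootkit wants to hide */
#define EVIL_TYPE_TYPE 0x210   /* rootkit's relocated copy of the type-type object */
#define EVIL_PROC_TYPE 0x250   /* rootkit's relocated copy of the process type */

static int real_delete_calls;
static void ObpDeleteObjectType(void *Object) { (void)Object; real_delete_calls++; }
static void PspProcessDelete(void *Object)    { (void)Object; }
/* Same behaviour as ObpDeleteObjectType, different address: defeats step 5 */
static void EvilDeleteTrampoline(void *Object) { ObpDeleteObjectType(Object); }

static bool InPool(const void *Address) {
    uintptr_t a = (uintptr_t)Address, base = (uintptr_t)pool;
    return a >= base && a + sizeof(void *) <= base + POOL_SIZE;
}
static void *P(size_t off) { return pool + off; }
/* Header sits sizeof(OBJECT_HEADER) bytes before the body it describes */
static void PlaceObject(size_t body, size_t type_body) {
    OBJECT_TO_OBJECT_HEADER(P(body))->Type = (POBJECT_TYPE)P(type_body);
}
static void PlaceType(size_t body, size_t type_body, DELETE_PROC del) {
    PlaceObject(body, type_body);
    ((POBJECT_TYPE)P(body))->TypeInfo.DeleteProcedure = del;
}

void BuildPool(void) {
    memset(pool, 0, sizeof pool);
    PlaceType(TYPE_TYPE_BODY, TYPE_TYPE_BODY, ObpDeleteObjectType); /* its own type */
    PlaceType(PROC_TYPE_BODY, TYPE_TYPE_BODY, PspProcessDelete);
    PlaceObject(PROC1_BODY, PROC_TYPE_BODY);
    PlaceObject(PROC2_BODY, PROC_TYPE_BODY);
}

/* The paper's five steps, transcribed against the model */
bool ValidateNDepthPtrSignature(void *Address, VALIDATE_ADDR pValidate) {
    POBJECT_HEADER pHdr = OBJECT_TO_OBJECT_HEADER(Address);
    POBJECT_TYPE pTypeObject;
    if (!pValidate(pHdr) || !pValidate(&pHdr->Type)) return false;
    pTypeObject = pHdr->Type;                       /* assumed OBJECT_TYPE */
    pHdr = OBJECT_TO_OBJECT_HEADER(pTypeObject);    /* type objects have headers too */
    if (!pValidate(pHdr) || !pValidate(&pHdr->Type)) return false;
    pTypeObject = pHdr->Type;                       /* assumed ObpTypeObjectType */
    if (!pValidate(&pTypeObject->TypeInfo.DeleteProcedure)) return false;
    return pTypeObject->TypeInfo.DeleteProcedure == ObpDeleteObjectType;
}

/* Walk the page at header alignment; count candidate bodies that pass */
int ScanPool(void) {
    int hits = 0;
    for (size_t off = 16; off + 16 <= POOL_SIZE; off += 16)
        hits += ValidateNDepthPtrSignature(P(off), InPool);
    return hits;
}

/* Evasion 1: relocate only the process type. Beats a `Type == PsProcessType`
 * signature, but the copy's header still leads to the genuine type-type object. */
void HideShallow(void) {
    memcpy(P(EVIL_PROC_TYPE - 16), P(PROC_TYPE_BODY - 16), 32);
    PlaceObject(PROC2_BODY, EVIL_PROC_TYPE);
}
/* Evasion 2: relocate the type-type object as well and give the copy a
 * DeleteProcedure that is not ObpDeleteObjectType, so step 5 fails. */
void HideDeep(void) {
    HideShallow();
    memcpy(P(EVIL_TYPE_TYPE - 16), P(TYPE_TYPE_BODY - 16), 32);
    PlaceType(EVIL_TYPE_TYPE, EVIL_TYPE_TYPE, EvilDeleteTrampoline);
    PlaceObject(EVIL_PROC_TYPE, EVIL_TYPE_TYPE);
}
/* What the kernel would do on type teardown: follow the real pointers and call through */
void DeleteTypeOf(size_t body) {
    POBJECT_TYPE type = OBJECT_TO_OBJECT_HEADER(P(body))->Type;
    OBJECT_TO_OBJECT_HEADER(type)->Type->TypeInfo.DeleteProcedure(type);
}
```

Calling BuildPool() then ScanPool() reports four executive objects (the two type objects and both processes). After HideShallow() the count rises to five, because the relocated process type is itself a well-formed object and PROC2 still validates through it; this is exactly the case the N-depth chain was meant to catch. After HideDeep() the count drops to three: PROC2, its copied type and the copied type-type all fail at step 5, yet DeleteTypeOf(PROC2_BODY) still reaches ObpDeleteObjectType through the trampoline, so the hidden object keeps working. The scanner's only anchor is the DeleteProcedure comparison at the end of the chain; once an attacker can relocate that object too, the signature needs a different root of trust.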