Informative Information for the Uninformed | ||||||||||||||
|
||||||||||||||
Next: Minor Functional Differences Between
Up: Attacks (and Counter-Attacks) on
Previous: Use of Hardware Breakpoints
Main Process Image Module Base Address RestrictionAn attacker seeking to execute the Lockdown module in an untrusted process would need to bypass the restrictions on the base address of the main process image. The most likely approach to this would be a combination attack, whereby the attacker would use something like a set of hardware breakpoints to alter the hardcoded restrictions on module base addresses, and import table or code patch style hooks on the GetModuleHandleA API in order to defeat the secondary check on the module base address for the main executable image. Another approach would be to simply create the main executable image as a process, suspended, and then either create a new thread in the process or assume control of the initial thread in order to execute the Lockdown module. This gets the would-be attacker out of having to patch checks in the module, as there is currently no defense against this case implemented in the module. In order to strengthen this protection mechanism, the following approaches could be taken:
|