Attack Method: Physical Memory Modification
Description: Physical memory modification can be achieved in two basic ways: by code running in kernel mode (such as drivers), or by user-mode programs that open the \device\physicalmemory object. Both methods bypass the security checks that apply to the Windows OpenProcess() API function, since neither goes through it. ProcessGuard allows you to protect against both of these powerful attacks.
Example: A tool called SDTRestore runs in user mode and writes to physical memory through the \device\physicalmemory object, allowing it to remove kernel-mode hooks and so bypass security software. With ProcessGuard running on the system and the "Protect Physical Memory" option enabled, it is unable to open the memory device.
Solution: To protect against physical memory attacks, all you need to do is check the "Protect Physical Memory" checkbox. To protect against kernel-mode code you need to ensure malicious drivers aren't installed. This too is easily accomplished: simply select "Block Rootkit/Driver/Service Installation".

Related websites:
Phrack: Playing with Windows /dev/(k)mem
Zone-h: Disabling Sebek Win32 Client by Direct Service Table Restoration
SIG^2: Vulnerability Research Advisory
LURHQ: Berbew/Webber/Padodor Trojan Analysis
Copyright © 2008, Diamond Computer Systems Pty. Ltd. All rights reserved.