A forum for reverse engineering, OS internals and malware analysis 

 #31358  by igorkorkin
 Thu Mar 22, 2018 7:52 am
Hi all,

I'm looking for a kernel-mode driver which accesses (modifies or reads) the content of allocated memory that was previously allocated by a legitimate driver. I'm considering the following case: a legitimate driver allocates memory with the ExAllocatePoolWithTag routine, and a malware driver accesses that data illegally.

The thing is that the security features in Win 10 cannot prevent this illicit access.

I've proposed the following three scenarios, and I need a real malware sample for them:

1) A malware driver patches system structures allocated by the Windows kernel (ntoskrnl.exe), for example to change process privileges, without hiding it.

2) A malware driver patches memory allocated by a third-party driver that controls large machines (SCADA, CNC, etc.). As a result, an intruder can send false control commands to the unit or false notifications to the user.

3) A malware driver reads and writes the content of allocated memory that holds crypto keys or ciphertext. As a result, an intruder can overwrite the crypto keys with zeros and steal the plaintext.

I came up with all of these scenarios myself. Have you heard of any real examples of them?

Any information about this type of malware/APT/rootkit would be very helpful to me. Related papers or researchers' thoughts are also very welcome.

These examples will be used in a paper; the draft is here: https://sites.google.com/site/igorkorki ... ects=0&d=1. The paper has been accepted to the conference, but some revision is required.

Thank you!