MemoryRanger hypervisor moves newly loaded drivers into isolated kernel spaces by using VT-x and EPT. MemoryRanger has been presented at Black Hat Europe 2018 and CDFSL 2019. MemoryRanger runs each driver inside a separate enclave to protect the following kernel-mode areas:
- allocated data, driver code, and EPROCESS.token fields (Black Hat 2018);
- FILE_OBJECT structures (CDFSL 2019).

Protection of FILE_OBJECT structures (CDFSL 2019):
  - demonstration of illegal access to an exclusively opened file via FILE_OBJECT hijacking;
  - prevention of FILE_OBJECT hijacking;
  - paper, slides, demos are here.

Protection of allocated data, driver code, and EPROCESS.token fields (Black Hat 2018):
  - demonstration of illegal access to allocated data, driver code, and the EPROCESS.token field;
  - protection of dynamically allocated data;
  - preventing newly loaded drivers from escalating process privileges;
  - paper, slides, demos are here.
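To make the per-driver isolation concrete, here is an added model (example code written for this page, not MemoryRanger's own source) of the policy the two protections above enforce: every loaded driver gets its own EPT view of guest-physical memory, pages a driver allocates (its pool data, the FILE_OBJECT of a file it opened) are mapped only in that driver's EPT, a driver's code page is executable only from its own enclave, and a sensitive OS page such as the one holding EPROCESS.token is read-only for drivers. Any access a driver's EPT does not grant is an EPT violation handled by the hypervisor. Page numbers, enclave ids and the `hv_*` functions are constructed for the model; the real handling of OS-kernel accesses to driver memory is more involved and is simplified here to "only the owner sees the page".

```c
/* Model of MemoryRanger-style driver isolation with one EPT per driver.
 * Added example, not the project's code; pages and enclave ids are constructed. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MAX_ENCLAVES 4
#define MAX_PAGES    64
#define PERM_R 1u
#define PERM_W 2u
#define PERM_X 4u
#define OS_ENCLAVE 0   /* enclave 0 is the OS kernel running under the default EPT */

typedef struct {
    uint8_t perm[MAX_ENCLAVES][MAX_PAGES]; /* perm[e][p]: rights enclave e's EPT grants on page p */
    uint8_t tmpl[MAX_PAGES];               /* rights a driver loaded from now on gets on page p */
    int     n_enclaves;
    int     violations;                    /* EPT violations the hypervisor has trapped */
} hv_t;

void hv_init(hv_t *hv) {
    memset(hv, 0, sizeof *hv);
    hv->n_enclaves = 1;
    /* ordinary OS memory: fully accessible from the OS and from any driver */
    memset(hv->perm[OS_ENCLAVE], PERM_R | PERM_W | PERM_X, MAX_PAGES);
    memset(hv->tmpl, PERM_R | PERM_W | PERM_X, MAX_PAGES);
}

/* Give page p to enclave e exclusively: only e's EPT keeps rights on it (model simplification). */
void hv_own(hv_t *hv, int e, int p, uint8_t rights) {
    for (int i = 0; i < hv->n_enclaves; i++)
        hv->perm[i][p] = (i == e) ? rights : 0;
    hv->tmpl[p] = 0;   /* drivers loaded later never see it either */
}

/* Sensitive OS structure (e.g. the page holding EPROCESS.token): drivers may read it,
 * only the OS may write it (a simplification of the real policy). */
void hv_protect_os_page(hv_t *hv, int p) {
    for (int i = 1; i < hv->n_enclaves; i++)
        hv->perm[i][p] = PERM_R;
    hv->tmpl[p] = PERM_R;
}

/* A driver is loaded: it gets a fresh EPT built from the current template, and its
 * code page becomes readable/executable by that driver only. Returns the enclave id. */
int hv_load_driver(hv_t *hv, int code_page) {
    if (hv->n_enclaves >= MAX_ENCLAVES) return -1;
    int e = hv->n_enclaves++;
    memcpy(hv->perm[e], hv->tmpl, MAX_PAGES);
    hv_own(hv, e, code_page, PERM_R | PERM_X);
    return e;
}

/* Memory access by enclave e: 1 if its EPT grants the rights, 0 on an EPT violation. */
int hv_access(hv_t *hv, int e, int p, uint8_t want) {
    if (e < 0 || e >= hv->n_enclaves || p < 0 || p >= MAX_PAGES) return 0;
    if ((hv->perm[e][p] & want) == want) return 1;
    hv->violations++;   /* the hypervisor's EPT-violation handler would block the access here */
    return 0;
}

/* Scenario: driver A loads, allocates a buffer and opens a file; driver B loads afterwards.
 * Returns 1 if every expected allow/deny decision holds. */
int run_scenario(hv_t *hv) {
    hv_init(hv);
    hv_protect_os_page(hv, 10);                 /* constructed: page holding EPROCESS.token */
    int a = hv_load_driver(hv, 20);             /* driver A's code page */
    hv_own(hv, a, 30, PERM_R | PERM_W);         /* A's allocated pool data */
    hv_own(hv, a, 31, PERM_R | PERM_W);         /* FILE_OBJECT of the file A opened exclusively */
    int b = hv_load_driver(hv, 40);             /* driver B, loaded after A */
    int ok = 1;
    ok &=  hv_access(hv, a, 30, PERM_W);        /* A uses its own buffer */
    ok &=  hv_access(hv, a, 10, PERM_R);        /* A may read the token page */
    ok &= !hv_access(hv, b, 10, PERM_W);        /* B cannot rewrite the token */
    ok &= !hv_access(hv, b, 30, PERM_R);        /* B cannot read A's data */
    ok &= !hv_access(hv, b, 31, PERM_R);        /* B cannot reach A's FILE_OBJECT */
    ok &= !hv_access(hv, b, 20, PERM_W);        /* B cannot patch A's code */
    ok &=  hv_access(hv, b, 40, PERM_X);        /* B executes its own code */
    return ok;
}

int main(void) {
    hv_t hv;
    int ok = run_scenario(&hv);
    printf("policy holds: %s, EPT violations trapped: %d\n", ok ? "yes" : "no", hv.violations);
    return ok ? 0 : 1;
}
```

The scenario yields four trapped EPT violations, one for each cross-enclave access by driver B, while every access a driver makes to its own pages (and its read of the token page) passes. The order of loading matters in the same way it does for MemoryRanger: pages owned before B loads are already absent from the template B's EPT is built from, so a newly loaded driver starts with no rights on other drivers' memory.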
MemoryRanger hypervisor is based on these projects: