# MemoryRanger **Repository Path**: AbstractFactory/MemoryRanger ## Basic Information - **Project Name**: MemoryRanger - **Description**: This hypervisor isolates the memory of protected drivers using separate EPT structures for each of them - **Primary Language**: Unknown - **License**: Not specified - **Default Branch**: master - **Homepage**: None - **GVP Project**: No ## Statistics - **Stars**: 0 - **Forks**: 0 - **Created**: 2020-03-14 - **Last Updated**: 2020-12-19 ## Categories & Tags **Categories**: Uncategorized **Tags**: None ## README # MemoryRanger MemoryRanger hypervisor moves newly loaded drivers into isolated kernel spaces by using VT-x and EPT. MemoryRanger has been presented at Black Hat Europe 2018 and CDFSL 2019. MemoryRanger runs driver inside separate enclaves to protect the following kernel-mode areas: - allocated data, drivers code, and EPROCESS.token fields (BlackHat 2018); - FILE_OBJECT structures (CDFSL 2019). ## MemoryRanger at the CDFSL 2019: * demonstration of illegal access to an exclusive open file via FILE_OBJECT hijacking; * prevention of FILE_OBJECT hijacking; * paper, slides, demos are [here](https://igorkorkin.blogspot.com/2019/04/memoryranger-prevents-hijacking.html). [![The Hijacking Attack](https://img.youtube.com/vi/2mU85RluOSA/mqdefault.jpg)](https://www.youtube.com/watch?v=2mU85RluOSA&index=1&list=PL0Aerbf3kwUKlHszFlcIFivmslRl4xmhB) [![The Attack Prevention](https://img.youtube.com/vi/8ONmC5Do4I4/mqdefault.jpg)](https://www.youtube.com/watch?v=8ONmC5Do4I4&index=2&list=PL0Aerbf3kwUKlHszFlcIFivmslRl4xmhB) ## MemoryRanger at the Black Hat Europe 2018 ![alt text](https://github.com/IgorKorkin/MemoryRanger/blob/master/before_and_after_memoryranger.png) * demonstration of illegal access to allocated data, drivers code, and EPROCESS.token field; * protection of the dynamically allocated data; * preventing newly loaded drivers to escalate process priviledges; * paper, slides, demos are [here](https://igorkorkin.blogspot.com/2018/12/divide-et-impera-memoryranger-runs.html). [![The Attack](https://img.youtube.com/vi/HNxc-tjy3QA/mqdefault.jpg)](https://www.youtube.com/watch?v=HNxc-tjy3QA&index=1&list=PL0Aerbf3kwULpVhoHyjMUeUFLwnvur5iu) [![The Attack Prevention](https://img.youtube.com/vi/vrm9cgn5DsU/mqdefault.jpg)](https://www.youtube.com/watch?v=vrm9cgn5DsU&index=2&list=PL0Aerbf3kwULpVhoHyjMUeUFLwnvur5iu) ## Details MemoryRanger hypervisor is based on these projects: - [MemoryMonRWX](https://github.com/tandasat/MemoryMon/tree/rwe_cdfs) by [Satoshi Tanda](https://twitter.com/standa_t); - [DdiMon](https://github.com/tandasat/DdiMon) by [Satoshi Tanda](https://twitter.com/standa_t); - [AllMemPro](https://github.com/IgorKorkin/AllMemPro).