Sample of kernel-mode malware, which modifies allocated memory in kernel

Forum for analysis and discussion about malware.
igorkorkin
Posts: 1
Joined: Thu Mar 22, 2018 7:50 am

Post by igorkorkin » Thu Mar 22, 2018 7:52 am

Hi all,

I'm looking for a kernel-mode driver which accesses (modifies or reads) the content of allocated memory, where that memory was allocated earlier by a legitimate driver. I'm considering the case where a legitimate driver allocates memory with the ExAllocatePoolWithTag routine and a malware driver accesses that data illegally.

The thing is that the security features in Windows 10 cannot prevent this illicit access.

I've proposed the following three scenarios, and I need a real malware sample for them:

1) A malware driver patches system structures allocated by the Windows kernel (ntoskrnl.exe), for example to change process privileges, without hiding it.

2) A malware driver patches allocated memory used by a third-party driver to control large machines (SCADA, CNC, etc.). As a result, an intruder can send false control commands to the unit or false notifications to the user.

3) A malware driver reads and writes the content of allocated memory which holds crypto keys or ciphertext. As a result, an intruder can overwrite the crypto keys with zeros and steal the plaintext.

I came up with all these scenarios myself. Have you heard of any real examples of them?

Any information about this type of malware/APT/rootkit will work well for me. Related papers or researchers' thoughts are also very welcome.

These examples will be used in a paper; the draft is here: https://sites.google.com/site/igorkorki ... ects=0&d=1. The paper has been accepted to a conference, but some revision is required.

Thank you!
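
The following is an added example, not code from the original post or from the paper it refers to. It models scenario 3 (an out-of-band writer zeroing a key buffer) and the kind of integrity check a defender can layer on top of a pool allocation. It is plain user-mode C so that it runs anywhere: `guarded_alloc_tagged` is a hypothetical stand-in for ExAllocatePoolWithTag, the FNV-1a checksum is an assumption chosen for brevity, the `'KeyB'` and `'Proc'` tags and the 16-byte key are constructed sample data, and the "malware" path is simply a raw write through a pointer to the same memory, which is exactly what a driver with unrestricted kernel or physical memory access gets.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical model of a tagged pool allocation with an integrity seal.
 * Layout, names and the checksum are assumptions made for this example. */
typedef struct {
    uint32_t tag;       /* 4-char pool tag stored as a little-endian uint32 */
    size_t   length;    /* payload size in bytes */
    uint64_t checksum;  /* FNV-1a over the payload at the last seal */
    uint8_t  data[];    /* payload (flexible array member) */
} guarded_alloc;

/* 64-bit FNV-1a; fast and good enough to detect accidental or naive tampering. */
static uint64_t fnv1a64(const uint8_t *p, size_t n) {
    uint64_t h = 1469598103934665603ULL;
    for (size_t i = 0; i < n; i++) { h ^= p[i]; h *= 1099511628211ULL; }
    return h;
}

/* Stand-in for ExAllocatePoolWithTag: allocate, zero, tag and seal. */
guarded_alloc *guarded_alloc_tagged(size_t length, uint32_t tag) {
    guarded_alloc *a = calloc(1, sizeof *a + length);
    if (!a) return NULL;
    a->tag = tag;
    a->length = length;
    a->checksum = fnv1a64(a->data, length);
    return a;
}

/* The owning driver re-seals after every legitimate write. */
void guarded_seal(guarded_alloc *a) {
    a->checksum = fnv1a64(a->data, a->length);
}

/* 1 if the payload matches the last seal, 0 if it was changed behind the
 * owner's back (e.g. by another driver with raw kernel/physical memory R/W). */
int guarded_verify(const guarded_alloc *a) {
    return fnv1a64(a->data, a->length) == a->checksum;
}

/* Periodic scan over a list of guarded allocations; returns how many failed
 * verification and copies their tags into bad_tags (up to max entries). */
size_t guarded_scan(guarded_alloc *const *list, size_t n,
                    uint32_t *bad_tags, size_t max) {
    size_t bad = 0;
    for (size_t i = 0; i < n; i++) {
        if (!guarded_verify(list[i])) {
            if (bad < max) bad_tags[bad] = list[i]->tag;
            bad++;
        }
    }
    return bad;
}

/* Scenario 3 from the post: a foreign writer zeroes the key buffer.
 * Returns 1 when the check passes before tampering and fails after it. */
int demo_key_zeroing_detected(void) {
    static const uint8_t key[16] = {          /* constructed sample key */
        0x2b, 0x7e, 0x15, 0x16, 0x28, 0xae, 0xd2, 0xa6,
        0xab, 0xf7, 0x15, 0x88, 0x09, 0xcf, 0x4f, 0x3c };
    guarded_alloc *k = guarded_alloc_tagged(sizeof key, 0x4279654BU /* 'KeyB' */);
    if (!k) return 0;
    memcpy(k->data, key, sizeof key);
    guarded_seal(k);                          /* legitimate write, re-sealed */
    int before = guarded_verify(k);
    memset(k->data, 0, k->length);            /* "malware": raw write, no seal */
    int after = guarded_verify(k);
    free(k);
    return before == 1 && after == 0;
}

/* Scenario 1 flavour: three allocations, two patched out of band.
 * Returns the number of allocations the scan reports as tampered. */
size_t demo_periodic_scan(void) {
    guarded_alloc *list[3];
    uint32_t tags[3] = { 0x4279654BU /* 'KeyB' */, 0x636F7250U /* 'Proc' */,
                         0x636F7250U /* 'Proc' */ };
    for (int i = 0; i < 3; i++) list[i] = guarded_alloc_tagged(32, tags[i]);
    list[0]->data[0] = 0xff;                  /* patched without re-seal */
    list[2]->data[8] = 0x01;                  /* e.g. a privilege bit flipped */
    uint32_t bad[3];
    size_t n = guarded_scan(list, 3, bad, 3);
    for (int i = 0; i < 3; i++) free(list[i]);
    return n;
}

int main(void) {
    printf("key zeroing detected: %d\n", demo_key_zeroing_detected());
    printf("tampered allocations: %zu\n", demo_periodic_scan());
    return 0;
}
```

The caveat a practitioner will raise immediately: this detects, it does not prevent, and an intruder with the kind of unrestricted kernel or physical memory R/W the thread is about can recompute and rewrite the seal as easily as the payload. A checksum of this sort only buys something if the seal lives in memory the writer cannot reach, which is the gap the original post says Windows 10's own features do not close here.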

EP_X0FF
Global Moderator
Posts: 4782
Joined: Sun Mar 07, 2010 5:35 am
Location: Russian Federation

Re: Sample of kernel-mode malware, which modifies allocated memory in kernel

Post by EP_X0FF » Fri Mar 23, 2018 8:55 am

The CPU-Z driver, version 1.41 and below, can do everything you listed because it allows R/W access to physical memory.
Ring0 - the source of inspiration
