Many of us love to play games, and as offensive security engineers, we also want to learn about how game studios are dealing with cheaters. We have observed that cheaters have used vulnerable graphic drivers to bypass anti-cheat mechanisms from several gaming cheating forums. In some cases, the cheaters tried to install vulnerable driver versions onto their computers, then exploited the vulnerability to read and write the game process's memory with the kernel privileges.
Instantly, we thought, why don't we apply this to bypass the security products or endpoint security solutions? So, we have started to research and present what we have learned in this article.
In this research, our goal is to read LSASS.exe memory from userland. We experimented against Kaspersky Total Security (KTS), one of the top security products currently. KTS has its self-defense mechanism, and it also has a strict behavior and memory monitoring mode. This article doesn't demonstrate any vulnerabilities in any Kaspersky products or imply anything to Kaspersky. Researchers can apply this technique to disable most AV products today. In essence, this is not really a weakness of AVs. This is a common weakness. We only used Kaspersky as an example to highlight that common weakness.
Typically you are blocked by KTS if you use ReadProcessMemory to read LSASS.exe memory in userland. Our idea is to find a vulnerable driver and then install it. Through the vulnerability of the installed driver, we can read and write to physical memory. Then, we develop a shellcode to read any process memory in kernel context and make it available to user context.
