Many of us love to
play games, and as offensive security engineers, we also want to learn about
how game studios are dealing with cheaters. We have observed that cheaters have
used vulnerable graphic drivers to bypass anti-cheat mechanisms from several
gaming cheating forums. In some cases, the cheaters tried to install vulnerable
driver versions onto their computers, then exploited the vulnerability to read
and write the game process's memory with the kernel privileges.
Instantly, we
thought, why don't we apply this to bypass the security products or endpoint
security solutions? So, we have started to research and present what we have
learned in this article.
In this research, our
goal is to read LSASS.exe memory from userland.
We experimented against Kaspersky Total Security (KTS), one of the top
security products currently. KTS has its self-defense mechanism, and it also
has a strict behavior and memory monitoring mode. This article doesn't
demonstrate any vulnerabilities in any Kaspersky products or imply anything to
Kaspersky. Researchers can apply
this technique to disable most AV products today. In essence, this is not
really a weakness of AVs. This is a common weakness. We only used Kaspersky as
an example to highlight that common weakness.
Typically you are
blocked by KTS if you use ReadProcessMemory to read LSASS.exe memory in
userland. Our idea is to find a vulnerable driver and then install it.
Through the vulnerability of the installed driver, we can read and write to
physical memory. Then, we develop a shellcode to read any process memory in
kernel context and make it available to user context.
