[Primer] After Win10 (1607), PatchGuard has a sibling: HyperGuard

Original post by an Administrator, posted 2017-5-17 19:40:42:
Compared with the kernel celebrity PatchGuard, HyperGuard has essentially no name recognition. Only recently did Mark E. Russinovich announce its existence in a new book, describing it as follows:
On systems that run with virtualization-based security (described earlier in this chapter in the section
“Virtualization-based security”), it is no longer true that attackers with kernel-mode privileges are essentially
running at the same security boundary as a detection/prevention mechanism. In fact, such attackers
would operate at VTL 0, while a mechanism could be implemented in VTL 1. In the Anniversary
Update of Windows 10 (version 1607), such a mechanism does indeed exist, which is appropriately
named HyperGuard. HyperGuard has a few interesting properties that set it apart from PatchGuard:
■ It does not need to rely on obfuscation. The symbol files and function names that implement
HyperGuard are available for anyone to see, and the code is not obfuscated. Complete static
analysis is possible. This is because HyperGuard is a true security boundary.
■ It does not need to operate non-deterministically because this would provide no advantage
due to the preceding property. In fact, by operating deterministically, HyperGuard can crash
the system at the precise time unwanted behavior is detected. This means crash data will contain
clear and actionable data for the administrator (and Microsoft’s analysis teams), such as the
kernel stack, which will show the code that performed the undesirable behavior.
■ Due to the preceding property, it can detect a wider variety of attacks, because the malicious
code does not have the chance to restore a value back to its correct value during a precise time
window, which is an unfortunate side-effect of PatchGuard’s non-determinism.
HyperGuard is also used to extend PatchGuard’s capabilities in certain ways, and to strengthen its
ability to run undetected by attackers trying to disable it. When HyperGuard detects an inconsistency,
it too will crash the system, albeit with a different code: 0x18C (HYPERGUARD_VIOLATION). As before, it
might be valuable to understand, at a generic level, what kind of things HyperGuard will detect, which
you can see in Table 7-24.
[Image 1.JPG: Table 7-24, what HyperGuard detects]
On systems with VBS enabled, there is another security-related feature that is worth describing,
which is implemented in the hypervisor itself: Non-Privileged Instruction Execution Prevention (NPIEP).
This mitigation targets specific x64 instructions that can be used to leak the kernel-mode addresses of
the GDT, IDT, and LDT, which are SGDT, SIDT, and SLDT. With NPIEP, these instructions are still allowed
to execute (due to compatibility concerns), but will return a per-processor unique number that is not
actually the kernel address of these structures. This serves as a mitigation against Kernel ASLR (KASLR)
information leaks from local attackers.
Finally, note that there is no way to disable PatchGuard or HyperGuard once they are enabled.
However, because device-driver developers might need to make changes to a running system as part
of debugging, PatchGuard is not enabled when the system boots in debugging mode with an active
remote kernel-debugging connection. Similarly, HyperGuard is disabled if the hypervisor boots in
debugging mode with a remote debugger attached.
If you can't be bothered to read the English, here is my brief summary:
[Hidden content: guests must reply to this post to view it]
The title of the new book is:
[Hidden content: guests must reply to this post to view it]
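The excerpt makes a point that matters for incident response: both monitors crash the machine on purpose, and HyperGuard does so with its own bug check, 0x18C (HYPERGUARD_VIOLATION), leaving actionable crash data behind. The example below is an added illustration, not code from the book or from the forum post: a small Python triage helper that reads the bug-check code and its four parameters out of a 64-bit kernel dump header (DUMP_HEADER64, signature "PAGE" followed by "DU64") and escalates dumps whose code belongs to a kernel integrity monitor. The 0x18C code comes from the excerpt; 0x109 CRITICAL_STRUCTURE_CORRUPTION is PatchGuard's long-standing bug check. The field offsets follow the public DUMP_HEADER64 layout used by crash-dump tooling, and the dump header the script runs on is constructed in `build_sample_header()`, so no real dump is needed.

```python
"""Triage helper for Windows kernel crash dumps by bug-check code.

Added example (not from the book excerpt or the forum post). It reads the
bug-check code and parameters from a DUMP_HEADER64 blob and flags the codes
raised by the kernel integrity monitors: 0x18C HYPERGUARD_VIOLATION (named in
the excerpt) and 0x109 CRITICAL_STRUCTURE_CORRUPTION (PatchGuard). The header
used below is constructed by build_sample_header(); no real dump is read.
"""
import struct

# Field offsets from the public DUMP_HEADER64 layout (one 0x2000-byte block).
SIGNATURE_OFF = 0x00          # b"PAGE"
VALID_DUMP_OFF = 0x04         # b"DU64" marks a 64-bit kernel dump
MACHINE_IMAGE_TYPE_OFF = 0x30 # ULONG, IMAGE_FILE_MACHINE_*
NUM_PROCESSORS_OFF = 0x34     # ULONG
BUGCHECK_CODE_OFF = 0x38      # ULONG
BUGCHECK_PARAMS_OFF = 0x40    # 4 x ULONG64
HEADER_SIZE = 0x2000

# Bug checks raised deliberately by kernel integrity monitors. Any other code
# is reported as a routine crash and left to normal dump analysis.
INTEGRITY_BUGCHECKS = {
    0x109: "CRITICAL_STRUCTURE_CORRUPTION (PatchGuard)",
    0x18C: "HYPERGUARD_VIOLATION (HyperGuard)",
}


def parse_dump_header(data: bytes) -> dict:
    """Return the crash fields this triage needs from a DUMP_HEADER64 blob."""
    if len(data) < HEADER_SIZE:
        raise ValueError("dump header truncated")
    if data[SIGNATURE_OFF:SIGNATURE_OFF + 4] != b"PAGE":
        raise ValueError("missing PAGE signature")
    if data[VALID_DUMP_OFF:VALID_DUMP_OFF + 4] != b"DU64":
        raise ValueError("not a 64-bit kernel dump (expected DU64)")
    (code,) = struct.unpack_from("<I", data, BUGCHECK_CODE_OFF)
    params = struct.unpack_from("<4Q", data, BUGCHECK_PARAMS_OFF)
    (nproc,) = struct.unpack_from("<I", data, NUM_PROCESSORS_OFF)
    return {
        "bugcheck_code": code,
        "parameters": list(params),
        "processors": nproc,
        "integrity_monitor": INTEGRITY_BUGCHECKS.get(code),
    }


def triage(data: bytes) -> str:
    """One-line verdict suitable for a SOC work queue."""
    info = parse_dump_header(data)
    code = info["bugcheck_code"]
    plist = ", ".join(f"0x{v:x}" for v in info["parameters"])
    if info["integrity_monitor"]:
        # Both monitors crash on purpose when they detect tampering, so this
        # dump is a tampering indicator rather than a stability bug.
        return (f"ESCALATE: bug check 0x{code:X} {info['integrity_monitor']} "
                f"params [{plist}]; treat as possible kernel-mode tampering")
    return f"ROUTINE: bug check 0x{code:X} params [{plist}]"


def build_sample_header(code: int, params=(0, 0, 0, 0), processors=4) -> bytes:
    """Constructed DUMP_HEADER64 with only the fields triage() reads populated."""
    buf = bytearray(HEADER_SIZE)
    buf[SIGNATURE_OFF:SIGNATURE_OFF + 4] = b"PAGE"
    buf[VALID_DUMP_OFF:VALID_DUMP_OFF + 4] = b"DU64"
    struct.pack_into("<I", buf, MACHINE_IMAGE_TYPE_OFF, 0x8664)  # AMD64
    struct.pack_into("<I", buf, NUM_PROCESSORS_OFF, processors)
    struct.pack_into("<I", buf, BUGCHECK_CODE_OFF, code)
    struct.pack_into("<4Q", buf, BUGCHECK_PARAMS_OFF, *params)
    return bytes(buf)


if __name__ == "__main__":
    # Constructed samples: a HyperGuard violation and an ordinary page fault.
    for sample in (build_sample_header(0x18C, (0x1, 0x2, 0x3, 0x4)),
                   build_sample_header(0x50, (0xFFFFF80012345678, 0, 0, 2))):
        print(triage(sample))
```

The design choice worth noting is the split between `parse_dump_header()` and `triage()`: the parser refuses anything that is not a 64-bit kernel dump instead of guessing, and the verdict is driven by a small allow-list of codes, so adding a further monitor's bug check is a one-line change. To run it on a real MEMORY.DMP, pass the first 0x2000 bytes of the file to `triage()`.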

Reply from a Platinum Member, posted 2017-5-17 19:44:22:
Learning from the expert's translation.

Reply from a Gold Member, posted 2017-5-17 19:44:35:
Let's go, let's go.

Reply from a Bronze Member, posted 2017-5-17 19:44:38:
Learning, thanks!

Reply from a Bronze Member, posted 2017-5-17 19:45:08:
Thanks for sharing!

Reply from a Bronze Member, posted 2017-5-17 19:47:09:
It's not that I can't be bothered to read it. It's that I can't understand it even when I do!~~

Reply from a Bronze Member, posted 2017-5-17 19:52:04:
Learning.

Reply from a Bronze Member, posted 2017-5-17 20:06:51:
Want to see the translation!

Reply from a Bronze Member, posted 2017-5-17 20:08:41:
What's the title?

Reply from a Bronze Member, posted 2017-5-17 20:10:58:
So powerful!!!!!!!!

Reply from a Diamond Member, posted 2017-5-17 20:26:36:
123

Reply from a Bronze Member, posted 2017-5-17 20:44:37:
Learning.

Reply from a Silver Member, posted 2017-5-17 20:49:00:
There's more and more new stuff.

Reply from a VIP Member, posted 2017-5-17 21:44:16 from a mobile device:
Taking a look and learning.

Reply from a Gold Member, posted 2017-5-17 21:54:55:
Wow! Well, although I can read the English...

Reply from a Bronze Member, posted 2017-5-17 22:03:25:
Learning!

Reply from a Bronze Member, posted 2017-5-17 22:13:03:
As always, I go straight to the summary =-=.

Reply from a VIP Member, posted 2017-5-17 23:04:58:
Showing some support.

Reply from a Newcomer, posted 2017-5-17 23:32:47:
I'm the kind of kid who skips the English whenever there's Chinese~

Reply from a Silver Member, posted 2017-5-17 23:54:25:
Learning, thanks!

Reply from a Bronze Member, posted 2017-5-18 07:53:49:
Came straight for the translation.

Reply from a Silver Member, posted 2017-5-18 08:52:29:
Let's go, let's go.

Reply from a Newcomer, posted 2017-5-18 09:11:08:
Thanks to the great TA for sharing, learned something!!!

Reply from a Gold Member, posted 2017-5-18 09:25:51:
OP's English is really good.

Reply from a Bronze Member, posted 2017-5-18 11:15:33:
Thanks to OP for sharing.

Reply from a Silver Member, posted 2017-5-18 18:27:27:
Can't understand the English.

Reply from a Bronze Member, posted 2017-5-19 17:35:22:
Thanks for sharing.

Reply from a Bronze Member, posted 2017-5-20 08:50:43:
Taking a look at the new guard.

Reply from a Bronze Member, posted 2017-5-20 11:05:46:
I'll just read the translation; the English is a bit tiring.

Reply from a Newcomer, posted 2017-5-20 12:57:38:
Let's go, let's go.

Reply from a Bronze Member, posted 2017-5-21 20:10:26:
The new book is probably Windows Internals, 7th edition.

Reply from a VIP Member, posted 2017-5-23 09:42:45:
Ahhhhh