Windows Kernel Hijacking Is Not an Option: MemoryRanger Comes to the Rescue Again
arXiv - CS - Operating Systems. Pub Date: 2021-06-10, DOI: arxiv-2106.06065
Igor Korkin

The security of a computer system depends on OS kernel protection. It is crucial to reveal and inspect new attacks on kernel data, as these are used by hackers. The purpose of this paper is to continue research into attacks on dynamically allocated data in the Windows OS kernel and to demonstrate the capacity of MemoryRanger to prevent these attacks. This paper discusses three new hijacking attacks on kernel data, which are based on bypassing OS security mechanisms. The first two hijacking attacks result in illegal access to files opened in exclusive access mode. The third attack escalates process privileges without applying token swapping. Although Windows security experts have issued new protection features, access attempts to the dynamically allocated data in the kernel are not fully controlled. The MemoryRanger hypervisor is designed to fill this security gap. The updated MemoryRanger prevents these new attacks and also supports Windows 10 1903 x64.

Updated: 2021-06-25