Research On Memory Protection Of Windows Application

Confidential information is encrypted in the external media. After loading the confidential information, the application will decrypt the cipher text into plain text. During the period of dealing this confidential information, the malware can get the confidential information by attacking the runtime memory of the application. So it is necessary to doing research on memory protection of the application.Through analysis of the memory management of Windows operating system and the technology of hardware assist virtualization, a memory protection model is developed to protect the runtime memory of the application. The main ideas and achievements of this paper include:1. The memory management of Windows operating system is introduced. The threats of the memory attacks are classified into two kinds, which are from the malicious codes out of the application and from the malicious codes inside the application. The attacks from the malicious codes out of the application can be then divided into two methods, which are by modifying the CR3register and by modifying the page table. The malicious codes inside the application include the kernel mode Rootkits and the user mode code injected into the application.2. The present solutions are analyzed, including the online game protection model, NICKLE and SP3. The advantages and disadvantages are also analyzed.3. A memory protection system based on Hypervisor is developed. By intercepting the access of CR3register and the write access of the page table, memory protection system can redirect the unauthorized access to the protected memory to the cipher text copy. And by intercepting the mode switch between kernel mode and user mode, memory protection system can replace the CR3register as a new one which points to the shadow page table of kernel mode. At last, the authorized user mode codes should be encrypted before loading to memory. Any unauthorized codes of user mode could not be run after decrypting.4. The difficulties of memory protection are from the malicious codes inside the application. By intercepting the mode switch between kernel mode and user mode, the page table in the address translation between kernel mode and user mode are different. So the kernel mode Rootkits can only access the cipher text. At the same time, user mode codes injection can be prevented by code encryption and data executive protection.