
Research On The Methods Of Breaking Through Windows Memory Protection Mechanisms

Posted on: 2018-05-29
Degree: Master
Type: Thesis
Country: China
Candidate: Z Li
Full Text: PDF
GTID: 2428330569485364
Subject: Control Engineering
Abstract/Summary:
APT (Advanced Persistent Threat) attacks have increased in recent years. APT attackers use advanced vulnerability exploitation techniques to evade operating system security mechanisms and penetrate the target continuously. Windows is the most widely used operating system today, and its own defensive capability determines the security of the whole system. It is therefore of great significance to study the defense mechanisms of Windows, and to find their defects and the methods that break through them, in order to prevent APT attacks. This thesis approaches the different security mechanisms of Windows from two directions, SEH attacks and ROP attacks, using real exploits to find breakthroughs, as follows:

(1) Against the SEH security mechanism, this thesis presents a breakthrough method based on reverse analysis to search for exploitable weaknesses. First, the SEH mechanism is analyzed with dynamic tracing on Windows, from the two aspects of program flow and data structure, to obtain the key functions of the SEH process and to find the potential security factors in the SEH mechanism. On this basis, the thesis presents a typical framework for exploiting SEH vulnerabilities. After that, the principles of the SafeSEH and SEHOP security mechanisms are studied to find out their defects and the methods that break through them. Finally, an SEH zero-day vulnerability is found in third-party software, and the defenses of the SafeSEH and SEHOP security mechanisms are successfully bypassed.

(2) Against the joint DEP+ASLR+PSS mechanism, this thesis improves on the traditional JIT-ROP attack method and proposes a JIT-ROP attack that forges PSS. First, an offline gadget search method is used to remedy the excessive memory overhead of traditional JIT-ROP attacks, and a dictionary tree (trie) structure is used to search for gadgets, which increases the number of usable gadgets. Second, a combination of ROP chain and shellcode is used to solve the problem of the ROP chain being too long. Third, a method of forging PSS is proposed to bypass the protection that the PSS mechanism applies to ret instructions: the leaked memory information is compared against the characteristics of the instruction inserted by PSS, and the PSS offset of the embedded instruction is found by string matching. Finally, the thesis gives a concrete implementation scheme and the attack code, and experiments show that this method successfully bypasses the joint DEP+ASLR+PSS mechanism.
Keywords/Search Tags: Memory security mechanism, Vulnerability exploitation, Structured exception handling, Return-oriented programming