MemoryRanger protects kernel data and code by running drivers and hosting data in isolated kernel enclaves using VT-x and EPT features. MemoryRanger has been presented at BlackHat, HITB, and CDFSL.
Hi Igor Korkin, I have read your paper that was published in S&P 2021 recently.
I'm also interested in whether MemoryRanger can prevent malware from modifying ntoskrnl.exe. Malware can disable the Register and Process callbacks by modifying the SupportsObjectCallbacks flag or the Callback List, and then it can terminate the AV or modify a register key to disable the AV. But MR is designed to protect just the PPL of a process, is that correct? Maybe I am missing some details.
I am currently experimenting with the memranger driver. My setup is VS2015 Update 3 with WDK and SDK 10.0.14393. When I try to build it, some files are missing in the hyperplatform and capstone arch directories. After copying the file from the tandasat project, I have a problem installing the memranger driver (I am running memranger_console.exe) on Windows 10 build 10240 x64. It says the I/O operation was aborted and the driver installation failed.
Please help me.