EATGuard
Implementation of an export address table protection mitigation, like Export Address Filtering (EAF)
How It Works
This project is composed of three binaries that, when compiled, can be found in EATGuard\bin\. They are:
EATGuardApplication.exe- "Malicious" application that loadsEATGuardDll.dllinto the process and then executes some executable code (shellcode) which executesnotepad.exe.EATGuardDll.dll- DLL that provides a "bridge" between user-mode and kernel-mode. This DLL registers a Vectored Exception Handler (VEH) which sends detections of access to thekernel32.dllExport Address Table (EAT) to theEATGuardDriver.sysdriver. This DLL allocates a guard page on thekernel32.dllEAT which causes an exception when the EAT is accessed within theEATGuardApplication.exeprocess space. This routes execution to the registered VEH which processes these exceptions and is responsible for continuing execution after analysis is completed.EATGuardDriver.sys- Kernel-mode device driver which verifies access to thekernel32.dllEAT. Currently, as a POC, it checks if the memory which accesseskernel32.dllis backed by disk.
How To Use
Please note that EATGuardApplication.exe loads EATGuardDll.dll from the relative path of EATGuardApplication.exe. This means both the .exe and .dll need to be in the same directory when executing. Please note also do not run this project on a machine that has kernel debugging enabled. This can cause issues, as the EATGuardDll.dll uses a single-step exception for continuation of execution. Here is an example usage of the project:
C:\Users\ANON\Desktop>sc create EATGUARD type= kernel binPath= C:\Users\ANON\Desktop\EATGuardDriver.sys
[SC] CreateService SUCCESS
C:\Users\ANON\Desktop>sc start EATGUARD
SERVICE_NAME: EATGUARD
TYPE : 1 KERNEL_DRIVER
STATE : 4 RUNNING
(STOPPABLE, NOT_PAUSABLE, IGNORES_SHUTDOWN)
WIN32_EXIT_CODE : 0 (0x0)
SERVICE_EXIT_CODE : 0 (0x0)
CHECKPOINT : 0x0
WAIT_HINT : 0x0
PID : 0
FLAGS :
C:\Users\ANON\Desktop>EATGuardApplication.exe
[+] KERNEL32.dll EAT: 0x00007FFB1D83F898
[+] Number of functions in the KERNEL32.dll EAT: 1678
[+] EATGuard analysis complete!
[+] Target address: 0x24AA138005C
[>] IsRipRwxMemory: TRUE
[>] IsRipMappedSection: FALSE
[>] IsRipBackedByImage: FALSE
[>] HasPageProtectionChanged: FALSE
[>] RegionBaseAddress: 0x24AA1380000
[>] MemoryRegionSize: 0x1000
[>] MemoryCommtSize: 0x1000
[+] EATGuard analysis complete!
[+] Target address: 0x24AA138005F
[>] IsRipRwxMemory: TRUE
[>] IsRipMappedSection: FALSE
[>] IsRipBackedByImage: FALSE
[>] HasPageProtectionChanged: FALSE
[>] RegionBaseAddress: 0x24AA1380000
[>] MemoryRegionSize: 0x1000
[>] MemoryCommtSize: 0x1000
[+] EATGuard analysis complete!
[+] Target address: 0x24AA138008F
[>] IsRipRwxMemory: TRUE
[>] IsRipMappedSection: FALSE
[>] IsRipBackedByImage: FALSE
[>] HasPageProtectionChanged: FALSE
[>] RegionBaseAddress: 0x24AA1380000
[>] MemoryRegionSize: 0x1000
[>] MemoryCommtSize: 0x1000
[+] EATGuard analysis complete!
[+] Target address: 0x24AA138009B
[>] IsRipRwxMemory: TRUE
[>] IsRipMappedSection: FALSE
[>] IsRipBackedByImage: FALSE
[>] HasPageProtectionChanged: FALSE
[>] RegionBaseAddress: 0x24AA1380000
[>] MemoryRegionSize: 0x1000
[>] MemoryCommtSize: 0x1000
[+] EATGuard analysis complete!
[+] Target address: 0x24AA13800A2
[>] IsRipRwxMemory: TRUE
[>] IsRipMappedSection: FALSE
[>] IsRipBackedByImage: FALSE
[>] HasPageProtectionChanged: FALSE
[>] RegionBaseAddress: 0x24AA1380000
[>] MemoryRegionSize: 0x1000
[>] MemoryCommtSize: 0x1000
(...)TRUNCATED(...)
This project is a POC which mimics the functionality of Export Address Filtering.