Founder, MoonSols SARL msuiche@moonsols.com Founder of MoonSols - - PowerPoint PPT Presentation

Matthieu Suiche Founder, MoonSols SARL msuiche@moonsols.com

Founder of MoonSols SARL, based in France

Various security services, Forensics Products, Trainings, Kernel code consulting

Co-Organizer of Hackito Ergo Sum (April 2011, Paris – France) Author of

SandMan (Windows Hibernation File) Win32/64dd (Windows Memory Acquisition) Mac OS X Physical Memory Analysis Research MoonSols Windows Memory Toolkit LiveCloudKd http://msdn.moonsols.com (Online resource for undocumented structure definition)

BlackHat, PacSec, CanSecWest etc. speakers.

• New vulnerabilities
• 0days
• About guest to host escalation

– It’s more about host to guest descalation

• Free beers
• Hot chicks

• A Tool

– Hyper-V – VMWare

• Using physical memory of virtual machine as

interface

• Offensive / Defensive / Offensics / Forensics /

Rootkits / Utilities /

• MoonSols LiveCloudKd

– Kernel developers – Kernel troubleshooters – Bug hunter – Investigator – Forensic Expert – Malware Analyst – Incident Responder

• Your physical memory in a nutshell

– Debugger – Read / Write access ?

• New generation of Rootkits

Remember when folks got excited about Ring - 1 Rootkit (BluePill, Vitriol, ...) ?

Taking over the existing Hypervisor The physical memory

• Since virtualization is widely used for servers.
• Most of Hypervisors do have an “pause”/

”suspend” feature of the state of the virtual machine.

– State is saved and/or maintained on disk. – E.g. .vmem file with VMWare Workstation – E.g. .bin file with Microsoft Hyper-V

0.00 GB 3.50 GB 4.00 GB

RAM

Device Memory (MMIO)

6.00 GB 2.00 GB 2.50 GB 4096 B BIOS reserved 2 GB 512 MB 1 GB 512 MB 2 GB

0x1000 bytes on 32-bits system. 0x2000 bytes on 64-bits system. X0 MB X1 MB X2 MB X3 MB X4 MB X5 MB Microsoft Crash Dump Header X1 MB X3 MB X5 MB

• Bin2dmp

– The Professional Edition can work with running VMWare Workstation Virtual Machine on vmem files.

• MoonSols LiveCloudKd

– Works with Microsoft Hyper-V R2 Virtual Machines.

• Physical Memory
• VMWare Workstation

– .vmem files (raw mapping)

• Microsoft Hyper-V

– VM Infrastructure Driver (Vid.sys)

• Hypervisor APIs has APIs to

– Write Memory – Modify the processor state

• EIP/RIP registers.
• Half-documented kernel functions (winhv.sys)

Hypervisor C-Language Functions

http://msdn.microsoft.com/en-us/library/ff543229%28VS.85%29.aspx

But mentioned functions do not exist … And there is no library in the WDK. (Create your own winhv.lib) HvWriteGpa -> WinHvWriteGpa Vid.h VidDefs.h (Singularity Version – Google it) Not in the WDK – Interface for vid.sys It looks like an intern copied the wrong files 

• Administrator rights access required on the

Microsoft Hyper-V hypervisor, to use these APIs.

– Not with vmem file (SHARE_READ)

• Works for Hyper-V Hypervisor and VMWare

– Make possible to crash dump analyze VM – No debug mode required – Can also create either a raw or a Microsoft memory crash dump. – Windbg/Kd Write commands (eb/ed/e*) works!

• In other words you can modify the guest memory if you

want.

– LiveKd 5 update (Hyper-V Only, Read Access only)

VM 0

Physical Memory

VM 1

Physical Memory

VM 2

Physical Memory

VM n

Physical Memory

User Interface Parent Partition (Host Machine) VirtualMemory (HIBR, DMP, ..) Information (Processes, …) MoonSols DLL

Evil Virtual Machine Manager VM1 VM2 VM3

Code injection Code injection Code injection

• Be lazy, be efficient.
• Forensic based research of memory analysis

can be now used for a lot of things.

Twitter: MoonSols or msuiche Email: msuiche@moonsols.com Web: http://www.moonsols.com

Download LiveCloudKd @ www.moonsols.com