

  1. Hypervisor-based Analysis of macOS Malware, Felix Seele, June 2nd 2019

  2. whoami
     • Technical Lead @ VMRay
     • M. Sc. IT-Security
     • Released first preview version of macOS sandbox in March
     • @c1truz_

  3. Structure of this Talk: Motivation (Why?) => Background (How?) => Virtual Machine Introspection (Challenges)

  4. The Marketing Pitch: we need better tools for efficient, sound and automated analysis of macOS malware!

  5. State of the Art
     • Many tools monitor different aspects of the system: ProcInfo, BlockBlock, dtrace (fs_usage, dtruss, ...), firewalls, debuggers
     • Goals:
       - Full visibility of function calls at every level (soundness)
       - Isolation & transparency
       - Efficiency & automation
     • Where the existing tools fall short:
       ✗ No function call tracer (like ltrace)
       ✗ Tools run inside the analysis VM
       ✗ No automation

  6. Full Visibility of Function Calls (call chain of Evil.app, from the high-level application frameworks down into the kernel)
     Evil.app -> [NSData dataWithContentsOfURL:] (Foundation.framework, high-level application framework)
              -> CFURLRequestCreate(...) (CFNetwork.framework)
              -> socket(...), connect(...) (libsystem_kernel.dylib, low-level system library)
              -> syscall 97, syscall 98 (kernel, kernelspace)

  7. Isolation & Performance
     • The analysis system must be higher privileged than the analyzed sample
     • Full system visibility requires hypervisor-level analysis (the hypervisor sits below kernelspace, which sits below userspace)
     • Emulators are extremely slow and unsuited for full-system analysis
     • Hardware-assisted virtualization provides isolation with small performance overhead
     → How to instrument the hypervisor for malware analysis?

  8. Two-Dimensional Paging: Address translation 101 (x86_64). CR3 points to the PML4T; the virtual address (shown on the slide as 0x00000 00 10 ad 5f 000, split into its four table indices and the page offset) is walked through PML4T, PDPT, PDT and PT down to a physical address in memory. The page is mapped r-x, so the fetch succeeds.

  9. Two-Dimensional Paging: Address translation 101 (x86_64), continued. Same walk, but the final page is mapped rw-: execution will cause a page fault and trap to the kernel! In the guest this shows up as EXC_BAD_ACCESS (code=2, address=0x7ffeefbff408).

  10. Two-Dimensional Paging: Second-level page tables. Inside the virtual machine, guest virtual memory maps to guest physical memory (r-x); the hypervisor then maps guest physical memory to host physical memory (r-x).

  11. Two-Dimensional Paging: Second-level page tables, continued. The guest mapping still says r-x, but the hypervisor's mapping from guest physical to host physical memory says r--: execution will cause a page fault and trap to the hypervisor!
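The two-level walk of slides 8 to 11, as an added example that is not part of the talk or VMRay's code: a 4-level guest page walk (PML4 -> PDPT -> PD -> PT) with present and NX checks yields a guest-physical address, and a hypervisor-owned second-level table then maps it to host-physical memory with its own permissions. Guest RAM is a handful of constructed pages, the EPT is a flat array instead of a real multi-level table, and the host frame numbers are made up; the point is that revoking X in the second level faults while the guest's own tables stay untouched.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define PAGE_SIZE     4096ull
#define PTE_PRESENT   (1ull << 0)
#define PTE_WRITE     (1ull << 1)
#define PTE_NX        (1ull << 63)
#define PTE_ADDR_MASK 0x000ffffffffff000ull
#define GUEST_PAGES   8

enum fault { OK = 0, GUEST_FAULT = 1, EPT_VIOLATION = 2 };

/* Guest-physical memory: a few 4 KiB pages (constructed for the example). */
static uint64_t guest_ram[GUEST_PAGES][PAGE_SIZE / 8];

/* Hypervisor-owned second-level table, one entry per guest-physical page.
 * Real EPTs are themselves multi-level; a flat array keeps the example short. */
static struct { uint64_t host_pfn; unsigned r : 1, w : 1, x : 1; } ept[GUEST_PAGES];

static uint64_t *gpa_ptr(uint64_t gpa)
{
    return &guest_ram[gpa / PAGE_SIZE][(gpa % PAGE_SIZE) / 8];
}

/* First dimension: the guest's own PML4 -> PDPT -> PD -> PT walk for an
 * instruction fetch at gva. A non-present or NX-marked entry at any level is
 * a #PF that the guest kernel handles (lldb reports it as EXC_BAD_ACCESS).
 * Table pages are read straight from guest_ram; hardware would also pass
 * those reads through the EPT. */
enum fault guest_walk_exec(uint64_t cr3, uint64_t gva, uint64_t *gpa_out)
{
    static const int shift[4] = { 39, 30, 21, 12 };
    uint64_t table = cr3 & PTE_ADDR_MASK;
    for (int level = 0; level < 4; level++) {
        uint64_t pte = *gpa_ptr(table + ((gva >> shift[level]) & 0x1ff) * 8);
        if (!(pte & PTE_PRESENT) || (pte & PTE_NX))
            return GUEST_FAULT;
        table = pte & PTE_ADDR_MASK;
    }
    *gpa_out = table | (gva & (PAGE_SIZE - 1));
    return OK;
}

/* Second dimension: guest-physical -> host-physical through the EPT. Fetching
 * from a page the hypervisor marked r-- traps to the hypervisor; the guest's
 * own tables still say r-x, so the guest cannot observe the difference. */
enum fault translate_exec(uint64_t cr3, uint64_t gva, uint64_t *hpa_out)
{
    uint64_t gpa;
    enum fault f = guest_walk_exec(cr3, gva, &gpa);
    if (f != OK)
        return f;
    if (!ept[gpa / PAGE_SIZE].x)
        return EPT_VIOLATION;
    *hpa_out = ept[gpa / PAGE_SIZE].host_pfn * PAGE_SIZE + (gpa & (PAGE_SIZE - 1));
    return OK;
}

/* Hypervisor-side hook: take execute away from one guest-physical page. */
void hv_revoke_exec(uint64_t gpa)
{
    ept[gpa / PAGE_SIZE].x = 0;
}

/* Build a tiny guest: PML4 in page 0, PDPT in page 1, PD in page 2, PT in
 * page 3. PT[1] maps code page 4 as r-x, PT[2] maps data page 5 as rw- (NX).
 * Returns the CR3 value. Host frame numbers are made up. */
uint64_t build_guest(void)
{
    memset(guest_ram, 0, sizeof guest_ram);
    memset(ept, 0, sizeof ept);
    guest_ram[0][1] = (1 * PAGE_SIZE) | PTE_PRESENT | PTE_WRITE;           /* PML4[1] -> PDPT */
    guest_ram[1][1] = (2 * PAGE_SIZE) | PTE_PRESENT | PTE_WRITE;           /* PDPT[1] -> PD   */
    guest_ram[2][1] = (3 * PAGE_SIZE) | PTE_PRESENT | PTE_WRITE;           /* PD[1]   -> PT   */
    guest_ram[3][1] = (4 * PAGE_SIZE) | PTE_PRESENT;                       /* PT[1]   -> code, r-x */
    guest_ram[3][2] = (5 * PAGE_SIZE) | PTE_PRESENT | PTE_WRITE | PTE_NX;  /* PT[2]   -> data, rw- */
    for (uint64_t p = 0; p < GUEST_PAGES; p++) {
        ept[p].host_pfn = 0x100 + p;
        ept[p].r = ept[p].w = ept[p].x = 1;
    }
    return 0;   /* PML4 lives in guest-physical page 0 */
}

#define CODE_GVA 0x8040201000ull   /* PML4=1, PDPT=1, PD=1, PT=1, offset 0 */
#define DATA_GVA 0x8040202000ull   /* same, but PT=2 */

int main(void)
{
    uint64_t cr3 = build_guest(), hpa = 0;
    printf("code fetch: %d\n", translate_exec(cr3, CODE_GVA, &hpa));
    printf("data fetch: %d\n", translate_exec(cr3, DATA_GVA, &hpa));
    hv_revoke_exec(4 * PAGE_SIZE);
    printf("code fetch after revoking X in the EPT: %d\n", translate_exec(cr3, CODE_GVA, &hpa));
    return 0;
}
```

On real hardware the second case is an EPT violation VM exit whose exit qualification tells the hypervisor which access (read, write or fetch) failed and at which guest-physical address; that is the hook the rest of the talk builds on.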

  12. Two-Dimensional Paging: Using TDP to monitor API calls (slides 12 to 15 are build steps of the same diagram)
     • Divide memory regions into two sets:
       - Set A: target executable (Evil.app)
       - Set B: system libraries and kernel (Foundation.framework, CFNetwork.framework, libsystem_kernel.dylib, kernel)
     • One of the sets is executable, the other non-executable; the ✗ mark in the diagram moves from the system set to Evil.app and back as control transfers between them

  16. Two-Dimensional Paging: Summary
     • The approach was first presented by Carsten Willems and Ralf Hund 1)
     • Transparency & isolation: page permissions are only modified outside of the guest
       - No modifications to the OS necessary
       - Not detectable, even from the kernel
     • Efficiency: calls are intercepted at the highest level possible
       - Preserves high-level semantics
       - Simplifies behavior analysis
     1) https://www.syssec.ruhr-uni-bochum.de/media/emma/veroeffentlichungen/2012/11/26/TR-HGI-2012-002.pdf
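The set-swapping scheme of slides 12 to 16 as a simulation; this is an added example, not code from the talk or from VMRay. Regions are tagged set A (the target) or set B (system libraries and kernel), only one set is executable at a time, and every control transfer that crosses the boundary is an EPT violation that the monitor logs before swapping the permissions. Replaying the call chain of slide 6 shows why interception happens at the highest level: the Foundation -> CFNetwork -> libsystem_kernel -> kernel calls all stay inside set B and never trap. The addresses in the region map are made up.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

enum pageset { SET_A = 0, SET_B = 1 };   /* A: target executable, B: system libraries + kernel */

struct region { const char *name; uint64_t start, end; enum pageset set; };

/* Memory map in the spirit of slide 12. Addresses are constructed for the example. */
static const struct region regions[] = {
    { "Evil.app",               0x0000000100000000ull, 0x0000000100010000ull, SET_A },
    { "Foundation.framework",   0x00007fff30000000ull, 0x00007fff30400000ull, SET_B },
    { "CFNetwork.framework",    0x00007fff31000000ull, 0x00007fff31200000ull, SET_B },
    { "libsystem_kernel.dylib", 0x00007fff60000000ull, 0x00007fff60020000ull, SET_B },
    { "kernel",                 0xffffff8000000000ull, 0xffffff8001000000ull, SET_B },
};
#define NREGIONS (sizeof regions / sizeof regions[0])
#define MAXLOG 16

struct monitor {
    enum pageset executable;   /* the set whose pages currently carry r-x in the EPT */
    unsigned fetches, traps;   /* simulated control transfers / EPT violations taken */
    char log[MAXLOG][96];
    unsigned nlog;
};

static const struct region *lookup(uint64_t addr)
{
    for (size_t i = 0; i < NREGIONS; i++)
        if (addr >= regions[i].start && addr < regions[i].end)
            return &regions[i];
    return NULL;
}

void monitor_init(struct monitor *m)
{
    memset(m, 0, sizeof *m);
    m->executable = SET_A;   /* the sample starts out running; system pages are r-- */
}

/* Simulate control flowing from `from` to `to` (a call, syscall or return).
 * Returns 1 if the hypervisor trapped (set boundary crossed), 0 if the fetch
 * ran natively, -1 for an unmapped destination. */
int monitor_transfer(struct monitor *m, uint64_t from, uint64_t to, const char *symbol)
{
    const struct region *src = lookup(from), *dst = lookup(to);
    if (!dst)
        return -1;
    m->fetches++;
    if (dst->set == m->executable)
        return 0;   /* same set: no EPT violation, runs at native speed */
    /* EPT violation: log the crossing, then swap which set is executable so
     * execution continues until control crosses back. */
    m->traps++;
    if (m->nlog < MAXLOG)
        snprintf(m->log[m->nlog++], sizeof m->log[0], "%s -> %s: %s",
                 src ? src->name : "?", dst->name, symbol);
    m->executable = dst->set;
    return 1;
}

/* Replay the call chain of slide 6 through the monitor. Returns the number of
 * traps taken: the two A<->B crossings only, none of the inner B->B calls. */
unsigned replay_slide6(struct monitor *m)
{
    monitor_init(m);
    monitor_transfer(m, 0x100001000ull,        0x7fff30012340ull,    "-[NSData dataWithContentsOfURL:]");
    monitor_transfer(m, 0x7fff30012340ull,     0x7fff31004560ull,    "CFURLRequestCreate");
    monitor_transfer(m, 0x7fff31004560ull,     0x7fff60001230ull,    "socket");
    monitor_transfer(m, 0x7fff60001230ull,     0xffffff8000123000ull, "syscall 97");
    monitor_transfer(m, 0xffffff8000123000ull, 0x7fff60001240ull,    "sysret");
    monitor_transfer(m, 0x7fff60001240ull,     0x7fff31004570ull,    "ret");
    monitor_transfer(m, 0x7fff31004570ull,     0x7fff30012350ull,    "ret");
    monitor_transfer(m, 0x7fff30012350ull,     0x100001010ull,       "ret (NSData *)");
    return m->traps;
}

int main(void)
{
    struct monitor m;
    unsigned traps = replay_slide6(&m);
    printf("%u transfers, %u traps\n", m.fetches, traps);
    for (unsigned i = 0; i < m.nlog; i++)
        printf("  trap %u: %s\n", i, m.log[i]);
    return 0;
}
```

The trap on the way back is as useful as the one on the way in: it is where the return value of the intercepted API call is read from rax. Only execute permission is toggled; data pages of both sets stay readable and writable throughout, so the guest never sees a spurious data fault.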

  17. Virtual Machine Introspection

  18. Virtual Machine Introspection: The basics (layers, bottom-up)
     • Process Monitoring: process creation & termination, process & thread switches, process information
     • Virtual Memory: parse virtual address space, resolve loaded libraries
     • Function Call Monitoring: resolve functions and syscalls, extract parameters
     • Objective-C
     • Inter-Process Communication
     • ???

  19. Objective-C Runtime Introspection: Extracting function call parameters
     Example log line: [0040.706] -[NSString writeToFile:(NSString *) atomically:(BOOL)]
     Instance method: pointer to the object (self) in rdi, selector in rsi, arguments in rdx, rcx, r8, ...
     • Need to know the class to extract the value
     • Can't trust the function prototype (class clusters, protocols): an NSString is in practice an NSCFString, NSPathStore2 or NSCFConstantString
     => Need to determine the class at runtime

  20. Objective-C Runtime Introspection: Finding an object's class
     The object (0x100503930 on the slide) holds the isa word 0x011dffff87f471d8; 0x011dffff87f471d8 & ISA_MASK = 0x7fff87f471d8 is the objc_class. From there, objc_class.bits (+0x20) -> class_rw_t.ro (+0x08) -> class_ro_t.name (+0x18) -> "__NSCFConstantString": 4 pointer derefs and 1 string read 👏

     #define ISA_MASK 0x00007ffffffffff8ULL

     struct objc_object {
         union isa_t {
             struct objc_class *cls;
             uintptr_t bits;
             struct {
                 uintptr_t nonpointer        : 1;
                 uintptr_t has_assoc         : 1;
                 uintptr_t has_cxx_dtor      : 1;
                 uintptr_t shiftcls          : 44;
                 uintptr_t magic             : 6;
                 uintptr_t weakly_referenced : 1;
                 uintptr_t deallocating      : 1;
                 uintptr_t has_sidetable_rc  : 1;
                 uintptr_t extra_rc          : 8;
             };
         } isa;
     };

     struct objc_class : objc_object {
         // Class ISA;
         Class superclass;         // +0x08
         cache_t cache;            // +0x10
         class_data_bits_t bits;   // +0x20
     };

     struct class_rw_t {
         uint32_t flags;           // +0x00
         uint32_t version;         // +0x04
         const class_ro_t *ro;     // +0x08
         // ...
     };

     struct class_ro_t {
         uint32_t flags;           // +0x00
         // ...
         const char *name;         // +0x18
     };

  21. Objective-C Runtime Introspection: Finding an object's class (the efficient way)
     0x011dffff87f471d8 & ISA_MASK = 0x7fff87f471d8 (struct objc_object { union isa_t { struct objc_class *cls; uintptr_t bits; } })
     vmmap places that class pointer inside CoreFoundation's __DATA segment:
       __DATA 00007fff87e12000-00007fff87f55000 rw-/rwx SM=COW /System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation
     so the class object is at __DATA + 0x1351D8, which the symbol table (nm) resolves to a name without reading the class structures:
       000000000057a340 s _OBJC_CLASS_$___NSCFCharacterSet
       000000000057a1d8 s _OBJC_CLASS_$___NSCFConstantString
       000000000057a390 s _OBJC_CLASS_$___NSCFData
       000000000057a020 s _OBJC_CLASS_$___NSCFDictionary

  22. Objective-C Runtime Introspection: Finding an object's class (the efficient way), continued
     • Need to know the location of the __DATA segments in memory
     • Not trivial due to the use of dyld shared caches
     • But: only one pointer deref required, plus a compare against precomputed offsets
     • Next: reconstruct the object's internal data representation
       - Fairly straightforward for CoreFoundation (open source)
       - Needs to be done for every class that should be reconstructed from the hypervisor
     • Idea: automatically extract even unknown classes using Objective-C's ivar information
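The isa decoding of slide 20 and the precomputed-offset lookup of slides 21 and 22, as an added example that is not code from the talk or from VMRay. The union mirrors the slide's isa_t layout; the segment range and the four class symbols are the vmmap and nm lines from slide 21. The unslid vmaddr 0x445000 of CoreFoundation's __DATA segment is an assumption, chosen so that __DATA + 0x1351D8 lands on nm's 0x57a1d8; a real tool reads it from the LC_SEGMENT_64 command of the image in the dyld shared cache.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define ISA_MASK 0x00007ffffffffff8ULL

/* x86_64 non-pointer isa layout as shown on slide 20 (objc4 runtime). */
union isa_t {
    uintptr_t bits;
    struct {
        uintptr_t nonpointer        : 1;
        uintptr_t has_assoc         : 1;
        uintptr_t has_cxx_dtor      : 1;
        uintptr_t shiftcls          : 44;
        uintptr_t magic             : 6;
        uintptr_t weakly_referenced : 1;
        uintptr_t deallocating      : 1;
        uintptr_t has_sidetable_rc  : 1;
        uintptr_t extra_rc          : 8;
    } f;
};

/* Class pointer from a raw isa word. Masking is safe for both forms: a
 * non-pointer isa keeps the class in shiftcls (bits 3..46), and a plain class
 * pointer is 8-byte aligned and below 2^47, so the mask leaves it unchanged. */
uint64_t isa_to_class(uint64_t isa)
{
    return isa & ISA_MASK;
}

/* The same value through the bitfield: ISA_MASK is just shiftcls << 3. */
uint64_t isa_shiftcls_class(uint64_t isa)
{
    union isa_t u;
    u.bits = isa;
    return (uint64_t)u.f.shiftcls << 3;
}

struct data_segment { const char *image; uint64_t start, end, unslid_vmaddr; };
struct class_symbol { uint64_t unslid_addr; const char *symbol; };

/* vmmap line from slide 21; unslid_vmaddr 0x445000 is an assumption (see lead-in). */
static const struct data_segment segments[] = {
    { "CoreFoundation", 0x00007fff87e12000ull, 0x00007fff87f55000ull, 0x445000ull },
};

/* Precomputed from the nm output on slide 21. */
static const struct class_symbol symbols[] = {
    { 0x57a340ull, "_OBJC_CLASS_$___NSCFCharacterSet" },
    { 0x57a1d8ull, "_OBJC_CLASS_$___NSCFConstantString" },
    { 0x57a390ull, "_OBJC_CLASS_$___NSCFData" },
    { 0x57a020ull, "_OBJC_CLASS_$___NSCFDictionary" },
};

/* Resolve a class pointer to its name without touching guest memory: find the
 * __DATA segment, unslide the pointer, match it against the symbol table.
 * Returns NULL when the pointer is not a known class object; the caller then
 * falls back to the 4-dereference walk of slide 20. */
const char *class_name_from_pointer(uint64_t cls, uint64_t *segment_offset)
{
    for (size_t i = 0; i < sizeof segments / sizeof segments[0]; i++) {
        const struct data_segment *s = &segments[i];
        if (cls < s->start || cls >= s->end)
            continue;
        uint64_t off = cls - s->start;
        if (segment_offset)
            *segment_offset = off;
        uint64_t unslid = s->unslid_vmaddr + off;
        for (size_t j = 0; j < sizeof symbols / sizeof symbols[0]; j++)
            if (symbols[j].unslid_addr == unslid)
                return symbols[j].symbol + strlen("_OBJC_CLASS_$_");
        return NULL;   /* inside __DATA, but not a class we precomputed */
    }
    return NULL;       /* not inside any known __DATA segment */
}

int main(void)
{
    uint64_t isa = 0x011dffff87f471d8ull, off = 0;
    uint64_t cls = isa_to_class(isa);
    const char *name = class_name_from_pointer(cls, &off);
    printf("isa %#llx -> class %#llx = __DATA + %#llx = %s\n",
           (unsigned long long)isa, (unsigned long long)cls,
           (unsigned long long)off, name ? name : "(unknown)");
    return 0;
}
```

The segment table is the part that the dyld shared cache makes non-trivial: the slide values for one boot of one macOS version are not portable, so a real tool rebuilds the table per analysed VM image from the cache's mapped segments and the per-image symbol tables.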

  23. Objective-C Runtime Introspection: Example
     Code:

       NSLog(@"Hello, World!");
       NSProcessInfo *processInfo = [NSProcessInfo processInfo];
       NSLog(@"Process ID is: %d", [processInfo processIdentifier]);
       NSString *username = [processInfo userName];
       NSFileManager *filemgr = [NSFileManager defaultManager];
       NSString *filename = [[filemgr currentDirectoryPath] stringByAppendingPathComponent:@"user.txt"];
       [username writeToFile:filename
                  atomically:YES
                    encoding:NSStringEncodingConversionAllowLossy
                       error:nil];
       NSLog(@"Content written to path: %@\n", filename);

     (The encoding argument is an NSStringEncodingConversionOptions value rather than an NSStringEncoding; its numeric value is 1, which is what the log below records as encoding:0x1.)

     Analysis log:

       [0045.565] NSLog (format="Hello, World!")
       [0045.706] +[NSProcessInfo processInfo] returned 0x7f9a3740d080
       [0045.706] -[NSProcessInfo<0x7f9a3740d080> processIdentifier] returned 488
       [0045.706] NSLog (format="Process ID is: %d")
       [0045.706] -[NSProcessInfo<0x7f9a3740d080> userName] returned="xsbgsz"
       [0045.824] +[NSFileManager defaultManager] returned 0x7f9a37402850
       [0045.824] -[NSFileManager<0x7f9a37402850> currentDirectoryPath] returned="/Users/xsbgsz"
       [0045.916] -[NSString<0x7f9a3740d150> stringByAppendingPathComponent:"user.txt"] returned="/Users/xsbgsz/user.txt"
       [0045.916] -[NSString<0x7a736762737865> writeToFile:"/Users/xsbgsz/user.txt" atomically:1 encoding:0x1 error:0x0] returned 1
       [0045.923] NSLog (format="Content written to path: %@\n")

  24. Inter-Process Communication
     • XPC is used heavily on macOS:
       - Install and control LaunchAgents/Daemons
       - Launch processes out of context (open(1))
       - Remote Procedure Calls
       - ...
     • Message stack: Mach messages at the bottom; on top of them MIG, XPC messages (with XPC-based RPC above) and CFPort
     • Used by > 90% of samples
     • Can be used to evade dynamic malware analysis systems
     https://thecyberwire.com/events/docs/IanBeer_JSS_Slides.pdf
