Monitoring & Controlling Kernel-mode Events by HyperPlatform - PowerPoint PPT Presentation



Slide 1: Monitoring & Controlling Kernel-mode Events by HyperPlatform

Satoshi Tanda
Threat Researcher


Slide 3: Takeaway

  • If you want more ability to monitor and control Windows system activities in a lightweight manner, HyperPlatform is for you
  • HyperPlatform is the hypervisor designed as a VM-exit filtering platform to utilize virtualization technology (VT) and write new types of tools on Windows quicker and easier

Slide 4: About Us

  • Satoshi Tanda (@standa_t)
    – Reverse engineer interested in the Windows kernel
    – Implemented HyperPlatform
    – Threat Researcher at Sophos specializing in behaviour based detection on Windows
  • Igor Korkin (@Igorkorkin)
    – An independent researcher focusing on cyber security science: memory forensics, rootkit detection & spy technologies
    – Co-researcher, focused on application of HyperPlatform

Slide 5: Background

  • Issue: Lack of tools for kernel mode code analysis on Windows
    – Debugger and IDA are time consuming
    – Existing tools were not efficient
  • Solution: Virtualization Technology (VT)
    – Plenty of analysis systems, and academic papers
    – VT is more than just sandbox

Slide 6: Challenges

  • No suitable hypervisor to take advantage of VT only for system monitoring on Windows
  • Existing lightweight hypervisors for Windows?
    – Lacked modern platform support
  • More comprehensive hypervisors?
    – Too large to understand and extend
    – Not straightforward to compile and run
    – Very slow (e.g., Bochs)

Slide 7: Challenges: Summary

  • Lack of tools to monitor kernel activities
  • Commercial and proprietary
  • Insufficient modern platform support
  • Too large to use VT just for system monitoring
  • Not Windows-researcher friendly
  • Too slow

Slide 8: Answer: HyperPlatform

  • Allows you to monitor system activities incl. kernel-mode
  • Open source under the relaxed license (MIT License)
  • Supports Windows 7-10 on x86/x64
  • Small (7KLOC)
  • Can be compiled on Visual Studio w/o any 3rd party libraries, and debugged just like ordinary Windows drivers
  • Fast (about 10% of overhead)

Slide 9: How It Works: Overview

[Diagram: Applications run in user mode; Kernel Drivers and HyperPlatform.sys run in kernel mode on top of the Processors. HyperPlatform.sys enables VMX operation mode.]

Slide 10: How It Works: Overview

[Diagram: with VMX enabled on the Processors, events such as CPUID, "MOV CR3, RAX" and exceptions raised by Applications or Kernel Drivers cause a VM-exit into VMExitHandler() in HyperPlatform.sys.]

  • VM-exit handler is executed upon occurrence of certain events (VM-exit)

Slide 11: How It Works: Implementation

    // Invoked on VM-exit; the context of the system (guest registers) and
    // the VM-exit reason are given
    void VMExitHandler(GuestRegisters* context, int exit_reason) {
      // Handle an event accordingly
      switch (exit_reason) {
        case VMEXIT_CPUID:
          CpuidHandler(context);
          break;
        case VMEXIT_EXCEPTION:
          ExceptionHandler(context);
          break;
        // ...
      }
    }

Slide 12: As a VM-exit Filtering Platform

[Diagram: VM-exits caused by Windows (CPUID, "MOV CR3, RAX", exceptions) are taken by HyperPlatform on the VMX-enabled Processors; the "MOV CR3, RAX" event is forwarded to your extended logic for the "move-to-cr3" event in YourDriver.sys.]

Slide 13: Advantage

  • You can do what you cannot do without VT
  • VM-exit is a new class of events
    – access to system registers
    – occurrence of exceptions and interruptions
    – execution of certain instructions
    – access to memory using extended page tables (EPT)
  • VM-exit handler is flexible
    – returning different register values and/or memory contents
  • None of them is easy to achieve without VT
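The VM-exit filtering model of slides 11 to 13, as an added example that is not code from HyperPlatform or its authors: a user-mode C++ simulation in which the platform dispatches each VM-exit to registered extension callbacks before falling back to its own emulation of the trapped instruction. The exit reasons, the GuestRegisters subset, the callback interface, the CPUID leaf values and the instruction lengths are assumptions of this example; no VMX instruction is executed, so it runs anywhere a C++17 compiler does.

```cpp
// Added example, not HyperPlatform code: simulation of VM-exit filtering.
#include <cstdint>
#include <cstdio>
#include <functional>
#include <map>
#include <utility>
#include <vector>

enum ExitReason { kExitCpuid, kExitMovToCr3, kExitException };

struct GuestRegisters {        // the subset of guest state this example needs
  uint64_t rax = 0, rbx = 0, rcx = 0, rdx = 0;
  uint64_t cr3 = 0;
  uint64_t rip = 0;
};

// An extension (YourDriver.sys on slide 12) registers callbacks per exit
// reason. Returning true means "handled; skip the platform's default action".
using ExitCallback = std::function<bool(GuestRegisters&)>;

class VmExitFilter {
 public:
  void Register(ExitReason reason, ExitCallback cb) {
    hooks_[reason].push_back(std::move(cb));
  }

  // Counterpart of VMExitHandler() on slide 11: every VM-exit lands here with
  // the guest context and the reason, and is filtered before being emulated.
  void Dispatch(ExitReason reason, GuestRegisters& ctx) {
    for (auto& hook : hooks_[reason]) {
      if (hook(ctx)) return;     // extension consumed the event
    }
    DefaultHandler(reason, ctx); // platform emulates the trapped instruction
  }

 private:
  void DefaultHandler(ExitReason reason, GuestRegisters& ctx) {
    switch (reason) {
      case kExitCpuid:
        // Constructed stand-in for the host's CPUID answer (leaf 0 layout).
        ctx.rax = 0x0d; ctx.rbx = 0x756e6547; ctx.rdx = 0x49656e69; ctx.rcx = 0x6c65746e;
        ctx.rip += 2;            // skip the 2-byte CPUID instruction
        break;
      case kExitMovToCr3:
        ctx.cr3 = ctx.rax;       // "MOV CR3, RAX": the new page-table base is in RAX
        ctx.rip += 3;            // assumption: 3-byte encoding of MOV CR3, RAX
        break;
      case kExitException:
        break;                   // a real hypervisor would re-inject the exception
    }
  }
  std::map<ExitReason, std::vector<ExitCallback>> hooks_;
};

struct ScenarioResult {
  std::vector<uint64_t> observed_cr3;  // every page-table base seen by the CR3 hook
  int cpuid_exits = 0;
  GuestRegisters regs;                 // guest state after the last exit
};

// Replays a constructed sequence of VM-exits through a filter carrying the two
// kinds of extension logic the slides describe: one that only observes an
// event (task switches via CR3) and one that changes the register values the
// guest sees (a constructed answer for the hypervisor CPUID leaf 0x40000000).
ScenarioResult RunScenario() {
  VmExitFilter filter;
  ScenarioResult r;
  filter.Register(kExitMovToCr3, [&](GuestRegisters& ctx) {
    r.observed_cr3.push_back(ctx.rax);
    return false;                // observe only; let the platform load CR3
  });
  filter.Register(kExitCpuid, [&](GuestRegisters& ctx) {
    r.cpuid_exits++;
    if (ctx.rax != 0x40000000) return false;  // not the hypervisor leaf
    ctx.rax = 0x40000000;        // constructed reply carrying the extension's signature
    ctx.rbx = 0x48505954; ctx.rcx = 0; ctx.rdx = 0;
    ctx.rip += 2;
    return true;
  });

  GuestRegisters ctx;
  ctx.rax = 0x1ad000;   filter.Dispatch(kExitMovToCr3, ctx);  // process A scheduled
  ctx.rax = 0;          filter.Dispatch(kExitCpuid, ctx);     // plain CPUID leaf 0
  ctx.rax = 0x2b5000;   filter.Dispatch(kExitMovToCr3, ctx);  // process B scheduled
  ctx.rax = 0x40000000; filter.Dispatch(kExitCpuid, ctx);     // hypervisor leaf
  r.regs = ctx;
  return r;
}

int main() {
  ScenarioResult r = RunScenario();
  std::printf("cr3 switches=%zu cpuid exits=%d final cr3=%#llx rbx=%#llx rip=%llu\n",
              r.observed_cr3.size(), r.cpuid_exits,
              (unsigned long long)r.regs.cr3, (unsigned long long)r.regs.rbx,
              (unsigned long long)r.regs.rip);
  return 0;
}
```

The observe-only CR3 hook is the shape of the "move-to-cr3" logic on slide 12, while the CPUID hook shows the slide 13 point that the handler may hand back register values different from what the hardware produced; the default handler is where the platform's own instruction emulation lives, so an extension only needs to write the branch it cares about.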

Slide 14: Application (part 1)

  • Kernel mode code analysis
    – Detection of dodgy instruction execution (e.g., modification of CR0.WP): GuardMon – PatchGuard monitor
    – Detection of pool memory execution: MemoryMon – Memory execution monitor
    – Invisible API hook: DdiMon – kernel-mode API monitor

[Diagram: driver_x.sys, driver_y.sys and driver_z.sys in kernel space; execution inside the driver images is OK, execution in Pool Memory is Dodgy.]

Slide 15: Demo (part 1)

  • MemoryMon against Turla (Uroburos)
    – getting unpacked code from memory

Slide 16: Application (part 2)

  • Hypervisor based protection
    – Instead of monitoring, terminate a process upon dodgy events
    – Checking certain conditions on task switching: EopMon – elevation of privilege exploit (token stealing) monitor

[Diagram: timeline of Process A, Process B and Process C running in turn; each task switch executes "MOV CR3, RAX", which causes a VM-exit, and EopMon performs its check on every such VM-exit.]
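The two checks described on slides 14 and 16, as an added example that is not code from GuardMon, EopMon or HyperPlatform: a CR0.WP check that would run from a MOV-to-CR0 VM-exit, and a task-switch check that would run from a MOV-to-CR3 VM-exit, both written as pure functions over constructed kernel state so they can be exercised without a hypervisor. The image ranges, process records, CR3 and token values are made up for this example, and the token-stealing rule (a non-system process whose token changed to the system token since creation) is this example's approximation of what such a monitor checks.

```cpp
// Added example, not GuardMon/EopMon code: detection checks over constructed state.
#include <cstdint>
#include <cstdio>
#include <map>
#include <string>
#include <vector>

// ---- Slide 14: dodgy instruction execution, e.g. clearing CR0.WP ----
constexpr uint64_t kCr0Wp = 1ull << 16;   // CR0.WP: write-protect supervisor pages

struct ImageRange { std::string name; uint64_t base; uint64_t size; };

// Called from a MOV-to-CR0 VM-exit. Returns the name of the loaded image whose
// code cleared WP, "<no image>" when the RIP lies outside every loaded image
// (e.g. pool memory), or "" when the write leaves WP set and needs no attention.
std::string CheckMovToCr0(uint64_t old_cr0, uint64_t new_cr0, uint64_t rip,
                          const std::vector<ImageRange>& images) {
  bool clears_wp = (old_cr0 & kCr0Wp) != 0 && (new_cr0 & kCr0Wp) == 0;
  if (!clears_wp) return "";
  for (const auto& img : images)
    if (rip >= img.base && rip < img.base + img.size) return img.name;
  return "<no image>";
}

// ---- Slide 16: conditions checked on task switching (MOV CR3 VM-exit) ----
struct Process {
  std::string name;
  uint64_t cr3;            // page-table base, the value loaded into CR3
  uint64_t token;          // token the process currently holds
  bool system_process;     // legitimately runs with the system token
};

struct Verdict { bool terminate; std::string process; };

// The process about to run is identified by the CR3 being loaded. A process
// that is not a system process, now holds the system token, and whose token
// differs from the one recorded at its creation is reported for termination
// ("terminate a process upon dodgy events").
Verdict CheckTaskSwitch(uint64_t new_cr3, const std::vector<Process>& live,
                        const std::map<uint64_t, uint64_t>& token_at_creation,
                        uint64_t system_token) {
  for (const auto& p : live) {
    if (p.cr3 != new_cr3) continue;
    auto it = token_at_creation.find(p.cr3);
    bool token_changed = it != token_at_creation.end() && it->second != p.token;
    if (!p.system_process && p.token == system_token && token_changed)
      return {true, p.name};
    return {false, p.name};
  }
  return {false, "<unknown cr3>"};
}

struct Alerts { std::vector<std::string> cr0; std::vector<std::string> eop; };

// Runs both checks over constructed events and collects what they report.
Alerts RunChecks() {
  Alerts a;
  std::vector<ImageRange> images = {{"ntoskrnl.exe", 0xfffff80000000000ull, 0x800000},
                                    {"driver_x.sys", 0xfffff88001000000ull, 0x10000}};
  const uint64_t wp_set = 0x80050033, wp_clear = wp_set & ~kCr0Wp;
  // three MOV CR0 exits: driver_x clears WP, pool code clears WP, harmless write keeps WP
  for (auto rip : {0xfffff88001002000ull, 0xfffffa8003000100ull})
    a.cr0.push_back(CheckMovToCr0(wp_set, wp_clear, rip, images));
  a.cr0.push_back(CheckMovToCr0(wp_set, wp_set | 1, 0xfffff88001002000ull, images));

  const uint64_t system_token = 0xffff9a8000100000ull;
  std::vector<Process> live = {{"System", 0x1ad000, system_token, true},
                               {"notepad.exe", 0x2b5000, 0xffff9a8000200000ull, false},
                               {"sample.exe", 0x3c1000, system_token, false}};
  std::map<uint64_t, uint64_t> at_creation = {{0x1ad000, system_token},
                                             {0x2b5000, 0xffff9a8000200000ull},
                                             {0x3c1000, 0xffff9a8000300000ull}};
  for (auto cr3 : {0x1ad000ull, 0x2b5000ull, 0x3c1000ull}) {
    Verdict v = CheckTaskSwitch(cr3, live, at_creation, system_token);
    if (v.terminate) a.eop.push_back(v.process);
  }
  return a;
}

int main() {
  Alerts a = RunChecks();
  for (const auto& s : a.cr0) std::printf("CR0.WP cleared by: %s\n", s.empty() ? "(none)" : s.c_str());
  for (const auto& s : a.eop) std::printf("token stolen, terminate: %s\n", s.c_str());
  return 0;
}
```

Both checks return a verdict rather than acting, which keeps the policy (log, block the write, terminate the process) separate from the detection and makes the logic testable outside the VM-exit handler; in a real monitor the caller would run them inside the MOV-CR handler of slide 11 with the guest's registers as input.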

Slide 17: Demo (part 2)

  • EopMon against Gozi (Ursnif)
    – Detecting and killing elevated malware (stole a system token)

Slide 18: Limitations

  • Cannot run inside VirtualBox by design
  • No AMD processors support (#2, won't fix)
  • Cannot run with other hypervisors simultaneously (#14)

Slide 19: Future

  • Looking for more ideas on what we can do
    – Kernel code coverage with Intel Processor Trace for effective fuzzing
    – Memory access visualization and authorization
    – Race condition (TOCTOU) bug discovery with memory access monitoring

Slide 20: Conclusion

  • Virtualization technology (VT) is powerful but underutilized in reverse engineering
  • HyperPlatform is the hypervisor designed as a VM-exit filtering platform to utilize VT and write new types of tools on Windows quickly and easily
  • Check out GitHub pages, develop your own unique ideas and solutions
    – github.com/tandasat/HyperPlatform

Slide 21: Thank You

  • Contacts:
    – Satoshi Tanda (@standa_t): tanda.sat@gmail.com
    – Igor Korkin (@Igorkorkin): igor.korkin@gmail.com

Slide 22: Appendix 1: Performance Metrics

[Chart: Performance Comparison of Base, EopMon and MemoryMon on a 0-100% scale across PCMark8 Home, Novabench RAM Speed, Novabench CPU Tests, Novabench Graphics Tests and Novabench Drive Write Speed.]

Slide 23: References 1

  • VMRay
    – https://www.vmray.com/features/
  • McAfee Deep Defender
    – http://www.intel.com/content/dam/www/public/us/en/documents/white-papers/mcafee-deep-defender-deepsafe-rootkit-protection-paper.pdf
  • SecVisor: A Tiny Hypervisor to Provide Lifetime Kernel Code Integrity for Commodity OSes
    – https://www.cs.cmu.edu/~arvinds/pubs/secvisor.pdf
  • SPIDER: Stealthy Binary Program Instrumentation and Debugging via Hardware Virtualization
    – https://www.cerias.purdue.edu/assets/pdf/bibtex_archive/2013-5.pdf
  • DRAKVUF
    – http://drakvuf.com/

Slide 24: References 2

  • HyperDbg
    – https://github.com/rmusser01/hyperdbg
  • Virtdbg
    – https://github.com/upring/virtdbg
  • BluePill
    – http://invisiblethingslab.com/resources/bh07/nbp-0.32-public.zip
  • MoRE
    – https://github.com/ainfosec/MoRE

Slide 25: References 3

  • Bochs
    – https://github.com/svn2github/bochs
  • Xen
    – http://xenbits.xen.org/gitweb/?p=xen.git
  • QEMU
    – http://git.qemu.org/qemu.git
  • VirtualBox
    – https://www.virtualbox.org/