
Monitoring & Controlling Kernel-mode Events by HyperPlatform - PowerPoint PPT Presentation



  1. Monitoring & Controlling Kernel-mode Events by HyperPlatform
     Satoshi Tanda, Threat Researcher


  3. Takeaway
     ● If you want to have more ability to monitor and control Windows system activities in a lightweight manner, HyperPlatform is for you
     ● HyperPlatform is the hypervisor designed as a VM-exit filtering platform to utilize virtualization technology (VT) and write new types of tools on Windows more quickly and easily

  4. About Us
     ● Satoshi Tanda (@standa_t)
       – Reverse engineer interested in the Windows kernel
       – Implemented HyperPlatform
       – Threat Researcher at Sophos specializing in behaviour-based detection on Windows
     ● Igor Korkin (@Igorkorkin)
       – An independent researcher focusing on cyber security science: memory forensics, rootkit detection & spy technologies
       – Co-researcher, focused on applications of HyperPlatform

  5. Background
     ● Issue: lack of tools for kernel-mode code analysis on Windows
       – Debugger and IDA are time consuming
       – Existing tools were not efficient
     ● Solution: Virtualization Technology (VT)
       – Plenty of analysis systems and academic papers
       – VT is more than just a sandbox

  6. Challenges
     ● No suitable hypervisor to take advantage of VT only for system monitoring on Windows
     ● Existing lightweight hypervisors for Windows?
       – Lacked modern platform support
     ● More comprehensive hypervisors?
       – Too large to understand and extend
       – Not straightforward to compile and run
       – Very slow (e.g., Bochs)

  7. Challenges: Summary
     ● Lack of tools to monitor kernel activities
     ● Commercial and proprietary
     ● Insufficient modern platform support
     ● Too large to use VT just for system monitoring
     ● Not friendly to Windows researchers
     ● Too slow

  8. Answer: HyperPlatform
     ● Allows you to monitor system activities incl. kernel mode
     ● Open source under a relaxed license (MIT License)
     ● Supports Windows 7-10 on x86/x64
     ● Small (7 KLOC)
     ● Can be compiled on Visual Studio without any 3rd-party libraries, and debugged just like ordinary Windows drivers
     ● Fast (about 10% overhead)

  9. How It Works: Overview
     (diagram: applications in user mode; kernel drivers and HyperPlatform.sys in kernel mode; HyperPlatform.sys enables VMX operation mode on the processors)

  10. How It Works: Overview
     ● The VM-exit handler is executed upon the occurrence of certain events (VM-exit)
     (diagram: with VMX enabled on the processors, events such as CPUID, MOV CR3, RAX and an exception cause a VM-exit from the kernel into VMExitHandler() in HyperPlatform.sys)

  11. How It Works: Implementation
     ● VMExitHandler() is invoked on VM-exit; the context of the system (guest registers) and the VM-exit reason are given, and each event is handled accordingly:

        // Slide code. The declarations above VMExitHandler() are added so the
        // fragment compiles; the enum values are placeholders, not the real
        // VM-exit reason numbers.
        typedef struct GuestRegisters GuestRegisters;   // guest general-purpose registers
        enum { VMEXIT_CPUID, VMEXIT_EXCEPTION /* , ... */ };
        void CpuidHandler(GuestRegisters* context);
        void ExceptionHandler(GuestRegisters* context);

        // Invoked on VM-exit: context of the system and VM-exit reason are given
        void VMExitHandler(GuestRegisters* context, int exit_reason) {
          switch (exit_reason) {          // handle an event accordingly
            case VMEXIT_CPUID:
              CpuidHandler(context);
              break;
            case VMEXIT_EXCEPTION:
              ExceptionHandler(context);
              break;
            // ...
          }
        }

  12. As a VM-exit Filtering Platform
     (diagram: VM-exits for MOV CR3, RAX, exceptions and CPUID raised from Windows on VMX-enabled processors reach HyperPlatform, which forwards the event to YourDriver.sys, where your extended logic for the "move-to-cr3" event runs)

  13. Advantage
     ● You can do what you cannot do without VT
     ● VM-exit is a new class of events
       – Access to system registers
       – Occurrence of exceptions and interrupts
       – Execution of certain instructions
       – Access to memory, using extended page tables (EPT)
     ● The VM-exit handler is flexible
       – It can return different register values and/or memory contents
     ● None of them is easy to achieve without VT

  14. Application (part 1)
     ● Kernel-mode code analysis
       – Detection of dodgy instruction execution (e.g., modification of CR0.WP)
         ● GuardMon – PatchGuard monitor
       – Detection of pool memory execution
         ● MemoryMon – memory execution monitor
         (diagram: kernel space with driver_x.sys, driver_y.sys and driver_z.sys; execution inside a driver image is marked OK, execution from pool memory is marked dodgy)
       – Invisible API hook
         ● DdiMon – kernel-mode API monitor
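Added example, not HyperPlatform's, GuardMon's or MemoryMon's own code: a user-mode C++ model of a VM-exit filter that classifies the two events named on this slide, a MOV to CR0 that clears CR0.WP and execution from an address that lies in no known driver image (pool memory). The exit reasons, the GuestRegisters layout, the driver ranges and the `block` policy are assumptions made for the model. It also shows the handler refusing the WP change by leaving CR0 untouched, which is the "return different register values" ability from the previous slide; the real bit position of CR0.WP (bit 16) is the only non-constructed value.

```cpp
// Added illustration, not HyperPlatform's own code: a user-mode model of a
// VM-exit filter that classifies (1) a MOV-to-CR0 that clears CR0.WP and
// (2) execution from an address outside every known driver image.
// Exit reasons, register layout and image ranges are constructed for the model.
#include <cstdint>
#include <cstdio>
#include <string>
#include <vector>

// Subset of VM-exit reasons the model dispatches on (constructed names).
enum class ExitReason { Cpuid, MovCr0, EptExecute, Other };

// Guest register snapshot handed to the filter on each exit.
struct GuestRegisters {
    uint64_t rax;  // source operand of MOV CR0, RAX
    uint64_t rip;  // address being executed
    uint64_t cr0;  // current CR0 as the guest sees it
};

// A loaded driver image occupying [base, base + size).
struct ImageRange {
    std::string name;
    uint64_t base;
    uint64_t size;
};

enum class Verdict { Ok, DodgyWpClear, DodgyPoolExec, Unhandled };

constexpr uint64_t kCr0Wp = 1ull << 16;  // CR0.WP: supervisor write protection

// MOV CR0, RAX: compare the value about to be loaded with the current CR0.
// A 1 -> 0 transition of WP is the dodgy pattern. With `block` set the write
// is refused by leaving CR0 unchanged: the handler decides what the guest sees.
Verdict HandleMovCr0(GuestRegisters& ctx, bool block) {
    const bool wp_now = (ctx.cr0 & kCr0Wp) != 0;
    const bool wp_new = (ctx.rax & kCr0Wp) != 0;
    if (wp_now && !wp_new) {
        if (!block) ctx.cr0 = ctx.rax;
        return Verdict::DodgyWpClear;
    }
    ctx.cr0 = ctx.rax;
    return Verdict::Ok;
}

// EPT execute event: RIP is OK only if it lies inside a known driver image;
// anything else is treated as execution from pool memory.
Verdict HandleExecute(const GuestRegisters& ctx,
                      const std::vector<ImageRange>& images) {
    for (const ImageRange& img : images) {
        if (ctx.rip >= img.base && ctx.rip < img.base + img.size) {
            return Verdict::Ok;
        }
    }
    return Verdict::DodgyPoolExec;
}

// The filter itself: one entry point, dispatch on the exit reason.
Verdict VmExitFilter(ExitReason reason, GuestRegisters& ctx,
                     const std::vector<ImageRange>& images, bool block_wp_clear) {
    switch (reason) {
        case ExitReason::MovCr0:     return HandleMovCr0(ctx, block_wp_clear);
        case ExitReason::EptExecute: return HandleExecute(ctx, images);
        default:                     return Verdict::Unhandled;
    }
}

// Constructed driver map for the scenario below.
std::vector<ImageRange> SampleImages() {
    return {{"driver_x.sys", 0xFFFFF80000100000ull, 0x20000},
            {"driver_y.sys", 0xFFFFF80000200000ull, 0x10000}};
}

const char* Name(Verdict v) {
    switch (v) {
        case Verdict::Ok:            return "OK";
        case Verdict::DodgyWpClear:  return "dodgy: CR0.WP cleared";
        case Verdict::DodgyPoolExec: return "dodgy: execution from pool memory";
        default:                     return "unhandled";
    }
}

int main() {
    const std::vector<ImageRange> images = SampleImages();
    GuestRegisters ctx{0, 0xFFFFF80000100800ull, 0x80050033ull};  // WP is set
    ctx.rax = ctx.cr0 & ~kCr0Wp;                                    // attempt to clear WP
    std::printf("MOV CR0: %s (WP still set: %d)\n",
                Name(VmExitFilter(ExitReason::MovCr0, ctx, images, true)),
                (ctx.cr0 & kCr0Wp) != 0);
    std::printf("exec inside driver_x.sys: %s\n",
                Name(VmExitFilter(ExitReason::EptExecute, ctx, images, true)));
    ctx.rip = 0xFFFFA00012345000ull;  // constructed address in no image: pool memory
    std::printf("exec from pool: %s\n",
                Name(VmExitFilter(ExitReason::EptExecute, ctx, images, true)));
    return 0;
}
```

The image list stands in for whatever a real monitor would learn from the loaded-module list; the point is that the verdict is computed from the VM-exit context alone, and that the handler, not the guest, decides whether the CR0 write takes effect.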

  15. Demo (part 1)
     ● MemoryMon against Turla (Uroburos)
       – Getting unpacked code from memory

  16. Application (part 2)
     ● Hypervisor-based protection
       – Instead of monitoring, terminate a process upon dodgy events
       – Checking certain conditions on task switching
         ● EopMon – elevation of privilege exploit (token stealing) monitor
     (diagram: over time, Process A, B and C run in turn; each task switch is a MOV CR3, RAX that causes a VM-exit, at which EopMon performs its check)
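Added example, not EopMon's or HyperPlatform's own code: a user-mode C++ model of the check performed at each task switch. On every MOV CR3 VM-exit the monitor looks up the process that owns the new CR3 value and compares its current token with the token it had when the process was created and with the SYSTEM process's token; a process that now carries the SYSTEM token it was not created with is flagged and marked for termination, which is the "terminate a process upon dodgy events" policy of this slide. The process records, CR3 values, token addresses and the SetToken helper (which stands in for a change the monitor only observes indirectly) are assumptions constructed for the model.

```cpp
// Added illustration, not EopMon's own code: a user-mode model of a
// token-stealing check driven by MOV CR3 VM-exits (task switches).
// Process records, CR3 values and token addresses are constructed.
#include <cstdint>
#include <cstdio>
#include <map>
#include <set>
#include <string>

struct Process {
    uint32_t pid;
    std::string name;
    uint64_t cr3;    // directory table base, the value loaded on task switch
    uint64_t token;  // address of the process's access token
};

enum class SwitchVerdict { Ok, UnknownProcess, ElevatedBySystemToken };

class EopMonitor {
public:
    explicit EopMonitor(const Process& system) : system_token_(system.token) {
        OnProcessCreate(system);
    }

    // Process creation: remember its CR3 and the token it started with.
    void OnProcessCreate(const Process& p) {
        by_cr3_[p.cr3] = p;
        token_at_creation_[p.pid] = p.token;
    }

    // Model-only stand-in for a token pointer being changed behind the
    // monitor's back; the monitor only sees the effect at the next switch.
    void SetToken(uint32_t pid, uint64_t token) {
        for (auto& kv : by_cr3_) {
            if (kv.second.pid == pid) kv.second.token = token;
        }
    }

    // MOV CR3, RAX VM-exit: the guest is switching to the process owning cr3.
    // A process that now holds the SYSTEM token it was not created with is
    // treated as elevated by token stealing and (policy) marked for termination.
    SwitchVerdict OnMovCr3(uint64_t cr3) {
        auto it = by_cr3_.find(cr3);
        if (it == by_cr3_.end()) return SwitchVerdict::UnknownProcess;
        const Process& p = it->second;
        if (p.token != token_at_creation_.at(p.pid) && p.token == system_token_) {
            terminated_.insert(p.pid);
            return SwitchVerdict::ElevatedBySystemToken;
        }
        return SwitchVerdict::Ok;
    }

    bool IsTerminated(uint32_t pid) const { return terminated_.count(pid) != 0; }

private:
    uint64_t system_token_;
    std::map<uint64_t, Process> by_cr3_;            // CR3 -> process
    std::map<uint32_t, uint64_t> token_at_creation_; // pid -> original token
    std::set<uint32_t> terminated_;
};

// Constructed scenario: SYSTEM (pid 4), a benign process and a suspect one.
EopMonitor BuildScenario() {
    EopMonitor mon(Process{4, "System", 0x1AD000, 0xFFFF9A8000001000ull});
    mon.OnProcessCreate(Process{1234, "notepad.exe", 0x3F20000, 0xFFFF9A8000002000ull});
    mon.OnProcessCreate(Process{5678, "suspect.exe", 0x4A10000, 0xFFFF9A8000003000ull});
    return mon;
}

int main() {
    EopMonitor mon = BuildScenario();
    std::printf("switch to notepad.exe: verdict %d\n",
                static_cast<int>(mon.OnMovCr3(0x3F20000)));
    mon.SetToken(5678, 0xFFFF9A8000001000ull);  // suspect now holds SYSTEM's token
    std::printf("switch to suspect.exe: verdict %d, terminated=%d\n",
                static_cast<int>(mon.OnMovCr3(0x4A10000)), mon.IsTerminated(5678));
    return 0;
}
```

Doing the comparison on the task-switch exit rather than on every instruction is what keeps the overhead low: CR3 loads are far rarer than the events EPT monitoring sees, and a stolen token cannot be used by a process until it is scheduled, so checking at the switch is sufficient to catch it before its next user-mode instruction runs.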

  17. Demo (part 2)
     ● EopMon against Gozi (Ursnif)
       – Detecting and killing elevated malware (which stole a system token)

  18. Limitations
     ● Cannot run inside VirtualBox by design
     ● No AMD processor support (#2, won't fix)
     ● Cannot run with other hypervisors simultaneously (#14)

  19. Future
     ● Looking for more ideas on what we can do
       – Kernel code coverage with Intel Processor Trace for effective fuzzing
       – Memory access visualization and authorization
       – Race condition (TOCTOU) bug discovery with memory access monitoring

  20. Conclusion
     ● Virtualization technology (VT) is powerful but underutilized in reverse engineering
     ● HyperPlatform is the hypervisor designed as a VM-exit filtering platform to utilize VT and write new types of tools on Windows quickly and easily
     ● Check out the GitHub pages, develop your own unique ideas and solutions
       – github.com/tandasat/HyperPlatform

  21. Thank You
     ● Contacts:
       – Satoshi Tanda (@standa_t)
         ● tanda.sat@gmail.com
       – Igor Korkin (@Igorkorkin)
         ● igor.korkin@gmail.com

  22. Appendix 1: Performance Metrics
     (chart: base performance comparison of EopMon and MemoryMon, each as a percentage of baseline from 0% to 100%, on Novabench RAM Speed, Novabench Graphics Tests, PCMark8 Home, Novabench CPU Tests and Novabench Drive Write Speed)

  23. References 1
     ● VMRay – https://www.vmray.com/features/
     ● McAfee Deep Defender – http://www.intel.com/content/dam/www/public/us/en/documents/white-papers/mcafee-deep-defender-deepsafe-rootkit-protection-paper.pdf
     ● SecVisor: A Tiny Hypervisor to Provide Lifetime Kernel Code Integrity for Commodity OSes – https://www.cs.cmu.edu/~arvinds/pubs/secvisor.pdf
     ● SPIDER: Stealthy Binary Program Instrumentation and Debugging via Hardware Virtualization – https://www.cerias.purdue.edu/assets/pdf/bibtex_archive/2013-5.pdf
     ● DRAKVUF – http://drakvuf.com/

  24. References 2
     ● HyperDbg – https://github.com/rmusser01/hyperdbg
     ● Virtdbg – https://github.com/upring/virtdbg
     ● BluePill – http://invisiblethingslab.com/resources/bh07/nbp-0.32-public.zip
     ● MoRE – https://github.com/ainfosec/MoRE

  25. References 3
     ● Bochs – https://github.com/svn2github/bochs
     ● Xen – http://xenbits.xen.org/gitweb/?p=xen.git
     ● QEMU – http://git.qemu.org/qemu.git
     ● VirtualBox – https://www.virtualbox.org/
