using memory management to
play

Using Memory Management to Detect and Extract Illegitimate Code - PowerPoint PPT Presentation

Mar 10, 2024 •253 likes •718 views

Using Memory Management to Detect and Extract Illegitimate Code [21.9.2012 12:11:24] [ 24] to 0x77c15ed5 msvcrt._pi_by_2_to_61+0x12db [21.9.2012 12:11:24] [ 23] from 0x80541fc7 ntkrnlpa.Kei386EoiHelper+0xab for Malware Analysis

  1. Using Memory Management to Detect and Extract Illegitimate Code [21.9.2012 12:11:24] [ 24] to 0x77c15ed5 msvcrt._pi_by_2_to_61+0x12db [21.9.2012 12:11:24] [ 23] from 0x80541fc7 ntkrnlpa.Kei386EoiHelper+0xab for Malware Analysis [21.9.2012 12:11:24] [ 23] to 0x77c15ed5 msvcrt._pi_by_2_to_61+0x12db [21.9.2012 12:11:24] [ 22] from 0x77c15ed6 msvcrt._pi_by_2_to_61+0x12dc [21.9.2012 12:11:24] ROP-RET #################### ACSAC 28 | December 3-7, 2012 [21.9.2012 12:11:24] [ 22] to 0x77c29e29 msvcrt._aligned_offset_malloc+0x7a [21.9.2012 12:11:24] [ 21] from 0x77c29e2d msvcrt._aligned_offset_malloc+0x7e Carsten Willems 1 , Felix C. Freiling 2 , Thorsten Holz 1 [21.9.2012 12:11:24] ROP-RET #################### [21.9.2012 12:11:24] [ 21] to 0x77c22666 msvcrt.type_info::name+0x96 [21.9.2012 12:11:24] [ 20] from 0x80541fc7 ntkrnlpa.Kei386EoiHelper+0xab 1 Horst Görtz Institute for IT-Security, Chair for Systems Security 2 Friedrich-Alexander-Universität Erlangen-Nürnberg, Department Informatik [21.9.2012 12:11:24] [ 20] to 0x77c22666 msvcrt.type_info::name+0x96 [21.9.2012 12:11:24] [ 19] from 0x77c22667 msvcrt.type_info::name+0x97 [21.9.2012 12:11:24] ROP-RET #################### [21.9.2012 12:11:24] [ 19] to 0x77c3ed6e msvcrt._flsbuf+0x111 [21.9.2012 12:11:24] [ 18] from 0x77c3ed77 msvcrt._flsbuf+0x11a [21.9.2012 12:11:24] ROP-RET #################### [21.9.2012 12:11:24] [ 18] to 0x77c244c6 msvcrt.UnDecorator::getVCallThunkType+0x37 [21.9.2012 12:11:24] [ 17] from 0x80541fc7 ntkrnlpa.Kei386EoiHelper+0xab [21.9.2012 12:11:24] [ 17] to 0x77c244c6 msvcrt.UnDecorator::getVCallThunkType+0x37 [21.9.2012 12:11:24] [ 16] from 0x77c244c7 msvcrt.UnDecorator::getVCallThunkType+0x38 [21.9.2012 12:11:24] RET -------------------- [21.9.2012 12:11:24] [ 16] to 0x77c244c3 msvcrt.UnDecorator::getVCallThunkType+0x34 [21.9.2012 12:11:24] [ 15] from 0x77c244c7 msvcrt.UnDecorator::getVCallThunkType+0x38 [21.9.2012 12:11:24] ROP-RET ####################

  2. Motivation • Attackers use illegitimate code (ILC) when exploiting systems – e.g. shellcode in network packets, malicious documents, .. • NX+ASLR is a hurdle, but not a barrier – implementation flaws, information leakage, unrandomized modules, legacy systems , … • Insight into shellcode helps to protect systems • Amount of malware demands automation Using Memory Management to Detect and Extract Illegitimate Code for Malware Analysis | ACSAC 2012 | Orlando | December 3-7, 2012 2

  3. Overview of the Talk 1. Motivation 2. General Approach 3. Prototype Implementation 4. Evaluation 5. Discussion Using Memory Management to Detect and Extract Illegitimate Code for Malware Analysis | ACSAC 2012 | Orlando | December 3-7, 2012 3

  4. Approach General Idea • Build a generic tool that – hooks into a system – detects the execution of ILC – automatically dumps ILC for later analysis – continues operation until all ILC has been dumped • Not meant for protection , but only for analysis Analysis system with appropriate viewer application, e.g. Adobe Acrobat Reader, Microsoft Word , … Malicious data ILC that contains ILC dumpfiles Using Memory Management to Detect and Extract Illegitimate Code for Malware Analysis | ACSAC 2012 | Orlando | December 3-7, 2012 4

  5. Approach Implementation Idea • Partition memory into regions that contain – legitimate code (LC) – and (possibly) illegitimate code (ILC) • Instrument memory related system calls – force ILC memory to be always non-executable • Instrument page fault handler – attempt to execute NX memory  page-fault  ILC detected • How to decide which code is legitimate? Using Memory Management to Detect and Extract Illegitimate Code for Malware Analysis | ACSAC 2012 | Orlando | December 3-7, 2012 5

  6. Approach LC vs ILC memory Userspace Memory Using Memory Management to Detect and Extract Illegitimate Code for Malware Analysis | ACSAC 2012 | Orlando | December 3-7, 2012 6

  7. Approach LC vs ILC memory regions containing legitimate code … Userspace Memory Using Memory Management to Detect and Extract Illegitimate Code for Malware Analysis | ACSAC 2012 | Orlando | December 3-7, 2012 7

  8. Approach LC vs ILC memory regions containing legitimate code … allowed to reside in executable memory Userspace Memory Using Memory Management to Detect and Extract Illegitimate Code for Malware Analysis | ACSAC 2012 | Orlando | December 3-7, 2012 8

  9. Approach LC vs ILC memory regions regions containing that may contain legitimate illegitimate … code … code allowed to reside in executable memory Userspace Memory Using Memory Management to Detect and Extract Illegitimate Code for Malware Analysis | ACSAC 2012 | Orlando | December 3-7, 2012 9

  10. Approach LC vs ILC memory regions regions containing that may contain legitimate illegitimate … code … code forced to allowed to reside in reside in executable non-executable memory memory Userspace Memory Using Memory Management to Detect and Extract Illegitimate Code for Malware Analysis | ACSAC 2012 | Orlando | December 3-7, 2012 10

  11. Approach Memory Regions • Memory regions are either – Mapped files, e.g. • applications • shared libraries • data files – or dynamically allocated, e.g. • heaps • thread stacks • control blocks • JIT code Using Memory Management to Detect and Extract Illegitimate Code for Malware Analysis | ACSAC 2012 | Orlando | December 3-7, 2012 11

  12. How to decide if code is illegitimate Memory Mapped Files • Divide memory-mapped files into – Trusted files • belong to the OS or the analyzed benign application • results in LC memory – Untrusted files • unknown source • results in ILC memory • Use simple heuristic: trust only files that – already existed before the analysis – and have not been modified since then Using Memory Management to Detect and Extract Illegitimate Code for Malware Analysis | ACSAC 2012 | Orlando | December 3-7, 2012 12

  13. How to decide if code is illegitimate Dynamically Allocated Memory • Is dynamically allocated memory LC or ILC? – initial approach: only memory allocated by trusted files is LC • But: programmers make mistakes – only very few functions from all trusted files really need privileges to create executable memory • e.g. loader functions or JIT compiler – identify those functions and name them trusted callers – better approach: only memory allocated by a trusted caller is LC Using Memory Management to Detect and Extract Illegitimate Code for Malware Analysis | ACSAC 2012 | Orlando | December 3-7, 2012 13

  14. How to decide if code is illegitimate Dynamically Allocated Memory Example Userspace Memory Using Memory Management to Detect and Extract Illegitimate Code for Malware Analysis | ACSAC 2012 | Orlando | December 3-7, 2012 14

  15. How to decide if code is illegitimate Dynamically Allocated Memory Example trusted files  mapped into X memory Userspace Memory Using Memory Management to Detect and Extract Illegitimate Code for Malware Analysis | ACSAC 2012 | Orlando | December 3-7, 2012 15

  16. How to decide if code is illegitimate Dynamically Allocated Memory Example trusted callers in some trusted files Userspace Memory Using Memory Management to Detect and Extract Illegitimate Code for Malware Analysis | ACSAC 2012 | Orlando | December 3-7, 2012 16

  17. How to decide if code is illegitimate Dynamically Allocated Memory Example untrusted files  mapped into NX memory Userspace Memory Using Memory Management to Detect and Extract Illegitimate Code for Malware Analysis | ACSAC 2012 | Orlando | December 3-7, 2012 17

  18. How to decide if code is illegitimate Dynamically Allocated Memory Example Userspace Memory Using Memory Management to Detect and Extract Illegitimate Code for Malware Analysis | ACSAC 2012 | Orlando | December 3-7, 2012 18

  19. How to decide if code is illegitimate Dynamically Allocated Memory Example trusted caller tries to allocate X memory Userspace Memory Using Memory Management to Detect and Extract Illegitimate Code for Malware Analysis | ACSAC 2012 | Orlando | December 3-7, 2012 19

  20. How to decide if code is illegitimate Dynamically Allocated Memory Example trusted caller OK tries to allocate X memory Userspace Memory Using Memory Management to Detect and Extract Illegitimate Code for Malware Analysis | ACSAC 2012 | Orlando | December 3-7, 2012 20

  21. How to decide if code is illegitimate Dynamically Allocated Memory Example trusted caller OK tries to allocate X memory Userspace Memory Using Memory Management to Detect and Extract Illegitimate Code for Malware Analysis | ACSAC 2012 | Orlando | December 3-7, 2012 21

  22. How to decide if code is illegitimate Dynamically Allocated Memory Example Userspace Memory Using Memory Management to Detect and Extract Illegitimate Code for Malware Analysis | ACSAC 2012 | Orlando | December 3-7, 2012 22

  23. How to decide if code is illegitimate Dynamically Allocated Memory Example untrusted file tries to allocate X memory Userspace Memory Using Memory Management to Detect and Extract Illegitimate Code for Malware Analysis | ACSAC 2012 | Orlando | December 3-7, 2012 23

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Memory Management Memory Management 5A. Memory Management and Address Spaces 1. allocate/assign

Memory Management Memory Management 5A. Memory Management and Address Spaces 1. allocate/assign

4/14/2018 Memory Management Memory Management 5A. Memory Management and Address Spaces 1. allocate/assign physical memory to processes 5B. Memory Allocation explicit requests: malloc (sbrk) implicit: program loading, stack extension

555 views • 9 slides
Memory Management Memory Management 5A. Memory Management and Address Spaces 1. allocate/assign

Memory Management Memory Management 5A. Memory Management and Address Spaces 1. allocate/assign

4/12/2017 Memory Management Memory Management 5A. Memory Management and Address Spaces 1. allocate/assign physical memory to processes 5B. Simple Memory Allocation explicit requests: malloc (sbrk) implicit: program loading, stack

205 views • 8 slides
Lecture 5: Memory Management 1 / 54 Memory Management Administrivia Assignment 1 is due on

Lecture 5: Memory Management 1 / 54 Memory Management Administrivia Assignment 1 is due on

Memory Management Lecture 5: Memory Management 1 / 54 Memory Management Administrivia Assignment 1 is due on September 7th @ 11:59pm 2 / 54 Memory Management Poll https: // www.strawpoll.me / 20863490 3 / 54 Memory Management Recap

952 views • 54 slides
28.05.04 09:50 Memory Management The computer memory is a limited resource so the Memory

28.05.04 09:50 Memory Management The computer memory is a limited resource so the Memory

28.05.04 09:50 Memory Management The computer memory is a limited resource so the Memory Management memory use of programs has to be managed in some way. Memory Management The memory management is usually performed by a runtime system

782 views • 13 slides
Memory Management Memory Management Memory a linear array of bits, bytes, words, pages ... -

Memory Management Memory Management Memory a linear array of bits, bytes, words, pages ... -

CS510 Operating System Foundations Jonathan Walpole Memory Management Memory Management Memory a linear array of bits, bytes, words, pages ... - Each byte is named by a unique memory address - Holds instructions and data for OS and user

761 views • 56 slides
Kernel level memory management 1. The very base on boot vs memory management 2. Memory Nodes

Kernel level memory management 1. The very base on boot vs memory management 2. Memory Nodes

Advanced Operating Systems MS degree in Computer Engineering University of Rome Tor Vergata Lecturer: Francesco Quaglia Kernel level memory management 1. The very base on boot vs memory management 2. Memory Nodes (UMA vs NUMA) 3. x86

1.17k views • 115 slides
Kernel level memory management 1. The very base on boot vs memory management 2. Memory Nodes

Kernel level memory management 1. The very base on boot vs memory management 2. Memory Nodes

Advanced Operating Systems MS degree in Computer Engineering University of Rome Tor Vergata Lecturer: Francesco Quaglia Kernel level memory management 1. The very base on boot vs memory management 2. Memory Nodes (UMA vs NUMA) 3. x86

1.18k views • 114 slides
Kernel level memory management 1. The very base on boot vs memory management 2. Memory Nodes

Kernel level memory management 1. The very base on boot vs memory management 2. Memory Nodes

Advanced Operating Systems MS degree in Computer Engineering University of Rome Tor Vergata Lecturer: Francesco Quaglia Kernel level memory management 1. The very base on boot vs memory management 2. Memory Nodes (UMA vs NUMA) 3. x86

1.42k views • 117 slides
CS333 Intro to Operating Systems Jonathan Walpole Memory Management Memory Management Memory

CS333 Intro to Operating Systems Jonathan Walpole Memory Management Memory Management Memory

CS333 Intro to Operating Systems Jonathan Walpole Memory Management Memory Management Memory a linear array of bytes - Holds O.S. and programs (processes) - Each cell (byte) is named by a unique memory address Recall, processes are

576 views • 55 slides
Memory Management Outline Processes (done) Memory Management Basic (done)

Memory Management Outline Processes (done) Memory Management Basic (done)

Memory Management Outline Processes (done) Memory Management Basic (done) Paging (done) Operating Systems Virtual memory Virtual Memory (Chapter 9) Motivation Demand Paging Logical address space larger

347 views • 9 slides
Chapter 4: Memory Management Part 1: Mechanisms for Managing Memory Memory management n Basic

Chapter 4: Memory Management Part 1: Mechanisms for Managing Memory Memory management n Basic

Chapter 4: Memory Management Part 1: Mechanisms for Managing Memory Memory management n Basic memory management n Swapping n Virtual memory n Page replacement algorithms n Modeling page replacement algorithms n Design issues for paging systems n

817 views • 35 slides
Memory Management Ideally programmers want memory that is large fast non

Memory Management Ideally programmers want memory that is large fast non

Memory Management Virtual Memory Background; key issues Memory allocation schemes Virtual memory Memory management design and implementation issues 1 Memory Management Ideally programmers want memory that is large fast non

410 views • 30 slides
Memory Management 1 Overview Basic memory management Address Spaces Virtual

Memory Management 1 Overview Basic memory management Address Spaces Virtual

Memory Management 1 Overview Basic memory management Address Spaces Virtual memory Page replacement algorithms Design issues for paging systems Implementation issues Segmentation 2 1 Memory Management

530 views • 39 slides
Dynamic Memory Management 333 Dynamic Memory Management Process Memory Layout Process Memory

Dynamic Memory Management 333 Dynamic Memory Management Process Memory Layout Process Memory

Dynamic Memory Management Dynamic Memory Management 333 Dynamic Memory Management Process Memory Layout Process Memory Layout (1) Each Linux process runs within its own virtual address space tables and the MMU (if available) security due to

1.25k views • 68 slides
Memory Management 5A. Memory Management and Address Spaces 5B. Allocation Algorithms Operating

Memory Management 5A. Memory Management and Address Spaces 5B. Allocation Algorithms Operating

4/10/2016 Memory Management 5A. Memory Management and Address Spaces 5B. Allocation Algorithms Operating Systems Principles 5C. Advanced Allocation Techniques Memory Management 5D. Segment Relocation 5E. Garbage Collection Mark Kampe

711 views • 9 slides
Chapter 4: Memory Management Part 1: Mechanisms for Managing Memory Memory management Basic

Chapter 4: Memory Management Part 1: Mechanisms for Managing Memory Memory management Basic

Chapter 4: Memory Management Part 1: Mechanisms for Managing Memory Memory management Basic memory management Swapping Virtual memory Page replacement algorithms Modeling page replacement algorithms Design issues for paging

950 views • 69 slides
A Black Hole as A Particle Zhenbin Yang Princeton University ArXiv:1809.08647 What is a Black

A Black Hole as A Particle Zhenbin Yang Princeton University ArXiv:1809.08647 What is a Black

A Black Hole as A Particle Zhenbin Yang Princeton University ArXiv:1809.08647 What is a Black Hole? The Black Hole I understand is: -1.40135791465086 -1.40135791465086 -1.40135791465080 -1.39627342166226 -1.39627342166226

1.81k views • 152 slides
Music Recommendation Based on Multiple Contextual Similarity

Music Recommendation Based on Multiple Contextual Similarity

Music Recommendation Based on Multiple Contextual Similarity Information Chih-Ming Chen, Ming-Feng Tsai Department of Computer Science & Program in Digital

326 views • 20 slides
Writing Fabulous VADs Dial: 866-504-1987 Connecting to Audio Dial: 866-609-4997 Audio

Writing Fabulous VADs Dial: 866-504-1987 Connecting to Audio Dial: 866-609-4997 Audio

The webinar will begin soon. While you wait, please share in the chat panel: W hat do you find m ost challenging w hen creating a VAD? Writing Fabulous VADs Dial: 866-504-1987 Connecting to Audio Dial: 866-609-4997 Audio resource tools

699 views • 12 slides
ANALOGUE TELEVISION ANALOGUE TELEVISION Fernando Pereira Fernando Pereira Instituto Superior

ANALOGUE TELEVISION ANALOGUE TELEVISION Fernando Pereira Fernando Pereira Instituto Superior

ANALOGUE TELEVISION ANALOGUE TELEVISION Fernando Pereira Fernando Pereira Instituto Superior Tcnico Instituto Superior Tcnico Audiovisual Communications, Fernando Pereira, 2012 The box that changed the World or A picture is worth a

906 views • 89 slides
Leaders Dr Mark Merolli Chair, HISA Vic State Committee PhD, B.Physio (Hons) Senior

Leaders Dr Mark Merolli Chair, HISA Vic State Committee PhD, B.Physio (Hons) Senior

Careers for Emerging Clinical Digital Health Leaders Dr Mark Merolli Chair, HISA Vic State Committee PhD, B.Physio (Hons) Senior Lecturer/Research Fellow Career Perspective The University of Melbourne @HISA_HIC #HIC19 Bio

347 views • 8 slides
Intentions & Interfaces Making patterns concrete Udi Dahan The Software Simplist .NET

Intentions & Interfaces Making patterns concrete Udi Dahan The Software Simplist .NET

Intentions & Interfaces Making patterns concrete Udi Dahan The Software Simplist .NET Development Expert & SOA Specialist www.UdiDahan.com email@UdiDahan.com Books, and books, and books, and books Flexibility brings many benefits

641 views • 41 slides
Towards Interval Techniques The Thermal . . . Thermal Challenge . . . for Model Validation

Towards Interval Techniques The Thermal . . . Thermal Challenge . . . for Model Validation

Measurement Under . . . Approximate Model: . . . How to Solve This . . . Towards Interval Techniques The Thermal . . . Thermal Challenge . . . for Model Validation Thermal Challenge . . . Results Jaime Nava and Vladik Kreinovich Additional

342 views • 20 slides
T H R E AT S TO VA L I D I T Y PMAP 8521: Program Evaluation for Public Service October 7, 2019

T H R E AT S TO VA L I D I T Y PMAP 8521: Program Evaluation for Public Service October 7, 2019

T H R E AT S TO VA L I D I T Y PMAP 8521: Program Evaluation for Public Service October 7, 2019 Fill out your reading report on iCollege! P L A N F O R T O D A Y Potential outcomes The Four Horsemen of Validity Questions! P OT E N T I A

769 views • 55 slides

More recommend