Monitoring & controlling kernel-mode events by HyperPlatform
Formal Metadata
Title | Monitoring & controlling kernel-mode events by HyperPlatform
Title of Series | REcon 2016
Part Number | 12
Number of Parts | 20
Author | Satoshi Tanda
License | CC Attribution 4.0 International: You are free to use, adapt and copy, distribute and transmit the work or content in adapted or unchanged form for any legal purpose as long as the work is attributed to the author in the manner specified by the author or licensor.
Identifiers | 10.5446/32745 (DOI)
Language | English
Transcript: English(auto-generated)
00:22
So, I'd like to welcome Satoshi Tanda back to REcon, returning after, I think, five years, so he's going to talk about HyperPlatform. Thanks. Yeah, welcome to my talk. So, before I start the talk, let me add one funny personal story.
00:44
So, this is a picture I took five years ago when I came here for REcon for the first time. But this picture is not actually a picture in Montreal. This is a picture in Chicago. When I was heading to Montreal from Japan, I had to transfer planes at the Chicago airport.
01:05
And I was ready for this, but my flight was delayed, and I had to go to a different boarding gate from the one I originally had to go to. And that was also my first time visiting a different country, and even taking a plane.
01:22
So, I got confused and got lost in the airport and missed the flight, and ended up staying in a hotel near the Chicago airport. That was a funny memory for me. And now, yeah, I'm pleased to be here without getting lost.
01:42
I didn't go to recon.com. I managed to be here. Yeah, so, I am going to talk about an open source hypervisor project named HyperPlatform. So, if you are interested in the Windows kernel, hypervisors, system monitoring, or anything of that sort, you will be interested in this.
02:09
Yeah, so in this talk, I am going to tell just a couple of things. So, if you want to have more ability to monitor and control Windows system activities in a lightweight manner,
02:22
HyperPlatform is for you. And HyperPlatform is a hypervisor designed as a VM-exit filtering platform to utilize virtualization technology and to write new types of monitoring tools on Windows more easily and quickly. So, that is basically what I am going to tell in this talk.
02:46
So, let me introduce myself quickly. I am Satoshi, a reverse engineer interested in the Windows kernel, and I implemented HyperPlatform. And I am working at Sophos as a threat researcher specializing in behavior-based malware detection.
03:04
But this project is entirely done independently, so feel free to reach out to me directly. And Igor, he is a co-researcher, and he is an independent researcher specializing in cyber security,
03:22
especially memory forensics and rootkit analysis. Unfortunately, he is unable to come here, but you can definitely reach out to him as well as me. So, let me start with the motivation. Why do you need yet another hypervisor project?
03:44
So, a few months ago, we had issues. We found that we still didn't have a good tool to analyze Windows kernel activities. So, in my case, I personally wanted to analyze PatchGuard, not for my employer.
04:01
I personally wanted to analyze PatchGuard. And PatchGuard was a challenging component to reverse engineer, because it doesn't allow you to modify the Windows kernel in any way. So, you can set neither breakpoints nor hooks to monitor its activity.
04:21
And Igor, he also wanted to have a new tool to analyze the Windows kernel, because he constantly deals with rootkits for his research. A debugger and IDA always work, but it is also always time-consuming.
04:42
So, those tools weren't quite efficient. But actually, a lack of tools wasn't the real issue, because we kind of knew a solution to it. The solution was virtualization technology. So, there are plenty of academic papers and analysis systems using virtualization technology.
05:05
And also, we knew that virtualization technology is more than just providing a sandbox environment. So, a lack of tools wasn't the real issue. The real issue was that there was no suitable hypervisor to utilize virtualization technology
05:26
only for system monitoring purposes on Windows. So, assume that you want to monitor a system by using virtualization technology on Windows. You need a hypervisor.
05:41
But what options do we have? First off, there were a couple of good-looking commercial products, but obviously those were proprietary and not available to us. And if you take a look at some existing lightweight hypervisors on Windows,
06:01
those lacked modern platform support. For example, HyperDbg, which is a really awesome project, but it didn't support the 64-bit architecture. And if you take a look at more comprehensive hypervisor projects, those were just too large to understand and extend.
06:24
If you are hired for this, you will probably be okay, but if you want to independently do some research, it's probably too time-consuming. And also, those projects weren't quite Windows-engineer friendly.
06:42
They required, say, Cygwin to be installed and compiled first. We found that Bochs was actually a kind of exception. We found that Bochs was quite easy to compile and run and even understand,
07:00
but that was just too slow for day-to-day usage. So to summarize, this is our list of challenges we believed that we should tackle, and we believed that the community needed a solution to it somehow.
07:22
So we decided to work on these problems, and as a solution, we developed HyperPlatform. HyperPlatform allows you to monitor Windows system activities, including the kernel, and it is open source,
07:40
and supports Windows 7 to 10 on both 64- and 32-bit architectures. And it is small enough, and one of the nice things of this project is that you can compile this project in Visual Studio without any third-party libraries, and it can be debugged just as a software driver.
08:04
And it is fast. And this is how HyperPlatform works. So if you are familiar with the Blue Pill hypervisor, this is essentially quite similar.
08:21
So first off, it is loaded into the kernel address space as a software driver, and then it enables the VMX operation mode of the processors. And once the VMX operation mode is enabled,
08:41
processors start to treat the entire system as a virtual machine and invoke a registered handler routine upon occurrence of certain events, such as exceptions or execution of certain types of instructions,
09:00
or access to system registers, like control register 3. And those events are called VM-exits, and HyperPlatform implements the handler. So the VM-exit handler in this example. And to get a rough idea of how event handling works,
09:25
this is pseudocode for the VM-exit handler. So when a VM-exit happens, the processor invokes this handler directly and also gives the context of the system, namely values of registers,
09:42
and also a reason why the VM-exit happened. And according to this reason, the handler executes the real implementation of the handler for each event. And you can extend the handler for your own purpose if you want,
10:04
and you can understand HyperPlatform as a VM-exit filtering platform. And on top of HyperPlatform, you can write extended logic only for events you are interested in.
10:21
For example, the move to control register 3 event. And you can forget about all other events you are not interested in. And this is essentially how HyperPlatform is used. Then, what is the advantage of using HyperPlatform,
10:43
and why do you want to use it? A short answer is, you can do what you cannot do without virtualization technology. So firstly, VM-exit is a new class of events you can filter.
11:01
So with HyperPlatform, you can tell the occurrence of a processor-level event, and even just an access to memory if you configure extended page tables. And secondly, the VM-exit handler is quite flexible. So you can return a different register value
11:22
against, say, an RDMSR instruction. And also, you can return different memory contents against a read memory operation in a system. And importantly, none of them is easy to implement without virtualization technology.
11:41
But with VT, it is quite straightforward. By utilizing those capabilities, you can implement meaningful logic for your own purpose on top of HyperPlatform. So let me share some ideas and example applications
12:01
implemented on top of HyperPlatform. The primary application I can think of is kernel code analysis. For example, like detection of dodgy instruction execution. For instance, malware rootkits often modify the value of control register 0
12:22
to disable memory write protection. But this is quite uncommon in normal system execution. So you can detect that event with VT, and then you can make further investigation. And the other application is detection of pool execution.
12:45
So by using EPT, you can catch execution of memory, and then you can check whether the address being executed is backed by any image or just a heap. In the kernel, it's called pool.
13:03
And if it is just backed by pool, it is quite suspicious, so you can also make further investigation against this region. And with this technique, you can get unpacked rootkit code from memory pretty quickly. So I will demonstrate it shortly.
13:21
And as a more advanced application of EPT, you can implement invisible API hooks. So if you are interested in this project, please check out the GitHub page, for DdiMon.
13:42
Okay, so let me demonstrate MemoryMon, which is able to detect execution of pool with a rootkit driver. In this demo, I am...
14:04
All right, so let's run 64-bit Windows 7. So in this demo, I am going to run malware, which is packed.
14:20
And then I will get the unpacked code extracted into memory using MemoryMon, which uses EPT. So this is a driver file, the malware rootkit file. And this is the corresponding IDA file. And if you take a look at the list of strings,
14:44
you can see that this is pretty short. And yeah, so most of the content in the file is just data.
15:05
So those are quite strong signs of a packed file. And then let's load MemoryMon. MemoryMon usually doesn't show many logs,
15:26
because execution of memory is quite uncommon on a normal system. But if you run this malware,
15:49
so MemoryMon started to show a lot of logs. Each log represents execution of memory outside of any driver file.
16:07
Yeah, so let's take a look at this entry. So this entry indicates that somebody executed this address.
16:25
And it is not backed by a driver file. It is just pool. So let's take a look at the contents with the local kernel debugger.
16:57
So the contents, the contents look like the entry point of a function on the heap.
17:05
It is quite suspicious. So let's take a dump of this region.
17:24
This address, rounded to a page boundary, going a little bit backward, and taking one megabyte.
17:45
So that's the memory contents dumped to a file. And if you give it to IDA and load it at the right place,
18:09
and if you take a look at the address, the executed address, you can see a nice structure of a function.
18:22
And also if you take a look at the list of strings in this memory region, you can see many interesting strings. Like beep.sys, tcpip.sys, probably TCPIP,
18:44
proxy.sys, or some function names or API names. And we didn't see those strings in the static file. So it is likely that this content is unpacked rootkit code extracted into memory.
19:01
You can write this kind of tool to assist your reverse engineering work using HyperPlatform.
19:32
Yeah, so apart from code analysis, you can implement hypervisor-based protection if you're interested in it.
19:41
So by terminating a process instead of just monitoring. EopMon is such an example. EopMon can detect a successful exploitation of a privilege escalation vulnerability by checking the token field of a process structure in the kernel.
20:02
And EopMon performs the token field check when the process that is currently executed on the processor is changed. So when the current process is being updated, Windows also updates the value of control register 3.
20:24
And because control register 3 is a system register, it triggers a VM-exit. And then EopMon performs, it checks the process that is ending its execution. And the system repeats this cycle for each process.
20:43
And whenever EopMon detects token stealing, so successful privilege escalation, it terminates the process. And in the case of EopMon, it is like the VM-exit is just a trigger point to perform a scan.
21:01
So EopMon doesn't even use the value of control register 3. It's just a handy timer event kind of thing. So let me quickly demonstrate EopMon with real malware. So I am going to run a Gozi sample,
21:20
which exploits a local privilege escalation vulnerability.
21:42
So this is 32-bit Windows 7. And first I am going to run the malware without EopMon and show a successful exploitation first. Now we have a command prompt running with low integrity.
22:02
So if you start any process from this command prompt, the subprocess is going to be low integrity too. But this malware, this one,
22:28
so this guy exploits a system vulnerability and gets system privilege first, then spawns a system-privilege explorer.exe. So that is how this malware works.
22:43
And then let's run the same sample with EopMon. So EopMon is also implemented on top of HyperPlatform. And run the same malware
23:01
and see if it is going to be detected. So now I executed the malware, the same sample, PID 1864. And then it starts exploitation, hopefully to protect the system.
23:23
Now the malware couldn't spawn explorer.exe because EopMon detected the exploitation and terminated the process before the malware does really bad things.
23:41
So you can write this kind of protection or tools by using HyperPlatform.
24:16
So let me briefly touch upon some limitations of this project.
24:21
So first of all, it cannot run inside VirtualBox because VirtualBox doesn't support nested virtualization. So you cannot simply run, you cannot run this project inside VirtualBox. And also it doesn't support AMD processors. And sadly, it cannot run with other hypervisors
24:44
on the same box simultaneously. I am trying to find the time to fix this issue, but at this time it is a limitation. So you can run, like, HyperPlatform and VirtualBox or VMware at the same time on the same box.
25:05
And as for the future of this project, I hope to see more use of this project from our community in any way. And so I am looking forward to hearing more feedback and ideas on what you can do with HyperPlatform.
25:21
I have some ideas though. For example, probably we can write a kernel code coverage monitor for effective fuzzing using Intel Processor Trace. Or we can write memory access visualization or authorization. Actually, Igor is working on this project at this time,
25:42
at this moment. And also probably we can write, we can use HyperPlatform for bug discovery, especially race-condition type of bugs, by analyzing memory access patterns with extended page tables. But those are all yet to be planned.
26:02
So I am looking forward to hearing more feedback and comments on this project. So let me wrap up the talk. So virtualization technology is powerful, but still an underutilized technology for reverse engineering. And HyperPlatform is a hypervisor
26:22
designed as a VM-exit filtering platform. And yeah, you can utilize virtualization technology and write new types of tools on Windows quickly and easily. And yeah, if you are interested, please check out the GitHub web page. It is open source.
26:41
And yeah, develop your own unique ideas and solutions. Yeah, that is all I have. Thank you.