Monitoring & controlling kernel-mode events by HyperPlatform

Video in TIB AV-Portal: Monitoring & controlling kernel-mode events by HyperPlatform

Formal Metadata

Title
Monitoring & controlling kernel-mode events by HyperPlatform
Title of Series
Part Number
12
Number of Parts
20
Author
Contributors
License
CC Attribution 4.0 International:
You are free to use, adapt and copy, distribute and transmit the work or content in adapted or unchanged form for any legal purpose as long as the work is attributed to the author in the manner specified by the author or licensor.
Identifiers
Publisher
Release Date
2016
Language
English

Content Metadata

Subject Area
Abstract
We will present a HyperPlatform, which is an advanced system monitoring platform for Windows Operating System (OS). Using Intel VT-x and Extended Page Table (EPT) technologies, this platform provides speedy monitoring of various events. HyperPlatform is hidden and resilient to modern anti-forensics techniques and can be easily extended for day-to-day reverse engineering work. Even nowadays, there are no suitable tools to analyze a kernel-mode code for many of researchers. Steady growth of ring0 rootkits requires a fast, undetectable and resilient tool to monitor OS events for all protection rings. Such a tool will significantly contribute to reverse-engineering. While existing virtualization infrastructures such as VirtualBox and VMware are handy for analysis by themselves, VT-x technology has much more potential for aiding reverse engineering. McAfee Deep Defender, for example, detects modification of system critical memory regions and registers. These tools are, however, proprietary and not available for everyone, or too complicated to extend for most of the engineers. HyperPlatform is a thin hypervisor, which has a potential to monitor the following: access to physical and virtual memory; functions calls from user- and kernel-modes; code execution in instruction granularity. The hypervisor can be used to monitor memory for two typical use cases. The first one is monitoring access to specified memory regions to protect system critical data such as the service descriptor table. The second case is recording any types of memory access from a specified memory region such as a potentially malicious driver to analyze its activities. Also, HyperPlatform is capable of monitoring a broad range of events such as interruptions, various registers and instructions. Tools based on HyperPlatform will be able to trace each instruction and provide dynamic analysis of executable code if necessary. We will demonstrate two examples of adaptation of HyperPlatform: MemoryMon and EopMon. The MemoryMon is able to monitor virtual memory accesses and detect dodgy kernel memory execution using EPT. It can help rootkit analysis by identifying dynamically allocated code. The EopMon is an elevation of privilege (EoP) detector. It can spot and terminate a process with a stolen system token by utilizing hypervisor’s ability to monitor process context-switching. Implementing those functions used to be challenging, but now, it can be achieved easier than ever using HyperPlatform.
Computing platform Hypercube
Type theory Computer animation Open source Semiconductor memory Multiplication sign Projective plane Planning Quicksort Logic gate Window Physical system
Context awareness Greatest element Code Multiplication sign Optical disc drive Medical imaging Computer configuration Semiconductor memory Cuboid Physical system Exception handling Social class Predictability Seitentabelle Spacetime Shared memory Instance (computer science) Window function Type theory Arithmetic mean Process (computing) Data storage device Right angle Reading (process) Reverse engineering Asynchronous Transfer Mode Point (geometry) Web page Implementation Observational study Open source Connectivity (graph theory) Real number Virtual machine Event horizon Machine vision Product (business) Causality Operator (mathematics) Computing platform Dialect Key (cryptography) Projective plane Mathematical analysis Content (media) Independence (probability theory) Directory service Cartesian coordinate system Hypercube Particle system Computer animation Visualization (computer graphics) Integrated development environment Personal digital assistant Logic Window Active contour model
Computer animation Lecture/Conference Bit Window
Computer animation Computer file Internet forum Semiconductor memory
Sign (mathematics) Computer animation Computer file Semiconductor memory Structural load Content (media) Error message Physical system
Computer animation Computer file Semiconductor memory
Computer animation Content (media)
Point (geometry) Dialect Computer animation Core dump Content (media) Function (mathematics)
Web page Computer animation Semiconductor memory Core dump Boundary value problem
Computer file Content (media) Function (mathematics) Category of being Computer animation Semiconductor memory Rootkit String (computer science) Right angle Data structure Proxy server Computing platform Reverse engineering
Point (geometry) Implementation Validity (statistics) Multiplication sign Sampling (statistics) Insertion loss Open set Exploit (computer security) Event horizon Window function Frequency Medical imaging Process (computing) Computer animation Personal digital assistant Ontology Order (biology) Data structure Cycle (graph theory) Hyperbola Physical system
Computer animation Lecture/Conference Exploit (computer security) Window
Computer animation Special unitary group
Computer animation Internet forum Sampling (statistics) Exploit (computer security) Physical system
Computer animation Multiplication sign Sampling (statistics) Principal ideal domain Endliche Modelltheorie Exploit (computer security) Computing platform Physical system
Web page Multiplication sign Mereology Machine vision Lecture/Conference Semiconductor memory Oval Authorization Cuboid Utility software Office suite Computing platform Addition Dialect Seitentabelle Uniqueness quantification Projective plane Feedback Moment (mathematics) Limit (category theory) Hypercube Type theory Computer animation Visualization (computer graphics) Right angle Window Reverse engineering
Computer animation
it half dead in the in the in the uh the and and so I'd
like to welcome the institution tender back to recon uh during after I think 5 years show is going to talk about hyper platform thanks well yet but under Michael so before I start to talk let me know that 1 funny because most mostly but this is a picture
I took 5 years ago when they came here of for the fast time the but this picture is not actually a picture of the Montreal you see that picture you start when there's heading to Montreal from Japan I had to transfer my playing a disco airport and I was ready for this but my thank you and I had to go to that different boarding gate from 2 bond I recently had to go and that was also my 1st time too busy to have different country and even take a plane so I got confused and got lost in G apology and miss the flight and ended up with a thing of hotel in the nearby Cisco airport that was that funny that memory to me and now yeah I am
pleased to be here without getting lost I didn't go to recall the song my monies to be here yeah so I am going to talk about some more open source type of ITER project name the fight but that so if you are interested in Windows Carnell hypervisor system we think was some sort of you will be invested in yeah so in this talk I am
going to tell just a couple of things so tightly feel like that if you want to have more ability to monitor and Pontil Windows system activities in a lighter-weight minor I thought that is for you and hyper platform is a hypervisor designed odds of DM it thing platform to utilize but television technology and the right new types of point the tools on Windows easier and the but that these basically what I am going to tell him this talk the so let me introduce myself could the I am subtle and our reverse-engineer investigating Windows con and I implemented type platform and I am watching out so both of us that researcher specializing eating and behavior made behavior-based mother detection but project and Bailey down independently so feel free to reach out to me directory and the goal he is up whole researcher and he's on independent researcher specializing in making cybersecurity and especially memory for NG and nudity Dicey's unfortunately he is unable to come here but you're done differently rejected sham husband as me so let me start motivation why do you need yet another high project the subprime unsellable p had issues we found that we still didn't have a good tool to analyze windows kind activities so in my case I personally wanted to analyse but still some not my by my employer by you wanted to analyze party and much that was uh challenging component to reverse engineer because it doesn't allow you to modify Windows con el in any way so you can set the neither breakpoint demand of its activity and people he also wanted to have high mutual to analyze windows Connell because he constantly deal with with Kate for his research developed there and the idea is always all always works but it is always causal time consuming the so toasters want quite efficient the but actually a lack of tle wasn't Ariel issues issue because we kind of knew of something it the solution was Vijay vision technology so there are plenty of a particle paper and an ISA systems using by television some technology and also he knew that but television technology is just more than providing found the books environment the so I lack a little wasn't our really she's don't really issue was that there was no suitable hypervisor to utilize but ization technology only for systemic dying couples on Windows the so assume that you want to monitor a system you by using but a vision technology on Windows you need a hypervisor but what options do we have the 1st of death a that there were a couple of good looking much the products but obviously those up upload by a guy and not available to us and if you take a look at some existing lighter-weight hypervisor us on Windows those lacked the modern platform support for example high but the back which is an really some projects but he didn't support 64 b . fixture and if you take a look at more comprehensive a hypervisor projects those were just too large to understand and extend if you hire the holiest you will probably be OK but if you want to be if you wanna independent use do some research it's probably too time consuming the and also also was at the 1 quite out windows ingenious friendly it requires facing going to install in the compiled for us we found that box was actually a kind of exception we find that the box was quite easy to compile and run and even understand but that were just too slow for day-to-day use age so to summarize this is our so which I and he's really believe that be share the couple and you believe that a community media of solution there it somehow of so we we decided to embark on this problems and as a solution we developed a hyper platform but that Tom allows you to monitor window system activities including con el and is open source and supports Windows 7 to can almost 64 and study to had fixtures and it is small small enough and 1 was a knife if the things of this project is that you don't compile this project on Visual Studio without any sound but you liabilities and can be developed just as of soft a
driver and it is a fast and this is how does high but the so how does the type of platform work so if you are familiar with blue bill hypervisor this is essentially a quite similar so fast all of it is loaded into kind of this space has softer driver and then it enables the VMX operation mode of as a process us and once GBM this operation more these in a but both is the study to cheat do empire system of of bottom machines and invoke a register contour based on under of came up on all eyes of southern events such as exception or execution saddened type of instructions or access to system registers like condo register the and those events of called the it and a high that platform implements g Honda so the amazing Honda in this example and to get a laugh idea of how the event handling works at these these pseudo code of all the image behind the so when of the image happened invokes this Honda and also gives a context of the system namely values all registers and also a reason why the images it happens and upholding with this reason Honda execute real implementation Alejandro so for EEG event the and you can extend to Honda for your own purpose if you want and you can understand hype up platform of DM it filtering platform and on the top of the hyper platform you can right extended logic only for events you are intensity for example when I move it to point already start the event and you don't forget about or other events you are not invested in and this is essentially how hyper platform is used then what is and other vantage of using hyper platform and why do you want to use it the a short the answer is you can do what you can not to do without but aviation technology so fast fully like the images it is a new class of events you don't fit the use high that platform you can tell opens all of Apple's solidarity then and even just on access to memory if you configure extended the page tables and secondly to be emitted at the Honda is quite flexible some you can we cannot defend register values are days say I'll read of a missile instruction and also you can read out the event memory contents are based we the memory operation in a system and importantly and all of them is easy to implement without the budget is technology but is the key idea is quite straightforward the the by utilizing souls capability you can implement meaning could logic for your own papers on the top of a hyper platform so let me share some ideas and example applications implemented on the top will hype of phone to so primary application I don't think it is cholera Paul analysys for example like the diction of dodgy instruction execution for instance smile their mitigate over modifies a value of 1 is that general did you say you memory like to prediction but this is a quite uncommon on no more system execution so you can the text that the event with the key and then made me you can make a father investigation and 2 other application is the detection of CPU execution the so by using it the you can catch execution of memory and then you can check whether to address jobless being executed it is about to buy any image or just a sheep entirely it's people the and if he didn't just stop the Bikel it is quite suspicious so you can also make father investigations are based in these regions the and with this technique it and get on up through it could call the from 2 memories we could 3 so I will demonstrate the children and as a more advanced at advanced application we be key you can implement invisible API fuck if so if you're interested in this project that breach that I did palpation page so the item on so so I'll let me demonstrate memory mom which is able to detect execution of people we use our own role driver right so in
DCMI getting when
so it's on the 64 bit Windows 7 so in this them I am
going to ram there which is packed and then I will get hung up to called
accepted don't in memory using the memory mom which uses in so this is a driver file moderate file and this is our responding identify and if you take a
look at a least all the things we don't we can see that makes these stays pretty short and yeah so most of contents in the file you just the data so this the those up quite strong signs of up to file
and then let's load memory mom memory money usually doesn't show much lovers this because the execution of Mameli is quite uncommon on anomalous systems but the few around this error
if so memory most studied to show a lot of love this so each a lipid and
execution of a memory outside of any driver files the yeah so let's take a look at these I can't read the the so the 2nd entry indicates that somebody executed these other F. and it is not backed by a driver file it is just a so let's take a look at the
contents he she local content about the no so
dependent want but contents looks like
an entry point 0 function on the sheep you it is quite
suspicious so let's take a dump of this region small all these
are S and erupting to page boundary and the love backwards in take 1 now I Ch
so that accepted death of memory convince dumps to a file and if you give it to hide
our and loading the date 2 of the right of friends the and if we take
a look at 2 to address consider executed others the the can see of nice the structure all function and also if you take a look at how the still strings indeed motivation and you don't see many interesting strings makes make b . cs P delta properties you get the for a proxy cs the or a some function names the voice opinions and we you see those strings in the static file so it is likely that this content is on pump up the root called extracted on the memory you can use this kind of you can write this kind of told to us a steel reverse engineering work using hyper platform we
it yeah so apart
from hold on but you can implement hyperbolas orders a protection if you're interested in so by that time making process instead of just my during the yield among these are such example but your among tend to get a successful exploitation of at it's escalation von validity and by taking a Toeplitz failed all up most structure in the upon and you'll be mom performance up tocompute I ran up losses that is contrary executed on the processor is changed so when up to current process is being updated windows also updates a value of the Register the and because kQ ontologies that the is a system register between SVM and and then we'll be mom performs it it checks a process that is ending its execution and systemic is this cycle for each processor and whenever you open Monte Dawkins dealing so successful abbreviate escalation accommodates the pluses In the case of we'll be mom and it is that the image it is just not to point to perform stem so he'll Piemonte doesn't even use a value of on register the it's just a harm the time event kind of things the so let me think we demonstrate the your mom least I will not there so it it I am going to run was you sample which exploits a local higher than period gestation volatility the hi
so this is studied Windows 7 and
1st I am going to run out there is that
your be mom and show the successful exploitation for us now we
have among the quantity running this will integrate the so you've
used that any as from these on the plant subplots s is going to be also blowing lady but the smaller of the sun so this guy
exploits a system biology and get system privilege for us then sponsor system 3 pitch explored OPEC of that you have these moderates and then Rex
that the same sample with your be mom
so you be 1 is also implemented on the
top of a high up platform and around the same and see if it is going to be detected the nights acute at all model the same sample PID 1864 and then it starts exploitation hopefully to protect the system now we eat couldn't make money couldn't Spong export of easy because that you'll be mom didactic and exploitation and time you did the closest before demanded doesn't really but things so you can write this kind of like protection what tools on you by using hyper platform the of they soul which
yeah so let me briefly touch upon some limitations on this project so 1st of all we cannot around inside a vital box uh because vital books doesn't support missed it by vision so you cannot simply land but you cannot run this project insight about a box and also the doesn't support became people offices and southerly it cannot run these other hypervisors us on the same books simultaneously I am trying to find the time to fix this issue but at this time it is a limitation so you it don't run thanks hypervisor hyper platform and a bunch of books at the American at the same time in the same box and as for the future this project I hope to see more use of this project FlamMap will not community in any race and so I am looking at what the Schelling more feed about and ideas on what you can do with hyper platform have some idea of the void uncle body our region right column pour the college money . for effective part in this using plus a set price will be downright memory access visualizations authorization after Eagle is watching on this project at this time at this moment and also probably be down right and we can use hype up that form for by the scholarly especially rest on some type about by analyzing memory access but on we've extended the page table and but those are all yet to be banned so so I am looking at what the Schelling more feedback and comments on this project so let me wrap up the pope so about addition technology is a powerful but still underutilized technology for reverse engineering and hyper platform is a hypervisor designed as of the emitted to prevent platform and yeah you can utilize advantage and technology and the right new types of tle Windows quickly and easily and yeah if you are interested in the technology deep however page is all the and yet develop your own unique ideas and solutions and that is all I have thank you
Feedback