2017 Annual ADFSL Conference on Digital Forensics, Security and Law Proceedings
May 15th, 1:00 PM
Detect Kernel-Mode Rootkits via Real Time Logging & Controlling Memory Access
Satoshi Tanda, [email protected]
Irvin Homem Stockholm University, [email protected]
Igor Korkin [email protected]
Scholarly Commons Citation Tanda, Satoshi; Homem, Irvin; and Korkin, Igor, "Detect Kernel-Mode Rootkits via Real Time Logging & Controlling Memory Access" (2017). Annual ADFSL Conference on Digital Forensics, Security and Law. 5. https://commons.erau.edu/adfsl/2017/papers/5
This Peer Reviewed Paper is brought to you for free and open access by the Conferences at Scholarly Commons. It has been accepted for inclusion in Annual ADFSL Conference on Digital Forensics, Security and Law by an authorized administrator of Scholarly Commons. For more information, please contact [email protected], [email protected].
(c) ADFSL. Detect Kernel-Mode Rootkits Via Real Time Logging ... CDFSL Proceedings 2017
DETECT KERNEL-MODE ROOTKITS VIA REAL TIME LOGGING & CONTROLLING MEMORY ACCESS

Irvin Homem, [email protected]
Satoshi Tanda, CrowdStrike, Inc, Vancouver, Canada
Igor Korkin, Independent Researcher, Moscow, Russia
{ tanda.sat, igor.korkin }@gmail.com

ABSTRACT

Modern malware and spyware platforms attack existing antivirus solutions and even Microsoft PatchGuard. To protect users and business systems, new technologies available in Intel and AMD CPUs may be applied. To deal with the new malware we propose monitoring and controlling access to memory in real time using Intel VT-x with EPT. We have checked this concept by developing MemoryMonRWX, which is a bare-metal hypervisor. MemoryMonRWX is able to track and trap all types of memory access: read, write, and execute. MemoryMonRWX also has the following competitive advantages: fine-grained analysis, support of multi-core CPUs and 64-bit Windows 10. MemoryMonRWX is able to protect critical kernel memory areas even when PatchGuard has been disabled by malware. Its main innovative features are as follows: guaranteed interception of every memory access, resilience, and low performance degradation.

Keywords: memory protection; tracking memory access; information leakage; kernel integrity; hypervisor

1. INTRODUCTION

Modern malware attacks on Windows machines are becoming increasingly sophisticated and extremely difficult to detect. The newest integrated security mechanisms of modern Windows 10 x64, such as Kernel Mode Code Signing (KMCS) and Kernel Patch Protection (KPP), also known as PatchGuard, are unable to prevent malicious activity. Modern malware attacks are 'surgical' and infect the networks of huge organizations even when their computers have never been connected to the Internet ('air-gapped' computers) (Paganini, 2014). Let us consider some recent incidents with the following malware: the Turla rootkit, which remained undiscovered for at least three years, and ProjectSauron, which has never been stored on a disk.

According to the security response by Symantec, the Turla trojan, which was created by the Waterbug hackers group, successfully compromised more than 4,500 computers from 100 countries (Symantec, 2016). Even the Swiss Federal Department of Defense (GovCERT, 2016) was under a cyber espionage attack via Turla (Paganini, 2016). This malware remained undiscovered for at least three years due to its stealth features, which helped to overcome both built-in
(c) 2017 ADFSL, Page 39
[Figure: memory accesses by SuspiciousDriver.sys and HiddenDriver.sys from source addresses (SourceAddr1, SourceAddr2, SourceAddr3) to destination addresses (DestinationAddr1, DestinationAddr2) holding sensitive data and system tables, and to code for execution.]
Methods for monitoring access to memory:
  - OS-based:
      - hooking memory management routines;
      - handling page-fault exceptions by the IDT.
  - Hypervisor-based:
      - handling page-fault exceptions by the hypervisor;
      - leveraging Intel VT-x with EPT technology (the proposed system).
[Figure: page-fault based monitoring. The paging data structures in virtual memory map PageA and PageB of Drv.sys and PageC holding secret data; in the page table the entries read, in the D and P bit columns, PTE for PageA: 1 1, PTE for PageB: 1 1, PTE for PageC: 1 0, so an access to PageC (Present bit cleared) raises a page fault (#PF) in physical memory, which causes a VM exit to the hypervisor dispatcher.]
[Figure: address translation under Intel VT-x with EPT. The OS in VMX non-root mode translates a guest virtual address (PageA and PageB of Drv.sys, secret data) through the guest paging data structures (CR3, PML4 table, PDPT, page directory, page table) to a guest physical address; the hypervisor in VMX root mode translates it through the EPT paging data structures (EPT pointer held in the VMCS, EPT PML4 table, EPT PDPT, EPT PD, EPT page table) to a host physical address. The EPT entry for PageB carries the bits 1 0, and an EPT violation is handled by the hypervisor dispatcher, which controls access.]
[Figure: memory access to the guest OS: a) page walk via guest pages, b) page walk via EPT pages, c) the bare-metal hypervisor between the OS and physical memory; the numbered steps show the order of the two-dimensional page walk.]
[Figure: a) EPT Normal View and b) EPT Monitor View, each giving the read, write and execute rights of the SRC, DST and OTH ranges; a right set to false makes the corresponding access generate a VM-Exit. In the normal view SRC.exec is false, so any execution of the SRC range generates a VM-Exit; in the monitor view SRC.exec is true and OTH.exec is false, so any execution outside the SRC range generates a VM-Exit.]
[Figure: switching the EPT pointer in the VMCS between views. Step 1 initializes the EPT normal view; Step 2 switches to the EPT monitor view and Step 5 switches back; Step 3 switches to an EPT monitor view with a replaced EPT.DST.PFN, EPT.DST.read=true, EPT.DST.write=true and MTF=true, and Step 4 returns to the monitor view.]
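The two EPT views and the view switches shown in the figures above, as a software model added here (it is not code from the paper or from MemoryMonRWX): the exact rights of each view, the temporary STEP view used during the MTF single-step, and the names handle_access, mtf_exit and demo_scenario are assumptions of this example. A guest access that violates the current view counts as a VM-exit, the handler switches views and logs accesses from the SRC range to the DST range.

```c
#include <stdbool.h>
/* Read/write/execute rights of one EPT range, as in the paper's EPT views. */
typedef struct { bool r, w, x; } rights_t;
enum range  { SRC, DST, OTH, NRANGES };  /* monitored driver, protected data, everything else */
enum view   { NORMAL, MONITOR, STEP };   /* STEP: temporary view while single-stepping with MTF */
enum access { READ, WRITE, EXEC };
/* Assumed view layout (an assumption of this example, not the paper's exact bit settings):
 * NORMAL: SRC not executable, all else accessible; MONITOR: SRC executable, DST not accessible,
 * OTH not executable; STEP: like MONITOR but DST accessible so the trapped instruction completes. */
static const rights_t views[3][NRANGES] = {
    [NORMAL]  = { [SRC] = {1, 1, 0}, [DST] = {1, 1, 1}, [OTH] = {1, 1, 1} },
    [MONITOR] = { [SRC] = {1, 1, 1}, [DST] = {0, 0, 0}, [OTH] = {1, 1, 0} },
    [STEP]    = { [SRC] = {1, 1, 1}, [DST] = {1, 1, 1}, [OTH] = {1, 1, 0} },
};
typedef struct { enum view view; int logged; int exits; } monitor_t;

static bool violates(rights_t rt, enum access a) {
    return (a == READ && !rt.r) || (a == WRITE && !rt.w) || (a == EXEC && !rt.x);
}

/* One guest access to a range; returns true when it raised an EPT violation (a VM-exit). */
bool handle_access(monitor_t *m, enum range target, enum access a) {
    if (!violates(views[m->view][target], a))
        return false;                               /* no VM-exit: the access just runs */
    m->exits++;
    if (m->view == NORMAL && target == SRC)         /* driver code began executing */
        m->view = MONITOR;
    else if (m->view == MONITOR && target == OTH)   /* execution left the driver */
        m->view = NORMAL;
    else if (m->view == MONITOR && target == DST) { /* driver touched protected data: log it, */
        m->logged++;  m->view = STEP;               /* then let it complete under MTF */
    }
    return true;
}

/* MTF VM-exit after the single-stepped instruction: back to the monitor view. */
void mtf_exit(monitor_t *m) { if (m->view == STEP) m->view = MONITOR; }

/* Constructed scenario: returns exits * 10 + logged, or -1 if the normal view was not restored. */
int demo_scenario(void) {
    monitor_t m = { NORMAL, 0, 0 };
    handle_access(&m, DST, READ);   /* access from outside the driver: allowed, not logged */
    handle_access(&m, SRC, EXEC);   /* NORMAL -> MONITOR */
    handle_access(&m, DST, READ);   /* logged, MONITOR -> STEP */
    handle_access(&m, DST, READ);   /* the same instruction re-executed: now allowed */
    mtf_exit(&m);                   /* STEP -> MONITOR */
    handle_access(&m, OTH, EXEC);   /* MONITOR -> NORMAL */
    return m.view == NORMAL ? m.exits * 10 + m.logged : -1;   /* 31 */
}
```

A real hypervisor performs the same switches by changing the EPT pointer in the VMCS; here they are plain state changes so the walk can be checked offline.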
[Figure: the SRC range (Drv.sys) performing read, write or execute access to the DST range (secret data), shown at guest physical addresses with the OS in VMX non-root mode and the hypervisor in VMX root mode.]
[Figure: architecture of MemoryMonRWX, a bare-metal hypervisor built on HyperPlatform, with an Image Load Detector, a Source/Destination Range Manager, a V2P Map Manager and an EPT controller; the EPT paging data structures hold the EPT Normal View and the EPT Monitor View, which map to host physical addresses.]
[Figure: lines of code, in millions, for MemoryMonRWX (0.012), Xen (0.32), QEMU and VirtualBox (3.1 and 6.1).]
[Figure: a rootkit attack after PatchGuard has been disabled: RootkitDriver.sys hooks the System Service Descriptor Table (ZwClose, ZwReadFile, ZwCreateKey, ...) and unlinks itself from the list with drivers information, while SpywareDriver.sys reads sensitive data (crypto keys, passwords) to steal credentials.]
[Figure: performance degradation in percent (0% to 100% scale) measured with PCMark8 Home and Novabench RAM Speed, CPU Tests, Graphics Tests and Drive Write Speed; bar values in the order shown: 18%, 7%, 5%, 5%, 2%.]