
2017 Annual ADFSL Conference on Digital Forensics, Security and Law Proceedings

May 15th, 1:00 PM

Detect Kernel-Mode Rootkits via Real Time Logging & Controlling Memory Access

Satoshi Tanda [email protected]

Irvin Homem Stockholm University, [email protected]

Igor Korkin [email protected]

Follow this and additional works at: https://commons.erau.edu/adfsl Part of the Forensic Science and Technology Commons, and the Information Security Commons

Scholarly Commons Citation Tanda, Satoshi; Homem, Irvin; and Korkin, Igor, "Detect Kernel-Mode Rootkits via Real Time Logging & Controlling Memory Access" (2017). Annual ADFSL Conference on Digital Forensics, Security and Law. 5. https://commons.erau.edu/adfsl/2017/papers/5

This Peer Reviewed Paper is brought to you for free and open access by the Conferences at Scholarly Commons. It has been accepted for inclusion in Annual ADFSL Conference on Digital Forensics, Security and Law by an authorized administrator of Scholarly Commons. For more information, please contact [email protected], [email protected]. (c) ADFSL

DETECT KERNEL-MODE ROOTKITS VIA REAL TIME LOGGING & CONTROLLING MEMORY ACCESS

Satoshi Tanda, CrowdStrike, Inc, Vancouver, Canada
Igor Korkin, Independent Researcher, Moscow, Russia
{ tanda.sat, igor.korkin }@gmail.com
Irvin Homem, [email protected]

ABSTRACT

Modern rootkits and spyware platforms attack existing antivirus solutions and even PatchGuard. To protect users and business systems, new technologies developed by Intel and AMD CPUs may be applied. To deal with the new malware we propose monitoring and controlling access to the memory in real time using Intel VT-x with EPT. We have checked this concept by developing MemoryMonRWX, which is a bare-metal hypervisor. MemoryMonRWX is able to track and trap all types of memory access: read, write, and execute. MemoryMonRWX also has the following competitive advantages: fine-grained analysis, support of multi-core CPUs and 64-bit Windows. MemoryMonRWX is able to protect critical kernel memory areas even when PatchGuard has been disabled by malware. Its main innovative features are as follows: guaranteed interception of every memory access, resilience, and low performance degradation.

Keywords: memory protection; tracking memory access; information leakage; kernel integrity; hypervisor

1. INTRODUCTION

Modern malware attacks on Windows machines are becoming increasingly sophisticated and extremely difficult to detect. The newest integrated security mechanisms on modern Windows 10 x64, such as Kernel Mode Code Signing (KMCS) and Kernel Patch Protection (KPP), also known as PatchGuard, are unable to prevent malicious activity. Modern malware attacks are 'surgical' and infect networks of huge organizations even when their computers have never been network-connected ('air-gapped' computers) (Paganini, 2014). Let us consider some recent incidents with the following malware: Turla, which remained undiscovered for at least three years, and ProjectSauron, which has never been stored on a disk.

According to the security response by Symantec, the Turla trojan, which was created by the Waterbug hackers group, successfully compromised more than 4,500 computers from 100 countries (Symantec, 2016). Even the Swiss Federal Department of Defense (GovCERT, 2016) was under a cyber-espionage attack via Turla (Paganini, 2016). This malware remained undiscovered for at least three years due to its stealth features, which helped to overcome both built-in

© 2017 ADFSL Page 39

[Figure: threat model. SuspiciousDriver.sys accesses sensitive data and system tables (SourceAddr1 -> DestinationAddr1, SourceAddr2 -> DestinationAddr2); HiddenDriver.sys at SourceAddr3 is an execution source.]

[Figure: methods for monitoring access to memory. OS-based: hooking memory management routines; handling page-fault exceptions by the IDT. Hypervisor-based: handling page-fault exceptions by the hypervisor; leveraging Intel VT-x with EPT technology (the proposed system).]

[Figure: page-fault based monitoring. Paging data structures with the D and P bits of the page table entries for PageA (Drv.sys), PageB and PageC (secret data); PageC is marked not present (PTE for PageC: 1 0), so a read of PageC raises a page fault (#PF) that leads to a VM exit handled by the hypervisor's dispatcher. Panels: virtual memory, physical memory.]

[Figure: two-level address translation. The OS in VMX non-root mode walks the guest paging data structures (CR3, PML4 table, PDPT, page directory, page table) from guest virtual address to guest physical address; the hypervisor in VMX root mode holds the EPT pointer in the VMCS and walks the EPT paging data structures (EPT PML4 table, EPT PDPT, EPT PD, EPT page table) from guest physical address to host physical address. The hypervisor dispatcher controls access through EPT violations (EPT PTE for PageB: 1 0).]

[Figure: memory access to the guest OS. (a) page walk via guest pages; (b) page walk via EPT pages with a bare-metal hypervisor; (c) physical memory.]

[Figure: EPT permission bits. (a) EPT Normal View: SRC.read = true, SRC.write = true, SRC.exec = false (any execution access generates a VM-Exit); DST.read = true, DST.write = true, DST.exec = true; OTH.read = true, OTH.write = true, OTH.exec = true. (b) EPT Monitor View: SRC.read = true, SRC.write = true, SRC.exec = true; DST.read = false, DST.write = false, DST.exec = false (any read, write or execution access generates a VM-Exit); OTH.read = true, OTH.write = true, OTH.exec = false (any execution access generates a VM-Exit).]

[Figure: switching between EPT views. Step 1: init, the VMCS EPT pointer refers to the EPT normal view. Step 2: switch to the EPT monitor view. Step 3: EPT monitor view with replaced EPT.DST.PFN, EPT.DST.read = true, EPT.DST.write = true and MTF = true. Steps 4 and 5: return to the EPT monitor view and then to the EPT normal view. Panels (a) and (b) show a SRC range (Drv.sys) performing read, write or execute accesses to a DST range (secret data); the OS runs in VMX non-root mode on guest physical addresses, the hypervisor in VMX root mode.]

[Figure: MemoryMonRWX architecture. MemoryMonRWX (a bare-metal hypervisor built on HyperPlatform, VMX root mode) consists of an Image Load Detector, a Source/Destination Range Manager, a V2P Map Manager and an EPT controller managing the EPT paging data structures (EPT Normal View and EPT Monitor View) that map guest physical addresses of the OS in VMX non-root mode to host physical addresses.]

[Figure: bar chart of lines of code, in millions, for MemoryMonRWX, Xen, QEMU and VirtualBox; the values labelled in the chart, from left to right, are 0.012, 0.32, 3.1 and 6.1.]

[Figure: rootkit activity once PatchGuard has been disabled. RootkitDriver.sys hooks the System Service Descriptor Table (ZwClose, ZwReadFile, ZwCreateKey, ...) and unlinks its entry from the list with driver information; SpywareDriver.sys reads sensitive data (crypto keys, passwords) to steal credentials.]

[Figure: performance degradation, y-axis 0% to 100%; the values labelled in the chart, from left to right, are PCMark8 Home 18%, Novabench RAM Speed 7%, Novabench CPU Tests 5%, Novabench Graphics Tests 5%, Novabench Drive Write Speed 2%.]
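The abstract describes trapping read, write and execute accesses with Intel VT-x and EPT, and the paper's figures give the permission bits of an EPT normal view and an EPT monitor view together with the single-step (MTF) switch when a monitored range touches protected data. The following is an added simulation of that scheme, written for this edit; it is not code from the paper, from HyperPlatform or from MemoryMonRWX. It models EPT views as permission tables, a VM-exit as a method call and guest memory as a dictionary; the range names SRC, DST and OTH come from the figures, while the page layout, the sample trace, the secret value and all helper names are assumptions.

```python
"""Constructed model of two-view EPT access monitoring (added example, not
code from the paper, HyperPlatform or MemoryMonRWX)."""
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed guest-physical layout (page frame numbers, PFNs).
RANGES = {
    "SRC": range(0x100, 0x110),  # pages of the monitored driver
    "DST": range(0x200, 0x204),  # pages holding the protected data
}

def range_of(pfn: int) -> str:
    for name, pages in RANGES.items():
        if pfn in pages:
            return name
    return "OTH"  # all other guest memory

# (read, write, exec) permission bits per range in each EPT view.
VIEWS = {
    # normal view: only execution inside SRC traps, everything else runs freely
    "normal": {"SRC": (True, True, False), "DST": (True, True, True), "OTH": (True, True, True)},
    # monitor view: SRC runs, every DST access traps, leaving SRC (exec in OTH) traps
    "monitor": {"SRC": (True, True, True), "DST": (False, False, False), "OTH": (True, True, False)},
    # temporary view while single-stepping a trapped DST access (MTF set):
    # DST is readable/writable again, but its PFN is replaced by a shadow frame
    "monitor-step": {"SRC": (True, True, True), "DST": (True, True, False), "OTH": (True, True, False)},
}
BIT = {"read": 0, "write": 1, "exec": 2}

@dataclass(frozen=True)
class Access:
    rip_pfn: int                  # page containing the executing instruction
    kind: str                     # "exec" (fetch only), "read" or "write"
    target_pfn: Optional[int] = None
    value: Optional[int] = None   # data to store, for "write"

class Monitor:
    """Models the hypervisor's EPT-violation dispatcher (assumed design)."""

    def __init__(self, memory: Dict[int, int]):
        self.memory = memory              # real guest-physical memory (pfn -> word)
        self.shadow: Dict[int, int] = {}  # shadow frames substituted for DST pages
        self.view = "normal"
        self.mtf = False                  # Monitor Trap Flag: exit after one instruction
        self.log: List[str] = []

    def allowed(self, pfn: int, kind: str) -> bool:
        return VIEWS[self.view][range_of(pfn)][BIT[kind]]

    def ept_violation(self, acc: Access, pfn: int, kind: str) -> None:
        tgt = range_of(pfn)
        if kind == "exec":
            # execution crossed a range boundary: swap the EPT pointer
            self.view = "monitor" if tgt == "SRC" else "normal"
            self.log.append(f"exec {tgt} pfn={pfn:#x}: switch to {self.view} view")
        else:
            # SRC touched DST: log it, redirect to the shadow frame, single-step
            self.log.append(f"{range_of(acc.rip_pfn)} {kind} {tgt} pfn={pfn:#x} from rip={acc.rip_pfn:#x}")
            self.view = "monitor-step"
            self.mtf = True

    def step(self, acc: Access) -> Optional[int]:
        """Run one guest instruction; returns the value read, if any."""
        if self.mtf:  # MTF exit: the single-stepped instruction has completed
            self.mtf = False
            self.view = "monitor"
            self.log.append("MTF exit: monitor view restored")
        # The guest retries the instruction until no EPT violation remains.
        while True:
            if not self.allowed(acc.rip_pfn, "exec"):
                self.ept_violation(acc, acc.rip_pfn, "exec")
            elif acc.kind != "exec" and not self.allowed(acc.target_pfn, acc.kind):
                self.ept_violation(acc, acc.target_pfn, acc.kind)
            else:
                break
        if acc.kind == "exec":
            return None
        redirected = self.view == "monitor-step" and range_of(acc.target_pfn) == "DST"
        frame = self.shadow if redirected else self.memory
        if acc.kind == "write":
            frame[acc.target_pfn] = acc.value
            return None
        return frame.get(acc.target_pfn, 0)

def demo():
    """Constructed trace: a driver in SRC reads and writes the protected page."""
    memory = {0x200: 0x5EC7E7}  # constructed secret in the DST range
    mon = Monitor(memory)
    trace = [
        Access(0x010, "exec"),                # benign code outside SRC
        Access(0x100, "exec"),                # enters the monitored driver
        Access(0x101, "read", 0x200),         # driver reads the secret
        Access(0x102, "write", 0x200, 0x42),  # driver overwrites it
        Access(0x020, "exec"),                # execution returns to other code
        Access(0x021, "read", 0x200),         # benign read of the real page
    ]
    reads = [v for v in (mon.step(a) for a in trace) if v is not None]
    return mon.log, memory, mon.shadow, reads

if __name__ == "__main__":
    for line in demo()[0]:
        print(line)
```

The trace shows the two properties the abstract claims: every access from SRC to DST produces a log entry (the read and the write each cause an EPT violation), and the access is controlled rather than merely observed, since the driver's write lands in the shadow frame and its read returns the shadow contents while the real page keeps the secret. Code outside SRC runs in the normal view and reaches the real data without any exit.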