FFR GreenKiller - Automatic kernel-mode malware analysis system
Page 1
AVAR 2009 @ Kyoto
FFR GreenKiller: Automatic kernel-mode malware analysis system
Junichi Murakami
Director of Research, Fourteenforty Research Institute, Inc.
Page 2
Who am I?
• MURAKAMI Junichi (村上純一)
  – Reverse engineer; both Windows and Linux kernel development
  – BlackHat speaker, US and Japan 2008
  – Security & Programming Camp instructor (2006 - )
  – ITPro ホワイトハッカー道場 (White Hacker Dojo): http://itpro.nikkeibp.co.jp/article/COLUMN/20070927/283156/
Page 3
FFR GreenKiller
Analyzing a malicious driver from the VMM (version 0.0.1)
Architecture diagram labels: Guest (ring 3: Agent; ring 0: kernel malware), VMM: FFR GreenKiller (based on BitVisor), Tracer, log, VMCALL from the Agent to the VMM.
Page 4
Background
Rootkits, Part 1 of 3: The Growing Threat (McAfee Avert Labs)
http://www.mcafee.com/us/local_content/white_papers/threat_center/wp_akapoor_rootkits1_en.pdf
Page 5
Why is kernel mode troublesome?
Diagram: ring 3 malware is a process and can be taken apart with IDA Pro etc.; ring 0 kernel malware is not.
User-mode malware is a process; kernel-mode malware is part of the system.
In kernel mode a mistake during analysis is a BSOD, not a dead process.
Page 6
FFR GreenKiller
(Architecture diagram from page 3 repeated.)
Page 7
BitVisor - http://www.bitvisor.org
• Open-source VMM software (BSD license)
• Secure VM Project (national project in Japan)
• Intel VT and AMD-V supported
• GreenKiller uses BitVisor as its VMM framework
Layer diagram: Hardware; BitVisor (VMM core plus security features: disk encryption, VPN, ...); Guest OS with its device drivers running on top.
Page 8
BitVisor (cont.)
Boot sequence diagram: BIOS -> Grub -> BitVisor -> NTLDR -> Windows. BitVisor is loaded by the boot loader and then starts the guest's own boot loader.
Page 9
Initialization
Diagram: the Agent (ring 3) issues a VMCALL to FFR GreenKiller, passing ptr_PsLoadedModuleList and ptr_IopLoadDriverHookAddr.
1. Build up the kernel API database
2. Hook the driver-loading API in the Guest
Page 10
PsLoadedModuleList
Diagram: PsLoadedModuleList, the kernel's doubly linked list of loaded modules (ntoskrnl.exe, win32k.sys, ...), each entry shown with its DriverObject. (Each list entry is a loader data-table entry holding the module base and size; a driver's DRIVER_OBJECT.DriverSection points back to it.)
Page 11
DriverObject
kd> dt nt!_DRIVER_OBJECT
   +0x000 Type             : Int2B
   +0x002 Size             : Int2B
   +0x004 DeviceObject     : Ptr32 _DEVICE_OBJECT
   +0x008 Flags            : Uint4B
   +0x00c DriverStart      : Ptr32 Void
   +0x010 DriverSize       : Uint4B
   +0x014 DriverSection    : Ptr32 Void
   +0x018 DriverExtension  : Ptr32 _DRIVER_EXTENSION
   +0x01c DriverName       : _UNICODE_STRING
   +0x024 HardwareDatabase : Ptr32 _UNICODE_STRING
   +0x028 FastIoDispatch   : Ptr32 _FAST_IO_DISPATCH
   +0x02c DriverInit       : Ptr32     long
   +0x030 DriverStartIo    : Ptr32     void
   +0x034 DriverUnload     : Ptr32     void
   +0x038 MajorFunction    : [28] Ptr32     long
Building the API database from the export table of ntoskrnl.exe (the MZ/PE image in guest memory):
  image base: 0x804d9000
  .edata section: DbgPrint RVA 0x5002e, DbgPrintEx RVA 0x50050, ...
  DbgPrint   = 0x804d9000 + 0x5002e = 0x8052902e
  DbgPrintEx = 0x804d9000 + 0x50050 = 0x80529050
  ...
Page 12
Initialization
(Initialization diagram from page 9 repeated: 1. Build up the kernel API database; 2. Hook the driver-loading API in the Guest.)
Page 13
IopLoadDriver
The hook inside IopLoadDriver is a breakpoint: when the Guest loads a driver, execution breaks and control switches to the VMM.
Page 14
Break at DriverEntry
In the VMM, at the IopLoadDriver break (the image base of the just-loaded malware driver is on top of the Guest stack), FFR GreenKiller plants a breakpoint on the driver's entry point:
  mov  eax, dword ptr [guest_esp]   ; image base of the malware driver
  mov  edx, eax
  push eax
  call GetAddressOfEntryPoint       ; AddressOfEntryPoint RVA from the PE optional header
  add  edx, eax                     ; base + RVA = DriverEntry
  mov  byte ptr [edx], 0xcc         ; int3 at DriverEntry
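The two PE walks described on pages 11 and 14 (turning ntoskrnl.exe's export RVAs into the kernel API database, and computing base + AddressOfEntryPoint before writing 0xcc) as an added example in C. This is not GreenKiller's code: it parses a constructed minimal PE32 image laid out as it would be mapped in guest memory (RVA == offset, which is what a VMM reading guest memory sees). Only the base 0x804d9000 and the two RVAs come from the slides; the entry-point RVA 0x100, the image layout and all function names are assumptions.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

#define IMG_LEN     0x300
#define SAMPLE_BASE 0x804d9000u   /* ntoskrnl.exe base address shown on the slide */
#define MAX_EXPORTS 64

struct kapi    { char name[32]; uint32_t va; };
struct kapi_db { struct kapi e[MAX_EXPORTS]; size_t n; };

/* Little-endian accessors over an image as it is mapped in guest memory (RVA == offset). */
static uint16_t rd16(const uint8_t *p, uint32_t o) { return (uint16_t)(p[o] | p[o + 1] << 8); }
static uint32_t rd32(const uint8_t *p, uint32_t o) { return p[o] | p[o + 1] << 8 | p[o + 2] << 16 | (uint32_t)p[o + 3] << 24; }
static void wr16(uint8_t *p, uint32_t o, uint16_t v) { p[o] = (uint8_t)v; p[o + 1] = (uint8_t)(v >> 8); }
static void wr32(uint8_t *p, uint32_t o, uint32_t v) { wr16(p, o, (uint16_t)v); wr16(p, o + 2, (uint16_t)(v >> 16)); }

/* Offset of IMAGE_OPTIONAL_HEADER32, or 0 if the buffer does not look like a PE32 image. */
static uint32_t opt_hdr(const uint8_t *img, size_t len) {
    if (len < 0x40 || img[0] != 'M' || img[1] != 'Z') return 0;
    uint32_t pe = rd32(img, 0x3c);                       /* e_lfanew */
    if (pe > len || len - pe < 24 + 0xE0 || memcmp(img + pe, "PE\0\0", 4) != 0) return 0;
    return pe + 24;                                      /* "PE\0\0" (4) + IMAGE_FILE_HEADER (20) */
}

/* AddressOfEntryPoint RVA: what GetAddressOfEntryPoint on the slide returns for the loaded driver. */
uint32_t get_entry_rva(const uint8_t *img, size_t len) {
    uint32_t oh = opt_hdr(img, len);
    return oh ? rd32(img, oh + 16) : 0;
}

/* Walk IMAGE_EXPORT_DIRECTORY and record name -> base + RVA, as the slide does for
   DbgPrint/DbgPrintEx. Every RVA is bounds-checked against the image before it is used. */
size_t build_api_db(const uint8_t *img, size_t len, uint32_t base, struct kapi_db *db) {
    db->n = 0;
    uint32_t oh = opt_hdr(img, len);
    if (!oh || rd32(img, oh + 92) < 1) return 0;         /* NumberOfRvaAndSizes */
    uint32_t exp = rd32(img, oh + 96);                   /* DataDirectory[EXPORT].VirtualAddress */
    if (exp == 0 || exp > len - 40) return 0;
    uint32_t nnames = rd32(img, exp + 24), funcs = rd32(img, exp + 28);
    uint32_t names  = rd32(img, exp + 32), ords  = rd32(img, exp + 36);
    if (funcs > len || names > len || ords > len) return 0;
    for (uint32_t i = 0; i < nnames && db->n < MAX_EXPORTS; i++) {
        if (names + 4 * i > len - 4 || ords + 2 * i > len - 2) break;
        uint32_t name_rva = rd32(img, names + 4 * i);
        uint32_t ord      = rd16(img, ords + 2 * i);     /* index into AddressOfFunctions */
        if (name_rva >= len || funcs + 4 * ord > len - 4) break;
        struct kapi *k = &db->e[db->n++];
        size_t j = 0;
        for (; name_rva + j < len && img[name_rva + j] && j < sizeof k->name - 1; j++)
            k->name[j] = (char)img[name_rva + j];
        k->name[j] = '\0';
        k->va = base + rd32(img, funcs + 4 * ord);
    }
    return db->n;
}

uint32_t lookup_api(const struct kapi_db *db, const char *name) {
    for (size_t i = 0; i < db->n; i++) if (strcmp(db->e[i].name, name) == 0) return db->e[i].va;
    return 0;
}

/* Software breakpoint: overwrite the byte at `rva` with int3 and return the original byte
   (-1 if out of range). The tracer has to put it back when the #BP reaches the VMM. */
int plant_int3(uint8_t *img, size_t len, uint32_t rva) {
    if (rva >= len) return -1;
    int orig = img[rva];
    img[rva] = 0xcc;
    return orig;
}

/* Constructed sample: a minimal PE32 with only an export directory, laid out as mapped in
   memory. It is not a real ntoskrnl.exe; only the two RVAs come from the slide. */
void build_sample_image(uint8_t img[IMG_LEN]) {
    memset(img, 0, IMG_LEN);
    img[0] = 'M'; img[1] = 'Z'; wr32(img, 0x3c, 0x40);          /* e_lfanew */
    memcpy(img + 0x40, "PE\0\0", 4);
    wr16(img, 0x44, 0x14c); wr16(img, 0x54, 0xE0);                /* Machine = i386, SizeOfOptionalHeader */
    wr16(img, 0x58, 0x10b);                                       /* Magic = PE32 */
    wr32(img, 0x58 + 16, 0x100);                                  /* AddressOfEntryPoint (constructed) */
    wr32(img, 0x58 + 28, SAMPLE_BASE); wr32(img, 0x58 + 92, 16);  /* ImageBase, NumberOfRvaAndSizes */
    wr32(img, 0x58 + 96, 0x200); wr32(img, 0x58 + 100, 0x100);    /* export directory RVA, size */
    wr32(img, 0x200 + 20, 2); wr32(img, 0x200 + 24, 2);           /* NumberOfFunctions, NumberOfNames */
    wr32(img, 0x200 + 28, 0x230); wr32(img, 0x200 + 32, 0x240); wr32(img, 0x200 + 36, 0x250);
    wr32(img, 0x230, 0x5002e); wr32(img, 0x234, 0x50050);         /* AddressOfFunctions */
    wr32(img, 0x240, 0x260);   wr32(img, 0x244, 0x270);           /* AddressOfNames */
    wr16(img, 0x250, 0);       wr16(img, 0x252, 1);               /* AddressOfNameOrdinals */
    memcpy(img + 0x260, "DbgPrint", 9); memcpy(img + 0x270, "DbgPrintEx", 11);
    img[0x100] = 0x8b;                                            /* first byte at the constructed entry point */
}

/* Demo helpers: resolve a name against the sample image; plant int3 at its entry point and
   return (original byte << 8) | byte now at the entry point. */
uint32_t demo_resolve(const char *name) {
    uint8_t img[IMG_LEN]; struct kapi_db db;
    build_sample_image(img);
    build_api_db(img, IMG_LEN, SAMPLE_BASE, &db);
    return lookup_api(&db, name);
}
int demo_plant(void) {
    uint8_t img[IMG_LEN];
    build_sample_image(img);
    uint32_t rva = get_entry_rva(img, IMG_LEN);
    int orig = plant_int3(img, IMG_LEN, rva);
    return orig < 0 ? -1 : (orig << 8) | img[rva];
}
```

The bounds checks matter more in this setting than in a file parser: the image is read out of guest memory that the malware itself may have patched, so a hostile export directory must not be able to walk the VMM off the end of its buffer.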
Page 15
Software BP vs. Hardware BP
• Software BP
  – Replace the original byte with int3 (0xcc)
  – The processor raises #BP when the int3 executes; the VMM receives it through the VMCS exception bitmap
  – No limit on the number of BPs
  – The modified byte is visible to the malware (self-checksumming code notices it)
• Hardware BP
  – Use the debug registers (DR0-DR3)
  – No need to modify the original code
  – Only 4 BPs simultaneously
Page 16
Code Tracing
Diagram: DriverEntry ... call sub_10031 ... ret ... call DbgPrint ... ret
A) Insert 0xcc at the closest branch found by disassembling the code forward from DriverEntry
B) Execution is suspended at the branch. Check from the EFLAGS value whether the branch is taken
   • If taken: insert 0xcc at the branch target
   • If not: proceed as in A from the fall-through
C) Execution is suspended at the branch target. Check whether it is the entry of a kernel API
   • If so: insert 0xcc at the return address
   • If not: proceed as in A
Page 17
Definition of an FSM
States: SEARCH_B (find the next branch), EVAL_B (evaluate the branch), CHECK_A (check the branched-to address)
Transitions:
  SEARCH_B -> EVAL_B  : breakpoint at the branch hit, evaluate the branch
  EVAL_B   -> SEARCH_B: branch not taken, find the next branch
  EVAL_B   -> CHECK_A : branch taken, check the address
  CHECK_A  -> SEARCH_B: checked, find the next branch
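The FSM above as an added example in C; this is not GreenKiller's code. It implements EVAL_B (decode the branch at the breakpoint and evaluate a Jcc against the guest's EFLAGS) and CHECK_A (kernel API entry or malware code) and reports where the next 0xcc goes. The forward disassembly that SEARCH_B needs to find the nearest branch is a length-decoding pass left to the caller. The instruction bytes, the addresses other than DbgPrint's 0x8052902e, and all names are constructed.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* EFLAGS bits consulted by Jcc. */
enum { CF = 1u << 0, PF = 1u << 2, ZF = 1u << 6, SF = 1u << 7, OF = 1u << 11 };

/* Evaluate an x86 condition code (low nibble of the Jcc opcode) against EFLAGS: even codes
   test the condition, odd codes its negation (JZ = 0x4, JNZ = 0x5, JL = 0xC, JG = 0xF). */
int jcc_taken(unsigned cc, uint32_t ef) {
    int cf = !!(ef & CF), pf = !!(ef & PF), zf = !!(ef & ZF), sf = !!(ef & SF), of = !!(ef & OF), r;
    switch ((cc & 0xF) >> 1) {
    case 0:  r = of;              break;   /* JO  / JNO */
    case 1:  r = cf;              break;   /* JB  / JAE */
    case 2:  r = zf;              break;   /* JE  / JNE */
    case 3:  r = cf || zf;        break;   /* JBE / JA  */
    case 4:  r = sf;              break;   /* JS  / JNS */
    case 5:  r = pf;              break;   /* JP  / JNP */
    case 6:  r = sf != of;        break;   /* JL  / JGE */
    default: r = zf || sf != of;  break;   /* JLE / JG  */
    }
    return (cc & 1) ? !r : r;
}

enum branch_kind { BR_NONE, BR_JCC, BR_JMP, BR_CALL, BR_RET, BR_INDIRECT };
struct branch { enum branch_kind kind; unsigned len; unsigned cc; uint32_t target; };

static int32_t rel32(const uint8_t *p) { return (int32_t)(p[0] | p[1] << 8 | p[2] << 16 | (uint32_t)p[3] << 24); }

/* Decode the branch at guest address `eip` from its bytes `code[0..n)`. Relative forms give
   their target directly; FF /2 and FF /4 (indirect call/jmp) are reported as BR_INDIRECT
   because the target has to be read from guest registers or memory. */
int decode_branch(const uint8_t *code, size_t n, uint32_t eip, struct branch *b) {
    memset(b, 0, sizeof *b);
    if (n >= 2 && (code[0] & 0xF0) == 0x70)                          /* Jcc rel8 */
        *b = (struct branch){ BR_JCC, 2, code[0] & 0xF, eip + 2 + (int8_t)code[1] };
    else if (n >= 6 && code[0] == 0x0F && (code[1] & 0xF0) == 0x80)  /* Jcc rel32 */
        *b = (struct branch){ BR_JCC, 6, code[1] & 0xF, eip + 6 + rel32(code + 2) };
    else if (n >= 2 && code[0] == 0xEB)                              /* jmp rel8 */
        *b = (struct branch){ BR_JMP, 2, 0, eip + 2 + (int8_t)code[1] };
    else if (n >= 5 && code[0] == 0xE9)                              /* jmp rel32 */
        *b = (struct branch){ BR_JMP, 5, 0, eip + 5 + rel32(code + 1) };
    else if (n >= 5 && code[0] == 0xE8)                              /* call rel32 */
        *b = (struct branch){ BR_CALL, 5, 0, eip + 5 + rel32(code + 1) };
    else if (n >= 1 && code[0] == 0xC3)                              /* ret */
        *b = (struct branch){ BR_RET, 1, 0, 0 };
    else if (n >= 3 && code[0] == 0xC2)                              /* ret imm16 */
        *b = (struct branch){ BR_RET, 3, 0, 0 };
    else if (n >= 2 && code[0] == 0xFF && (((code[1] >> 3) & 7) == 2 || ((code[1] >> 3) & 7) == 4))
        *b = (struct branch){ BR_INDIRECT, 0, 0, 0 };
    return b->kind != BR_NONE;
}

enum state { SEARCH_B, EVAL_B, CHECK_A };

/* Guest state visible to the VMM when a planted 0xcc traps: where the guest stopped, the
   original bytes there, EFLAGS, and the dword at [ESP] (the return address when stopped at
   a call target, or the target of a ret). */
struct trap { uint32_t eip; const uint8_t *code; size_t n; uint32_t eflags; uint32_t stack_top; };

/* One step of the slide's FSM. Returns the next state and writes where the next 0xcc goes.
   In SEARCH_B the caller disassembles forward from *next_bp to the nearest branch, plants the
   BP there and enters EVAL_B. *next_bp == 0 means an indirect branch whose operand the
   caller must resolve from guest state first. */
enum state fsm_step(enum state s, const struct trap *t, int at_api_entry, uint32_t *next_bp) {
    struct branch b;
    switch (s) {
    case EVAL_B:                                  /* stopped on the branch itself */
        if (!decode_branch(t->code, t->n, t->eip, &b) || b.kind == BR_INDIRECT) {
            *next_bp = 0;
            return EVAL_B;
        }
        if (b.kind == BR_JCC && !jcc_taken(b.cc, t->eflags)) {
            *next_bp = t->eip + b.len;            /* not taken: search on from the fall-through */
            return SEARCH_B;
        }
        *next_bp = b.kind == BR_RET ? t->stack_top : b.target;   /* taken: break at the target */
        return CHECK_A;
    case CHECK_A:                                 /* stopped at the branched-to address */
        *next_bp = at_api_entry ? t->stack_top    /* kernel API: skip its body, break at retaddr */
                                : t->eip;         /* malware code: search for the next branch here */
        return SEARCH_B;
    default:
        *next_bp = t->eip;
        return SEARCH_B;
    }
}

/* Constructed trace: `jnz +5` at 0x1000, then `call 0x8052902e` (DbgPrint, the slide's API DB
   entry) at 0x1007, whose return address 0x100c is on the stack at the API entry. */
static void demo_trace(uint32_t bp[5], enum state st[5]) {
    static const uint8_t jnz[]  = { 0x75, 0x05 };                    /* jnz 0x1007 */
    static const uint8_t call[] = { 0xE8, 0x22, 0x80, 0x52, 0x80 };  /* rel32 = 0x8052902e - 0x100c */
    struct trap t1 = { 0x1000, jnz, 2, ZF, 0 }, t2 = { 0x1000, jnz, 2, 0, 0 };
    struct trap t3 = { 0x1007, call, 5, 0, 0 }, t4 = { 0x8052902e, NULL, 0, 0, 0x100c };
    st[0] = fsm_step(EVAL_B,  &t1, 0, &bp[0]);   /* ZF set: not taken, SEARCH_B from 0x1002 */
    st[1] = fsm_step(EVAL_B,  &t2, 0, &bp[1]);   /* ZF clear: taken, CHECK_A at 0x1007 */
    st[2] = fsm_step(CHECK_A, &t3, 0, &bp[2]);   /* 0x1007 is malware code: SEARCH_B from 0x1007 */
    st[3] = fsm_step(EVAL_B,  &t3, 0, &bp[3]);   /* the call is the next branch: CHECK_A at DbgPrint */
    st[4] = fsm_step(CHECK_A, &t4, 1, &bp[4]);   /* API entry: SEARCH_B from the return address */
}
uint32_t demo_next_bp(int i) { uint32_t bp[5]; enum state st[5]; demo_trace(bp, st); return bp[i]; }
int      demo_state(int i)   { uint32_t bp[5]; enum state st[5]; demo_trace(bp, st); return st[i]; }
```

Evaluating the condition in the VMM rather than single-stepping the guest is what keeps the trace cheap: one VM exit per branch instead of one per instruction, and the kernel API bodies are skipped entirely by breaking at the return address.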
Page 18
That's all?
• No; we have to consider multiple contexts, because of callbacks
• A driver is a plug-in for the kernel: the kernel calls into it later, not only at DriverEntry
Page 19
Callbacks
Diagram: the kernel enters the malware not only at DriverEntry but from several contexts: IRP dispatch, process management notifications, kernel threads, timers. FFR GreenKiller has to trace each of them.
Page 20
Ex) PsSetCreateProcessNotifyRoutine
#include <ntddk.h>
VOID CreateProcessNotifyCallback(IN HANDLE ParentId, IN HANDLE ProcessId, IN BOOLEAN Create);
NTSTATUS DriverEntry(IN PDRIVER_OBJECT DriverObject, IN PUNICODE_STRING RegistryPath)
{
    ...
    // The kernel calls CreateProcessNotifyCallback on every process creation/exit, long after DriverEntry has returned
    PsSetCreateProcessNotifyRoutine(
        CreateProcessNotifyCallback,   // NotifyRoutine
        FALSE                          // Remove
    );
    ...
}
VOID CreateProcessNotifyCallback(IN HANDLE ParentId, IN HANDLE ProcessId, IN BOOLEAN Create)
{
    DbgPrint("Pid %d is %s\n", (int)(ULONG_PTR)ProcessId, Create ? "created" : "exit");
}
Page 21
Callbacks (cont.)
• IRP handlers
• DPC routines
• Registry callbacks
• FS/NDIS/TDI filters
• PsSetCreateProcessNotifyRoutine
• PsSetLoadImageNotifyRoutine
• PsCreateSystemThread
• etc.
Page 22
Lookup Kernel API
State: CHECK_A. The malware executes "call 0x8052902e"; FFR GreenKiller looks the target up in the kernel API DB:
  API         Address
  DbgPrint    0x8052902e
  DbgPrintEx  0x80529050
  ...         ...
Page 23
Lookup Kernel API (cont.)
State: CHECK_A. The malware executes "call PsSetCreateProcessNotifyRoutine" and the breakpoint at the API entry fires.
NTSTATUS PsSetCreateProcessNotifyRoutine(IN PCREATE_PROCESS_NOTIFY_ROUTINE NotifyRoutine, IN BOOLEAN Remove);
At the entry of the API the Guest stack holds:
  ReturnAddress = [GUEST_ESP]
  Arg1          = [GUEST_ESP+4]   ; NotifyRoutine
  Arg2          = [GUEST_ESP+8]   ; Remove
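Reading the arguments off the guest stack at the API entry, and turning a registered callback into a new tracing root for the "multiple contexts" problem of pages 18 and 19, as an added example in C; this is not GreenKiller's code. DbgPrint's address and the 0xfd06508c call site come from the slides; the addresses of PsSetCreateProcessNotifyRoutine, PsCreateSystemThread and CB#1, the stack contents and all names are constructed.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* Window of guest kernel stack the VMM reads at the API-entry breakpoint (starting at
   `base_va`), plus the guest ESP at that moment. */
struct guest { uint32_t esp; uint32_t base_va; const uint8_t *mem; size_t len; };

static int guest_rd32(const struct guest *g, uint32_t va, uint32_t *out) {
    if (g->len < 4 || va < g->base_va || va - g->base_va > g->len - 4) return 0;
    const uint8_t *p = g->mem + (va - g->base_va);
    *out = p[0] | p[1] << 8 | p[2] << 16 | (uint32_t)p[3] << 24;
    return 1;
}

/* What the tracer knows about an API: address (from the kernel API DB), number of fixed
   arguments, which argument (1-based, 0 = none) is a routine the kernel will call back
   later, and which argument (if any) is a Remove flag that deregisters instead. */
struct api_sig { const char *name; uint32_t va; unsigned nargs; unsigned cb_arg; unsigned remove_arg; };

/* DbgPrint's address is the slide's; the other two are constructed placeholders, not real
   ntoskrnl.exe addresses. */
static const struct api_sig SIGS[] = {
    { "DbgPrint",                        0x8052902e, 1, 0, 0 },
    { "PsSetCreateProcessNotifyRoutine", 0x805d0000, 2, 1, 2 },   /* (NotifyRoutine, Remove) */
    { "PsCreateSystemThread",            0x805e0000, 7, 6, 0 },   /* StartRoutine is argument 6 */
};

const struct api_sig *find_sig(uint32_t va) {
    for (size_t i = 0; i < sizeof SIGS / sizeof SIGS[0]; i++) if (SIGS[i].va == va) return &SIGS[i];
    return NULL;
}

struct call_record {
    const char *api; uint32_t retaddr; uint32_t args[8]; unsigned nargs;
    uint32_t new_root;   /* callback the kernel will invoke later: a new tracing context, 0 if none */
};

/* State CHECK_A, branch target is a kernel API entry. At entry the x86 stack holds
   [ESP] = return address, [ESP+4] = Arg1, [ESP+8] = Arg2, ... (same for stdcall and cdecl).
   The tracer breaks at the return address to skip the API body; if the call hands the kernel
   a routine, that routine is recorded as a new root, because it will run in another context
   (IRP, process notification, system thread, timer) that tracing from DriverEntry never reaches. */
int capture_call(const struct guest *g, uint32_t target, struct call_record *rec) {
    const struct api_sig *sig = find_sig(target);
    memset(rec, 0, sizeof *rec);
    if (!sig || sig->nargs > 8 || !guest_rd32(g, g->esp, &rec->retaddr)) return 0;
    rec->api = sig->name;
    rec->nargs = sig->nargs;
    for (unsigned i = 0; i < sig->nargs; i++)
        if (!guest_rd32(g, g->esp + 4 * (i + 1), &rec->args[i])) return 0;   /* truncated snapshot */
    if (sig->cb_arg && !(sig->remove_arg && rec->args[sig->remove_arg - 1]))
        rec->new_root = rec->args[sig->cb_arg - 1];
    return 1;
}

static void put32(uint8_t *p, uint32_t v) {
    p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); p[2] = (uint8_t)(v >> 16); p[3] = (uint8_t)(v >> 24);
}

/* Constructed guest stack at the moment PsSetCreateProcessNotifyRoutine is entered from the
   call site 0xfd06508c on the Output slide: return address = call site + 5, Arg1 = CB#1 (a
   constructed address), Arg2 = Remove. `snapshot_len` < 12 simulates a snapshot too short to
   hold both arguments. */
static int run_demo(uint32_t remove_flag, size_t snapshot_len, struct call_record *rec) {
    uint8_t stack[12];
    put32(stack + 0, 0xfd065091);   /* return address */
    put32(stack + 4, 0xfd965100);   /* NotifyRoutine = CB#1 (constructed) */
    put32(stack + 8, remove_flag);  /* Remove */
    struct guest g = { 0xf8a1bd70, 0xf8a1bd70, stack, snapshot_len };
    return capture_call(&g, 0x805d0000, rec);
}
uint32_t demo_new_root(uint32_t remove_flag) {
    struct call_record rec;
    return run_demo(remove_flag, 12, &rec) ? rec.new_root : 0xffffffffu;
}
uint32_t demo_retaddr(void) {
    struct call_record rec;
    return run_demo(0, 12, &rec) ? rec.retaddr : 0xffffffffu;
}
int demo_short_snapshot(void) {      /* 0: the call could not be captured */
    struct call_record rec;
    return run_demo(0, 8, &rec);
}
```

The per-API signature table is the part the Limitation slide calls "limited API support": every callback-registering API the tracer does not know about is a context it never traces, which is why the Output slide can attribute [CB#1] only because PsSetCreateProcessNotifyRoutine is in the table.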
Page 24
Output
[DriverEntry]
0xfd965012: DbgPrint("DriverEntry: 0x%lx\n")
0xfd065054: IoCreateDevice("\\Device\m3z1")
0xfd065067: IoCreateSymbolicLink("\\Device\m3z1", "\\DosDevices\m3z1")
0xfd06508c: PsSetCreateProcessNotifyRoutine(CB#1)
[DriverUnload]
0xfd9650c0: IoDeleteSymbolicLink("\\DosDevices\m3z1")
0xfd9650cc: IoDeleteDevice
[CB#1: PsSetCreateProcessNotifyRoutine]
0xfd965134: PsGetCurrentProcessId
0xfd965140: DbgPrint("CreateProcessCallback %d %d %d\n")
0xfd96710c: ExFreePool
Page 25
Limitation
• Requires Intel VT
• Requires an Agent in the Guest's ring 3
  – Quick hack :)
• Limited API support
  – Callback and argument recognition
Page 26
Related Work
Memory patching by malware can be detected:
• Viton, a hypervisor IPS (BlackHat USA 08)
  – Manipulates the Guest page tables / page table entries
  – to protect against memory patching by a malicious driver
JP: http://www.fourteenforty.jp/research/research_papers/bh-japan-08-Murakami.pdf
EN: http://www.fourteenforty.jp/research/research_papers/bh-usa-08-Murakami.pdf
Page 27
Q & A