Black Hat USA 2010, Las Vegas, July 29th
NGUYEN Anh Quynh, Kuniyasu SUZAKI, AIST, Japan
Who are we?
VNSecurity member (http://vnsecurity.net)
VM-related research areas
Practical security problems regarding Virtual Machines (VMs)
Protect the VM
Leverage the VM for various security-related areas
VirtICE preview
To ease the job of the malware analyst
Presentation overview
Problems of debuggers in malware analysis
VirtICE solution
Architecture, Design & Implementation
Main features
Part I
Problems of debuggers in malware analysis
VirtICE solution
Architecture, Design & Implementation
Main features
Malware analysis
Static analysis
Disassemble/decompile the malware binary code; analyze the dead listing to understand its activities
Most malware is packed and obfuscated
Dynamic analysis
Run the malware and monitor its activities at runtime; analyze the malware live, while it is running
Debugger against malware
Run the malware under the monitor of a debugger
Disassemble/decompile the malware binary
Monitor execution flow
Using software/hardware breakpoints
Using memory watchpoints
Monitor data flow
Single-step for fine-granularity tracing
etc.
Problems of debuggers
Malware can detect the debugger and change its behavior
Knowing that it is being debugged/monitored, malware can behave differently
Xu Chen et al. [NDSS08] reported the popularity of anti-debugging malware
93.9% of malware has anti-debugger techniques!
Malware can tamper with the debugger
Fool the debugger, to make it function incorrectly
Attack the debugger
Detecting the debugger (1)
The debugger uses system services to handle debug events
Windows leaves traces in various places about the existence of a debugger
PEB::NtGlobalFlag
PEB::BeingDebugged
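As an added example (not from the VirtICE deck), the check a malware sample makes against these two PEB fields, written over a snapshot of the PEB bytes so it runs anywhere: inside the guest the sample reads the live PEB (fs:[0x30] on 32-bit Windows, gs:[0x60] on 64-bit) and makes the same comparisons; from the hypervisor the same bytes can be read out of guest memory. The snapshots are constructed for the example; the field offsets and FLG_HEAP_* values are the documented Windows ones, and the function names are this example's own.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* Heap flags the loader ORs into PEB.NtGlobalFlag when a process is created under a debugger. */
#define FLG_HEAP_ENABLE_TAIL_CHECK     0x10
#define FLG_HEAP_ENABLE_FREE_CHECK     0x20
#define FLG_HEAP_VALIDATE_PARAMETERS   0x40
#define DEBUGGER_HEAP_FLAGS (FLG_HEAP_ENABLE_TAIL_CHECK | FLG_HEAP_ENABLE_FREE_CHECK | FLG_HEAP_VALIDATE_PARAMETERS)

/* PEB field offsets: BeingDebugged is at +2 on both architectures, NtGlobalFlag moves. */
#define PEB_BEING_DEBUGGED_OFF    0x02
#define PEB32_NT_GLOBAL_FLAG_OFF  0x68
#define PEB64_NT_GLOBAL_FLAG_OFF  0xBC

#define TRACE_BEING_DEBUGGED 0x1
#define TRACE_NT_GLOBAL_FLAG 0x2

static uint32_t le32(const uint8_t *p)        /* guest values are little-endian */
{
    return p[0] | p[1] << 8 | p[2] << 16 | (uint32_t)p[3] << 24;
}

/* Bitmask of the debugger traces found in a PEB snapshot; -1 if the snapshot is too short. */
int peb_debugger_traces(const uint8_t *peb, size_t len, int is_64bit)
{
    size_t flag_off = is_64bit ? PEB64_NT_GLOBAL_FLAG_OFF : PEB32_NT_GLOBAL_FLAG_OFF;
    int traces = 0;
    if (len < flag_off + 4)
        return -1;
    if (peb[PEB_BEING_DEBUGGED_OFF] != 0)
        traces |= TRACE_BEING_DEBUGGED;
    if ((le32(peb + flag_off) & DEBUGGER_HEAP_FLAGS) == DEBUGGER_HEAP_FLAGS)
        traces |= TRACE_NT_GLOBAL_FLAG;
    return traces;
}

/* Constructed PEB snapshots (not captured from a real process): all zero for a clean
 * process; for a debugged one BeingDebugged = 1 and the three heap flags are set. */
int peb_example(int debugged, int is_64bit)
{
    uint8_t peb[0x100];
    size_t flag_off = is_64bit ? PEB64_NT_GLOBAL_FLAG_OFF : PEB32_NT_GLOBAL_FLAG_OFF;
    memset(peb, 0, sizeof peb);
    if (debugged) {
        peb[PEB_BEING_DEBUGGED_OFF] = 1;
        peb[flag_off] = DEBUGGER_HEAP_FLAGS;   /* low byte of the little-endian ULONG */
    }
    return peb_debugger_traces(peb, sizeof peb, is_64bit);
}
```

A debugger that lives in the hypervisor never calls the guest's debug services, so neither field changes for the sample it is watching; that is the whole point of the "invisible" approach that follows.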
Detecting the debugger (2)
The debugger modifies the malware (software breakpoints patch the code in place)
Detecting the debugger (3)
The debugger is visible in the same system
Detect that a debugger is installed in the system
Detect that a debugger is running
Tamper with the debugger
Tamper with the debugger's operation to make it work incorrectly
Directly attack the debugger
Demo
Peter Ferrie, Anti-unpacker tricks, series 1~9
and more is still coming :(
Attacking and tampering with the debugger is trivial. Unfortunately, unfixable!!
Why these problems?
Unfixable debugger
Because the debugger was never designed to analyze malware in the first place
Unfortunately, malware exploits that, with lots of sophisticated tricks
Part II
Problems of debuggers in malware analysis
VirtICE solution
Architecture, Design & Implementation
Main features
Ideas to solve the problems
Make the debugger invisible to malware
Put the debugger out of the reach of malware
VirtICE approach
Run the malware inside a Virtual Machine (VM)
Put the debugger in the hypervisor/emulator layer
VirtICE architecture
Other benefits
Debugging anywhere is possible
Fix the unfixable problems
VirtICE is invisible to malware
Does the debugger use guest system services for debugging? No
Does the debugger modify the malware process? No
Is the debugger present in the same domain as the malware? No
VirtICE cannot be attacked by malware
Guaranteed by the VM design
VirtICE requirements
Understand the guest context from outside
Instrument the guest VM execution
Access to the VM context
Manage the VM
Understand the guest context
Must be done from outside, without any support from the guest VM
Leverage work from last year
Extract OS semantic objects from the VM's memory
Support Windows OS
EaglEye framework
Get access to guest memory and CPU context from the host
Provided by the Kobuta framework (see later)
Retrieve OS objects from the virtual/physical memory of the guest VM
Focus on important objects, especially those usually exploited by malware
EaglEye architecture
Challenges
Retrieving semantic objects requires an excellent understanding of how the objects are structured
Locate the OS's objects
Retrieve objects' internals
Must understand the object structure
Might change between Windows versions, or even Service Packs
    struct _EPROCESS {
        KPROCESS Pcb;                    /* offset 0,    size 0x6c */
        EX_PUSH_LOCK ProcessLock;        /* offset 0x6c, size 4 */
        LARGE_INTEGER CreateTime;        /* offset 0x70, size 8 */
        LARGE_INTEGER ExitTime;          /* offset 0x78, size 8 */
        EX_RUNDOWN_REF RundownProtect;   /* offset 0x80, size 4 */
        ....
    };
Current solutions?
Hardcode all the popular objects, with offsets & sizes of the popular fields?
Done by everybody else
But this is far from good enough!
Limited to the objects you specify
Limited to only the offsets you specify
A dream...
To be able to query the structure of all the objects, with their fields
Support all kinds of OS, with different versions
On demand, at runtime, with all kinds of objects
Various questions are possible
...Comes true: LibDI
Satisfies all the above requests, and makes your dream come true
Comes in the shape of another framework
Relies on public information on OS objects
OS independence
Windows and Linux are well supported so far
Keeps the information in the DWARF debugging format, and extracts the structures out of it at runtime
Windows internals information
ReactOS file header prototypes
Free & open to the public (http://www.reactos.org)
Supports Win2k3 and up
Windows XP and prior are not supported
Sample ReactOS code
    typedef struct _EPROCESS { // removed some fields for brevity
    #if (NTDDI_VERSION < NTDDI_WS03)
        FAST_MUTEX WorkingSetLock;
    #endif
        ULONG WorkingSetPage;
    #if (NTDDI_VERSION >= NTDDI_LONGHORN)
        EX_PUSH_LOCK AddressCreationLock;
        PETHREAD RotateInProgress;
    #else
        KGUARDED_MUTEX AddressCreationLock;
        KSPIN_LOCK HyperSpaceLock;
    #endif
    } EPROCESS, *PEPROCESS;
Windows objects
Compile the ReactOS file header prototypes with debugging information
Dynamically extract the information out of the object files
    g++ -g windows.c -DNTDDI_XPSP3 -c -o windows_XPSP3.o
Windows objects: problems
ReactOS only supports Win2k3 and up
Need to patch the ReactOS headers to support WinXP and prior versions
Fix incorrect and not-updated data structures
Patch to support recent Windows OS, like Windows 7
Sample LibDI API
    /* <libdi/di.h> */
    /* Get the struct size, given its struct name */
    int di_struct_size(di_th h, char *struct_name);
    /* Get the size of a field of a struct, given the names of the struct and the member */
    int di_member_size(di_th h, char *struct_name, char *struct_member);
    /* Get the offset of a field member of a struct */
    int di_member_offset(di_th h, char *struct_name, char *struct_member);
Sample code using LibDI
    #include <libdi/di.h>
    ...
    di_th h;
    /* Initialize LibDI to get a LibDI handle */
    di_open("windows_XPSP3.o", &h);
    /* retrieve the size of _EPROCESS */
    int s1 = di_struct_size(h, "_EPROCESS");
    /* retrieve the size of _EPROCESS::CreateTime */
    int m1 = di_member_size(h, "_EPROCESS", "CreateTime");
    /* retrieve the offset of _EPROCESS::CreateTime */
    int o1 = di_member_offset(h, "_EPROCESS", "CreateTime");
    /* close when you are done with LibDI */
    di_close(h);
EaglEye: retrieve objects
Separate API for each kind of object
Designed so it is hard to be abused or tampered with by the guest VM
Get the first object in the list of objects
Using a pattern-matching technique
Get the next objects
One by one, until reaching the last object
Sample EaglEye API (1)
    /* <eagleye/eagleye.h> */
    /* @task: output value, points to the kernel memory that keeps the task info */
    int ee_get_task_first(ee_th h, unsigned long *task);
    /* @task: output value, points to the kernel memory that keeps the task info */
    int ee_get_task_next(ee_th h, unsigned long *task);
    /* get the pointer to the process struct, given the process's pid */
    int ee_get_task_pid(ee_th h, unsigned long pid, unsigned long *task);
    /* get the first open DLL file of a task with a given process id.
     * on return, dll points to the user-space memory that keeps the DLL info */
    int ee_get_task_dll_first(ee_th h, unsigned long pid, unsigned long *dll);
    /* get the next open DLL file of a task with a given process id */
    int ee_get_task_dll_next(ee_th h, unsigned long *dll);
Sample EaglEye API (2)
    /* <eagleye/windows.h> */
    /* get the process image file name, given its EPROCESS address */
    int windows_task_imagename(ee_th h, unsigned long eprocess, char *name, unsigned int count);
    /* get the process id, given its EPROCESS address */
    int windows_task_pid(ee_th h, unsigned long eprocess, unsigned long *pid);
    /* get the parent process id, given its EPROCESS address */
    int windows_task_ppid(ee_th h, unsigned long eprocess, unsigned long *ppid);
    /* get the process cmdline, given its EPROCESS address */
    int windows_task_cmdline(ee_th h, unsigned long eprocess, char *cmdline, unsigned int count);
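As an added example, not EaglEye or LibDI code, the process walk that the two API slides above describe, run over a constructed guest memory image: a per-build offset table stands in for what LibDI's di_struct_size()/di_member_offset() would return for _EPROCESS, the first process is found by pattern-matching its pool tag and validating its list links, and the rest follow ActiveProcessLinks. The offsets (illustrative 32-bit values), the identity-mapped memory (no page-table walk), the "Proc" tag heuristic, the function names and the three sample processes are all assumptions of this example. Reading the same guest with the wrong build's offsets finds nothing, which is the "far from good enough" problem with hardcoded structures.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Per-build _EPROCESS layout, i.e. what LibDI would answer.  Illustrative values. */
struct eprocess_layout {
    const char *version;
    uint32_t size;        /* sizeof(_EPROCESS) */
    uint32_t pid_off;     /* UniqueProcessId */
    uint32_t links_off;   /* ActiveProcessLinks: LIST_ENTRY { Flink, Blink } */
    uint32_t ppid_off;    /* InheritedFromUniqueProcessId */
    uint32_t image_off;   /* ImageFileName[16] */
};
const struct eprocess_layout LAYOUT_XPSP3 = { "XPSP3", 0x25c, 0x084, 0x088, 0x14c, 0x174 };
const struct eprocess_layout LAYOUT_WIN7  = { "Win7",  0x2c0, 0x0b4, 0x0b8, 0x140, 0x16c };

#define GUEST_MEM_SIZE   0x4000
#define POOL_HEADER_SIZE 8             /* _POOL_HEADER precedes the object; PoolTag at +4 */
#define INVALID_ADDR     0xffffffffu

static uint8_t guest_mem[GUEST_MEM_SIZE];  /* constructed guest memory; offsets double as addresses */
uint32_t found_pid, found_ppid;            /* result slots for the process example() looks up */

static uint32_t rd32(uint32_t a)           /* little-endian guest read, bounds-checked */
{
    if (a > GUEST_MEM_SIZE - 4) return 0;
    return guest_mem[a] | guest_mem[a + 1] << 8 | guest_mem[a + 2] << 16 | (uint32_t)guest_mem[a + 3] << 24;
}
static void wr32(uint32_t a, uint32_t v) { for (int i = 0; i < 4; i++) guest_mem[a + i] = (uint8_t)(v >> 8 * i); }

/* A live _EPROCESS sits in a circular doubly linked list, so both neighbours must
 * point back at its own LIST_ENTRY.  This rejects stale pool tags and wrong layouts. */
static int links_consistent(const struct eprocess_layout *l, uint32_t ep)
{
    uint32_t self = ep + l->links_off, flink = rd32(self), blink = rd32(self + 4);
    return flink < GUEST_MEM_SIZE && blink < GUEST_MEM_SIZE &&
           rd32(flink + 4) == self && rd32(blink) == self;
}

/* ee_get_task_first counterpart: pattern-match the "Proc" pool tag, validate the hit. */
uint32_t task_first(const struct eprocess_layout *l)
{
    for (uint32_t a = 0; a + POOL_HEADER_SIZE + l->size <= GUEST_MEM_SIZE; a += 8)
        if (memcmp(guest_mem + a + 4, "Proc", 4) == 0 && links_consistent(l, a + POOL_HEADER_SIZE))
            return a + POOL_HEADER_SIZE;
    return INVALID_ADDR;
}
/* ee_get_task_next counterpart: follow Flink until the list wraps back to first. */
uint32_t task_next(const struct eprocess_layout *l, uint32_t first, uint32_t cur)
{
    uint32_t next = rd32(cur + l->links_off) - l->links_off;
    return next == first ? INVALID_ADDR : next;
}
/* windows_task_pid / windows_task_ppid / windows_task_imagename counterparts. */
uint32_t task_pid(const struct eprocess_layout *l, uint32_t ep)  { return rd32(ep + l->pid_off); }
uint32_t task_ppid(const struct eprocess_layout *l, uint32_t ep) { return rd32(ep + l->ppid_off); }
void task_imagename(const struct eprocess_layout *l, uint32_t ep, char *name, size_t count)
{
    size_t n = count - 1 < 15 ? count - 1 : 15;   /* ImageFileName is 16 bytes, NUL padded */
    memcpy(name, guest_mem + ep + l->image_off, n);
    name[n] = '\0';
}

/* Constructed guest: three processes chained in a circular list, plus a stray
 * "Proc" tag with garbage links that the consistency check must skip. */
void build_guest(const struct eprocess_layout *l)
{
    static const struct { uint32_t pid, ppid; const char *name; } procs[3] =
        { { 4, 0, "System" }, { 620, 4, "smss.exe" }, { 1337, 620, "malware.exe" } };
    uint32_t stride = (POOL_HEADER_SIZE + l->size + 0x100 + 7) & ~7u, ep[3];
    memset(guest_mem, 0, sizeof guest_mem);
    memcpy(guest_mem + 0x104, "Proc", 4);
    for (int i = 0; i < 3; i++) {
        uint32_t hdr = 0x800 + i * stride;
        ep[i] = hdr + POOL_HEADER_SIZE;
        memcpy(guest_mem + hdr + 4, "Proc", 4);
        wr32(ep[i] + l->pid_off, procs[i].pid);
        wr32(ep[i] + l->ppid_off, procs[i].ppid);
        memcpy(guest_mem + ep[i] + l->image_off, procs[i].name, strlen(procs[i].name));
    }
    for (int i = 0; i < 3; i++) {
        wr32(ep[i] + l->links_off,     ep[(i + 1) % 3] + l->links_off);   /* Flink */
        wr32(ep[i] + l->links_off + 4, ep[(i + 2) % 3] + l->links_off);   /* Blink */
    }
}

/* "ps" from outside the VM: prints every process, returns how many were found, and
 * records pid/ppid of the one called `want`.  Bounded in case the list is corrupt. */
int list_processes(const struct eprocess_layout *l, const char *want)
{
    int n = 0;
    uint32_t first = task_first(l);
    for (uint32_t ep = first; ep != INVALID_ADDR && n < 64; ep = task_next(l, first, ep), n++) {
        char name[16];
        task_imagename(l, ep, name, sizeof name);
        printf("  %-16s pid %5u ppid %5u  (_EPROCESS at 0x%x)\n",
               name, (unsigned)task_pid(l, ep), (unsigned)task_ppid(l, ep), (unsigned)ep);
        if (strcmp(name, want) == 0) { found_pid = task_pid(l, ep); found_ppid = task_ppid(l, ep); }
    }
    return n;
}

/* Build the guest for one Windows build, then read it with another build's offsets. */
int example(const struct eprocess_layout *built, const struct eprocess_layout *read)
{
    build_guest(built);
    found_pid = found_ppid = 0;
    printf("guest built as %s, read with %s offsets:\n", built->version, read->version);
    return list_processes(read, "malware.exe");
}

int main(void)
{
    example(&LAYOUT_XPSP3, &LAYOUT_XPSP3);   /* finds all three processes */
    example(&LAYOUT_WIN7, &LAYOUT_XPSP3);    /* XP offsets on a Win7 guest: finds nothing */
    return 0;
}
```

The consistency check is what makes the scan safe against memory the guest controls: a forged "Proc" tag in a data buffer is ignored unless its neighbours also agree, and the bounded loop keeps a corrupted list from hanging the debugger.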
EaglEye architecture
VirtICE design
Choose a VM for VirtICE
Open source, so customizable (therefore VMware is not suitable)
QEMU, version 0.12.4
VirtICE architecture
Instrument the guest VM
Kobuta framework
Generic instrumentation framework
Instruments the binary translation process
Supports dynamically loaded modules built on top of Kobuta
Instrumenting the guest VM: challenges
Originally, QEMU provides no support for instrumentation
We are on our own, and have to build the Kobuta instrumentation framework from scratch
QEMU uses a just-in-time (JIT) compiler to perform binary translation
Translated code is saved, and is not translated again if it is available in the cache
We have to dig deeply into the translation process of QEMU to provide instrumentation hooks
QEMU JIT compiler
We have to synchronize the CPU context ourselves when needed
On x86, only the EFLAGS value is out of sync
Instrumentation hooks
Instrumentation is at the TCG IR level (after the target code is translated to TCG IR)
This is required because translated code is cached for future reference
At all costs, avoid putting static hooks into architecture-related code, so that supporting all architectures can be done universally
Instruction-level instrumentation is an exception
Architecture-specific instrumentation is also an exception
Update of CR0/2/3/4, RDMSR, WRMSR, SYSENTER/SYSEXIT
Make sure the performance overhead is minimized when no instrumentation hook is registered
Sample Kobuta instrumentation
    /* target-i386/op_helper.c */
    void helper_sysenter(void)
    {
        ....
        if (kobuta_ins_sysenter) {   /* SYSENTER hook has been registered? */
            kobuta_sysenter();       /* Finally, execute all registered handlers for SYSENTER */
        }
        ...
    }
Kobuta framework
Hooking various places useful for generic purposes
Fine-grained instrumentation
Performance challenge
Vanilla QEMU is quite slow
Accelerate QEMU with KQEMU
Support dropped from QEMU version 0.12.0 on
Kobuta module
Needs to register with the Kobuta framework for the instrumentation events it is interested in
Then provides instrumentation handlers for those events
Handlers are executed when the events happen in the guest VM
Leverages exported functions (from the Kobuta framework) to manage the guest VM
Kobuta module
Design the Kobuta module to be just a dynamically linked module
Managing Kobuta modules
Load a module into the QEMU process
Simply use the DLL service provided by the host OS
dlopen() on Linux, LoadLibrary() on Windows
Load a module with a string parameter
Also uses the DLL service of the host OS
Unload a module from the QEMU process
dlclose() on Linux
But what about code (instrumentation handlers) that is still running?
Unloading a Kobuta module
Use a reference counter for Kobuta instrumentation handlers
Exported functions (1)
A Kobuta module needs to manage the guest VM
Need to export these functions out for an external Kobuta module to use
Exported functions (2)
Two ways to export these functions from QEMU/Kobuta to external modules:
Refactor the QEMU code to export the required functions out to an external DLL library
Selectively export the needed function pointers to the Kobuta module
Exported functions (3)
    /* kobuta.h */
    struct kobuta_ins {
        kobuta_cpu_t cpu_read;            /* read CPU context */
        kobuta_cpu_t cpu_write;           /* modify CPU context */
        kobuta_manager_t event_manager;   /* manage instrumentation hooks */
        int (*unload)(void);              /* request (from the Kobuta layer) to unload this module */
    };
Exported functions (4)
    enum kobuta_handler_reg_t {
        KOBUTA_HANDLER_INSTALL, KOBUTA_HANDLER_DELETE, ...
    };
    enum kobuta_cpusync_t {
        KOBUTA_CPUSYNC_DISABLE = 0, KOBUTA_CPUSYNC_ENABLE, ...
    };
    enum kobuta_event_t {
        KOBUTA_EVENT_JMPCALL, KOBUTA_EVENT_INSN_BEGIN,
        KOBUTA_EVENT_INSN_END, KOBUTA_EVENT_SYSENTER,
        KOBUTA_EVENT_MEM_READ, KOBUTA_EVENT_MEM_WRITE, ....
    };
Sample Kobuta module
    static void sysenter(void)
    {
        /* handler body: runs on every SYSENTER in the guest */
    }

    int k_module_init(struct kobuta_ins *ins, const char *args)
    {
        ...
        ins->event_manager(KOBUTA_HANDLER_INSTALL,
                           KOBUTA_EVENT_SYSENTER, KOBUTA_CPUSYNC_DISABLE, sysenter);
        ...
    }

    int k_module_exit(void)
    {
        return 0;
    }
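As an added example, not Kobuta's own code, a minimal version of the event manager the module above registers with: install/delete of handlers per event, the fast path that skips dispatch when no hook is registered, the CPU-sync flag, and the reference counter that lets a module ask to be unloaded from inside its own handler without being dlclose()d while that handler is still on the stack. The enum names are the deck's; the handler table, the counters, the function names and the simulated guest (five SYSENTERs delivered by calling the dispatcher directly) are this example's assumptions.

```c
#include <stdio.h>
#include <string.h>

enum kobuta_handler_reg_t { KOBUTA_HANDLER_INSTALL, KOBUTA_HANDLER_DELETE };
enum kobuta_cpusync_t { KOBUTA_CPUSYNC_DISABLE = 0, KOBUTA_CPUSYNC_ENABLE };
enum kobuta_event_t { KOBUTA_EVENT_JMPCALL, KOBUTA_EVENT_INSN_BEGIN, KOBUTA_EVENT_INSN_END,
                      KOBUTA_EVENT_SYSENTER, KOBUTA_EVENT_MEM_READ, KOBUTA_EVENT_MEM_WRITE,
                      KOBUTA_EVENT_COUNT };
typedef void (*kobuta_handler_t)(void);
#define MAX_HANDLERS 8

/* ---- framework side: lives in the QEMU process and is never unloaded ---- */
static struct { kobuta_handler_t fn; enum kobuta_cpusync_t sync; } handlers[KOBUTA_EVENT_COUNT][MAX_HANDLERS];
int kobuta_ins_count[KOBUTA_EVENT_COUNT];   /* what helper_sysenter() tests before calling in */
static int in_flight;       /* reference counter: handlers currently executing */
static int unload_pending;  /* unload requested while in_flight > 0 */
static int unloads_done;    /* completed unloads (where dlclose() would happen) */
static int cpu_syncs;       /* times the lazily computed EFLAGS had to be materialised */

int event_manager(enum kobuta_handler_reg_t op, enum kobuta_event_t ev,
                  enum kobuta_cpusync_t sync, kobuta_handler_t fn)
{
    if ((unsigned)ev >= KOBUTA_EVENT_COUNT || fn == NULL) return -1;
    for (int i = 0; i < MAX_HANDLERS; i++) {
        if (op == KOBUTA_HANDLER_INSTALL && handlers[ev][i].fn == NULL) {
            handlers[ev][i].fn = fn; handlers[ev][i].sync = sync; kobuta_ins_count[ev]++;
            return 0;
        }
        if (op == KOBUTA_HANDLER_DELETE && handlers[ev][i].fn == fn) {
            handlers[ev][i].fn = NULL; kobuta_ins_count[ev]--;
            return 0;
        }
    }
    return -1;
}

static void finish_unload(void)
{
    memset(handlers, 0, sizeof handlers);                /* no hook may outlive the module */
    memset(kobuta_ins_count, 0, sizeof kobuta_ins_count);
    unloads_done++;                                      /* dlclose() would go here */
}

/* ins->unload: 0 = unloaded now, 1 = deferred until the last running handler returns. */
int kobuta_unload(void)
{
    if (in_flight > 0) { unload_pending = 1; return 1; }
    finish_unload();
    return 0;
}

/* Called from the instrumented helper, e.g. in helper_sysenter():
 *     if (kobuta_ins_count[KOBUTA_EVENT_SYSENTER]) kobuta_dispatch(KOBUTA_EVENT_SYSENTER); */
void kobuta_dispatch(enum kobuta_event_t ev)
{
    int synced = 0;
    if (kobuta_ins_count[ev] == 0) return;              /* fast path: nothing registered */
    in_flight++;
    for (int i = 0; i < MAX_HANDLERS; i++) {
        kobuta_handler_t fn = handlers[ev][i].fn;       /* re-read: a handler may delete hooks */
        if (fn == NULL) continue;
        if (handlers[ev][i].sync == KOBUTA_CPUSYNC_ENABLE && !synced) { cpu_syncs++; synced = 1; }
        fn();
    }
    if (--in_flight == 0 && unload_pending) { unload_pending = 0; finish_unload(); }
}

/* ---- module side: what a dlopen()ed Kobuta module would contain ---- */
static int syscalls_seen, syscalls_traced, unload_was_deferred;

static void count_sysenter(void)        /* needs no CPU sync: it only counts */
{
    syscalls_seen++;
    if (syscalls_seen == 3)             /* job done: ask to be unloaded from inside our own handler */
        unload_was_deferred = kobuta_unload();
}
static void trace_sysenter(void)        /* would read EFLAGS via ins->cpu_read, hence CPUSYNC_ENABLE */
{
    syscalls_traced++;
}
int k_module_init(void)
{
    if (event_manager(KOBUTA_HANDLER_INSTALL, KOBUTA_EVENT_SYSENTER, KOBUTA_CPUSYNC_DISABLE, count_sysenter))
        return -1;
    return event_manager(KOBUTA_HANDLER_INSTALL, KOBUTA_EVENT_SYSENTER, KOBUTA_CPUSYNC_ENABLE, trace_sysenter);
}

/* Simulated guest: five SYSENTERs hit the hook.  Returns how often count_sysenter ran. */
int run_example(void)
{
    memset(handlers, 0, sizeof handlers);
    memset(kobuta_ins_count, 0, sizeof kobuta_ins_count);
    in_flight = unload_pending = unloads_done = cpu_syncs = 0;
    syscalls_seen = syscalls_traced = unload_was_deferred = 0;
    k_module_init();
    for (int i = 0; i < 5; i++) kobuta_dispatch(KOBUTA_EVENT_SYSENTER);
    printf("handlers ran %d times (traced %d), unload deferred=%d completed=%d, cpu syncs=%d, hooks left=%d\n",
           syscalls_seen, syscalls_traced, unload_was_deferred, unloads_done, cpu_syncs,
           kobuta_ins_count[KOBUTA_EVENT_SYSENTER]);
    return syscalls_seen;
}
int example_unload_deferred(void) { return unload_was_deferred; }
int example_unloads_done(void)    { return unloads_done; }
int example_cpu_syncs(void)       { return cpu_syncs; }
int example_hooks_left(void)      { return kobuta_ins_count[KOBUTA_EVENT_SYSENTER]; }
```

The third SYSENTER shows the reason for the counter: the module asks to go away while its handler is executing, the request is only recorded, the remaining handler for that event still runs with a synced CPU context, and the table is torn down once the dispatcher is back in framework code, so the fourth and fifth SYSENTERs take the fast path.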
VirtICE debugger design
A VirtICE server: a Kobuta module
Registers the related instrumentation hooks (on demand)
A VirtICE client
VirtICE architecture
Handling requests for VirtICE
Have a separate thread to handle external commands from the VirtICE client
TCP protocol
Receive commands from the client
Use the exported functions from Kobuta to manage the VM
VirtICE generic commands
Inspect the malware process running inside the VM
pe: PE file analysis
view: View memory in hex/string format
dump: Dump memory out (physical, or process or kernel)
write: Write to memory
search: Searching (pattern matching, regex, ...)
ps/pstree: Processes
dlls: DLLs; registry: Registries; files: Open files; vad: VADs
kmod: Kernel modules
address: Attributes of a memory address
connection: Open network connections; socket: Open sockets
disasm: Disassemble a memory range
register: View all the registers
VirtICE debug commands
Set an execution breakpoint: dbs <address>
Set a syscall breakpoint
VirtICE advanced features
Malware behavior monitoring
API monitoring: dbM <filename>
Popular Windows APIs (with semantic arguments)
Malware-related API monitoring
Syscall monitoring (with semantic arguments)
dbY [filename|ALL|NULL]
Report anti-debugging techniques used by malware
dbA
Focus on the most popular tricks so far
Demo
Part IV
Problems of debuggers in malware analysis
VirtICE solution
Architecture, Design & Implementation
Main features
Anti-VirtICE
Detecting VirtICE?
Everybody suffers, not only us! We fix the problem with the internal clock, however
Attack VirtICE?
Anti-virtualization malware?
Future plan: development
Improve binary analysis
More semantic information
GUI?
Use KVM to speed up even further
Even currently, KQEMU is not too bad, either
Replayable debugger
So replaying the debug process is possible
Take a snapshot of memory and HDD, and roll back
Conclusions
VirtICE is a new debugger that can fix most problems of current debuggers against malware
References
Peter Ferrie, Anti-unpacker tricks [VIRUS BULLETIN]
Xu Chen et al. [NDSS08]
BitBlaze project
VirtICE: next-generation debugger for malware analysis
Q&A
NGUYEN Anh Quynh <aquynh@gmail.com>
Kuniyasu SUZAKI <k.suzaki@aist.go.jp>