Your SlideShare is downloading. ×
0
FFR GreenKiller - Automatic kernel-mode malware analysis system
FFR GreenKiller - Automatic kernel-mode malware analysis system
FFR GreenKiller - Automatic kernel-mode malware analysis system
FFR GreenKiller - Automatic kernel-mode malware analysis system
FFR GreenKiller - Automatic kernel-mode malware analysis system
FFR GreenKiller - Automatic kernel-mode malware analysis system
FFR GreenKiller - Automatic kernel-mode malware analysis system
FFR GreenKiller - Automatic kernel-mode malware analysis system
FFR GreenKiller - Automatic kernel-mode malware analysis system
FFR GreenKiller - Automatic kernel-mode malware analysis system
FFR GreenKiller - Automatic kernel-mode malware analysis system
FFR GreenKiller - Automatic kernel-mode malware analysis system
FFR GreenKiller - Automatic kernel-mode malware analysis system
FFR GreenKiller - Automatic kernel-mode malware analysis system
FFR GreenKiller - Automatic kernel-mode malware analysis system
FFR GreenKiller - Automatic kernel-mode malware analysis system
FFR GreenKiller - Automatic kernel-mode malware analysis system
FFR GreenKiller - Automatic kernel-mode malware analysis system
FFR GreenKiller - Automatic kernel-mode malware analysis system
FFR GreenKiller - Automatic kernel-mode malware analysis system
FFR GreenKiller - Automatic kernel-mode malware analysis system
FFR GreenKiller - Automatic kernel-mode malware analysis system
FFR GreenKiller - Automatic kernel-mode malware analysis system
FFR GreenKiller - Automatic kernel-mode malware analysis system
FFR GreenKiller - Automatic kernel-mode malware analysis system
FFR GreenKiller - Automatic kernel-mode malware analysis system
FFR GreenKiller - Automatic kernel-mode malware analysis system
Upcoming SlideShare
Loading in...5
×

Thanks for flagging this SlideShare!

Oops! An error has occurred.

×
Saving this for later? Get the SlideShare app to save on your phone or tablet. Read anywhere, anytime – even offline.
Text the download link to your phone
Standard text messaging rates apply

FFR GreenKiller - Automatic kernel-mode malware analysis system

235

Published on

Published in: Technology
0 Comments
0 Likes
Statistics
Notes
  • Be the first to comment

  • Be the first to like this

No Downloads
Views
Total Views
235
On Slideshare
0
From Embeds
0
Number of Embeds
0
Actions
Shares
0
Downloads
6
Comments
0
Likes
0
Embeds 0
No embeds

Report content
Flagged as inappropriate Flag as inappropriate
Flag as inappropriate

Select your reason for flagging this presentation as inappropriate.

Cancel
No notes for slide

Transcript

  • 1. AVAR 2009@kyoto FFR GreenKiller Automatic kernel-mode malware analysis system Junichi Murakami, murakami@fourteenforty.jp Director of Research, Fourteenforty Research Institute, Inc.
  • 2. Who am I? • MURAKAMI Junichi(村上 純一) – Reverse Engineer, both Windows and Linux kernel development – BlackHat speaker at US and Japan 08 – Security & Programming Camp Instructor(2006 - ) – ITPro ホワイトハッカー道場(White Hacker Dojo) http://itpro.nikkeibp.co.jp/article/COLUMN/20070927/283156/ 2
  • 3. FFR GreenKiller Analyzing malicious driver from VMM version 0.0.1 ring 0 FFR GreenKiller(based on BitVisor) Agent Kernelmalware log ring 3 Tracer Guest VMM VMCALL 3
  • 4. Background Rootkits, Part1of 3: The Growing Threat(McAfee Avert Labs) http://www.mcafee.com/us/local_content/white_papers/threat_center/wp_akapoor_rootkits1_en.pdf 4
  • 5. Why kernel-mode (is troublesome) ? ring 0 Kernelmalware ring 3 malware IDA Pro, etc. User-mode malware is a process, Kernel-mode malware is a part of system BSOD is very welcomed  5
  • 6. FFR GreenKiller Analyzing malicious driver from VMM version 0.0.1 ring 0 FFR GreenKiller(based on BitVisor) Agent Kernelmalware log ring 3 Tracer Guest VMM VMCALL 6
  • 7. BitVisor - http://www.bitvisor.org • Open-source VMM software (BSD License) • Secure VM Project (National Project in Japan) • Intel-VT and AMD-v supported • GreenKiller uses BitVisor as a VMM framework  Hardware BitVisor VMM Core Security Features Disk Encryption VPN ・・・ Guest OS device driver 7
  • 8. BitVisor (cont.) BIOS NTLDR Grub BitVisor Windows 8
  • 9. Initialization ring 0 FFR GreenKiller Agent Kernel ring 3 VMCALL 1. Build up kernel API database 2. Hook driver-loading API in Guest ptr_PsLoadedModuleList ptr_IopLoadDriverHookAddr 9
  • 10. PsLoadedModuleList Kernel ntoskrnl.exe DriverObject win32k.sys DriverObject ... DriverObject PsLoadedModuleList 10
  • 11. DriverObject kd> dt nt!_DRIVER_OBJECT +0x000 Type : Int2B +0x002 Size : Int2B +0x004 DeviceObject : Ptr32 _DEVICE_OBJECT +0x008 Flags : Uint4B +0x00c DriverStart : Ptr32 Void +0x010 DriverSize : Uint4B +0x014 DriverSection : Ptr32 Void +0x018 DriverExtension : Ptr32 _DRIVER_EXTENSION +0x01c DriverName : _UNICODE_STRING +0x024 HardwareDatabase : Ptr32 _UNICODE_STRING +0x028 FastIoDispatch : Ptr32 _FAST_IO_DISPATCH +0x02c DriverInit : Ptr32 long +0x030 DriverStartIo : Ptr32 void +0x034 DriverUnload : Ptr32 void +0x038 MajorFunction : [28] Ptr32 long MZ.... .....................................PE... ..... ntoskrnl.exe DbgPrint 0x5002e DbgPrintEx 0x50050 .... [.edata section] 11 0x804d9000 DbgPrint 0x8052902e (0x804d9000 + 0x5002e) DbgPrintEx 0x80529050 (0x804d9000 + 0x50050) ・・・ ・・・
  • 12. Initialization ring 0 FFR GreenKiller Agent Kernel ring 3 VMCALL 1. Build up kernel API database 2. Hook driver-loading API in Guest ptr_PsLoadedModuleList ptr_IopLoadDriverHookAddr 12
  • 13. IopLoadDriver 13 Break (switch to VMM)
  • 14. Break at DriverEntry 14 FFR GreenKiller Kernel mov eax, dword ptr [guest_esp] mov edx, eax push eax call GetAddressOfEntryPoint add edx, eax mov byte ptr [edx], 0xcc malwareIopLoadDriver
  • 15. Software BP vs. Hardware BP • Software BP – Replace original byte with int3(0xcc) • Processor generates an #BP when int3 is hit – No limit on number of BPs • Hardware BP – Use Debug Register(DR0-DR3) – Needless to modify original code – Only 4 BPs simultaneously 15
  • 16. Code Tracing 16 DriverEntry ret call ret call DbgPrint ret sub_10031 A) Insert ‘0xcc’ into closest branch by disassembling the code from DriverEntry B) Execution is suspended on the branch Check whether execution takes the branch according to EFLAGS’s value • If true: Insert ‘0xcc’ into branched addr. • If not: Working the same as A. C) Execution is suspended on the branched addr. Check whether it is an entry of kernel API • if true: Insert ‘0xcc’ into retaddr • if not: Working the same as A.
  • 17. Definition of an FSM 17 SEARCH_B EVAL_BCHECK_A Eval branch Branch not taken, find next branch Branch taken, check address checked, find next branch
  • 18. That’s all? • No, we have to consider multiple context for callbacks • Driver is a plug-in for the kernel 18
  • 19. Callbacks 19 Kernel malware IRP Process Management Kernel Thread Timer DriverEntry
  • 20. Ex)PsSetCreateProcessNotifyRoutine 20 NTSTATUS DriverEntry(IN PDRIVER_OBJECT DriverObject, IN PUNICODE_STRING RegistryPath) { … PsSetCreateProcessNotifyRoutine( CreateProcessNotifyCallback, ; NotifyRoutine FALSE ; Remove ); … } VOID CreateProcessNotifyCallback(IN HANDLE ParentId, IN HANDLE ProcessId, IN BOOLEAN Create) { DbgPrint(“Pid %d is %s¥n”, ProcessId, Create ? “created” : “exit”); }
  • 21. Callbacks(cont.) • IRP Handlers • DPC Routines • Registry Callbacks • Fs/Ndis/Tdi filters • PsSetCreateProcessNotifyRoutine • PsSetLoadImageNotifyRoutine • PsCreateSystemThread • etc. 21
  • 22. Lookup Kernel API 22 FFR GreenKiller Kernel malware State: CHECK_A Kernel API DB API Address DbgPrint 0x8052902e DbgPrintEx 0x80529050 … …. call 0x8052902e
  • 23. Lookup Kernel API(cont.) 23 FFR GreenKiller Kernel malware call PsSetCreateProcessNotifyRoutine NTSTATUS PsSetCreateProcessNotifyRoutine( IN PCREATE_PROCESS_NOTIFY_ROUTINE NotifyRoutine, IN BOOL Remove ); ReturnAddress = [GUEST_ESP] Arg1 = [GUEST_ESP+4]; NotifyRoutine Arg2 = [GUEST_ESP+8]; Remove State: CHECK_A Break
  • 24. Output [DriverEntry] 0xfd965012: DbgPrint(“DriverEntry: 0x%lx¥n”) 0xfd065054: IoCreateDevice(“¥¥Device¥m3z1”) 0xfd065067: IoCreateSymbolicLink(“¥¥Device¥m3z1”, “¥¥DosDevices¥m3z1”) 0xfd06508c: PsSetCreateProcessNotifyRoutine(CB#1) [DriverUnload] 0xfd9650c0: IoDeleteSymbolicLink(“¥¥DosDevices¥m3z1”) 0xfd9650cc: IoDeleteDevice [CB#1: PsSetCreateProcessNotityRoutine] 0xfd965134: PsGetCurrentProcessId 0xfd965140: DbgPrint(“CreateProcessCallback %d %d %d¥n”) 0xfd96710c: ExFreePool 24
  • 25. Limitation • Require Intel-VT • Require an Agent in guest’s ring3 – Request for quick hack :) • Limited API support – Callback, Argument recognization 25
  • 26. Related Work We can detect memory-patching by malware • Viton, Hypervisor IPS(BlackHat USA 08) – Manipulate Guest PageTable/PageTableEntry, – To protect memory patching by malicious driver JP: http://www.fourteenforty.jp/research/research_papers/bh-japan-08-Murakami.pdf EN: http://www.fourteenforty.jp/research/research_papers/bh-usa-08-Murakami.pdf 26
  • 27. Q & A 27

×