1. Introduction Software-Based Solutions Evasion Techniques Hardware-Assisted Solutions Attacks Conclusions Extra
Monitoring Systems & Binaries
Marcus Botacin
Informatics - Federal University of Parana (UFPR) - Brazil
mfbotacin@inf.ufpr.br
November 2018
Monitoring Systems & Binaries FAU @ Erlangen
6. Introduction Software-Based Solutions Evasion Techniques Hardware-Assisted Solutions Attacks Conclusions Extra
Real Trace Examples
7/4/2014 -13:5:1.895|DeleteOperation|2032|C:\deposito.exe|C:\ProgramData\rr.txt|
7/4/2014 -13:3:48.294|CreateProcess|3028|C:\Monitor\Malware\visualizar.exe|2440|C:\Windows\SysWOW64\dll.exe
2014-05-14 20:02:40.963113 10.10.100.101 XX.YY.ZZ.121 HTTP 290 GET /.swim01/control.php?ia&mi=00B5AB4E-47098BC3 HTTP/1.1
In Practice...
Figure: Real malware claiming a registry problem when an anti-analysis trick succeeded.
In Practice...
Figure: Commercial solution armored with anti-debug technique.
In Practice...
Figure: Real malware impersonating a security solution which cannot run under a hypervisor.
Detecting Analysis Procedures
#include <stdio.h>
#include <windows.h>

if (IsDebuggerPresent())      /* Win32 API: reports the PEB BeingDebugged flag */
    printf("debugged\n");
else
    printf("NO DBG\n");
cmp [eax+0xe9], eax    ; 0xe9 = JMP
pop rbp
Anti-Analysis Summary
Table: Anti-Analysis: Tricks summary. Malware samples may employ multiple techniques to evade distinct analysis procedures.
Technique | Description | Reason | Implementation
Anti Debug | Check if running inside a debugger | Blocks reverse engineering attempts | Fingerprinting
Anti VM | Check if running inside a VM | Analysts use VMs for scalability | Execution side-effect
Anti Disassembly | Fool disassemblers to generate wrong opcodes | AV signatures may be based on opcodes | Undecidable constructions
Transparency
1 Higher privileged.
2 No non-privileged side-effects.
3 Identical Basic Instruction Semantics.
4 Transparent Exception Handling.
5 Identical Measurement of Time.
Hardware Features Summary
Technique | PROS | CONS | Gaps
HVM | Ring -1 | Hypervisor development | High overhead
SMM | Ring -2 | BIOS development | High implementation cost
AMT | Ring -3 | Chipset code change | No malware analysis solution
HPCs | Lightweight | Context-limited information | No malware analysis solution
GPU | Easy to program | No register data | No introspection procedures
SGX | Isolates goodware | Also isolates malware | No enclave inspection
SOCs | Tamper-proof | Passive components | Raise alarms
A ring to rule them all!
Figure: Privileged rings.
Figure: New privileged rings.
References
Who watches the watchmen: A security-focused review on current state-of-the-art techniques, tools and methods for systems and binary analysis on modern platforms. ACM Computing Surveys.
Enhancing Branch Monitoring for Security Purposes: From Control Flow Integrity to Malware Analysis and Debugging. ACM Transactions on Privacy and Security.
The other guys: automated analysis of marginalized malware. Journal of Computer Virology and Hacking Techniques.
Conclusions
Thanks Tilo for hosting me.
Open to hear your questions.
Could I develop a performance-counter-based malware analyzer?
Could I isolate processes’ actions?
Figure: Data Storage (DS) AREA.
Could I develop a performance-counter-based malware analyzer?
Could I isolate processes’ actions?
Figure: Local Vector Table (LVT).
Could I develop a performance-counter-based malware analyzer?
Is CG reconstruction possible?
Table: ASLR - Library placement after two consecutive reboots.
Library | NTDLL | KERNEL32 | KERNELBASE
Address 1 | 0xBAF80000 | 0xB9610000 | 0xB8190000
Address 2 | 0x987B0000 | 0x98670000 | 0x958C0000
Could I develop a performance-counter-based malware analyzer?
Is CG reconstruction possible?
Table: Function Offsets from ntdll.dll library.
Function Offset
NtCreateProcess 0x3691
NtCreateProcessEx 0x30B0
NtCreateProfile 0x36A1
NtCreateResourceManager 0x36C1
NtCreateSemaphore 0x36D1
NtCreateSymbolicLinkObject 0x36E1
NtCreateThread 0x30C0
NtCreateThreadEx 0x36F1
Could I develop a performance-counter-based malware analyzer?
Is CG reconstruction possible?
Figure: Introspection Mechanism.
Could I develop a performance-counter-based malware analyzer?
Is CG reconstruction possible?
Figure: Step Into (call graph nodes: NewToy, printf, printf+0xca, __iob_func, printf+0xe3, _lock_file+0x90).
Figure: Step Over (call graph nodes: NewToy, printf, scanf+0x3f).
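The two tables above are what makes call-graph reconstruction from a branch trace feasible: library bases move with every boot, but function offsets inside ntdll.dll stay fixed, so a recorded branch target can be rebased and matched to the nearest symbol. The following C snippet is an added illustration written for this page, not the author's introspection code; the library bases and ntdll offsets are the page's table values, while the module sizes, the KERNEL32 range and the branch records used in the edge function are constructed.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* ntdll.dll function offsets (values from the table above): fixed across reboots. */
typedef struct { const char *name; uint32_t off; } Sym;
static const Sym ntdll_syms[] = {
    {"NtCreateProcessEx", 0x30B0}, {"NtCreateThread", 0x30C0},
    {"NtCreateProcess", 0x3691}, {"NtCreateProfile", 0x36A1},
    {"NtCreateResourceManager", 0x36C1}, {"NtCreateSemaphore", 0x36D1},
    {"NtCreateSymbolicLinkObject", 0x36E1}, {"NtCreateThreadEx", 0x36F1},
};
#define NSYMS (sizeof ntdll_syms / sizeof ntdll_syms[0])

/* Library bases read from the monitored process; ASLR changes them on every boot.
 * Bases are the two boots of the ASLR table above, module sizes are constructed. */
typedef struct { const char *lib; uint64_t base, size; } Module;
static const Module boot1[] = {{"NTDLL", 0xBAF80000ULL, 0x100000}, {"KERNEL32", 0xB9610000ULL, 0x100000}};
static const Module boot2[] = {{"NTDLL", 0x987B0000ULL, 0x100000}, {"KERNEL32", 0x98670000ULL, 0x100000}};

/* Rebase a branch address and resolve it to "LIB!func+0xN", the label style of the
 * Step Into / Step Over call graphs. Returns "?" outside every known module.
 * Not reentrant: the result lives in a static buffer. */
const char *resolve(uint64_t addr, const Module *mods, size_t nmods) {
    static char buf[96];
    for (size_t m = 0; m < nmods; m++) {
        if (addr < mods[m].base || addr >= mods[m].base + mods[m].size) continue;
        unsigned long long rva = addr - mods[m].base;   /* the part ASLR does not change */
        const Sym *best = NULL;
        if (strcmp(mods[m].lib, "NTDLL") == 0)        /* only ntdll has symbols in this demo */
            for (size_t i = 0; i < NSYMS; i++)         /* nearest symbol at or below rva */
                if (ntdll_syms[i].off <= rva && (!best || ntdll_syms[i].off > best->off))
                    best = &ntdll_syms[i];
        if (!best)                 snprintf(buf, sizeof buf, "%s+0x%llx", mods[m].lib, rva);
        else if (rva == best->off) snprintf(buf, sizeof buf, "%s!%s", mods[m].lib, best->name);
        else snprintf(buf, sizeof buf, "%s!%s+0x%llx", mods[m].lib, best->name, rva - best->off);
        return buf;
    }
    return "?";
}

/* One call-graph edge "caller -> callee" from a FROM/TO branch record. */
const char *cg_edge(uint64_t from, uint64_t to, const Module *mods, size_t nmods) {
    static char edge[200];
    char caller[96];
    snprintf(caller, sizeof caller, "%s", resolve(from, mods, nmods)); /* copy: resolve() reuses buf */
    snprintf(edge, sizeof edge, "%s -> %s", caller, resolve(to, mods, nmods));
    return edge;
}
```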
Is CFG reconstruction possible?
Figure: Code block identification.
Is the final solution transparent?
Identified tricks
0x190  xor eax, eax      ; ZF is always set here, so the jnz below is never taken
0x192  jnz 0x19c
0x180  push 0x10a        ; push/ret pair used as a jump to 0x10a
0x185  ret
Is the final solution transparent?
Deviating Behavior
Figure: Deviating behavior identification.
Is the final solution transparent?
Deviating Behavior
Figure: Divergence: True Positive. Figure: Divergence: False Positive.
Could I develop a Debugger?
Inverted I/O
Figure: Debugger’s working mechanism.
Could I develop a Debugger?
Suspending Processes
EnumProcessThreads + SuspendThread.
DebugActiveProcess.
NtSuspendProcess.
Could I develop a Debugger?
Integration
Figure: GDB integration.
Does the solution handle ROP attacks?
ROP Attacks
Figure: ROP chain example.
Does the solution handle ROP attacks?
CALL-RET Policy
Figure: CALL-RET CFI policy.
Does the solution handle ROP attacks?
Gadget-size policy
Figure: KBouncer’s exploit stack.
Does the solution handle ROP attacks?
Exploit Analysis
Table: Excerpt of the branch window of the ROP payload.
FROM | TO
- | 0x7c346c0a
0x7c346c0b | 0x7c37a140
0x7c37a141 | -
Does the solution handle ROP attacks?
Exploit Analysis
7c346c08:  f2 0f 58 c3           addsd  %xmm3,%xmm0
7c346c0c:  66 0f 13 44 24 04     movlpd %xmm0,0x4(%esp)
0x1000 (size=1)  pop rax
0x1001 (size=1)  ret
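The CALL-RET and gadget-size policies from the preceding slides, as an added C illustration that is not the talk's implementation: it runs both checks over a branch window of FROM/TO records like the excerpt above. The addresses of the first record follow the excerpt; the second RET target, the benign window, the call-preceded site and the kBouncer thresholds are constructed or assumed.

```c
#include <stdint.h>
#include <stddef.h>
typedef enum { BR_CALL, BR_RET, BR_JMP } BrKind;
/* One row of the branch window: source, target, branch kind, byte size of the
 * branch instruction, and instructions executed since the previous branch target
 * (the "size=1" bookkeeping shown in the listing above). */
typedef struct { uint64_t from, to; BrKind kind; unsigned size, insns; } Branch;

/* CALL-RET policy: a RET may only land on an address that directly follows a CALL
 * in the disassembled code ("call-preceded"). Returns the number of violations. */
int call_ret_violations(const Branch *w, size_t n, const uint64_t *callpreceded, size_t nsites) {
    int bad = 0;
    for (size_t i = 0; i < n; i++) {
        if (w[i].kind != BR_RET) continue;
        int ok = 0;
        for (size_t j = 0; j < nsites && !ok; j++) ok = (callpreceded[j] == w[i].to);
        if (!ok) bad++;
    }
    return bad;
}

/* Gadget-size policy (kBouncer style): a RET reached after at most max_insns
 * instructions closes a gadget; returns the longest run of consecutive gadgets. */
int longest_gadget_chain(const Branch *w, size_t n, unsigned max_insns) {
    int run = 0, best = 0;
    for (size_t i = 0; i < n; i++) {
        if (w[i].kind == BR_RET && w[i].insns <= max_insns) { if (++run > best) best = run; }
        else run = 0;
    }
    return best;
}

/* Combined verdict. Thresholds are assumptions taken from kBouncer (gadgets of at most
 * 20 instructions, chains of at least 8); one CALL-RET violation is enough on its own. */
int is_rop_chain(const Branch *w, size_t n, const uint64_t *cp, size_t ncp) {
    return call_ret_violations(w, n, cp, ncp) > 0 || longest_gadget_chain(w, n, 20) >= 8;
}

/* Constructed window modelled on the excerpt above: 0x7c346c0a lies inside the
 * addsd at 0x7c346c08 (bytes f2 0f 58 c3), so decoding from there gives 58 c3 =
 * pop eax; ret, a one-instruction gadget whose RET at 0x7c346c0b jumps to the
 * next gadget at 0x7c37a140. The RET at 0x7c37a141 goes to a constructed target. */
static const Branch rop_window[] = {
    {0x7c346c0bULL, 0x7c37a140ULL, BR_RET, 1, 1},
    {0x7c37a141ULL, 0x7c380000ULL, BR_RET, 1, 1},
};
/* Constructed benign window: a 5-byte CALL at 0x7c350000 and the RET back to 0x7c350005. */
static const Branch benign_window[] = {
    {0x7c350000ULL, 0x7c360000ULL, BR_CALL, 5, 30},
    {0x7c360040ULL, 0x7c350005ULL, BR_RET, 1, 25},
};
static const uint64_t callpreceded_sites[] = { 0x7c350005ULL };  /* constructed */
```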
Is the solution easy to implement?
Lines of Code comparison
Figure: Lines of Code by solution (log scale, 100 to 1e6 lines; solutions: Ether:Comp, Ether:Xen, Ether:Patches, Ether:Patch, Ether:Ctl, MAVMM:Comp, MAVMM:Rep, Bit:Comp, Our:Comp, Our:Cli, Our:Drv, Our:Scr).
Is the solution portable?
Talking about Linux
/* Linux kernel: registration of the Intel BTS (Branch Trace Store) PMU with perf. */
static __init int bts_init(void)
{
    bts_pmu.capabilities = PERF_PMU_CAP_AUX_NO_SG | PERF_PMU_CAP_ITRACE;
    bts_pmu.task_ctx_nr  = perf_sw_context;
    bts_pmu.event_init   = bts_event_init;
    bts_pmu.add          = bts_event_add;
    bts_pmu.del          = bts_event_del;
    bts_pmu.start        = bts_event_start;
    bts_pmu.stop         = bts_event_stop;
    bts_pmu.read         = bts_event_read;
    return perf_pmu_register(&bts_pmu, "intel_bts", -1);
}
Is the solution portable?
Talking about Linux
#include <fcntl.h>
#include <unistd.h>

perf_init(&pe, MMAP_PAGES);                     /* tool helper: open the perf event, map MMAP_PAGES pages */
fcntl(gbl_status.fd_evt, F_SETOWN, getpid());   /* signals for the event fd go to this process */
monitor_loop(pid_child, s_outfile);             /* tool helper: consume records while the child runs */
Is the solution's overhead acceptable?
Could the solution run in real-time?
Task | Base value | System monitoring | Penalty | Benchmark monitoring | Penalty
Floating-point operations (op/s) | 101530464 | 99221196 | 2.27% | 97295048 | 4.17%
Integer operations (op/s) | 285649964 | 221666796 | 22.40% | 219928736 | 23.01%
MD5 Hashes (hash/s) | 777633 | 568486 | 26.90% | 568435 | 26.90%
RAM transfer (MB/s) | 7633 | 6628 | 13.17% | 6224 | 18.46%
HDD transfer (MB/s) | 90 | 80 | 11.11% | 75 | 16.67%
Overall (benchm. pt) | 518 | 470 | 9.27% | 439 | 15.25%