SlideShare une entreprise Scribd logo

Stealthy Rootkit : How bad guy fools live memory forensics? - PacSec 2009

Tsukasa Oi
Tsukasa Oi
Technologie
1  sur  54
Télécharger pour lire hors ligne
Stealthy Rootkit How bad guy fools live memory forensics? Tsukasa Ooi <li@livegrid.org> Livegrid Incorporated, Lead Analyst
Related Topics • Live Memory Forensics • Anti-forensics • Rootkits
What is “Live Memory Forensics?” • Forensics based on memory contents of running machine – Finding “Evidence” – Searching malware • Normally, we use physical memory dump acquired by dedicated tools – Contents of physical memory
Live Memory Forensics Process 1. Acquire Physical Memory with Dedicated Tool a. Map physical memory range b. Copy memory mapped contents c. Save contents 2. Put memory dump into Forensic Software 3. Analyze with Forensic Software a. Recover System contents from dump b. Analyze recovered system
What is “Anti-forensics?” (1) • Way to prevent/fake forensics • Not only Attackers! – “Bad guy” who wants to get rid of investigation CAN INSTALL rootkit on his OWN machine to fool investigator.
What is “Anti-forensics?” (2) • EXISTING “Anti-Forensic Way” can have Great Meaning… – Reliability of Forensics is lowered… – No longer needed to “hack” – Can lose in court even if you have “evidence” • Reliability of Forensics is Very Important
Live Memory Forensics Process 1. Acquire Physical Memory with Dedicated Tool a. Map physical memory range b. Copy memory mapped this! We want to exploit contents c. Save contents 2. Put memory dump into Forensic Software 3. Analyze with Forensic Software a. Recover System contents from dump b. Analyze recovered system
Result was… WHAT ROOTKIT CAN DO?
Like “Mythbusters”… • EnCase • WinEN • FastDump • dd, Forensic Acquisition Tools, win32dd, Memory DD… • Windows Hibernation (hiberfil.sys) • Microsoft Windows Crashdump (*.dmp)
Fact (1): INVISIBLE FROM ALMOST ALL FORENSIC SOFTWARE
Why rootkit hidden from these? • Subverting Page Table(s) – Shadow Paging • Weakness of current (dedicated) forensic tools
What is Page Table? (1) • A Mechanism to separate Physical memory layout and Logical structure • Table to translate Linear Address (that CPU use) to the physical one • Manage Logical memory space with divided chunk (called “page”), normally 4KiB block
What is Page Table? (2) Chunk A Page Table Chunk B Physical Memory Logical Space
What is Page Table? (3) Linear Physical 0x12345000 0x14fab000 0x12346000 0x0c812000 0x12347000 (Not Present) 0x12348000 0x215d9000 0x12349000 0x4991f000 Linear Address Physical Address 0x12346804 0x0c812804
What is Page Table? (4) Linear Physical 0x12345000 0x14fab000 0x12346000 0x0c812000 0x12347000 (Not Present) 0x12348000 0x215d9000 0x12349000 0x4991f000 Linear Address 0x12347804 Page Fault occur!
What is Page Table? (5) • Page Fault (exception) – Occur when… • There is no Physical Address present associated to Linear address • Access Violating Page’s access control – Page Fault Handler specified by IDT (Interrupt Descriptor Table) handles this exception • Access Control of Page – Physical Address of Page is Present (P bit) – Is Page Writable (R/W bit) – Is Page access Prohibited by application (U/S bit) – Is Page execution Prohibited (NX bit)
What is Page Table? (6) • System Registers related to Page Table – CR3 Specify Physical Address of Page Table – CR2 When Page Fault occur, Linear Address that caused Page Fault is stored
What is Page Table? (7) • Page Table is very important structure to manage memory! • Also Useful for rootkits…
Way to do this: TAKE CONTROL OF PAGE TABLE
Shadow Paging (1) • Originally, This is one of the way to virtualize memory of guest OS • Make a copy of Page Table and Reflect one Shadow Page Table change from original Page Table’s one • Normally, Shadow Paging cannot be implemented without CPU support of virtualization (such as Intel VT-x, AMD-V…)
“NORMAL” Shadow Paging (1) • Write-protect Page Table of guest OS • Detect Page Table write of guest OS by Page Fault and do correspond changes to “SHADOW” Page Table Linear Physical Linear Physical (Virtualized) Physical (Real) 0x12345000 0x14fab000 0x12345000 0x14fab000 0x24f03000 0x12346000 0x0c812000 0x12346000 0x0c812000 0x12580000 0x12347000 0x44ab1000 → 0x31442000 0x12347000 0x44ab1000 → 0x31442000 0x1dabc000 → 0x4d3f2000 0x12348000 0x215d9000 0x12348000 0x215d9000 0x379df000 0x12349000 0x4991f000 0x12349000 0x4991f000 0x0732f000 (Virtualized) Page Table Shadow (Real) Page Table
“NORMAL” Shadow Paging (2) • Normally, two Page Table Entries points same data are “SAME” Data Page Table Shadow Page Table
Shadow Paging (2) • Despite of this, Shadow Paging can be implemented if some conditions are fulfilled – CR0.WP bit is always set – All Changes of CR3 registers are done by known point of operating system – Page Table Handler is hooked – (Other conditions are abridged) • In normal condition, most of operating system fulfills these conditions (Windows, Linux…)
Taking control of Page Table! 1. Set own (rootkit’s) Page Fault Handler 2. Make copy of Page Table (for rootkit) and Do Shadow Paging 3. Impersonate (or camouflage) address range of re-mapped memory
“NORMAL” Shadow Paging (2) • Normally, two Page Table Entries points same data are “SAME” Data Page Table Shadow Page Table
“MALICIOUS” Shadow Paging (1) • In “Malicious” Shadow Paging, modify mapping of certain (malicious) memory ranges Malicious Data Page Table Shadow Page Table Patch! Normal Data
“MALICIOUS” Shadow Paging (2) • Watch Page Table write • If Page Table is written, check if… – Physical Address is malicious (modified) data/code – Corresponding Linear Address is NOT a address where should be • If these two conditions are fulfilled, rootkit alter this Page Table Entry mapping
“MALICIOUS” Shadow Paging (3) Address A Malicious Data Address A the address where should be (e.g. in the kernel) Normal Data
“MALICIOUS” Shadow Paging (3) Address A Malicious Data Address A the address where should be (e.g. in the kernel) Address B Address B the address Forensic Software expects this behavior forensic software remaps Normal Data
“MALICIOUS” Shadow Paging (3) Address A Malicious Data Address A the address where should be (e.g. in the kernel) Address B Address B the address This remapping is forensic software redirected! remaps Normal Data
“MALICIOUS” Shadow Paging (4) • These remapping like previous example is WHAT FORENSIC SOFTWARE DOES – When making Hibernation File and Crashdump File, Same remapping will occur • As a result, this rootkit is invisible from almost all forensic software and Windows-made memory dump • Rootkit can fake “nearly everything”
Weakness of Forensic Software (1) • Doing physical memory acquisition UNDER THE CONTEXT THAT ROOTKIT CAN EXIST – Page Fault can happen on mapping – Trusting operating system features (that may be tainted) • Not only this…
Weakness of Forensic Software (2) • Many software still use ¥Device¥PhysicalMemory! – Anti-forensic implementation is announced 3 years ago! (DDefy : http://www.slideshare.net/amiable_indian/antiforensic-rootkits) – Many forensic software (such as EnCase, FastDump) uses this device to acquire physical memory • This device can be “single-point-of-failure” – Many forensic software (not much as Shadow Paging based rootkit) can be faked if we just hook this device
Fact (2): DON’T USE FORENSICS FOR ROOTKIT DETECTION
Way to Workaround (1) • To detect rootkit, use local detection software (such as GMER, Rootkit Unhooker…) – Actually, this rootkit is not so difficult to detect locally. – Using these software, we can detect changes done by rootkit • Don’t trust forensic input when rootkit infection is possible
Way to Workaround (2) • But this is only symptomatic way – Forensic input is a “dump” if machine is tainted by rootkit • Can we improve implementation of forensic software? …YES
Anti-Anti-Forensics: ACQUIRE CORRECT MEMORY AGAINST ROOTKITS
Remember previous slides…
Previous Slide : Shadow Paging (2) • Despite of this, Shadow Paging can be implemented if some conditions are fulfilled – CR0.WP bit is always set – All Changes of CR3 registers are done by known point of operating system – Page Table Handler is hooked – (Other conditions are abridged) • In normal condition, most of operating system fulfills these conditions (Windows, Linux…)
Way to Acquire correct memory contents (1) • Destroy Context of Shadow Paging – Reset CR0.WP bit – Change CR3 register to own Page Table (CR3 is pointer to Page Table) – Set own Page Fault Handler • These are easy to implement and effective
Way to Acquire correct memory contents (2) CR3 Shadow Page Table Page Table
Way to Acquire correct memory contents (2) CR3 Shadow Own Page Table Page Table Page Table
Way to Acquire correct memory content (3) • To hook all interrupts (including exceptions), modify interrupt vector by LIDT instruction • Make own Page Table (for acquisition) • Set CR3 to own Page Table and acquire physical memory • They are still problems, but we can acquire correct contents of memory
Problems left [But no need to deal with] (1) • In rootkit context, there are no way to get correct Physical Address associated to Linear Address – In other words, there are no way to validate if own Page Table points valid memory range – rootkit still can prevent acquisition of memory • For instance, rootkit can force reset computer if forensic software tries to acquire memory
Problems left [But no need to deal with] (2) • Even though, faking physical memory content without any doubt is nearly impossible – rootkit actually can reset computer but… it makes user doubt! – some driver compatibility is lost
Also problems for these rootkits CONSIDERATIONS OF THESE ROOTKITS
Considerations (1) • Proof-of-Concept was built for x86+Windows, but this anti-forensic technique is cross-platform. – Another operating systems running on x86 • Linux, Mac OS X… – x86_64 architecture – Other CPUs supporting paging
Considerations (2) • This rootkit cannot detected from Hibernation File – In other words, rootkit is (temporally) removed if you hibernate the computer. – Reinfection code is needed to prevent that behavior, but it also raises possibilities of detection
Considerations (3) • Implementation for SMP is very, very difficult – State of Page Table can be “unstable” therefore many code is needed to handle these state • No SMP implementation in public proof-of-concept source code
Considerations (4) • Forensic input unaffected: – Improved Forensic Implementation – State File of Virtual Machines • vmem file in VMware – Acquisition using Hardware • 1394memimage (FireWire / IEEE1394)
About all of this: CONCLUSION
Conclusion • Current live memory forensics is “a broken concept” • If you want to detect rootkits, use local rootkit detection software (GMER, Rootkit Unhooker…) even you use live memory forensics • There are ways to counter with rootkits • It is not time sensitive, but future forensic implementation must be updated
Have any questions? THANK YOU. Tsukasa Ooi <li@livegrid.org> Livegrid Incorporated, Lead Analyst
Technical Articles and Sources • … will be available November, 2009 • at http://a4lg.com/

Recommandé

20070407 Rit2007 Xmltype Samokhvalov
20070407 Rit2007 Xmltype Samokhvalov20070407 Rit2007 Xmltype Samokhvalov
20070407 Rit2007 Xmltype SamokhvalovNikolay Samokhvalov
 
Input and Output Devices and Systems
Input and Output Devices and SystemsInput and Output Devices and Systems
Input and Output Devices and SystemsNajma Alam
 
Penetration Testing vs. Vulnerability Scanning
Penetration Testing vs. Vulnerability ScanningPenetration Testing vs. Vulnerability Scanning
Penetration Testing vs. Vulnerability ScanningSecurityMetrics
 
Vulnerability Scanning or Penetration Testing?
Vulnerability Scanning or Penetration Testing?Vulnerability Scanning or Penetration Testing?
Vulnerability Scanning or Penetration Testing?amiable_indian
 
Web application security & Testing
Web application security & TestingWeb application security & Testing
Web application security & TestingDeepu S Nath
 
Security Testing by Ken De Souza
Security Testing by Ken De SouzaSecurity Testing by Ken De Souza
Security Testing by Ken De SouzaQA or the Highway
 
Lack of System Registers and two simple anti-forensic attacks - AVTokyo 2009
Lack of System Registers and two simple anti-forensic attacks - AVTokyo 2009Lack of System Registers and two simple anti-forensic attacks - AVTokyo 2009
Lack of System Registers and two simple anti-forensic attacks - AVTokyo 2009Tsukasa Oi
 
Ensuring High Availability for Real-time Analytics featuring Boxed Ice / Serv...
Ensuring High Availability for Real-time Analytics featuring Boxed Ice / Serv...Ensuring High Availability for Real-time Analytics featuring Boxed Ice / Serv...
Ensuring High Availability for Real-time Analytics featuring Boxed Ice / Serv...MongoDB
 

Recommandé

20070407 Rit2007 Xmltype Samokhvalov
20070407 Rit2007 Xmltype Samokhvalov20070407 Rit2007 Xmltype Samokhvalov
20070407 Rit2007 Xmltype SamokhvalovNikolay Samokhvalov
 
Input and Output Devices and Systems
Input and Output Devices and SystemsInput and Output Devices and Systems
Input and Output Devices and SystemsNajma Alam
 
Penetration Testing vs. Vulnerability Scanning
Penetration Testing vs. Vulnerability ScanningPenetration Testing vs. Vulnerability Scanning
Penetration Testing vs. Vulnerability ScanningSecurityMetrics
 
Vulnerability Scanning or Penetration Testing?
Vulnerability Scanning or Penetration Testing?Vulnerability Scanning or Penetration Testing?
Vulnerability Scanning or Penetration Testing?amiable_indian
 
Web application security & Testing
Web application security & TestingWeb application security & Testing
Web application security & TestingDeepu S Nath
 
Security Testing by Ken De Souza
Security Testing by Ken De SouzaSecurity Testing by Ken De Souza
Security Testing by Ken De SouzaQA or the Highway
 
Lack of System Registers and two simple anti-forensic attacks - AVTokyo 2009
Lack of System Registers and two simple anti-forensic attacks - AVTokyo 2009Lack of System Registers and two simple anti-forensic attacks - AVTokyo 2009
Lack of System Registers and two simple anti-forensic attacks - AVTokyo 2009Tsukasa Oi
 
Ensuring High Availability for Real-time Analytics featuring Boxed Ice / Serv...
Ensuring High Availability for Real-time Analytics featuring Boxed Ice / Serv...Ensuring High Availability for Real-time Analytics featuring Boxed Ice / Serv...
Ensuring High Availability for Real-time Analytics featuring Boxed Ice / Serv...MongoDB
 
You suck at Memory Analysis
You suck at Memory AnalysisYou suck at Memory Analysis
You suck at Memory AnalysisFrancisco Ribeiro
 
MongoDB: Optimising for Performance, Scale & Analytics
MongoDB: Optimising for Performance, Scale & AnalyticsMongoDB: Optimising for Performance, Scale & Analytics
MongoDB: Optimising for Performance, Scale & AnalyticsServer Density
 
ikh311-07
ikh311-07ikh311-07
ikh311-07Anung Ariwibowo
 
Eat my data
Eat my dataEat my data
Eat my dataPeng Zuo
 
Monitoring MongoDB (MongoSV)
Monitoring MongoDB (MongoSV)Monitoring MongoDB (MongoSV)
Monitoring MongoDB (MongoSV)Boxed Ice
 
MongoDB Best Practices in AWS
MongoDB Best Practices in AWS MongoDB Best Practices in AWS
MongoDB Best Practices in AWS Chris Harris
 
Android Mind Reading: Android Live Memory Analysis with LiME and Volatility
Android Mind Reading: Android Live Memory Analysis with LiME and VolatilityAndroid Mind Reading: Android Live Memory Analysis with LiME and Volatility
Android Mind Reading: Android Live Memory Analysis with LiME and VolatilityJoe Sylve
 
Data recovery
Data recoveryData recovery
Data recoveryRavi Malik
 
Extreme Apache Spark: how in 3 months we created a pipeline that can process ...
Extreme Apache Spark: how in 3 months we created a pipeline that can process ...Extreme Apache Spark: how in 3 months we created a pipeline that can process ...
Extreme Apache Spark: how in 3 months we created a pipeline that can process ...Josef A. Habdank
 
Live Memory Forensics on Android devices
Live Memory Forensics on Android devicesLive Memory Forensics on Android devices
Live Memory Forensics on Android devicesNikos Gkogkos
 
Ganesh naik linux_kernel_internals
Ganesh naik linux_kernel_internalsGanesh naik linux_kernel_internals
Ganesh naik linux_kernel_internalsGanesh Naik
 
Ganesh naik linux_kernel_internals
Ganesh naik linux_kernel_internalsGanesh naik linux_kernel_internals
Ganesh naik linux_kernel_internalsnullowaspmumbai
 
Preventing and Resolving MySQL Downtime
Preventing and Resolving MySQL DowntimePreventing and Resolving MySQL Downtime
Preventing and Resolving MySQL DowntimeJervin Real
 
Larson Macaulay apt_malware_past_present_future_out_of_band_techniques
Larson Macaulay apt_malware_past_present_future_out_of_band_techniquesLarson Macaulay apt_malware_past_present_future_out_of_band_techniques
Larson Macaulay apt_malware_past_present_future_out_of_band_techniquesScott K. Larson
 
Performance and predictability (1)
Performance and predictability (1)Performance and predictability (1)
Performance and predictability (1)RichardWarburton
 
Performance and Predictability - Richard Warburton
Performance and Predictability - Richard WarburtonPerformance and Predictability - Richard Warburton
Performance and Predictability - Richard WarburtonJAXLondon2014
 
Monitoring MongoDB (MongoUK)
Monitoring MongoDB (MongoUK)Monitoring MongoDB (MongoUK)
Monitoring MongoDB (MongoUK)Boxed Ice
 
BSides MCR 2016: From CSV to CMD to qwerty
BSides MCR 2016: From CSV to CMD to qwertyBSides MCR 2016: From CSV to CMD to qwerty
BSides MCR 2016: From CSV to CMD to qwertyJerome Smith
 
Deploying MongoDB for the Win
Deploying MongoDB for the WinDeploying MongoDB for the Win
Deploying MongoDB for the WinMongoDB
 
Capacity Planning For Web Operations Presentation
Capacity Planning For Web Operations PresentationCapacity Planning For Web Operations Presentation
Capacity Planning For Web Operations Presentationjward5519
 
Farewell, Stagefright bugs!
Farewell, Stagefright bugs!Farewell, Stagefright bugs!
Farewell, Stagefright bugs!Tsukasa Oi
 
さらば、Stagefright 脆弱性
さらば、Stagefright 脆弱性さらば、Stagefright 脆弱性
さらば、Stagefright 脆弱性Tsukasa Oi
 

Contenu connexe

Similaire à Stealthy Rootkit : How bad guy fools live memory forensics? - PacSec 2009

MongoDB: Optimising for Performance, Scale & Analytics
MongoDB: Optimising for Performance, Scale & AnalyticsMongoDB: Optimising for Performance, Scale & Analytics
MongoDB: Optimising for Performance, Scale & AnalyticsServer Density
 
Eat my data
Eat my dataEat my data
Eat my dataPeng Zuo
 
Monitoring MongoDB (MongoSV)
Monitoring MongoDB (MongoSV)Monitoring MongoDB (MongoSV)
Monitoring MongoDB (MongoSV)Boxed Ice
 
MongoDB Best Practices in AWS
MongoDB Best Practices in AWS MongoDB Best Practices in AWS
MongoDB Best Practices in AWS Chris Harris
 
Android Mind Reading: Android Live Memory Analysis with LiME and Volatility
Android Mind Reading: Android Live Memory Analysis with LiME and VolatilityAndroid Mind Reading: Android Live Memory Analysis with LiME and Volatility
Android Mind Reading: Android Live Memory Analysis with LiME and VolatilityJoe Sylve
 
Extreme Apache Spark: how in 3 months we created a pipeline that can process ...
Extreme Apache Spark: how in 3 months we created a pipeline that can process ...Extreme Apache Spark: how in 3 months we created a pipeline that can process ...
Extreme Apache Spark: how in 3 months we created a pipeline that can process ...Josef A. Habdank
 
Live Memory Forensics on Android devices
Live Memory Forensics on Android devicesLive Memory Forensics on Android devices
Live Memory Forensics on Android devicesNikos Gkogkos
 
Ganesh naik linux_kernel_internals
Ganesh naik linux_kernel_internalsGanesh naik linux_kernel_internals
Ganesh naik linux_kernel_internalsGanesh Naik
 
Ganesh naik linux_kernel_internals
Ganesh naik linux_kernel_internalsGanesh naik linux_kernel_internals
Ganesh naik linux_kernel_internalsnullowaspmumbai
 
Preventing and Resolving MySQL Downtime
Preventing and Resolving MySQL DowntimePreventing and Resolving MySQL Downtime
Preventing and Resolving MySQL DowntimeJervin Real
 
Larson Macaulay apt_malware_past_present_future_out_of_band_techniques
Larson Macaulay apt_malware_past_present_future_out_of_band_techniquesLarson Macaulay apt_malware_past_present_future_out_of_band_techniques
Larson Macaulay apt_malware_past_present_future_out_of_band_techniquesScott K. Larson
 
Performance and predictability (1)
Performance and predictability (1)Performance and predictability (1)
Performance and predictability (1)RichardWarburton
 
Performance and Predictability - Richard Warburton
Performance and Predictability - Richard WarburtonPerformance and Predictability - Richard Warburton
Performance and Predictability - Richard WarburtonJAXLondon2014
 
Monitoring MongoDB (MongoUK)
Monitoring MongoDB (MongoUK)Monitoring MongoDB (MongoUK)
Monitoring MongoDB (MongoUK)Boxed Ice
 
BSides MCR 2016: From CSV to CMD to qwerty
BSides MCR 2016: From CSV to CMD to qwertyBSides MCR 2016: From CSV to CMD to qwerty
BSides MCR 2016: From CSV to CMD to qwertyJerome Smith
 
Deploying MongoDB for the Win
Deploying MongoDB for the WinDeploying MongoDB for the Win
Deploying MongoDB for the WinMongoDB
 
Capacity Planning For Web Operations Presentation
Capacity Planning For Web Operations PresentationCapacity Planning For Web Operations Presentation
Capacity Planning For Web Operations Presentationjward5519
 

Similaire à Stealthy Rootkit : How bad guy fools live memory forensics? - PacSec 2009 (20)

You suck at Memory Analysis
You suck at Memory AnalysisYou suck at Memory Analysis
You suck at Memory Analysis
 
MongoDB: Optimising for Performance, Scale & Analytics
MongoDB: Optimising for Performance, Scale & AnalyticsMongoDB: Optimising for Performance, Scale & Analytics
MongoDB: Optimising for Performance, Scale & Analytics
 
ikh311-07
ikh311-07ikh311-07
ikh311-07
 
Eat my data
Eat my dataEat my data
Eat my data
 
Monitoring MongoDB (MongoSV)
Monitoring MongoDB (MongoSV)Monitoring MongoDB (MongoSV)
Monitoring MongoDB (MongoSV)
 
MongoDB Best Practices in AWS
MongoDB Best Practices in AWS MongoDB Best Practices in AWS
MongoDB Best Practices in AWS
 
Android Mind Reading: Android Live Memory Analysis with LiME and Volatility
Android Mind Reading: Android Live Memory Analysis with LiME and VolatilityAndroid Mind Reading: Android Live Memory Analysis with LiME and Volatility
Android Mind Reading: Android Live Memory Analysis with LiME and Volatility
 
Data recovery
Data recoveryData recovery
Data recovery
 
Extreme Apache Spark: how in 3 months we created a pipeline that can process ...
Extreme Apache Spark: how in 3 months we created a pipeline that can process ...Extreme Apache Spark: how in 3 months we created a pipeline that can process ...
Extreme Apache Spark: how in 3 months we created a pipeline that can process ...
 
Live Memory Forensics on Android devices
Live Memory Forensics on Android devicesLive Memory Forensics on Android devices
Live Memory Forensics on Android devices
 
Ganesh naik linux_kernel_internals
Ganesh naik linux_kernel_internalsGanesh naik linux_kernel_internals
Ganesh naik linux_kernel_internals
 
Ganesh naik linux_kernel_internals
Ganesh naik linux_kernel_internalsGanesh naik linux_kernel_internals
Ganesh naik linux_kernel_internals
 
Preventing and Resolving MySQL Downtime
Preventing and Resolving MySQL DowntimePreventing and Resolving MySQL Downtime
Preventing and Resolving MySQL Downtime
 
Larson Macaulay apt_malware_past_present_future_out_of_band_techniques
Larson Macaulay apt_malware_past_present_future_out_of_band_techniquesLarson Macaulay apt_malware_past_present_future_out_of_band_techniques
Larson Macaulay apt_malware_past_present_future_out_of_band_techniques
 
Performance and predictability (1)
Performance and predictability (1)Performance and predictability (1)
Performance and predictability (1)
 
Performance and Predictability - Richard Warburton
Performance and Predictability - Richard WarburtonPerformance and Predictability - Richard Warburton
Performance and Predictability - Richard Warburton
 
Monitoring MongoDB (MongoUK)
Monitoring MongoDB (MongoUK)Monitoring MongoDB (MongoUK)
Monitoring MongoDB (MongoUK)
 
BSides MCR 2016: From CSV to CMD to qwerty
BSides MCR 2016: From CSV to CMD to qwertyBSides MCR 2016: From CSV to CMD to qwerty
BSides MCR 2016: From CSV to CMD to qwerty
 
Deploying MongoDB for the Win
Deploying MongoDB for the WinDeploying MongoDB for the Win
Deploying MongoDB for the Win
 
Capacity Planning For Web Operations Presentation
Capacity Planning For Web Operations PresentationCapacity Planning For Web Operations Presentation
Capacity Planning For Web Operations Presentation
 

Plus de Tsukasa Oi

Farewell, Stagefright bugs!
Farewell, Stagefright bugs!Farewell, Stagefright bugs!
Farewell, Stagefright bugs!Tsukasa Oi
 
さらば、Stagefright 脆弱性
さらば、Stagefright 脆弱性さらば、Stagefright 脆弱性
さらば、Stagefright 脆弱性Tsukasa Oi
 
Windows をより安全にする SafeSEH on MinGW
Windows をより安全にする SafeSEH on MinGWWindows をより安全にする SafeSEH on MinGW
Windows をより安全にする SafeSEH on MinGWTsukasa Oi
 
A New Tracer for Reverse Engineering - PacSec 2010
A New Tracer for Reverse Engineering - PacSec 2010A New Tracer for Reverse Engineering - PacSec 2010
A New Tracer for Reverse Engineering - PacSec 2010Tsukasa Oi
 
リバースエンジニアリングのための新しいトレース手法 - PacSec 2010
リバースエンジニアリングのための新しいトレース手法 - PacSec 2010リバースエンジニアリングのための新しいトレース手法 - PacSec 2010
リバースエンジニアリングのための新しいトレース手法 - PacSec 2010Tsukasa Oi
 
ステルスルートキット : 悪いヤツはどうライブメモリフォレンジックをすり抜ける? - PacSec 2009
ステルスルートキット : 悪いヤツはどうライブメモリフォレンジックをすり抜ける? - PacSec 2009ステルスルートキット : 悪いヤツはどうライブメモリフォレンジックをすり抜ける? - PacSec 2009
ステルスルートキット : 悪いヤツはどうライブメモリフォレンジックをすり抜ける? - PacSec 2009Tsukasa Oi
 
Creating Secure VM (Comarison between Intel and AMD, and one more thing...) -...
Creating Secure VM (Comarison between Intel and AMD, and one more thing...) -...Creating Secure VM (Comarison between Intel and AMD, and one more thing...) -...
Creating Secure VM (Comarison between Intel and AMD, and one more thing...) -...Tsukasa Oi
 
システムレジスタの不足と2つのシンプルなアンチフォレンジック攻撃 - AVTokyo 2009
システムレジスタの不足と2つのシンプルなアンチフォレンジック攻撃 - AVTokyo 2009システムレジスタの不足と2つのシンプルなアンチフォレンジック攻撃 - AVTokyo 2009
システムレジスタの不足と2つのシンプルなアンチフォレンジック攻撃 - AVTokyo 2009Tsukasa Oi
 
セキュアVMの構築 (IntelとAMDの比較、あともうひとつ...) - AVTokyo 2009
セキュアVMの構築 (IntelとAMDの比較、あともうひとつ...) - AVTokyo 2009セキュアVMの構築 (IntelとAMDの比較、あともうひとつ...) - AVTokyo 2009
セキュアVMの構築 (IntelとAMDの比較、あともうひとつ...) - AVTokyo 2009Tsukasa Oi
 

Plus de Tsukasa Oi (9)

Farewell, Stagefright bugs!
Farewell, Stagefright bugs!Farewell, Stagefright bugs!
Farewell, Stagefright bugs!
 
さらば、Stagefright 脆弱性
さらば、Stagefright 脆弱性さらば、Stagefright 脆弱性
さらば、Stagefright 脆弱性
 
Windows をより安全にする SafeSEH on MinGW
Windows をより安全にする SafeSEH on MinGWWindows をより安全にする SafeSEH on MinGW
Windows をより安全にする SafeSEH on MinGW
 
A New Tracer for Reverse Engineering - PacSec 2010
A New Tracer for Reverse Engineering - PacSec 2010A New Tracer for Reverse Engineering - PacSec 2010
A New Tracer for Reverse Engineering - PacSec 2010
 
リバースエンジニアリングのための新しいトレース手法 - PacSec 2010
リバースエンジニアリングのための新しいトレース手法 - PacSec 2010リバースエンジニアリングのための新しいトレース手法 - PacSec 2010
リバースエンジニアリングのための新しいトレース手法 - PacSec 2010
 
ステルスルートキット : 悪いヤツはどうライブメモリフォレンジックをすり抜ける? - PacSec 2009
ステルスルートキット : 悪いヤツはどうライブメモリフォレンジックをすり抜ける? - PacSec 2009ステルスルートキット : 悪いヤツはどうライブメモリフォレンジックをすり抜ける? - PacSec 2009
ステルスルートキット : 悪いヤツはどうライブメモリフォレンジックをすり抜ける? - PacSec 2009
 
Creating Secure VM (Comarison between Intel and AMD, and one more thing...) -...
Creating Secure VM (Comarison between Intel and AMD, and one more thing...) -...Creating Secure VM (Comarison between Intel and AMD, and one more thing...) -...
Creating Secure VM (Comarison between Intel and AMD, and one more thing...) -...
 
システムレジスタの不足と2つのシンプルなアンチフォレンジック攻撃 - AVTokyo 2009
システムレジスタの不足と2つのシンプルなアンチフォレンジック攻撃 - AVTokyo 2009システムレジスタの不足と2つのシンプルなアンチフォレンジック攻撃 - AVTokyo 2009
システムレジスタの不足と2つのシンプルなアンチフォレンジック攻撃 - AVTokyo 2009
 
セキュアVMの構築 (IntelとAMDの比較、あともうひとつ...) - AVTokyo 2009
セキュアVMの構築 (IntelとAMDの比較、あともうひとつ...) - AVTokyo 2009セキュアVMの構築 (IntelとAMDの比較、あともうひとつ...) - AVTokyo 2009
セキュアVMの構築 (IntelとAMDの比較、あともうひとつ...) - AVTokyo 2009
 

Dernier

TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024Lonnie McRorey
 
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptxUse of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptxLoriGlavin3
 
The State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptxThe State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptxLoriGlavin3
 
Generative AI for Technical Writer or Information Developers
Generative AI for Technical Writer or Information DevelopersGenerative AI for Technical Writer or Information Developers
Generative AI for Technical Writer or Information DevelopersRaghuram Pandurangan
 
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024BookNet Canada
 
Generative Artificial Intelligence: How generative AI works.pdf
Generative Artificial Intelligence: How generative AI works.pdfGenerative Artificial Intelligence: How generative AI works.pdf
Generative Artificial Intelligence: How generative AI works.pdfIngrid Airi González
 
Assure Ecommerce and Retail Operations Uptime with ThousandEyes
Assure Ecommerce and Retail Operations Uptime with ThousandEyesAssure Ecommerce and Retail Operations Uptime with ThousandEyes
Assure Ecommerce and Retail Operations Uptime with ThousandEyesThousandEyes
 
Rise of the Machines: Known As Drones...
Rise of the Machines: Known As Drones...Rise of the Machines: Known As Drones...
Rise of the Machines: Known As Drones...Rick Flair
 
Take control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test SuiteTake control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test SuiteDianaGray10
 
How to Effectively Monitor SD-WAN and SASE Environments with ThousandEyes
How to Effectively Monitor SD-WAN and SASE Environments with ThousandEyesHow to Effectively Monitor SD-WAN and SASE Environments with ThousandEyes
How to Effectively Monitor SD-WAN and SASE Environments with ThousandEyesThousandEyes
 
TrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data PrivacyTrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data PrivacyTrustArc
 
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptxMerck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptxLoriGlavin3
 
Scale your database traffic with Read & Write split using MySQL Router
Scale your database traffic with Read & Write split using MySQL RouterScale your database traffic with Read & Write split using MySQL Router
Scale your database traffic with Read & Write split using MySQL RouterMydbops
 
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptxThe Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptxLoriGlavin3
 
So einfach geht modernes Roaming fuer Notes und Nomad.pdf
So einfach geht modernes Roaming fuer Notes und Nomad.pdfSo einfach geht modernes Roaming fuer Notes und Nomad.pdf
So einfach geht modernes Roaming fuer Notes und Nomad.pdfpanagenda
 
Long journey of Ruby standard library at RubyConf AU 2024
Long journey of Ruby standard library at RubyConf AU 2024Long journey of Ruby standard library at RubyConf AU 2024
Long journey of Ruby standard library at RubyConf AU 2024Hiroshi SHIBATA
 
Unleashing Real-time Insights with ClickHouse_ Navigating the Landscape in 20...
Unleashing Real-time Insights with ClickHouse_ Navigating the Landscape in 20...Unleashing Real-time Insights with ClickHouse_ Navigating the Landscape in 20...
Unleashing Real-time Insights with ClickHouse_ Navigating the Landscape in 20...Alkin Tezuysal
 
Data governance with Unity Catalog Presentation
Data governance with Unity Catalog PresentationData governance with Unity Catalog Presentation
Data governance with Unity Catalog PresentationKnoldus Inc.
 
Sample pptx for embedding into website for demo
Sample pptx for embedding into website for demoSample pptx for embedding into website for demo
Sample pptx for embedding into website for demoHarshalMandlekar2
 
The Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and ConsThe Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and ConsPixlogix Infotech
 

Dernier (20)

TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024
 
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptxUse of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
 
The State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptxThe State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptx
 
Generative AI for Technical Writer or Information Developers
Generative AI for Technical Writer or Information DevelopersGenerative AI for Technical Writer or Information Developers
Generative AI for Technical Writer or Information Developers
 
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
 
Generative Artificial Intelligence: How generative AI works.pdf
Generative Artificial Intelligence: How generative AI works.pdfGenerative Artificial Intelligence: How generative AI works.pdf
Generative Artificial Intelligence: How generative AI works.pdf
 
Assure Ecommerce and Retail Operations Uptime with ThousandEyes
Assure Ecommerce and Retail Operations Uptime with ThousandEyesAssure Ecommerce and Retail Operations Uptime with ThousandEyes
Assure Ecommerce and Retail Operations Uptime with ThousandEyes
 
Rise of the Machines: Known As Drones...
Rise of the Machines: Known As Drones...Rise of the Machines: Known As Drones...
Rise of the Machines: Known As Drones...
 
Take control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test SuiteTake control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test Suite
 
How to Effectively Monitor SD-WAN and SASE Environments with ThousandEyes
How to Effectively Monitor SD-WAN and SASE Environments with ThousandEyesHow to Effectively Monitor SD-WAN and SASE Environments with ThousandEyes
How to Effectively Monitor SD-WAN and SASE Environments with ThousandEyes
 
TrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data PrivacyTrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data Privacy
 
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptxMerck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
 
Scale your database traffic with Read & Write split using MySQL Router
Scale your database traffic with Read & Write split using MySQL RouterScale your database traffic with Read & Write split using MySQL Router
Scale your database traffic with Read & Write split using MySQL Router
 
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptxThe Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
 
So einfach geht modernes Roaming fuer Notes und Nomad.pdf
So einfach geht modernes Roaming fuer Notes und Nomad.pdfSo einfach geht modernes Roaming fuer Notes und Nomad.pdf
So einfach geht modernes Roaming fuer Notes und Nomad.pdf
 
Long journey of Ruby standard library at RubyConf AU 2024
Long journey of Ruby standard library at RubyConf AU 2024Long journey of Ruby standard library at RubyConf AU 2024
Long journey of Ruby standard library at RubyConf AU 2024
 
Unleashing Real-time Insights with ClickHouse_ Navigating the Landscape in 20...
Unleashing Real-time Insights with ClickHouse_ Navigating the Landscape in 20...Unleashing Real-time Insights with ClickHouse_ Navigating the Landscape in 20...
Unleashing Real-time Insights with ClickHouse_ Navigating the Landscape in 20...
 
Data governance with Unity Catalog Presentation
Data governance with Unity Catalog PresentationData governance with Unity Catalog Presentation
Data governance with Unity Catalog Presentation
 
Sample pptx for embedding into website for demo
Sample pptx for embedding into website for demoSample pptx for embedding into website for demo
Sample pptx for embedding into website for demo
 
The Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and ConsThe Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and Cons
 

Stealthy Rootkit : How bad guy fools live memory forensics? - PacSec 2009

  • 1. Stealthy Rootkit How bad guy fools live memory forensics? Tsukasa Ooi <li@livegrid.org> Livegrid Incorporated, Lead Analyst
  • 2. Related Topics • Live Memory Forensics • Anti-forensics • Rootkits
  • 3. What is “Live Memory Forensics?” • Forensics based on memory contents of running machine – Finding “Evidence” – Searching malware • Normally, we use physical memory dump acquired by dedicated tools – Contents of physical memory
  • 4. Live Memory Forensics Process 1. Acquire Physical Memory with Dedicated Tool a. Map physical memory range b. Copy memory mapped contents c. Save contents 2. Put memory dump into Forensic Software 3. Analyze with Forensic Software a. Recover System contents from dump b. Analyze recovered system
  • 5. What is “Anti-forensics?” (1) • Way to prevent/fake forensics • Not only Attackers! – “Bad guy” who wants to get rid of investigation CAN INSTALL rootkit on his OWN machine to fool investigator.
  • 6. What is “Anti-forensics?” (2) • EXISTING “Anti-Forensic Way” can have Great Meaning… – Reliability of Forensics is lowered… – No longer needed to “hack” – Can lose in court even if you have “evidence” • Reliability of Forensics is Very Important
  • 7. Live Memory Forensics Process 1. Acquire Physical Memory with Dedicated Tool a. Map physical memory range b. Copy memory mapped this! We want to exploit contents c. Save contents 2. Put memory dump into Forensic Software 3. Analyze with Forensic Software a. Recover System contents from dump b. Analyze recovered system
  • 9. Like “Mythbusters”… • EnCase • WinEN • FastDump • dd, Forensic Acquisition Tools, win32dd, Memory DD… • Windows Hibernation (hiberfil.sys) • Microsoft Windows Crashdump (*.dmp)
  • 10. Fact (1): INVISIBLE FROM ALMOST ALL FORENSIC SOFTWARE
  • 11. Why rootkit hidden from these? • Subverting Page Table(s) – Shadow Paging • Weakness of current (dedicated) forensic tools
  • 12. What is Page Table? (1) • A Mechanism to separate Physical memory layout and Logical structure • Table to translate Linear Address (that CPU use) to the physical one • Manage Logical memory space with divided chunk (called “page”), normally 4KiB block
  • 13. What is Page Table? (2) Chunk A Page Table Chunk B Physical Memory Logical Space
  • 14. What is Page Table? (3) Linear Physical 0x12345000 0x14fab000 0x12346000 0x0c812000 0x12347000 (Not Present) 0x12348000 0x215d9000 0x12349000 0x4991f000 Linear Address Physical Address 0x12346804 0x0c812804
  • 15. What is Page Table? (4) Linear Physical 0x12345000 0x14fab000 0x12346000 0x0c812000 0x12347000 (Not Present) 0x12348000 0x215d9000 0x12349000 0x4991f000 Linear Address 0x12347804 Page Fault occur!
  • 16. What is Page Table? (5) • Page Fault (exception) – Occur when… • There is no Physical Address present associated to Linear address • Access Violating Page’s access control – Page Fault Handler specified by IDT (Interrupt Descriptor Table) handles this exception • Access Control of Page – Physical Address of Page is Present (P bit) – Is Page Writable (R/W bit) – Is Page access Prohibited by application (U/S bit) – Is Page execution Prohibited (NX bit)
  • 17. What is Page Table? (6) • System Registers related to Page Table – CR3 Specify Physical Address of Page Table – CR2 When Page Fault occur, Linear Address that caused Page Fault is stored
  • 18. What is Page Table? (7) • Page Table is very important structure to manage memory! • Also Useful for rootkits…
  • 19. Way to do this: TAKE CONTROL OF PAGE TABLE
  • 20. Shadow Paging (1) • Originally, This is one of the way to virtualize memory of guest OS • Make a copy of Page Table and Reflect one Shadow Page Table change from original Page Table’s one • Normally, Shadow Paging cannot be implemented without CPU support of virtualization (such as Intel VT-x, AMD-V…)
  • 21. “NORMAL” Shadow Paging (1) • Write-protect Page Table of guest OS • Detect Page Table write of guest OS by Page Fault and do correspond changes to “SHADOW” Page Table Linear Physical Linear Physical (Virtualized) Physical (Real) 0x12345000 0x14fab000 0x12345000 0x14fab000 0x24f03000 0x12346000 0x0c812000 0x12346000 0x0c812000 0x12580000 0x12347000 0x44ab1000 → 0x31442000 0x12347000 0x44ab1000 → 0x31442000 0x1dabc000 → 0x4d3f2000 0x12348000 0x215d9000 0x12348000 0x215d9000 0x379df000 0x12349000 0x4991f000 0x12349000 0x4991f000 0x0732f000 (Virtualized) Page Table Shadow (Real) Page Table
  • 22. “NORMAL” Shadow Paging (2) • Normally, two Page Table Entries points same data are “SAME” Data Page Table Shadow Page Table
  • 23. Shadow Paging (2) • Despite of this, Shadow Paging can be implemented if some conditions are fulfilled – CR0.WP bit is always set – All Changes of CR3 registers are done by known point of operating system – Page Table Handler is hooked – (Other conditions are abridged) • In normal condition, most of operating system fulfills these conditions (Windows, Linux…)
  • 24. Taking control of Page Table! 1. Set own (rootkit’s) Page Fault Handler 2. Make copy of Page Table (for rootkit) and Do Shadow Paging 3. Impersonate (or camouflage) address range of re-mapped memory
  • 25. “NORMAL” Shadow Paging (2) • Normally, two Page Table Entries points same data are “SAME” Data Page Table Shadow Page Table
  • 26. “MALICIOUS” Shadow Paging (1) • In “Malicious” Shadow Paging, modify mapping of certain (malicious) memory ranges Malicious Data Page Table Shadow Page Table Patch! Normal Data
  • 27. “MALICIOUS” Shadow Paging (2) • Watch Page Table write • If Page Table is written, check if… – Physical Address is malicious (modified) data/code – Corresponding Linear Address is NOT a address where should be • If these two conditions are fulfilled, rootkit alter this Page Table Entry mapping
  • 28. “MALICIOUS” Shadow Paging (3) Address A Malicious Data Address A the address where should be (e.g. in the kernel) Normal Data
  • 29. “MALICIOUS” Shadow Paging (3) Address A Malicious Data Address A the address where should be (e.g. in the kernel) Address B Address B the address Forensic Software expects this behavior forensic software remaps Normal Data
  • 30. “MALICIOUS” Shadow Paging (3) Address A Malicious Data Address A the address where should be (e.g. in the kernel) Address B Address B the address This remapping is forensic software redirected! remaps Normal Data
  • 31. “MALICIOUS” Shadow Paging (4) • These remapping like previous example is WHAT FORENSIC SOFTWARE DOES – When making Hibernation File and Crashdump File, Same remapping will occur • As a result, this rootkit is invisible from almost all forensic software and Windows-made memory dump • Rootkit can fake “nearly everything”
  • 32. Weakness of Forensic Software (1) • Doing physical memory acquisition UNDER THE CONTEXT THAT ROOTKIT CAN EXIST – Page Fault can happen on mapping – Trusting operating system features (that may be tainted) • Not only this…
  • 33. Weakness of Forensic Software (2) • Many software still use ¥Device¥PhysicalMemory! – Anti-forensic implementation is announced 3 years ago! (DDefy : http://www.slideshare.net/amiable_indian/antiforensic-rootkits) – Many forensic software (such as EnCase, FastDump) uses this device to acquire physical memory • This device can be “single-point-of-failure” – Many forensic software (not much as Shadow Paging based rootkit) can be faked if we just hook this device
  • 34. Fact (2): DON’T USE FORENSICS FOR ROOTKIT DETECTION
  • 35. Way to Workaround (1) • To detect rootkit, use local detection software (such as GMER, Rootkit Unhooker…) – Actually, this rootkit is not so difficult to detect locally. – Using these software, we can detect changes done by rootkit • Don’t trust forensic input when rootkit infection is possible
  • 36. Way to Workaround (2) • But this is only symptomatic way – Forensic input is a “dump” if machine is tainted by rootkit • Can we improve implementation of forensic software? …YES
  • 39. Previous Slide : Shadow Paging (2) • Despite of this, Shadow Paging can be implemented if some conditions are fulfilled – CR0.WP bit is always set – All Changes of CR3 registers are done by known point of operating system – Page Table Handler is hooked – (Other conditions are abridged) • In normal condition, most of operating system fulfills these conditions (Windows, Linux…)
  • 40. Way to Acquire correct memory contents (1) • Destroy Context of Shadow Paging – Reset CR0.WP bit – Change CR3 register to own Page Table (CR3 is pointer to Page Table) – Set own Page Fault Handler • These are easy to implement and effective
  • 41. Way to Acquire correct memory contents (2) CR3 Shadow Page Table Page Table
  • 42. Way to Acquire correct memory contents (2) CR3 Shadow Own Page Table Page Table Page Table
  • 43. Way to Acquire correct memory content (3) • To hook all interrupts (including exceptions), modify interrupt vector by LIDT instruction • Make own Page Table (for acquisition) • Set CR3 to own Page Table and acquire physical memory • They are still problems, but we can acquire correct contents of memory
  • 44. Problems left [But no need to deal with] (1) • In rootkit context, there are no way to get correct Physical Address associated to Linear Address – In other words, there are no way to validate if own Page Table points valid memory range – rootkit still can prevent acquisition of memory • For instance, rootkit can force reset computer if forensic software tries to acquire memory
  • 45. Problems left [But no need to deal with] (2) • Even though, faking physical memory content without any doubt is nearly impossible – rootkit actually can reset computer but… it makes user doubt! – some driver compatibility is lost
  • 46. Also problems for these rootkits CONSIDERATIONS OF THESE ROOTKITS
  • 47. Considerations (1) • Proof-of-Concept was built for x86+Windows, but this anti-forensic technique is cross-platform. – Another operating systems running on x86 • Linux, Mac OS X… – x86_64 architecture – Other CPUs supporting paging
  • 48. Considerations (2) • This rootkit cannot detected from Hibernation File – In other words, rootkit is (temporally) removed if you hibernate the computer. – Reinfection code is needed to prevent that behavior, but it also raises possibilities of detection
  • 49. Considerations (3) • Implementation for SMP is very, very difficult – State of Page Table can be “unstable” therefore many code is needed to handle these state • No SMP implementation in public proof-of-concept source code
  • 50. Considerations (4) • Forensic input unaffected: – Improved Forensic Implementation – State File of Virtual Machines • vmem file in VMware – Acquisition using Hardware • 1394memimage (FireWire / IEEE1394)
  • 51. About all of this: CONCLUSION
  • 52. Conclusion • Current live memory forensics is “a broken concept” • If you want to detect rootkits, use local rootkit detection software (GMER, Rootkit Unhooker…) even you use live memory forensics • There are ways to counter with rootkits • It is not time sensitive, but future forensic implementation must be updated
  • 53. Have any questions? THANK YOU. Tsukasa Ooi <li@livegrid.org> Livegrid Incorporated, Lead Analyst
  • 54. Technical Articles and Sources • … will be available November, 2009 • at http://a4lg.com/