csw2016 macaulay eh_trace-rop_hooks

Post on 15-Apr-2017


TRANSCRIPT

RoP Hooks
Shane.Macaulay@IOACTIVE.com

Introduction
• K2 / ktwo@ktwo.ca
• Shane.Macaulay@ioactive.com

Intro/Outline
• Hooking/Tracing
• What is a binary doing?
• Can we modify/detour?
• Frustrations/Hurdles
• Friendly inputs
• Symbol support

TOOLS/Open/Github/CODE
• Github.com/K2
• inVtero.net
• Evolution from CSW14 (process detection)
• Cross platform (Windows, *BSD, Linux) memory analysis
• Cross micro-architecture (Sandy Bridge, Skylake, …)
• Cross hypervisor (based on auto-magic VMCS/EPTP extraction)
• Includes nested support
• EhTrace (pronounced "A Trace")
• What we're going to cover this time @ CSW! :)
• Let me know if I missed any code in the check-in!!

EhTrace
• About time for a trace, eh?
• Uses VEH under the covers
• Need to be a little careful
• Don't want to alter or change behavior of what we're looking at

Hooking execution
• Detours
• Requires an instruction length decoder
• Rewrites function prolog into a specialized function which performs logging, analysis etc…
• Usually static, can be dynamic/jitter
• May jmp to a leaf-like detour which can work without knowing the function prototype/stack requirements
• Most of the time you will need symbols or really good logic in the hooker to not break execution

What's the problem again?
• Debuggers are slow
• Second process context switching is fairly expensive
• Logic for conditional breakpoints is exponentially more expensive
• Checksums
• Malicious binaries often checksum their code to validate they are not being analyzed
• Highly secure environments may checksum their binaries to make sure they are not tampered with

Ret2code
• Original libc work, Solar Designer
• http://seclists.org/bugtraq/1997/Aug/63
• Handy since most overflows contain a pointer to useful addresses
• Your input
• System libraries
• Still used to this day (RoP)

Stack Hooking
• Attempted to use as alternative to what we wound up using
• From a second "manager" thread
• Load from a RoP chain pool (memory area with RoP gadgets)
• Borrow memory from the executing stack from above the stack top
• Usually some spare memory there
• Not very great
• Only post-condition hooking
• Have to find a way to get notification on new calls
• Do some sort of shadow stack/memory protection trickery
• Tends to be fairly fragile

[Diagram slides: stack hooking, labelled RET / RET]

EhTrace – how it works
• Remarkably easy to trigger branch stepping of a binary
• In the VEH handler set 3 bits and return.
• THAT'S IT
• TRAP FLAG
• OTHER FLAGS :D

    #include <windows.h>

    LONG WINAPI vEhTracer(PEXCEPTION_POINTERS ExceptionInfo)
    {
        // single step
        ExceptionInfo->ContextRecord->EFlags |= 0x100;
        // setup branch tracing
        ExceptionInfo->ContextRecord->Dr7 |= 0x300;
        // resume the thread with the modified context
        return EXCEPTION_CONTINUE_EXECUTION;
    }

EhTrace – RoP Hooks
• Register a VEH handler: CreateRemoteThread(… &VeH_RoP, …);
• VeH_RoP – use a RoP gadget finder (there are many)
• Handler only needs to set the 3 bits then exit with continue status
• Using the exception dispatcher we're able to now get the preconditions we missed with the stack/shadow model
• Debugger functionality w/o a debugger
• i.e. passes all checks from https://github.com/Trietptm-on-Security/DebugDetector
• May introduce a plugin to allow windbg to use our engine as a side-loaded in-proc debugger
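The deck's handler written out as a stand-alone added example (not EhTrace's code): on STATUS_SINGLE_STEP it records the minimal state the deck lists (RIP, LAST_RIP, FLAGS, ESP), sets TF plus the Dr7 bits, and returns continue status; other exception codes are passed on, and a disarm flag clears the bits again so the traced thread runs free. Assumed: an x64 CONTEXT, RaiseException(STATUS_SINGLE_STEP) as the kick-off in place of the remote-thread injection the deck uses, and stand-in types so the handler logic also compiles off Windows.

```c
#include <stdint.h>
#include <stdio.h>
#ifdef _WIN32
#include <windows.h>
#else /* stand-ins so the handler compiles and can be exercised off Windows */
/* (assumption: only the Win64 CONTEXT fields touched below are modelled) */
typedef long LONG; typedef unsigned long DWORD;
#define WINAPI
#define STATUS_SINGLE_STEP 0x80000004L
#define CONTEXT_DEBUG_REGISTERS 0x10u
#define EXCEPTION_CONTINUE_EXECUTION (-1)
#define EXCEPTION_CONTINUE_SEARCH 0
typedef struct { DWORD ExceptionCode; } EXCEPTION_RECORD;
typedef struct { DWORD ContextFlags; uint64_t Dr7, Rsp, Rip; DWORD EFlags; } CONTEXT;
typedef struct { EXCEPTION_RECORD *ExceptionRecord; CONTEXT *ContextRecord; } EXCEPTION_POINTERS, *PEXCEPTION_POINTERS;
#endif
#define TRAP_FLAG       0x100u    /* EFlags.TF: trap after the next instruction */
#define DR7_BRANCH_BITS 0x300ull  /* the extra Dr7 bits the deck ORs in for branch stepping */
typedef struct { uint64_t rip, last_rip, rsp; uint32_t flags; } step_t; /* deck's minimal state (TID omitted: one thread) */
#define MAX_STEPS 4096
static step_t g_trace[MAX_STEPS]; static volatile unsigned g_count;
static volatile int g_armed;                      /* 0 = drop the bits and stop tracing */

LONG WINAPI VehBranchStep(PEXCEPTION_POINTERS ei) {
    CONTEXT *c = ei->ContextRecord;
    if (ei->ExceptionRecord->ExceptionCode != STATUS_SINGLE_STEP) return EXCEPTION_CONTINUE_SEARCH; /* not ours */
    c->ContextFlags |= CONTEXT_DEBUG_REGISTERS;   /* ask NtContinue to apply the Dr7 change as well */
    if (!g_armed) {                               /* switched off: clear the bits and run free */
        c->EFlags &= ~TRAP_FLAG; c->Dr7 &= ~DR7_BRANCH_BITS;
        return EXCEPTION_CONTINUE_EXECUTION;
    }
    if (g_count < MAX_STEPS) {                    /* record this step before re-arming */
        step_t *s = &g_trace[g_count];
        s->rip = c->Rip; s->last_rip = g_count ? g_trace[g_count - 1].rip : 0;
        s->rsp = c->Rsp; s->flags = c->EFlags; g_count++;
    }
    c->EFlags |= TRAP_FLAG;                       /* the "3 bits": TF plus the Dr7 pair */
    c->Dr7 |= DR7_BRANCH_BITS;
    return EXCEPTION_CONTINUE_EXECUTION;          /* resume at the same RIP, now traced */
}
unsigned trace_count(void) { return g_count; }
#ifdef _WIN32
int main(void) { volatile unsigned sink = 0;      /* self-trace a small loop, then disarm */
    AddVectoredExceptionHandler(1, VehBranchStep);
    g_armed = 1; RaiseException(STATUS_SINGLE_STEP, 0, 0, NULL); /* software trap arms TF/Dr7 */
    for (unsigned i = 0; i < 50; i++) sink += i;
    g_armed = 0;                                  /* the next trap clears the bits */
    printf("recorded %u branch steps\n", trace_count()); return 0;
}
#endif
```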

What else is it good for?
• Branch stepping is pretty sweet!
• A lot more than detours on functions
• Basic block analysis
• Code coverage
• Can we put this into a DBI (Dynamic Binary Instrumentation) framework?
• Do we need to emulate? Isn't that slow?
• If we're dealing with a malicious binary we have several things to consider.
• Of course we need to also watch out for an otherwise non-malicious binary doing something that might disrupt our trace

Maintaining control
• Maybe use page protection to force an exception on execution (don't want to place an int3 obviously)
• When page is attempted to be executed we check to see what emulation is needed
• If somebody tries to take over VEH
• What about intra-block stuff?
• Can't they just write over our VEH handler in memory?
• Sure, maybe register 2! Also set up the VEH continue handler

Block fighting with a hooker
• Block Fighter has to be smart, fast and in total control!
• Much like a Street Fighter II champ!

Block Fighting
• Simplified analysis
• Using capstone we & the branch step
• At the point of any jmp/ret/call control transfer we can stop our fight until the next round
• Round 2 FIGHT!
• Actually we're so good we always "give second round"!
• That means really that if there's a conditional we need to follow through a conditional
• Jne – we follow the non-jump to ensure we complete the context until a ret/jmp/call

Block Fighting
• Watch the eflags & DR, any manipulation will cause problems for us
• DEBUG_MSR?
• Lots of things probably
• Overall however we have a platform to build primitives on that can eventually do battle in a structured way
• Maybe combine block fighter with stack injection to ensure we have additional post-condition checks on our flag/branch-step/veh state

Coverage
• Can you hear me now?
• Flame graph
• Current minimal state includes RIP, LAST_RIP, TID, FLAGS and ESP
• This is sufficient to build any code graph! Intra-procedural, call graph or full trace
• FLAMING Block Fighter!
• http://www.brendangregg.com/FlameGraphs

CPU FLAME GRAPH
• CLICK HERE
• Orig from here -> http://www.brendangregg.com/FlameGraphs/cpu-bash-flamegraph.svg (PowerPoint doesn't do SVG'z)

We have all the data required for generating these, however it's a TODO
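An added example (not the deck's code) of what the Coverage slide claims: starting from a constructed trace of branch-step records in the deck's minimal shape, it collapses the LAST_RIP -> RIP pairs into an edge graph with hit counts and counts the distinct block entries reached. The DOT output is an assumed format for a graph backend, not anything the deck specifies.

```c
#include <stdint.h>
#include <stdio.h>
/* One branch-step record in the shape the deck lists (RIP, LAST_RIP, TID, FLAGS, ESP). With branch
   stepping, RIP is a taken-branch target, i.e. a basic-block entry, and LAST_RIP the previous one. */
typedef struct { uint64_t rip, last_rip; uint32_t tid, flags; uint64_t rsp; } step_t;
typedef struct { uint64_t from, to; unsigned hits; } edge_t;
/* Constructed sample trace: entry block, a loop body entered once and taken back twice, then exit. */
static const step_t sample[] = {
    { 0x401000, 0,        1, 0x246, 0x7ff0 },
    { 0x401010, 0x401000, 1, 0x246, 0x7ff0 },
    { 0x401010, 0x401010, 1, 0x247, 0x7ff0 },
    { 0x401010, 0x401010, 1, 0x247, 0x7ff0 },
    { 0x401030, 0x401010, 1, 0x246, 0x7ff0 },
};
#define SAMPLE_LEN (sizeof sample / sizeof sample[0])
/* Collapse a trace into its executed (LAST_RIP -> RIP) edge set with hit counts: the intra-procedural
   graph the deck says the minimal state is sufficient for. Returns the number of distinct edges. */
size_t build_edges(const step_t *steps, size_t n, edge_t *out, size_t cap) {
    size_t count = 0;
    for (size_t i = 0; i < n; i++) {
        if (steps[i].last_rip == 0) continue;          /* first record has no predecessor */
        size_t j = 0;
        while (j < count && !(out[j].from == steps[i].last_rip && out[j].to == steps[i].rip)) j++;
        if (j < count) out[j].hits++;                  /* seen before: a loop or re-entered path */
        else if (count < cap) { out[count].from = steps[i].last_rip; out[count].to = steps[i].rip; out[count].hits = 1; count++; }
    }
    return count;
}
/* Coverage: number of distinct block entries reached. */
size_t count_blocks(const step_t *steps, size_t n) {
    size_t distinct = 0;
    for (size_t i = 0; i < n; i++) {
        size_t j = 0;
        while (j < i && steps[j].rip != steps[i].rip) j++;
        if (j == i) distinct++;                        /* first occurrence of this entry */
    }
    return distinct;
}
/* Emit the edges as Graphviz DOT (assumed consumer); edges with hits > 1 are the loops. */
void emit_dot(const edge_t *e, size_t n, FILE *f) {
    fprintf(f, "digraph trace {\n");
    for (size_t i = 0; i < n; i++)
        fprintf(f, "  \"%llx\" -> \"%llx\" [label=\"%u\"];\n", (unsigned long long)e[i].from, (unsigned long long)e[i].to, e[i].hits);
    fprintf(f, "}\n");
}
int main(void) {
    edge_t edges[64]; size_t n = build_edges(sample, SAMPLE_LEN, edges, 64);
    printf("%zu blocks, %zu edges\n", count_blocks(sample, SAMPLE_LEN), n);
    emit_dot(edges, n, stdout);
    return 0;
}
```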

Upcoming stuff…
• MSAGL graph maps – fun/interactive mesh graph, sort of looks like an expandable spider web!
• SVG builder (without the .pl scripts from Brendan)
• Tighter Symbols (graphs and images not as fun without English, eh?)
• Strace/ltrace/*trace for Windows (auto inject & log to console)

Upcoming stuff: Block fighters
• A Flag fighter
• Rflags checks
• A Page Fighter
• Page protection monitor
• E.g. protect the entry point CreateRemoteThread calls before it calls the specified &func argument, to detect remote threads before the DLL thread notification runs
• Use tricks like this to ensure you're not being tricked yourself
• Emu Fighter
• Emulate an operation that would otherwise detect us

Private implementations differ!
• Your fighters will be various
• i.e. if you're not using any system/runtime API you don't need to worry about locking as much (obviously)

Notepad.exe Basic Blocks execution (screenshot)

With disassembly (screenshot)

Flame Graph – no symbols yet (screenshot)

Questions?
• Feedback, bugs & feature requests please
• https://github.com/K2
• Keep watching for updates

Thank you
