TRANSCRIPT
Anti-Forensic Resilient Memory Acquisition
Johannes Stüttgen+ and Michael Cohen*
+Department of Computer Science, University Erlangen-Nuremberg, Germany
*Google Inc., Zurich, Switzerland
07.08.2013
Johannes Stüttgen Anti-Forensic Resilient Memory Acquisition 1 / 16
Motivation
- Physical memory analysis increasingly common in IR scenarios
- Memory images are often acquired by software
- This has raised the attention of malware authors
- We analyse the attack surface of current acquisition tools and propose an anti-forensic resilient approach for memory acquisition

Scenario
- Live analysis
- Compromised machine
- No physical access

Software Acquisition
- No access to hardware virtualization support
- Ability to load driver/kernel module
Accessing the Physical Address Space
[Diagram: the virtual (linear) address space is translated by the MMU (CR3 + page table entries) onto physical memory. The physical address space holds OS memory, reserved regions, PCI resources and device DMA buffers. The BIOS layout as reported by Int 15h, AX=E820 marks OS memory and reserved regions; reserved regions are potentially hidden from the acquisition tool.]
The Anti-Forensics Problem
[Slide shows the title pages of two earlier talks:]
- "Defeating Windows memory forensics", Luka Milković (INFIGO IS, http://www.infigo.hr), 29c3, December 28, 2012
- "Low Down and Dirty: Anti-forensic Rootkits", presented by Darren Bilby, Ruxcon 2006 (Copyright Security-Assessment.com 2006)
The Live Analysis Dilemma
Inherent Problems of Live Forensics
- We work on a potentially compromised machine
- Using a potentially subverted operating system
- With the same privileges as an intruder
- Who was there first

Conclusions
- Perform only the most essential steps of analysis on the system
- Using as few APIs as possible
- On the highest possible privilege level
- And still be aware our results might be wrong
Experiment with Current Tools
- Take a "modern" system (Win 7 x64 SP1)
- Manipulate a number of commonly used APIs and structures for:
  - Memory enumeration (GetPhysicalMemoryRanges)
  - Memory mapping (MapMemoryDumpMdl)
  - Location of kernel symbols (KDBG)
- Evaluate the performance of "current" memory acquisition tools

Tool                 Version  Format  KDBG  GetPhysicalMemoryRanges  MapMemoryDumpMdl
Memoryze             2.0      raw
FTK Imager           3.1.2    raw
Win64dd              1.4.0    raw
Win64dd              1.4.0    dmp
DumpIt               1.4.0    raw
WinPmem              1.3.1    raw
WinPmem              1.3.1    dmp
WindowsMemoryReader  1.0      raw
WindowsMemoryReader  1.0      dmp
(The pass/fail marks in the three result columns are not preserved in this transcript.)
The Cause of these Problems
Trust compromised kernel
- To report the precise memory geometry
- To map memory correctly

Platform independent problem
- Windows: MmGetPhysicalMemoryRanges() / SMBIOS; MapViewOfSection() / MmMapIoSpace() / MmMapMemoryDumpMdl()
- Mac OS X: PE_state.bootArgs PhysicalMemoryDescriptor
- Linux: iomem_resource; kmap()
Possible Solution
Memory Enumeration
- Do not trust the information provided by BIOS/EFI/Kernel
- Find out where exactly MMIO is located
- Acquire everything except MMIO regions

Memory Mapping
- We don't need the kernel for that
- Any driver running in ring 0 has access to the page tables
- Edit the page tables ourselves to map physical memory
- Do so in a stealthy manner to make detection hard
Memory Enumeration
- MMIO is managed by the northbridge
- Most devices are attached to the PCI(e) bus
- Using port I/O, we can query all PCI devices and bridges and retrieve the base address register (BAR) and buffer size

Feasibility
- This is exactly what lspci does
- It does so even from userspace: lspci -H1 -v
Direct PTE Remapping I
[Diagram: 4-level page walk. The virtual address is split into PML4 offset, PDPT offset, PDT offset, PT offset and frame offset. CR3 points to the Page Map Level 4; its PML4E selects a Page Directory Pointer Table, whose PDPTE selects a Page Directory, whose PDE selects a Page Table, whose PTE names the physical frame. The rogue page in the virtual address space maps to the rogue frame in the physical address space.]
- Allocate one non-paged page of memory
- Locate its page table entry (PTE)
Direct PTE Remapping II
[Diagram: the same page walk; the rogue page's PTE is redirected from the rogue frame to an arbitrary frame in the physical address space, and the TLB is flushed.]
- Overwrite the physical offset in the PTE
- Flush the PTE from the TLB
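The direct PTE remapping of slides 10 and 11, as an added example that is not part of the talk or of pmem. The physical memory, the page tables, the single-entry TLB and ROGUE_VA are constructed stand-ins so the walk, the PTE rewrite and the effect of skipping the TLB flush can be exercised in user space; a real driver does the same walk from CR3 using the kernel's mapping of the table frames, and flushes with invlpg. The frame layout (tables in frames 0-3, rogue page in frame 4, data in 5-15) is an assumption of this example.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define PAGE     4096
#define NFRAMES  16
#define PFN_MASK 0x000FFFFFFFFFF000ull   /* address bits 12..51 of a paging entry */
#define PTE_P    0x1ull
#define PTE_RW   0x2ull
#define ROGUE_VA 0xFFFFF80012345000ull    /* assumed virtual address of the rogue page */

/* Constructed physical memory: frames 0..3 hold PML4/PDPT/PD/PT, frame 4 backs the
 * rogue page, frames 5..15 are the data to be acquired (filled with their frame number). */
static uint64_t phys[NFRAMES][PAGE / 8];
static uint64_t cr3;
uint8_t acq_buf[PAGE];

static void *pa_to_host(uint64_t pa) { return (uint8_t *)phys + pa; }

/* Single-entry TLB stand-in: translations are cached, so a rewritten PTE stays
 * invisible until the stale entry is flushed (invlpg on x86). */
static struct { bool valid; uint64_t va_page, pa_page; } tlb;
static void invlpg(uint64_t va) { if (tlb.va_page == (va & ~0xFFFull)) tlb.valid = false; }

/* Minimal tables mapping only ROGUE_VA -> frame 4 (the "allocate one non-paged page" step). */
int setup_tables(void)
{
    memset(phys, 0, sizeof phys);
    for (int f = 5; f < NFRAMES; f++) memset(phys[f], f, PAGE);
    cr3 = 0 * PAGE;
    phys[0][(ROGUE_VA >> 39) & 0x1FF] = 1 * PAGE | PTE_P | PTE_RW;   /* PML4E -> PDPT */
    phys[1][(ROGUE_VA >> 30) & 0x1FF] = 2 * PAGE | PTE_P | PTE_RW;   /* PDPTE -> PD   */
    phys[2][(ROGUE_VA >> 21) & 0x1FF] = 3 * PAGE | PTE_P | PTE_RW;   /* PDE   -> PT   */
    phys[3][(ROGUE_VA >> 12) & 0x1FF] = 4 * PAGE | PTE_P | PTE_RW;   /* PTE   -> rogue frame */
    tlb.valid = false;
    return NFRAMES - 5;                               /* number of data frames */
}

/* The walk a driver does to find the PTE of its own page. Large pages (PS bit in the
 * PDPTE/PDE) are not handled: the rogue page is a 4 KiB allocation so a leaf PTE exists. */
static uint64_t *locate_pte(uint64_t va)
{
    uint64_t *pml4 = pa_to_host(cr3), e = pml4[(va >> 39) & 0x1FF];
    if (!(e & PTE_P)) return NULL;
    uint64_t *pdpt = pa_to_host(e & PFN_MASK); e = pdpt[(va >> 30) & 0x1FF];
    if (!(e & PTE_P)) return NULL;
    uint64_t *pd = pa_to_host(e & PFN_MASK);   e = pd[(va >> 21) & 0x1FF];
    if (!(e & PTE_P)) return NULL;
    uint64_t *pt = pa_to_host(e & PFN_MASK);
    return &pt[(va >> 12) & 0x1FF];
}

/* MMU stand-in: what a read through the rogue virtual address actually hits. */
static const uint8_t *virt_to_host(uint64_t va)
{
    uint64_t page = va & ~0xFFFull;
    if (!tlb.valid || tlb.va_page != page) {
        uint64_t *pte = locate_pte(va);
        if (!pte || !(*pte & PTE_P)) return NULL;
        tlb.valid = true; tlb.va_page = page; tlb.pa_page = *pte & PFN_MASK;
    }
    return pa_to_host(tlb.pa_page | (va & 0xFFF));
}

/* Point the rogue PTE at an arbitrary frame, keeping its flag bits; optionally flush. */
bool remap_rogue(uint64_t target_pa, bool flush)
{
    uint64_t *pte = locate_pte(ROGUE_VA);
    if (!pte) return false;
    *pte = (*pte & ~PFN_MASK) | (target_pa & PFN_MASK);
    if (flush) invlpg(ROGUE_VA);
    return true;
}

/* Acquire one physical page through the rogue mapping; returns its first byte or -1. */
int acquire_page(uint64_t pa, uint8_t *dst, bool flush)
{
    if (!remap_rogue(pa, flush)) return -1;
    const uint8_t *src = virt_to_host(ROGUE_VA);
    if (!src) return -1;
    memcpy(dst, src, PAGE);
    return dst[0];
}

int main(void)
{
    setup_tables();
    for (uint64_t pa = 5 * PAGE; pa < NFRAMES * PAGE; pa += PAGE)
        printf("frame %2llu -> first byte %d\n", (unsigned long long)(pa / PAGE), acquire_page(pa, acq_buf, true));
    return 0;
}
```

Acquiring frame 7 with flush=false right after frame 6 still returns frame 6's bytes, because the cached translation is used; with the flush the read hits frame 7. Only the PFN bits are rewritten, so the present/writable/cache-attribute bits of the original non-paged allocation stay as the kernel set them.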
Stability
Concerns
- Software is not supposed to map a physical page simultaneously with different cache attributes
- The operating system might use our PTE and crash
- There are more than just PCI devices connected to the memory bus (RTC, HPET, APIC, ...)

Experiences
- Since we only read from the rogue mapping, caching shouldn't be a problem
- Using non-paged memory prevented the operating system from touching the rogue PTE in our tests
- For all standard devices present in our test system, reading was not a problem
Limitations
Memory Enumeration
- A debug register hook can detect port I/O
- With the general detect bit on, this is virtually undetectable
- A rootkit could simulate a PCI device and mark its memory as device memory
- Of course this could also point an investigator directly to its code...

Memory Mapping
- A page-fault handler hook together with marking the page tables read-only can detect direct modifications of the rogue PTE
- A solution to this could be creating and using our own page tables during the acquisition step
Conclusions
- Software acquisition can always be subverted on the same privilege level
- Currently it's shockingly simple; we should make this harder to do

Code Release
- Initial release for Windows
- Grab it at: http://goo.gl/9VnnkY
- Slides at http://goo.gl/ALFfT4
- Our code works on any x86 CPU, regardless of the OS
- Successful tests on OS X and Linux; expect a cross-platform release at https://code.google.com/p/pmem
Tool Testing
- It is very important to test our tools to find such weaknesses
- Especially in the context of an active adversary
- We are not trying to criticise any specific tool
- The problem is a general one in any tool relying on kernel APIs

Moonsols
- We would like to thank Mathieu Suiche for openly sharing his tools with us for testing
- He set a great example in a community where many others try to keep their methods secret
EOF
Questions?