hypervisor memory forensics · 2013-10-22 · hypervisor memory forensics mariano graziano and...
Hypervisor Memory Forensics
Mariano Graziano and Davide Balzarotti
SANS DFIR EU SUMMIT
October 2013 - Prague
S3 GROUP – EURECOM http://s3.eurecom.fr
HYPERVISOR MEMORY FORENSICS
S3 GROUP
Actaeon
• Memory forensics of virtualization environments
• Locate any Intel hardware-assisted hypervisor
• Detect nested virtualization
• Transparent guest introspection
Actaeon [Use Cases]
• Hypervisors are everywhere:
– Xen, KVM, VirtualBox, VMware, Hyper-V, bhyve
– Cloud (Amazon, Microsoft, Google, Apple)
– Domestic use (running multiple operating systems)
– Security solutions (sandboxes, DeepDefender, Bromium, etc.)
– POC malware (BluePill, Vitriol)
• The forensics community needs tools for digital investigations of virtual environments
What Actaeon is NOT
• A real-time hypervisor detector
• A physical memory dumper
• A hypervisor-based malware detector
Actaeon framework
• VMCS memory layout dumper
• Hyperls
• Volatility patch for guest introspection
VMCS Dumper [Theory]
• Intel provides processor-level support for hardware-assisted virtualization
• There are two main VMX operating modes: root and non-root
*From the Intel Manual
VMCS Dumper [VMCS]
• Virtual Machine Control Structure
• The VMCS controls both VMX non-root operation and VMX transitions
• The memory layout of the VMCS data is implementation specific (it is not architecturally defined)
• Every field is associated with a 32-bit value (its encoding), which the VMREAD/VMWRITE instructions use to address it
• The VMCS data is divided into six groups
VMCS Dumper [Reversing]
• Custom hypervisor initialization code (based on HyperDbg):
– Allocate the VMCS memory region
– Fill the region with a 16-bit incremental counter
– Perform VMREAD operations on each field encoding: the counter value returned reveals the field's offset inside the region
– The same approach is valid for nested VMCS structures
VMCS Dumper [Demo]
DEMO
Hyperls [Scanning]
• A memory scanner that looks for VMCS structures
• We use selected VMCS fields:
– REVISION_ID
– VMX_ABORT_INDICATOR
– VMCS_LINK_POINTER
– HOST_CR4
• These fields cannot be obfuscated: the processor relies on their real values during VMX operation
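As an added illustration (not the Hyperls code itself), a page-aligned scan that applies these four checks to a raw dump. The revision id and the per-layout offsets of VMCS_LINK_POINTER and HOST_CR4 are hypothetical stand-ins for the values the VMCS dumper recovers on a given CPU model, and the dump is constructed.

```python
import struct

PAGE = 0x1000
CR4_VMXE = 1 << 13                    # CR4.VMXE must be set on the host while in VMX operation
NO_SHADOW_LINK = 0xFFFFFFFFFFFFFFFF   # VMCS link pointer value when VMCS shadowing is not in use

# Hypothetical per-CPU layouts as the VMCS dumper would recover them: revision id -> field offsets.
# Both the revision id and the offsets are constructed for this example.
LAYOUTS = {
    0x0000000D: {"VMCS_LINK_POINTER": 0x2C0, "HOST_CR4": 0x6A0},
}

def is_vmcs_candidate(page, layouts=LAYOUTS):
    """Apply the four Hyperls checks to one 4 KiB page; return the matching layout or None."""
    revision_id, abort_indicator = struct.unpack_from("<II", page, 0)   # bytes 0-3 and 4-7 are architectural
    layout = layouts.get(revision_id)
    if layout is None or abort_indicator != 0:        # unknown CPU revision, or a VMX abort has occurred
        return None
    link = struct.unpack_from("<Q", page, layout["VMCS_LINK_POINTER"])[0]
    host_cr4 = struct.unpack_from("<Q", page, layout["HOST_CR4"])[0]
    # Link pointer must be the no-shadow value; host CR4 needs VMXE and its upper 32 reserved bits clear.
    if link != NO_SHADOW_LINK or not (host_cr4 & CR4_VMXE) or host_cr4 >> 32:
        return None
    return layout

def scan(dump, layouts=LAYOUTS):
    """Page-aligned scan of a raw physical memory dump; returns offsets of VMCS candidates."""
    view = memoryview(dump)
    return [off for off in range(0, len(dump) - PAGE + 1, PAGE)
            if is_vmcs_candidate(view[off:off + PAGE], layouts) is not None]

def build_sample_dump():
    """Constructed 4-page dump: page 1 is a plausible VMCS, page 2 carries the revision id but fails the rest."""
    dump = bytearray(4 * PAGE)
    rev, lay = next(iter(LAYOUTS.items()))
    for page_no, link, cr4 in ((1, NO_SHADOW_LINK, 0x2E0 | CR4_VMXE), (2, 0, 0x2E0)):
        base = page_no * PAGE
        struct.pack_into("<II", dump, base, rev, 0)
        struct.pack_into("<Q", dump, base + lay["VMCS_LINK_POINTER"], link)
        struct.pack_into("<Q", dump, base + lay["HOST_CR4"], cr4)
    return bytes(dump)
```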
Hyperls [Validation]
• HOST_CR3 property:
– The HOST_CR3 field points to the hypervisor's page tables
– Those page tables must map the page containing the VMCS
• For every VMCS candidate we extract HOST_CR3:
– We walk the entire set of page tables
– We obtain all the allocated physical pages
– The VMCS is validated if and only if it lies in the set of allocated physical pages
Hyperls [Validation]
Hyperls [DEMO]
DEMO 1
Hyperls [Nested]
• A guest virtual machine can itself run a hypervisor
• On x86 only one hypervisor can be in VMX root mode at a time
Hyperls [DEMO NESTED]
DEMO 2
Guest Introspection [EPT]
• Extended Page Tables (EPT): a “new” Intel hardware feature
• Address translation from Guest Physical Addresses (GPA) to Host Physical Addresses (HPA)
• The translation goes through several stages, very similar to IA-32e paging
Guest Introspection [Algorithm]
• We extract the EPT_POINTER from the VMCS
• We translate, when required, every GPA to its HPA through the EPT tables
• We patched Volatility to use this pointer during address translation
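The HOST_CR3 validation from the Hyperls slides and the GPA-to-HPA translation through the EPT_POINTER both rest on the same four-level table walk, so one added example (not Actaeon's or Volatility's code) serves both passages: enumerating every physical page reachable from a root to validate a VMCS candidate, and walking a single address through an EPT. The memory image, table contents and addresses are constructed; the two `present` predicates follow the IA-32e (present bit) and EPT (any of read/write/execute) entry formats, and large pages via the PS bit are handled.

```python
import functools, itertools, struct

PAGE, ADDR = 0x1000, 0x000FFFFFFFFFF000                      # ADDR: bits 12..51 hold the next physical address
PRESENT, EPT_PRESENT = (lambda e: e & 1), (lambda e: e & 7)   # IA-32e present bit; EPT entry live if any of R/W/X set

def read64(mem, pa): return struct.unpack_from("<Q", mem.get(pa >> 12, bytes(PAGE)), pa & 0xFFF)[0]
def write64(mem, pa, v): struct.pack_into("<Q", mem.setdefault(pa >> 12, bytearray(PAGE)), pa & 0xFFF, v)

def frames(mem, root, present, level=4):
    """Yield every (base, size) physical range reachable from a 4-level root: 'walk the entire page tables'."""
    for i in range(512):
        e = read64(mem, (root & ADDR) + i * 8)
        if not present(e):
            continue
        if level == 1 or (level < 4 and e & 0x80):       # leaf: 4 KiB page, or 2 MiB / 1 GiB page via PS bit
            size = 1 << (12 + 9 * (level - 1))
            yield (e & ADDR & ~(size - 1), size)
        else:
            yield from frames(mem, e & ADDR, present, level - 1)

def vmcs_is_valid(mem, vmcs_pa, host_cr3):
    """Hyperls rule: the page holding the candidate VMCS must be mapped by the hypervisor's HOST_CR3."""
    return any(b <= vmcs_pa < b + s for b, s in frames(mem, host_cr3, PRESENT))

def translate(mem, root, addr, present):
    """Walk one address through a 4-level table; with root = EPT_POINTER this is GPA -> HPA."""
    table = root & ADDR
    for level in (4, 3, 2, 1):
        shift = 12 + 9 * (level - 1)
        e = read64(mem, table + ((addr >> shift) & 0x1FF) * 8)
        if not present(e):
            return None                                    # not mapped at this level
        if level == 1 or (level < 4 and e & 0x80):         # leaf entry: combine frame base with page offset
            return (e & ADDR & ~((1 << shift) - 1)) | (addr & ((1 << shift) - 1))
        table = e & ADDR

def map_page(mem, root, addr, target, flags, alloc):
    """Constructed helper: build the 4-level path that maps one 4 KiB page at addr to target."""
    table = root & ADDR
    for shift in (39, 30, 21):
        slot = table + ((addr >> shift) & 0x1FF) * 8
        if not read64(mem, slot):
            write64(mem, slot, alloc() | flags)
        table = read64(mem, slot) & ADDR
    write64(mem, table + ((addr >> 12) & 0x1FF) * 8, target | flags)

def build_sample():
    """Constructed image: hypervisor tables (HOST_CR3) mapping its own VMCS, plus an EPT for one guest page."""
    mem, alloc = {}, functools.partial(next, itertools.count(0x100000, PAGE))
    host_cr3, vmcs_pa, eptp = alloc(), 0x7FF000, alloc()
    map_page(mem, host_cr3, 0xFFFF880000000000 + vmcs_pa, vmcs_pa, 0x3, alloc)   # present | writable
    map_page(mem, eptp, 0x1000, 0x2000000, 0x7, alloc)                           # GPA 0x1000 -> HPA 0x2000000, RWX
    return mem, host_cr3, vmcs_pa, eptp
```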
Guest Introspection [DEMO]
DEMO
Limitations
• Actaeon supports only Intel hardware-assisted hypervisors (no AMD support, no paravirtualization)
• Actaeon supports EPT only (no shadow page tables)
• Memory acquisition is out of scope (VT-d is assumed to be disabled)
Future Work
• We are working to support:
– Hyper-V
– Introspection for Linux Guests
– VMCS Shadowing
– VMWare ESXi
– AMD
Questions?
Mariano Graziano
graziano at eurecom dot fr
@emd3l
Davide Balzarotti
balzarotti at eurecom dot fr
@balzarot