Abstract image of a woman sitting on books and studying on a laptop

Oleksyk applied-anti-forensics

DefconRussia, profile picture
DefconRussia

The document discusses exploiting vulnerabilities in the Windows registry and kernel to execute malicious code without detection. It describes how vulnerabilities in functions like RtlQueryRegistryValues and win32k.sys that improperly read registry values can be triggered to cause a buffer overflow and gain kernel code execution. The goal is to store malicious code in the registry and have it execute by exploiting these vulnerabilities during system startup before detection can occur.

1 of 52
Downloaded 29 times
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
Oleksiuk Dmytro (aka Cr4sh)
 What do you think when you hear this term?
 What do you think when you hear this term?  Rustock  TDSS/Alureon  ZeroAccess  Carberp
 What do you think when you hear this term?  Rustock  TDSS/Alureon  ZeroAccess  Carberp  My talk about another: rootkits for the target attacks
 The purpose of malicious code puts certain requirements over it  In general, the requirements are persistence and activity hiding, but also there is some special cases  Case #1: rootkits for the mass-spreading malware  Prevent active infection curing by the popular anti-virus software  Case #2: rootkits for the target attacks  Prevent active infection detection even by the professional during forensic analysis  The main subject of this talk
 Specific requirements dictate the necessity of the specific technical solutions  All rootkits listed above in the case #1 and all known «cyber-weapon» stuff are very easy detectable  We need to design something fundamentally new that will be good enough for the case #2  But first - let's look at the common rootkit detection scenarios for better understanding of the task
 In order to be working the malicious code must get execution somehow  System service installation or using of the less obvious auto-run capabilities (documented or not) of OS ▪ TDL 2, Rustock, Srizbi, Stuxnet, Duqu  Infection of the existing executable file ▪ TDL 3, ZeroAccess, Virut  OS booting control (modification of the boot code, partition table or playing with the UEFI boot drivers and services) ▪ TDL 4, Mebroot, Olmarik, Rovnix, UEFI rootkit by @snare
 Apart from getting the execution rootkits also have to hide the evidences of their work (we're still talking about rootkits?)  Hidden objects and resources of the operating system make the rootkit detection more easy  How exactly?
 Step 1: collect the database (like name/path + hash) of interesting resources (files, system registry, boot sectors) inside the environment of presumably infected by rootkit OS  Step 2: collect the same database but with the mounting of the target OS system volume inside the environment of clear and trusted OS  Step 3: diff of the two databases will show us the resources that were hidden or locked by the rootkit inside the environment of the target OS  Reliability is close to 100% in the absence of implementation errors  Very hard for to bypass such detection  I'm using this method successfully in the different practical cases
 Rootkit sample: Trojan.Srizbi.cx
 Rootkit sample: Win32.TDSS.aa
 Rootkit sample: Rootkit.Win32.Agent.aibm
 The malicious code also can have nothing to hide (because not only rootkits are useful)  Developers can masquerade the malicious module as a legitimate program component (from OS or 3-rd party software)  Actually, such case is much more harder for investigation and detection than “true rootkit”, that hides any files/processes/registry keys/etc.  But we still can compare collected resources database with the some reference  Good system administrator always knows, exactly what software and drivers are installed on his servers and workstations. Find something extraneous among known components and data is a much than possible
 So, for these reasons our ideal rootkit for target attacks is strictly prohibited to use:  All the regular ways of auto-run  Existing files modification and new files creation  Interfere in the process of OS booting with the modification of MBR, VBR, NTFS $Boot and so on.  But where should we store the malicious code and how to pass execution into it?  Maybe, firmware infection is the most obvious way?  Yes: that’s a powerful technology and it can solve our tasks  No: in practice – very expensive, depends on the specific hardware and have a lot of other limitations
 Let’s store malicious code inside some REG_BINARY or REG_SZ system registry value!
 The main goal: Windows system registry – is the millions of keys and values  There is no any complete documentation on all of these  Usually, the forensic analysis is limited by checking only a small part of registry keys (that stores critical system settings and known auto-run locations)  The main problem: how to execute a code, that located inside a system registry value?  Of course, the Windows haven’t any regular capabilities for that   But some registry keys can contain the data that very interesting and sensitive itself  Also, there are a lot of code and program components that read something from the system registry, and, of course, such code can have vulnerabilities
 What interesting is kept in the system registry?  Settings, users password hashes, certificates and secret/public keys  Maybe, anything else?
 Windows ACPI driver stores a copy of the DSDT table (that was read from the firmware) inside a system registry  sometimes this feature is used by enthusiasts to fix the hardware vendor bugs  DSDT – is the part of ACPI specification, this table stores machine- independent subprograms, that are interpreting by ACPI driver in the occurrence of different power events  ACPI spec 4.0a, «5.2 ACPI System Description Tables»  DSDT had already got under the attention of researchers  «Implementing and Detecting an ACPI BIOS Rootkit» (John Heasman, Black Hat 2006)  I propose to modify the copy of DSDT inside the system registry, but not inside the firmware
 DSDT can contain data objects and control methods  They forming a hierarchical ACPI namespace  Control methods are represented in the form of an AML byte- code (ACPI Machine Language), in which compiles the programs written in ASL (ACPI Source Language)  Compilers and disassemblers are available in toolkits from Intel and Microsoft  It’s possible to browse ACPI namespace and debug the AML code with the acpikd extension for WinDbg  AML byte-code interpreter located inside the operating system ACPI driver (ACPI.sys on Windows)
 ASL provides a lot of capabilities for working with the hardware resources  OperationRegion directive (ACPI spec 4.0a, «18.5.89 Declare Operation Region») can give the access to the different memory regions
 Example: ASL code that writes 0x1337 into the physical memory at 0x80000000
 Write ASL program, that generates the malicious machine code directly into the physical memory, and then – patches OS kernel for redirecting control flow to the generated code  Read DSDT contents from the system registry  Add written program into the code of some control method, that will be called during OS startup  Write modified DSDT back into the system registry  PROFFIT!  At the next reboot modified control method code will be interpreted by ACPI driver and after that – our malicious code will be generated and executed
 ASL code can work only with the physical memory, so, for accessing to the virtual memory we need to make the address translation manually  Windows stores PDE/PTE tables at the constant virtual addresses 0xC0300000/0xC0000000 (for x86)  Then we should find the address of the some kernel mode code to patch, the using of hardcoded address is possible  Will work on NT 5.x  Will not work NT 6.x because there is a kernel-mode ASLR  … but it’s better to modify the code, that located in the SystemCallPad field of the _KUSER_SHARED_DATA structure  This structure located at the executable memory page with the constant address 0xffdf0000 (at least – up to NT 6.1 including)  The end of this page can be used to store the malicious code
DEMO: vimeo.com/56595256
 Unfortunately, considered DSDT modification works fine only on the NT 5.x and gives the strange BSoD on the NT 6.x:
 The reason – KeBugCheckEx call inside the ACPI.sys
 ACPI!MapPhysMem calls the AmlpValidateFirmwareMemoryAddress function, that checks the physical address from the OperationRegion for belonging to the I/O ports addresses ranges  If the control method code trying to read or write something different (executable images that mapped to the memory, kernel structures and so on) – ACPI.sys drops the system into the BSoD  ACPI.sys reads the information about the allowed memory regions from the special keys of the system registry, that located in HARDWAREDESCRIPTIONSystemMultifunctionAdapter  This key is not a permanent – it’s creating during the operating system startup  PnP driver puts I/O memory information inside it during the hardware resources enumeration and initialization
 Well… we can try to put fake I/O memory information into the system registry and corrupt the hive binary structure somehow to prevent the system to modify data  Also, the possible way is exploring the other ACPI features  Already done by Alex Ionescu: «ACPI 5.0 Rootkit Attacks Against Windows 8»  One more variant: to find the vulnerability in the AML byte-code interpreter code  But stop, out primary task – is executing of the code, that is located inside the system registry. Let’s leave ACPI and find some different way
 Do you remember the local privileges escalation vulnerability CVE-2010-4398 (MS11-010)?  The another one vulnerability in the win32k.sys  Incorrect usage of the RtlQueryRegistryValues kernel function causes stack-based buffer overflow during reading the registry value contents  Because the RtlQueryRegistryValues – is really overcomplicated  Seems that even the Windows developers don’t know all the documented features of the some kernel functions 
 The RtlQueryRegistryValues has a lot of options and different data reading modes  The most interesting stuff located in the RTL_QUERY_REGISTRY_TABLE structure, that must be passed to the RtlQueryRegistryValues as an argument
 The Flags field can contain the RTL_QUERY_REGISTRY_DIRECT flag:  The MSDN quote about this flag: «The QueryRoutine member is not used (and must be NULL), and the EntryContext points to the buffer to store the value»  From the type of the value, that you’re reading, depends on how exactly the data will be written into the buffer  REG_SZ, REG_EXPAND_SZ: «EntryContext must point to an initialized UNICODE_STRING structure»  Non-string data with size <=sizeof(ULONG): «The value is stored in the memory location specified by EntryContext»  Non-string data with size >sizeof(ULONG): «The buffer pointed to by EntryContext must begin with a signed LONG value. The magnitude of the value must specify the size, in bytes, of the buffer»
 The usage of the RtlQueryRegistryValues causes the BoF when:  The code is trying to read REG_DWORD or REG_SZ value with the RTL_QUERY_REGISTRY_DIRECT flag but without the correct type value in the DefaultType field  … and buffer, that pointed by the EntryContext field, has a non-zero DWORD at the beginning (for example – when the EntryContext points to the initialized UNICODE_STRING structure)  … and attacker can replace the reading value (REG_DWORD or REG_SZ) by malicious one, that has a REG_BINARY type  Result –100% controllable overflow with the trivial exploitation!  Number of overwritten bytes – is the first DWORD value from the EntryContext pointed buffer
 Simple PoC for the CVE-2010-4398 as a .REG file:
 The vulnerable code fragment in win32k.sys:
 Of course, Microsoft has released a path for the CVE-2011-4398  That patch also adds some improvements and mitigations for the RtlQueryRegistryValues function:  The RTL_QUERY_REGISTRY_TYPECHECK flag has been added, if it is specified – the RtlQueryRegistryValues will return an error in case of the zero DefaultType field  In Windows 8 the RTL_QUERY_REGISTRY_DIRECT flag works only for the trusted registry keys (that can’t be overwritten under limited user account)  But these improvements will not make the already written code more secure  On Windows 7 we still have a good LPE vector  … and local-admin-to-ring0 on Windows 8
 Even reverse engineering of the vulnerabilities that were already fixed can give you a valuable experience  As a result of the patched vulnerabilities discovery it’s possible to obtain a new attack vector and a "template" of the vulnerable code, that can be used to find new zero-day vulnerabilities  Let’s try to find zero-day vulnerabilities that are similar to the CVE-2010-4398
 Fuzzing? Static dataflow analysis? Symbolic execution?
 Fuzzing? Static dataflow analysis? Symbolic execution?  Keep it simple. IDA, win32k.sys and one hour of the time!
 Some interesting piece of code in win32k.sys:
 The win32!bInitializeEUDC function unsafely reading the «FontLink» value (REG_DWORD) of the «SoftwareMicrosoftWindows NTCurrentVersion» key  No DefaultType specified, EntryContext pointed buffer – is uninitialized stack variable with the non-zero value  We can trigger the vulnerability by replacing these values with the REG_BINARY one
 Yes, it drops a system into the BSoD and we can control the EIP value 
 Vulnerable function takes the execution from the NtUserInitialize system call handler. Windows kernel is using this system call for the per-session initialization of the Win32 subsystem  So, the vulnerability can be triggered during the system boot, all that we need – is just put the malicious value into the system registry
 There is a DEP and ASLR in the NT 6.x kernels, and we need to bypass them absolutely blindly without any pre-interaction with the OS  Good thing – there is no stack cookies in win32!bInitializeEUDC  Exploit should not violate the normal execution flow and global state of the OS kernel, if it will – BSoD and unbootable OS  Need to restore overwritten stack frames and correctly pass the execution from the shellcode back to the win32k.sys  Overflow happens too close to the bottom of the stack, we have only about 70 bytes for the shellcode  It’s not possible to do the spray or something, because we can’t interact with the OS at the exploitation stage, all that we have – is the data that overwrites the stack
 A little fail: I haven’t got the ROP chain with the short enough length for DEP/ASLR bypass inside the Windows kernel environment (and it seems that nobody has)  The shortest what I know – has a 68 bytes length without the shellcode  See the «Bypassing Windows 7 kernel ASLR» by Stéfan LE BERRE  Compromise solution – to disable the DEP inside the Windows boot loader configuration  … and enable it for the user-mode processes back when the shellcode has been successfully executed  There is no way to disable ASLR  But it seems that it’s not a very critical for the vulnerability that I’m talking about
 I’m using the JMP ESP that is located at the constant address inside the KUSER_SHARED_DATA for defeating the kernel ASLR  70 bytes is a pretty enough for the egg-hunting stage 1 shellcode, that locates and executes stage 2 shellcode in the kernel-space virtual memory by the binary signature lookup  Stage 2 shellcode is originally located inside some another registry value – Windows kernel maps the big parts of the registry hives in the virtual memory  Also, in stage 1 shellcode I’m finding an address of the MmIsAddressValid kernel function  Stage 1 shellcode is obtaining the kernel image base from the _KPCR structure (we can access it via FS segment register)
 Whole stage 1 assembly code:
 For the OS code execution state normalization the stage 2 shellcode must perform some operations, that weren’t executed in the win32k.sys code because of the buffer overflow  It sets the WIN32_PROCESS_FLAGS flag inside the Win32 Process Information structure (W32PROCESS) for the current process  It finds the address of the non-exportable function win32k!UserInitialize and calls it manually  Then, the stage 2 shellcode loads, initializes and runs the ring 0 payload  After that, the stage 2 shellcode sets the return address and ESP values in order to return the execution of the current system call back to the system calls manager (nt!_KiFastCallEntry) with the STATUS_SUCCESS return value
 Regular Windows kernel mode driver PE image  Is also stored inside the system registry value  It hides itself from the modern anti-rootkits  In order to avoid unknown executable code detection it moves itself in the memory over discardable sections of some default Windows drivers  It installs the kernel mode network backdoor  Undetectable NDIS miniport level hooks allows to monitor the incoming network traffic on all of the interfaces  When network backdoor finds the magic sequence in the traffic – it injects meterpreter/bind_tcp payload (from the Metasploit framework) for execution into the WINLOGON.EXE user mode process
DEMO: vimeo.com/56625551
Check out the rootkit source code on GitHub! github.com/Cr4sh/WindowsRegistryRootkit
 I’m not reported about these win32k.sys vulnerability into the Microsoft  Not very critical vulnerability because of the strange practical use-cases  Vulnerable systems – all the NT 6.x (up to the Windows 8), for x86 and x64  Seems that stable exploitation of vulnerability in the win32!bInitializeEUDC function is impossible on the x64 Windows version  The win32k!bInitializeEUDC function have the stack cookies on Windows x64 because of the stack frames elimination  Impossible to exploit such cases completely blindly, without the pre- interaction with the OS
root@cr4.sh @d_olex

More Related Content

PDF
Hunting malware with volatility v2.0
Frank Boldewin
 
PDF
A Security Barrier Device That Can Protect Critical Data Regardless of OS or ...
CODE BLUE
 
PDF
Hunting rootkits with windbg
Frank Boldewin
 
PDF
CarolinaCon 2008 Rootkits Then and Now
Tyler Shields
 
PPTX
Code Injection in Windows
n|u - The Open Security Community
 
PDF
Hta w22
SelectedPresentations
 
PDF
64 bit rugrats
UltraUploader
 
PPT
Building HMI with VB Tutorial [1998]
Sarod Paichayonrittha
 
Hunting malware with volatility v2.0
Frank Boldewin
 
A Security Barrier Device That Can Protect Critical Data Regardless of OS or ...
CODE BLUE
 
Hunting rootkits with windbg
Frank Boldewin
 
CarolinaCon 2008 Rootkits Then and Now
Tyler Shields
 
Code Injection in Windows
n|u - The Open Security Community
 
Hta w22
SelectedPresentations
 
64 bit rugrats
UltraUploader
 
Building HMI with VB Tutorial [1998]
Sarod Paichayonrittha
 

What's hot (20)

PPTX
Malware Analysis and Defeating using Virtual Machines
intertelinvestigations
 
PPTX
Detect Kernel-Mode Rootkits via Real Time Logging & Controlling Memory Access
Igor Korkin
 
PDF
Automated defense from rootkit attacks
UltraUploader
 
PPTX
How to drive a malware analyst crazy
Michael Boman
 
PPTX
Halvar Flake: Why Johnny can’t tell if he is compromised
Area41
 
PDF
SANS Windows Artifact Analysis 2012
Rian Yulian
 
PDF
How security broken? - Android internals and malware infection possibilities
FFRI, Inc.
 
PDF
Hunting Mac Malware with Memory Forensics
Andrew Case
 
PPT
Live Memory Forensics on Android devices
Nikos Gkogkos
 
PPTX
Protected Process Light will be Protected – MemoryRanger Fills the Gap Again
Igor Korkin
 
PPTX
Applying Memory Forensics to Rootkit Detection
Igor Korkin
 
PPTX
[Wroclaw #3] Trusted Computing
OWASP
 
PPT
Unix Security
replay21
 
PPTX
Вячеслав Кабак "Microsoft Sysinternals-Useful Utilities"
EPAM Systems
 
PDF
Fermín J. Serna - Exploits & Mitigations: EMET [RootedCON 2010]
RootedCON
 
PDF
Android Mind Reading: Android Live Memory Analysis with LiME and Volatility
Joe Sylve
 
PPT
Linux forensics
Santosh Khadsare
 
PDF
IDA Vulnerabilities and Bug Bounty  by Masaaki Chida
CODE BLUE
 
PDF
Windows Internals: fuzzing, hijacking and weaponizing kernel objects
Nullbyte Security Conference
 
PDF
A Hypervisor IPS based on Hardware Assisted Virtualization Technology
FFRI, Inc.
 
Malware Analysis and Defeating using Virtual Machines
intertelinvestigations
 
Detect Kernel-Mode Rootkits via Real Time Logging & Controlling Memory Access
Igor Korkin
 
Automated defense from rootkit attacks
UltraUploader
 
How to drive a malware analyst crazy
Michael Boman
 
Halvar Flake: Why Johnny can’t tell if he is compromised
Area41
 
SANS Windows Artifact Analysis 2012
Rian Yulian
 
How security broken? - Android internals and malware infection possibilities
FFRI, Inc.
 
Hunting Mac Malware with Memory Forensics
Andrew Case
 
Live Memory Forensics on Android devices
Nikos Gkogkos
 
Protected Process Light will be Protected – MemoryRanger Fills the Gap Again
Igor Korkin
 
Applying Memory Forensics to Rootkit Detection
Igor Korkin
 
[Wroclaw #3] Trusted Computing
OWASP
 
Unix Security
replay21
 
Вячеслав Кабак "Microsoft Sysinternals-Useful Utilities"
EPAM Systems
 
Fermín J. Serna - Exploits & Mitigations: EMET [RootedCON 2010]
RootedCON
 
Android Mind Reading: Android Live Memory Analysis with LiME and Volatility
Joe Sylve
 
Linux forensics
Santosh Khadsare
 
IDA Vulnerabilities and Bug Bounty  by Masaaki Chida
CODE BLUE
 
Windows Internals: fuzzing, hijacking and weaponizing kernel objects
Nullbyte Security Conference
 
A Hypervisor IPS based on Hardware Assisted Virtualization Technology
FFRI, Inc.
 
Ad

Similar to Oleksyk applied-anti-forensics (20)

PPT
Rootkit Hunting & Compromise Detection
amiable_indian
 
PDF
RING 0/-2 ROOKITS : COMPROMISING DEFENSES
Priyanka Aash
 
PDF
Ring 0/-2 Rootkits: bypassing defenses -- DEF CON 2018 USA
Alexandre Borges
 
PDF
ADVANCED MALWARE THREATS -- NO HAT 2019 (BERGAMO / ITALY)
Alexandre Borges
 
PDF
CNIT 152 12. Investigating Windows Systems (Part 3)
Sam Bowne
 
PDF
Stealthy Rootkit : How bad guy fools live memory forensics? - PacSec 2009
Tsukasa Oi
 
PDF
Technical Workshop - Win32/Georbot Analysis
Positive Hack Days
 
PPTX
Advanced malware analysis training session 7 malware memory forensics
Cysinfo Cyber Security Community
 
PDF
Lack of System Registers and two simple anti-forensic attacks - AVTokyo 2009
Tsukasa Oi
 
PDF
Reversing & malware analysis training part 12 rootkit analysis
Abdulrahman Bassam
 
PDF
Larson Macaulay apt_malware_past_present_future_out_of_band_techniques
Scott K. Larson
 
PDF
Defeating Windows memory forensics
lmilkovic
 
PPTX
Security research over Windows #defcon china
Peter Hlavaty
 
PDF
Automated In-memory Malware/Rootkit Detection via Binary Analysis and Machin...
Malachi Jones
 
PPTX
Concepts of Malicious Windows Programs
Natraj G
 
PDF
CNIT 126: 10: Kernel Debugging with WinDbg
Sam Bowne
 
PPT
Joanna Rutkowska Subverting Vista Kernel
guestf1a032
 
PDF
BlueHat v18 || Return of the kernel rootkit malware (on windows 10)
BlueHat Security Conference
 
PDF
CH1- Introduction to malware analysis-v2.pdf
WajdiElhamzi3
 
PPTX
Advanced Malware Analysis Training Session 7 - Malware Memory Forensics
securityxploded
 
Rootkit Hunting & Compromise Detection
amiable_indian
 
RING 0/-2 ROOKITS : COMPROMISING DEFENSES
Priyanka Aash
 
Ring 0/-2 Rootkits: bypassing defenses -- DEF CON 2018 USA
Alexandre Borges
 
ADVANCED MALWARE THREATS -- NO HAT 2019 (BERGAMO / ITALY)
Alexandre Borges
 
CNIT 152 12. Investigating Windows Systems (Part 3)
Sam Bowne
 
Stealthy Rootkit : How bad guy fools live memory forensics? - PacSec 2009
Tsukasa Oi
 
Technical Workshop - Win32/Georbot Analysis
Positive Hack Days
 
Advanced malware analysis training session 7 malware memory forensics
Cysinfo Cyber Security Community
 
Lack of System Registers and two simple anti-forensic attacks - AVTokyo 2009
Tsukasa Oi
 
Reversing & malware analysis training part 12 rootkit analysis
Abdulrahman Bassam
 
Larson Macaulay apt_malware_past_present_future_out_of_band_techniques
Scott K. Larson
 
Defeating Windows memory forensics
lmilkovic
 
Security research over Windows #defcon china
Peter Hlavaty
 
Automated In-memory Malware/Rootkit Detection via Binary Analysis and Machin...
Malachi Jones
 
Concepts of Malicious Windows Programs
Natraj G
 
CNIT 126: 10: Kernel Debugging with WinDbg
Sam Bowne
 
Joanna Rutkowska Subverting Vista Kernel
guestf1a032
 
BlueHat v18 || Return of the kernel rootkit malware (on windows 10)
BlueHat Security Conference
 
CH1- Introduction to malware analysis-v2.pdf
WajdiElhamzi3
 
Advanced Malware Analysis Training Session 7 - Malware Memory Forensics
securityxploded
 
Ad

More from DefconRussia (20)

PPTX
[Defcon Russia #29] Борис Савков - Bare-metal programming на примере Raspber...
DefconRussia
 
PDF
[Defcon Russia #29] Александр Ермолов - Safeguarding rootkits: Intel Boot Gua...
DefconRussia
 
PPTX
[Defcon Russia #29] Алексей Тюрин - Spring autobinding
DefconRussia
 
PDF
[Defcon Russia #29] Михаил Клементьев - Обнаружение руткитов в GNU/Linux
DefconRussia
 
PDF
Георгий Зайцев - Reversing golang
DefconRussia
 
PDF
[DCG 25] Александр Большев - Never Trust Your Inputs or How To Fool an ADC
DefconRussia
 
PPTX
Cisco IOS shellcode: All-in-one
DefconRussia
 
PPT
Олег Купреев - Обзор и демонстрация нюансов и трюков из области беспроводных ...
DefconRussia
 
PPTX
HTTP HOST header attacks
DefconRussia
 
PPTX
Attacks on tacacs - Алексей Тюрин
DefconRussia
 
PPTX
Weakpass - defcon russia 23
DefconRussia
 
PDF
nosymbols - defcon russia 20
DefconRussia
 
PDF
static - defcon russia 20
DefconRussia
 
PDF
Zn task - defcon russia 20
DefconRussia
 
PDF
Vm ware fuzzing - defcon russia 20
DefconRussia
 
PDF
Nedospasov defcon russia 23
DefconRussia
 
PDF
Advanced cfg bypass on adobe flash player 18 defcon russia 23
DefconRussia
 
PDF
Miasm defcon russia 23
DefconRussia
 
PDF
Andrey Belenko, Alexey Troshichev - Внутреннее устройство и безопасность iClo...
DefconRussia
 
PDF
Sergey Belov - Покажите нам Impact! Доказываем угрозу в сложных условиях
DefconRussia
 
[Defcon Russia #29] Борис Савков - Bare-metal programming на примере Raspber...
DefconRussia
 
[Defcon Russia #29] Александр Ермолов - Safeguarding rootkits: Intel Boot Gua...
DefconRussia
 
[Defcon Russia #29] Алексей Тюрин - Spring autobinding
DefconRussia
 
[Defcon Russia #29] Михаил Клементьев - Обнаружение руткитов в GNU/Linux
DefconRussia
 
Георгий Зайцев - Reversing golang
DefconRussia
 
[DCG 25] Александр Большев - Never Trust Your Inputs or How To Fool an ADC
DefconRussia
 
Cisco IOS shellcode: All-in-one
DefconRussia
 
Олег Купреев - Обзор и демонстрация нюансов и трюков из области беспроводных ...
DefconRussia
 
HTTP HOST header attacks
DefconRussia
 
Attacks on tacacs - Алексей Тюрин
DefconRussia
 
Weakpass - defcon russia 23
DefconRussia
 
nosymbols - defcon russia 20
DefconRussia
 
static - defcon russia 20
DefconRussia
 
Zn task - defcon russia 20
DefconRussia
 
Vm ware fuzzing - defcon russia 20
DefconRussia
 
Nedospasov defcon russia 23
DefconRussia
 
Advanced cfg bypass on adobe flash player 18 defcon russia 23
DefconRussia
 
Miasm defcon russia 23
DefconRussia
 
Andrey Belenko, Alexey Troshichev - Внутреннее устройство и безопасность iClo...
DefconRussia
 
Sergey Belov - Покажите нам Impact! Доказываем угрозу в сложных условиях
DefconRussia
 

Oleksyk applied-anti-forensics

  • 2. What do you think when you hear this term?
  • 3. What do you think when you hear this term?  Rustock  TDSS/Alureon  ZeroAccess  Carberp
  • 4. What do you think when you hear this term?  Rustock  TDSS/Alureon  ZeroAccess  Carberp  My talk about another: rootkits for the target attacks
  • 5. The purpose of malicious code puts certain requirements over it  In general, the requirements are persistence and activity hiding, but also there is some special cases  Case #1: rootkits for the mass-spreading malware  Prevent active infection curing by the popular anti-virus software  Case #2: rootkits for the target attacks  Prevent active infection detection even by the professional during forensic analysis  The main subject of this talk
  • 6. Specific requirements dictate the necessity of the specific technical solutions  All rootkits listed above in the case #1 and all known «cyber-weapon» stuff are very easy detectable  We need to design something fundamentally new that will be good enough for the case #2  But first - let's look at the common rootkit detection scenarios for better understanding of the task
  • 7. In order to be working the malicious code must get execution somehow  System service installation or using of the less obvious auto-run capabilities (documented or not) of OS ▪ TDL 2, Rustock, Srizbi, Stuxnet, Duqu  Infection of the existing executable file ▪ TDL 3, ZeroAccess, Virut  OS booting control (modification of the boot code, partition table or playing with the UEFI boot drivers and services) ▪ TDL 4, Mebroot, Olmarik, Rovnix, UEFI rootkit by @snare
  • 8. Apart from getting the execution rootkits also have to hide the evidences of their work (we're still talking about rootkits?)  Hidden objects and resources of the operating system make the rootkit detection more easy  How exactly?
  • 9. Step 1: collect the database (like name/path + hash) of interesting resources (files, system registry, boot sectors) inside the environment of presumably infected by rootkit OS  Step 2: collect the same database but with the mounting of the target OS system volume inside the environment of clear and trusted OS  Step 3: diff of the two databases will show us the resources that were hidden or locked by the rootkit inside the environment of the target OS  Reliability is close to 100% in the absence of implementation errors  Very hard for to bypass such detection  I'm using this method successfully in the different practical cases
  • 10. Rootkit sample: Trojan.Srizbi.cx
  • 11. Rootkit sample: Win32.TDSS.aa
  • 12. Rootkit sample: Rootkit.Win32.Agent.aibm
  • 13. The malicious code also can have nothing to hide (because not only rootkits are useful)  Developers can masquerade the malicious module as a legitimate program component (from OS or 3-rd party software)  Actually, such case is much more harder for investigation and detection than “true rootkit”, that hides any files/processes/registry keys/etc.  But we still can compare collected resources database with the some reference  Good system administrator always knows, exactly what software and drivers are installed on his servers and workstations. Find something extraneous among known components and data is a much than possible
  • 14. So, for these reasons our ideal rootkit for target attacks is strictly prohibited to use:  All the regular ways of auto-run  Existing files modification and new files creation  Interfere in the process of OS booting with the modification of MBR, VBR, NTFS $Boot and so on.  But where should we store the malicious code and how to pass execution into it?  Maybe, firmware infection is the most obvious way?  Yes: that’s a powerful technology and it can solve our tasks  No: in practice – very expensive, depends on the specific hardware and have a lot of other limitations
  • 15. Let’s store malicious code inside some REG_BINARY or REG_SZ system registry value!
  • 16. The main goal: Windows system registry – is the millions of keys and values  There is no any complete documentation on all of these  Usually, the forensic analysis is limited by checking only a small part of registry keys (that stores critical system settings and known auto-run locations)  The main problem: how to execute a code, that located inside a system registry value?  Of course, the Windows haven’t any regular capabilities for that   But some registry keys can contain the data that very interesting and sensitive itself  Also, there are a lot of code and program components that read something from the system registry, and, of course, such code can have vulnerabilities
  • 17. What interesting is kept in the system registry?  Settings, users password hashes, certificates and secret/public keys  Maybe, anything else?
  • 18. Windows ACPI driver stores a copy of the DSDT table (that was read from the firmware) inside a system registry  sometimes this feature is used by enthusiasts to fix the hardware vendor bugs  DSDT – is the part of ACPI specification, this table stores machine- independent subprograms, that are interpreting by ACPI driver in the occurrence of different power events  ACPI spec 4.0a, «5.2 ACPI System Description Tables»  DSDT had already got under the attention of researchers  «Implementing and Detecting an ACPI BIOS Rootkit» (John Heasman, Black Hat 2006)  I propose to modify the copy of DSDT inside the system registry, but not inside the firmware
  • 19. DSDT can contain data objects and control methods  They forming a hierarchical ACPI namespace  Control methods are represented in the form of an AML byte- code (ACPI Machine Language), in which compiles the programs written in ASL (ACPI Source Language)  Compilers and disassemblers are available in toolkits from Intel and Microsoft  It’s possible to browse ACPI namespace and debug the AML code with the acpikd extension for WinDbg  AML byte-code interpreter located inside the operating system ACPI driver (ACPI.sys on Windows)
  • 20. ASL provides a lot of capabilities for working with the hardware resources  OperationRegion directive (ACPI spec 4.0a, «18.5.89 Declare Operation Region») can give the access to the different memory regions
  • 21. Example: ASL code that writes 0x1337 into the physical memory at 0x80000000
  • 22. Write ASL program, that generates the malicious machine code directly into the physical memory, and then – patches OS kernel for redirecting control flow to the generated code  Read DSDT contents from the system registry  Add written program into the code of some control method, that will be called during OS startup  Write modified DSDT back into the system registry  PROFFIT!  At the next reboot modified control method code will be interpreted by ACPI driver and after that – our malicious code will be generated and executed
  • 23. ASL code can work only with the physical memory, so, for accessing to the virtual memory we need to make the address translation manually  Windows stores PDE/PTE tables at the constant virtual addresses 0xC0300000/0xC0000000 (for x86)  Then we should find the address of the some kernel mode code to patch, the using of hardcoded address is possible  Will work on NT 5.x  Will not work NT 6.x because there is a kernel-mode ASLR  … but it’s better to modify the code, that located in the SystemCallPad field of the _KUSER_SHARED_DATA structure  This structure located at the executable memory page with the constant address 0xffdf0000 (at least – up to NT 6.1 including)  The end of this page can be used to store the malicious code
  • 25. Unfortunately, considered DSDT modification works fine only on the NT 5.x and gives the strange BSoD on the NT 6.x:
  • 26. The reason – KeBugCheckEx call inside the ACPI.sys
  • 27. ACPI!MapPhysMem calls the AmlpValidateFirmwareMemoryAddress function, that checks the physical address from the OperationRegion for belonging to the I/O ports addresses ranges  If the control method code trying to read or write something different (executable images that mapped to the memory, kernel structures and so on) – ACPI.sys drops the system into the BSoD  ACPI.sys reads the information about the allowed memory regions from the special keys of the system registry, that located in HARDWAREDESCRIPTIONSystemMultifunctionAdapter  This key is not a permanent – it’s creating during the operating system startup  PnP driver puts I/O memory information inside it during the hardware resources enumeration and initialization
  • 28. Well… we can try to put fake I/O memory information into the system registry and corrupt the hive binary structure somehow to prevent the system to modify data  Also, the possible way is exploring the other ACPI features  Already done by Alex Ionescu: «ACPI 5.0 Rootkit Attacks Against Windows 8»  One more variant: to find the vulnerability in the AML byte-code interpreter code  But stop, out primary task – is executing of the code, that is located inside the system registry. Let’s leave ACPI and find some different way
  • 29. Do you remember the local privileges escalation vulnerability CVE-2010-4398 (MS11-010)?  The another one vulnerability in the win32k.sys  Incorrect usage of the RtlQueryRegistryValues kernel function causes stack-based buffer overflow during reading the registry value contents  Because the RtlQueryRegistryValues – is really overcomplicated  Seems that even the Windows developers don’t know all the documented features of the some kernel functions 
  • 30. The RtlQueryRegistryValues has a lot of options and different data reading modes  The most interesting stuff located in the RTL_QUERY_REGISTRY_TABLE structure, that must be passed to the RtlQueryRegistryValues as an argument
  • 31. The Flags field can contain the RTL_QUERY_REGISTRY_DIRECT flag:  The MSDN quote about this flag: «The QueryRoutine member is not used (and must be NULL), and the EntryContext points to the buffer to store the value»  From the type of the value, that you’re reading, depends on how exactly the data will be written into the buffer  REG_SZ, REG_EXPAND_SZ: «EntryContext must point to an initialized UNICODE_STRING structure»  Non-string data with size <=sizeof(ULONG): «The value is stored in the memory location specified by EntryContext»  Non-string data with size >sizeof(ULONG): «The buffer pointed to by EntryContext must begin with a signed LONG value. The magnitude of the value must specify the size, in bytes, of the buffer»
  • 32. The usage of the RtlQueryRegistryValues causes the BoF when:  The code is trying to read REG_DWORD or REG_SZ value with the RTL_QUERY_REGISTRY_DIRECT flag but without the correct type value in the DefaultType field  … and buffer, that pointed by the EntryContext field, has a non-zero DWORD at the beginning (for example – when the EntryContext points to the initialized UNICODE_STRING structure)  … and attacker can replace the reading value (REG_DWORD or REG_SZ) by malicious one, that has a REG_BINARY type  Result –100% controllable overflow with the trivial exploitation!  Number of overwritten bytes – is the first DWORD value from the EntryContext pointed buffer
  • 33. Simple PoC for the CVE-2010-4398 as a .REG file:
  • 34. The vulnerable code fragment in win32k.sys:
  • 35. Of course, Microsoft has released a path for the CVE-2011-4398  That patch also adds some improvements and mitigations for the RtlQueryRegistryValues function:  The RTL_QUERY_REGISTRY_TYPECHECK flag has been added, if it is specified – the RtlQueryRegistryValues will return an error in case of the zero DefaultType field  In Windows 8 the RTL_QUERY_REGISTRY_DIRECT flag works only for the trusted registry keys (that can’t be overwritten under limited user account)  But these improvements will not make the already written code more secure  On Windows 7 we still have a good LPE vector  … and local-admin-to-ring0 on Windows 8
  • 36. Even reverse engineering of the vulnerabilities that were already fixed can give you a valuable experience  As a result of the patched vulnerabilities discovery it’s possible to obtain a new attack vector and a "template" of the vulnerable code, that can be used to find new zero-day vulnerabilities  Let’s try to find zero-day vulnerabilities that are similar to the CVE-2010-4398
  • 37. Fuzzing? Static dataflow analysis? Symbolic execution?
  • 38. Fuzzing? Static dataflow analysis? Symbolic execution?  Keep it simple. IDA, win32k.sys and one hour of the time!
  • 39. Some interesting piece of code in win32k.sys:
  • 40. The win32!bInitializeEUDC function unsafely reading the «FontLink» value (REG_DWORD) of the «SoftwareMicrosoftWindows NTCurrentVersion» key  No DefaultType specified, EntryContext pointed buffer – is uninitialized stack variable with the non-zero value  We can trigger the vulnerability by replacing these values with the REG_BINARY one
  • 41. Yes, it drops a system into the BSoD and we can control the EIP value 
  • 42. Vulnerable function takes the execution from the NtUserInitialize system call handler. Windows kernel is using this system call for the per-session initialization of the Win32 subsystem  So, the vulnerability can be triggered during the system boot, all that we need – is just put the malicious value into the system registry
  • 43. There is a DEP and ASLR in the NT 6.x kernels, and we need to bypass them absolutely blindly without any pre-interaction with the OS  Good thing – there is no stack cookies in win32!bInitializeEUDC  Exploit should not violate the normal execution flow and global state of the OS kernel, if it will – BSoD and unbootable OS  Need to restore overwritten stack frames and correctly pass the execution from the shellcode back to the win32k.sys  Overflow happens too close to the bottom of the stack, we have only about 70 bytes for the shellcode  It’s not possible to do the spray or something, because we can’t interact with the OS at the exploitation stage, all that we have – is the data that overwrites the stack
  • 44. A little fail: I haven’t got the ROP chain with the short enough length for DEP/ASLR bypass inside the Windows kernel environment (and it seems that nobody has)  The shortest what I know – has a 68 bytes length without the shellcode  See the «Bypassing Windows 7 kernel ASLR» by Stéfan LE BERRE  Compromise solution – to disable the DEP inside the Windows boot loader configuration  … and enable it for the user-mode processes back when the shellcode has been successfully executed  There is no way to disable ASLR  But it seems that it’s not a very critical for the vulnerability that I’m talking about
  • 45. I’m using the JMP ESP that is located at the constant address inside the KUSER_SHARED_DATA for defeating the kernel ASLR  70 bytes is a pretty enough for the egg-hunting stage 1 shellcode, that locates and executes stage 2 shellcode in the kernel-space virtual memory by the binary signature lookup  Stage 2 shellcode is originally located inside some another registry value – Windows kernel maps the big parts of the registry hives in the virtual memory  Also, in stage 1 shellcode I’m finding an address of the MmIsAddressValid kernel function  Stage 1 shellcode is obtaining the kernel image base from the _KPCR structure (we can access it via FS segment register)
  • 46. Whole stage 1 assembly code:
  • 47. For the OS code execution state normalization the stage 2 shellcode must perform some operations, that weren’t executed in the win32k.sys code because of the buffer overflow  It sets the WIN32_PROCESS_FLAGS flag inside the Win32 Process Information structure (W32PROCESS) for the current process  It finds the address of the non-exportable function win32k!UserInitialize and calls it manually  Then, the stage 2 shellcode loads, initializes and runs the ring 0 payload  After that, the stage 2 shellcode sets the return address and ESP values in order to return the execution of the current system call back to the system calls manager (nt!_KiFastCallEntry) with the STATUS_SUCCESS return value
  • 48. Regular Windows kernel mode driver PE image  Is also stored inside the system registry value  It hides itself from the modern anti-rootkits  In order to avoid unknown executable code detection it moves itself in the memory over discardable sections of some default Windows drivers  It installs the kernel mode network backdoor  Undetectable NDIS miniport level hooks allows to monitor the incoming network traffic on all of the interfaces  When network backdoor finds the magic sequence in the traffic – it injects meterpreter/bind_tcp payload (from the Metasploit framework) for execution into the WINLOGON.EXE user mode process
  • 50. Check out the rootkit source code on GitHub! github.com/Cr4sh/WindowsRegistryRootkit
  • 51. I’m not reported about these win32k.sys vulnerability into the Microsoft  Not very critical vulnerability because of the strange practical use-cases  Vulnerable systems – all the NT 6.x (up to the Windows 8), for x86 and x64  Seems that stable exploitation of vulnerability in the win32!bInitializeEUDC function is impossible on the x64 Windows version  The win32k!bInitializeEUDC function have the stack cookies on Windows x64 because of the stack frames elimination  Impossible to exploit such cases completely blindly, without the pre- interaction with the OS