SecurIMAG Live computer forensics - Virtual memory acquisition and exploitation on Windows NT6+

Transcription

1 SecurIMAG Live computer forensics - Virtual memory acquisition and exploitation on Windows NT6+ Fabien Duchene 1,2 Guillaume Touron 2 1 Laboratoire d Informatique de Grenoble, VASCO team firstname.name@imag.fr 2 Grenoble Institute of Technology - Grenoble INP - Ensimag firstname.name@ensimag.fr abien Duchene, Guillaume Touron (SecurIMAG) Forensics-Live mem NT6 1/ / 51

2 Outline 1 Computer forensics Introduction Talk focus 2 Acquiring Windows x86 virtual memory Some methods Some tools 3 Memory exploiting / analysis The TrueCrypt example Kmode exploration DKOM attacks 4 Conclusion abien Duchene, Guillaume Touron (SecurIMAG) Forensics-Live mem NT6 2/ / 51

3 Outline Computer forensics 1 Computer forensics Introduction Talk focus 2 Acquiring Windows x86 virtual memory Some methods Some tools 3 Memory exploiting / analysis The TrueCrypt example Kmode exploration DKOM attacks 4 Conclusion abien Duchene, Guillaume Touron (SecurIMAG) Forensics-Live mem NT6 3/ / 51

4 Computer forensics Introduction Computer Forensics? What? Forensic Science: answer questions of interest to a legal system. Digital forensics: digital devices Computer forensics: identifying, preserving, recovering, analyzing, presenting facts and opinions about the digital information abien Duchene, Guillaume Touron (SecurIMAG) Forensics-Live mem NT6 4/ / 51

5 Computer forensics Introduction Computer Forensics? What? Forensic Science: answer questions of interest to a legal system. Digital forensics: digital devices Computer forensics: identifying, preserving, recovering, analyzing, presenting facts and opinions about the digital information Basically answer to the question: What happened? abien Duchene, Guillaume Touron (SecurIMAG) Forensics-Live mem NT6 4/ / 51

6 Computer forensics Introduction Computer Forensics? Types of computer forensics static / dead: system dump image analysis (eg: unplug the power cord then analyze ) live: analysis of a running system in-between: analyze memory image of a running system Write-blocking reader abien Duchene, Guillaume Touron (SecurIMAG) Forensics-Live mem NT6 5/ / 51

7 Forensics... why? Computer forensics Introduction Why? (forensics, live forensics?) abien Duchene, Guillaume Touron (SecurIMAG) Forensics-Live mem NT6 6/ / 51

8 Computer forensics Introduction Forensics... why? Why? (forensics, live forensics?) in search of the truth! because they might still be in memory: cryptographic keys credentials abien Duchene, Guillaume Touron (SecurIMAG) Forensics-Live mem NT6 6/ / 51

9 Computer forensics Introduction Live forensics Live acquisition: acquiring data and modifying it the less possible, and being aware of the IMPACT! the Ultimate live forensics goal Get a complete picture shot of the system CPU flags, registers, cache.. storage: RAM, HDD,.. motherboard state peripherals: NIC (buffers, own CPU and memory state..) Can we do it? abien Duchene, Guillaume Touron (SecurIMAG) Forensics-Live mem NT6 7/ / 51

10 Computer forensics Introduction Live forensics Live acquisition: acquiring data and modifying it the less possible, and being aware of the IMPACT! Only he can! the Ultimate live forensics goal Get a complete picture shot of the system CPU flags, registers, cache.. storage: RAM, HDD,.. motherboard state peripherals: NIC (buffers, own CPU and memory state..) Can we do it? abien Duchene, Guillaume Touron (SecurIMAG) Forensics-Live mem NT6 7/ / 51

11 Computer forensics Talk focus Talk topic Live memory acquisition Post-mortem analysis abien Duchene, Guillaume Touron (SecurIMAG) Forensics-Live mem NT6 8/ / 51

12 Outline Acquiring Windows x86 virtual memory 1 Computer forensics Introduction Talk focus 2 Acquiring Windows x86 virtual memory Some methods Some tools 3 Memory exploiting / analysis The TrueCrypt example Kmode exploration DKOM attacks 4 Conclusion abien Duchene, Guillaume Touron (SecurIMAG) Forensics-Live mem NT6 9/ / 51

13 cold boot attacks Acquiring Windows x86 virtual memory Some methods Works on: any computer using DRAM Requires: physical access DRAM retain their content for several seconds after powered off Attack Freeze them Plug them into a DRAM reader Dump the content.. and enjoy! [ Lest We Remember: Cold Boot Attacks on Encryption Keys 2008] article findings Bit decay increase over time Pulse decay time is longer when temperature is lower abien Duchene, Guillaume Touron (SecurIMAG) Forensics-Live mem NT6 10/ / 51

14 Acquiring Windows x86 virtual memory Some methods virtual machine snapshots Hypervisor examples Microsoft Hyper-V, Virtual-PC VMWare ESX Oracle VirtualBox Parallels Desktop VM snapshot What is a VM snapshot? abien Duchene, Guillaume Touron (SecurIMAG) Forensics-Live mem NT6 11/ / 51

15 Acquiring Windows x86 virtual memory Some methods virtual machine snapshots Hypervisor examples Microsoft Hyper-V, Virtual-PC VMWare ESX Oracle VirtualBox Parallels Desktop VM snapshot What is a VM snapshot? photo of the state and data of a VM at a given time basically, the ultimate live forensics goal + the VM power state (powered-on, off, suspended) abien Duchene, Guillaume Touron (SecurIMAG) Forensics-Live mem NT6 11/ / 51

16 Acquiring Windows x86 virtual memory VM snapshot attack Some methods Attack Works on: any hypervisor having at least one virtualized computer Requires: online: hypervisor snapshot privilege (take, apply).. or a way to subvert the hypervisor (eg: VM peripheral drivers), do it the teach way! offline: take snapshot and read access to the vhd file take a snapshot export the virtual machine on a storage medium import it apply the snapshot (also restores virtual DRAM content) abien Duchene, Guillaume Touron (SecurIMAG) Forensics-Live mem NT6 12/ / 51

17 Virtual Hard Disk Acquiring Windows x86 virtual memory Some methods [lucd 2010] [Savill 2008] Virtualized Hard Disk Types: dynamic-sized file: dynamically evolving size (sectors on which data is written) VHD file size virtual disk capacity fixed-sized file: VHD file size virtual disk capacity better performance differential: dynamic that only stores modification from the parent Snapshot operations: take one delete one merge several ones apply one abien Duchene, Guillaume Touron (SecurIMAG) Forensics-Live mem NT6 13/ / 51

18 Acquiring Windows x86 virtual memory Some methods random crap about the Hyper-V and VirtualPC VHD abien Duchene, Guillaume Touron (SecurIMAG) Forensics-Live mem NT6 14/ / 51

19 Acquiring Windows x86 virtual memory Some methods DMA attacks [ Subverting Windows 7 x64 Kernel with DMA attacks ] Direct Memory Access PCI specifications, for performance any device can issue a read/write DMA request do you spot the problem? abien Duchene, Guillaume Touron (SecurIMAG) Forensics-Live mem NT6 15/ / 51

20 Acquiring Windows x86 virtual memory Some methods DMA attacks [ Subverting Windows 7 x64 Kernel with DMA attacks ] Direct Memory Access PCI specifications, for performance any device can issue a read/write DMA request do you spot the problem? bypassing CPU, thus OS abien Duchene, Guillaume Touron (SecurIMAG) Forensics-Live mem NT6 15/ / 51

21 Acquiring Windows x86 virtual memory Some methods DMA attacks implementations Attacks implementations (public ones..) Firewire 2004 Maximilian Dornseif (Mac OS X) 2006 Adam Boileau (Windows XP) 2008 Damien Aumaitre (virtual memory reconstruction) PCI Christophe Devine and Guillaume Vissian, custom DMA engine implemented on a FPGA card PCMCIA / CardBus / ExpressCard: 2010 Damien Aumaitre, Christophe Devigne abien Duchene, Guillaume Touron (SecurIMAG) Forensics-Live mem NT6 16/ / 51

22 Acquiring Windows x86 virtual memory DMA attack - the PCMCIA case Some methods PCMCIA 32-bit port thus only the 4 GB physical memory are addressable need to identify the structures: not working on virtual memory, but directly on physical one! for more good beef: [ Subverting Windows 7 x64 Kernel with DMA attacks ] abien Duchene, Guillaume Touron (SecurIMAG) Forensics-Live mem NT6 17/ / 51

23 Acquiring Windows x86 virtual memory Some methods Hibernate file hiberfil.sys: Hibernation file Since Windows 2000 (NT5) Undocumented format File stored on the disk drive Content: physical memory dump related to pagefile.sys (virtual memory control) abien Duchene, Guillaume Touron (SecurIMAG) Forensics-Live mem NT6 18/ / 51

24 Acquiring Windows x86 virtual memory Some methods Sandman: from hibernation to physical memory dump Convert hibernation file hiberfil.sys into a regular memory dump [Matthieu Suiche 2008] abien Duchene, Guillaume Touron (SecurIMAG) Forensics-Live mem NT6 19/ / 51

25 Acquiring Windows x86 virtual memory Windows Crash Dump Some methods What is a crash dump? abien Duchene, Guillaume Touron (SecurIMAG) Forensics-Live mem NT6 20/ / 51

26 Acquiring Windows x86 virtual memory Windows Crash Dump Some methods What is a crash dump? yep that s it! capture of the state of an application (broad sense, including operating system) when a crash event does occur handled by Kernel emergency functions abien Duchene, Guillaume Touron (SecurIMAG) Forensics-Live mem NT6 20/ / 51

27 Acquiring Windows x86 virtual memory Some methods Windows Crash Dump I [Hameed 2008] Complete memory dump 1MB header complete physical memory dump Kernel memory dump 1MB header kernel R/W pages kernel non paged memory: list of running processes, loaded device drivers Fabien Duchene, Guillaume Touron (SecurIMAG) Forensics-Live mem NT6 21/ / 51

28 Acquiring Windows x86 virtual memory Some methods Windows Crash Dump II Small memory dump MiniDump 64KB dump (128 KB 64-bit) stop code, parameters, list of loaded device drivers, kernel stack for the thread that crashed, information about the current process and threat abien Duchene, Guillaume Touron (SecurIMAG) Forensics-Live mem NT6 22/ / 51

29 Acquiring Windows x86 virtual memory automatic execution Some methods.. : fake ipod USB token loaded, then automatic mounter and commands running in the background. demo? teensy? abien Duchene, Guillaume Touron (SecurIMAG) Forensics-Live mem NT6 23/ / 51

30 x86 VMM Acquiring Windows x86 virtual memory Some methods abien Duchene, Guillaume Touron (SecurIMAG) Forensics-Live mem NT6 24/ / 51

31 x64 VMM Acquiring Windows x86 virtual memory Some methods abien Duchene, Guillaume Touron (SecurIMAG) Forensics-Live mem NT6 25/ / 51

32 Acquiring Windows x86 virtual memory Some tools Win32dd I Win32dd Matthieu Suiche (now part of Moonsols Memory Toolkit ) Goal: dumping physical memory using different acquisition methods Physical memory dumping on Windows XP (NT 5) \Device \PhysicalMemory... Windows Vista (NT6+) No longer available. Other acquisition methods: PFN database MmMapIoSpace abien Duchene, Guillaume Touron (SecurIMAG) Forensics-Live mem NT6 26/ / 51

33 PFN database Acquiring Windows x86 virtual memory Some tools abien Duchene, Guillaume Touron (SecurIMAG) Forensics-Live mem NT6 27/ / 51

34 Acquiring Windows x86 virtual memory Some tools Win32dd I We focus on MmMapIoSpace method How does it work? Do some RE on Win32 driver User/Kernel comm in Windows Physical memory access only in kernel mode Win32 extracts its driver and registers it Driver creates a device User-land program opens the device and sends commands DeviceIoControl API, sends IRP to driver abien Duchene, Guillaume Touron (SecurIMAG) Forensics-Live mem NT6 28/ / 51

35 Acquiring Windows x86 virtual memory Physical address space layout Some tools abien Duchene, Guillaume Touron (SecurIMAG) Forensics-Live mem NT6 29/ / 51

36 Acquiring Windows x86 virtual memory Some tools Win32dd I First: Win32dd retrieves physical memory runs runs are physical memory ranges actually used by the system For >= NT5.1: Get MmPhysicalMemoryBlock in KDDEBUGGER DATA64 Otherwise: Use MmGetPhysicalMemoryRanges Build MmPhysicalMemoryBlock yourself abien Duchene, Guillaume Touron (SecurIMAG) Forensics-Live mem NT6 30/ / 51

37 Acquiring Windows x86 virtual memory Some tools Win32dd II Second: Win32dd knows every physical runs, global algo: Iterate each run Map it with MmMapIoSpace Write it into your memory dump file Repeat iterations NumberOfRuns times... abien Duchene, Guillaume Touron (SecurIMAG) Forensics-Live mem NT6 31/ / 51

38 Outline Memory exploiting / analysis 1 Computer forensics Introduction Talk focus 2 Acquiring Windows x86 virtual memory Some methods Some tools 3 Memory exploiting / analysis The TrueCrypt example Kmode exploration DKOM attacks 4 Conclusion abien Duchene, Guillaume Touron (SecurIMAG) Forensics-Live mem NT6 32/ / 51

39 Memory exploiting / analysis Memory forensics Kernel objects listing See next slides Extracting in-memory cryptographic key material TrueCrypt case User can choose to cache its passphrase Go through kernel structures Fabien Duchene, Guillaume Touron (SecurIMAG) Forensics-Live mem NT6 33/ / 51

40 Memory exploiting / analysis The TrueCrypt example Memory forensics - TrueCrypt example I Hypothesis: user enabled passphrase-caching Passphrase-caching Passsphrase is stored by TrueCrypt kernel driver How to find this material? 1: Find DRIVER OBJECT structure Brute-force approach Look for specific structure patterns and constants OBJECT HEADER, DISPATCH HEADER... Kernel addresses > MmSystemRangeStart (0x ) List walking approach (e.g PsLoadedModuleList) KDDEBUGGER DATA64 abien Duchene, Guillaume Touron (SecurIMAG) Forensics-Live mem NT6 34/ / 51

41 Memory exploiting / analysis The TrueCrypt example Memory forensics - TrueCrypt example II 2: Find DEVICE OBJECT structure Check DRIVER OBJECT.DeviceObject Devices list walking: DeviceObject.NextDevice Retrieve DeviceObject.DeviceExtension Used by driver programmer to store device-specific data Persistent data (non-paged pool) DeviceExtension found, then? Then, analyze TrueCrypt-specific structures and extract master keys abien Duchene, Guillaume Touron (SecurIMAG) Forensics-Live mem NT6 35/ / 51

42 Memory exploiting / analysis Kmode exploration Volatility I Volatility framework Framework for Windows physical memory dump exploration Useful features: List process (PSLIST, see next slides...) Dump Windows registry... Focus on PSLIST Goal: retrieve list of active processes when snapshot was taken abien Duchene, Guillaume Touron (SecurIMAG) Forensics-Live mem NT6 36/ / 51

43 Volatility II Memory exploiting / analysis Kmode exploration abien Duchene, Guillaume Touron (SecurIMAG) Forensics-Live mem NT6 37/ / 51

44 Memory exploiting / analysis Kmode exploration Volatility - PSLIST I First goal Retrieve KPCR.ActiveProcessListHead Problem: where is KPCR? (in phy space) We must find a Page Directory Table Take EPROCESS.PageDirectoryTable[0] (== CR3 x86) EACH PROCESS SHARES THE SAME KERNEL SPACE MAPPING (modulo session space, osef) First step Find a EPROCESS structure in memory By recognizing some patterns abien Duchene, Guillaume Touron (SecurIMAG) Forensics-Live mem NT6 38/ / 51

45 Memory exploiting / analysis Kmode exploration Volatility - PSLIST II Once CR3 is found, retrieve KPCR KPCR always mapped at FS:[0] in KMODE At fixed virtual address: 0xffdff 000 We are now able to retrieve KPCR.ActiveProcessListHead PSLIST We can list active process and dump them (their whole vspace) abien Duchene, Guillaume Touron (SecurIMAG) Forensics-Live mem NT6 39/ / 51

46 Memory exploiting / analysis DKOM attacks Reminders of windows security mechanisms I [Windows Internal 5th Ed. - Vista and 2008 Server] Windows Internal 5th Ed. - Vista and 2008 Server Securable objects Protected with SECURITY DESCRIPTOR Access Control Lists (SIDs ; associated allowed operations on object) eg: Peripherals, Files, Jobs, Shared memory sections, Pipes, LPC ports, Events, Mutexes, Timers, Semaphores, Access tokens, Window stations, Desktops, SMB shares, Services, Registry keys... abien Duchene, Guillaume Touron (SecurIMAG) Forensics-Live mem NT6 40/ / 51

47 Memory exploiting / analysis DKOM attacks Reminders of windows security mechanisms II abien Duchene, Guillaume Touron (SecurIMAG) Forensics-Live mem NT6 41/ / 51

48 Memory exploiting / analysis DKOM attacks Reminders of windows security mechanisms III Security Token When accessing an object, the Security Reference Monitor checks the TOKEN of the process: Process owner: user SID, groups SIDs Privileges (f(process, user SIDs)) Virtualization state Session abien Duchene, Guillaume Touron (SecurIMAG) Forensics-Live mem NT6 42/ / 51

49 Memory exploiting / analysis DKOM attacks Reminders of windows security mechanisms IV abien Duchene, Guillaume Touron (SecurIMAG) Forensics-Live mem NT6 43/ / 51

50 Memory exploiting / analysis DKOM attacks DKOM attacks I DKOM Direct Kernel Object Manipulation Example: Hibernate file retrieved with Sandman Snapshot file (virtual machine) Or DKOM on a living machine, with a kernel driver e.g Rootkits abien Duchene, Guillaume Touron (SecurIMAG) Forensics-Live mem NT6 44/ / 51

51 Memory exploiting / analysis DKOM attacks DKOM attacks II FULL ACCESS to physical memory (user and kernel!) YOU CAN READ/MODIFY EVERYTHING YOU WANT Hypothesis: you can re-inject your modifications Get Token TOKEN accessed from EPROCESS structure Possible attack: privilege escalation Find approriate EPROCESS structure e.g a process you can exploit and make exec YOUR shellcode Modify your TOKEN SID Be r00t, take NT AUTHORITY/SYSTEM SID Subsequent object access or process creation performed under SYSTEM abien Duchene, Guillaume Touron (SecurIMAG) Forensics-Live mem NT6 45/ / 51

52 DKOM attacks III Memory exploiting / analysis DKOM attacks Conclusion Powerful attack but hard to use IRL Similar escalation process used for kernel vuln exploitation abien Duchene, Guillaume Touron (SecurIMAG) Forensics-Live mem NT6 46/ / 51

53 Memory exploiting / analysis DKOM attacks DKOM application: unlocking Windows 7 x64 computer Idea: modify the password validation function msv1 0.dll!MsvpPasswordValidate [Boileau 2006] That password validate function will compare hash(inputted password) and the stored hash(user password) then jump to a location if they are not equal (cmp then jnz) How to modify the memory? [ Subverting Windows 7 x64 Kernel with DMA attacks ] abien Duchene, Guillaume Touron (SecurIMAG) Forensics-Live mem NT6 47/ / 51

54 Memory exploiting / analysis DKOM attacks DKOM application: unlocking Windows 7 x64 computer Idea: modify the password validation function msv1 0.dll!MsvpPasswordValidate [Boileau 2006] That password validate function will compare hash(inputted password) and the stored hash(user password) then jump to a location if they are not equal (cmp then jnz) How to modify the memory? jnz jmp [ Subverting Windows 7 x64 Kernel with DMA attacks ] abien Duchene, Guillaume Touron (SecurIMAG) Forensics-Live mem NT6 47/ / 51

55 Outline Conclusion 1 Computer forensics Introduction Talk focus 2 Acquiring Windows x86 virtual memory Some methods Some tools 3 Memory exploiting / analysis The TrueCrypt example Kmode exploration DKOM attacks 4 Conclusion abien Duchene, Guillaume Touron (SecurIMAG) Forensics-Live mem NT6 48/ / 51

56 Conclusion Conclusion many methods for acquiring memory on a live system: OS independant: cold boot, DMA, snapshot dependent: snapshot (if hypervisor evadation), dumping tools, crash regarding exploitation: take care of keeping the kernel structure coherent (or might have a BSOD!) watch out kernel protection such as PatchGuard (basically periodical checks, so the trick has not to last for too long) abien Duchene, Guillaume Touron (SecurIMAG) Forensics-Live mem NT6 49/ / 51

57 Conclusion For Further Reading Boileau, Adam (2006). winlockpwn attack (Firewire). In: Damien Aumaitre, Christophe Devine. Subverting Windows 7 x64 Kernel with DMA attacks. In: Sogeti-ESEC 0-hitbamsterdam-dmaattacks.pdf. Hameed, CC (2008). Understanding Crash Dump Files. In: WeblogApp=askperf&y=2008&m=01&d=0 8&WeblogPostName=understanding-crash-dump-files&GroupKeys=. Lest We Remember: Cold Boot Attacks on Encryption Keys (2008). In: J. Alex Halderman, Seth D. Schoen, Nadia Heninger, William Clarkson, William Paul, Joseph A. Calandrino, Ariel J. Feldman, Jacob Appelbaum and Edward W. Felten abien Duchene, Guillaume Touron (SecurIMAG) Forensics-Live mem NT6 50/ / 51

58 Conclusion For Further Reading lucd (2010). yadr A vdisk reporter. In: Mark E. Russinovich David A. Solomon, Alex Ionescu and so many more (incl. Bernard Ourghanlian). Windows Internal 5th Ed. - Vista and 2008 Server. Matthieu Suiche, Nicolas Ruff (@Newsoft) (2008). Sandman. In: Savill, John (2008). Q. I m deleting a Hyper-V virtual machine (VM) that had snapshots. Why is the VM delete taking so long? In: leting-a-hyper-v-virtual-machine-vm-that-had-snapshots-wh y-is-the-vm-delete-taking-so-long-. abien Duchene, Guillaume Touron (SecurIMAG) Forensics-Live mem NT6 51/ / 51