Subverting Windows 7 x64 Kernel with DMA attacks. Damien Aumaitre Christophe Devine

Similar documents
Virtdbg. Using virtualization features for debugging the Windows 7 kernel. Damien Aumaitre. Recon 2011

SecurIMAG Live computer forensics - Virtual memory acquisition and exploitation on Windows NT6+

I/O Attacks in Intel-PC Architectures and Countermeasures

A Hypervisor IPS based on Hardware assisted Virtualization Technology

Linux Driver Devices. Why, When, Which, How?

Introducing Ring -3 Rootkits

Code Injection From the Hypervisor: Removing the need for in-guest agents. Matt Conover & Tzi-cker Chiueh Core Research Group, Symantec Research Labs

Recon Montreal

Software based Finite State Machine (FSM) with general purpose processors

Operating System Overview. Otto J. Anshus

1. Computer System Structure and Components

OPERATING SYSTEM SERVICES

Virtual Machines. COMP 3361: Operating Systems I Winter

An Implementation Of Multiprocessor Linux

Last Class: OS and Computer Architecture. Last Class: OS and Computer Architecture

Implementation and Implications of a Stealth Hard-Drive Backdoor

Chapter 1 Computer System Overview

Lecture 25 Symbian OS

CS161: Operating Systems

Virtualization Technology

Last Class: OS and Computer Architecture. Last Class: OS and Computer Architecture

Embedded Programming in C/C++: Lesson-1: Programming Elements and Programming in C

Uses for Virtual Machines. Virtual Machines. There are several uses for virtual machines:

CPS221 Lecture: Operating System Structure; Virtual Machines

Embedded Systems. Review of ANSI C Topics. A Review of ANSI C and Considerations for Embedded C Programming. Basic features of C

Objectives. Chapter 2: Operating-System Structures. Operating System Services (Cont.) Operating System Services. Operating System Services (Cont.

Chapter 5 Cloud Resource Virtualization

UNCLASSIFIED Version 1.0 May 2012

Hybrid Platform Application in Software Debug

A+ Guide to Software: Managing, Maintaining, and Troubleshooting, 5e. Chapter 3 Installing Windows

Fall Lecture 1. Operating Systems: Configuration & Use CIS345. Introduction to Operating Systems. Mostafa Z. Ali. mzali@just.edu.

Hotpatching and the Rise of Third-Party Patches

VBootKit Attacking Windows 7 via Boot Sectors

How do Users and Processes interact with the Operating System? Services for Processes. OS Structure with Services. Services for the OS Itself

Research and Design of Universal and Open Software Development Platform for Digital Home

Review from last time. CS 537 Lecture 3 OS Structure. OS structure. What you should learn from this lecture

How To Write A Windows Operating System (Windows) (For Linux) (Windows 2) (Programming) (Operating System) (Permanent) (Powerbook) (Unix) (Amd64) (Win2) (X

High Performance or Cycle Accuracy?

RTOS Debugger for ecos

Analysis of Open Source Drivers for IEEE WLANs

The PC Boot Process - Windows XP.

VMware and CPU Virtualization Technology. Jack Lo Sr. Director, R&D

Outline: Operating Systems

Pre-tested System-on-Chip Design. Accelerates PLD Development

Keil C51 Cross Compiler

TLM-2.0 in Action: An Example-based Approach to Transaction-level Modeling and the New World of Model Interoperability

Lecture 22: C Programming 4 Embedded Systems

Intel s Virtualization Extensions (VT-x) So you want to build a hypervisor?

Attacking Hypervisors via Firmware and Hardware

UNIT 4 Software Development Flow

Knut Omang Ifi/Oracle 19 Oct, 2015

Detecting the Presence of Virtual Machines Using the Local Data Table

Melde- und Analysestelle Informationssicherung MELANI Torpig/Mebroot Reverse Code Engineering (RCE)

Plug and Play for Windows 2000

Using a Patched Vulnerability to Bypass Windows 8 x64 Driver Signature Enforcement. MJ0011 th_decoder@126.com

Bypassing Browser Memory Protections in Windows Vista

FRONT FLYLEAF PAGE. This page has been intentionally left blank

Systems Software. Introduction to Information System Components. Chapter 1 Part 2 of 4 CA M S Mehta, FCA

System Structures. Services Interface Structure

Hardware Backdooring is practical. Jonathan Brossard (Toucan System) Florentin Demetrescu (Cassidian)

Analysis of advanced issues in mobile security in android operating system

Chapter 3: Operating-System Structures. System Components Operating System Services System Calls System Programs System Structure Virtual Machines

Microprocessor & Assembly Language

Chapter 6, The Operating System Machine Level

Lecture 6: Operating Systems and Utility Programs

Kernel Types System Calls. Operating Systems. Autumn 2013 CS4023

Chapter 3: Operating-System Structures. Common System Components

USB 2.0 Flash Drive User Manual

That Point of Sale is a PoS

Hypervisors and Virtual Machines

IOMMU: A Detailed view

WinDriver 5.22 User s Guide. Jungo Ltd

An Introduction to the ARM 7 Architecture

USB Portable Storage Device: Security Problem Definition Summary

Running Windows on a Mac. Why?

Process Description and Control william stallings, maurizio pizzonia - sistemi operativi

Phoenix SecureCore TM Setup Utility

LASTLINE WHITEPAPER. In-Depth Analysis of Malware

I/O. Input/Output. Types of devices. Interface. Computer hardware

Compromise-as-a-Service

OPERATING SYSTEMS Software in the Background. Chapter 2

Von der Hardware zur Software in FPGAs mit Embedded Prozessoren. Alexander Hahn Senior Field Application Engineer Lattice Semiconductor

Eugene Tsyrklevich. Ozone HIPS: Unbreakable Windows

Getting started guide 3G Turbo Stick. 3G Novatel Wireless U760 USB modem

Example of Standard API

Programming PCI-Devices under Linux

Analysis of the Linux Audit System 1

Developing an Application on Core8051s IP-Based Embedded Processor System Using Firmware Catalog Drivers. User s Guide

VMWare Workstation 11 Installation MICROSOFT WINDOWS SERVER 2008 R2 STANDARD ENTERPRISE ED.

Digitale Signalverarbeitung mit FPGA (DSF) Soft Core Prozessor NIOS II Stand Mai Jens Onno Krah

ReactOS is (not) Windows. Windows internals and why ReactOS couldn t just use a Linux kernel

Virtualization in Linux KVM + QEMU

Lesson Objectives. To provide a grand tour of the major operating systems components To provide coverage of basic computer system organization

Chapter 8: Installing Linux The Complete Guide To Linux System Administration Modified by M. L. Malone, 11/05

Inside Windows Rootkits

Optimizing Windows Security Features to Block Malware and Hack Tools on USB Storage Devices

Transcription:

Subverting Windows 7 x64 Kernel with DMA attacks Damien Aumaitre Christophe Devine

. Aumaitre, C.Devine Subverting Windows 7 x64 Kernel with DMA attacks 2/44 Roadmap School case Direct Memory Access 1 School case Direct Memory Access 2 3

. Aumaitre, C.Devine Subverting Windows 7 x64 Kernel with DMA attacks 3/44 Roadmap School case Direct Memory Access 1 School case Direct Memory Access 2 3

School case : 2004, financial fraud School case Direct Memory Access Context London office of the Sumitomo Mitsui bank Three criminals : two IT guys, and a guard working at the bank How it happened The guard installs keylogging software on several key PCs IT guys come, on a week-end night, to obtain the passwords They initiate money transfers for a total of 242 million EUR D. Aumaitre, C.Devine Subverting Windows 7 x64 Kernel with DMA attacks 4/44

School case : 2004, financial fraud School case Direct Memory Access Why they failed Entry errors in the money transfer order made the operation fail (PEBKAC) The guard forgot to deactivate the video-surveillance systems, didn t clean up the evidence End of the story Arrested late 2004, trial in progress. Aumaitre, C.Devine Subverting Windows 7 x64 Kernel with DMA attacks 5/44

School case Direct Memory Access Compromising the security of a workstation The why To obtain passwords : email, windows session,... To install malicious code and maintain further access To set up a target (put various compromising files) Many more possibilities The how Hardware keyloggers Network device (openwrt router...) in bridge mode Removable device with autorun : CD-ROM, U3 USB drive Offline modification of the boot sequence (MBR) Online modification of the physical memory (DMA) D. Aumaitre, C.Devine Subverting Windows 7 x64 Kernel with DMA attacks 6/44

. Aumaitre, C.Devine Subverting Windows 7 x64 Kernel with DMA attacks 7/44 Roadmap School case Direct Memory Access 1 School case Direct Memory Access 2 3

D. Aumaitre, C.Devine Subverting Windows 7 x64 Kernel with DMA attacks 8/44 DMA attacks School case Direct Memory Access Theory Historically, all I/O came through the CPU. It s slow. DMA instead goes through a fast memory controller Implemented as part of the PCI specification Any device on the PCI / PCI Express bus can issue a read/write DMA A flawed idea? The CPU and thus OS are entirely bypassed, cannot prevent malicious DMA requests

D. Aumaitre, C.Devine Subverting Windows 7 x64 Kernel with DMA attacks 9/44 DMA attacks School case Direct Memory Access Consequences Any device may read/write the physical memory Operating system s code and internal data can be modified Security mechanisms rendered useless Example DMA access :

D. Aumaitre, C.Devine Subverting Windows 7 x64 Kernel with DMA attacks 10/44 DMA attacks School case Direct Memory Access Practice FireWire : install Linux on an ipod, then issue DMA requests PCI/PCI-Express : requires creation of a custom DMA engine Previous works Based on FireWire : 2004 Maximillian Dornseif (Mac OS X) 2006 Adam Boileau (Windows XP) 2008 Damien Aumaitre (virtual memory reconstruction) Based on PCI : 2009 - Christophe Devine and Guillaume Vissian, custom DMA engine implemented on a FPGA card

D. Aumaitre, C.Devine Subverting Windows 7 x64 Kernel with DMA attacks 11/44 DMA attacks School case Direct Memory Access Some applications Unlock the computer Automatic installation of malicious code Difficulties Code is executed in virtual memory, but we only see physical memory Method 1 : use signatures, for simple payloads Method 2 : reconstruct the translation layer between physical and virtual memory Complex payload depends on the system s internal structures, impacts portability

. Aumaitre, C.Devine Subverting Windows 7 x64 Kernel with DMA attacks 12/44 Roadmap 1 2 3

PCMCIA? Aka Cardbus or ExpressCard, only interested by the physical interface Widely deployed : each laptop has an Cardbus/ExpressCard slot Small, portable, we can use it for social engineering FPGA? Give us low level access and control Can issue custom DMA requests D. Aumaitre, C.Devine Subverting Windows 7 x64 Kernel with DMA attacks 13/44

Previous works (2009) SSTIC (C. Devine & G. Vissian) : First proof-of-concept of DMA access from the CardBus port Creation of an home-made CPU Problems encountered Required writing payloads in assembly (long, tiresome) DMA reads not reliable due to incorrect implementation of the PCI standard Buggy identification of the device by the OS, could lead to blue screens D. Aumaitre, C.Devine Subverting Windows 7 x64 Kernel with DMA attacks 14/44

The state of the art (2010) Rewrite from scratch Stabilization of DMA reads access A master which is target terminated with Retry must unconditionally repeat the same request until it completes Correct implementation of the PCI standard Keeping PCMCIA driver loaded with two tricks : Dummy read every 1000 cycles no sleep Random subsystem id new peripheral detected upon card insertion, DMA always on The gory internals We used the VHDL code of a public-domain CPU ( plasma ) MIPS processor synthetized on the FPGA Allows easy programmation (with C!) of the DMA accesses D. Aumaitre, C.Devine Subverting Windows 7 x64 Kernel with DMA attacks 15/44

D. Aumaitre, C.Devine Subverting Windows 7 x64 Kernel with DMA attacks 16/44 How it works

Example : D. Aumaitre, C.Devine Subverting Windows 7 x64 Kernel with DMA attacks 17/44

. Aumaitre, C.Devine Subverting Windows 7 x64 Kernel with DMA attacks 18/44 Roadmap 1 2 3

Unlocking a laptop under Windows 7 x64 Principle Modification of the password validation function : msv1 0.dll!MsvpPasswordValidate (winlockpwn attack, Adam Boileau, 2006) D. Aumaitre, C.Devine Subverting Windows 7 x64 Kernel with DMA attacks 19/44

Unlocking a laptop under Windows 7 x64 Programming the FPGA, a basic example Looks for the signature in all physical memory pages The code below is compiled for MIPS and stored in the bitstream for( i = PHYS_MEM_START; i < PHYS_MEM_SIZE; i += 0x1000 ) { DMA_PAUSE l = (unsigned char *)( i + 0x290 ); if( *(unsigned int *) l == 0x850fc63b ) { DMA_PAUSE if( *(unsigned int *)( l + 4 ) == 0xb8c0 ) { DMA_PAUSE *(unsigned int *) l = 0x840fc63b; for(;;); } } } D. Aumaitre, C.Devine Subverting Windows 7 x64 Kernel with DMA attacks 20/44

D. Aumaitre, C.Devine Subverting Windows 7 x64 Kernel with DMA attacks 21/44 Demo DEMO

What have we learned? We can modify what we want Much better if we can execute what we want :) D. Aumaitre, C.Devine Subverting Windows 7 x64 Kernel with DMA attacks 22/44

. Aumaitre, C.Devine Subverting Windows 7 x64 Kernel with DMA attacks 23/44 Roadmap 1 2 3

What do we want? (kernel or user) Need to be fast (a few seconds) Must work under Windows x64 with full protection (PatchGuard, signed drivers,... ) Easy to use (payload developed with WDK) Constraints Embedded code (32ko for MIPS code, stack and payload) D. Aumaitre, C.Devine Subverting Windows 7 x64 Kernel with DMA attacks 24/44

What do we need? Reconstruct virtual space mapping Finding a pointer to overwrite without triggering PatchGuard Space for storing our payload Difficulties Signed drivers PatchGuard D. Aumaitre, C.Devine Subverting Windows 7 x64 Kernel with DMA attacks 25/44

x64 Virtual address translation D. Aumaitre, C.Devine Subverting Windows 7 x64 Kernel with DMA attacks 26/44

D. Aumaitre, C.Devine Subverting Windows 7 x64 Kernel with DMA attacks 27/44 Finding cr3 Classic method Searching for the beginning of an EPROCESS structure Use backup copy of cr3 in DirectoryTableBase field Quicker method Searching for kernel beginning and particularly the INITKDBG section We find the KPCR for the first logical processor here With the processor block and all control registers included cr3

D. Aumaitre, C.Devine Subverting Windows 7 x64 Kernel with DMA attacks 28/44 Finding cr3

D. Aumaitre, C.Devine Subverting Windows 7 x64 Kernel with DMA attacks 29/44 What pointer? We can t touch IDT or SSDT or kernel code due to PatchGuard We need something stealthier, often called and not checked by PatchGuard Must read Skape and Skywing, A catalog of Windows Local Kernel-mode Backdoor Techniques, 2007, Uninformed Vol. 8

NT object model Windows NT Kernel uses object-oriented approach to representing resources such as files, drivers, devices, processes, threads,... Each object categorized by an object type represented by a OBJECT TYPE structure 30+ objects on Windows 7 Each object preceded with a header (OBJECT HEADER) indicate an index in the object type array ObTypeIndexTable D. Aumaitre, C.Devine Subverting Windows 7 x64 Kernel with DMA attacks 30/44

NT object model D. Aumaitre, C.Devine Subverting Windows 7 x64 Kernel with DMA attacks 31/44

Object Type Initializers OBJECT TYPE structure contains a nested structure named OBJECT TYPE INITIALIZER Several fields are functions pointers struct _OBJECT_TYPE_INITIALIZER, 25 elements, 0x70 bytes... +0x030 DumpProcedure : Ptr64 to void +0x038 OpenProcedure : Ptr64 to long +0x040 CloseProcedure : Ptr64 to void +0x048 DeleteProcedure : Ptr64 to void +0x050 ParseProcedure : Ptr64 to long +0x058 SecurityProcedure : Ptr64 to long +0x060 QueryNameProcedure : Ptr64 to long +0x068 OkayToCloseProcedure : Ptr64 to unsigned char For example, OpenProcedure will point to nt!pspopenprocess for a Process D. Aumaitre, C.Devine Subverting Windows 7 x64 Kernel with DMA attacks 32/44

D. Aumaitre, C.Devine Subverting Windows 7 x64 Kernel with DMA attacks 33/44 Payload First stage Allocate space for driver code, stored in unused memory (for example, first memory page of a already loaded driver) Second stage Kernel code for getting third stage using WSK (Windows Kernel Sockets), Implemented with a driver Third stage Real payload (arbitrary size, just limited by our imagination) For the purpose of the demo, no third stage

D. Aumaitre, C.Devine Subverting Windows 7 x64 Kernel with DMA attacks 34/44 Payload Replacing NT driver loader Mapping driver section by section Resolving imports and relocations Signed drivers Effectively bypassing signed driver mechanism PatchGuard Hooks only in effect for a short time, even if PatchGuard is watching, it s too quick

Payload : General picture D. Aumaitre, C.Devine Subverting Windows 7 x64 Kernel with DMA attacks 35/44

D. Aumaitre, C.Devine Subverting Windows 7 x64 Kernel with DMA attacks 36/44 Demo DEMO

Other application Virtdbg ring -1 debugger Use VMX extensions Can debug Windows 7 x64 on the fly (i.e. without booting with /DEBUG) D. Aumaitre, C.Devine Subverting Windows 7 x64 Kernel with DMA attacks 37/44

D. Aumaitre, C.Devine Subverting Windows 7 x64 Kernel with DMA attacks 38/44 Virtdbg Internals 2 FPGA : COM-1300 for Cardbus and COM-1400 for USB COM-1400 needed for giving orders to the debugger Uses Analyze hardware specific software like DRM Malware analysis Windows internals : PatchGuard Can debug interruption handlers

D. Aumaitre, C.Devine Subverting Windows 7 x64 Kernel with DMA attacks 39/44 Virtdbg

. Aumaitre, C.Devine Subverting Windows 7 x64 Kernel with DMA attacks 40/44 Roadmap 1 2 3

D. Aumaitre, C.Devine Subverting Windows 7 x64 Kernel with DMA attacks 41/44 DMA attacks Well known since 2004 But always effective and efficient Perfect for targeted attacks Limitations Proof-of-concept for now limited to the PCMCIA port Cardbus is 32-bit : limited to first 4 GB of memory Solution : use of the ExpressCard port (WIP) Protection Deactivate the PCMCIA/CardBus driver IOMMU (but unused by Windows 7 / Linux / OSX) glue ;-)

D. Aumaitre, C.Devine Subverting Windows 7 x64 Kernel with DMA attacks 42/44 An old saying Physical access = root still holds Protection Remain attentive of your surroundings! Physical protection of the premises Deactivate unused features : FireWire, PCMCIA,...

D. Aumaitre, C.Devine Subverting Windows 7 x64 Kernel with DMA attacks 43/44 Q&A Thank you for your attention! Questions?

D. Aumaitre, C.Devine Subverting Windows 7 x64 Kernel with DMA attacks 44/44 Contacts Laboratoire Sogeti-ESEC 6-8 rue Duret 75016 Paris - France damien.aumaitre@sogeti.com christophe.devine@sogeti.com

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information