Using VT-x with EPT technologies to provide new must-have tools for reverse-engineering
Tanda, S., & Korkin, I. (2016, June 17-19). Monitoring & controlling kernel-mode events by HyperPlatform. Paper presented at the REcon conference, Montreal, Canada. Retrieved from recon.cx/2016/talks/Monitoring-and-controlling-kernel-mode-events-by-HyperPlatform.html
- Extended proposal - see below
- Slides from REcon - PDF
- Video from REcon - youtube.com/watch?v=G-X6g4zkNtE
- HyperPlatform review - tandasat.github.io/HyperPlatform
- HyperPlatform source code - github.com/tandasat/HyperPlatform
- MemoryMon source code - github.com/tandasat/MemoryMon
- MemoryMon demo - youtube.com/watch?v=O5_ocsplrfA
- GuardMon source code - github.com/tandasat/GuardMon
- GuardMon demo - youtube.com/watch?v=PUcBtd0fZeA
- EopMon source code - github.com/tandasat/EopMon
Even today, many researchers have no suitable tools for analyzing kernel-mode code. The steady growth of ring 0 rootkits calls for a fast, undetectable and resilient tool that monitors OS events across all protection rings. Such a tool would be a significant contribution to reverse engineering.
While existing virtualization products such as VirtualBox and VMware are handy for analysis in themselves, VT-x technology has much more potential for aiding reverse engineering. McAfee Deep Defender, for example, detects modification of system-critical memory regions and registers. Such tools are, however, proprietary and not available to everyone, or too complicated for most engineers to extend.
HyperPlatform is a thin hypervisor with the potential to monitor the following:
- access to physical and virtual memory;
- function calls from user and kernel modes;
- code execution at instruction granularity.
The hypervisor can be used to monitor memory for two typical use cases. The first is monitoring access to specified memory regions in order to protect system-critical data such as the service descriptor table. The second is recording every kind of memory access made from a specified memory region, such as the image of a potentially malicious driver, in order to analyze its activity.
HyperPlatform is also capable of monitoring a broad range of other events, such as interrupts, access to various registers, and the execution of particular instructions. Tools built on HyperPlatform can trace each instruction and provide dynamic analysis of executable code where necessary.
We will demonstrate three tools built on HyperPlatform: MemoryMon, GuardMon, and EopMon.
MemoryMon monitors virtual memory accesses and detects suspicious kernel memory execution using EPT. It can help rootkit analysis by identifying dynamically allocated code.
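To make the two memory-monitoring use cases described above concrete, together with the execute-from-data detection that MemoryMon performs, here is an added model written in C++, the language HyperPlatform itself is written in. It is not HyperPlatform or MemoryMon code: the EPT is a plain table of per-page permission bits, a simulated access routine stands in for the VM-exit handler that would run on a real EPT violation, and the addresses in the scenario are made up. The names EptMonitor, Protect, DenyExecute, TraceFrom and RunEptDemo are this example's own.

```cpp
// Added model of EPT-based memory monitoring (not HyperPlatform/MemoryMon code).
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <map>
#include <set>
#include <vector>

constexpr uint64_t kPageSize = 0x1000;

struct EptEntry {  // permission bits of one EPT entry; unlisted pages are RWX
  bool read = true, write = true, execute = true;
};

enum class AccessType { kRead, kWrite, kExecute };

struct Violation {  // one recorded EPT violation
  uint64_t source_page, target_page;
  AccessType type;
};

class EptMonitor {
 public:
  // Use case 1: clear the write bit on a region (e.g. a system table) so any
  // write to it traps and can be refused.
  void Protect(uint64_t pa, uint64_t size) {
    for (uint64_t p : Pages(pa, size)) { protected_pages_.insert(p); ept_[p].write = false; }
  }
  // MemoryMon-style: clear the execute bit on data pages (e.g. kernel pool) so
  // code running from dynamically allocated memory is caught.
  void DenyExecute(uint64_t pa, uint64_t size) {
    for (uint64_t p : Pages(pa, size)) ept_[p].execute = false;
  }
  // Use case 2: while code in this region (e.g. a suspicious driver) runs, an
  // alternative EPT with every other page non-accessible is active, so each
  // access it makes outside the region traps and is recorded.
  void TraceFrom(uint64_t pa, uint64_t size) {
    for (uint64_t p : Pages(pa, size)) traced_pages_.insert(p);
  }
  // Simulated access by the instruction at `rip` to `target`; returns whether
  // the access is allowed to complete.
  bool Access(uint64_t rip, uint64_t target, AccessType type) {
    const uint64_t src = rip / kPageSize, dst = target / kPageSize;
    const bool tracing = traced_pages_.count(src) != 0;
    if (Permitted(Lookup(dst, tracing), type)) return true;  // no VM exit at all
    // EPT violation: this is the decision a VM-exit handler would make.
    violations_.push_back({src, dst, type});
    if (protected_pages_.count(dst) != 0 && type == AccessType::kWrite) return false;
    return true;  // trace / exec detection: record it, then let it proceed
  }
  const std::vector<Violation>& violations() const { return violations_; }

 private:
  static std::vector<uint64_t> Pages(uint64_t pa, uint64_t size) {
    std::vector<uint64_t> v;
    for (uint64_t p = pa / kPageSize; p < (pa + size + kPageSize - 1) / kPageSize; ++p) v.push_back(p);
    return v;
  }
  EptEntry Lookup(uint64_t page, bool tracing) const {
    if (tracing && traced_pages_.count(page) == 0) return EptEntry{false, false, false};
    auto it = ept_.find(page);
    return it == ept_.end() ? EptEntry{} : it->second;
  }
  static bool Permitted(const EptEntry& e, AccessType t) {
    return t == AccessType::kRead ? e.read : t == AccessType::kWrite ? e.write : e.execute;
  }
  std::map<uint64_t, EptEntry> ept_;
  std::set<uint64_t> protected_pages_, traced_pages_;
  std::vector<Violation> violations_;
};

// Constructed scenario (all addresses made up): a "system table" at 0x10000,
// a pool page at 0x20000 and a "suspicious driver" image at 0x30000-0x32000.
struct DemoResult { std::vector<bool> allowed; std::size_t violations; };

DemoResult RunEptDemo() {
  EptMonitor mon;
  mon.Protect(0x10000, 0x1000);
  mon.DenyExecute(0x20000, 0x1000);
  mon.TraceFrom(0x30000, 0x2000);
  DemoResult r;
  r.allowed.push_back(mon.Access(0x40000, 0x10010, AccessType::kWrite));    // refused
  r.allowed.push_back(mon.Access(0x40000, 0x10010, AccessType::kRead));     // silent
  r.allowed.push_back(mon.Access(0x40000, 0x20000, AccessType::kExecute));  // recorded
  r.allowed.push_back(mon.Access(0x30100, 0x50000, AccessType::kRead));     // recorded
  r.allowed.push_back(mon.Access(0x30100, 0x30200, AccessType::kExecute));  // silent
  r.allowed.push_back(mon.Access(0x30100, 0x10010, AccessType::kWrite));    // recorded, refused
  r.violations = mon.violations().size();
  return r;
}

int main() {
  const DemoResult r = RunEptDemo();
  for (std::size_t i = 0; i < r.allowed.size(); ++i)
    std::printf("access %zu: %s\n", i, r.allowed[i] ? "allowed" : "refused");
  std::printf("%zu violations recorded\n", r.violations);
  return 0;
}
```

The two policies compose in the handler: a write from the traced driver to the protected table is both recorded (use case 2) and refused (use case 1). A real handler cannot simply "let it proceed" after a violation; it has to restore the permission, single-step the instruction with the monitor trap flag, and re-arm the EPT, which this model collapses into a return value.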
GuardMon monitors access to system registers from suspicious callers and can disable Windows' built-in kernel patch protection, PatchGuard. GuardMon has been successfully tested against PatchGuard on Windows 10 x64.
EopMon is an elevation of privilege (EoP) detector. It can spot and terminate a process carrying a stolen system token by using the hypervisor's ability to monitor process context switching.
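The check EopMon performs at each context switch, as an added C++ model that is not EopMon's own code: processes are plain structs, OnContextSwitch() stands in for the VM exit a hypervisor takes on each CR3 write, and the pids and token addresses are made up. The model assumes, as the detector described above does, that no process other than System legitimately references the System process's token object; SYSTEM services such as svchost.exe hold their own token objects, so pointer equality is the signal. The names EopMonitor and RunEopDemo are this example's own.

```cpp
// Added model of stolen-token detection at context-switch time (not EopMon code).
#include <cstdint>
#include <cstdio>
#include <map>
#include <string>
#include <vector>

struct Process {
  uint32_t pid;
  std::string name;
  uint64_t token;  // address of the token object the process currently references
};

class EopMonitor {
 public:
  // Address of the System process's token object (assumed known to the monitor).
  explicit EopMonitor(uint64_t system_token) : system_token_(system_token) {}

  // Remember which token each process was created with.
  void OnProcessCreate(const Process& p) { created_with_[p.pid] = p.token; }

  // Called on every context switch (CR3 write). Returns true when the scheduled
  // process references the System token although it was not created with it,
  // i.e. the token was swapped in afterwards; the caller would then terminate it.
  // A process never seen at creation is treated conservatively and flagged too.
  bool OnContextSwitch(const Process& current) {
    if (current.token != system_token_) return false;
    auto it = created_with_.find(current.pid);
    if (it != created_with_.end() && it->second == system_token_) return false;  // System itself
    flagged_.push_back(current.pid);
    return true;
  }
  const std::vector<uint32_t>& flagged() const { return flagged_; }

 private:
  uint64_t system_token_;
  std::map<uint32_t, uint64_t> created_with_;
  std::vector<uint32_t> flagged_;
};

// Constructed scenario (pids and addresses made up).
std::vector<uint32_t> RunEopDemo() {
  EopMonitor mon(0xFFFF8000A0001000ull);
  Process system{4, "System", 0xFFFF8000A0001000ull};
  Process svchost{800, "svchost.exe", 0xFFFF8000A0002000ull};  // SYSTEM, but its own token object
  Process cmd{1234, "cmd.exe", 0xFFFF8000A0003000ull};
  mon.OnProcessCreate(system);
  mon.OnProcessCreate(svchost);
  mon.OnProcessCreate(cmd);
  mon.OnContextSwitch(system);   // legitimate
  mon.OnContextSwitch(svchost);  // legitimate: different token object
  mon.OnContextSwitch(cmd);      // legitimate so far
  cmd.token = system.token;      // the token pointer now aliases System's (the theft being detected)
  mon.OnContextSwitch(cmd);      // flagged
  return mon.flagged();
}

int main() {
  for (uint32_t pid : RunEopDemo()) std::printf("flagged pid %u for stolen system token\n", pid);
  return 0;
}
```

Doing the comparison on the context-switch path rather than from a kernel callback is what makes the check hard for a rootkit to avoid: every scheduling of the process passes through CR3 loads the hypervisor sees, regardless of what the rootkit has patched in the kernel.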
Implementing such functionality used to be challenging, but with HyperPlatform it can now be achieved more easily than ever.