This research has been used in the Computer Security course at the Israel Institute of Technology, Haifa, Israel. Course details are here.
We presented HyperPlatform, which is an advanced system monitoring platform for the Windows Operating System. Using Intel VT-x and Extended Page Table (EPT) technologies, this platform provides speedy monitoring of various events. HyperPlatform is hidden and resilient to modern anti-forensics techniques and can be easily extended for day-to-day reverse engineering work.
The details are here:
- HyperPlatform: source code, slides.pdf, Satoshi's review, our summary
- MemoryMon: source code and demo
- GuardMon: source code and demo
- EopMon: source code
Half of the credit goes to @Igorkorkin. Thanks for lots of ideas, help, suggestions and being patient with my slow work.
— Satoshi Tanda (@standa_t) March 3, 2016
Tanda, S., & Korkin, I. (2016, June 17-19). Monitoring & controlling kernel-mode events by HyperPlatform. Paper presented at the REcon conference, Montreal, Canada. Retrieved from recon.cx/2016/talks/Monitoring-and-controlling-kernel-mode-events-by-HyperPlatform.html
Even nowadays, many researchers have no suitable tools for analyzing kernel-mode code. The steady growth of ring0 rootkits requires a fast, undetectable and resilient tool that monitors OS events across all protection rings. Such a tool would significantly contribute to reverse engineering.
While existing virtualization infrastructures such as VirtualBox and VMware are handy for analysis by themselves, VT-x technology has much more potential for aiding reverse engineering. McAfee Deep Defender, for example, detects modification of system-critical memory regions and registers. These tools are, however, proprietary and not available to everyone, or too complicated for most engineers to extend.
HyperPlatform is a thin hypervisor with the potential to monitor the following:
- access to physical and virtual memory;
- function calls from user and kernel modes;
- code execution at instruction granularity.
HyperPlatform is also capable of monitoring a broad range of events such as interrupts, various registers and instructions. Tools based on HyperPlatform can trace each instruction and provide dynamic analysis of executable code when necessary.
We will demonstrate three examples of adapting HyperPlatform: MemoryMon, GuardMon, and EopMon:
- MemoryMon monitors virtual memory accesses and detects dodgy kernel memory execution using EPT. It helps rootkit analysis by identifying dynamically allocated code.
- GuardMon monitors access to system registers from suspicious callers and can disable Windows' built-in kernel patch protection, PatchGuard. GuardMon has been successfully tested against PatchGuard on Windows 10 x64.
- EopMon is an elevation of privilege (EoP) detector. It can spot and terminate a process with a stolen system token by using the hypervisor's ability to monitor process context switching.
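As an added illustration (not code from HyperPlatform or MemoryMon), the C program below models the decision at the heart of MemoryMon's EPT-based detection described above: execute permission is withheld in EPT for pages outside known kernel images, so executing such a page raises an EPT violation, and the handler then checks whether the faulting guest RIP falls inside any loaded image. Code that runs from memory no image covers is what "dynamically allocated code" looks like to the monitor. The image table, the event structure and every address are constructed sample values; a real handler would walk the kernel's loaded-module list and restore permissions before resuming the guest.

```c
#include <inttypes.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed model (not MemoryMon's own code) of an EPT execute-violation
 * classifier. Image ranges, event layout and addresses are made-up samples. */

typedef struct {
    const char *name;
    uint64_t base;
    uint64_t size;
} image_range_t;

/* Constructed stand-in for the loaded-module list a real monitor would walk. */
static const image_range_t known_images[] = {
    { "ntoskrnl.exe", 0xfffff80000000000ULL, 0x00800000ULL },
    { "hal.dll",      0xfffff80000800000ULL, 0x00100000ULL },
    { "win32k.sys",   0xfffff96000000000ULL, 0x00400000ULL },
};

/* Constructed shape of one EPT execute violation as the handler sees it. */
typedef struct {
    uint64_t guest_rip;  /* virtual address that attempted to execute */
    uint64_t fault_pa;   /* guest-physical page whose EPT entry lacked X */
} ept_exec_event_t;

/* Returns the image containing addr, or NULL if no known image covers it. */
const image_range_t *find_image(uint64_t addr) {
    size_t count = sizeof known_images / sizeof known_images[0];
    for (size_t i = 0; i < count; i++) {
        const image_range_t *img = &known_images[i];
        if (addr >= img->base && addr < img->base + img->size)
            return img;
    }
    return NULL;
}

/* "Dodgy" in MemoryMon's sense: code ran from memory that no loaded image
 * covers, which is how dynamically allocated rootkit code appears. */
bool is_dodgy_execution(const ept_exec_event_t *ev) {
    return find_image(ev->guest_rip) == NULL;
}

/* Classifies a batch of events, logs each verdict and returns the number
 * flagged. Restoring X on the page and resuming the guest is omitted here. */
size_t count_dodgy(const ept_exec_event_t *events, size_t n) {
    size_t flagged = 0;
    for (size_t i = 0; i < n; i++) {
        const image_range_t *img = find_image(events[i].guest_rip);
        if (img == NULL) {
            flagged++;
            printf("DODGY  rip=0x%016" PRIx64 " pa=0x%016" PRIx64
                   " (no image covers this address)\n",
                   events[i].guest_rip, events[i].fault_pa);
        } else {
            printf("known  rip=0x%016" PRIx64 " in %s\n",
                   events[i].guest_rip, img->name);
        }
    }
    return flagged;
}

/* Runs the classifier over three constructed events: two inside images and
 * one from a pool-like address that no image covers. Returns the flagged count. */
size_t sample_flagged_count(void) {
    ept_exec_event_t events[] = {
        { 0xfffff80000123456ULL, 0x0000000001234000ULL },  /* ntoskrnl.exe */
        { 0xffffe00012345678ULL, 0x000000000abcd000ULL },  /* no image */
        { 0xfffff96000001000ULL, 0x0000000003456000ULL },  /* win32k.sys */
    };
    return count_dodgy(events, sizeof events / sizeof events[0]);
}

int main(void) {
    size_t flagged = sample_flagged_count();
    printf("%zu execution(s) flagged\n", flagged);
    return 0;
}
```

The one decision worth noting is that the verdict is keyed on the guest virtual RIP rather than on the faulting physical page: image ranges are known by virtual address, and a page that maps into two address spaces would otherwise be judged twice with different answers.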