less is more

Exploring code/process-less techniques and other weird-machine methods to hide code (and how to detect them). Slide URL: http://1drv.ms/1dJX2HI

Uploaded by adah, posted 24-Feb-2016

DESCRIPTION

From page 2: 09.09.99. Major References. Win32 Buffer Overflows (p55, 09.09.99), dark spyrit / Barnaby Jack. One of the greatest ever.

TRANSCRIPT

Page 1: less is more

less is more
Exploring code/process-less techniques and other weird-machine methods to hide code (and how to detect them).
Slide URL: http://1drv.ms/1dJX2HI

Page 3

Major References
• Exploitation and state machines
  • Thomas Dullien / Halvar Flake
  • Sergey Bratus, TAOSSA (http://www.azimuthsecurity.com/)
• Windows Kernel-mode Payload Fundamentals & A Catalog of Windows Local Kernel-mode Backdoor Techniques
  • Skape ([email protected]) (both) & Bugcheck ([email protected]) & Skywing ([email protected])
• The page-fault weird machine: lessons in instruction-less computation
  • Julian Bangert, Sergey Bratus, Rebecca Shapiro, Sean W. Smith, from WOOT'13, Proceedings of the 7th USENIX conference on Offensive Technologies
• Volatility Framework
  • AAron Walters and open source contributors.

Page 4

Windows hardening
• Windows XP does not memset(0) driver .text sections
  • Random slack can be executed
  • Updated 2k3+
• KINTERRUPT no longer has huge code templates/glue included as part of its structure
  • KINTERRUPT.DispatchCode is now 4 bytes (and always just points to a registered handler in the module) instead of up to 106 bytes of arbitrary code
  • Updated Vista+
• Page table entries secured
  • Win8 no longer has executable page table entries
• Kernel 9200+ (8/2012): Kernel Pool (heap) is no longer executable by default
  • This is a MAJOR win!!!!!!
  • No more huge degrees of unknown executable memory to inspect

Page 5

Our target
• Rootkit can shadow/move itself during dumps
• Dumping memory from a live/physical system is problematic and has led to an interesting arms race:
  • Using cold-boot attacks
  • Purpose-built dumping hardware or commodity FireWire-type inputs
  • Causing a kernel panic to induce a dump
• Windows Kernel 9600 (Windows 8.1/2012R2)
  • A snapshot from VMWare or Hyper-V
  • We will ignore dump acquisition issues for now and focus on VM snapshots

Page 6

X64 Kernel Virtual Address Space (http://www.codemachine.com/article_x64kvas.html)

| Start | End | Size | Description | Notes |
|---|---|---|---|---|
| FFFF0800`00000000 | FFFFF67F`FFFFFFFF | 238TB | Unused System Space | WIN9600 NOW USES & CAN CONTAIN +X AREAS |
| FFFFF680`00000000 | FFFFF6FF`FFFFFFFF | 512GB | PTE Space | -X; used to be executable on Win7 |
| FFFFF700`00000000 | FFFFF77F`FFFFFFFF | 512GB | HyperSpace | 8.1 seems to have cleaned up here; 9200 had 1 +X page |
| FFFFF780`00000000 | FFFFF780`00000FFF | 4K | Shared System Page | |
| FFFFF780`00001000 | FFFFF7FF`FFFFFFFF | 512GB-4K | System Cache Working Set | |
| FFFFF800`00000000 | FFFFF87F`FFFFFFFF | 512GB | Initial Loader Mappings | Large Page (2MB) allocations |
| FFFFF880`00000000 | FFFFF89F`FFFFFFFF | 128GB | Sys PTEs | |
| FFFFF8a0`00000000 | FFFFF8bF`FFFFFFFF | 128GB | Paged Pool Area | |
| FFFFF900`00000000 | FFFFF97F`FFFFFFFF | 512GB | Session Space | |
| FFFFF980`00000000 | FFFFFa70`FFFFFFFF | 1TB | Dynamic Kernel VA Space | |
| FFFFFa80`00000000 | *nt!MmNonPagedPoolStart-1 | 6TB Max | PFN Database | |
| *nt!MmNonPagedPoolStart | *nt!MmNonPagedPoolEnd | 512GB Max | Non-Paged Pool | DEFAULT NO EXECUTE |
| FFFFFFFF`FFc00000 | FFFFFFFF`FFFFFFFF | 4MB | HAL and Loader Mappings | |

Page 7

Page Table Shellcode weird-machine
• Win7 and earlier
• Can we emit intended shellcode into PTE area?
  • Perform some VirtualAlloc from user space => executable memory in kernel
  • Just reserving memory writes PTE
• Page Table shell-code is non-trivial
  • Lots of gadgets!

fffff6fb`7e201ea0 63 b8 c3 2d 00 00 00 00 63 a8 13 2f 00 00 00 00 c..-....c../....
fffff6fb`7e201eb0 63 98 e3 2d 00 00 00 00 63 88 13 2f 00 00 00 00 c..-....c../....
fffff6fb`7e201ec0 63 78 63 30 00 00 00 00 63 68 d3 2e 00 00 00 00 cxc0....ch......
fffff6fb`7e201ed0 63 58 53 30 00 00 00 00 63 48 a3 2e 00 00 00 00 cXS0....cH......
fffff6fb`7e201ee0 63 38 c3 2e 00 00 00 00 63 28 83 2e 00 00 00 00 c8......c(......

PXE at FFFFF6FB7DBEDF68    PPE at FFFFF6FB7DBEDF88    PDE at FFFFF6FB7DBF1008    PTE at FFFFF6FB7E201EA0
contains 0000000000187063  contains 0000000134C04863  contains 0000000100512863  contains 000000002DC3B863
pfn 187       ---DA--KWEV  pfn 134c04    ---DA--KWEV  pfn 100512    ---DA--KWEV  pfn 2dc3b     ---DA--KWEV
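The !pte lines above are what a page-table verifier has to reproduce from a raw dump: for each 64-bit entry, the page frame number, the flag string, and above all whether the page is executable (the "E" versus "-" before "V"). The following is an added example in Python, not code from the talk or from BlockWatch; it decodes entries using the x64 long-mode bit layout and the WinDbg !pte letter order (L G C D A N T K/U W/R E V), and computes the PXE/PPE/PDE/PTE self-map addresses for a virtual address. Assumptions: the copy-on-write software bit is taken as bit 9 of the Windows MMPTE_HARDWARE layout, and the self-map base is the fixed PTE-space base FFFFF680`00000000 from the KVAS table (pre-Windows 10 kernels). The sample entries are the values from the slides plus one constructed NX entry.

```python
# Added example (not the talk's code or BlockWatch): decode raw x64 page-table
# entries the way WinDbg's !pte prints them, and compute the self-map
# addresses of the PXE/PPE/PDE/PTE that translate a virtual address.

PTE_VALID    = 1 << 0    # P  : present/valid
PTE_WRITE    = 1 << 1    # R/W: writable
PTE_USER     = 1 << 2    # U/S: user accessible
PTE_WT       = 1 << 3    # PWT: write-through
PTE_CD       = 1 << 4    # PCD: cache disabled
PTE_ACCESSED = 1 << 5    # A
PTE_DIRTY    = 1 << 6    # D
PTE_LARGE    = 1 << 7    # PS : large page (meaningful in a PDE/PDPTE only)
PTE_GLOBAL   = 1 << 8    # G
PTE_COW      = 1 << 9    # Windows software bit: copy-on-write (assumption: MMPTE_HARDWARE layout)
PTE_NX       = 1 << 63   # XD : no-execute
PFN_MASK     = ((1 << 40) - 1) << 12   # bits 12..51 hold the page frame number


def decode_pte(entry: int, is_pde: bool = False) -> dict:
    """pfn, WinDbg-style flag string, and the two questions a page-table
    verifier asks of every entry: is it valid, and is it executable?"""
    if not entry & PTE_VALID:
        return {"valid": False, "pfn": 0, "flags": "not valid",
                "executable": False, "writable": False}

    def on(bit: int) -> bool:
        return bool(entry & bit)

    flags = "".join([
        "L" if is_pde and on(PTE_LARGE) else "-",
        "G" if on(PTE_GLOBAL) else "-",
        "C" if on(PTE_COW) else "-",
        "D" if on(PTE_DIRTY) else "-",
        "A" if on(PTE_ACCESSED) else "-",
        "N" if on(PTE_CD) else "-",
        "T" if on(PTE_WT) else "-",
        "U" if on(PTE_USER) else "K",
        "W" if on(PTE_WRITE) else "R",
        "-" if on(PTE_NX) else "E",   # "KW-V" is what an NX page looks like
        "V",
    ])
    return {"valid": True, "pfn": (entry & PFN_MASK) >> 12, "flags": flags,
            "executable": not on(PTE_NX), "writable": on(PTE_WRITE)}


def format_pte(entry: int, is_pde: bool = False) -> str:
    """One 'pfn xxx ---DA--KWEV' cell of the !pte output."""
    d = decode_pte(entry, is_pde)
    return f"pfn {d['pfn']:x} {d['flags']}"


# Self-map bases (assumption: fixed PTE space at FFFFF680`00000000). The
# PDE/PPE/PXE bases are the PTE base fed back through itself.
PTE_BASE = 0xFFFFF68000000000
PDE_BASE = 0xFFFFF6FB40000000
PPE_BASE = 0xFFFFF6FB7DA00000
PXE_BASE = 0xFFFFF6FB7DBED000


def self_map_addresses(va: int) -> dict:
    """Virtual addresses of the four entries that translate va
    (the 'PXE at / PPE at / PDE at / PTE at' line of !pte)."""
    return {
        "pxe": PXE_BASE + ((va >> 36) & 0xFF8),
        "ppe": PPE_BASE + ((va >> 27) & 0x1FFFF8),
        "pde": PDE_BASE + ((va >> 18) & 0x3FFFFFF8),
        "pte": PTE_BASE + ((va >> 9) & 0x7FFFFFFFF8),
    }


if __name__ == "__main__":
    # 0x555963 and 0x2DC3B863 are from the slides; 0x800000000012D863 is a
    # constructed entry with the NX bit set.
    for raw in (0x0000000000555963, 0x000000002DC3B863, 0x800000000012D863):
        print(f"{raw:016x} -> {format_pte(raw)}")
    print({k: f"{v:X}" for k, v in self_map_addresses(0xFFFFD000201A0000).items()})
```

Run against the later slides' VA ffffd000`201a0000, self_map_addresses returns the same PXE/PPE/PDE/PTE addresses WinDbg prints there, which is a cheap sanity check that a verifier is walking the right tables before it starts trusting its "executable" verdicts.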

Page 8

Win8 PT Shellcode attempting to run

Child-SP          RetAddr           Call Site
ffffd000`2b34ecf8 fffff800`16066ee1 nt!LOCK_WORKING_SET
ffffd000`2b34ed00 fffff800`1603f5ad nt!MiSystemFault+0x911
ffffd000`2b34eda0 fffff800`1615af2f nt!MmAccessFault+0x7ed
ffffd000`2b34eee0 fffff6fb`77fde37a nt!KiPageFault+0x12f
ffffd000`2b34f078 fffff800`01e423fe 0xfffff6fb`77fde37a
ffffd000`2b34f080 fffff800`163ae3e5 SIoctl!SioctlDeviceControl+0x27e
ffffd000`2b34f9b0 fffff800`163aed7a nt!IopXxxControlFile+0x845
ffffd000`2b34fb60 fffff800`1615c4b3 nt!NtDeviceIoControlFile+0x56
ffffd000`2b34fbd0 00007ff9`c1b265ea nt!KiSystemServiceCopyEnd+0x13
0000003a`ba9bf8f8 00007ff9`bef92c83 ntdll!NtDeviceIoControlFile+0xa

• Seemingly clean return
  • No double fault or bug check
• We keep entering KiPageFault after returning from KiPageFault…

Page 9

Defense: Rootkit revealing
• Default non-execute pool space helps tremendously
• Detect the presence of a rootkit by comparing results from multiple sources/abstraction layers
  • Physical (page tables)
  • Logical
    • Driver LIST_ENTRY
    • VAD
    • SECTIONs, …

Page 10

Tool evaluation
• Implemented in .NET
• Operates on direct physical memory dumps from VM snapshots
• Demo script that identifies KVAS physical/logical sections
• Transforms/Dumps memory / Generates hashes
• Future
  • More well-known blocks (local optimization)?
  • There are some weird-looking fill patterns often sitting around as exec; more page table checks, CR0.WP etc…

Page 11

Example VMWare ~8GB BlockWatch Folder: t:\BW_DEMO

Dumping data from : Clone of Clone of Current Win 8.1 - PRO (2)-66bb942e.vmss
Found probable kernel @ fffff800b508c000
Debug symbol being loaded for ntkrnlmp.pdb
Kernel build number 9600
Root PT Entries: 16, SubTable Entries: 778263
Unlinked entry count: 1544
UnLinked Section: System Space @: 0xffffd00020180000L, Size: 0x1000L
UnLinked Section: Loader Mappings @: 0xfffff800021d0000L, Size: 0x1000L
UnLinked Section: HAL and Loader Mappings @: 0xffffffffffd02000L, Size: 0x1000L
UnLinked Section: hal @: 0xfffff800b5000000L, Size: 0x200000L
UnLinked Section: Loader Mappings @: 0xfffff800b5800000L, Size: 0x200000L
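The "UnLinked Section" lines are the cross-view check from page 9 made concrete: take every page the page tables say is valid and executable (the physical view), subtract every page some loaded module accounts for (the logical view), and coalesce what is left into contiguous sections named by the KVAS region they fall in. The following is an added example in Python of that diff, not BlockWatch's own code. The page-table map and module list are constructed (a few page-aligned VAs with plausible PTE values, two module ranges); the region names and boundaries come from the x64 KVAS table on page 6, trimmed to three rows.

```python
# Added example, not BlockWatch's code: physical-vs-logical diff that yields
# "UnLinked Section" reports. All sample data below is constructed.

PAGE = 0x1000

# Region boundaries from the x64 KVAS table (assumption: three rows suffice).
KVAS_REGIONS = [
    (0xFFFF080000000000, 0xFFFFF67FFFFFFFFF, "System Space"),
    (0xFFFFF80000000000, 0xFFFFF87FFFFFFFFF, "Loader Mappings"),
    (0xFFFFFFFFFFC00000, 0xFFFFFFFFFFFFFFFF, "HAL and Loader Mappings"),
]


def region_name(va: int) -> str:
    for lo, hi, name in KVAS_REGIONS:
        if lo <= va <= hi:
            return name
    return "Unknown"


def executable_pages(pte_map: dict) -> list:
    """Physical view. pte_map: {page-aligned VA: raw 64-bit PTE}. A page is
    executable to the CPU when the entry is valid (bit 0) and NX (bit 63) is clear."""
    return sorted(va for va, pte in pte_map.items()
                  if (pte & 1) and not ((pte >> 63) & 1))


def covered_by_module(va: int, modules: list) -> bool:
    """Logical view: does any (base, size, name) range from the module list claim va?"""
    return any(base <= va < base + size for base, size, _name in modules)


def unlinked_sections(pte_map: dict, modules: list) -> list:
    """Executable pages no module accounts for, coalesced into
    (region, start, size) runs of contiguous pages."""
    sections, start, prev = [], None, None
    for va in executable_pages(pte_map):
        if covered_by_module(va, modules):
            continue
        if prev is not None and va == prev + PAGE:
            prev = va                      # extends the current run
            continue
        if start is not None:
            sections.append((region_name(start), start, prev + PAGE - start))
        start = prev = va
    if start is not None:
        sections.append((region_name(start), start, prev + PAGE - start))
    return sections


def report(sections: list) -> list:
    return [f"UnLinked Section: {name} @: 0x{va:x}L, Size: 0x{size:x}L"
            for name, va, size in sections]


def pte(pfn: int, nx: bool = False) -> int:
    """Build a constructed entry: valid, writable, accessed, dirty (0x863)."""
    return (1 << 63 if nx else 0) | (pfn << 12) | 0x863


# Constructed logical view: two modules (nt base taken from the slide above,
# its size and the second driver are invented).
SAMPLE_MODULES = [
    (0xFFFFF800B508C000, 0x700000, "nt"),
    (0xFFFFF80002000000, 0x100000, "example.sys"),
]

# Constructed physical view: executable pages inside and outside modules,
# and one NX pool page that must be ignored.
SAMPLE_PTES = {
    0xFFFFF800B508C000: pte(0x1A0),          # nt .text, covered
    0xFFFFF800B508D000: pte(0x1A1),          # nt .text, covered
    0xFFFFF80002010000: pte(0x2B0),          # inside example.sys, covered
    0xFFFFF800021D0000: pte(0x2C0),          # +X page past the driver's end
    0xFFFFD00020180000: pte(0x523),          # lone +X page in System Space
    0xFFFFD000201A0000: pte(0x555),          # three contiguous +X pages
    0xFFFFD000201A1000: pte(0x556),
    0xFFFFD000201A2000: pte(0x557),
    0xFFFFE00000420000: pte(0x420, nx=True), # nonpaged pool, NX: not reported
    0xFFFFFFFFFFD02000: pte(0x0C5),          # +X page in the HAL region
}

if __name__ == "__main__":
    for line in report(unlinked_sections(SAMPLE_PTES, SAMPLE_MODULES)):
        print(line)
```

A covered page between two uncovered ones deliberately breaks the run, so a rootkit page adjacent to a legitimate module still shows up as its own section rather than being absorbed; whether the remaining sections are benign (fonts, BIOS ranges, bootloader leftovers, as the next slides show) is what the white list is for.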

Page 12

…moving on; Attack! To the Unknown!

kd> !pte ffffd000`201a0000
                                           VA ffffd000201a0000
PXE at FFFFF6FB7DBEDD00    PPE at FFFFF6FB7DBA0000    PDE at FFFFF6FB74000800    PTE at FFFFF6E800100D00
contains 0000000000523863  contains 0000000000522863  contains 0000000000527863  contains 0000000000555963
pfn 523       ---DA--KWEV  pfn 522       ---DA--KWEV  pfn 527       ---DA--KWEV  pfn 555       -G-DA--KWEV

• ffffd000201a0000 appears across Hyper-V & VMWare, reboots
  • Provides RoP gadgets
  • Fixed writeable executable memory location
• Writable/Executable at a fixed address

!pool ffffd000`201a0000
Pool page ffffd000201a0000 region is Unknown
ffffd000201a0000 is not a valid large pool allocation, checking large session pool...
Unable to read large session pool table (Session data is not present in mini and kernel-only dumps)
ffffd000201a0000 is not valid pool. Checking for freed (or corrupt) pool

Page 13

Can you guess what it is?
• ??
• Segoe_slboot.ttf
  • Starts at offset 0x1d0
  • Initial bytes some sort of heap tag? BG*
  • System boot/load time artifact

ffffd000`201a0000 21 01 a0 00 00 00 00 80 42 47 49 4b 00 00 00 80 !.......BGIK....
ffffd000`201a01d0 00 19 00 23 00 01 2e 4c 00 00 00 10 67 6c 79 66 ...#...L....glyf
ffffd000`201b2fb0 00 6e 00 74 00 65 00 6e 00 74 00 2e 00 53 00 65 .n.t.e.n.t...S.e
ffffd000`201b2fc0 00 67 00 6f 00 65 00 20 00 55 00 49 00 03 00 00 .g.o.e. .U.I....

Page 14

A little more (past end of font)

ffffd000`201b3000 ffffd000201b3020 0000000100002000 ffffd000201b3020 8000000000300121
…
ffffd000`201b3020 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 MZ..............
ffffd000`201b3070 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f is program canno
…
ffffd000`201b46b2 49 00 6e 00 74 00 65 00 72 00 6e 00 61 00 6c 00 4e 00 61 00 I.n.t.e.r.n.a.l.N.a.
ffffd000`201b46c6 6d 00 65 00 00 00 62 00 6f 00 6f 00 74 00 72 00 65 00 73 00 m.e...b.o.o.t.r.e.s.
…

• Seems to have some basic heap structure pointers/allocation sizes
• Unfortunately it's all default executable/writable at a fixed address across systems/rebooting
• This leaves a lot of room for RoP gadgets (MZ is only .rsrc, why +x?)

Page 15

BIOS Ranges
• Platform specific (vmware in this case)
• 2012R2 0xffffd00020500000, 8.1 0xffffd00020600000
• Fixed address across reboots (size is 241,664 - 0x3B000)
• Physical system dumps

ffffd000`206c5a50 c3 32 2e 30 00 56 4d 77 61 72 65 20 76 69 72 74 .2.0.VMware virt
ffffd000`206c5a60 75 61 6c 20 6d 61 63 68 69 6e 65 00 56 4d 77 61 ual machine.VMwa
ffffd000`206c5a70 72 65 2c 20 49 6e 63 00 56 20 4d 20 77 61 72 65 re, Inc.V M ware
ffffd000`206c5a80 2c 20 49 6e 63 2e 20 56 42 45 20 73 75 70 70 6f , Inc. VBE suppo
ffffd000`206c5a90 72 74 20 32 2e 30 00 90 c8 02 00 00 c4 5e 04 33 rt 2.0.......^.3

3: kd> !pte ffffd000`206c5a50
                                           VA ffffd000206c5a50
PXE at FFFFF6FB7DBEDD00    PPE at FFFFF6FB7DBA0000    PDE at FFFFF6FB74000818    PTE at FFFFF6E800103628
contains 0000000000B22863  contains 0000000000B21863  contains 0000000000852863  contains 00000000000C5963
pfn b22       ---DA--KWEV  pfn b21       ---DA--KWEV  pfn 852       ---DA--KWEV  pfn c5        -G-DA--KWEV

Page 16

Other/More dynamic/Misc Areas
• Slack
• Audit MDL structures
• Session Space
• ACPI FACS -- exec
  • Firmware ACPI Control Structure
  • Verify ACPI with white list
• Shim Engine (i.e. handling for drvmain.sdb)
• Bootloader artifacts
• Volume manager heap

0: kd> !pool ffffe00000420000
Pool page ffffe00000420000 region is Nonpaged pool
*ffffe00000420000 size: 90 previous size: 0 (Allocated) *VM3D
  Pooltag VM3D : Volume Manager, Binary : volmgr.sys
0: kd> !pool ffffe000`00418000
Pool page ffffe00000418000 region is Nonpaged pool
*ffffe00000418000 size: 90 previous size: 0 (Allocated) *VM3D
  Pooltag VM3D : Volume Manager, Binary : volmgr.sys

Page 17

Related topics
• White list extracted bootmgr.exe
• Well-known pages
  • NULL, all set, GUARD
• Interesting/weird fill patterns
  • 2007, ######
  • Iiiiii (0x69;)
• Make sure they're not gadget'able…

Page 18

Other Gadget Areas
• There are other +X areas in the region, but they have small variability in their allocation
• Windows Boot manager, network boot support code, more font areas

Page 19

Defense: RoP Detection
• Spurious Saved Return Addresses
  • Sometimes a RoP gadget is just random data present in an executable section!!!
  • All existing RoP databases or techniques target arbitrary saved return addresses
    • https://www.corelan.be/index.php/security/corelan-ropdb/#advapi32dll_8211_5126005755
    • 0x77e25c1f, # POP EAX # RETN
• Saved Return should be
  • Simple/Effective/Very reliable reducing gadget surface area

Page 20

Spurious Saved Return Addresses Validation
• Conceptually similar to heap back-checking logical links, except we walk the stack
  • Think Heap/Pool verification
  • Verify op-code preceding saved return address
• Adding into BlockWatch
  • Our operation is static, so performance is no big deal and we like to be current!
• Some performance impact if implemented at run time
• May not reduce the gadget surface area sufficiently
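The check the two slides above describe is the stack-walking analogue of heap link verification: a genuine saved return address must sit immediately after a CALL, so a stack slot that points into executable memory where nothing could have called through is spurious. The following is an added example in Python of that validation, not BlockWatch's implementation. Image base, image bytes and stack contents are constructed for the demo (two genuine call sites, two "pop; ret" sequences), and only the common x86/x64 CALL encodings (E8 rel32, FF /2 register and memory forms, one REX-prefixed register form) are recognised, which is an assumption; the "may not reduce the surface sufficiently" caveat shows up as the residual chance that unrelated bytes happen to decode as a CALL.

```python
# Added example (not BlockWatch's code): spurious saved-return-address
# validation. Every stack slot pointing into the image is checked for a CALL
# instruction ending exactly at that address. All sample data is constructed.

IMAGE_BASE = 0x7FF700000000     # hypothetical module base


def _modrm_call(chunk: bytes, n: int) -> bool:
    """chunk = the n bytes before a return address; is it an FF /2 CALL?"""
    if len(chunk) != n or chunk[0] != 0xFF:
        return False
    modrm = chunk[1]
    mod, reg, rm = modrm >> 6, (modrm >> 3) & 7, modrm & 7
    if reg != 2:                        # /2 selects CALL within the FF group
        return False
    if n == 2:                          # FF D0..D7 call reg ; FF 10..17 call [reg]
        return mod == 3 or (mod == 0 and rm not in (4, 5))
    if n == 3:                          # FF 50..57 call [reg+disp8] (no SIB)
        return mod == 1 and rm != 4
    if n == 6:                          # FF 15 call [rip+disp32] ; FF 90..97 [reg+disp32]
        return (mod == 0 and rm == 5) or (mod == 2 and rm != 4)
    return False


def is_call_ending_at(code: bytes, off: int) -> bool:
    """True if the bytes immediately before code[off] decode as a CALL."""
    if off >= 5 and code[off - 5] == 0xE8:              # E8 rel32, direct near call
        return True
    for n in (2, 3, 6):
        if off >= n and _modrm_call(code[off - n:off], n):
            return True
    # REX prefix + register form, e.g. 41 FF D3 = call r11
    if off >= 3 and 0x40 <= code[off - 3] <= 0x4F and _modrm_call(code[off - 2:off], 2):
        return True
    return False


def validate_stack(stack_words, image_base: int, image: bytes) -> list:
    """Classify each stack slot that points into the image as ok / SPURIOUS.
    Slots that do not point into the image are data and are skipped."""
    verdicts = []
    for slot, value in enumerate(stack_words):
        if not image_base <= value < image_base + len(image):
            continue
        ok = is_call_ending_at(image, value - image_base)
        verdicts.append((slot, value, "ok" if ok else "SPURIOUS"))
    return verdicts


# Constructed image: NOP filler, two real call sites, two pop;ret sequences.
_img = bytearray(b"\x90" * 0x50)
_img[0x10:0x15] = b"\xE8\x00\x01\x00\x00"        # call rel32        -> return address 0x15
_img[0x20:0x26] = b"\xFF\x15\x00\x10\x00\x00"    # call [rip+0x1000] -> return address 0x26
_img[0x30:0x32] = b"\x58\xC3"                    # pop rax ; ret  (nothing calls here)
_img[0x40:0x42] = b"\x5F\xC3"                    # pop rdi ; ret
IMAGE = bytes(_img)

# Constructed stack: two genuine frames, one data word, two chained gadgets.
SAMPLE_STACK = [IMAGE_BASE + 0x15, 0x1234, IMAGE_BASE + 0x30,
                IMAGE_BASE + 0x40, IMAGE_BASE + 0x26]


def demo() -> list:
    return validate_stack(SAMPLE_STACK, IMAGE_BASE, IMAGE)


if __name__ == "__main__":
    for slot, value, verdict in demo():
        print(f"slot {slot}: {value:#x} {verdict}")
```

In a static dump walk this is applied to every aligned stack word, not just frames found by unwinding, since a ROP chain is by definition not a well-formed frame; the two gadget slots above are the ones reported as SPURIOUS, the two real return addresses pass.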

Page 21

Attack: RoP Compiler
• Gadget surface area is reduced by SSRAV
• Use a gadget compiler from verifiable gadgets only
• Work done from Codeless Pagefaulting:
  • "… a 'one instruction computer' with a move-branch-if-zero-or-decrement instruction, short movdbz. … It has been proven that … is Turing-complete …"

Page 22

Defense: Finally
• RoP compilers are neat, but with adequate surface area reduction of dependable RoP gadgets
  • Remove EXECUTE from unneeded areas
  • Decommit/wipe unused
• RoP chain will be really huge and will have fairly obvious-looking characteristics
  • Even on AMD64 max stack is 4GB; "the maximum size of a segment (ss)."
• Detecting codeless-pagefaulting
  • Specifically: Scan/Verify GDT and TSS
  • Generally: Performance drain, counters, clock skew, context switches, accounting, …

Page 23

So What?
• Page table verifier identifies hidden areas
• White list as much as possible
  • High 99%
• Defend RoP attacks with SSRA checking

Page 24

Comprehensive verification
• Forensics
• Reduction / Analysis aid
• APT Detection
  • Diffing
  • White list

Page 25

Dependencies?
• Require NX
• SMEP Recommended

Page 26

What about script hosts?
• Instrument / Profile scripts to generate white lists
• Doable for .NET
• More difficult for PHP and company?

Page 27

Demo