Tracking Rootkit Footprints with Pratical Memory Analysis System

Weidong Cui and Marcus Peinado, Microsoft Research; Zhilei Xu, Massachusetts Institute of Technology; Ellick Chan, University of Illinois at

Urbana-Champaign

Kernel Rootkit Footprints

Memory changes a kernel rootkit makes for• Hijacking code execution• Hiding its activities

Kernel Rootkit in Memory

• A needle in a haystack!– A typical Windows 7

• kernel has– 100+ loaded modules– 100K to 1M+ data objects– 100K+ function pointers

• How to find all the data and function pointers?

Memory Analysis System

• MAS – a pratical memory analysis system• Identify all memory changes– Static Analysis• Identify candidate types for generic pointers

– Memory Traversal• Identify dynamic data objects

– Integrity Checking• Detect two kinds of violations

Demand-Driven Pointer Analysis

• Program Expression Graph– Assignment Edge (A): if e1=e2, then e1 ← e2– Dereference Edge (D): *e ← e, e ← &e

Demand-Driven Pointer Analysis (Cont.)

• Two relations between expressions– Value Alias (V): aVb– Memory Alias (M): aMb

• Context-Free Grammar– aVbAcMd → aVbMd → aVd → V ::= VAM

• Path from b to c with label sequence– b = c , Given

Demand-Driven Pointer Analysis (Cont.)

• Field Sensitivity– p+f to denote &(p→f)– *(p+f) to denote p→f– *(&a+f) to denote a.f

Type Candidate Interface

• Generic pointer– FOO* q; void* p; p = q, we get p’s candidate type

as FOO*– A pointer field fi of void*

• fi’s candidate types are the set of types of all the value aliases of the pointer field’s instances in the form of X → fi.

Memory Traversal

• MAS first locates static data objects in each loaded module.

• Then recursively follow the pointers in these objects and in all newly identified data objects, until no new data object can be added.

Pointer Uncertainty is Unavoidable

• Ambiguous pointers– Generic pointers with multiple candidate types– Pointers in unions– MAS ignores all ambiguous pointers

• Invalid pointers– Uninitialized pointers– Corrupted pointers

Constraints for Data Objects

• Size Constraint– a data object must lie completely within a

memory block. • Pointer Constraint– a data object’s pointer fields must either be null or

point to the kernel address range.

Constraints for Data Objects (Cont.)

• Enum Constraint– a data object’s enum fields must take a valid enum

value which is stored in the PDB files.• Pool Tag Constraint– the type of a data object must be in the set of data

types associated with the pool block in which the data object is located.

Integrity Checking

• Code Integrity– trusted code in memory should match with the

image file on disk.• Function Pointer Integrity– function pointers should point to the trusted code.

• Visibility Integrity– data objects found by MAS should be visible to

system tools (e.g., those available in a debugger for listing processes and modules).

Implementation

• Static analysis– 12K lines of C++ code– Developed a PREfast plugin to extract information

• Memory traversal and integrity checking– 24K lines of C/C++ code– Worked as a debugger extension for WinDbg

Real-World Data Sets

• 11 Windows Vista SP1 crash dumps• 837 Window 7 crash dumps• 154,768 memory snapshots derived from our

large scale kernel malware analysis

154,768 kernel malware samples

• MAS reported kernel behaviors for only 89,474 of the samples.

Function Pointer Hooking

• Windows Kernel and 5 drivers (ntfs, fastfat, ndis, fltmgr, null)– 191 unique function

pointers– 31 different data

structures

Windows Vista SP1 Crash Dump

• Results on eleven Windows Vista SP1

Accuracy

• For 10 Windows Vista SP1 crash dumps– All suspicious function pointers found by MAS are

true function pointers– All true suspicious function pointers found by KOP

are found by MAS• For 837 Windows 7 crash dumps– We verified that all but 24 out of 400K suspicious

function pointers are true function pointers

Performance

Detecting Rootkits in Crash Dumps

• Cannot fully automate it because of third-party drivers– Ignore suspicious function pointers to unknown

modules

Summary

• MAS is a practical memory analysis system for detecting and analyzing kernel rootkits– Handles pointer uncertainty effectively

• Applied MAS to 848 real-world crash dumps– Found 95 of them have rootkits

• Large-scale study of 150K malware samples– Hooked 191 unique functions pointers in 31 data

structures of 6 modules