1 / 22

Tracking Rootkit Footprints with Pratical Memory Analysis System

Tracking Rootkit Footprints with Pratical Memory Analysis System. Weidong Cui and Marcus Peinado ,  Microsoft Research; Zhilei Xu ,  Massachusetts Institute of Technology; Ellick Chan,  University of Illinois at Urbana-Champaign. Kernel Rootkit Footprints.

aldona
Download Presentation

Tracking Rootkit Footprints with Pratical Memory Analysis System

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Tracking Rootkit Footprints with Pratical Memory Analysis System Weidong Cui and Marcus Peinado, Microsoft Research;ZhileiXu, Massachusetts Institute of Technology;Ellick Chan, University of Illinois at Urbana-Champaign

  2. Kernel Rootkit Footprints Memory changes a kernel rootkit makes for • Hijacking code execution • Hiding its activities

  3. Kernel Rootkit in Memory • A needle in a haystack! • A typical Windows 7 • kernel has • 100+ loaded modules • 100K to 1M+ data objects • 100K+ function pointers • How to find all the data and function pointers?

  4. Memory Analysis System • MAS – a pratical memory analysis system • Identify all memory changes • Static Analysis • Identify candidate types for generic pointers • Memory Traversal • Identify dynamic data objects • Integrity Checking • Detect two kinds of violations

  5. Demand-Driven Pointer Analysis • Program Expression Graph • Assignment Edge (A): if e1=e2, then e1 ← e2 • Dereference Edge (D): *e ← e, e ← &e

  6. Demand-Driven Pointer Analysis (Cont.) • Two relations between expressions • Value Alias (V): aVb • Memory Alias (M): aMb • Context-Free Grammar • aVbAcMd→ aVbMd→ aVd→ V ::= VAM • Path from b to c with label sequence • b = c , Given

  7. Demand-Driven Pointer Analysis (Cont.) • Field Sensitivity • p+f to denote &(p→f) • *(p+f) to denote p→f • *(&a+f) to denote a.f

  8. Type Candidate Interface • Generic pointer • FOO* q; void* p; p = q, we get p’s candidate type as FOO* • A pointer field fi of void* • fi’scandidate types are the set of types of all the value aliases of the pointer field’s instances in the form of X →fi.

  9. Memory Traversal • MAS first locates static data objects in each loaded module. • Then recursively follow the pointers in these objects and in all newly identified data objects, until no new data object can be added.

  10. Pointer Uncertainty is Unavoidable • Ambiguous pointers • Generic pointers with multiple candidate types • Pointers in unions • MAS ignores all ambiguous pointers • Invalid pointers • Uninitialized pointers • Corrupted pointers

  11. Constraints for Data Objects • Size Constraint • a data object must lie completely within a memory block. • Pointer Constraint • a data object’s pointer fields must either be null or point to the kernel address range.

  12. Constraints for Data Objects (Cont.) • Enum Constraint • a data object’s enum fields must take a valid enum value which is stored in the PDB files. • Pool Tag Constraint • the type of a data object must be in the set of data types associated with the pool block in which the data object is located.

  13. Integrity Checking • Code Integrity • trusted code in memory should match with the image file on disk. • Function Pointer Integrity • function pointers should point to the trusted code. • Visibility Integrity • data objects found by MAS should be visible to system tools (e.g., those available in a debugger for listing processes and modules).

  14. Implementation • Static analysis • 12K lines of C++ code • Developed a PREfast plugin to extract information • Memory traversal and integrity checking • 24K lines of C/C++ code • Worked as a debugger extension for WinDbg

  15. Real-World Data Sets • 11 Windows Vista SP1 crash dumps • 837 Window 7 crash dumps • 154,768 memory snapshots derived from our large scale kernel malware analysis

  16. 154,768 kernel malware samples • MAS reported kernel behaviors for only 89,474 of the samples.

  17. Function Pointer Hooking • Windows Kernel and 5 drivers (ntfs, fastfat, ndis, fltmgr, null) • 191 unique function pointers • 31 different data structures

  18. Windows Vista SP1 Crash Dump • Results on eleven Windows Vista SP1

  19. Accuracy • For 10 Windows Vista SP1 crash dumps • All suspicious function pointers found by MAS are true function pointers • All true suspicious function pointers found by KOP are found by MAS • For 837 Windows 7 crash dumps • We verified that all but 24 out of 400K suspicious function pointers are true function pointers

  20. Performance

  21. Detecting Rootkits in Crash Dumps • Cannot fully automate it because of third-party drivers • Ignore suspicious function pointers to unknown modules

  22. Summary • MAS is a practical memory analysis system for detecting and analyzing kernel rootkits • Handles pointer uncertainty effectively • Applied MAS to 848 real-world crash dumps • Found 95 of them have rootkits • Large-scale study of 150K malware samples • Hooked 191 unique functions pointers in 31 data structures of 6 modules

More Related