1 / 21

Matthieu Suiche | < matt@msuiche > | msuiche

Kernel Security. Matthieu Suiche | < matt@msuiche.net > | www.msuiche.net. Who am I?. High school student Website/Blog: www.msuiche.net Microsoft Student Partner (MSP) Security Fanatics ! Reverse Engineering Vulnerabilities Analyse Malicious Binary Research

Download Presentation

Matthieu Suiche | < matt@msuiche > | msuiche

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript


  1. Kernel Security Matthieu Suiche | < matt@msuiche.net > | www.msuiche.net

  2. Who am I? • High school student • Website/Blog: www.msuiche.net • Microsoft Student Partner (MSP) • Security Fanatics ! • Reverse Engineering • Vulnerabilities Analyse • Malicious Binary Research • Security Tools Programming • Core System Security Research • TinyKRNL Project • Kernel Developer (ATAPI)

  3. Agenda • Kernel Hooking, why ? • Patchguard • Code Integrity • Signed Drivers • Windows Vista (32 bits Kernel) • SSDT • KIDT • MSR • Windows Vista (64 bits Kernel) • SSDT • KIDT • MSR

  4. Kernel Hooking, Why ? • Mainly from rootkits ! • Modification of system table like SDT • Functions NtCreateProcess, NtSystemInformation, ... • Modification of internal stuctures • PsLoadedModuleList • Modification of IDT to manage external debugger • Modification of the 0x2E interrupt to hook syscalls (Win2K) • Modification of MSR registers to hook syscalls (WinXP, Win2k3, WinVista) • Modification of system functions prolog

  5. Patchguard • Authors : Windows Core Team • First implementation in Windows XP x64 • Cf. Analysis of Matt Miller & Ken Johnson (Win2k3) • Checking of system tables and critical sections. • Functions • IDT • GDT • SDT • Processus list • MSRs • 25, Octobre 2006 – Authentium • 8, Novembre 2006 – Windows Vista RTM

  6. Code Integrity (CI.DLL) • Authors : Windows DRM Team • Windows Vista Innovation • Numerous steps • A bootloader checks the ntoskrnl, HAL, and boot drivers authenticity. • Checks the ntoskrnl import table • Deleting or patching of CI.DLL => Cannot boot ! • Note : WINLOAD.EXE checks NTOSKRNL.EXE authenticity while booting • Enabled before patchguard • Can be disabled by user while booting.

  7. Signed Drivers (KMD) • Goal : Prevent from rootkits and malicious drivers. • Mandatory on Windows Vista 64bits • Signed by a certificate • Can be disabled by user while booting (BOOT.INI) • July 2006 – J. Rutkowska / BlackHat • Three steps attack • Eat the full physical memory • Access granted to the pagination file (pagefile.sys) from a direct access to the HDD (\\.\PHYSICALDRIVE0) • Modify a loaded driver (e.g. NULL.sys) • Another step using hardware virtualization. • Pacifica (AMD SVM extensions) / Vanderpool (Vt-x) • Pagefile attack fixed with Windows Vista RC2

  8. Kernel must go on !Kernel must go on !Inside my brain is breaking, ... Windows Vista 32 bits

  9. System Service Descriptor Table • Goal : Find the SSDT • The public method from "90210" still be usable. • KeServiceDescriptorTable still be exportable • KiServiceTable initialized in KiInitSystem() • mov ds:_KeServiceDescriptorTable, offset _KiServiceTable • Import ntoskrnl as a dll • Import KeServiceDescriptorTable • List all references to find its xref • Check these opcodes to be "mov [mem32], imm32" • Then we get a pointer like the following schemePVOID KiServiceTable[KiServiceLimit]

  10. Interrupt Descriptor Table • Goal : Find the IDT • Still to be the same thing • Proof of concept : IDTGuard 0.1 • Release on December 10 2006 • Look for the exported function KiSystemStartup() • GetMachineBootPointers() function returns pointer to IDT, GDT and LDT • NTOSKRNL set up instructions • Adding of pointer to IDT in KPCR.IDT (+0x38) • Copy theorical address from INIT section. • mov edi, [ebp+IdtEntry] • mov esi, offset INIT.IdtRawOffset • mov ecx, 2048 • shr ecx, 2 • rep movsd • Some of these instructions are modified by HAL.DLL (KPCR), and some others are pointers to KINTERRUPT structure.

  11. Memento : Sysenter ! KiFastSystemCall proc near mov edx, esp sysenter KiFastSystemCall endp

  12. Model Specific Registers • Opcodes : SYSENTER / SYSRET • Three MSRs Initialization: • IA32_SYSENTER_ESP • Kernel-land stack pointer • IA32_SYSENTER_CS • CS register data for kernel land • IA32_SYSENTER_EIP • Kernel-land entrypoint • KiLoadFastSyscallMachineSpecificRegisters() • WRMSR(IA32_SYSENTER_CS, 0x08, NULL); • WRMSR(IA32_SYSENTER_EIP, KiFastCallEntry, NULL); • WRMSR(IA32_SYSENTER_ESP, Unknow.u1988, NULL); • A signature for find these opcodes can be easy builded. • We have a serie of three WRMSR FUNCTION calls.

  13. Conclusion 32 bits • Same internal scheme as previous Windows version. (Windows 2000, XP, 2003) • Previous rootkit prevention tools should continue to work. • T. Chew Keong - SDTRestore v0.2 • M. Suiche – IDTGuard v0.1 (without \dev\(k)mem trick) • M. Russinovich – Rootkit Revealer v1.71 • J. Rutkowska - System Virginity Verifier (SVV) v2.3

  14. Another one bites the dustHey, I’m gonna get you too Windows Vista 64 bits

  15. System Service Descriptor Table • KeServiceDescriptorTable where are you? • Doesn’t exported but still present in ALMOSTRO section • INIT.KiInitSystem() • lea rax, KiServiceTable • mov cs:KeServiceDescriptorTable, rax • KiServiceTable still present in ".text section • A bigger signature is needed • Manual location of KiInitSystem() is needed • Be Rather to use a 64 bits LDE • (LDE = Length Disassembly Engine)

  16. Interrupt Descriptor Table • KiSystemStartup() • GS Segment register initialization (GS_BASE) • Copy of IDT Base into [GsBase+0x38] • KiInitializeBootStructures() • xor r10, r10 • lea r12, (INIT.KiInterruptInitTable+8) • lea r9, KxUnexpectedInterrupt0 • Copy interrupts from NTOSKRNL • 0 to 19 and some others • Easier to find than SSDT • Can become a critical target for rootkit

  17. Memento : Syscall ! Ntxxxxxxxxxxxxx proc near mov r10, rcx ; Ntxxxxxxxxxxxxx mov eax, FunctionID syscall retn Ntxxxxxxxxxxxxx endp

  18. Syscall / Sysexit • IA32_LSTAR (0xC0000082) • KiSystemCall64 • IA32_CSTAR (0xC0000083) • KiSystemCall32 • KiInitializeBootStructures() • lea rax, KiSystemCall32 • mov ecx, 0C0000083h • mov rdx, rax ; CSTAR • shr rdx, 20h • wrmsr • lea rax, KiSystemCall64 • mov ecx, 0C0000082h ; LSTAR • mov rdx, rax • shr rdx, 20h • wrmsr • Conclusion : MSRs Initialization is very easy to locate cause of the wrmsr opcode. • This is a macro used by MS Programmers and not a function like in the 32bits version.

  19. Conclusion 64 bits • A Non Microsoft Patchguard for 64bits? • Any research about it • Am writting an article about this one. • Note : • WoW (Windows-on-Windows) emulation continues to use 0x2E interrupt (ntdll.dll)

  20. Références • Matthew Conover (2006), Windows Vista Kernel Mode Security • http://www.symantec.com/avcenter/reference/Windows_Vista_Kernel_Mode_Security.pdf • Matthieu Suiche (Décembre 2006) IDTGuard v0.1 PublicBuild • http://www.msuiche.net/?p=9 • Joanna Rutkowska (Juillet/Aout 2006), Subverting Vista Kernel • http://invisiblethings.org/papers/joanna%20rutkowska%20-%20subverting%20vista%20kernel.ppt • Mark Russinovich (Novembre 2006), RootkitRevealer 1.7.1 • http://www.microsoft.com/technet/sysinternals/utilities/RootkitRevealer.mspx • Joanna Rutkowska (2006) “System Virginity Verifier” • http://www.invisiblethings.org/papers/rutkowska_bhfederal2006.ppt • Authentium (Octobre 2006), Microsoft Patchguard • http://blogs.authentium.com/sharp/?p=12 • Matt Miller, Ken Johnson (Décembre, 2005) Bypassing Patchguard on Windows x64 • http://www.uninformed.org/?v=3&a=3 • Protected-Mode Exceptions and Interrupts (5-3) • IA-32 Intel Architecture Software Developer's Manual. System Programming Guide • Microsoft (Janvier 2006), “Digital Signatures for Kernel Modules on x64-based Systems Running Windows Vista” • http://download.microsoft.com/download/9/c/5/9c5b2167-8017-4bae-9fde-d599bac8184a/x64KMSigning.doc • Microsoft (Avril 2005), “Benefits of Microsoft Windows x64 Editions” • http://download.microsoft.com/download/D/A/A/DAA7245D-E01D-46A4-AB70-3A95ED3F6934/Windowsx64BenefitsWP.doc • M. Conover (Mars 2006), “Analysis of the Windows Vista Security Model” • http://www.symantec.com/avcenter/reference/Windows_Vista_Security_Model_Analysis.pdf

  21. Questions and Answers

More Related