Presentation Transcript

Kernel Security

Matthieu Suiche | < matt@msuiche.net > | www.msuiche.net

Who am I?
  • High school student
  • Website/Blog: www.msuiche.net
  • Microsoft Student Partner (MSP)
  • Security fanatic!
    • Reverse engineering
    • Vulnerability analysis
    • Malicious binary research
    • Security tools programming
    • Core system security research
  • TinyKRNL Project
    • Kernel developer (ATAPI)
Agenda
  • Kernel hooking, why?
  • Patchguard
  • Code Integrity
  • Signed drivers
  • Windows Vista (32-bit kernel)
    • SSDT
    • KIDT
    • MSR
  • Windows Vista (64-bit kernel)
    • SSDT
    • KIDT
    • MSR
Kernel Hooking, Why?
  • Mainly from rootkits!
    • Modification of system tables such as the SDT
      • Functions NtCreateProcess, NtSystemInformation, ...
    • Modification of internal structures
      • PsLoadedModuleList
    • Modification of the IDT to manage an external debugger
    • Modification of the 0x2E interrupt to hook syscalls (Win2K)
    • Modification of MSR registers to hook syscalls (WinXP, Win2k3, WinVista)
    • Modification of system function prologues
Patchguard
  • Authors: Windows Core Team
  • First implementation in Windows XP x64
    • Cf. analysis by Matt Miller & Ken Johnson (Win2k3)
  • Checks system tables and critical sections:
    • Functions
    • IDT
    • GDT
    • SDT
    • Process list
    • MSRs
  • 25 October 2006 – Authentium
  • 8 November 2006 – Windows Vista RTM
Code Integrity (CI.DLL)
  • Authors: Windows DRM Team
  • A Windows Vista innovation
  • Numerous steps
    • The bootloader checks the authenticity of ntoskrnl, the HAL, and the boot drivers.
    • Checks the ntoskrnl import table
    • Deleting or patching CI.DLL => cannot boot!
    • Note: WINLOAD.EXE checks the authenticity of NTOSKRNL.EXE while booting
  • Enabled before Patchguard
  • Can be disabled by the user while booting.
Signed Drivers (KMD)
  • Goal: protect against rootkits and malicious drivers.
  • Mandatory on Windows Vista 64-bit
  • Signed with a certificate
  • Can be disabled by the user while booting (BOOT.INI)
  • July 2006 – J. Rutkowska / BlackHat
    • Three-step attack
      • Consume all of physical memory
      • Gain access to the paging file (pagefile.sys) through direct access to the HDD (\\.\PHYSICALDRIVE0)
      • Modify a loaded driver (e.g. NULL.sys)
    • Another approach using hardware virtualization.
      • Pacifica (AMD SVM extensions) / Vanderpool (Intel VT-x)
  • Pagefile attack fixed in Windows Vista RC2
System Service Descriptor Table
  • Goal: find the SSDT
  • The public method from "90210" is still usable.
    • KeServiceDescriptorTable is still exported
    • KiServiceTable is initialized in KiInitSystem()
      • mov ds:_KeServiceDescriptorTable, offset _KiServiceTable
    • Import ntoskrnl as a DLL
    • Import KeServiceDescriptorTable
    • List all references to find its xref
    • Check that the opcodes are "mov [mem32], imm32"
    • We then get a pointer of the form PVOID KiServiceTable[KiServiceLimit]
Interrupt Descriptor Table
  • Goal: find the IDT
  • Still the same approach
    • Proof of concept: IDTGuard 0.1
      • Released on December 10, 2006
    • Look for the exported function KiSystemStartup()
    • The GetMachineBootPointers() function returns pointers to the IDT, GDT and LDT
    • NTOSKRNL setup instructions
      • Stores the pointer to the IDT in KPCR.IDT (+0x38)
      • Copies the theoretical table from the INIT section.
        • mov edi, [ebp+IdtEntry]
        • mov esi, offset INIT.IdtRawOffset
        • mov ecx, 2048
        • shr ecx, 2
        • rep movsd
    • Some of these entries are later modified by HAL.DLL (KPCR), and some others are pointers to KINTERRUPT structures.
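As an added example (not code from the slides, nor from IDTGuard or SDTRestore), the C program below models in user mode, on constructed data, the two checks behind the SSDT and IDT slides: it decodes the "mov [mem32], imm32" xref to recover KiServiceTable, extracts the handler address from a 32-bit IDT gate, and counts table entries that fall outside the allowed modules (ntoskrnl for the SSDT; ntoskrnl, HAL and KINTERRUPT dispatch code for the IDT). All addresses, bytes and the module range are constructed; the x86 encoding C7 05 disp32 imm32 and the gate layout are real.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
typedef struct { uint32_t base, size; } range_t;   /* a loaded module's VA range */
static uint32_t rd32(const uint8_t *p)
{
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}
/* SSDT slide: the xref to KeServiceDescriptorTable in KiInitSystem must be
 * "mov [mem32], imm32" (C7 05 <disp32> <imm32>); the imm32 is KiServiceTable. */
uint32_t find_kiservicetable(const uint8_t *code, size_t len, uint32_t kesdt_addr)
{
    for (size_t i = 0; i + 10 <= len; i++)
        if (code[i] == 0xC7 && code[i + 1] == 0x05 && rd32(code + i + 2) == kesdt_addr)
            return rd32(code + i + 6);
    return 0;   /* no matching store found */
}
/* IDT slide: a 32-bit gate keeps the handler offset in bytes 0-1 (low) and 6-7 (high). */
uint32_t idt_gate_offset(const uint8_t *gate)
{
    return (uint32_t)gate[0] | (uint32_t)gate[1] << 8 | (uint32_t)gate[6] << 16 | (uint32_t)gate[7] << 24;
}
/* SDTRestore/IDTGuard-style check: an entry is suspicious when it lies in none of the
 * allowed ranges. Returns the number of such entries (candidate hooks). */
size_t count_outside(const uint32_t *entries, size_t n, const range_t *ok, size_t nok)
{
    size_t bad = 0;
    for (size_t i = 0; i < n; i++) {
        int inside = 0;
        for (size_t j = 0; j < nok; j++)
            if (entries[i] >= ok[j].base && entries[i] - ok[j].base < ok[j].size) inside = 1;
        bad += !inside;
    }
    return bad;
}
/* Constructed sample: "KiInitSystem" bytes, a four-entry SSDT snapshot whose third
 * entry points into a third-party driver, and a made-up ntoskrnl range. */
static const uint8_t CODE[] = { 0x90, 0xC7, 0x05, 0xA0, 0x3F, 0x55, 0x80, 0x78, 0x56, 0x40, 0x80, 0xC3 };
static const uint32_t SSDT[] = { 0x80501000u, 0x80502000u, 0xF7A01234u, 0x80503000u };
static const range_t NTOS = { 0x80400000u, 0x001F0000u };

int main(void)
{
    printf("KiServiceTable = 0x%08X\n", find_kiservicetable(CODE, sizeof CODE, 0x80553FA0u));
    printf("SSDT entries outside ntoskrnl: %zu\n", count_outside(SSDT, 4, &NTOS, 1));
    return 0;
}
```

For the IDT the same count_outside() is called with several ranges, since the slide notes that HAL.DLL and KINTERRUPT structures legitimately own some entries.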
Memento : Sysenter !

    KiFastSystemCall proc near
        mov edx, esp
        sysenter
    KiFastSystemCall endp

Model Specific Registers
  • Opcodes: SYSENTER / SYSRET
  • Three MSRs initialized:
    • IA32_SYSENTER_ESP
      • Kernel-land stack pointer
    • IA32_SYSENTER_CS
      • CS register value for kernel land
    • IA32_SYSENTER_EIP
      • Kernel-land entry point
  • KiLoadFastSyscallMachineSpecificRegisters()
      • WRMSR(IA32_SYSENTER_CS, 0x08, NULL);
      • WRMSR(IA32_SYSENTER_EIP, KiFastCallEntry, NULL);
      • WRMSR(IA32_SYSENTER_ESP, Unknow.u1988, NULL);
  • A signature to find these opcodes can easily be built.
    • We have a series of three WRMSR function calls.
Conclusion 32 bits
  • Same internal scheme as previous Windows versions (Windows 2000, XP, 2003).
  • Previous rootkit prevention tools should continue to work.
    • T. Chew Keong – SDTRestore v0.2
    • M. Suiche – IDTGuard v0.1 (without the \dev\(k)mem trick)
    • M. Russinovich – RootkitRevealer v1.71
    • J. Rutkowska – System Virginity Verifier (SVV) v2.3
System Service Descriptor Table
  • KeServiceDescriptorTable, where are you?
    • Not exported, but still present in the ALMOSTRO section
    • INIT.KiInitSystem()
      • lea rax, KiServiceTable
      • mov cs:KeServiceDescriptorTable, rax
    • KiServiceTable is still present in the .text section
    • A bigger signature is needed
    • Manual location of KiInitSystem() is needed
      • Better to use a 64-bit LDE
      • (LDE = Length Disassembly Engine)
Interrupt Descriptor Table
  • KiSystemStartup()
    • GS segment register initialization (GS_BASE)
    • Copy of the IDT base into [GsBase+0x38]
    • KiInitializeBootStructures()
      • xor r10, r10
      • lea r12, (INIT.KiInterruptInitTable+8)
      • lea r9, KxUnexpectedInterrupt0
    • Copies interrupts from NTOSKRNL
      • 0 to 19 and some others
    • Easier to find than the SSDT
      • Can become a critical target for rootkits
Memento : Syscall !

    Ntxxxxxxxxxxxxx proc near
        mov r10, rcx ; Ntxxxxxxxxxxxxx
        mov eax, FunctionID
        syscall
        retn
    Ntxxxxxxxxxxxxx endp

Syscall / Sysexit
  • IA32_LSTAR (0xC0000082)
    • KiSystemCall64
  • IA32_CSTAR (0xC0000083)
    • KiSystemCall32
  • KiInitializeBootStructures()
    • lea rax, KiSystemCall32
    • mov ecx, 0C0000083h
    • mov rdx, rax ; CSTAR
    • shr rdx, 20h
    • wrmsr
    • lea rax, KiSystemCall64
    • mov ecx, 0C0000082h ; LSTAR
    • mov rdx, rax
    • shr rdx, 20h
    • wrmsr
  • Conclusion: MSR initialization is very easy to locate because of the wrmsr opcode.
  • This is a macro used by Microsoft programmers, not a function as in the 32-bit version.
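Added example, not code from the slides: a user-mode C scanner for the wrmsr sequence above, which also illustrates the 32-bit slide's claim that a signature for the MSR initialization is easy to build. It anchors on "mov ecx, imm32" (B9 imm32), requires wrmsr (0F 30) within a short window, and recovers the target of the preceding rip-relative "lea rax", which is the expected LSTAR/CSTAR value an integrity checker would compare against the live MSR. The byte string and the image base are constructed; the assumption that the lea immediately precedes the mov ecx follows the slide's sequence.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
/* One WRMSR site recovered from the image: the MSR index and the address the
 * preceding "lea rax, Target" computes, i.e. the expected LSTAR/CSTAR value. */
typedef struct { uint32_t msr; uint64_t target; } msr_site_t;
static uint32_t rd32(const uint8_t *p)
{
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}
/* Signature for the slide's macro, with x64 encodings:
 *   lea rax, [rip+rel32]   48 8D 05 rel32
 *   mov ecx, imm32         B9 imm32
 *   mov rdx, rax ; shr rdx, 20h   (not matched: any bytes inside a 16-byte window)
 *   wrmsr                  0F 30
 * Assumption: the lea immediately precedes the mov ecx, as on the slide. */
size_t find_wrmsr_sites(const uint8_t *code, size_t len, uint64_t image_base,
                        msr_site_t *out, size_t max)
{
    size_t n = 0;
    for (size_t i = 7; i + 5 <= len && n < max; i++) {
        if (code[i] != 0xB9) continue;                                  /* mov ecx, imm32 */
        if (code[i - 7] != 0x48 || code[i - 6] != 0x8D || code[i - 5] != 0x05) continue;
        for (size_t j = i + 5; j + 2 <= len && j < i + 5 + 16; j++) {
            if (code[j] != 0x0F || code[j + 1] != 0x30) continue;       /* wrmsr */
            out[n].msr = rd32(code + i + 1);
            /* rip-relative lea: target = address of the next instruction (offset i) + rel32 */
            out[n].target = image_base + i + (int64_t)(int32_t)rd32(code + i - 4);
            n++;
            break;
        }
    }
    return n;
}
/* Constructed bytes mirroring the slide's sequence: CSTAR first, then LSTAR, then retn. */
static const uint8_t CODE[] = {
    0x48, 0x8D, 0x05, 0x00, 0x10, 0x00, 0x00, 0xB9, 0x83, 0x00, 0x00, 0xC0, /* lea rax,[rip+1000h]; mov ecx,0C0000083h */
    0x48, 0x8B, 0xD0, 0x48, 0xC1, 0xEA, 0x20, 0x0F, 0x30,                   /* mov rdx,rax; shr rdx,20h; wrmsr */
    0x48, 0x8D, 0x05, 0x00, 0x20, 0x00, 0x00, 0xB9, 0x82, 0x00, 0x00, 0xC0, /* lea rax,[rip+2000h]; mov ecx,0C0000082h */
    0x48, 0x8B, 0xD0, 0x48, 0xC1, 0xEA, 0x20, 0x0F, 0x30, 0xC3 };           /* mov rdx,rax; shr rdx,20h; wrmsr; retn */
#define IMAGE_BASE 0xFFFFF80001000000ULL   /* constructed load address of ntoskrnl */
int main(void)
{
    msr_site_t s[4];
    size_t n = find_wrmsr_sites(CODE, sizeof CODE, IMAGE_BASE, s, 4);
    for (size_t k = 0; k < n; k++)
        printf("MSR 0x%08X expected value 0x%016llX\n", s[k].msr, (unsigned long long)s[k].target);
    return 0;
}
```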
Conclusion 64 bits
  • A non-Microsoft Patchguard for 64-bit?
    • Any research about it?
    • I am writing an article about this one.
  • Note:
    • WoW (Windows-on-Windows) emulation continues to use the 0x2E interrupt (ntdll.dll)
References
  • Matthew Conover (2006), Windows Vista Kernel Mode Security
    • http://www.symantec.com/avcenter/reference/Windows_Vista_Kernel_Mode_Security.pdf
  • Matthieu Suiche (December 2006), IDTGuard v0.1 Public Build
    • http://www.msuiche.net/?p=9
  • Joanna Rutkowska (July/August 2006), Subverting Vista Kernel
    • http://invisiblethings.org/papers/joanna%20rutkowska%20-%20subverting%20vista%20kernel.ppt
  • Mark Russinovich (November 2006), RootkitRevealer 1.7.1
    • http://www.microsoft.com/technet/sysinternals/utilities/RootkitRevealer.mspx
  • Joanna Rutkowska (2006), "System Virginity Verifier"
    • http://www.invisiblethings.org/papers/rutkowska_bhfederal2006.ppt
  • Authentium (October 2006), Microsoft Patchguard
    • http://blogs.authentium.com/sharp/?p=12
  • Matt Miller, Ken Johnson (December 2005), Bypassing Patchguard on Windows x64
    • http://www.uninformed.org/?v=3&a=3
  • Protected-Mode Exceptions and Interrupts (5-3)
    • IA-32 Intel Architecture Software Developer's Manual, System Programming Guide
  • Microsoft (January 2006), "Digital Signatures for Kernel Modules on x64-based Systems Running Windows Vista"
    • http://download.microsoft.com/download/9/c/5/9c5b2167-8017-4bae-9fde-d599bac8184a/x64KMSigning.doc
  • Microsoft (April 2005), "Benefits of Microsoft Windows x64 Editions"
    • http://download.microsoft.com/download/D/A/A/DAA7245D-E01D-46A4-AB70-3A95ED3F6934/Windowsx64BenefitsWP.doc
  • M. Conover (March 2006), "Analysis of the Windows Vista Security Model"
    • http://www.symantec.com/avcenter/reference/Windows_Vista_Security_Model_Analysis.pdf