220 likes | 343 Views
Tracking Rootkit Footprints with Pratical Memory Analysis System. Weidong Cui and Marcus Peinado , Microsoft Research; Zhilei Xu , Massachusetts Institute of Technology; Ellick Chan, University of Illinois at Urbana-Champaign. Kernel Rootkit Footprints.
E N D
Tracking Rootkit Footprints with Pratical Memory Analysis System Weidong Cui and Marcus Peinado, Microsoft Research;ZhileiXu, Massachusetts Institute of Technology;Ellick Chan, University of Illinois at Urbana-Champaign
Kernel Rootkit Footprints Memory changes a kernel rootkit makes for • Hijacking code execution • Hiding its activities
Kernel Rootkit in Memory • A needle in a haystack! • A typical Windows 7 • kernel has • 100+ loaded modules • 100K to 1M+ data objects • 100K+ function pointers • How to find all the data and function pointers?
Memory Analysis System • MAS – a pratical memory analysis system • Identify all memory changes • Static Analysis • Identify candidate types for generic pointers • Memory Traversal • Identify dynamic data objects • Integrity Checking • Detect two kinds of violations
Demand-Driven Pointer Analysis • Program Expression Graph • Assignment Edge (A): if e1=e2, then e1 ← e2 • Dereference Edge (D): *e ← e, e ← &e
Demand-Driven Pointer Analysis (Cont.) • Two relations between expressions • Value Alias (V): aVb • Memory Alias (M): aMb • Context-Free Grammar • aVbAcMd→ aVbMd→ aVd→ V ::= VAM • Path from b to c with label sequence • b = c , Given
Demand-Driven Pointer Analysis (Cont.) • Field Sensitivity • p+f to denote &(p→f) • *(p+f) to denote p→f • *(&a+f) to denote a.f
Type Candidate Interface • Generic pointer • FOO* q; void* p; p = q, we get p’s candidate type as FOO* • A pointer field fi of void* • fi’scandidate types are the set of types of all the value aliases of the pointer field’s instances in the form of X →fi.
Memory Traversal • MAS first locates static data objects in each loaded module. • Then recursively follow the pointers in these objects and in all newly identified data objects, until no new data object can be added.
Pointer Uncertainty is Unavoidable • Ambiguous pointers • Generic pointers with multiple candidate types • Pointers in unions • MAS ignores all ambiguous pointers • Invalid pointers • Uninitialized pointers • Corrupted pointers
Constraints for Data Objects • Size Constraint • a data object must lie completely within a memory block. • Pointer Constraint • a data object’s pointer fields must either be null or point to the kernel address range.
Constraints for Data Objects (Cont.) • Enum Constraint • a data object’s enum fields must take a valid enum value which is stored in the PDB files. • Pool Tag Constraint • the type of a data object must be in the set of data types associated with the pool block in which the data object is located.
Integrity Checking • Code Integrity • trusted code in memory should match with the image file on disk. • Function Pointer Integrity • function pointers should point to the trusted code. • Visibility Integrity • data objects found by MAS should be visible to system tools (e.g., those available in a debugger for listing processes and modules).
Implementation • Static analysis • 12K lines of C++ code • Developed a PREfast plugin to extract information • Memory traversal and integrity checking • 24K lines of C/C++ code • Worked as a debugger extension for WinDbg
Real-World Data Sets • 11 Windows Vista SP1 crash dumps • 837 Window 7 crash dumps • 154,768 memory snapshots derived from our large scale kernel malware analysis
154,768 kernel malware samples • MAS reported kernel behaviors for only 89,474 of the samples.
Function Pointer Hooking • Windows Kernel and 5 drivers (ntfs, fastfat, ndis, fltmgr, null) • 191 unique function pointers • 31 different data structures
Windows Vista SP1 Crash Dump • Results on eleven Windows Vista SP1
Accuracy • For 10 Windows Vista SP1 crash dumps • All suspicious function pointers found by MAS are true function pointers • All true suspicious function pointers found by KOP are found by MAS • For 837 Windows 7 crash dumps • We verified that all but 24 out of 400K suspicious function pointers are true function pointers
Detecting Rootkits in Crash Dumps • Cannot fully automate it because of third-party drivers • Ignore suspicious function pointers to unknown modules
Summary • MAS is a practical memory analysis system for detecting and analyzing kernel rootkits • Handles pointer uncertainty effectively • Applied MAS to 848 real-world crash dumps • Found 95 of them have rootkits • Large-scale study of 150K malware samples • Hooked 191 unique functions pointers in 31 data structures of 6 modules