SecurIMAG - 2011-11 - Live computer forensics - Virtual memory acquisition and exploitation on Windows NT6+
Fabien Duchene (1,2), Guillaume Touron (2)
1 Laboratoire d'Informatique de Grenoble, VASCO - [email protected]
2 Grenoble Institute of Technology - Grenoble INP - [email protected]
2011-11 - Fabien Duchene, Guillaume Touron (SecurIMAG) - Forensics - Live mem NT6 - slide 1/51
Outline
1 Computer forensics: Introduction; Talk focus
2 Acquiring Windows x86 virtual memory: Some methods; Some tools
3 Memory exploiting / analysis: The TrueCrypt example; Kmode exploration; DKOM attacks
4 Conclusion
Computer forensics
Computer forensics - Introduction
Computer Forensics?
What?
- Forensic science: answering questions of interest to a legal system.
- Digital forensics: the same, applied to digital devices.
- Computer forensics: "identifying, preserving, recovering, analyzing, presenting facts and opinions" about digital information.
Basically, answering the question: "What happened?"
Computer forensics - Introduction
Computer Forensics?
Types of computer forensics:
- static / dead: analysis of a system dump image (e.g. "unplug the power cord, then analyze")
- live: analysis of a running system
- in-between: analysis of a memory image of a running system
(figure: write-blocking reader)
Computer forensics - Introduction
Forensics ... why?
Why? (forensics, live forensics?)
- in search of the truth!
- because they might still be in memory:
  - cryptographic keys
  - credentials
Computer forensics - Introduction
Live forensics
Live acquisition: acquiring data while modifying it as little as possible, and being aware of the IMPACT!
(figure caption: Only he can!)
The ultimate live forensics goal: get a "complete picture shot" of the system
- CPU: flags, registers, cache ..
- storage: RAM, HDD, ..
- motherboard state
- peripherals: NIC (buffers, its own CPU and memory state ..)
→ Can we do it?
Computer forensics - Talk focus
Talk topic
- Live memory acquisition
- Post-mortem analysis
Acquiring Windows x86 virtual memory
Acquiring Windows x86 virtual memory - Some methods
Cold boot attacks
- Works on: any computer using DRAM
- Requires: physical access
- DRAM retains its content for several seconds after being powered off
Attack:
- freeze the DRAM modules
- plug them into a DRAM reader
- dump the content .. and enjoy!
Findings of the ["Lest We Remember: Cold Boot Attacks on Encryption Keys" 2008] article:
- bit decay increases over time
- pulse decay time is longer when the temperature is lower
Acquiring Windows x86 virtual memory - Some methods
Virtual machine snapshots
Hypervisor examples: Microsoft Hyper-V, Virtual PC; VMware ESX; Oracle VirtualBox; Parallels Desktop
VM snapshot. What is a VM snapshot?
- a "photo" of the state and data of a VM at a given time
- basically, the ultimate live forensics goal + the VM power state (powered-on, off, suspended)
Acquiring Windows x86 virtual memory - Some methods
VM snapshot attack
Works on: any hypervisor having at least one virtualized computer
Requires:
- online: the hypervisor snapshot privilege (take, apply) .. or a way to subvert the hypervisor (e.g. VM peripheral drivers), do it the teach way!
- offline: "take snapshot" and read access to the VHD file
Attack:
- take a snapshot
- export the virtual machine to a storage medium
- import it
- apply the snapshot (also restores the virtual DRAM content)
Acquiring Windows x86 virtual memory - Some methods
Virtual Hard Disk
[lucd 2010] [Savill 2008]
Virtualized hard disk types:
- dynamic-sized file: dynamically evolving size (sectors on which data is written); VHD file size ≤ virtual disk capacity
- fixed-sized file: VHD file size ≈ virtual disk capacity; better performance
- differential: a dynamic disk that only stores the modifications from its parent
Snapshot operations: take one; delete one; merge several ones; apply one
Acquiring Windows x86 virtual memory - Some methods
(figure: "random crap about the Hyper-V and VirtualPC VHD", dated 2010-04-17)
Acquiring Windows x86 virtual memory - Some methods
DMA attacks ["Subverting Windows 7 x64 Kernel with DMA attacks"]
Direct Memory Access:
- in the PCI specifications, for performance
- any device can issue a read/write DMA request
- do you spot the problem? It bypasses the CPU, thus the OS
Acquiring Windows x86 virtual memory - Some methods
DMA attack implementations
Attack implementations (public ones..):
- FireWire:
  - 2004 Maximilian Dornseif (Mac OS X)
  - 2006 Adam Boileau (Windows XP)
  - 2008 Damien Aumaitre (virtual memory reconstruction)
- PCI: 2009 - Christophe Devine and Guillaume Vissian, custom DMA engine implemented on an FPGA card
- PCMCIA / CardBus / ExpressCard: 2010 Damien Aumaitre, Christophe Devine
Acquiring Windows x86 virtual memory - Some methods
DMA attack - the PCMCIA case
- PCMCIA is a 32-bit port, thus only the first 4 GB of physical memory are addressable
- need to identify the structures: not working on virtual memory, but directly on physical memory!
- for more good beef: ["Subverting Windows 7 x64 Kernel with DMA attacks"]
Acquiring Windows x86 virtual memory - Some methods
Hibernate file
hiberfil.sys: hibernation file
- since Windows 2000 (NT5)
- undocumented format
- file stored on the disk drive
- content: physical memory dump; related to pagefile.sys (virtual memory control)
Acquiring Windows x86 virtual memory - Some methods
Sandman: from hibernation to physical memory dump
Converts the hibernation file hiberfil.sys into a regular memory dump [Matthieu Suiche 2008]
Acquiring Windows x86 virtual memory - Some methods
Windows Crash Dump
What is a crash dump? yep that's it!
- capture of the state of an application (in the broad sense, including the operating system) when a crash event occurs
- handled by kernel "emergency" functions
Acquiring Windows x86 virtual memory - Some methods
Windows Crash Dump I [Hameed 2008]
Complete memory dump:
- 1 MB header
- complete physical memory dump
Kernel memory dump:
- 1 MB header
- kernel R/W pages
- kernel non-paged memory: list of running processes, loaded device drivers
Acquiring Windows x86 virtual memory - Some methods
Windows Crash Dump II
Small memory dump (MiniDump):
- 64 KB dump (128 KB on 64-bit)
- stop code, parameters, list of loaded device drivers, kernel stack of the thread that crashed, information about the current process and thread
Acquiring Windows x86 virtual memory - Some methods
Automatic execution
.. : fake iPod USB token loaded, then automatic mounter and commands running in the background. demo? Teensy?
Acquiring Windows x86 virtual memory - Some methods
x86 VMM (figure only)
Acquiring Windows x86 virtual memory - Some methods
x64 VMM (figure only)
Acquiring Windows x86 virtual memory - Some tools
Win32dd I
Win32dd: Matthieu Suiche (now part of the "Moonsols Memory Toolkit")
Goal: dumping physical memory using different acquisition methods
- Physical memory dumping on Windows XP (NT5): \Device\PhysicalMemory
- ... on Windows Vista (NT6+): no longer available. Other acquisition methods:
  - PFN database
  - MmMapIoSpace
Acquiring Windows x86 virtual memory - Some tools
PFN database (figure only)
Acquiring Windows x86 virtual memory - Some tools
Win32dd I
We focus on the MmMapIoSpace method.
How does it work? Do some RE on the Win32dd driver.
User/kernel communication in Windows:
- physical memory access is only possible in kernel mode
- Win32dd extracts its driver and registers it; the driver creates a device
- the user-land program opens the device and sends "commands": the DeviceIoControl API sends an IRP to the driver
Acquiring Windows x86 virtual memory - Some tools
Physical address space layout (figure only)
Acquiring Windows x86 virtual memory - Some tools
Win32dd I
First: Win32dd retrieves the physical memory "runs"
- "runs" are the physical memory ranges actually used by the system
- for >= NT 5.1: get MmPhysicalMemoryBlock from KDDEBUGGER_DATA64
- otherwise: use MmGetPhysicalMemoryRanges and build MmPhysicalMemoryBlock yourself
Acquiring Windows x86 virtual memory - Some tools
Win32dd II
Second: Win32dd knows every physical run; global algorithm:
- iterate over each run
- map it with MmMapIoSpace
- write it into your memory dump file
- repeat the iteration NumberOfRuns times...
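The run-by-run copy described on the two Win32dd slides above, as an added Python example that is not Win32dd's or Moonsols' code: it parses a _PHYSICAL_MEMORY_DESCRIPTOR blob in its 32-bit layout (NumberOfRuns, NumberOfPages, then BasePage/PageCount pairs, the structure MmPhysicalMemoryBlock points to), iterates the runs, reads each page through a callback that stands in for the MmMapIoSpace-and-copy step, and keeps a layout table so a physical address can later be mapped back to an offset in the dump. The descriptor values, the fake page reader and the run ranges are constructed for the example.

```python
"""Rebuild the physical-memory runs a dumper iterates, and copy them into a raw dump.
Added example; the descriptor contents and the page reader are constructed here."""
import struct

PAGE_SIZE = 0x1000


def parse_memory_descriptor(blob):
    """32-bit _PHYSICAL_MEMORY_DESCRIPTOR: ULONG NumberOfRuns, ULONG NumberOfPages,
    then NumberOfRuns x {ULONG BasePage, ULONG PageCount}. Returns [(base, count), ...]."""
    number_of_runs, number_of_pages = struct.unpack_from("<II", blob, 0)
    runs = [struct.unpack_from("<II", blob, 8 + 8 * i) for i in range(number_of_runs)]
    # The kernel's own total must agree with the runs before the dump is trusted.
    if sum(count for _, count in runs) != number_of_pages:
        raise ValueError("run page counts do not add up to NumberOfPages")
    return runs


def dump_runs(runs, read_page):
    """Iterate each run, 'map' its pages through read_page(pfn) and append them to
    the dump. Returns (dump_bytes, layout) where layout lists, per run,
    (physical start, physical end, offset of the run inside the dump)."""
    out, layout = bytearray(), []
    for base, count in runs:
        layout.append((base * PAGE_SIZE, (base + count) * PAGE_SIZE, len(out)))
        for pfn in range(base, base + count):
            page = read_page(pfn)
            if len(page) != PAGE_SIZE:
                raise ValueError(f"page {pfn:#x}: expected {PAGE_SIZE} bytes")
            out += page
    return bytes(out), layout


def phys_to_dump_offset(layout, phys):
    """Physical address -> offset in the concatenated dump, or None when the
    address falls in a hole between runs (device memory, reserved ranges)."""
    for start, end, offset in layout:
        if start <= phys < end:
            return offset + (phys - start)
    return None


def build_sample_descriptor(runs):
    """Constructed descriptor blob with the 32-bit layout parsed above."""
    blob = struct.pack("<II", len(runs), sum(count for _, count in runs))
    for base, count in runs:
        blob += struct.pack("<II", base, count)
    return blob


def fake_read_page(pfn):
    """Constructed stand-in for MmMapIoSpace + copy: each page is filled with its PFN."""
    return bytes([pfn & 0xFF]) * PAGE_SIZE


def demo():
    """Two constructed runs with a hole between them: pages 0-1 and pages 0x10-0x12."""
    blob = build_sample_descriptor([(0, 2), (0x10, 3)])
    runs = parse_memory_descriptor(blob)
    dump, layout = dump_runs(runs, fake_read_page)
    return runs, dump, layout


if __name__ == "__main__":
    runs, dump, layout = demo()
    print(runs, len(dump), layout, hex(phys_to_dump_offset(layout, 0x10004)))
```

The layout table is the check a practitioner wants: because the runs have holes, a physical address is not in general equal to its offset in a dump that concatenates the runs, and NumberOfPages should match the sum of the run lengths before the image is used. Whether a real tool pads the holes with zeros or records the runs in a header is a property of its output format; here the layout table plays that role.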
Memory exploiting / analysis
Memory exploiting / analysis
Memory forensics
- Kernel objects listing: see next slides
- Extracting in-memory cryptographic key material
  - TrueCrypt case: the user can choose to cache their passphrase
  - go through the kernel structures
Memory exploiting / analysis - The TrueCrypt example
Memory forensics - TrueCrypt example I
Hypothesis: the user enabled passphrase caching
Passphrase caching: the passphrase is stored by the TrueCrypt kernel driver
How to find this material?
1: Find the DRIVER_OBJECT structure
- Brute-force approach: look for specific structure patterns and constants
  - OBJECT_HEADER, DISPATCH_HEADER...
  - kernel addresses > MmSystemRangeStart (0x80000000)
- List walking approach (e.g. PsLoadedModuleList), via KDDEBUGGER_DATA64
Memory exploiting / analysis - The TrueCrypt example
Memory forensics - TrueCrypt example II
2: Find the DEVICE_OBJECT structure
- check DRIVER_OBJECT.DeviceObject
- device list walking: DeviceObject.NextDevice
- retrieve DeviceObject.DeviceExtension
  - used by the driver programmer to store device-specific data
  - persistent data (non-paged pool)
DeviceExtension found, then? Then analyze the TrueCrypt-specific structures and extract the master keys
Memory exploiting / analysis - Kmode exploration
Volatility I
Volatility framework: a framework for Windows physical memory dump exploration
Useful features:
- list processes (PSLIST, see next slides...)
- dump the Windows registry
- ...
Focus on PSLIST. Goal: retrieve the list of processes that were active when the snapshot was taken
Memory exploiting / analysis - Kmode exploration
Volatility II (figure only)
Memory exploiting / analysis - Kmode exploration
Volatility - PSLIST I
First goal: retrieve KPCR.ActiveProcessListHead
- Problem: where is the KPCR (in the physical address space)? We must find a page directory table
- Take EPROCESS.PageDirectoryTable[0] (== CR3 on x86)
- EACH PROCESS SHARES THE SAME KERNEL SPACE MAPPING (modulo session space, who cares)
First step: find an EPROCESS structure in memory, by recognizing some patterns
Memory exploiting / analysis - Kmode exploration
Volatility - PSLIST II
- Once CR3 is found, retrieve the KPCR: the KPCR is always mapped at FS:[0] in kernel mode, at the fixed virtual address 0xffdff000
- We are now able to retrieve KPCR.ActiveProcessListHead
- PSLIST: we can list the active processes and dump them (their whole virtual address space)
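The CR3 / KPCR step of the two PSLIST slides, and the point made on the PCMCIA slide that an image is physical memory while every kernel pointer is a virtual address, as an added Python example that is not Volatility's code: it performs the x86 non-PAE two-level page-table walk over a constructed 32 KiB physical image, resolves the fixed KPCR address 0xffdff000 through CR3, reads the list head from the KPCR page, and follows ActiveProcessLinks through the page tables to list the processes. The image contents, the offset of the list head inside the KPCR page (0x100) and the toy EPROCESS layout (PID at 0, name at 4, links at 0x10) are constructed assumptions, not real NT offsets; a real walk plugs in the version-specific offsets. The walk also handles the two cases the slides gloss over: a not-present entry and a 4 MiB large page (PS bit in the PDE).

```python
"""x86 (non-PAE) page-table walk over a physical image, then a PSLIST-style
walk of ActiveProcessLinks. Added example on a constructed image; the list-head
offset and the EPROCESS field offsets are toy values, not real NT offsets."""
import struct

PAGE = 0x1000
KPCR_VA = 0xFFDFF000          # fixed KPCR virtual address on x86 (from the slides)
LIST_HEAD_OFF = 0x100         # constructed: offset of ActiveProcessListHead in the toy KPCR page
LINKS_OFF = 0x10              # constructed: offset of ActiveProcessLinks in the toy EPROCESS
NAME_OFF, NAME_LEN = 0x4, 12  # constructed: PID at offset 0, ImageFileName at offset 4


class PhysImage:
    """Raw physical memory image (what a dump tool or a snapshot file gives you)."""
    def __init__(self, data):
        self.data = data

    def read(self, pa, n):
        if pa < 0 or pa + n > len(self.data):
            raise ValueError(f"physical address {pa:#x} is outside the image")
        return self.data[pa:pa + n]

    def u32(self, pa):
        return struct.unpack_from("<I", self.read(pa, 4))[0]


def translate(img, cr3, va):
    """Two-level walk: PDE index = VA bits 31:22, PTE index = VA bits 21:12.
    Returns None when a level is not present; honours the PS bit (4 MiB page)."""
    pde = img.u32((cr3 & ~0xFFF) + ((va >> 22) & 0x3FF) * 4)
    if not pde & 1:
        return None
    if pde & 0x80:                                  # large page: no PTE level
        return (pde & 0xFFC00000) | (va & 0x3FFFFF)
    pte = img.u32((pde & ~0xFFF) + ((va >> 12) & 0x3FF) * 4)
    if not pte & 1:
        return None
    return (pte & ~0xFFF) | (va & 0xFFF)


def vread_u32(img, cr3, va):
    pa = translate(img, cr3, va)
    if pa is None:
        raise ValueError(f"virtual address {va:#x} is not mapped")
    return img.u32(pa)


def pslist(img, cr3, limit=4096):
    """Follow Flink from the list head in the KPCR page. Every pointer met on the
    way is a kernel virtual address, so each one goes through translate()."""
    head = KPCR_VA + LIST_HEAD_OFF
    procs, link = [], vread_u32(img, cr3, head)
    while link != head and len(procs) < limit:
        base = translate(img, cr3, link - LINKS_OFF)     # structure base from its LIST_ENTRY
        if base is None:
            raise ValueError(f"EPROCESS at {link - LINKS_OFF:#x} is not mapped")
        name = img.read(base + NAME_OFF, NAME_LEN).split(b"\0", 1)[0].decode()
        procs.append((img.u32(base), name))
        link = vread_u32(img, cr3, link)                 # Flink
    return procs


def build_sample_image():
    """Constructed 32 KiB image: page directory at 0x1000, page tables at 0x2000 and
    0x4000, KPCR page at 0x3000, three toy EPROCESS pages at 0x5000-0x7000."""
    mem, cr3 = bytearray(8 * PAGE), 0x1000

    def put(pa, value):
        struct.pack_into("<I", mem, pa, value)

    put(cr3 + 0x3FF * 4, 0x2000 | 0x3)      # VA 0xFFC00000-0xFFFFFFFF -> page table at 0x2000
    put(cr3 + 0x201 * 4, 0x4000 | 0x3)      # VA 0x80400000-0x807FFFFF -> page table at 0x4000
    put(cr3 + 0x001 * 4, 0x0000 | 0x83)     # VA 0x00400000-0x007FFFFF -> 4 MiB page at PA 0 (PS set)
    put(0x2000 + 0x1FF * 4, 0x3000 | 0x3)   # VA 0xFFDFF000 (KPCR) -> PA 0x3000
    procs = [(4, b"System"), (512, b"csrss.exe"), (1337, b"notepad.exe")]
    head_va = KPCR_VA + LIST_HEAD_OFF
    links = [head_va] + [0x80400000 + i * PAGE + LINKS_OFF for i in range(len(procs))]
    put(0x3000 + LIST_HEAD_OFF, links[1])                  # head.Flink
    put(0x3000 + LIST_HEAD_OFF + 4, links[-1])             # head.Blink
    for i, (pid, name) in enumerate(procs):
        pa = 0x5000 + i * PAGE
        put(0x4000 + i * 4, pa | 0x3)                      # VA 0x80400000 + i*4K -> pa
        put(pa, pid)
        mem[pa + NAME_OFF:pa + NAME_OFF + len(name)] = name
        put(pa + LINKS_OFF, links[(i + 2) % len(links)])   # Flink (last one points back to head)
        put(pa + LINKS_OFF + 4, links[i])                  # Blink
    mem[0x123] = 0x5A                                      # marker behind the large-page mapping
    return PhysImage(bytes(mem)), cr3


if __name__ == "__main__":
    image, cr3 = build_sample_image()
    print(hex(translate(image, cr3, KPCR_VA)), pslist(image, cr3))
```

Two things to keep in mind when moving from the toy to a real image: the structure may straddle a page boundary, so reads longer than a few bytes must be translated page by page rather than once at the base, and a list walk should be bounded (the limit argument) because a corrupted or manipulated Flink can loop forever.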
Memory exploiting / analysis - DKOM attacks
Reminders of Windows security mechanisms I [Windows Internals 5th Ed. - Vista and 2008 Server]
Securable objects:
- protected with a SECURITY_DESCRIPTOR
- Access Control Lists (SIDs; associated allowed operations on the object)
- e.g.: peripherals, files, jobs, shared memory sections, pipes, LPC ports, events, mutexes, timers, semaphores, access tokens, window stations, desktops, SMB shares, services, registry keys...
Memory exploiting / analysis - DKOM attacks
Reminders of Windows security mechanisms II (figure only)
Memory exploiting / analysis - DKOM attacks
Reminders of Windows security mechanisms III
Security token: when accessing an object, the Security Reference Monitor checks the TOKEN of the process:
- process owner: user SID, group SIDs
- privileges (f(process, user SIDs))
- virtualization state
- session
Memory exploiting / analysis - DKOM attacks
Reminders of Windows security mechanisms IV (figure only)
Memory exploiting / analysis - DKOM attacks
DKOM attacks I
DKOM: Direct Kernel Object Manipulation
Example inputs:
- hibernate file retrieved with Sandman
- snapshot file (virtual machine)
Or DKOM on a living machine, with a kernel driver, e.g. rootkits
Memory exploiting / analysis - DKOM attacks
DKOM attacks II
- FULL ACCESS to physical memory (user and kernel!): YOU CAN READ/MODIFY EVERYTHING YOU WANT
- Hypothesis: you can re-inject your modifications
- Get the token: the TOKEN is accessed from the EPROCESS structure
- Possible attack: privilege escalation
  - find the appropriate EPROCESS structure, e.g. a process you can exploit and make execute YOUR shellcode
  - modify your TOKEN SID: be r00t, take the NT AUTHORITY\SYSTEM SID
  - subsequent object accesses or process creations are performed as SYSTEM
Memory exploiting / analysis - DKOM attacks
DKOM attacks III
Conclusion: a powerful attack, but hard to use IRL; a similar escalation process is used for kernel vulnerability exploitation
Memory exploiting / analysis - DKOM attacks
DKOM application: unlocking a Windows 7 x64 computer
Idea: modify the password validation function msv1_0.dll!MsvpPasswordValidate [Boileau 2006]
- that password validation function compares hash(entered password) with the stored hash(user password), then jumps to a location if they are not equal (cmp then jnz)
- how to modify the memory? jnz → jmp
["Subverting Windows 7 x64 Kernel with DMA attacks"]
Conclusion
Conclusion
- many methods for acquiring memory on a live system:
  - OS-independent: cold boot, DMA, snapshot
  - OS-dependent: snapshot (if hypervisor evasion), dumping tools, crash dumps
- regarding exploitation:
  - take care to keep the kernel structures coherent (or you might get a BSOD!)
  - watch out for kernel protections such as PatchGuard (basically periodic checks, so the trick must not last too long)
Conclusion - For Further Reading
Boileau, Adam (2006). "winlockpwn attack (Firewire)". http://storm.net.nz/static/files/winlockpwn
Damien Aumaitre, Christophe Devine. "Subverting Windows 7 x64 Kernel with DMA attacks". Sogeti-ESEC. http://esec-lab.sogeti.com/dotclear/public/publications/10-hitbamsterdam-dmaattacks.pdf
Hameed, CC (2008). "Understanding Crash Dump Files". https://blogs.technet.com/themes/blogs/generic/post.aspx?WeblogApp=askperf&y=2008&m=01&d=08&WeblogPostName=understanding-crash-dump-files&GroupKeys=
J. Alex Halderman, Seth D. Schoen, Nadia Heninger, William Clarkson, William Paul, Joseph A. Calandrino, Ariel J. Feldman, Jacob Appelbaum and Edward W. Felten (2008). "Lest We Remember: Cold Boot Attacks on Encryption Keys". https://jhalderm.com/pub/papers/coldboot-sec08.pdf
lucd (2010). "yadr – A vdisk reporter". http://www.lucd.info/2010/03/23/yadr-a-vdisk-reporter/
Mark E. Russinovich, David A. Solomon, Alex Ionescu and so many more (incl. Bernard Ourghanlian). Windows Internals 5th Ed. - Vista and 2008 Server. http://technet.microsoft.com/en-us/sysinternals/bb963901
Matthieu Suiche, Nicolas Ruff (@Newsoft) (2008). "Sandman". http://www.msuiche.net/2008/02/26/sandman-10080226-is-out/
Savill, John (2008). "Q. I'm deleting a Hyper-V virtual machine (VM) that had snapshots. Why is the VM delete taking so long?" http://www.windowsitpro.com/article/virtualization/q-i-m-deleting-a-hyper-v-virtual-machine-vm-that-had-snapshots-why-is-the-vm-delete-taking-so-long-