securimag - 2011-11 - live computer forensics - virtual...

SecurIMAG - 2011-11 - Live computer forensics -Virtual memory acquisition and exploitation on

Windows NT6+

Fabien Duchene 1,2

Guillaume Touron2

1Laboratoire d’Informatique de Grenoble, VASCO [email protected]

2 Grenoble Institute of Technology - Grenoble INP - [email protected]

2011-11Fabien Duchene, Guillaume Touron (SecurIMAG)Forensics-Live mem NT6 1/51 2011-11 1 / 51

http://www.liglab.fr

http://grenoble-inp.fr

Outline

1 Computer forensicsIntroductionTalk focus

2 Acquiring Windows x86 virtual memorySome methodsSome tools

3 Memory exploiting / analysisThe TrueCrypt exampleKmode explorationDKOM attacks

4 Conclusion

Fabien Duchene, Guillaume Touron (SecurIMAG)Forensics-Live mem NT6 2/51 2011-11 2 / 51

Computer forensics

Outline




4 Conclusion


Computer forensics Introduction

Computer Forensics?

What?Forensic Science: answer questions of interest to a legal system.Digital forensics: digital devicesComputer forensics: “identifying, preserving, recovering, analyzing,presenting facts and opinions” about the digital information



Computer Forensics?

What?Forensic Science: answer questions of interest to a legal system.Digital forensics: digital devicesComputer forensics: “identifying, preserving, recovering, analyzing,presenting facts and opinions” about the digital information

Basically answer to the question: “What happened?”



Computer Forensics?

Types of computer forensicsstatic / dead: system dump image analysis (eg: “unplug the powercord then analyze”)live: analysis of a running systemin-between: analyze memory image of a running system

Write-blocking readerFabien Duchene, Guillaume Touron (SecurIMAG)Forensics-Live mem NT6 5/51 2011-11 5 / 51


Forensics ... why?

Why? (forensics, live forensics?)



Forensics ... why?

Why? (forensics, live forensics?)in search of the truth!because they might still be in memory:

cryptographic keyscredentials



Live forensics

Live acquisition: acquiring data and modifying it the less possible,and being aware of the IMPACT!

the Ultimate live forensics goalGet a “complete picture shot” of the system

CPU flags, registers, cache ..storage: RAM, HDD, ..motherboard stateperipherals: NIC (buffers, own CPU andmemory state..)

→ Can we do it?



Live forensics

Live acquisition: acquiring data and modifying it the less possible,and being aware of the IMPACT!

Only he can!

the Ultimate live forensics goalGet a “complete picture shot” of the system

CPU flags, registers, cache ..storage: RAM, HDD, ..motherboard stateperipherals: NIC (buffers, own CPU andmemory state..)

→ Can we do it?


Computer forensics Talk focus

Talk topic

Live memory acquisitionPost-mortem analysis


Acquiring Windows x86 virtual memory

Outline




4 Conclusion


Acquiring Windows x86 virtual memory Some methods

cold boot attacks

Works on: any computer using DRAMRequires: physical accessDRAM retain their content for severalseconds after powered off

AttackFreeze themPlug them into a DRAM readerDump the content .. and enjoy!

[“Lest We Remember: Cold Boot Attacks onEncryption Keys” 2008] article findings

Bit decay increase over timePulse decay time is longer whentemperature is lower



virtual machine snapshots

Hypervisor examplesMicrosoft Hyper-V,Virtual-PCVMWare ESXOracle VirtualBoxParallels Desktop

VM snapshotWhat is a VM snapshot?



virtual machine snapshots

Hypervisor examplesMicrosoft Hyper-V,Virtual-PCVMWare ESXOracle VirtualBoxParallels Desktop

VM snapshotWhat is a VM snapshot?“photo” of the state and data of a VMat a given timebasically, the ultimate live forensics goal+ the VM power state (powered-on,off, suspended)



VM snapshot attack

Works on: any hypervisor having at least one virtualized computerRequires:

online:hypervisor snapshot privilege (take, apply).. or a way to subvert the hypervisor (eg: VM peripheral drivers), do itthe teach way!

offline: take snapshot and read access to the vhd file

Attacktake a snapshot

export the virtual machine on a storage medium

import it

apply the snapshot (also restores virtual DRAM content)



Virtual Hard Disk

[lucd 2010]

[Savill 2008]

Virtualized Hard DiskTypes:

dynamic-sized file:dynamically evolving size (sectorson which data is written)VHD file size ≤ virtual disk capacity

fixed-sized file:VHD file size ' virtual disk capacitybetter performance

differential: dynamic that only storesmodification from the parent

Snapshot operations:take onedelete onemerge several onesapply one



random crap about the Hyper-V and VirtualPC VHD

2010-04-17



DMA attacks

[“Subverting Windows 7 x64 Kernel with DMA attacks”]

Direct Memory AccessPCI specifications, for performanceany device can issue a read/write DMA requestdo you spot the problem?



DMA attacks[“Subverting Windows 7 x64 Kernel with DMA attacks”]

Direct Memory AccessPCI specifications, for performanceany device can issue a read/write DMA requestdo you spot the problem?bypassing CPU, thus OS



DMA attacks implementations

Attacks implementations (public ones..)Firewire

2004 Maximilian Dornseif (Mac OS X)2006 Adam Boileau (Windows XP)2008 Damien Aumaitre (virtual memory reconstruction)

PCI2009 - Christophe Devine and Guillaume Vissian, custom DMA engineimplemented on a FPGA card

PCMCIA / CardBus / ExpressCard:2010 Damien Aumaitre, Christophe Devigne



DMA attack - the PCMCIA case

PCMCIA 32-bit port thus only the 4 GB physical memory areaddressableneed to identify the structures: not working on virtual memory, butdirectly on physical one!for more good beef: [“Subverting Windows 7 x64 Kernel with DMAattacks”]



Hibernate file

hiberfil.sys: Hibernation fileSince Windows 2000 (NT5)Undocumented formatFile stored on the disk driveContent:

physical memory dumprelated to pagefile.sys (virtual memory control)



Sandman: from hibernation to physical memory dump

Convert hibernation file hiberfil.sys into a regular memory dump[Matthieu Suiche 2008]



Windows Crash Dump

What is a crash dump?



Windows Crash Dump

What is a crash dump?yep that’s it!capture of the state of an application (broad sense, includingoperating system) when a crash event does occurhandled by Kernel “emergency” functions



Windows Crash Dump I

[Hameed 2008]

Complete memory dump1MB headercomplete physical memory dump

Kernel memory dump1MB headerkernel R/W pageskernel non paged memory: listof running processes, loadeddevice drivers



Windows Crash Dump II

Small memory dump MiniDump

64KB dump (128 KB → 64-bit)stop code, parameters, list of loaded device drivers, kernel stack forthe thread that crashed, information about the current process andthreat



automatic execution

.. : fake ipod USB token loaded, then automatic mounter and commandsrunning in the background. demo? teensy?



x86 VMM



x64 VMM


Acquiring Windows x86 virtual memory Some tools

Win32dd I

Win32ddMatthieu Suiche (now part of “Moonsols Memory Toolkit”)Goal: dumping physical memory using different acquisition methods

Physical memory dumping on Windows XP (NT 5)\Device \PhysicalMemory

... Windows Vista (NT6+)No longer available.Other acquisition methods:

PFN databaseMmMapIoSpace



PFN database



Win32dd I

We focus on MmMapIoSpace method

How does it work?Do some RE on Win32 driver

User/Kernel comm in WindowsPhysical memory access only in kernel mode

Win32 extracts its driver and registers itDriver creates a device

User-land program opens the device and sends ”commands”DeviceIoControl API, sends IRP to driver



Physical address space layout



Win32dd I

First:Win32dd retrieves physical memory ”runs”

”runs” are physical memory ranges actually used by the systemFor >= NT5.1:

Get MmPhysicalMemoryBlock in KDDEBUGGER DATA64Otherwise:

Use MmGetPhysicalMemoryRangesBuild MmPhysicalMemoryBlock yourself



Win32dd II

Second: Win32dd knows every physical runs, global algo:Iterate each runMap it with MmMapIoSpaceWrite it into your memory dump file

Repeat iterations NumberOfRuns times...


Memory exploiting / analysis

Outline




4 Conclusion


Memory exploiting / analysis

Memory forensics

Kernel objects listingSee next slides

Extracting in-memory cryptographic key material

TrueCrypt caseUser can choose to cache its passphrase

Go through kernel structures


Memory exploiting / analysis The TrueCrypt example

Memory forensics - TrueCrypt example I

Hypothesis: user enabled passphrase-caching

Passphrase-cachingPasssphrase is stored by TrueCrypt kernel driver

How to find this material?1: Find DRIVER OBJECT structure

Brute-force approachLook for specific structure patterns and constants

OBJECT HEADER, DISPATCH HEADER...Kernel addresses > MmSystemRangeStart (0x80000000)

List walking approach (e.g PsLoadedModuleList)KDDEBUGGER DATA64


Memory exploiting / analysis The TrueCrypt example

Memory forensics - TrueCrypt example II

2: Find DEVICE OBJECT structureCheck DRIVER OBJECT.DeviceObject

Devices list walking: DeviceObject.NextDeviceRetrieve DeviceObject.DeviceExtension

Used by driver programmer to store device-specific dataPersistent data (non-paged pool)

DeviceExtension found, then ?Then, analyze TrueCrypt-specific structures and extract master keys


Memory exploiting / analysis Kmode exploration

Volatility I

Volatility frameworkFramework for Windows physical memory dump exploration

Useful features:List process (PSLIST, see next slides...)Dump Windows registry...

Focus on PSLISTGoal: retrieve list of active processes when snapshot was taken



Volatility II



Volatility - PSLIST I

First goalRetrieve KPCR.ActiveProcessListHead

Problem: where is KPCR? (in phy space)We must find a Page Directory Table

Take EPROCESS.PageDirectoryTable[0] (== CR3 x86)

EACH PROCESS SHARES THE SAME KERNEL SPACE MAPPING(modulo session space, osef)

First stepFind a EPROCESS structure in memory

By recognizing some patterns



Volatility - PSLIST II

Once CR3 is found, retrieve KPCRKPCR always mapped at FS:[0] in KMODE

At fixed virtual address: 0xffdff 000We are now able to retrieve KPCR.ActiveProcessListHeadPSLISTWe can list active process and dump them (their whole vspace)


Memory exploiting / analysis DKOM attacks

Reminders of windows security mechanisms I

[Windows Internal 5th Ed. - Vista and 2008 Server] Windows Internal 5thEd. - Vista and 2008 ServerSecurable objects

Protected with SECURITY DESCRIPTORAccess Control Lists (SIDs ; associated allowed operations on object)eg:Peripherals, Files, Jobs, Shared memory sections, Pipes, LPC ports,Events, Mutexes, Timers, Semaphores, Access tokens, Windowstations, Desktops, SMB shares, Services, Registry keys...



Reminders of windows security mechanisms II



Reminders of windows security mechanisms III

Security TokenWhen accessing an object, the Security Reference Monitor checks theTOKEN of the process:

Process owner: user SID, groups SIDsPrivileges (f(process, user SIDs))Virtualization stateSession



Reminders of windows security mechanisms IV



DKOM attacks I

DKOMDirect Kernel Object Manipulation

Example:Hibernate file retrieved with SandmanSnapshot file (virtual machine)

Or DKOM on a living machine, with a kernel drivere.g Rootkits



DKOM attacks II

FULL ACCESS to physical memory (user and kernel!)YOU CAN READ/MODIFY EVERYTHING YOU WANT

Hypothesis: you can re-inject your modifications

Get TokenTOKEN accessed from EPROCESS structure

Possible attack: privilege escalationFind approriate EPROCESS structure

e.g a process you can exploit and make exec YOUR shellcodeModify your TOKEN SID

Be r00t, take NT AUTHORITY/SYSTEM SID

Subsequent object access or process creation performed under SYSTEM



DKOM attacks III

ConclusionPowerful attack but hard to use IRLSimilar escalation process used for kernel vuln exploitation



DKOM application: unlocking Windows 7 x64 computer

Idea: modify the password validation functionmsv1 0.dll!MsvpPasswordValidate [Boileau 2006]That password validate function will comparehash(inputted password) and the stored hash(user password) thenjump to a location if they are not equal (cmp then jnz)How to modify the memory?

[“Subverting Windows 7 x64 Kernel with DMA attacks”]



DKOM application: unlocking Windows 7 x64 computer

Idea: modify the password validation functionmsv1 0.dll!MsvpPasswordValidate [Boileau 2006]That password validate function will comparehash(inputted password) and the stored hash(user password) thenjump to a location if they are not equal (cmp then jnz)How to modify the memory?jnz → jmp

[“Subverting Windows 7 x64 Kernel with DMA attacks”]Fabien Duchene, Guillaume Touron (SecurIMAG)Forensics-Live mem NT6 47/51 2011-11 47 / 51

Conclusion

Outline




4 Conclusion


Conclusion

Conclusion

many methods for acquiring memory on a live system:OS independant: cold boot, DMA, snapshotdependent: snapshot (if hypervisor evadation), dumping tools, crash

regarding exploitation:take care of keeping the kernel structure coherent (or might have aBSOD!)watch out kernel protection such as PatchGuard (basically periodicalchecks, so the trick has not to last for too long)


Conclusion For Further Reading

Boileau, Adam (2006). “winlockpwn attack (Firewire)”. In:http://storm.net.nz/static/files/winlockpwn.Damien Aumaitre, Christophe Devine. “Subverting Windows 7 x64 Kernelwith DMA attacks”. In: Sogeti-ESEChttp://esec-lab.sogeti.com/dotclear/public/publications/10-hitbamsterdam-dmaattacks.pdf.Hameed, CC (2008). “Understanding Crash Dump Files”. In:https://blogs.technet.com/themes/blogs/generic/post.aspx?WeblogApp=askperf&y=2008&m=01&d=08&WeblogPostName=understanding-crash-dump-files&GroupKeys=.“Lest We Remember: Cold Boot Attacks on Encryption Keys” (2008). In:J. Alex Halderman, Seth D. Schoen, Nadia Heninger, William Clarkson,William Paul, Joseph A. Calandrino, Ariel J. Feldman, Jacob Appelbaumand Edward W. Feltenhttps://jhalderm.com/pub/papers/coldboot-sec08.pdf.


http://storm.net.nz/static/files/winlockpwn

http://esec-lab.sogeti.com/dotclear/public/publications/10-hitbamsterdam-dmaattacks.pdf

http://esec-lab.sogeti.com/dotclear/public/publications/10-hitbamsterdam-dmaattacks.pdf

https://blogs.technet.com/themes/blogs/generic/post.aspx?WeblogApp=askperf&y=2008&m=01&d=08&WeblogPostName=understanding-crash-dump-files&GroupKeys=



https://jhalderm.com/pub/papers/coldboot-sec08.pdf

Conclusion For Further Reading

lucd (2010). “yadr – A vdisk reporter”. In:http://www.lucd.info/2010/03/23/yadr-a-vdisk-reporter/.Mark E. Russinovich David A. Solomon, Alex Ionescu and so manymore (incl. Bernard Ourghanlian). Windows Internal 5th Ed. - Vista and2008 Server.http://technet.microsoft.com/en-us/sysinternals/bb963901.Matthieu Suiche, Nicolas Ruff (@Newsoft) (2008). “Sandman”. In:http://www.msuiche.net/2008/02/26/sandman-10080226-is-out/.Savill, John (2008). “Q. I’m deleting a Hyper-V virtual machine (VM) thathad snapshots. Why is the VM delete taking so long?” In:http://www.windowsitpro.com/article/virtualization/q-i-m-deleting-a-hyper-v-virtual-machine-vm-that-had-snapshots-why-is-the-vm-delete-taking-so-long-.


http://www.lucd.info/2010/03/23/yadr-a-vdisk-reporter/

http://technet.microsoft.com/en-us/sysinternals/bb963901

http://www.msuiche.net/2008/02/26/sandman-10080226-is-out/

http://www.windowsitpro.com/article/virtualization/q-i-m-deleting-a-hyper-v-virtual-machine-vm-that-had-snapshots-why-is-the-vm-delete-taking-so-long-



securimag - 2011-11 - live computer forensics - virtual...

Documents