Post on 02-Jan-2016
Tracking Rootkit Footprints with Pratical Memory Analysis System
Weidong Cui and Marcus Peinado, Microsoft Research; Zhilei Xu, Massachusetts Institute of Technology; Ellick Chan, University of Illinois at
Urbana-Champaign
Kernel Rootkit Footprints
Memory changes a kernel rootkit makes for• Hijacking code execution• Hiding its activities
Kernel Rootkit in Memory
• A needle in a haystack!– A typical Windows 7
• kernel has– 100+ loaded modules– 100K to 1M+ data objects– 100K+ function pointers
• How to find all the data and function pointers?
Memory Analysis System
• MAS – a pratical memory analysis system• Identify all memory changes– Static Analysis• Identify candidate types for generic pointers
– Memory Traversal• Identify dynamic data objects
– Integrity Checking• Detect two kinds of violations
Demand-Driven Pointer Analysis
• Program Expression Graph– Assignment Edge (A): if e1=e2, then e1 ← e2– Dereference Edge (D): *e ← e, e ← &e
Demand-Driven Pointer Analysis (Cont.)
• Two relations between expressions– Value Alias (V): aVb– Memory Alias (M): aMb
• Context-Free Grammar– aVbAcMd → aVbMd → aVd → V ::= VAM
• Path from b to c with label sequence– b = c , Given
Demand-Driven Pointer Analysis (Cont.)
• Field Sensitivity– p+f to denote &(p→f)– *(p+f) to denote p→f– *(&a+f) to denote a.f
Type Candidate Interface
• Generic pointer– FOO* q; void* p; p = q, we get p’s candidate type
as FOO*– A pointer field fi of void*
• fi’s candidate types are the set of types of all the value aliases of the pointer field’s instances in the form of X → fi.
Memory Traversal
• MAS first locates static data objects in each loaded module.
• Then recursively follow the pointers in these objects and in all newly identified data objects, until no new data object can be added.
Pointer Uncertainty is Unavoidable
• Ambiguous pointers– Generic pointers with multiple candidate types– Pointers in unions– MAS ignores all ambiguous pointers
• Invalid pointers– Uninitialized pointers– Corrupted pointers
Constraints for Data Objects
• Size Constraint– a data object must lie completely within a
memory block. • Pointer Constraint– a data object’s pointer fields must either be null or
point to the kernel address range.
Constraints for Data Objects (Cont.)
• Enum Constraint– a data object’s enum fields must take a valid enum
value which is stored in the PDB files.• Pool Tag Constraint– the type of a data object must be in the set of data
types associated with the pool block in which the data object is located.
Integrity Checking
• Code Integrity– trusted code in memory should match with the
image file on disk.• Function Pointer Integrity– function pointers should point to the trusted code.
• Visibility Integrity– data objects found by MAS should be visible to
system tools (e.g., those available in a debugger for listing processes and modules).
Implementation
• Static analysis– 12K lines of C++ code– Developed a PREfast plugin to extract information
• Memory traversal and integrity checking– 24K lines of C/C++ code– Worked as a debugger extension for WinDbg
Real-World Data Sets
• 11 Windows Vista SP1 crash dumps• 837 Window 7 crash dumps• 154,768 memory snapshots derived from our
large scale kernel malware analysis
Function Pointer Hooking
• Windows Kernel and 5 drivers (ntfs, fastfat, ndis, fltmgr, null)– 191 unique function
pointers– 31 different data
structures
Accuracy
• For 10 Windows Vista SP1 crash dumps– All suspicious function pointers found by MAS are
true function pointers– All true suspicious function pointers found by KOP
are found by MAS• For 837 Windows 7 crash dumps– We verified that all but 24 out of 400K suspicious
function pointers are true function pointers
Detecting Rootkits in Crash Dumps
• Cannot fully automate it because of third-party drivers– Ignore suspicious function pointers to unknown
modules
Summary
• MAS is a practical memory analysis system for detecting and analyzing kernel rootkits– Handles pointer uncertainty effectively
• Applied MAS to 848 real-world crash dumps– Found 95 of them have rootkits
• Large-scale study of 150K malware samples– Hooked 191 unique functions pointers in 31 data
structures of 6 modules