(Un) Fucking Forensics - DEF CON CON 25/DEF CON 25... · Un F’d Memory Forensics – Remove the...
19
(Un) Fucking Forensics Ac#ve/Passive memory hacking/debugging K2 / Director @IOACTIVE hBps://github.com/K2
Transcript of (Un) Fucking Forensics - DEF CON CON 25/DEF CON 25... · Un F’d Memory Forensics – Remove the...
(Un) Fucking Forensics Ac#ve/Passivememoryhacking/debugging
K2/Director@IOACTIVE
hBps://github.com/K2
About me?
• Hackerforawhile
• inVtero.net• MemoryanalysisframeworkforWindows
• Superfast/GBPSthroughput• MemoryintegritycheckingofVM’s/CrashDumps/Memory
• Typeawarememoryhackingtool
• EhTrace• Binarytracetool
• Useshook/patch-lesstechniqueforin-processdebugging
• Lotsofotherstuff
Outline / areas
• Howtoforensic,howtoFuckforensicsandhowtounfuckit.
• Intx80AFtechniqueonheaderwipe/non-residentcode/trim()
• Howtodealwiththat
• RoPbackground,howit’susedinaBacks• GargoyleaBacks&howtoprotectagainstthem
• CloudLeech–twistonUlfFriskDMAaBacks/PCILeech
• Demoofopensourcememoryintegritypla_ormforWindows!
Can you even forensic?
• Ingeneral:Determinewhathappened.
Makea!melineofknownevents.
• “Ar!facts”disk&memory(ocenincomplete/
fragmented)usedtobuild#meline.
• Howgoodcanwedo?Howdoweknowifweredone?
Ar>fact sources
How
aAestable are they?
• Timestampsfromallsourcestoderive!meline(eventlogs/syslog/firewall/filesystem#me,etc…)
• Wevtu!l-WindowsEventsCommandLineU#lity.
Configuremorethan1189eventlogsources
• SysMon(fromSysInternals/MarkRussinovich)/neat
config:
hBps://github.com/SwicOnSecurity/sysmon-config
• Linux(osqueryhBps://github.com/facebook/osquery)
Handling memory
• ForensicsmeetsReverseEngineering
• Dump/disassembledeterminewhattheextentofcapabilitythea8ackerpossesses• Iwanttoatleastclearthisguyout&findouthowmuchdamagehedid
• Vola#lity/Rekallpythonforensicengines
• StephenRidley’sREmemoryhackingtool:hBps://github.com/s7ephen/SandKit
• Paper:Escapingthesandbox
• GAMEHACKING!J
• Let’slookatwhatpeopledotocheatsome#me?
How to F’it?
• Hidereallywell• Wipe/Destroylogging/leaveno
trace/Stenography/Encrypt
• Misdirect
• Flood/Annoy/Makeanalysisso
costly$$$/Obfuscate/Spoof/
• DirectABack• DefCon15:BreakingForensicsSocware:WeaknessesinCri#cal
EvidenceCollec#onChrisPalmer,
AlexStamos
An#-forensics:Furtheringdigitalforensicsciencethroughanewextended,
granulartaxonomy:
Foreshadowing: normalize you’re opera>ons
• Agreatwaytooperateundetectedistoensureyouarenotananomaly.
• Usetheresourcesofyou’retargettoconductyou’reopera#ons.
• “Configura#on”aBacks• EnableIPV6tunneling&VPNaccess• ABackerhastrustedCAcapability(addedtheirprivkeytotrustedlist)
• Themore“normal”themethodwillbeveryhardtodigup
Int0x80’s AF counter
ABackagainstatool:
Rekall
• Preventdumpingforworking
Morewaystogetit;
• UseVAD(kernelsource)• UsePageTable(ABI)• UseinVtero.net• dump.py-VADDump(VAD)or
Dump(PageTable)
RoP: More normal
• RoPisanocendiscussedtopicusedmostlyforexploita#on
• RoPusestheCPUstackseman#cstoexecuteasifitwereareallylargesetofreturn
statements.
• Thisusesthecodethat’salreadyonthesystemmore“normalized”thanifyouhadtoinject
anexecutablepayloadthatdidnotoriginatefromthetarget
• RoPisusedbyGargoyle(JoshLospinoso)asanexampleofapersistence
techniquethatevadesmemoryanalysissystems
• Thereishope,wecandetectRoPaBacksthroughcallchainevalua#on
RoP is not perfect
hBps://www.cs.columbia.edu/~angelos/Papers/theses/vpappas_thesis.pdf
Gargoyle persistence
• Leveragesa#merandblocking
waitthatmovesitintothe“ac#ve
state”
• Onceac#ve,stagespageprotec#on+X
• Thenusesthispagetoinvokeit’sprimarypayload
• Itthenmask’sthe+Xbitbackoff
andgoesinac#ve
Tools too defend against RoP aAack?
• Analysis:ROPEMU:AFrameworkfortheAnalysisofComplexCode-
ReuseABacks
• DumpacomplexRoPexecu#ontraceintoanELF!!Wow!
• Detec#on:inVtero.netcanperformastackcheckingfunc#onagainst
thememorydump.
• SimilartoolsformonitoringRoPatrun#me(EhTrace,RoPGuard,etc…)
• FromtheinVterooutput,youreallydoNOTwanttoseetheGargoylegadget,
oranythingthatlookslikeastackpivot
Injec>on techniques
• Manyvariega#onstoachievethesamegoal;
• 10ProcessInjec#onTechniques(AshkanHosseini/Endgame)
• LoadLibrary,Hallowing,Threadhijacking,WindowsHooks,Registry
keys,APC,SetWindowLong,Shims&IATshims
• FlamewasasortofhallowingaBack
• “hid”insideofntdll,remainedundetectedforyears
Enter DMA with PCILeech
• UlfFriskDirect-Memory-ABack-the-Kernel:
• PCILeechaBacksandu#lityforforensics(memory)collec#on
• Usesavarietyof(verycool)techniquestoexecutepayloads
• Oneofthesimplestisthe“unlock”func#onality
• It’saninlinepatchhowever• Hardtodetectw/omanualreversing
Integrity valida>on
• Fullvalida#onatanypointin#memustbeabletobeconducted
• Systemstateshould/mustbesta#c
• CPUexecu#onwillallowaBackerstoplaygames/evaderead’s
• RDMA
• LiveMigra#on/Snapshowng
Tie it together
UnF’dMemoryForensics–Removetheguesswork
• Leveragewiderangeofinforma#onsources
• Haveacomprehensiveglobalviewofthedataset
• AppropriatecountermeasuresformostaBackers(RoP)
• Integritycheckingofmemory(inlinepatchprotec#on)
• Symbolsandcontextforanalysisofpointers
• Pointertrackingbecomesmoresignificantaswecanqualifytheiraddress/vector
Demo’s & Thank you
• Checkoutthetools
Github.com/K2
![DEF CON 25 Hacker Conference - DefCon Media Server CON 25/DEF CON 25 presentations/DEF… · functionality = self.checklist["Functionality"] ... Manually add ancillary data (pentest/other](https://static.fdocuments.in/doc/165x107/5af786007f8b9a744490ddf3/def-con-25-hacker-conference-defcon-media-server-con-25def-con-25-presentationsdeffunctionality.jpg)
