SlideShare una empresa de Scribd logo

FFR GreenKiller - Automatic kernel-mode malware analysis system

FFRI, Inc.
FFRI, Inc.
Tecnología
1 de 27
Descargar para leer sin conexión
AVAR 2009@kyoto FFR GreenKiller Automatic kernel-mode malware analysis system Junichi Murakami, murakami@fourteenforty.jp Director of Research, Fourteenforty Research Institute, Inc.
Who am I? • MURAKAMI Junichi(村上 純一) – Reverse Engineer, both Windows and Linux kernel development – BlackHat speaker at US and Japan 08 – Security & Programming Camp Instructor(2006 - ) – ITPro ホワイトハッカー道場(White Hacker Dojo) http://itpro.nikkeibp.co.jp/article/COLUMN/20070927/283156/ 2
FFR GreenKiller Analyzing malicious driver from VMM version 0.0.1 ring 0 FFR GreenKiller(based on BitVisor) Agent Kernelmalware log ring 3 Tracer Guest VMM VMCALL 3
Background Rootkits, Part1of 3: The Growing Threat(McAfee Avert Labs) http://www.mcafee.com/us/local_content/white_papers/threat_center/wp_akapoor_rootkits1_en.pdf 4
Why kernel-mode (is troublesome) ? ring 0 Kernelmalware ring 3 malware IDA Pro, etc. User-mode malware is a process, Kernel-mode malware is a part of system BSOD is very welcomed  5
FFR GreenKiller Analyzing malicious driver from VMM version 0.0.1 ring 0 FFR GreenKiller(based on BitVisor) Agent Kernelmalware log ring 3 Tracer Guest VMM VMCALL 6
BitVisor - http://www.bitvisor.org • Open-source VMM software (BSD License) • Secure VM Project (National Project in Japan) • Intel-VT and AMD-v supported • GreenKiller uses BitVisor as a VMM framework  Hardware BitVisor VMM Core Security Features Disk Encryption VPN ・・・ Guest OS device driver 7
BitVisor (cont.) BIOS NTLDR Grub BitVisor Windows 8
Initialization ring 0 FFR GreenKiller Agent Kernel ring 3 VMCALL 1. Build up kernel API database 2. Hook driver-loading API in Guest ptr_PsLoadedModuleList ptr_IopLoadDriverHookAddr 9
PsLoadedModuleList Kernel ntoskrnl.exe DriverObject win32k.sys DriverObject ... DriverObject PsLoadedModuleList 10
DriverObject kd> dt nt!_DRIVER_OBJECT +0x000 Type : Int2B +0x002 Size : Int2B +0x004 DeviceObject : Ptr32 _DEVICE_OBJECT +0x008 Flags : Uint4B +0x00c DriverStart : Ptr32 Void +0x010 DriverSize : Uint4B +0x014 DriverSection : Ptr32 Void +0x018 DriverExtension : Ptr32 _DRIVER_EXTENSION +0x01c DriverName : _UNICODE_STRING +0x024 HardwareDatabase : Ptr32 _UNICODE_STRING +0x028 FastIoDispatch : Ptr32 _FAST_IO_DISPATCH +0x02c DriverInit : Ptr32 long +0x030 DriverStartIo : Ptr32 void +0x034 DriverUnload : Ptr32 void +0x038 MajorFunction : [28] Ptr32 long MZ.... .....................................PE... ..... ntoskrnl.exe DbgPrint 0x5002e DbgPrintEx 0x50050 .... [.edata section] 11 0x804d9000 DbgPrint 0x8052902e (0x804d9000 + 0x5002e) DbgPrintEx 0x80529050 (0x804d9000 + 0x50050) ・・・ ・・・
Initialization ring 0 FFR GreenKiller Agent Kernel ring 3 VMCALL 1. Build up kernel API database 2. Hook driver-loading API in Guest ptr_PsLoadedModuleList ptr_IopLoadDriverHookAddr 12
IopLoadDriver 13 Break (switch to VMM)
Break at DriverEntry 14 FFR GreenKiller Kernel mov eax, dword ptr [guest_esp] mov edx, eax push eax call GetAddressOfEntryPoint add edx, eax mov byte ptr [edx], 0xcc malwareIopLoadDriver
Software BP vs. Hardware BP • Software BP – Replace original byte with int3(0xcc) • Processor generates an #BP when int3 is hit – No limit on number of BPs • Hardware BP – Use Debug Register(DR0-DR3) – Needless to modify original code – Only 4 BPs simultaneously 15
Code Tracing 16 DriverEntry ret call ret call DbgPrint ret sub_10031 A) Insert ‘0xcc’ into closest branch by disassembling the code from DriverEntry B) Execution is suspended on the branch Check whether execution takes the branch according to EFLAGS’s value • If true: Insert ‘0xcc’ into branched addr. • If not: Working the same as A. C) Execution is suspended on the branched addr. Check whether it is an entry of kernel API • if true: Insert ‘0xcc’ into retaddr • if not: Working the same as A.
Definition of an FSM 17 SEARCH_B EVAL_BCHECK_A Eval branch Branch not taken, find next branch Branch taken, check address checked, find next branch
That’s all? • No, we have to consider multiple context for callbacks • Driver is a plug-in for the kernel 18
Callbacks 19 Kernel malware IRP Process Management Kernel Thread Timer DriverEntry
Ex)PsSetCreateProcessNotifyRoutine 20 NTSTATUS DriverEntry(IN PDRIVER_OBJECT DriverObject, IN PUNICODE_STRING RegistryPath) { … PsSetCreateProcessNotifyRoutine( CreateProcessNotifyCallback, ; NotifyRoutine FALSE ; Remove ); … } VOID CreateProcessNotifyCallback(IN HANDLE ParentId, IN HANDLE ProcessId, IN BOOLEAN Create) { DbgPrint(“Pid %d is %s¥n”, ProcessId, Create ? “created” : “exit”); }
Callbacks(cont.) • IRP Handlers • DPC Routines • Registry Callbacks • Fs/Ndis/Tdi filters • PsSetCreateProcessNotifyRoutine • PsSetLoadImageNotifyRoutine • PsCreateSystemThread • etc. 21
Lookup Kernel API 22 FFR GreenKiller Kernel malware State: CHECK_A Kernel API DB API Address DbgPrint 0x8052902e DbgPrintEx 0x80529050 … …. call 0x8052902e
Lookup Kernel API(cont.) 23 FFR GreenKiller Kernel malware call PsSetCreateProcessNotifyRoutine NTSTATUS PsSetCreateProcessNotifyRoutine( IN PCREATE_PROCESS_NOTIFY_ROUTINE NotifyRoutine, IN BOOL Remove ); ReturnAddress = [GUEST_ESP] Arg1 = [GUEST_ESP+4]; NotifyRoutine Arg2 = [GUEST_ESP+8]; Remove State: CHECK_A Break
Output [DriverEntry] 0xfd965012: DbgPrint(“DriverEntry: 0x%lx¥n”) 0xfd065054: IoCreateDevice(“¥¥Device¥m3z1”) 0xfd065067: IoCreateSymbolicLink(“¥¥Device¥m3z1”, “¥¥DosDevices¥m3z1”) 0xfd06508c: PsSetCreateProcessNotifyRoutine(CB#1) [DriverUnload] 0xfd9650c0: IoDeleteSymbolicLink(“¥¥DosDevices¥m3z1”) 0xfd9650cc: IoDeleteDevice [CB#1: PsSetCreateProcessNotityRoutine] 0xfd965134: PsGetCurrentProcessId 0xfd965140: DbgPrint(“CreateProcessCallback %d %d %d¥n”) 0xfd96710c: ExFreePool 24
Limitation • Require Intel-VT • Require an Agent in guest’s ring3 – Request for quick hack :) • Limited API support – Callback, Argument recognization 25
Related Work We can detect memory-patching by malware • Viton, Hypervisor IPS(BlackHat USA 08) – Manipulate Guest PageTable/PageTableEntry, – To protect memory patching by malicious driver JP: http://www.fourteenforty.jp/research/research_papers/bh-japan-08-Murakami.pdf EN: http://www.fourteenforty.jp/research/research_papers/bh-usa-08-Murakami.pdf 26
Q & A 27

Recomendados

Predicting and Abusing WPA2/802.11 Group Keys
Predicting and Abusing WPA2/802.11 Group KeysPredicting and Abusing WPA2/802.11 Group Keys
Predicting and Abusing WPA2/802.11 Group Keysvanhoefm
 
How security broken? - Android internals and malware infection possibilities
How security broken? - Android internals and malware infection possibilitiesHow security broken? - Android internals and malware infection possibilities
How security broken? - Android internals and malware infection possibilitiesFFRI, Inc.
 
ShinoBOT Suite
ShinoBOT SuiteShinoBOT Suite
ShinoBOT SuiteShota Shinogi
 
Fuzzing malware for fun & profit. Applying Coverage-Guided Fuzzing to Find Bu...
Fuzzing malware for fun & profit. Applying Coverage-Guided Fuzzing to Find Bu...Fuzzing malware for fun & profit. Applying Coverage-Guided Fuzzing to Find Bu...
Fuzzing malware for fun & profit. Applying Coverage-Guided Fuzzing to Find Bu...Maksim Shudrak
 
A Hypervisor IPS based on Hardware Assisted Virtualization Technology
A Hypervisor IPS based on Hardware Assisted Virtualization TechnologyA Hypervisor IPS based on Hardware Assisted Virtualization Technology
A Hypervisor IPS based on Hardware Assisted Virtualization TechnologyFFRI, Inc.
 
Zero bugs found? Hold my beer AFL! how to improve coverage-guided fuzzing and...
Zero bugs found? Hold my beer AFL! how to improve coverage-guided fuzzing and...Zero bugs found? Hold my beer AFL! how to improve coverage-guided fuzzing and...
Zero bugs found? Hold my beer AFL! how to improve coverage-guided fuzzing and...Maksim Shudrak
 
CSW2017Richard Johnson_harnessing intel processor trace on windows for vulner...
CSW2017Richard Johnson_harnessing intel processor trace on windows for vulner...CSW2017Richard Johnson_harnessing intel processor trace on windows for vulner...
CSW2017Richard Johnson_harnessing intel processor trace on windows for vulner...CanSecWest
 
Midterm Presentation
Midterm PresentationMidterm Presentation
Midterm PresentationZhongzhi Yu
 

Recomendados

Predicting and Abusing WPA2/802.11 Group Keys
Predicting and Abusing WPA2/802.11 Group KeysPredicting and Abusing WPA2/802.11 Group Keys
Predicting and Abusing WPA2/802.11 Group Keysvanhoefm
 
How security broken? - Android internals and malware infection possibilities
How security broken? - Android internals and malware infection possibilitiesHow security broken? - Android internals and malware infection possibilities
How security broken? - Android internals and malware infection possibilitiesFFRI, Inc.
 
ShinoBOT Suite
ShinoBOT SuiteShinoBOT Suite
ShinoBOT SuiteShota Shinogi
 
Fuzzing malware for fun & profit. Applying Coverage-Guided Fuzzing to Find Bu...
Fuzzing malware for fun & profit. Applying Coverage-Guided Fuzzing to Find Bu...Fuzzing malware for fun & profit. Applying Coverage-Guided Fuzzing to Find Bu...
Fuzzing malware for fun & profit. Applying Coverage-Guided Fuzzing to Find Bu...Maksim Shudrak
 
A Hypervisor IPS based on Hardware Assisted Virtualization Technology
A Hypervisor IPS based on Hardware Assisted Virtualization TechnologyA Hypervisor IPS based on Hardware Assisted Virtualization Technology
A Hypervisor IPS based on Hardware Assisted Virtualization TechnologyFFRI, Inc.
 
Zero bugs found? Hold my beer AFL! how to improve coverage-guided fuzzing and...
Zero bugs found? Hold my beer AFL! how to improve coverage-guided fuzzing and...Zero bugs found? Hold my beer AFL! how to improve coverage-guided fuzzing and...
Zero bugs found? Hold my beer AFL! how to improve coverage-guided fuzzing and...Maksim Shudrak
 
CSW2017Richard Johnson_harnessing intel processor trace on windows for vulner...
CSW2017Richard Johnson_harnessing intel processor trace on windows for vulner...CSW2017Richard Johnson_harnessing intel processor trace on windows for vulner...
CSW2017Richard Johnson_harnessing intel processor trace on windows for vulner...CanSecWest
 
Midterm Presentation
Midterm PresentationMidterm Presentation
Midterm PresentationZhongzhi Yu
 
Mirko Damiani - An Embedded soft real time distributed system in Go
Mirko Damiani - An Embedded soft real time distributed system in GoMirko Damiani - An Embedded soft real time distributed system in Go
Mirko Damiani - An Embedded soft real time distributed system in Golinuxlab_conf
 
Appearances are deceiving: Novel offensive techniques in Windows 10/11 on ARM
Appearances are deceiving: Novel offensive techniques in Windows 10/11 on ARMAppearances are deceiving: Novel offensive techniques in Windows 10/11 on ARM
Appearances are deceiving: Novel offensive techniques in Windows 10/11 on ARMFFRI, Inc.
 
Buffer overflow attacks
Buffer overflow attacksBuffer overflow attacks
Buffer overflow attacksJapneet Singh
 
[Usenix's WOOT'14] Attacking the Linux PRNG and Android - Weaknesses in Seedi...
[Usenix's WOOT'14] Attacking the Linux PRNG and Android - Weaknesses in Seedi...[Usenix's WOOT'14] Attacking the Linux PRNG and Android - Weaknesses in Seedi...
[Usenix's WOOT'14] Attacking the Linux PRNG and Android - Weaknesses in Seedi...srkedmi
 
Inside Winnyp
Inside WinnypInside Winnyp
Inside WinnypFFRI, Inc.
 
[CB16] COFI break – Breaking exploits with Processor trace and Practical cont...
[CB16] COFI break – Breaking exploits with Processor trace and Practical cont...[CB16] COFI break – Breaking exploits with Processor trace and Practical cont...
[CB16] COFI break – Breaking exploits with Processor trace and Practical cont...CODE BLUE
 
Auditing the Opensource Kernels
Auditing the Opensource KernelsAuditing the Opensource Kernels
Auditing the Opensource KernelsSilvio Cesare
 
Fuzzing python modules
Fuzzing python modulesFuzzing python modules
Fuzzing python modulesdelimitry
 
Code Injection in Windows
Code Injection in WindowsCode Injection in Windows
Code Injection in Windowsn|u - The Open Security Community
 
2016 manta raypresentation_av_scanning_disclaimer
2016 manta raypresentation_av_scanning_disclaimer2016 manta raypresentation_av_scanning_disclaimer
2016 manta raypresentation_av_scanning_disclaimerDoug Koster
 
Linux randomnumbergenerator
Linux randomnumbergeneratorLinux randomnumbergenerator
Linux randomnumbergeneratorjhonce
 
Anatomy of a Buffer Overflow Attack
Anatomy of a Buffer Overflow AttackAnatomy of a Buffer Overflow Attack
Anatomy of a Buffer Overflow AttackRob Gillen
 
Buffer overflow
Buffer overflowBuffer overflow
Buffer overflowEvgeni Tsonev
 
emips_overview_apr08
emips_overview_apr08emips_overview_apr08
emips_overview_apr08Neil Pittman
 
Return oriented programming
Return oriented programmingReturn oriented programming
Return oriented programminghybr1s
 
Stack-Based Buffer Overflows
Stack-Based Buffer OverflowsStack-Based Buffer Overflows
Stack-Based Buffer OverflowsDaniel Tumser
 
Dima kovalenko - Is ARMv8.3 the end of ROP?
Dima kovalenko - Is ARMv8.3 the end of ROP?Dima kovalenko - Is ARMv8.3 the end of ROP?
Dima kovalenko - Is ARMv8.3 the end of ROP?Hacken_Ecosystem
 
Kernel Recipes 2015: Greybus
Kernel Recipes 2015: GreybusKernel Recipes 2015: Greybus
Kernel Recipes 2015: GreybusAnne Nicolas
 
LMG Lightning Talks - SFO17-205
LMG Lightning Talks - SFO17-205LMG Lightning Talks - SFO17-205
LMG Lightning Talks - SFO17-205Linaro
 
Shusei tomonaga pac_sec_20171026
Shusei tomonaga pac_sec_20171026Shusei tomonaga pac_sec_20171026
Shusei tomonaga pac_sec_20171026PacSecJP
 
Mr201304 open flow_security_jpn
Mr201304 open flow_security_jpnMr201304 open flow_security_jpn
Mr201304 open flow_security_jpnFFRI, Inc.
 
スマホセキュリティ対策キホン(2回シリーズ・2)
スマホセキュリティ対策キホン(2回シリーズ・2)スマホセキュリティ対策キホン(2回シリーズ・2)
スマホセキュリティ対策キホン(2回シリーズ・2)Noriaki Takamizawa
 

Más contenido relacionado

La actualidad más candente

Mirko Damiani - An Embedded soft real time distributed system in Go
Mirko Damiani - An Embedded soft real time distributed system in GoMirko Damiani - An Embedded soft real time distributed system in Go
Mirko Damiani - An Embedded soft real time distributed system in Golinuxlab_conf
 
Appearances are deceiving: Novel offensive techniques in Windows 10/11 on ARM
Appearances are deceiving: Novel offensive techniques in Windows 10/11 on ARMAppearances are deceiving: Novel offensive techniques in Windows 10/11 on ARM
Appearances are deceiving: Novel offensive techniques in Windows 10/11 on ARMFFRI, Inc.
 
Buffer overflow attacks
Buffer overflow attacksBuffer overflow attacks
Buffer overflow attacksJapneet Singh
 
[Usenix's WOOT'14] Attacking the Linux PRNG and Android - Weaknesses in Seedi...
[Usenix's WOOT'14] Attacking the Linux PRNG and Android - Weaknesses in Seedi...[Usenix's WOOT'14] Attacking the Linux PRNG and Android - Weaknesses in Seedi...
[Usenix's WOOT'14] Attacking the Linux PRNG and Android - Weaknesses in Seedi...srkedmi
 
[CB16] COFI break – Breaking exploits with Processor trace and Practical cont...
[CB16] COFI break – Breaking exploits with Processor trace and Practical cont...[CB16] COFI break – Breaking exploits with Processor trace and Practical cont...
[CB16] COFI break – Breaking exploits with Processor trace and Practical cont...CODE BLUE
 
Auditing the Opensource Kernels
Auditing the Opensource KernelsAuditing the Opensource Kernels
Auditing the Opensource KernelsSilvio Cesare
 
Fuzzing python modules
Fuzzing python modulesFuzzing python modules
Fuzzing python modulesdelimitry
 
2016 manta raypresentation_av_scanning_disclaimer
2016 manta raypresentation_av_scanning_disclaimer2016 manta raypresentation_av_scanning_disclaimer
2016 manta raypresentation_av_scanning_disclaimerDoug Koster
 
Linux randomnumbergenerator
Linux randomnumbergeneratorLinux randomnumbergenerator
Linux randomnumbergeneratorjhonce
 
Anatomy of a Buffer Overflow Attack
Anatomy of a Buffer Overflow AttackAnatomy of a Buffer Overflow Attack
Anatomy of a Buffer Overflow AttackRob Gillen
 
emips_overview_apr08
emips_overview_apr08emips_overview_apr08
emips_overview_apr08Neil Pittman
 
Return oriented programming
Return oriented programmingReturn oriented programming
Return oriented programminghybr1s
 
Stack-Based Buffer Overflows
Stack-Based Buffer OverflowsStack-Based Buffer Overflows
Stack-Based Buffer OverflowsDaniel Tumser
 
Dima kovalenko - Is ARMv8.3 the end of ROP?
Dima kovalenko - Is ARMv8.3 the end of ROP?Dima kovalenko - Is ARMv8.3 the end of ROP?
Dima kovalenko - Is ARMv8.3 the end of ROP?Hacken_Ecosystem
 
Kernel Recipes 2015: Greybus
Kernel Recipes 2015: GreybusKernel Recipes 2015: Greybus
Kernel Recipes 2015: GreybusAnne Nicolas
 
LMG Lightning Talks - SFO17-205
LMG Lightning Talks - SFO17-205LMG Lightning Talks - SFO17-205
LMG Lightning Talks - SFO17-205Linaro
 
Shusei tomonaga pac_sec_20171026
Shusei tomonaga pac_sec_20171026Shusei tomonaga pac_sec_20171026
Shusei tomonaga pac_sec_20171026PacSecJP
 

La actualidad más candente (20)

Mirko Damiani - An Embedded soft real time distributed system in Go
Mirko Damiani - An Embedded soft real time distributed system in GoMirko Damiani - An Embedded soft real time distributed system in Go
Mirko Damiani - An Embedded soft real time distributed system in Go
 
Appearances are deceiving: Novel offensive techniques in Windows 10/11 on ARM
Appearances are deceiving: Novel offensive techniques in Windows 10/11 on ARMAppearances are deceiving: Novel offensive techniques in Windows 10/11 on ARM
Appearances are deceiving: Novel offensive techniques in Windows 10/11 on ARM
 
Buffer overflow attacks
Buffer overflow attacksBuffer overflow attacks
Buffer overflow attacks
 
[Usenix's WOOT'14] Attacking the Linux PRNG and Android - Weaknesses in Seedi...
[Usenix's WOOT'14] Attacking the Linux PRNG and Android - Weaknesses in Seedi...[Usenix's WOOT'14] Attacking the Linux PRNG and Android - Weaknesses in Seedi...
[Usenix's WOOT'14] Attacking the Linux PRNG and Android - Weaknesses in Seedi...
 
Inside Winnyp
Inside WinnypInside Winnyp
Inside Winnyp
 
[CB16] COFI break – Breaking exploits with Processor trace and Practical cont...
[CB16] COFI break – Breaking exploits with Processor trace and Practical cont...[CB16] COFI break – Breaking exploits with Processor trace and Practical cont...
[CB16] COFI break – Breaking exploits with Processor trace and Practical cont...
 
Auditing the Opensource Kernels
Auditing the Opensource KernelsAuditing the Opensource Kernels
Auditing the Opensource Kernels
 
Fuzzing python modules
Fuzzing python modulesFuzzing python modules
Fuzzing python modules
 
Code Injection in Windows
Code Injection in WindowsCode Injection in Windows
Code Injection in Windows
 
2016 manta raypresentation_av_scanning_disclaimer
2016 manta raypresentation_av_scanning_disclaimer2016 manta raypresentation_av_scanning_disclaimer
2016 manta raypresentation_av_scanning_disclaimer
 
Linux randomnumbergenerator
Linux randomnumbergeneratorLinux randomnumbergenerator
Linux randomnumbergenerator
 
Anatomy of a Buffer Overflow Attack
Anatomy of a Buffer Overflow AttackAnatomy of a Buffer Overflow Attack
Anatomy of a Buffer Overflow Attack
 
Buffer overflow
Buffer overflowBuffer overflow
Buffer overflow
 
emips_overview_apr08
emips_overview_apr08emips_overview_apr08
emips_overview_apr08
 
Return oriented programming
Return oriented programmingReturn oriented programming
Return oriented programming
 
Stack-Based Buffer Overflows
Stack-Based Buffer OverflowsStack-Based Buffer Overflows
Stack-Based Buffer Overflows
 
Dima kovalenko - Is ARMv8.3 the end of ROP?
Dima kovalenko - Is ARMv8.3 the end of ROP?Dima kovalenko - Is ARMv8.3 the end of ROP?
Dima kovalenko - Is ARMv8.3 the end of ROP?
 
Kernel Recipes 2015: Greybus
Kernel Recipes 2015: GreybusKernel Recipes 2015: Greybus
Kernel Recipes 2015: Greybus
 
LMG Lightning Talks - SFO17-205
LMG Lightning Talks - SFO17-205LMG Lightning Talks - SFO17-205
LMG Lightning Talks - SFO17-205
 
Shusei tomonaga pac_sec_20171026
Shusei tomonaga pac_sec_20171026Shusei tomonaga pac_sec_20171026
Shusei tomonaga pac_sec_20171026
 

Destacado

Mr201304 open flow_security_jpn
Mr201304 open flow_security_jpnMr201304 open flow_security_jpn
Mr201304 open flow_security_jpnFFRI, Inc.
 
スマホセキュリティ対策キホン(2回シリーズ・2)
スマホセキュリティ対策キホン(2回シリーズ・2)スマホセキュリティ対策キホン(2回シリーズ・2)
スマホセキュリティ対策キホン(2回シリーズ・2)Noriaki Takamizawa
 
Mr201305 tizen security_eng
Mr201305 tizen security_engMr201305 tizen security_eng
Mr201305 tizen security_engFFRI, Inc.
 
Inside Android Security
Inside Android SecurityInside Android Security
Inside Android SecurityFFRI, Inc.
 
Mr201302 mitb in_android_2
Mr201302 mitb in_android_2Mr201302 mitb in_android_2
Mr201302 mitb in_android_2FFRI, Inc.
 
How security broken? - Androidの内部構造とマルウェア感染の可能性
How security broken? - Androidの内部構造とマルウェア感染の可能性How security broken? - Androidの内部構造とマルウェア感染の可能性
How security broken? - Androidの内部構造とマルウェア感染の可能性FFRI, Inc.
 
Mr201209 windows8 exploit_mitigation
Mr201209 windows8 exploit_mitigationMr201209 windows8 exploit_mitigation
Mr201209 windows8 exploit_mitigationFFRI, Inc.
 
APASEC 2013 - ROP/JIT を使わずに DEP/ASLR を回避する手法を見てみた。
APASEC 2013 - ROP/JIT を使わずに DEP/ASLR を回避する手法を見てみた。APASEC 2013 - ROP/JIT を使わずに DEP/ASLR を回避する手法を見てみた。
APASEC 2013 - ROP/JIT を使わずに DEP/ASLR を回避する手法を見てみた。Satoshi Mimura
 

Destacado (8)

Mr201304 open flow_security_jpn
Mr201304 open flow_security_jpnMr201304 open flow_security_jpn
Mr201304 open flow_security_jpn
 
スマホセキュリティ対策キホン(2回シリーズ・2)
スマホセキュリティ対策キホン(2回シリーズ・2)スマホセキュリティ対策キホン(2回シリーズ・2)
スマホセキュリティ対策キホン(2回シリーズ・2)
 
Mr201305 tizen security_eng
Mr201305 tizen security_engMr201305 tizen security_eng
Mr201305 tizen security_eng
 
Inside Android Security
Inside Android SecurityInside Android Security
Inside Android Security
 
Mr201302 mitb in_android_2
Mr201302 mitb in_android_2Mr201302 mitb in_android_2
Mr201302 mitb in_android_2
 
How security broken? - Androidの内部構造とマルウェア感染の可能性
How security broken? - Androidの内部構造とマルウェア感染の可能性How security broken? - Androidの内部構造とマルウェア感染の可能性
How security broken? - Androidの内部構造とマルウェア感染の可能性
 
Mr201209 windows8 exploit_mitigation
Mr201209 windows8 exploit_mitigationMr201209 windows8 exploit_mitigation
Mr201209 windows8 exploit_mitigation
 
APASEC 2013 - ROP/JIT を使わずに DEP/ASLR を回避する手法を見てみた。
APASEC 2013 - ROP/JIT を使わずに DEP/ASLR を回避する手法を見てみた。APASEC 2013 - ROP/JIT を使わずに DEP/ASLR を回避する手法を見てみた。
APASEC 2013 - ROP/JIT を使わずに DEP/ASLR を回避する手法を見てみた。
 

Similar a FFR GreenKiller - Automatic kernel-mode malware analysis system

Your Peripheral Has Planted Malware—An Exploit of NXP SOCs Vulnerability
Your Peripheral Has Planted Malware—An Exploit of NXP SOCs VulnerabilityYour Peripheral Has Planted Malware—An Exploit of NXP SOCs Vulnerability
Your Peripheral Has Planted Malware—An Exploit of NXP SOCs VulnerabilityPriyanka Aash
 
The Hacking Games - Operation System Vulnerabilities Meetup 29112022
The Hacking Games - Operation System Vulnerabilities Meetup 29112022The Hacking Games - Operation System Vulnerabilities Meetup 29112022
The Hacking Games - Operation System Vulnerabilities Meetup 29112022lior mazor
 
Non-Blocking Strategies for FFI
Non-Blocking Strategies for FFI Non-Blocking Strategies for FFI
Non-Blocking Strategies for FFIESUG
 
Smash the Stack: Writing a Buffer Overflow Exploit (Win32)
Smash the Stack: Writing a Buffer Overflow Exploit (Win32)Smash the Stack: Writing a Buffer Overflow Exploit (Win32)
Smash the Stack: Writing a Buffer Overflow Exploit (Win32)Elvin Gentiles
 
Advanced malwareanalysis training session2 botnet analysis part1
Advanced malwareanalysis training session2 botnet analysis part1Advanced malwareanalysis training session2 botnet analysis part1
Advanced malwareanalysis training session2 botnet analysis part1Cysinfo Cyber Security Community
 
DEF CON 27 - MAKSIM SHUDRAK - zero bugs found hold my beer afl how to improve...
DEF CON 27 - MAKSIM SHUDRAK - zero bugs found hold my beer afl how to improve...DEF CON 27 - MAKSIM SHUDRAK - zero bugs found hold my beer afl how to improve...
DEF CON 27 - MAKSIM SHUDRAK - zero bugs found hold my beer afl how to improve...Felipe Prado
 
CSW2017 Henry li how to find the vulnerability to bypass the control flow gua...
CSW2017 Henry li how to find the vulnerability to bypass the control flow gua...CSW2017 Henry li how to find the vulnerability to bypass the control flow gua...
CSW2017 Henry li how to find the vulnerability to bypass the control flow gua...CanSecWest
 
Kernel Recipes 2015: Solving the Linux storage scalability bottlenecks
Kernel Recipes 2015: Solving the Linux storage scalability bottlenecksKernel Recipes 2015: Solving the Linux storage scalability bottlenecks
Kernel Recipes 2015: Solving the Linux storage scalability bottlenecksAnne Nicolas
 
OSMC 2014: Server Hardware Monitoring done right | Werner Fischer
OSMC 2014: Server Hardware Monitoring done right | Werner FischerOSMC 2014: Server Hardware Monitoring done right | Werner Fischer
OSMC 2014: Server Hardware Monitoring done right | Werner FischerNETWAYS
 
[ CNCF Q1 2024 ] Intro to Continuous Profiling and Grafana Pyroscope.pdf
[ CNCF Q1 2024 ] Intro to Continuous Profiling and Grafana Pyroscope.pdf[ CNCF Q1 2024 ] Intro to Continuous Profiling and Grafana Pyroscope.pdf
[ CNCF Q1 2024 ] Intro to Continuous Profiling and Grafana Pyroscope.pdfSteve Caron
 
Readactor-Practical Code Randomization Resilient to Memory Disclosure
Readactor-Practical Code Randomization Resilient to Memory DisclosureReadactor-Practical Code Randomization Resilient to Memory Disclosure
Readactor-Practical Code Randomization Resilient to Memory Disclosurech0psticks
 
How to Design a Program Repair Bot? Insights from the Repairnator Project
How to Design a Program Repair Bot? Insights from the Repairnator ProjectHow to Design a Program Repair Bot? Insights from the Repairnator Project
How to Design a Program Repair Bot? Insights from the Repairnator ProjectSimon Urli
 
running stable diffusion on android
running stable diffusion on androidrunning stable diffusion on android
running stable diffusion on androidKoan-Sin Tan
 
NSC #2 - D3 02 - Peter Hlavaty - Attack on the Core
NSC #2 - D3 02 - Peter Hlavaty - Attack on the CoreNSC #2 - D3 02 - Peter Hlavaty - Attack on the Core
NSC #2 - D3 02 - Peter Hlavaty - Attack on the CoreNoSuchCon
 
[Blackhat EU'14] Attacking the Linux PRNG on Android and Embedded Devices
[Blackhat EU'14] Attacking the Linux PRNG on Android and Embedded Devices[Blackhat EU'14] Attacking the Linux PRNG on Android and Embedded Devices
[Blackhat EU'14] Attacking the Linux PRNG on Android and Embedded Devicessrkedmi
 
Dynamic Instrumentation- OpenEBS Golang Meetup July 2017
Dynamic Instrumentation- OpenEBS Golang Meetup July 2017Dynamic Instrumentation- OpenEBS Golang Meetup July 2017
Dynamic Instrumentation- OpenEBS Golang Meetup July 2017OpenEBS
 
Flash security past_present_future_final_en
Flash security past_present_future_final_enFlash security past_present_future_final_en
Flash security past_present_future_final_enSunghun Kim
 
Captain Hook: Pirating AVs to Bypass Exploit Mitigations
Captain Hook: Pirating AVs to Bypass Exploit MitigationsCaptain Hook: Pirating AVs to Bypass Exploit Mitigations
Captain Hook: Pirating AVs to Bypass Exploit MitigationsenSilo
 

Similar a FFR GreenKiller - Automatic kernel-mode malware analysis system (20)

Your Peripheral Has Planted Malware—An Exploit of NXP SOCs Vulnerability
Your Peripheral Has Planted Malware—An Exploit of NXP SOCs VulnerabilityYour Peripheral Has Planted Malware—An Exploit of NXP SOCs Vulnerability
Your Peripheral Has Planted Malware—An Exploit of NXP SOCs Vulnerability
 
The Hacking Games - Operation System Vulnerabilities Meetup 29112022
The Hacking Games - Operation System Vulnerabilities Meetup 29112022The Hacking Games - Operation System Vulnerabilities Meetup 29112022
The Hacking Games - Operation System Vulnerabilities Meetup 29112022
 
Os lectures
Os lecturesOs lectures
Os lectures
 
Non-Blocking Strategies for FFI
Non-Blocking Strategies for FFI Non-Blocking Strategies for FFI
Non-Blocking Strategies for FFI
 
Smash the Stack: Writing a Buffer Overflow Exploit (Win32)
Smash the Stack: Writing a Buffer Overflow Exploit (Win32)Smash the Stack: Writing a Buffer Overflow Exploit (Win32)
Smash the Stack: Writing a Buffer Overflow Exploit (Win32)
 
Advanced malwareanalysis training session2 botnet analysis part1
Advanced malwareanalysis training session2 botnet analysis part1Advanced malwareanalysis training session2 botnet analysis part1
Advanced malwareanalysis training session2 botnet analysis part1
 
DEF CON 27 - MAKSIM SHUDRAK - zero bugs found hold my beer afl how to improve...
DEF CON 27 - MAKSIM SHUDRAK - zero bugs found hold my beer afl how to improve...DEF CON 27 - MAKSIM SHUDRAK - zero bugs found hold my beer afl how to improve...
DEF CON 27 - MAKSIM SHUDRAK - zero bugs found hold my beer afl how to improve...
 
CSW2017 Henry li how to find the vulnerability to bypass the control flow gua...
CSW2017 Henry li how to find the vulnerability to bypass the control flow gua...CSW2017 Henry li how to find the vulnerability to bypass the control flow gua...
CSW2017 Henry li how to find the vulnerability to bypass the control flow gua...
 
Kernel Recipes 2015: Solving the Linux storage scalability bottlenecks
Kernel Recipes 2015: Solving the Linux storage scalability bottlenecksKernel Recipes 2015: Solving the Linux storage scalability bottlenecks
Kernel Recipes 2015: Solving the Linux storage scalability bottlenecks
 
Hacker bootcamp
Hacker bootcampHacker bootcamp
Hacker bootcamp
 
OSMC 2014: Server Hardware Monitoring done right | Werner Fischer
OSMC 2014: Server Hardware Monitoring done right | Werner FischerOSMC 2014: Server Hardware Monitoring done right | Werner Fischer
OSMC 2014: Server Hardware Monitoring done right | Werner Fischer
 
[ CNCF Q1 2024 ] Intro to Continuous Profiling and Grafana Pyroscope.pdf
[ CNCF Q1 2024 ] Intro to Continuous Profiling and Grafana Pyroscope.pdf[ CNCF Q1 2024 ] Intro to Continuous Profiling and Grafana Pyroscope.pdf
[ CNCF Q1 2024 ] Intro to Continuous Profiling and Grafana Pyroscope.pdf
 
Readactor-Practical Code Randomization Resilient to Memory Disclosure
Readactor-Practical Code Randomization Resilient to Memory DisclosureReadactor-Practical Code Randomization Resilient to Memory Disclosure
Readactor-Practical Code Randomization Resilient to Memory Disclosure
 
How to Design a Program Repair Bot? Insights from the Repairnator Project
How to Design a Program Repair Bot? Insights from the Repairnator ProjectHow to Design a Program Repair Bot? Insights from the Repairnator Project
How to Design a Program Repair Bot? Insights from the Repairnator Project
 
running stable diffusion on android
running stable diffusion on androidrunning stable diffusion on android
running stable diffusion on android
 
NSC #2 - D3 02 - Peter Hlavaty - Attack on the Core
NSC #2 - D3 02 - Peter Hlavaty - Attack on the CoreNSC #2 - D3 02 - Peter Hlavaty - Attack on the Core
NSC #2 - D3 02 - Peter Hlavaty - Attack on the Core
 
[Blackhat EU'14] Attacking the Linux PRNG on Android and Embedded Devices
[Blackhat EU'14] Attacking the Linux PRNG on Android and Embedded Devices[Blackhat EU'14] Attacking the Linux PRNG on Android and Embedded Devices
[Blackhat EU'14] Attacking the Linux PRNG on Android and Embedded Devices
 
Dynamic Instrumentation- OpenEBS Golang Meetup July 2017
Dynamic Instrumentation- OpenEBS Golang Meetup July 2017Dynamic Instrumentation- OpenEBS Golang Meetup July 2017
Dynamic Instrumentation- OpenEBS Golang Meetup July 2017
 
Flash security past_present_future_final_en
Flash security past_present_future_final_enFlash security past_present_future_final_en
Flash security past_present_future_final_en
 
Captain Hook: Pirating AVs to Bypass Exploit Mitigations
Captain Hook: Pirating AVs to Bypass Exploit MitigationsCaptain Hook: Pirating AVs to Bypass Exploit Mitigations
Captain Hook: Pirating AVs to Bypass Exploit Mitigations
 

Más de FFRI, Inc.

Appearances are deceiving: Novel offensive techniques in Windows 10/11 on ARM
Appearances are deceiving: Novel offensive techniques in Windows 10/11 on ARMAppearances are deceiving: Novel offensive techniques in Windows 10/11 on ARM
Appearances are deceiving: Novel offensive techniques in Windows 10/11 on ARMFFRI, Inc.
 
TrustZone use case and trend (FFRI Monthly Research Mar 2017)
TrustZone use case and trend (FFRI Monthly Research Mar 2017) TrustZone use case and trend (FFRI Monthly Research Mar 2017)
TrustZone use case and trend (FFRI Monthly Research Mar 2017) FFRI, Inc.
 
Android Things Security Research in Developer Preview 2 (FFRI Monthly Researc...
Android Things Security Research in Developer Preview 2 (FFRI Monthly Researc...Android Things Security Research in Developer Preview 2 (FFRI Monthly Researc...
Android Things Security Research in Developer Preview 2 (FFRI Monthly Researc...FFRI, Inc.
 
An Overview of the Android Things Security (FFRI Monthly Research Jan 2017)
An Overview of the Android Things Security (FFRI Monthly Research Jan 2017) An Overview of the Android Things Security (FFRI Monthly Research Jan 2017)
An Overview of the Android Things Security (FFRI Monthly Research Jan 2017) FFRI, Inc.
 
Black Hat Europe 2016 Survey Report (FFRI Monthly Research Dec 2016)
Black Hat Europe 2016 Survey Report (FFRI Monthly Research Dec 2016) Black Hat Europe 2016 Survey Report (FFRI Monthly Research Dec 2016)
Black Hat Europe 2016 Survey Report (FFRI Monthly Research Dec 2016) FFRI, Inc.
 
An Example of use the Threat Modeling Tool (FFRI Monthly Research Nov 2016)
An Example of use the Threat Modeling Tool (FFRI Monthly Research Nov 2016)An Example of use the Threat Modeling Tool (FFRI Monthly Research Nov 2016)
An Example of use the Threat Modeling Tool (FFRI Monthly Research Nov 2016)FFRI, Inc.
 
STRIDE Variants and Security Requirements-based Threat Analysis (FFRI Monthly...
STRIDE Variants and Security Requirements-based Threat Analysis (FFRI Monthly...STRIDE Variants and Security Requirements-based Threat Analysis (FFRI Monthly...
STRIDE Variants and Security Requirements-based Threat Analysis (FFRI Monthly...FFRI, Inc.
 
Introduction of Threat Analysis Methods(FFRI Monthly Research 2016.9)
Introduction of Threat Analysis Methods(FFRI Monthly Research 2016.9)Introduction of Threat Analysis Methods(FFRI Monthly Research 2016.9)
Introduction of Threat Analysis Methods(FFRI Monthly Research 2016.9)FFRI, Inc.
 
Black Hat USA 2016 Survey Report (FFRI Monthly Research 2016.8)
Black Hat USA 2016 Survey Report (FFRI Monthly Research 2016.8)Black Hat USA 2016 Survey Report (FFRI Monthly Research 2016.8)
Black Hat USA 2016 Survey Report (FFRI Monthly Research 2016.8)FFRI, Inc.
 
About security assessment framework “CHIPSEC” (FFRI Monthly Research 2016.7)
About security assessment framework “CHIPSEC” (FFRI Monthly Research 2016.7) About security assessment framework “CHIPSEC” (FFRI Monthly Research 2016.7)
About security assessment framework “CHIPSEC” (FFRI Monthly Research 2016.7) FFRI, Inc.
 
Black Hat USA 2016 Pre-Survey (FFRI Monthly Research 2016.6)
Black Hat USA 2016 Pre-Survey (FFRI Monthly Research 2016.6)Black Hat USA 2016 Pre-Survey (FFRI Monthly Research 2016.6)
Black Hat USA 2016 Pre-Survey (FFRI Monthly Research 2016.6)FFRI, Inc.
 
Black Hat Asia 2016 Survey Report (FFRI Monthly Research 2016.4)
Black Hat Asia 2016 Survey Report (FFRI Monthly Research 2016.4)Black Hat Asia 2016 Survey Report (FFRI Monthly Research 2016.4)
Black Hat Asia 2016 Survey Report (FFRI Monthly Research 2016.4)FFRI, Inc.
 
ARMv8-M TrustZone: A New Security Feature for Embedded Systems (FFRI Monthly ...
ARMv8-M TrustZone: A New Security Feature for Embedded Systems (FFRI Monthly ...ARMv8-M TrustZone: A New Security Feature for Embedded Systems (FFRI Monthly ...
ARMv8-M TrustZone: A New Security Feature for Embedded Systems (FFRI Monthly ...FFRI, Inc.
 
CODE BLUE 2015 Report (FFRI Monthly Research 2015.11)
CODE BLUE 2015 Report (FFRI Monthly Research 2015.11)CODE BLUE 2015 Report (FFRI Monthly Research 2015.11)
CODE BLUE 2015 Report (FFRI Monthly Research 2015.11)FFRI, Inc.
 
Latest Security Reports of Automobile and Vulnerability Assessment by CVSS v3...
Latest Security Reports of Automobile and Vulnerability Assessment by CVSS v3...Latest Security Reports of Automobile and Vulnerability Assessment by CVSS v3...
Latest Security Reports of Automobile and Vulnerability Assessment by CVSS v3...FFRI, Inc.
 
Black Hat USA 2015 Survey Report (FFRI Monthly Research 201508)
Black Hat USA 2015 Survey Report (FFRI Monthly Research 201508)Black Hat USA 2015 Survey Report (FFRI Monthly Research 201508)
Black Hat USA 2015 Survey Report (FFRI Monthly Research 201508)FFRI, Inc.
 
A Survey of Threats in OS X and iOS(FFRI Monthly Research 201507)
A Survey of Threats in OS X and iOS(FFRI Monthly Research 201507)A Survey of Threats in OS X and iOS(FFRI Monthly Research 201507)
A Survey of Threats in OS X and iOS(FFRI Monthly Research 201507)FFRI, Inc.
 
Security of Windows 10 IoT Core(FFRI Monthly Research 201506)
Security of Windows 10 IoT Core(FFRI Monthly Research 201506)Security of Windows 10 IoT Core(FFRI Monthly Research 201506)
Security of Windows 10 IoT Core(FFRI Monthly Research 201506)FFRI, Inc.
 
Trend of Next-Gen In-Vehicle Network Standard and Current State of Security(F...
Trend of Next-Gen In-Vehicle Network Standard and Current State of Security(F...Trend of Next-Gen In-Vehicle Network Standard and Current State of Security(F...
Trend of Next-Gen In-Vehicle Network Standard and Current State of Security(F...FFRI, Inc.
 
Malwarem armed with PowerShell
Malwarem armed with PowerShellMalwarem armed with PowerShell
Malwarem armed with PowerShellFFRI, Inc.
 

Más de FFRI, Inc. (20)

Appearances are deceiving: Novel offensive techniques in Windows 10/11 on ARM
Appearances are deceiving: Novel offensive techniques in Windows 10/11 on ARMAppearances are deceiving: Novel offensive techniques in Windows 10/11 on ARM
Appearances are deceiving: Novel offensive techniques in Windows 10/11 on ARM
 
TrustZone use case and trend (FFRI Monthly Research Mar 2017)
TrustZone use case and trend (FFRI Monthly Research Mar 2017) TrustZone use case and trend (FFRI Monthly Research Mar 2017)
TrustZone use case and trend (FFRI Monthly Research Mar 2017)
 
Android Things Security Research in Developer Preview 2 (FFRI Monthly Researc...
Android Things Security Research in Developer Preview 2 (FFRI Monthly Researc...Android Things Security Research in Developer Preview 2 (FFRI Monthly Researc...
Android Things Security Research in Developer Preview 2 (FFRI Monthly Researc...
 
An Overview of the Android Things Security (FFRI Monthly Research Jan 2017)
An Overview of the Android Things Security (FFRI Monthly Research Jan 2017) An Overview of the Android Things Security (FFRI Monthly Research Jan 2017)
An Overview of the Android Things Security (FFRI Monthly Research Jan 2017)
 
Black Hat Europe 2016 Survey Report (FFRI Monthly Research Dec 2016)
Black Hat Europe 2016 Survey Report (FFRI Monthly Research Dec 2016) Black Hat Europe 2016 Survey Report (FFRI Monthly Research Dec 2016)
Black Hat Europe 2016 Survey Report (FFRI Monthly Research Dec 2016)
 
An Example of use the Threat Modeling Tool (FFRI Monthly Research Nov 2016)
An Example of use the Threat Modeling Tool (FFRI Monthly Research Nov 2016)An Example of use the Threat Modeling Tool (FFRI Monthly Research Nov 2016)
An Example of use the Threat Modeling Tool (FFRI Monthly Research Nov 2016)
 
STRIDE Variants and Security Requirements-based Threat Analysis (FFRI Monthly...
STRIDE Variants and Security Requirements-based Threat Analysis (FFRI Monthly...STRIDE Variants and Security Requirements-based Threat Analysis (FFRI Monthly...
STRIDE Variants and Security Requirements-based Threat Analysis (FFRI Monthly...
 
Introduction of Threat Analysis Methods(FFRI Monthly Research 2016.9)
Introduction of Threat Analysis Methods(FFRI Monthly Research 2016.9)Introduction of Threat Analysis Methods(FFRI Monthly Research 2016.9)
Introduction of Threat Analysis Methods(FFRI Monthly Research 2016.9)
 
Black Hat USA 2016 Survey Report (FFRI Monthly Research 2016.8)
Black Hat USA 2016 Survey Report (FFRI Monthly Research 2016.8)Black Hat USA 2016 Survey Report (FFRI Monthly Research 2016.8)
Black Hat USA 2016 Survey Report (FFRI Monthly Research 2016.8)
 
About security assessment framework “CHIPSEC” (FFRI Monthly Research 2016.7)
About security assessment framework “CHIPSEC” (FFRI Monthly Research 2016.7) About security assessment framework “CHIPSEC” (FFRI Monthly Research 2016.7)
About security assessment framework “CHIPSEC” (FFRI Monthly Research 2016.7)
 
Black Hat USA 2016 Pre-Survey (FFRI Monthly Research 2016.6)
Black Hat USA 2016 Pre-Survey (FFRI Monthly Research 2016.6)Black Hat USA 2016 Pre-Survey (FFRI Monthly Research 2016.6)
Black Hat USA 2016 Pre-Survey (FFRI Monthly Research 2016.6)
 
Black Hat Asia 2016 Survey Report (FFRI Monthly Research 2016.4)
Black Hat Asia 2016 Survey Report (FFRI Monthly Research 2016.4)Black Hat Asia 2016 Survey Report (FFRI Monthly Research 2016.4)
Black Hat Asia 2016 Survey Report (FFRI Monthly Research 2016.4)
 
ARMv8-M TrustZone: A New Security Feature for Embedded Systems (FFRI Monthly ...
ARMv8-M TrustZone: A New Security Feature for Embedded Systems (FFRI Monthly ...ARMv8-M TrustZone: A New Security Feature for Embedded Systems (FFRI Monthly ...
ARMv8-M TrustZone: A New Security Feature for Embedded Systems (FFRI Monthly ...
 
CODE BLUE 2015 Report (FFRI Monthly Research 2015.11)
CODE BLUE 2015 Report (FFRI Monthly Research 2015.11)CODE BLUE 2015 Report (FFRI Monthly Research 2015.11)
CODE BLUE 2015 Report (FFRI Monthly Research 2015.11)
 
Latest Security Reports of Automobile and Vulnerability Assessment by CVSS v3...
Latest Security Reports of Automobile and Vulnerability Assessment by CVSS v3...Latest Security Reports of Automobile and Vulnerability Assessment by CVSS v3...
Latest Security Reports of Automobile and Vulnerability Assessment by CVSS v3...
 
Black Hat USA 2015 Survey Report (FFRI Monthly Research 201508)
Black Hat USA 2015 Survey Report (FFRI Monthly Research 201508)Black Hat USA 2015 Survey Report (FFRI Monthly Research 201508)
Black Hat USA 2015 Survey Report (FFRI Monthly Research 201508)
 
A Survey of Threats in OS X and iOS(FFRI Monthly Research 201507)
A Survey of Threats in OS X and iOS(FFRI Monthly Research 201507)A Survey of Threats in OS X and iOS(FFRI Monthly Research 201507)
A Survey of Threats in OS X and iOS(FFRI Monthly Research 201507)
 
Security of Windows 10 IoT Core(FFRI Monthly Research 201506)
Security of Windows 10 IoT Core(FFRI Monthly Research 201506)Security of Windows 10 IoT Core(FFRI Monthly Research 201506)
Security of Windows 10 IoT Core(FFRI Monthly Research 201506)
 
Trend of Next-Gen In-Vehicle Network Standard and Current State of Security(F...
Trend of Next-Gen In-Vehicle Network Standard and Current State of Security(F...Trend of Next-Gen In-Vehicle Network Standard and Current State of Security(F...
Trend of Next-Gen In-Vehicle Network Standard and Current State of Security(F...
 
Malwarem armed with PowerShell
Malwarem armed with PowerShellMalwarem armed with PowerShell
Malwarem armed with PowerShell
 

Último

IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsEnterprise Knowledge
 
presentation ICT roal in 21st century education
presentation ICT roal in 21st century educationpresentation ICT roal in 21st century education
presentation ICT roal in 21st century educationjfdjdjcjdnsjd
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking MenDelhi Call girls
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerThousandEyes
 
Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slidevu2urc
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)Gabriella Davis
 
Tech Trends Report 2024 Future Today Institute.pdf
Tech Trends Report 2024 Future Today Institute.pdfTech Trends Report 2024 Future Today Institute.pdf
Tech Trends Report 2024 Future Today Institute.pdfhans926745
 
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...Neo4j
 
2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...Martijn de Jong
 
Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Enterprise Knowledge
 
Strategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a FresherStrategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a FresherRemote DBA Services
 
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptxEIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptxEarley Information Science
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024The Digital Insurer
 
Presentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreterPresentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreternaman860154
 
Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024The Digital Insurer
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Miguel Araújo
 
How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonetsnaman860154
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityPrincipled Technologies
 
Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024The Digital Insurer
 
Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processorsdebabhi2
 

Último (20)

IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI Solutions
 
presentation ICT roal in 21st century education
presentation ICT roal in 21st century educationpresentation ICT roal in 21st century education
presentation ICT roal in 21st century education
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slide
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)
 
Tech Trends Report 2024 Future Today Institute.pdf
Tech Trends Report 2024 Future Today Institute.pdfTech Trends Report 2024 Future Today Institute.pdf
Tech Trends Report 2024 Future Today Institute.pdf
 
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
 
2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...
 
Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...
 
Strategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a FresherStrategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a Fresher
 
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptxEIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024
 
Presentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreterPresentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreter
 
Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
 
How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonets
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivity
 
Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024
 
Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processors
 

FFR GreenKiller - Automatic kernel-mode malware analysis system

  • 1. AVAR 2009@kyoto FFR GreenKiller Automatic kernel-mode malware analysis system Junichi Murakami, murakami@fourteenforty.jp Director of Research, Fourteenforty Research Institute, Inc.
  • 2. Who am I? • MURAKAMI Junichi(村上 純一) – Reverse Engineer, both Windows and Linux kernel development – BlackHat speaker at US and Japan 08 – Security & Programming Camp Instructor(2006 - ) – ITPro ホワイトハッカー道場(White Hacker Dojo) http://itpro.nikkeibp.co.jp/article/COLUMN/20070927/283156/ 2
  • 3. FFR GreenKiller Analyzing malicious driver from VMM version 0.0.1 ring 0 FFR GreenKiller(based on BitVisor) Agent Kernelmalware log ring 3 Tracer Guest VMM VMCALL 3
  • 4. Background Rootkits, Part1of 3: The Growing Threat(McAfee Avert Labs) http://www.mcafee.com/us/local_content/white_papers/threat_center/wp_akapoor_rootkits1_en.pdf 4
  • 5. Why kernel-mode (is troublesome) ? ring 0 Kernelmalware ring 3 malware IDA Pro, etc. User-mode malware is a process, Kernel-mode malware is a part of system BSOD is very welcomed  5
  • 6. FFR GreenKiller Analyzing malicious driver from VMM version 0.0.1 ring 0 FFR GreenKiller(based on BitVisor) Agent Kernelmalware log ring 3 Tracer Guest VMM VMCALL 6
  • 7. BitVisor - http://www.bitvisor.org • Open-source VMM software (BSD License) • Secure VM Project (National Project in Japan) • Intel-VT and AMD-v supported • GreenKiller uses BitVisor as a VMM framework  Hardware BitVisor VMM Core Security Features Disk Encryption VPN ・・・ Guest OS device driver 7
  • 8. BitVisor (cont.) BIOS NTLDR Grub BitVisor Windows 8
  • 9. Initialization ring 0 FFR GreenKiller Agent Kernel ring 3 VMCALL 1. Build up kernel API database 2. Hook driver-loading API in Guest ptr_PsLoadedModuleList ptr_IopLoadDriverHookAddr 9
  • 11. DriverObject kd> dt nt!_DRIVER_OBJECT +0x000 Type : Int2B +0x002 Size : Int2B +0x004 DeviceObject : Ptr32 _DEVICE_OBJECT +0x008 Flags : Uint4B +0x00c DriverStart : Ptr32 Void +0x010 DriverSize : Uint4B +0x014 DriverSection : Ptr32 Void +0x018 DriverExtension : Ptr32 _DRIVER_EXTENSION +0x01c DriverName : _UNICODE_STRING +0x024 HardwareDatabase : Ptr32 _UNICODE_STRING +0x028 FastIoDispatch : Ptr32 _FAST_IO_DISPATCH +0x02c DriverInit : Ptr32 long +0x030 DriverStartIo : Ptr32 void +0x034 DriverUnload : Ptr32 void +0x038 MajorFunction : [28] Ptr32 long MZ.... .....................................PE... ..... ntoskrnl.exe DbgPrint 0x5002e DbgPrintEx 0x50050 .... [.edata section] 11 0x804d9000 DbgPrint 0x8052902e (0x804d9000 + 0x5002e) DbgPrintEx 0x80529050 (0x804d9000 + 0x50050) ・・・ ・・・
  • 12. Initialization ring 0 FFR GreenKiller Agent Kernel ring 3 VMCALL 1. Build up kernel API database 2. Hook driver-loading API in Guest ptr_PsLoadedModuleList ptr_IopLoadDriverHookAddr 12
  • 14. Break at DriverEntry 14 FFR GreenKiller Kernel mov eax, dword ptr [guest_esp] mov edx, eax push eax call GetAddressOfEntryPoint add edx, eax mov byte ptr [edx], 0xcc malwareIopLoadDriver
  • 15. Software BP vs. Hardware BP • Software BP – Replace original byte with int3(0xcc) • Processor generates an #BP when int3 is hit – No limit on number of BPs • Hardware BP – Use Debug Register(DR0-DR3) – Needless to modify original code – Only 4 BPs simultaneously 15
  • 16. Code Tracing 16 DriverEntry ret call ret call DbgPrint ret sub_10031 A) Insert ‘0xcc’ into closest branch by disassembling the code from DriverEntry B) Execution is suspended on the branch Check whether execution takes the branch according to EFLAGS’s value • If true: Insert ‘0xcc’ into branched addr. • If not: Working the same as A. C) Execution is suspended on the branched addr. Check whether it is an entry of kernel API • if true: Insert ‘0xcc’ into retaddr • if not: Working the same as A.
  • 17. Definition of an FSM 17 SEARCH_B EVAL_BCHECK_A Eval branch Branch not taken, find next branch Branch taken, check address checked, find next branch
  • 18. That’s all? • No, we have to consider multiple context for callbacks • Driver is a plug-in for the kernel 18
  • 20. Ex)PsSetCreateProcessNotifyRoutine 20 NTSTATUS DriverEntry(IN PDRIVER_OBJECT DriverObject, IN PUNICODE_STRING RegistryPath) { … PsSetCreateProcessNotifyRoutine( CreateProcessNotifyCallback, ; NotifyRoutine FALSE ; Remove ); … } VOID CreateProcessNotifyCallback(IN HANDLE ParentId, IN HANDLE ProcessId, IN BOOLEAN Create) { DbgPrint(“Pid %d is %s¥n”, ProcessId, Create ? “created” : “exit”); }
  • 21. Callbacks(cont.) • IRP Handlers • DPC Routines • Registry Callbacks • Fs/Ndis/Tdi filters • PsSetCreateProcessNotifyRoutine • PsSetLoadImageNotifyRoutine • PsCreateSystemThread • etc. 21
  • 22. Lookup Kernel API 22 FFR GreenKiller Kernel malware State: CHECK_A Kernel API DB API Address DbgPrint 0x8052902e DbgPrintEx 0x80529050 … …. call 0x8052902e
  • 23. Lookup Kernel API(cont.) 23 FFR GreenKiller Kernel malware call PsSetCreateProcessNotifyRoutine NTSTATUS PsSetCreateProcessNotifyRoutine( IN PCREATE_PROCESS_NOTIFY_ROUTINE NotifyRoutine, IN BOOL Remove ); ReturnAddress = [GUEST_ESP] Arg1 = [GUEST_ESP+4]; NotifyRoutine Arg2 = [GUEST_ESP+8]; Remove State: CHECK_A Break
  • 24. Output [DriverEntry] 0xfd965012: DbgPrint(“DriverEntry: 0x%lx¥n”) 0xfd065054: IoCreateDevice(“¥¥Device¥m3z1”) 0xfd065067: IoCreateSymbolicLink(“¥¥Device¥m3z1”, “¥¥DosDevices¥m3z1”) 0xfd06508c: PsSetCreateProcessNotifyRoutine(CB#1) [DriverUnload] 0xfd9650c0: IoDeleteSymbolicLink(“¥¥DosDevices¥m3z1”) 0xfd9650cc: IoDeleteDevice [CB#1: PsSetCreateProcessNotityRoutine] 0xfd965134: PsGetCurrentProcessId 0xfd965140: DbgPrint(“CreateProcessCallback %d %d %d¥n”) 0xfd96710c: ExFreePool 24
  • 25. Limitation • Require Intel-VT • Require an Agent in guest’s ring3 – Request for quick hack :) • Limited API support – Callback, Argument recognization 25
  • 26. Related Work We can detect memory-patching by malware • Viton, Hypervisor IPS(BlackHat USA 08) – Manipulate Guest PageTable/PageTableEntry, – To protect memory patching by malicious driver JP: http://www.fourteenforty.jp/research/research_papers/bh-japan-08-Murakami.pdf EN: http://www.fourteenforty.jp/research/research_papers/bh-usa-08-Murakami.pdf 26