CSW2016 - Macaulay - EhTrace: RoP Hooks
Introduction
• K2 / [email protected]
Intro / Outline
• Hooking / Tracing
• What is a binary doing?
• Can we modify / detour it?
• Frustrations / Hurdles
• Friendly inputs
• Symbol support
TOOLS / Open / Github / CODE
• Github.com/K2
• inVtero.net
  • Evolution from CSW14 (process detection)
  • Cross-platform (Windows, *BSD, Linux) memory analysis
  • Cross-micro-architecture (Sandy Bridge, Skylake, ...)
  • Cross-hypervisor (based on auto-magic VMCS/EPTP extraction)
    • Includes nested support
• EhTrace (pronounced "A Trace")
  • What we're going to cover this time @ CSW! :)
  • Let me know if I missed any code in the check-in!!
EhTrace
• About time for a trace, eh?
• Uses VEH (Vectored Exception Handling) under the covers
  • Need to be a little careful
  • Don't want to alter or change the behavior of what we're looking at
Hooking execution
• Detours
  • Requires an instruction length decoder
  • Rewrites the function prolog into a specialized function which performs logging, analysis, etc.
  • Usually static, can be dynamic / JIT'd
  • May jmp to a leaf-like detour which can work without knowing the function prototype / stack requirements
• Most of the time you will need symbols or really good logic in the hooker to not break execution
What's the problem again?
• Debuggers are slow
  • Second-process context switching is fairly expensive
  • Logic for conditional breakpoints is far more expensive still (every hit is a round trip to the debugger process)
• Checksums
  • Malicious binaries often checksum their code to validate they are not being analyzed
  • Highly secure environments may checksum their binaries to make sure they are not tampered with
Ret2code
• Original libc work, Solar Designer
  • http://seclists.org/bugtraq/1997/Aug/63
• Handy since most overflows contain a pointer to useful addresses
  • Your input
  • System libraries
• Still used to this day (RoP)
Stack Hooking
• Attempted to use this as an alternative to what we wound up using
• From a second "manager" thread
  • Load from a RoP chain pool (memory area with RoP gadgets)
  • Borrow memory from the executing stack, from above the stack top
    • Usually some spare memory there
• Not very great
  • Only post-condition hooking
  • Have to find a way to get notification on new calls
    • Do some sort of shadow stack / memory protection trickery
  • Tends to be fairly fragile

[Figure: stack layout diagram; only the gadget labels "RET" survive from the image]
EhTrace - how it works
• Remarkably easy to trigger branch stepping of a binary
  • In the VEH handler set 3 bits and return.
  • THAT'S IT
  • TRAP FLAG (EFLAGS bit 8, 0x100)
  • OTHER FLAGS :D (DR7 bits 8 and 9, 0x300: the LE/GE bits, which Windows uses to request the CPU's branch trace flag, so the trap fires on branches instead of on every instruction)

    #include <windows.h>

    LONG WINAPI vEhTracer(PEXCEPTION_POINTERS ExceptionInfo)
    {
        // single step
        ExceptionInfo->ContextRecord->EFlags |= 0x100;
        // setup branch tracing
        ExceptionInfo->ContextRecord->Dr7 |= 0x300;
        return EXCEPTION_CONTINUE_EXECUTION;
    }
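The following is an added example written for this page, not EhTrace's own code. It separates the "set 3 bits and return" policy from the Windows plumbing so the policy can be exercised on any OS: the handler arms tracing when it sees a private exception code (ARM_TRACE_CODE is a hypothetical value chosen for the example), records RIP / LAST_RIP on each single-step trap, re-sets TF on every trap, passes any exception that is not its own to the next handler untouched, and stops by no longer setting TF once a step budget is spent. The Windows-only VEH glue sits under #ifdef _WIN32; the DR7 0x300 mapping to branch-only traps is the deck's claim, reproduced as-is.

```c
/* Added example (not EhTrace code): OS-neutral handler policy plus Windows VEH glue. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define EH_STATUS_SINGLE_STEP 0x80000004u /* EXCEPTION_SINGLE_STEP */
#define EH_EFLAGS_TF          0x100u      /* EFLAGS.TF: trap after the next instruction */
#define EH_DR7_LE_GE          0x300u      /* DR7 bits 8/9; Windows turns these into branch-only traps */
#define ARM_TRACE_CODE        0xE0000A7Cu /* hypothetical private code raised once to switch tracing on */

enum eh_action { EH_CONTINUE_SEARCH = 0, EH_CONTINUE_EXECUTION = -1 };

struct eh_trace {
    uint64_t rip, last_rip;      /* two of the five state fields the deck records */
    unsigned steps, max_steps;   /* stop re-arming TF after max_steps traps */
    int armed;
};

/* Pure policy: what the handler returns and how it edits the thread context. */
static enum eh_action eh_handle(struct eh_trace *t, uint32_t code,
                                uint32_t *eflags, uint64_t *dr7, uint64_t rip)
{
    if (code == ARM_TRACE_CODE) {
        *eflags |= EH_EFLAGS_TF;
        *dr7 |= EH_DR7_LE_GE;
        t->armed = 1;
        t->steps = 0;
        t->rip = t->last_rip = rip;
        return EH_CONTINUE_EXECUTION;   /* resume after RaiseException with TF/BTF live */
    }
    if (code != EH_STATUS_SINGLE_STEP || !t->armed)
        return EH_CONTINUE_SEARCH;      /* not our trap: context left untouched for the next handler */

    t->last_rip = t->rip;               /* where the previous trap left us ... */
    t->rip = rip;                       /* ... and where this one landed */
    if (++t->steps >= t->max_steps) {   /* budget spent: stop by not re-setting TF */
        *eflags &= ~(uint32_t)EH_EFLAGS_TF;
        *dr7 &= ~(uint64_t)EH_DR7_LE_GE;
        t->armed = 0;
    } else {
        *eflags |= EH_EFLAGS_TF;        /* re-set on every trap; do not assume TF survives dispatch */
        *dr7 |= EH_DR7_LE_GE;
    }
    return EH_CONTINUE_EXECUTION;
}

#ifdef _WIN32
#include <windows.h>
static struct eh_trace g_trace = { 0, 0, 0, 64, 0 };

static LONG WINAPI eh_vectored_handler(PEXCEPTION_POINTERS info)
{
    PCONTEXT ctx = info->ContextRecord;
    uint32_t eflags = ctx->EFlags;
    uint64_t dr7 = ctx->Dr7;
    enum eh_action a = eh_handle(&g_trace, info->ExceptionRecord->ExceptionCode, &eflags, &dr7,
                                 (uint64_t)(uintptr_t)info->ExceptionRecord->ExceptionAddress);
    ctx->EFlags = eflags;
    ctx->Dr7 = (DWORD_PTR)dr7;          /* Dr7 is DWORD on x86, DWORD64 on x64 */
    return a == EH_CONTINUE_EXECUTION ? EXCEPTION_CONTINUE_EXECUTION : EXCEPTION_CONTINUE_SEARCH;
}

static volatile unsigned g_sink;
int main(void)
{
    AddVectoredExceptionHandler(1, eh_vectored_handler);   /* 1 = first in the VEH chain */
    RaiseException(ARM_TRACE_CODE, 0, 0, NULL);            /* handler arms the trace and continues here */
    for (unsigned i = 0; i < 100000; i++) g_sink += i;     /* traced until the step budget runs out */
    printf("traps=%u rip=%llx last_rip=%llx\n", g_trace.steps,
           (unsigned long long)g_trace.rip, (unsigned long long)g_trace.last_rip);
    return 0;
}
#else
/* Without Windows, drive the policy with a constructed exception sequence. */
int main(void)
{
    struct eh_trace t = { 0, 0, 0, 3, 0 };
    uint32_t eflags = 0x246; uint64_t dr7 = 0;
    eh_handle(&t, ARM_TRACE_CODE, &eflags, &dr7, 0x1000);
    for (uint64_t rip = 0x1010; t.armed; rip += 0x10)
        eh_handle(&t, EH_STATUS_SINGLE_STEP, &eflags, &dr7, rip);
    printf("traps=%u eflags=%x dr7=%llx\n", t.steps, eflags, (unsigned long long)dr7);
    return 0;
}
#endif
```

Returning EXCEPTION_CONTINUE_EXECUTION from the ARM_TRACE_CODE dispatch resumes the thread right after RaiseException with the edited context, which is what makes the first single-step trap fire without an int3 or a second process. Keep the handler's own footprint small: anything it calls is executed with TF clear, but it still runs inside the dispatcher of the traced thread.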
EhTrace - RoP Hooks
• Register a VEH handler: CreateRemoteThread(... &VeH_RoP, ...);
• VeH_RoP: use a RoP gadget finder (there are many)
• Handler only needs to set the 3 bits then exit with continue status
• Using the exception dispatcher we're now able to get the preconditions we missed with the stack / shadow model
• Debugger functionality w/o a debugger
  • i.e. passes all checks from https://github.com/Trietptm-on-Security/DebugDetector
• May introduce a plugin to allow WinDbg to use our engine as a side-loaded in-proc debugger
What else is it good for?
• Branch stepping is pretty sweet!
• A lot more than detours on functions
• Basic block analysis
  • Code coverage
  • Can we put this into a DBI (Dynamic Binary Instrumentation) framework?
• Do we need to emulate? Isn't that slow?
  • If we're dealing with a malicious binary we have several things to consider.
  • Of course we also need to watch out for an otherwise non-malicious binary doing something that might disrupt our trace
Maintaining control
• Maybe use page protection to force an exception on execution (don't want to place an int3, obviously)
  • When an attempt is made to execute the page we check to see what emulation is needed
• If somebody tries to take over VEH
  • What about intra-block stuff?
  • Can't they just write over our VEH handler in memory?
  • Sure, so maybe register 2! Also set up the VEH continue handler
Block fighting with a hooker
• BlockFighter has to be smart, fast and in total control!
• Much like a Street Fighter II champ!

Block Fighting
• Simplified analysis
  • Using Capstone and the branch step
  • At the point of any jmp/ret/call control transfer we can stop our fight until the next round
  • Round 2, FIGHT!
  • Actually we're so good we always "give a second round"!
    • That means that if there's a conditional we need to follow through the conditional
    • Jne: we follow the non-jump path too, to ensure we complete the context until a ret/jmp/call
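An added example for the block-fighting rule above, written for this page; it is not EhTrace's code and does not use Capstone. A deliberately small x86-64 classifier (common jmp/jcc/call/ret encodings only: no prefixes, no SIB or displacement indirect forms, which it reports as unsupported) stands in for the disassembler, and the "give a second round" rule is generalised to either side of a Jcc: whichever side was not taken is queued so it gets walked to its own ret/jmp/call too. All addresses and byte sequences in the usage are constructed.

```c
/* Added example (not EhTrace code): minimal control-transfer classifier plus block fighter. */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

enum xfer_kind { XF_NONE = 0, XF_JMP, XF_JCC, XF_CALL, XF_RET, XF_JMP_IND, XF_CALL_IND, XF_UNSUPPORTED };

struct xfer {
    enum xfer_kind kind;
    unsigned len;          /* instruction length; 0 when we refuse to guess */
    uint64_t fallthrough;  /* rip + len: not-taken Jcc / return address of a call */
    uint64_t target;       /* statically known destination */
    int has_target;
};

static int32_t rd32(const uint8_t *p) { uint32_t v; memcpy(&v, p, 4); return (int32_t)v; }

static void set_rel(struct xfer *x, enum xfer_kind k, unsigned len, uint64_t rip, int64_t disp)
{
    x->kind = k; x->len = len; x->target = rip + len + (uint64_t)disp; x->has_target = 1;
}

/* Classify the instruction at rip. Opcodes this decoder does not know return XF_NONE. */
enum xfer_kind classify_xfer(const uint8_t *c, size_t n, uint64_t rip, struct xfer *x)
{
    memset(x, 0, sizeof *x);
    if (n == 0) return XF_NONE;
    uint8_t op = c[0];
    if (op == 0xC3)                                { x->kind = XF_RET; x->len = 1; }   /* ret */
    else if (op == 0xC2 && n >= 3)                 { x->kind = XF_RET; x->len = 3; }   /* ret imm16 */
    else if (op == 0xEB && n >= 2)                 set_rel(x, XF_JMP,  2, rip, (int8_t)c[1]);
    else if (op == 0xE9 && n >= 5)                 set_rel(x, XF_JMP,  5, rip, rd32(c + 1));
    else if (op == 0xE8 && n >= 5)                 set_rel(x, XF_CALL, 5, rip, rd32(c + 1));
    else if ((op & 0xF0) == 0x70 && n >= 2)        set_rel(x, XF_JCC,  2, rip, (int8_t)c[1]);
    else if (op == 0x0F && n >= 6 && (c[1] & 0xF0) == 0x80)
                                                   set_rel(x, XF_JCC,  6, rip, rd32(c + 2));
    else if (op == 0xFF && n >= 2) {               /* call/jmp r/m64: modrm.reg 2 = call, 4 = jmp */
        unsigned mod = c[1] >> 6, reg = (c[1] >> 3) & 7, rm = c[1] & 7;
        if (reg != 2 && reg != 4) return XF_NONE;
        x->kind = reg == 2 ? XF_CALL_IND : XF_JMP_IND;
        if (mod == 3) x->len = 2;                              /* call/jmp r64: target only known at run time */
        else if (mod == 0 && rm == 5 && n >= 6) x->len = 6;    /* call/jmp [rip+disp32]: IAT-style slot */
        else x->kind = XF_UNSUPPORTED;                         /* SIB/disp forms: hand to a real decoder */
    }
    if (x->len) x->fallthrough = rip + x->len;
    return x->kind;
}

/* Block fighter: every transfer closes the current block [start, end); a Jcc
 * also owes a "second round" for the side that was not taken. */
#define BF_MAX 32
struct block { uint64_t start, end; };
struct fighter {
    uint64_t cur_start;
    uint64_t pending[BF_MAX]; size_t npending;   /* block starts still to be walked */
    struct block blocks[BF_MAX]; size_t nblocks;
};

void fighter_start(struct fighter *f, uint64_t entry) { memset(f, 0, sizeof *f); f->cur_start = entry; }

/* One branch-step trap: the bytes at `from` (the transferring instruction) and
 * `to` (where the CPU actually landed). Returns 1 if a round ended, 0 if the
 * bytes were not a transfer, -1 if a real decoder is needed. */
int fighter_round(struct fighter *f, const uint8_t *code, size_t n, uint64_t from, uint64_t to)
{
    struct xfer x;
    enum xfer_kind k = classify_xfer(code, n, from, &x);
    if (k == XF_NONE) return 0;
    if (k == XF_UNSUPPORTED) return -1;
    if (f->nblocks < BF_MAX) f->blocks[f->nblocks++] = (struct block){ f->cur_start, from + x.len };
    if (k == XF_JCC && f->npending < BF_MAX)
        f->pending[f->npending++] = (to == x.target) ? x.fallthrough : x.target;
    f->cur_start = to;          /* the next block starts wherever we landed */
    return 1;
}

int main(void)
{
    struct fighter f;
    fighter_start(&f, 0x1000);
    fighter_round(&f, (const uint8_t[]){ 0x75, 0x05 }, 2, 0x1010, 0x1017);   /* jne taken */
    fighter_round(&f, (const uint8_t[]){ 0xC3 }, 1, 0x1020, 0x400000);       /* ret */
    for (size_t i = 0; i < f.nblocks; i++)
        printf("block [%llx, %llx)\n", (unsigned long long)f.blocks[i].start, (unsigned long long)f.blocks[i].end);
    for (size_t i = 0; i < f.npending; i++)
        printf("second round owed at %llx\n", (unsigned long long)f.pending[i]);
    return 0;
}
```

The pending list is what the fighter drains on its "second round": each entry is a block start that execution did not visit, so the tracer has to get there (by redirecting RIP or by waiting for the other branch outcome) before the basic-block picture of the function is complete.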
Block Fighting
• Watch the EFLAGS & DRs: any manipulation of them will cause problems for us
  • DEBUG_MSR?
  • Lots of things, probably
• Overall, however, we have a platform to build primitives on that can eventually do battle in a structured way
  • Maybe combine BlockFighter with stack injection to ensure we have additional post-condition checks on our flag / branch-step / VEH state
Coverage
• Can you hear me now?
• Flame graph
  • Current minimal state includes RIP, LAST_RIP, TID, FLAGS and ESP
  • This is sufficient to build any code graph! Intra-procedural, call graph or full trace
• FLAMING BlockFighter!
  • http://www.brendangregg.com/FlameGraphs

CPU FLAME GRAPH
• Original from here -> http://www.brendangregg.com/FlameGraphs/cpu-bash-flamegraph.svg (PowerPoint doesn't do SVGs)
• We have all the data required for generating these, however it's a TODO
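An added example for the Coverage slides, written for this page; it is not EhTrace's code. It turns a constructed branch-step record stream (TID, LAST_RIP, RIP, plus the kind of transfer found at LAST_RIP, as a classifier like the one on the previous slide would supply) into the "frame;frame;frame count" folded-stack lines that Brendan Gregg's flamegraph.pl consumes. The symbol table and every address are constructed for the example; unknown addresses fall back to hex, which is the "no symbols yet" output. A count here is the number of branch events seen under that stack, not time.

```c
/* Added example (not EhTrace code): folded stacks for flamegraph.pl from branch-step records. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

enum rec_kind { RK_CALL, RK_RET, RK_JMP };
struct trace_rec { uint32_t tid; uint64_t last_rip, rip; enum rec_kind kind; };

struct folded { char stack[256]; unsigned count; };

#define MAX_DEPTH 32
#define MAX_THREADS 8
struct shadow { uint32_t tid; int used; size_t depth; uint64_t frames[MAX_DEPTH]; };

/* Constructed symbol table standing in for the "tighter symbols" TODO. */
static const char *symbolize(uint64_t addr, char *buf, size_t n)
{
    static const struct { uint64_t addr; const char *name; } syms[] = {
        { 0x140001000, "main" }, { 0x140001200, "parse" }, { 0x140001400, "emit" },
    };
    for (size_t i = 0; i < sizeof syms / sizeof syms[0]; i++)
        if (syms[i].addr == addr) return syms[i].name;
    snprintf(buf, n, "0x%llx", (unsigned long long)addr);   /* no symbol: hex fallback */
    return buf;
}

static struct shadow *shadow_for(struct shadow *s, uint32_t tid, uint64_t entry)
{
    for (size_t i = 0; i < MAX_THREADS; i++) {
        if (s[i].used && s[i].tid == tid) return &s[i];
        if (!s[i].used) {                   /* first sight of this thread: base frame is `entry` */
            s[i].used = 1; s[i].tid = tid; s[i].depth = 1; s[i].frames[0] = entry;
            return &s[i];
        }
    }
    return NULL;                            /* more threads than we track */
}

/* Join the shadow stack into a folded key and bump its count. */
static void account(const struct shadow *sh, struct folded *out, size_t max_out, size_t *n_out)
{
    char key[256] = "", tmp[32];
    for (size_t i = 0; i < sh->depth; i++) {
        if (i) strncat(key, ";", sizeof key - strlen(key) - 1);
        strncat(key, symbolize(sh->frames[i], tmp, sizeof tmp), sizeof key - strlen(key) - 1);
    }
    for (size_t i = 0; i < *n_out; i++)
        if (strcmp(out[i].stack, key) == 0) { out[i].count++; return; }
    if (*n_out < max_out) { strcpy(out[*n_out].stack, key); out[*n_out].count = 1; (*n_out)++; }
}

/* Returns the number of distinct folded stacks written to out[]. `entry` is the
 * function every thread is assumed to start in (a simplification). */
size_t fold_trace(const struct trace_rec *r, size_t n, uint64_t entry,
                  struct folded *out, size_t max_out)
{
    struct shadow threads[MAX_THREADS] = { 0 };
    size_t n_out = 0;
    for (size_t i = 0; i < n; i++) {
        struct shadow *sh = shadow_for(threads, r[i].tid, entry);
        if (!sh) continue;
        if (r[i].kind == RK_CALL && sh->depth < MAX_DEPTH) sh->frames[sh->depth++] = r[i].rip; /* landing = callee entry */
        else if (r[i].kind == RK_RET && sh->depth > 1) sh->depth--;                          /* back in the caller */
        /* RK_JMP: intra-procedural, shadow stack unchanged */
        account(sh, out, max_out, &n_out);
    }
    return n_out;
}

void fold_print(const struct folded *out, size_t n, FILE *fp)
{
    for (size_t i = 0; i < n; i++) fprintf(fp, "%s %u\n", out[i].stack, out[i].count);
}

int main(void)
{
    /* constructed single-thread stream: main calls parse, parse calls emit, returns, main calls an unnamed function */
    static const struct trace_rec recs[] = {
        { 1, 0x140001010, 0x140001200, RK_CALL }, { 1, 0x140001220, 0x140001230, RK_JMP },
        { 1, 0x14000124f, 0x140001400, RK_CALL }, { 1, 0x14000140a, 0x140001254, RK_RET },
        { 1, 0x140001260, 0x140001015, RK_RET },  { 1, 0x140001020, 0x1400019a0, RK_CALL },
    };
    struct folded out[16];
    size_t n = fold_trace(recs, sizeof recs / sizeof recs[0], 0x140001000, out, 16);
    fold_print(out, n, stdout);   /* pipe into flamegraph.pl to render the SVG */
    return 0;
}
```

Because each record carries a TID, the same stream can hold several threads; each keeps its own shadow stack, and the folded keys from all of them land in one output, which is how flamegraph.pl expects multi-threaded input.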
Upcoming stuff...
• MSAGL graph maps: fun / interactive mesh graph, sort of looks like an expandable spider web!
• SVG builder (without the .pl scripts from Brendan)
• Tighter symbols (graphs and images are not as fun without English, eh?)
• strace / ltrace / *trace for Windows (auto-inject & log to console)
Upcoming stuff: Block fighters
• A FlagFighter
  • RFLAGS checks
• A PageFighter
  • Page protection monitor
  • E.g. protect the entry point a CreateRemoteThread call targets (the function argument), so a remote thread faults as it starts and is detected before the DLL thread notifications run
  • Use tricks like this to ensure you're not being tricked yourself
• An EmuFighter
  • Emulate an operation that would otherwise detect us

Private implementations differ!
• Your fighters will vary
  • i.e. if you're not using any system / runtime API you don't need to worry about locking as much (obviously)
[Figure: Notepad.exe basic block execution]
[Figure: the same, with disassembly]
[Figure: flame graph, no symbols yet]
Questions?
• Feedback, bugs & feature requests please
• https://github.com/K2
• Keep watching for updates

Thank you