Применение виртуализации для динамического анализа

Very Mighty eXtension
for debugging
Artem Shishkin

Debugging prerequisites
― Ability to pause program execution
• Any asynchronous event is suitable (exception or interrupt)
― Ability to examine program CPU context (registers state)
― Ability to examine program memory
• Memory is shared (so as any hardware)

Debugging capabilities
― INT 3 (#BP)
• 0xCC opcode
• Involves memory modification
Original code
What you see in a debugger
What is really happening

― INT 1 (#DB)
• Single stepping
—Through setting TF in eflags register
• Debug registers
—Through modifying DR0-DR7 registers
—Up to 4 linear address breakpoints (Reads, Writes, Executes)
• Involves register modification

― INT 0x0E (#PF)
• Memory access trapping
• Trapping page access (Reads, Writes, Executes)
• Involves page table modification (Bits P, RW, XD)

OS debugging integration
― Modifies OS structures
• PEB. BeingDebugged
• nt!KdDebuggerEnabled
― Modifies control-flow
• Event suppressing
― Exposes information about debugging session
• ProcessDebugPort info class
― Refer to “The Ultimate Anti-Debugging Reference”
by Peter Ferrie

Debugging impact
― Execution is paused, but time is not
• GetTickCount
• rdtsc, rdtscp
• Performance monitoring
• OS specific (KdpTimeSlipDpc)

Virtual Machine Extensions
― Different processor execution mode
― Mode switching between Host (VMM) and Guest (OS)

VMCS
– Virtual Machine Control Structure
• Guest state
• Host state
• Virtual machine settings
• Can be dynamically switched

EPT
― Second Level Address Translation (SLAT)
― Extended Page Table
• Guest physical address to host physical address
mappings
• Page-level access control for guest physical addresses
(reads, writes, executes)
GVA
Guest CR3
GPA
VMCS EPTP
HPA

VM Exits
― Events that cause guest mode switch to host mode
• Interrupts and exceptions
• EPT violations
• Certain instructions execution
• Special periodic timer ticks
• Instruction fetches under certain conditions
• System state related changes
and more…

VMX and debugger similarities
― Guest is paused when Host executes
― Full CPU context access
― Full memory access

Debugging events
― VM Exits can be treated like debugging events
― A simple debugger needs nothing more
VM Exit Debugging event
Any VM Exit Debugger break-in
Any VM Resume Debugger continue
Monitor Trap Flag Single-step event
VM Exit Instruction Execution Breakpoint
EPT violation Page fault

Additional events
― Address space switching
• Used for switching between processes
― Special interrupts
• Gives an ability to trace processor bootstrap code
― System structures modification
• Used for debugging OS startup code
― Hardware access through IO ports and MMIO
• Used for debugging hardware

Guest isolation benefits
― Stealth debugging
• Breakpoints hiding through EPT modification
• Hardware filtering through EPT modification, IO ports
interception, VT-d, MSR access interception
― Time control
• Ability to conceal host execution time
― Blue-pilling
• Ability to convert your machine into virtual one on-the-fly at
any time (well, at any time that you are able to gain execution
control)

Full hardware access
― Full memory control
• Disregarding address space
• Disregarding privilege level
― Full context control
― Full MSR control

Analyzing the execution environment
― Perform in-place memory forensics
• Extended with CPU state
― Full hardware access provides full information about
software
• Current module can be detected using module header
• Current kernel can be detected using CPU state
• Symbol information can be used to restore high-level OS
data structures

Virtualized memory is physical memory
― OS memory manager relies on virtual memory
• Memory pages can be not mapped (on-demand paging)
• Memory pages can be trimmed
• Memory pages can be moved
• Memory manager can interpret non-present pages however it
wants

Virtual machine monitor robustness
― VMX Guest operation is different from ordinary operation
• VMM has to emulate a set of instructions
― Stealthness is not free of charge
• All detection vectors have to be inspected and tested with
care
• Some anti-detection tricks are highly difficult to implement
― Host mode operation is also not free of charge
• VMM has to be fast in order the Guest to operate smoothly

User interaction
― Debuggee is a remote machine
• Difficult to share the hardware between host and guest
― Communication is done via a set of transports
• Windows KD as an example
― Debugger is small and stupid
• Heavy analysis is performed by a debugging client
― Minimize data exchange
• Transport can be slow (like serial)
• Offload client features to the VMM if possible

Breakpoints
― Ordinary int 3
― Hide through EPT (allow execution only)
• Can be emulated on read or write
• Can be single-stepped on read or write
― Global
• Filter using CR3, VA and GPA

Debugging hints
― Maximize memory pages presence
• Disable swap
• DisablePagingExecutive (for Windows)
• Learn OS memory manager – absent pages can be mapped
elsewhere
― Suppress interrupts
• Modify IF bit in eflags
• Modify guest interruptibility state

Questions?
• https://twitter.com/honorary_bot
• https://github.com/honorarybot
• https://github.com/ptresearch
• https://www.ptsecurity.com/products/#multiscanner

Thank you!
Artem Shishkin
ashishkin@ptsecurity.com

Применение виртуализации для динамического анализа

More Related Content

What's hot (20)

Viewers also liked (20)

Similar to Применение виртуализации для динамического анализа (20)

More from Positive Hack Days (20)

Recently uploaded (20)

Применение виртуализации для динамического анализа