Search This Blog

March 30, 2017

MemoryMonRWX: Detect Kernel-Mode Rootkits via Real Time Logging & Controlling Memory Access



Modern malware and spyware platforms attack existing antivirus solutions and even Microsoft PatchGuard. To protect users and business systems new technologies developed by Intel and AMD CPUs may be applied. To deal with the new malware we propose monitoring and controlling access to the memory in real time using Intel VT-x with EPT. We have checked this concept by developing MemoryMonRWX, which is a bare-metal hypervisor. MemoryMonRWX is able to track and trap all types of memory access: read, write, and execute. MemoryMonRWX also has the following competitive advantages: fine-grained analysis, support of multi-core CPUs and 64-bit Windows 10. MemoryMonRWX is able to protect critical kernel memory areas even when PatchGuard has been disabled by malware. Its main innovative features are as follows: guaranteed interception of every memory access, resilience, and low performance degradation.

Details

Korkin, I., & Tanda S. (2017, May 15-16). Detect Kernel-Mode Rootkits via Real Time Logging & Controlling Memory Access. Paper presented at the Proceedings of the 12th annual Conference on Digital Forensics, Security and Law (CDFSL), Embry-Riddle Aeronautical University, Daytona Beach, Florida, USA. Retrieved from commons.erau.edu/adfsl/2017/papers/5/

June 27, 2016

Monitoring & Controlling Kernel-Mode Events by HyperPlatform

Using VT-x with EPT technologies to provide new must-have tools for reverse-engineering


We presented a HyperPlatform, which is an advanced system monitoring platform for Windows Operating System (OS). Using Intel VT-x and Extended Page Table (EPT) technologies, this platform provides speedy monitoring of various events. HyperPlatform is hidden and resilient to modern anti-forensics techniques and can be easily extended for day-to-day reverse engineering work.

Tanda, S., & Korkin, I. (2016, June 17-19). Monitoring & controlling kernel-mode events by HyperPlatform. Paper presented at the REcon conference, Montreal, Canada. Retrieved from recon.cx/2016/talks/Monitoring-and-controlling-kernel-mode-events-by-HyperPlatform.html

Details

May 30, 2016

Acceleration of Statistical Detection of Zero-day Malware in the Memory Dump Using CUDA-enabled GPU Hardware

This paper focuses on the anticipatory enhancement of methods of detecting stealth software. Cyber security detection tools are insufficiently powerful to reveal the most recent cyber-attacks which use malware. In this paper, we will present first an idea of the highest stealth malware, as this is the most complicated scenario for detection because it combines both existing anti-forensic techniques together with their potential improvements. Second, we present new detection methods, which are resilient to this hidden prototype. To help solve this detection challenge, we have analyzed Windows memory content using a new method of Shannon Entropy calculation; methods of digital photogrammetry; the Zipf–Mandelbrot law, as well as by disassembling the memory content and analyzing the output. Finally, we present an idea and architecture of the software tool, which uses CUDA-enabled GPU hardware to speed-up memory forensics. All three ideas are currently a work in progress.

Details
  • Authors proposal in PDF - link
  • Proceeding version in PDF - link
  • Slides in PDF or in PPTX with comments - link w PDF or link w PPTX
  • Speech in DOCX - link
  • Source code on github - ASAP


Korkin, I., & Nesterow I. (2016, May 24-26). Acceleration of Statistical Detection of Zero-day Malware in the Memory Dump Using CUDA-enabled GPU Hardware. Paper presented at the Proceedings of the 11th annual Conference on Digital Forensics, Security and Law (CDFSL), Embry-Riddle Aeronautical University, Daytona Beach, Florida, USA, pp. 47-82 Retrieved from commons.erau.edu/adfsl/2016/tuesday/10

May 27, 2015

Two Challenges of Stealthy Hypervisors Detection: Time Cheating and Data Fluctuations

Hardware virtualization technologies play a significant role in cyber security. On the one hand these technologies enhance security levels, by designing a trusted operating system. On the other hand these technologies can be taken up into modern malware which is rather hard to detect. None of the existing methods is able to efficiently detect a hypervisor in the face of countermeasures such as time cheating, temporary self-uninstalling, memory hiding etc. New hypervisor detection methods which will be described in this paper can detect a hypervisor under these countermeasures and even count several nested ones. These novel approaches rely on the new statistical analysis of time discrepancies by examination of a set of instructions, which are unconditionally intercepted by a hypervisor. Reliability was achieved through the comprehensive analysis of the collected data despite its fluctuation. These offered methods were comprehensively assessed in both Intel and AMD CPUs.

Details


Korkin, I. (2015, May 18-21). Two Challenges of Stealthy Hypervisors Detection: Time Cheating and Data Fluctuations. Paper presented at the Proceedings of the 10th Annual Conference on Digital Forensics, Security and Law (CDFSL), 33-57, Embry-Riddle Aeronautical University, Daytona Beach, Florida, USA. Retrieved from proceedings.adfsl.org/index.php/CDFSL/article/view/128/125

Update 07/16/2015 - Best Paper Award
This paper was selected as one of the best papers of the 10th ADFSL Conference 2015 conference.adfsl.org and it will be published in the Journal of Digital Forensics, Security and Law (JDFSL)!

Korkin, I. (2015, September). Two Challenges of Stealthy Hypervisors Detection: Time Cheating and Data Fluctuations. Journal of Digital Forensics, Security and Law, Vol 10, No 2, pp 7-38. Retrieved from ojs.jdfsl.org/index.php/jdfsl/article/view/337

July 24, 2014

Applying Memory Forensics to Rootkit Detection

Korkin, I., & Nesterov I. (2014, May 28-29). Applying Memory Forensics to Rootkit Detection. Paper presented at the Proceedings of the 9th annual Conference on Digital Forensics, Security and Law (CDFSL), 115-141, Richmond, VA, USA. Retrieved from proceedings.adfsl.org/index.php/CDFSL/article/view/34/34

Volatile memory dump and its analysis is an essential part of digital forensics. Among a number of various software and hardware approaches for memory dumping there are authors who point out that some of these approaches are not resilient to various anti-forensic techniques, and others that require a reboot or are highly platform dependent. New resilient tools have certain disadvantages such as low speed or vulnerability to rootkits which directly manipulate kernel structures e.g. page tables. A new memory forensic system – Malware Analysis System for Hidden Knotty Anomalies (MASHKA) is described in this paper. It is resilient to popular anti-forensic techniques. The system can be used for doing a wide range of memory forensics tasks. This paper describes how to apply the system for research and detection of kernel mode rootkits and also presents analysis of the most popular anti-rootkit tools.

Details