Slide 1
HookScout: Proactive Binary-Centric Hook Detection
Heng Yin, Pongsin Poosankam, Steve Hanna, and Dawn Song
Slide 2
What is a hook?
(Figure: an example of SSDT hooking. In the SSDT (System Service Descriptor Table), the entry for ZwOpenKey is overwritten with the address of NewZwOpenKey, so execution is redirected.)
- Malware registers its own function (i.e., the hook) into the target location.
- Later, the data in the hook site is loaded into EIP, and execution is redirected into the malware's own function.
Slide 3
Hooking is an important attack vector
- Malware often needs to install hooks to implement illicit functionality.
- Rootkits want to intercept and tamper with critical system state.
- Network sniffers and stealth backdoors intercept the network stack.
- Spyware, keyloggers and password thieves need to know when sensitive information arrives.
Slide 4
Hooking Techniques Are Evolving
- Old techniques: SSDT, IDT, IAT, EAT, etc. Defeated by many existing hook detection tools.
- New trend: function pointers in kernel data structures
  - I/O completion routines
  - APC queues
  - Threads' saved context
  - Protocol characteristics structures
  - Driver object callback pointers
  - Timers
  - DPC kernel objects
  - DPCs scheduled from ISRs
  - IP filter driver hooks
  - Exception handlers
  - Data buffer callback routines
  - TLS callback routines
  - Plug and Play notifications
  - All kinds of WDM driver structures
  - Many more...
Slide 5
Advantages of Function Pointer Hooking
- Attack space is vast: ~20,000 function pointers in the Windows kernel.
- Hard to locate and validate: ~7,000 are in dynamically allocated memory regions, many of them in polymorphic data structures.
(Figure: a polymorphic hash table in the Windows kernel.)
Slide 6
Example: A polymorphic linked list
(Figure: a list anchored at ObjListHead whose nodes have different types: FILE_OBJ nodes with the fields head and open, and a DEVICE_OBJ node with the fields head, state and ioctl. Because the node types differ, a function pointer sits at a different offset in each node.)
Slide 7
Our Goal
Given the binary distribution of an OS kernel, automatically generate a hook detection policy:
- Locate function pointers
- Deal with polymorphic data structures
- Validate function pointers: only 3% ever change in their lifetime, so a simple policy suffices: check whether constant function pointers ever change.
Slide 8
System Overview
(Figure: system overview.)
Slide 9
Monitor Engine
- Goal: determine the concrete memory layout. For each static/dynamic memory object, determine the primitive type of each memory word.
- Primitive types: NULL, FP, CFP, DATA
- Solution: monitor memory objects; track function pointers.
(Figure: a memory object at Addr=e0012340h, Size = 20, with per-word types CFP, NULL, FP, DATA, DATA.)
Slide 10
Monitor Engine: Monitor Memory Objects
- Run the guest OS within TEMU, a whole-system binary analysis platform based on QEMU.
- For dynamic objects: hook the memory allocation/deallocation routines (ExAllocatePoolWithTag, ExFreePool, RtlAllocateHeap, RtlFreeHeap).
- For static objects: hook the module loading routine (MmLoadSystemImage).
(Figure: memory object, Addr=e0012340h, Size = 20.)
Slide 11
Monitor Engine: Track Function Pointers
- Function pointers appear in the relocation table.
- Function pointers point to a function entry.
Example: source of an allocation site and its compiled form

    CreateFile()
    {
        FILE_OBJ *f = malloc(sizeof(FILE_OBJ));
        ...
        f->open = MyFileCreate;                 /* a function pointer is stored into the object */
        InsertListTail(&f->link, &ObjListHead);
        ...
    }

    804d7200:  call malloc                      ; allocation site; its return address identifies the creation context
    ...
    804d7230:  mov [ebp-50h], 805d5141h         ; the immediate 805d5141h is a function address (relocated constant)

(Figure: the resulting object, Addr=e0012340, Size = 40, Caller=804d7200, with per-word types CFP, NULL, FP, DATA, DATA, DATA.)
Slide 12
Inference Engine
- Goal: infer the abstract memory layout.
- Approach: context-sensitive abstraction.
  - Notion: the object creation context is the execution context in which an object is created (e.g., the caller of malloc). From the binary's point of view: the return addresses on the call stack.
  - Rationale: objects created under the same context have the same type.
- Solution: merge concrete layouts with the same context into one abstract layout.
Slide 13
Inference Engine: Context-Sensitive Type Inference
(Figure: two concrete layouts with the same creation context are merged word by word into a generalized layout.)

    Object Addr=e0012340, Size = 40, Caller=804d7200:   CFP  NULL  FP   DATA  DATA  DATA
  + Object Addr=e0032380, Size = 40, Caller=804d7200:   CFP  CFP   CFP  DATA  DATA  NULL
  = Generalized layout (caller=804d7200):               CFP  CFP   FP   DATA  DATA  DATA

Slide 14
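Before the detection engine applies these abstract layouts, here is the merge from slide 13 worked through in code. This is an added example, not HookScout's code or the authors' implementation. It assumes the monitor engine has already classified each word as NULL, FP, CFP or DATA (reading CFP as a function pointer that stayed constant over the object's lifetime and FP as one that changed), and it takes its join rules from the slide: NULL yields to any other type, and CFP joined with FP gives FP. The rule that DATA absorbs a pointer type is my assumption, since a word that is not consistently a pointer cannot be validated as one. The addresses and layouts are the slide's; the types and function names are mine.

```c
/* Added example, not HookScout's code: merging concrete per-word layouts
 * that share a creation context into one abstract layout (slide 13). */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Primitive word types from slide 9. CFP: function pointer that stayed
 * constant over the object's lifetime; FP: one that changed (reading of
 * the slides, see lead-in). */
typedef enum { T_NULL = 0, T_CFP = 1, T_FP = 2, T_DATA = 3 } word_type;

#define MAX_WORDS 16

/* One concrete layout as recorded by the monitor engine. */
typedef struct {
    uint32_t  addr;       /* object address in guest memory */
    uint32_t  caller;     /* creation context: return address of the allocator's caller */
    size_t    nwords;
    word_type type[MAX_WORDS];
} concrete_layout;

/* The abstract layout for one creation context. */
typedef struct {
    uint32_t  caller;
    size_t    nwords;
    word_type type[MAX_WORDS];
    int       nmerged;    /* how many concrete layouts went into it */
} abstract_layout;

/* Join of two word types. NULL yields to anything (slide 13: NULL+CFP=CFP,
 * DATA+NULL=DATA); CFP joined with FP is FP (slide 13: FP+CFP=FP). DATA
 * absorbing a pointer type is an assumption: such a word cannot be validated. */
static word_type join_type(word_type a, word_type b) {
    if (a == b)      return a;
    if (a == T_NULL) return b;
    if (b == T_NULL) return a;
    if (a == T_DATA || b == T_DATA) return T_DATA;
    return T_FP;          /* the remaining case is CFP with FP */
}

/* Fold a concrete layout into the abstract layout of its context.
 * Returns 0 on success, -1 if the object belongs to another context. */
static int merge_layout(abstract_layout *al, const concrete_layout *c) {
    if (al->nmerged == 0) {       /* first object seen for this context */
        al->caller = c->caller;
        al->nwords = c->nwords;
        memcpy(al->type, c->type, c->nwords * sizeof c->type[0]);
        al->nmerged = 1;
        return 0;
    }
    if (al->caller != c->caller || al->nwords != c->nwords) return -1;
    for (size_t i = 0; i < c->nwords; i++)
        al->type[i] = join_type(al->type[i], c->type[i]);
    al->nmerged++;
    return 0;
}

static const char *type_name(word_type t) {
    static const char *names[] = { "NULL", "CFP", "FP", "DATA" };
    return names[t];
}

/* Render a layout as "CFP CFP FP ..." into a static buffer. */
static const char *layout_string(const abstract_layout *al) {
    static char buf[MAX_WORDS * 5 + 1];
    buf[0] = '\0';
    for (size_t i = 0; i < al->nwords; i++) {
        if (i > 0) strcat(buf, " ");
        strcat(buf, type_name(al->type[i]));
    }
    return buf;
}

/* Slide 13's two objects, both created by the call site at 804d7200. */
static abstract_layout infer_slide13_example(void) {
    concrete_layout o1 = { 0xe0012340u, 0x804d7200u, 6,
                           { T_CFP, T_NULL, T_FP,  T_DATA, T_DATA, T_DATA } };
    concrete_layout o2 = { 0xe0032380u, 0x804d7200u, 6,
                           { T_CFP, T_CFP,  T_CFP, T_DATA, T_DATA, T_NULL } };
    abstract_layout al;
    memset(&al, 0, sizeof al);
    merge_layout(&al, &o1);
    merge_layout(&al, &o2);
    return al;
}

static const char *slide13_layout_string(void) {
    abstract_layout al = infer_slide13_example();
    return layout_string(&al);
}

int main(void) {
    printf("Generalized layout (caller=804d7200): %s\n", slide13_layout_string());
    /* prints: CFP CFP FP DATA DATA DATA */
    return 0;
}
```

merge_layout refuses an object from a different creation context, which keeps each abstract layout keyed by exactly one caller, the property the detection engine relies on when it uses return addresses as the lookup key.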
Detection Engine
- Goal: enforce the hook detection policy on the user's machine.
- Solution: monitor memory objects: hook the same set of functions, apply the abstract layout, and use the return addresses as the key to the abstract layout.
- Implementation: kernel module vs. hypervisor.
Slide 15
Detection Engine: go back to the example
(Figure: the polymorphic list from slide 6, anchored at ObjListHead, with FILE_OBJ nodes (head, open) and a DEVICE_OBJ node (head, state, ioctl), now annotated with the abstract layout selected by each node's creation context:
  Abstract layout (caller=804d7200): DATA CFP DATA DATA DATA
  Abstract layout (caller=80500000): DATA DATA DATA DATA DATA CFP)
Slide 16
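The detection policy of slides 7, 14 and 15 in code, as an added example that is not HookScout's code: the two abstract layouts from slide 15 serve as the policy, the allocation hook keys each new object by its caller's return address and snapshots the values of its CFP words, and a later scan flags any CFP word whose value changed while ignoring FP and DATA words. The object contents and the replacement pointer value are constructed for the example (the value 805d5141h is the function address from slide 11); whether a kernel module or a hypervisor performs the scan (slide 14) is outside what the code models.

```c
/* Added example, not HookScout's code: the detection-engine check of
 * slides 7, 14 and 15, run over two constructed objects. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

typedef enum { T_NULL, T_CFP, T_FP, T_DATA } word_type;

#define MAX_WORDS 16

/* Abstract layout keyed by creation context (the caller's return address). */
typedef struct {
    uint32_t  caller;
    size_t    nwords;
    word_type type[MAX_WORDS];
} abstract_layout;

/* A live object under watch: its words, the layout that applies to it, and
 * the values its CFP words held when it was allocated. */
typedef struct {
    uint32_t              *mem;
    const abstract_layout *layout;
    uint32_t               baseline[MAX_WORDS];
} tracked_object;

/* The policy: slide 15's two abstract layouts. */
static const abstract_layout policy[] = {
    { 0x804d7200u, 5, { T_DATA, T_CFP, T_DATA, T_DATA, T_DATA } },
    { 0x80500000u, 6, { T_DATA, T_DATA, T_DATA, T_DATA, T_DATA, T_CFP } },
};

static const abstract_layout *lookup_policy(uint32_t caller) {
    for (size_t i = 0; i < sizeof policy / sizeof policy[0]; i++)
        if (policy[i].caller == caller) return &policy[i];
    return NULL;
}

/* Allocation hook: key the new object by the return address of the
 * allocator's caller and snapshot every CFP word. -1 if the context is unknown. */
static int on_allocate(tracked_object *t, uint32_t *mem, uint32_t caller) {
    const abstract_layout *l = lookup_policy(caller);
    if (l == NULL) return -1;
    t->mem = mem;
    t->layout = l;
    for (size_t i = 0; i < l->nwords; i++)
        if (l->type[i] == T_CFP) t->baseline[i] = mem[i];
    return 0;
}

/* Periodic scan: index of the first CFP word that no longer holds its
 * creation-time value, or -1 if the object is clean. FP and DATA words
 * are allowed to change and are never inspected. */
static int scan_object(const tracked_object *t) {
    for (size_t i = 0; i < t->layout->nwords; i++)
        if (t->layout->type[i] == T_CFP && t->mem[i] != t->baseline[i])
            return (int)i;
    return -1;
}

/* Constructed scenario after slide 15: a FILE_OBJ-like object created by
 * 804d7200 and a DEVICE_OBJ-like object created by 80500000. Returns a bit
 * mask of the objects flagged by the scan (bit k set = object k flagged). */
static unsigned run_scenario(int install_hook) {
    uint32_t file_obj[5]   = { 0xe0032380u, 0x805d5141u, 0, 0, 0 };     /* word 1: open (constructed contents) */
    uint32_t device_obj[6] = { 0xe0012340u, 0, 0, 1, 0, 0x805e2000u };  /* word 5: ioctl (constructed contents) */
    tracked_object objs[2];
    unsigned flagged = 0;

    on_allocate(&objs[0], file_obj, 0x804d7200u);
    on_allocate(&objs[1], device_obj, 0x80500000u);

    device_obj[3] = 2;                  /* benign runtime activity: a DATA word changes */
    if (install_hook)
        file_obj[1] = 0xf7a01230u;      /* constructed: the open pointer now points elsewhere */

    for (unsigned k = 0; k < 2; k++) {
        int w = scan_object(&objs[k]);
        if (w >= 0) {
            printf("object %u (caller=%08x): CFP word %d changed -> hook detected\n",
                   k, (unsigned)objs[k].layout->caller, w);
            flagged |= 1u << k;
        }
    }
    return flagged;
}

int main(void) {
    run_scenario(0);   /* clean: prints nothing */
    run_scenario(1);   /* prints: object 0 (caller=804d7200): CFP word 1 changed -> hook detected */
    return 0;
}
```

Because the baseline is taken per object at allocation time, the check does not need to know which function each object should point to; two objects from the same creation context may legitimately hold different constant pointers, and a change in a DATA word (the DEVICE_OBJ-like node's state field here) never raises an alarm.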
Experimental Evaluation
- Aspects to evaluate
  - Attack space
  - Analysis subsystem: policy coverage
  - Detection subsystem: real-world rootkits, performance, false alarms
- Experimental setup
  - Host machine: 3.0 GHz CPU, 4 GB RAM, Ubuntu
  - Guest machine: 512 MB RAM, Windows XP SP2
Slide 17
Evaluation: Attack Space
Slide 18
Evaluation: Function Pointer Lifetime Distribution
Slide 19
Evaluation: Policy Generation
Slide 20
Evaluation: Real-world Rootkit Detection
Slide 21
Evaluation: Performance of Detection Subsystem
Slide 22
Conclusion
- Function pointer hooking is a new trend: a large attack space, hard to detect, and even harder without OS source code.
- We developed HookScout
  - Binary-centric: deals with OS binary code
  - Context-sensitive: deals with type polymorphism
  - Proactive: detects attacks in advance