SlideShare ist ein Scribd-Unternehmen logo

Lack of System Registers and two simple anti-forensic attacks - AVTokyo 2009

Tsukasa Oi
Tsukasa Oi
TechnologieBusiness
1 von 22
Downloaden Sie, um offline zu lesen
Lack of System Registers and two simple anti-forensic attacks Tsukasa Ooi <li@livegrid.org> Lead Analyst, Livegrid Incorporated
Related Topics • Live Memory Forensics • Anti-forensics • Rootkits
What is “anti-forensics”? • The way to prevent forensics • Not only attackers! – Anti-forensics is also useful for bad guys to prevent OWN MACHINE to be forensically analyzed • But forget it. – I’m not talking about this…
I will be Taking at: • PacSec 2009 Stealthy Rootkit – How bad guy fools live memory forensics?
Live Memory Forensics/Imaging • Forensics based on memory of running machine • Done by Memory Acquisition Tools – EnCase – dd –…
What Physical Memory Acquisition Tools Do? • Acquire contents of Physical Memory • Acquire System Registers (optional) Really, “optional”?
What rootkits can do? • Can fake forensics software without acquiring contents of System Registers.
Really? • Many software does! – EnCase – (RAW) dd – Memoryze – WinEN – FastDump – …
Way to attack – part one (1) • Modify CR3 Registers (Pointer to Paging Structure)
Way to attack – part one (2) CR3 that forensic software recognized Kernel Kernel Kernel (unmodified) (malicious) real CR3
Way to attack – part one (3) • If System Registers are missing, forensic software finds signatures of system. • But these mechanism are very easy to fool.
Way to attack – part one (4) • Keep system (physical) memory range unmodified • Create backup region • Copy part of kernel and patch backup • Change CR3 to rootkit’s one
Way to attack – part one (5) CR3 that forensic software recognized Kernel Kernel Kernel (unmodified) (malicious) real CR3
Way to attack – part one (6) • But this attack is a bit difficult because rootkit must manage its own page table. • There is one more way that is very easy!
Way to attack – part two (1) IDTR/IA32_SYSENTER_EIP recognized Kernel Kernel Rootkit (unmodified) Code real IDTR/IA32_SYSENTER_EIP
Way to attack – part two (2) • IDTR is a system register managing interrupts and exceptions – Including page faults • IA32_SYSENTER_EIP MSR / LSTAR_MSR is a pointer to system call entry – Can hook/modify system calls
Way to attack – part two (3) • Way to implement: <Begin> Change these registers <End> Very easy right? • These are widely used by current rootkits but also useful for anti-forensics – If attacker hide rootkit somewhere in the memory, there are no general ways to detect these attacks!
Way to prevent these attacks (1) • Acquire these system registers – CR3 – IDTR – IA32_SYSENTER_EIP MSR – LSTAR_MSR • (If rootkit use CR3/IDTR) Check physical and logical memory layout
Way to prevent these attacks (2) • Interrupt Descriptor Table layout and Page Table layout are easy to detect • So… – Find these tables – Check if these tables are “malicious”
Conclusion • Acquire system registers as possible • New approach for forensics is needed
Have any questions? THANK YOU Tsukasa Ooi <li@livegrid.org> Livegrid Incorporated, Lead Analyst
Technical Articles and Sources • … will be available December, 2009 • at http://a4lg.com/

Empfohlen

Secure Proactive Recovery- a Hardware Based Mission Assurance Scheme
Secure Proactive Recovery- a Hardware Based Mission Assurance SchemeSecure Proactive Recovery- a Hardware Based Mission Assurance Scheme
Secure Proactive Recovery- a Hardware Based Mission Assurance SchemeRuchika Mehresh
 
MNSEC 2018 - Windows forensics
MNSEC 2018 - Windows forensicsMNSEC 2018 - Windows forensics
MNSEC 2018 - Windows forensicsMNCERT
 
Os introduction
Os introductionOs introduction
Os introductionKanika Garg
 
Os introduction
Os introductionOs introduction
Os introductionRavi Ramchandani
 
Introduction to forensic imaging
Introduction to forensic imagingIntroduction to forensic imaging
Introduction to forensic imagingMarco Alamanni
 
Live Forensics
Live ForensicsLive Forensics
Live ForensicsCTIN
 
SANS Windows Artifact Analysis 2012
SANS Windows Artifact Analysis 2012SANS Windows Artifact Analysis 2012
SANS Windows Artifact Analysis 2012Rian Yulian
 
Forensic imaging
Forensic imagingForensic imaging
Forensic imagingDINESH KAMBLE
 

Empfohlen

Secure Proactive Recovery- a Hardware Based Mission Assurance Scheme
Secure Proactive Recovery- a Hardware Based Mission Assurance SchemeSecure Proactive Recovery- a Hardware Based Mission Assurance Scheme
Secure Proactive Recovery- a Hardware Based Mission Assurance SchemeRuchika Mehresh
 
MNSEC 2018 - Windows forensics
MNSEC 2018 - Windows forensicsMNSEC 2018 - Windows forensics
MNSEC 2018 - Windows forensicsMNCERT
 
Os introduction
Os introductionOs introduction
Os introductionKanika Garg
 
Os introduction
Os introductionOs introduction
Os introductionRavi Ramchandani
 
Introduction to forensic imaging
Introduction to forensic imagingIntroduction to forensic imaging
Introduction to forensic imagingMarco Alamanni
 
Live Forensics
Live ForensicsLive Forensics
Live ForensicsCTIN
 
SANS Windows Artifact Analysis 2012
SANS Windows Artifact Analysis 2012SANS Windows Artifact Analysis 2012
SANS Windows Artifact Analysis 2012Rian Yulian
 
Forensic imaging
Forensic imagingForensic imaging
Forensic imagingDINESH KAMBLE
 
システムレジスタの不足と2つのシンプルなアンチフォレンジック攻撃 - AVTokyo 2009
システムレジスタの不足と2つのシンプルなアンチフォレンジック攻撃 - AVTokyo 2009システムレジスタの不足と2つのシンプルなアンチフォレンジック攻撃 - AVTokyo 2009
システムレジスタの不足と2つのシンプルなアンチフォレンジック攻撃 - AVTokyo 2009Tsukasa Oi
 
A New Tracer for Reverse Engineering - PacSec 2010
A New Tracer for Reverse Engineering - PacSec 2010A New Tracer for Reverse Engineering - PacSec 2010
A New Tracer for Reverse Engineering - PacSec 2010Tsukasa Oi
 
Mr201309 automated on-execute test using virtualbox jpn
Mr201309 automated on-execute test using virtualbox jpnMr201309 automated on-execute test using virtualbox jpn
Mr201309 automated on-execute test using virtualbox jpnFFRI, Inc.
 
Windows をより安全にする SafeSEH on MinGW
Windows をより安全にする SafeSEH on MinGWWindows をより安全にする SafeSEH on MinGW
Windows をより安全にする SafeSEH on MinGWTsukasa Oi
 
PHPにないセキュリティ機能
PHPにないセキュリティ機能PHPにないセキュリティ機能
PHPにないセキュリティ機能Yasuo Ohgaki
 
さらば、Stagefright 脆弱性
さらば、Stagefright 脆弱性さらば、Stagefright 脆弱性
さらば、Stagefright 脆弱性Tsukasa Oi
 
セキュアVMの構築 (IntelとAMDの比較、あともうひとつ...) - AVTokyo 2009
セキュアVMの構築 (IntelとAMDの比較、あともうひとつ...) - AVTokyo 2009セキュアVMの構築 (IntelとAMDの比較、あともうひとつ...) - AVTokyo 2009
セキュアVMの構築 (IntelとAMDの比較、あともうひとつ...) - AVTokyo 2009Tsukasa Oi
 
Unity Solution Conference 2015 Asset Touch and Try List
Unity Solution Conference 2015 Asset Touch and Try ListUnity Solution Conference 2015 Asset Touch and Try List
Unity Solution Conference 2015 Asset Touch and Try ListTakashi Jona
 
Stealthy Rootkit : How bad guy fools live memory forensics? - PacSec 2009
Stealthy Rootkit : How bad guy fools live memory forensics? - PacSec 2009Stealthy Rootkit : How bad guy fools live memory forensics? - PacSec 2009
Stealthy Rootkit : How bad guy fools live memory forensics? - PacSec 2009Tsukasa Oi
 
Hacking Question and Answer
Hacking Question and Answer Hacking Question and Answer
Hacking Question and Answer Greater Noida Institute Of Technology
 
You suck at Memory Analysis
You suck at Memory AnalysisYou suck at Memory Analysis
You suck at Memory AnalysisFrancisco Ribeiro
 
Oleksyk applied-anti-forensics
Oleksyk applied-anti-forensicsOleksyk applied-anti-forensics
Oleksyk applied-anti-forensicsDefconRussia
 
Disk forensics
Disk forensicsDisk forensics
Disk forensicsChiawei Wang
 
Automated defense from rootkit attacks
Automated defense from rootkit attacksAutomated defense from rootkit attacks
Automated defense from rootkit attacksUltraUploader
 
Kernel Memory Protection by an Insertable Hypervisor which has VM Introspec...
Kernel Memory Protection by an Insertable Hypervisor which has VM Introspec...Kernel Memory Protection by an Insertable Hypervisor which has VM Introspec...
Kernel Memory Protection by an Insertable Hypervisor which has VM Introspec...Kuniyasu Suzaki
 
Lecture 09 - Memory Forensics.pdfL E C T U R E 9 B Y .docx
Lecture 09 - Memory Forensics.pdfL E C T U R E 9 B Y .docxLecture 09 - Memory Forensics.pdfL E C T U R E 9 B Y .docx
Lecture 09 - Memory Forensics.pdfL E C T U R E 9 B Y .docxsmile790243
 
Live Memory Forensics on Android devices
Live Memory Forensics on Android devicesLive Memory Forensics on Android devices
Live Memory Forensics on Android devicesNikos Gkogkos
 
Full-System Emulation Achieving Successful Automated Dynamic Analysis of Evas...
Full-System Emulation Achieving Successful Automated Dynamic Analysis of Evas...Full-System Emulation Achieving Successful Automated Dynamic Analysis of Evas...
Full-System Emulation Achieving Successful Automated Dynamic Analysis of Evas...Lastline, Inc.
 
A Hypervisor IPS based on Hardware Assisted Virtualization Technology
A Hypervisor IPS based on Hardware Assisted Virtualization TechnologyA Hypervisor IPS based on Hardware Assisted Virtualization Technology
A Hypervisor IPS based on Hardware Assisted Virtualization TechnologyFFRI, Inc.
 
Monolithic kernel
Monolithic kernelMonolithic kernel
Monolithic kernelARAVIND18MCS1004
 
AOS Lab 5: System calls
AOS Lab 5: System callsAOS Lab 5: System calls
AOS Lab 5: System callsZubair Nabi
 
The Hacking Games - Operation System Vulnerabilities Meetup 29112022
The Hacking Games - Operation System Vulnerabilities Meetup 29112022The Hacking Games - Operation System Vulnerabilities Meetup 29112022
The Hacking Games - Operation System Vulnerabilities Meetup 29112022lior mazor
 

Weitere ähnliche Inhalte

Andere mochten auch

システムレジスタの不足と2つのシンプルなアンチフォレンジック攻撃 - AVTokyo 2009
システムレジスタの不足と2つのシンプルなアンチフォレンジック攻撃 - AVTokyo 2009システムレジスタの不足と2つのシンプルなアンチフォレンジック攻撃 - AVTokyo 2009
システムレジスタの不足と2つのシンプルなアンチフォレンジック攻撃 - AVTokyo 2009Tsukasa Oi
 
A New Tracer for Reverse Engineering - PacSec 2010
A New Tracer for Reverse Engineering - PacSec 2010A New Tracer for Reverse Engineering - PacSec 2010
A New Tracer for Reverse Engineering - PacSec 2010Tsukasa Oi
 
Mr201309 automated on-execute test using virtualbox jpn
Mr201309 automated on-execute test using virtualbox jpnMr201309 automated on-execute test using virtualbox jpn
Mr201309 automated on-execute test using virtualbox jpnFFRI, Inc.
 
Windows をより安全にする SafeSEH on MinGW
Windows をより安全にする SafeSEH on MinGWWindows をより安全にする SafeSEH on MinGW
Windows をより安全にする SafeSEH on MinGWTsukasa Oi
 
PHPにないセキュリティ機能
PHPにないセキュリティ機能PHPにないセキュリティ機能
PHPにないセキュリティ機能Yasuo Ohgaki
 
さらば、Stagefright 脆弱性
さらば、Stagefright 脆弱性さらば、Stagefright 脆弱性
さらば、Stagefright 脆弱性Tsukasa Oi
 
セキュアVMの構築 (IntelとAMDの比較、あともうひとつ...) - AVTokyo 2009
セキュアVMの構築 (IntelとAMDの比較、あともうひとつ...) - AVTokyo 2009セキュアVMの構築 (IntelとAMDの比較、あともうひとつ...) - AVTokyo 2009
セキュアVMの構築 (IntelとAMDの比較、あともうひとつ...) - AVTokyo 2009Tsukasa Oi
 
Unity Solution Conference 2015 Asset Touch and Try List
Unity Solution Conference 2015 Asset Touch and Try ListUnity Solution Conference 2015 Asset Touch and Try List
Unity Solution Conference 2015 Asset Touch and Try ListTakashi Jona
 

Andere mochten auch (8)

システムレジスタの不足と2つのシンプルなアンチフォレンジック攻撃 - AVTokyo 2009
システムレジスタの不足と2つのシンプルなアンチフォレンジック攻撃 - AVTokyo 2009システムレジスタの不足と2つのシンプルなアンチフォレンジック攻撃 - AVTokyo 2009
システムレジスタの不足と2つのシンプルなアンチフォレンジック攻撃 - AVTokyo 2009
 
A New Tracer for Reverse Engineering - PacSec 2010
A New Tracer for Reverse Engineering - PacSec 2010A New Tracer for Reverse Engineering - PacSec 2010
A New Tracer for Reverse Engineering - PacSec 2010
 
Mr201309 automated on-execute test using virtualbox jpn
Mr201309 automated on-execute test using virtualbox jpnMr201309 automated on-execute test using virtualbox jpn
Mr201309 automated on-execute test using virtualbox jpn
 
Windows をより安全にする SafeSEH on MinGW
Windows をより安全にする SafeSEH on MinGWWindows をより安全にする SafeSEH on MinGW
Windows をより安全にする SafeSEH on MinGW
 
PHPにないセキュリティ機能
PHPにないセキュリティ機能PHPにないセキュリティ機能
PHPにないセキュリティ機能
 
さらば、Stagefright 脆弱性
さらば、Stagefright 脆弱性さらば、Stagefright 脆弱性
さらば、Stagefright 脆弱性
 
セキュアVMの構築 (IntelとAMDの比較、あともうひとつ...) - AVTokyo 2009
セキュアVMの構築 (IntelとAMDの比較、あともうひとつ...) - AVTokyo 2009セキュアVMの構築 (IntelとAMDの比較、あともうひとつ...) - AVTokyo 2009
セキュアVMの構築 (IntelとAMDの比較、あともうひとつ...) - AVTokyo 2009
 
Unity Solution Conference 2015 Asset Touch and Try List
Unity Solution Conference 2015 Asset Touch and Try ListUnity Solution Conference 2015 Asset Touch and Try List
Unity Solution Conference 2015 Asset Touch and Try List
 

Ähnlich wie Lack of System Registers and two simple anti-forensic attacks - AVTokyo 2009

Stealthy Rootkit : How bad guy fools live memory forensics? - PacSec 2009
Stealthy Rootkit : How bad guy fools live memory forensics? - PacSec 2009Stealthy Rootkit : How bad guy fools live memory forensics? - PacSec 2009
Stealthy Rootkit : How bad guy fools live memory forensics? - PacSec 2009Tsukasa Oi
 
Oleksyk applied-anti-forensics
Oleksyk applied-anti-forensicsOleksyk applied-anti-forensics
Oleksyk applied-anti-forensicsDefconRussia
 
Automated defense from rootkit attacks
Automated defense from rootkit attacksAutomated defense from rootkit attacks
Automated defense from rootkit attacksUltraUploader
 
Kernel Memory Protection by an Insertable Hypervisor which has VM Introspec...
Kernel Memory Protection by an Insertable Hypervisor which has VM Introspec...Kernel Memory Protection by an Insertable Hypervisor which has VM Introspec...
Kernel Memory Protection by an Insertable Hypervisor which has VM Introspec...Kuniyasu Suzaki
 
Lecture 09 - Memory Forensics.pdfL E C T U R E 9 B Y .docx
Lecture 09 - Memory Forensics.pdfL E C T U R E 9 B Y .docxLecture 09 - Memory Forensics.pdfL E C T U R E 9 B Y .docx
Lecture 09 - Memory Forensics.pdfL E C T U R E 9 B Y .docxsmile790243
 
Live Memory Forensics on Android devices
Live Memory Forensics on Android devicesLive Memory Forensics on Android devices
Live Memory Forensics on Android devicesNikos Gkogkos
 
Full-System Emulation Achieving Successful Automated Dynamic Analysis of Evas...
Full-System Emulation Achieving Successful Automated Dynamic Analysis of Evas...Full-System Emulation Achieving Successful Automated Dynamic Analysis of Evas...
Full-System Emulation Achieving Successful Automated Dynamic Analysis of Evas...Lastline, Inc.
 
A Hypervisor IPS based on Hardware Assisted Virtualization Technology
A Hypervisor IPS based on Hardware Assisted Virtualization TechnologyA Hypervisor IPS based on Hardware Assisted Virtualization Technology
A Hypervisor IPS based on Hardware Assisted Virtualization TechnologyFFRI, Inc.
 
AOS Lab 5: System calls
AOS Lab 5: System callsAOS Lab 5: System calls
AOS Lab 5: System callsZubair Nabi
 
The Hacking Games - Operation System Vulnerabilities Meetup 29112022
The Hacking Games - Operation System Vulnerabilities Meetup 29112022The Hacking Games - Operation System Vulnerabilities Meetup 29112022
The Hacking Games - Operation System Vulnerabilities Meetup 29112022lior mazor
 
openioc_scan - IOC scanner for memory forensics
openioc_scan - IOC scanner for memory forensicsopenioc_scan - IOC scanner for memory forensics
openioc_scan - IOC scanner for memory forensicsTakahiro Haruyama
 
Android App Security Fundamentals
Android App Security FundamentalsAndroid App Security Fundamentals
Android App Security FundamentalsAndreaCioccarelli
 
One-Byte Modification for Breaking Memory Forensic Analysis
One-Byte Modification for Breaking Memory Forensic AnalysisOne-Byte Modification for Breaking Memory Forensic Analysis
One-Byte Modification for Breaking Memory Forensic AnalysisTakahiro Haruyama
 
A methodology to detect and characterize kernel level rootkit exploits involv...
A methodology to detect and characterize kernel level rootkit exploits involv...A methodology to detect and characterize kernel level rootkit exploits involv...
A methodology to detect and characterize kernel level rootkit exploits involv...UltraUploader
 
CarolinaCon 2008 Rootkits Then and Now
CarolinaCon 2008 Rootkits Then and NowCarolinaCon 2008 Rootkits Then and Now
CarolinaCon 2008 Rootkits Then and NowTyler Shields
 

Ähnlich wie Lack of System Registers and two simple anti-forensic attacks - AVTokyo 2009 (20)

Stealthy Rootkit : How bad guy fools live memory forensics? - PacSec 2009
Stealthy Rootkit : How bad guy fools live memory forensics? - PacSec 2009Stealthy Rootkit : How bad guy fools live memory forensics? - PacSec 2009
Stealthy Rootkit : How bad guy fools live memory forensics? - PacSec 2009
 
Hacking Question and Answer
Hacking Question and Answer Hacking Question and Answer
Hacking Question and Answer
 
You suck at Memory Analysis
You suck at Memory AnalysisYou suck at Memory Analysis
You suck at Memory Analysis
 
Oleksyk applied-anti-forensics
Oleksyk applied-anti-forensicsOleksyk applied-anti-forensics
Oleksyk applied-anti-forensics
 
Disk forensics
Disk forensicsDisk forensics
Disk forensics
 
Automated defense from rootkit attacks
Automated defense from rootkit attacksAutomated defense from rootkit attacks
Automated defense from rootkit attacks
 
Kernel Memory Protection by an Insertable Hypervisor which has VM Introspec...
Kernel Memory Protection by an Insertable Hypervisor which has VM Introspec...Kernel Memory Protection by an Insertable Hypervisor which has VM Introspec...
Kernel Memory Protection by an Insertable Hypervisor which has VM Introspec...
 
Lecture 09 - Memory Forensics.pdfL E C T U R E 9 B Y .docx
Lecture 09 - Memory Forensics.pdfL E C T U R E 9 B Y .docxLecture 09 - Memory Forensics.pdfL E C T U R E 9 B Y .docx
Lecture 09 - Memory Forensics.pdfL E C T U R E 9 B Y .docx
 
Live Memory Forensics on Android devices
Live Memory Forensics on Android devicesLive Memory Forensics on Android devices
Live Memory Forensics on Android devices
 
Full-System Emulation Achieving Successful Automated Dynamic Analysis of Evas...
Full-System Emulation Achieving Successful Automated Dynamic Analysis of Evas...Full-System Emulation Achieving Successful Automated Dynamic Analysis of Evas...
Full-System Emulation Achieving Successful Automated Dynamic Analysis of Evas...
 
A Hypervisor IPS based on Hardware Assisted Virtualization Technology
A Hypervisor IPS based on Hardware Assisted Virtualization TechnologyA Hypervisor IPS based on Hardware Assisted Virtualization Technology
A Hypervisor IPS based on Hardware Assisted Virtualization Technology
 
Monolithic kernel
Monolithic kernelMonolithic kernel
Monolithic kernel
 
AOS Lab 5: System calls
AOS Lab 5: System callsAOS Lab 5: System calls
AOS Lab 5: System calls
 
The Hacking Games - Operation System Vulnerabilities Meetup 29112022
The Hacking Games - Operation System Vulnerabilities Meetup 29112022The Hacking Games - Operation System Vulnerabilities Meetup 29112022
The Hacking Games - Operation System Vulnerabilities Meetup 29112022
 
openioc_scan - IOC scanner for memory forensics
openioc_scan - IOC scanner for memory forensicsopenioc_scan - IOC scanner for memory forensics
openioc_scan - IOC scanner for memory forensics
 
Memory Forensics
Memory ForensicsMemory Forensics
Memory Forensics
 
Android App Security Fundamentals
Android App Security FundamentalsAndroid App Security Fundamentals
Android App Security Fundamentals
 
One-Byte Modification for Breaking Memory Forensic Analysis
One-Byte Modification for Breaking Memory Forensic AnalysisOne-Byte Modification for Breaking Memory Forensic Analysis
One-Byte Modification for Breaking Memory Forensic Analysis
 
A methodology to detect and characterize kernel level rootkit exploits involv...
A methodology to detect and characterize kernel level rootkit exploits involv...A methodology to detect and characterize kernel level rootkit exploits involv...
A methodology to detect and characterize kernel level rootkit exploits involv...
 
CarolinaCon 2008 Rootkits Then and Now
CarolinaCon 2008 Rootkits Then and NowCarolinaCon 2008 Rootkits Then and Now
CarolinaCon 2008 Rootkits Then and Now
 

Kürzlich hochgeladen

08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking MenDelhi Call girls
 
Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Enterprise Knowledge
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Miguel Araújo
 
Presentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreterPresentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreternaman860154
 
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfThe Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfEnterprise Knowledge
 
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Igalia
 
A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024Results
 
How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonetsnaman860154
 
Handwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsHandwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsMaria Levchenko
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationSafe Software
 
Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processorsdebabhi2
 
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking MenDelhi Call girls
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)Gabriella Davis
 
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024The Digital Insurer
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024The Digital Insurer
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Drew Madelung
 
CNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of ServiceCNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of Servicegiselly40
 
🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘RTylerCroy
 
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptxHampshireHUG
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonAnna Loughnan Colquhoun
 

Kürzlich hochgeladen (20)

08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men
 
Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
 
Presentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreterPresentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreter
 
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfThe Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
 
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
 
A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024
 
How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonets
 
Handwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsHandwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed texts
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
 
Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processors
 
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)
 
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
 
CNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of ServiceCNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of Service
 
🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘
 
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt Robison
 

Lack of System Registers and two simple anti-forensic attacks - AVTokyo 2009

  • 1. Lack of System Registers and two simple anti-forensic attacks Tsukasa Ooi <li@livegrid.org> Lead Analyst, Livegrid Incorporated
  • 2. Related Topics • Live Memory Forensics • Anti-forensics • Rootkits
  • 3. What is “anti-forensics”? • The way to prevent forensics • Not only attackers! – Anti-forensics is also useful for bad guys to prevent OWN MACHINE to be forensically analyzed • But forget it. – I’m not talking about this…
  • 4. I will be Taking at: • PacSec 2009 Stealthy Rootkit – How bad guy fools live memory forensics?
  • 5. Live Memory Forensics/Imaging • Forensics based on memory of running machine • Done by Memory Acquisition Tools – EnCase – dd –…
  • 6. What Physical Memory Acquisition Tools Do? • Acquire contents of Physical Memory • Acquire System Registers (optional) Really, “optional”?
  • 7. What rootkits can do? • Can fake forensics software without acquiring contents of System Registers.
  • 8. Really? • Many software does! – EnCase – (RAW) dd – Memoryze – WinEN – FastDump – …
  • 9. Way to attack – part one (1) • Modify CR3 Registers (Pointer to Paging Structure)
  • 10. Way to attack – part one (2) CR3 that forensic software recognized Kernel Kernel Kernel (unmodified) (malicious) real CR3
  • 11. Way to attack – part one (3) • If System Registers are missing, forensic software finds signatures of system. • But these mechanism are very easy to fool.
  • 12. Way to attack – part one (4) • Keep system (physical) memory range unmodified • Create backup region • Copy part of kernel and patch backup • Change CR3 to rootkit’s one
  • 13. Way to attack – part one (5) CR3 that forensic software recognized Kernel Kernel Kernel (unmodified) (malicious) real CR3
  • 14. Way to attack – part one (6) • But this attack is a bit difficult because rootkit must manage its own page table. • There is one more way that is very easy!
  • 15. Way to attack – part two (1) IDTR/IA32_SYSENTER_EIP recognized Kernel Kernel Rootkit (unmodified) Code real IDTR/IA32_SYSENTER_EIP
  • 16. Way to attack – part two (2) • IDTR is a system register managing interrupts and exceptions – Including page faults • IA32_SYSENTER_EIP MSR / LSTAR_MSR is a pointer to system call entry – Can hook/modify system calls
  • 17. Way to attack – part two (3) • Way to implement: <Begin> Change these registers <End> Very easy right? • These are widely used by current rootkits but also useful for anti-forensics – If attacker hide rootkit somewhere in the memory, there are no general ways to detect these attacks!
  • 18. Way to prevent these attacks (1) • Acquire these system registers – CR3 – IDTR – IA32_SYSENTER_EIP MSR – LSTAR_MSR • (If rootkit use CR3/IDTR) Check physical and logical memory layout
  • 19. Way to prevent these attacks (2) • Interrupt Descriptor Table layout and Page Table layout are easy to detect • So… – Find these tables – Check if these tables are “malicious”
  • 20. Conclusion • Acquire system registers as possible • New approach for forensics is needed
  • 21. Have any questions? THANK YOU Tsukasa Ooi <li@livegrid.org> Livegrid Incorporated, Lead Analyst
  • 22. Technical Articles and Sources • … will be available December, 2009 • at http://a4lg.com/