Upload
chepimanca
View
217
Download
0
Embed Size (px)
Citation preview
8/9/2019 2008 Hack.lu Aumaitre
1/46
Memory basicsHow to access physical memory
RWX
A little journey inside Windows memory
Damien AUMAITREdamien(at)security-labs.org
damien.aumaitre(at)sogeti.com
D.Aumaitre - SOGETI/ESEC A little journey inside Windows memory 1 / 32
http://find/http://goback/8/9/2019 2008 Hack.lu Aumaitre
2/46
Memory basicsHow to access physical memory
RWX
Segmentation / paginationVirtual memory reconstruction
Agenda
1 Memory basics
2 How to access physical memory
3 RWX
D.Aumaitre - SOGETI/ESEC A little journey inside Windows memory 2 / 32
http://find/http://goback/8/9/2019 2008 Hack.lu Aumaitre
3/46
Memory basicsHow to access physical memory
RWX
Segmentation / paginationVirtual memory reconstruction
Agenda
1 Memory basicsSegmentation / pagination
Virtual memory reconstruction
2 How to access physical memory
3 RWX
D.Aumaitre - SOGETI/ESEC A little journey inside Windows memory 3 / 32
http://find/http://goback/8/9/2019 2008 Hack.lu Aumaitre
4/46
Memory basicsHow to access physical memory
RWX
Segmentation / paginationVirtual memory reconstruction
Virtual address?
Process A Process B
Kernel space
Physical memory
User space
Kernel space
0x00000000
0x7fffffff
0x80000000
0xffffffff
User space
D.Aumaitre - SOGETI/ESEC A little journey inside Windows memory 4 / 32
M b i
http://find/http://goback/8/9/2019 2008 Hack.lu Aumaitre
5/46
Memory basicsHow to access physical memory
RWX
Segmentation / paginationVirtual memory reconstruction
Virtual address?
Directory Entry
cr3
Page-Table Entry
Physical Address
Directory Table Offset
10 bits 10 bits 12 bits
Linear Address
Page Directory
Page Table
4-KB Page
1024 pointers
1024 pointers
D.Aumaitre - SOGETI/ESEC A little journey inside Windows memory 4 / 32
http://find/http://goback/8/9/2019 2008 Hack.lu Aumaitre
6/46
Memory basics
8/9/2019 2008 Hack.lu Aumaitre
7/46
Memory basicsHow to access physical memory
RWX
Segmentation / paginationVirtual memory reconstruction
Why use physical memory?
Pros
Only interpret data, so independent of OS API.
Short-circuit security measures implemented by the processor
or the kernel.Many ways to access physical memory.
Cons
Need to reconstruct the virtual space since the OS and theprocessor manipulate virtual addresses.
Need to understand OS specific structures in order to emulateOS API.
D.Aumaitre - SOGETI/ESEC A little journey inside Windows memory 6 / 32
Memory basics
http://find/http://goback/8/9/2019 2008 Hack.lu Aumaitre
8/46
Memory basicsHow to access physical memory
RWX
Segmentation / paginationVirtual memory reconstruction
cr3 ?
Indispensable for address translation.
Allows you to fully obtain the process virtual space.
Stored in KPROCESS structure (field DirectoryTableBase).
t y p e d e f s t r u c t KPROCESS // 2 9 e l e m e n t s , 0x6C b y t e s ( s i z e o f ){/0 x000/ s t r u c t DISPATCHER HEADER Head er ; // 6 e l e m e n t s , 0 x 10 b y t e s ( s i z e o f )/0 x010/ s t r u c t LIST ENTRY P r o f i l e L i s t H e a d ; // 2 e l e m e n t s , 0 x8 b y t es ( s i z e o f )/0 x018/ ULONG32 D i r ec t o ry T ab l e Ba s e [ 2 ] ; //
8/9/2019 2008 Hack.lu Aumaitre
9/46
Memory basicsHow to access physical memory
RWX
Segmentation / paginationVirtual memory reconstruction
How can we find a KPROCESS structure?
Each KPROCESS begins with a DISPATCHER HEADER structure.ty pe de f s tr u ct DISPATCHER HEADER // 6 elem en t s , 0 x 10 b y t e s ( s i z e o f ){/0 x000/ UINT8 Type ; //
8/9/2019 2008 Hack.lu Aumaitre
10/46
Memory basicsHow to access physical memory
RWX
Segmentation / paginationVirtual memory reconstruction
How can we find a KPROCESS structure?
Method proposed by Andreas Schuster
PrincipleScan physical memory in order to localize aDISPATCHER HEADER structure.
Validate candidate by checking consistency of the structure.
D.Aumaitre - SOGETI/ESEC A little journey inside Windows memory 9 / 32
Memory basicsS t ti / i ti
http://find/http://goback/8/9/2019 2008 Hack.lu Aumaitre
11/46
o y s csHow to access physical memory
RWX
Segmentation / paginationVirtual memory reconstruction
Processes list
Processes are represented by EPROCESS structures.Which begin with a KPROCESS structure.
And belong to a doubly-linked list located in kernelspace.
D.Aumaitre - SOGETI/ESEC A little journey inside Windows memory 10 / 32
Memory basicsSegmentation / pagination
http://find/http://goback/8/9/2019 2008 Hack.lu Aumaitre
12/46
yHow to access physical memory
RWX
Segmentation / paginationVirtual memory reconstruction
Virtual spaces reconstruction
struct _EPROCESS @ 0x80eed020
+0x000 Pcb : struct _KPROCESS
[...]
+0x088 ActiveProcessLinks : struct _LIST_ENTRY
[...] struct _KPROCESS @ 0x80eed020
+0x000 Header : struct _DISPATCHER_HEADER
[...]
+0x018 DirectoryTableBase : [2] Uint4B
[...]struct _EPROCESS @ 0xffbb8550
+0x000 Pcb : struct _KPROCESS
[...]
+0x088 ActiveProcessLinks : struct _LIST_ENTRY
[...]
struct _EPROCESS @ 0x80dc8c90
+0x000 Pcb : struct _KPROCESS
[...]
+0x088 ActiveProcessLinks : struct _LIST_ENTRY
[...]
cr3 value
Kernel space
D.Aumaitre - SOGETI/ESEC A little journey inside Windows memory 11 / 32
Memory basicsSegmentation / pagination
http://find/http://goback/8/9/2019 2008 Hack.lu Aumaitre
13/46
How to access physical memoryRWX
Segmentation / paginationVirtual memory reconstruction
Conclusion
ResultsVirtual space translation of all processes.
Equivalence between physical memory and virtual memory.
D.Aumaitre - SOGETI/ESEC A little journey inside Windows memory 12 / 32
Memory basicsSeveral ways
http://find/http://goback/8/9/2019 2008 Hack.lu Aumaitre
14/46
How to access physical memoryRWX
Several waysZoom on FireWire
Agenda
1 Memory basics
2 How to access physical memory
3 RWX
D.Aumaitre - SOGETI/ESEC A little journey inside Windows memory 13 / 32
Memory basicsH h i l
Several ways
http://find/http://goback/8/9/2019 2008 Hack.lu Aumaitre
15/46
How to access physical memoryRWX
Several waysZoom on FireWire
Agenda
1 Memory basics
2 How to access physical memorySeveral waysZoom on FireWire
3 RWX
D.Aumaitre - SOGETI/ESEC A little journey inside Windows memory 14 / 32
Memory basicsH t h i l
Several ways
http://find/http://goback/8/9/2019 2008 Hack.lu Aumaitre
16/46
How to access physical memoryRWX
S yZoom on FireWire
How to access physical memory?
Several ways:
DMA (FireWire, PCMCIA, ExpressCard, PCI, etc.)
VMWare
Hibernation files with Sandman
Coldboot attacks
Memory dumps with forensics tools, etc.
D.Aumaitre - SOGETI/ESEC A little journey inside Windows memory 15 / 32
Memory basicsHow to access physical memory
Several ways
http://find/http://goback/8/9/2019 2008 Hack.lu Aumaitre
17/46
How to access physical memoryRWX
yZoom on FireWire
Agenda
1 Memory basics
2 How to access physical memorySeveral waysZoom on FireWire
3 RWX
D.Aumaitre - SOGETI/ESEC A little journey inside Windows memory 16 / 32
Memory basicsHow to access physical memory
Several ways
http://find/http://goback/8/9/2019 2008 Hack.lu Aumaitre
18/46
How to access physical memoryRWX
Zoom on FireWire
Zoom on FireWire
FireWire ?
Developed by Apple in the 80s and standardized by IEEE in1995.
Allow access to physical memory by using DMA (DirectMemory Access).
D.Aumaitre - SOGETI/ESEC A little journey inside Windows memory 17 / 32
Memory basicsHow to access physical memory
Several ways
http://find/http://goback/8/9/2019 2008 Hack.lu Aumaitre
19/46
How to access physical memoryRWX
Zoom on FireWire
Zoom on FireWire
Memory access
Memory access is configurated by 2 registers of the FireWirecontroller
Disabled by default on Windows.
Except for peripherals that need it.
For example mass-storage peripherals, like an iPod
D.Aumaitre - SOGETI/ESEC A little journey inside Windows memory 17 / 32
Memory basicsHow to access physical memory
Several waysZ Fi Wi
http://find/http://goback/8/9/2019 2008 Hack.lu Aumaitre
20/46
How to access physical memoryRWX
Zoom on FireWire
iPod transformation
OHCI 1394 specification
Each FireWire node has an identity card
Which can be modified. . .
libraw1394 library
Userland library to manipulate FireWire bus.
With the raw1394 update config rom function, we can alterour node identity.
D.Aumaitre - SOGETI/ESEC A little journey inside Windows memory 18 / 32
Memory basicsHow to access physical memory
Several waysZ Fi Wi
http://find/http://goback/8/9/2019 2008 Hack.lu Aumaitre
21/46
p y yRWX
Zoom on FireWire
iPod transformation
Method
Dump the ROM of a connected iPod
Replace the laptop FireWire ROM with the iPod one
D.Aumaitre - SOGETI/ESEC A little journey inside Windows memory 18 / 32
Memory basicsHow to access physical memory
Several waysZoom on FireWire
http://find/http://goback/8/9/2019 2008 Hack.lu Aumaitre
22/46
p y yRWX
Zoom on FireWire
iPod transformation
Before
Laptop running Linux.
00000000 04 04 0d ef 31 33 39 34 e0 64 a2 32 42 4f c0 00 |....1394.d.2BO..|
00000010 3c c4 44 50 00 03 03 5d 03 42 4f c0 81 00 00 02 |
8/9/2019 2008 Hack.lu Aumaitre
23/46
RWXZoom on FireWire
iPod transformation
After
An iPod :)
00000000 04 04 72 86 31 33 39 34 00 ff a0 12 00 0a 27 00 |..r.1394.......|00000010 02 aa 6b a7 00 04 f9 3c 0c 00 83 c0 03 00 0a 27 |..k.....L.|
00000040 38 00 60 9e 39 01 04 d8 3b 00 00 00 3c 0a 27 00 |8..9.......
8/9/2019 2008 Hack.lu Aumaitre
24/46
RWXZoom on FireWire
iPod transformation
Conclusion
Since Windows believes an iPod is connected, it authorizes physicalmemory read/write access.
For more details
Adam Boileaus website : http://storm.net.nz/projects/16
D.Aumaitre - SOGETI/ESEC A little journey inside Windows memory 18 / 32
Memory basicsHow to access physical memory
RWX
Read: gather informationWrite: everything is authorized
X W l P di
http://storm.net.nz/projects/16http://storm.net.nz/projects/16http://find/http://goback/8/9/2019 2008 Hack.lu Aumaitre
25/46
RWX eXecute: Welcome to Paradise
Agenda
1 Memory basics
2 How to access physical memory
3 RWX
D.Aumaitre - SOGETI/ESEC A little journey inside Windows memory 19 / 32
Memory basicsHow to access physical memory
RWX
Read: gather informationWrite: everything is authorized
X t W l t P di
http://find/http://goback/8/9/2019 2008 Hack.lu Aumaitre
26/46
RWX eXecute: Welcome to Paradise
Agenda
1 Memory basics
2 How to access physical memory
3 RWXRead: gather informationWrite: everything is authorized
eXecute: Welcome to Paradise
D.Aumaitre - SOGETI/ESEC A little journey inside Windows memory 20 / 32
Memory basicsHow to access physical memory
RWX
Read: gather informationWrite: everything is authorizedeXecute: Welcome to Paradise
http://find/http://goback/8/9/2019 2008 Hack.lu Aumaitre
27/46
RWX eXecute: Welcome to Paradise
Process Explorer 101
Context
Read-only access
PurposeGather and show information relative to each process.
What is needed?
Processes and threads lists.Opened handles, loaded libraries.
D.Aumaitre - SOGETI/ESEC A little journey inside Windows memory 21 / 32
Memory basicsHow to access physical memory
RWX
Read: gather informationWrite: everything is authorizedeXecute: Welcome to Paradise
http://find/http://goback/8/9/2019 2008 Hack.lu Aumaitre
28/46
RWX eXecute: Welcome to Paradise
Process Explorer 101
struct _EPROCESS
+0x000 Pcb : struct _KPROCESS
[...]
+0x0c4 ObjectTable : Ptr32 to struct _HANDLE_TABLE
[...]
+0x190 ThreadListHead : struct _LIST_ENTRY
[...]
+0x1b0 Peb : Ptr32 to struct _PEB
[...]
struct _HANDLE_TABLE
+0x000 TableCode : Ptr32 to void
[...]
struct _HANDLE_TABLE_ENTRY
struct _HANDLE_TABLE_ENTRY
struct _HANDLE_TABLE_ENTRY
struct _HANDLE_TABLE_ENTRY
struct _ETHREAD
[...]
+0x22C ThreadListEntry : struct _LIST_ENTRY
[...]
struct _ETHREAD
[...]
+0x22C ThreadListEntry : struct _LIST_ENTRY
[...]
struct _ETHREAD
[...]
+0x22C ThreadListEntry : struct _LIST_ENTRY
[...]
struct _PEB
[...]+0x00c Ldr : Ptr32 to _PEB_LDR_DATA
[...]
struct _PEB_LDR_DATA
[...]
+0x00c InLoadOrderModuleList : struct _LIST_ENTRY
[...]
struct _LDR_DATA_TABLE_ENTRY
+0x000 InLoadOrderModuleList : struct _LIST_ENTRY[...]
struct _LDR_DATA_TABLE_ENTRY
+0x000 InLoadOrderModuleList : struct _LIST_ENTRY
[...]
Dlls
Threads
Handles
D.Aumaitre - SOGETI/ESEC A little journey inside Windows memory 21 / 32
Memory basicsHow to access physical memory
RWX
Read: gather informationWrite: everything is authorizedeXecute: Welcome to Paradise
http://find/http://goback/8/9/2019 2008 Hack.lu Aumaitre
29/46
RWX eXecute: Welcome to Paradise
Process Explorer 101
DEMO
D.Aumaitre - SOGETI/ESEC A little journey inside Windows memory 21 / 32
Memory basicsHow to access physical memory
RWX
Read: gather informationWrite: everything is authorizedeXecute: Welcome to Paradise
http://find/http://goback/8/9/2019 2008 Hack.lu Aumaitre
30/46
RWX eXecute: Welcome to Paradise
Regedit 101
Context
Same as Process Explorer 101.
Purpose
Clone regedit.
What is needed?
Hives and registry keys.
D.Aumaitre - SOGETI/ESEC A little journey inside Windows memory 22 / 32
Memory basicsHow to access physical memory
RWX
Read: gather informationWrite: everything is authorizedeXecute: Welcome to Paradise
http://find/http://goback/8/9/2019 2008 Hack.lu Aumaitre
31/46
Regedit 101
struct _CM_KEY_BODY[...]
+0x004 KeyControlBlock : Ptr32 to struct _CM_KEY_CONTROL_BLOCK
[...]
struct _CM_KEY_CONTROL_BLOCK
[...]
+0x010 KeyHive : Ptr32 to struct _HHIVE
+0x014 KeyCell : Uint4B
[...]
struct _HHIVE
[...]
+0x058 Storage : [2] struct _DUAL
[...]
struct _DUAL
[...]
+0x004 Map : Ptr32 to struct _HMAP_DIRECTORY
[...]
Ptr32 to struct
_HMAP_TABLEstruct _HMAP_ENTRY
Directory Table Offset
10 bits
Cell Index
struct _HMAP_DIRECTORY struct _HMAP_TABLE
1024 pointers 512 struct _HMAP_ENTRY
1 bit 9 bits 12 bits
struct _HMAP_ENTRY
+0x000 BlockAddress : Uint4B
[...]
struct _CELL_DATA
D.Aumaitre - SOGETI/ESEC A little journey inside Windows memory 22 / 32
Memory basicsHow to access physical memory
RWX
Read: gather informationWrite: everything is authorizedeXecute: Welcome to Paradise
http://find/http://goback/8/9/2019 2008 Hack.lu Aumaitre
32/46
Regedit 101
DEMO
D.Aumaitre - SOGETI/ESEC A little journey inside Windows memory 22 / 32
Memory basicsHow to access physical memory
RWX
Read: gather informationWrite: everything is authorizedeXecute: Welcome to Paradise
http://find/http://goback/8/9/2019 2008 Hack.lu Aumaitre
33/46
Agenda
1 Memory basics
2 How to access physical memory
3 RWXRead: gather informationWrite: everything is authorized
eXecute: Welcome to Paradise
D.Aumaitre - SOGETI/ESEC A little journey inside Windows memory 23 / 32
Memory basicsHow to access physical memory
RWX
Read: gather informationWrite: everything is authorizedeXecute: Welcome to Paradise
http://find/http://goback/8/9/2019 2008 Hack.lu Aumaitre
34/46
Login without password?
Context
Read/write access
Several ways:
Adam Boileaus winlockpwn or...
2-bytes patch in registry :)
D.Aumaitre - SOGETI/ESEC A little journey inside Windows memory 24 / 32
Memory basicsHow to access physical memoryRWX
Read: gather informationWrite: everything is authorizedeXecute: Welcome to Paradise
http://find/http://goback/8/9/2019 2008 Hack.lu Aumaitre
35/46
Login without password?
DEMO
D.Aumaitre - SOGETI/ESEC A little journey inside Windows memory 24 / 32
Memory basicsHow to access physical memoryRWX
Read: gather informationWrite: everything is authorizedeXecute: Welcome to Paradise
http://find/http://goback/8/9/2019 2008 Hack.lu Aumaitre
36/46
Privilege escalation
Each process owns a security token.
Security token belongs to kernel memory.
But we can access kernel memory :)
D.Aumaitre - SOGETI/ESEC A little journey inside Windows memory 25 / 32
Memory basicsHow to access physical memoryRWX
Read: gather informationWrite: everything is authorizedeXecute: Welcome to Paradise
http://find/http://goback/8/9/2019 2008 Hack.lu Aumaitre
37/46
Privilege escalation
DEMO
D.Aumaitre - SOGETI/ESEC A little journey inside Windows memory 25 / 32
Memory basicsHow to access physical memoryRWX
Read: gather informationWrite: everything is authorizedeXecute: Welcome to Paradise
http://find/http://goback/8/9/2019 2008 Hack.lu Aumaitre
38/46
Agenda
1 Memory basics
2 How to access physical memory
3 RWXRead: gather informationWrite: everything is authorized
eXecute: Welcome to Paradise
D.Aumaitre - SOGETI/ESEC A little journey inside Windows memory 26 / 32
Memory basicsHow to access physical memoryRWX
Read: gather informationWrite: everything is authorizedeXecute: Welcome to Paradise
http://find/http://goback/8/9/2019 2008 Hack.lu Aumaitre
39/46
Arbitrary code execution
Context
Read/write access
But no execute access. . .
A solution
Functions pointers hooking
D.Aumaitre - SOGETI/ESEC A little journey inside Windows memory 27 / 32
Memory basicsHow to access physical memoryRWX
Read: gather informationWrite: everything is authorizedeXecute: Welcome to Paradise
http://find/http://goback/8/9/2019 2008 Hack.lu Aumaitre
40/46
Arbitrary code execution
Which pointers?
KUSER SHARED DATA structure
SystemCall field
Called before each system call
Where to store the payload?
The KUSER SHARED DATA structure occupies only 334 bytes
on a 4K-page...
D.Aumaitre - SOGETI/ESEC A little journey inside Windows memory 27 / 32
Memory basicsHow to access physical memoryRWX
Read: gather informationWrite: everything is authorizedeXecute: Welcome to Paradise
http://find/http://goback/8/9/2019 2008 Hack.lu Aumaitre
41/46
Arbitrary code execution
DEMO
D.Aumaitre - SOGETI/ESEC A little journey inside Windows memory 27 / 32
Memory basicsHow to access physical memoryRWX
Read: gather informationWrite: everything is authorizedeXecute: Welcome to Paradise
http://find/http://goback/8/9/2019 2008 Hack.lu Aumaitre
42/46
Arbitrary code execution
How it works ?
Each process belongs to a desktop.
Only one desktop can interact with a user.
For an interactive user, 3 desktops Default, Disconnect etWinlogon
With CreateProcess, we can specify the desktop
We can spawn a cmd in Winlogon desktop.
Thus we have a pre-authentication SYSTEM shell :)
D.Aumaitre - SOGETI/ESEC A little journey inside Windows memory 28 / 32
Memory basicsHow to access physical memoryRWX
Read: gather informationWrite: everything is authorizedeXecute: Welcome to Paradise
Wh f DEP bl d?
http://find/http://goback/8/9/2019 2008 Hack.lu Aumaitre
43/46
What if DEP is enabled?
KUSER SHARED DATA is not executable.
Per process DEP control with KEXECUTE OPTIONS.
Stored inside the KPROCESS structure.
ty pe de f s t r u c t KEXECUTE OPTIONS // 7 e l e m e n t s , 0 x1 b y t es ( s i z e o f ){/0 x000/ UINT8 E x e c u t e D i s a b l e : 1 ; // 0 B i t P o s i t i o n/0 x000/ UINT8 E x e c u t e E n a b l e : 1 ; // 1 B i t P o s i t i o n/0 x000/ UINT8 D i s a b l eT h u n k E m u l at io n : 1 ; // 2 B i t P o s i t i o n/0 x000/ UINT8 Permanent : 1 ; // 3 B i t P o s i t i o n/0 x000/ UINT8 E xe cu t eD i sp at ch En a bl e : 1 ; // 4 B i t P o s i t i o n/0 x000/ UINT8 I m a g eDi sp a t c h E n a bl e : 1 ; // 5 B i t P o s i t i o n/0 x000/ UINT8 Spa re : 2 ; // 6 B i t P o s i t i o n}KEXECUTE OPTIONS , PKEXECUTE OPTIONS ;
D.Aumaitre - SOGETI/ESEC A little journey inside Windows memory 29 / 32
Memory basicsHow to access physical memoryRWX
Read: gather informationWrite: everything is authorizedeXecute: Welcome to Paradise
C l i
http://find/http://goback/8/9/2019 2008 Hack.lu Aumaitre
44/46
Conclusion
iPod 101
Physical access = root
We can reconstruct a high-level view of the operating systemwith only physical memory.
Many applications: forensics, debug, intrusion.
D.Aumaitre - SOGETI/ESEC A little journey inside Windows memory 30 / 32
Memory basicsHow to access physical memoryRWX
Read: gather informationWrite: everything is authorizedeXecute: Welcome to Paradise
Q i ?
http://find/http://goback/8/9/2019 2008 Hack.lu Aumaitre
45/46
Questions ?
Thanks for your attentionQuestions ?
D.Aumaitre - SOGETI/ESEC A little journey inside Windows memory 31 / 32
Memory basicsHow to access physical memoryRWX
Read: gather informationWrite: everything is authorizedeXecute: Welcome to Paradise
Bibli h
http://find/http://goback/8/9/2019 2008 Hack.lu Aumaitre
46/46
Bibliography
Adam Boileau: http://storm.net.nz/projects/16
Andreas Schuster:http://computer.forensikblog.de/en/
Sandman: http://sandman.msuiche.net/
Coldboot attacks: http://citp.princeton.edu/memory/
D.Aumaitre - SOGETI/ESEC A little journey inside Windows memory 32 / 32
http://storm.net.nz/projects/16http://computer.forensikblog.de/en/http://sandman.msuiche.net/http://citp.princeton.edu/memory/http://citp.princeton.edu/memory/http://sandman.msuiche.net/http://computer.forensikblog.de/en/http://storm.net.nz/projects/16http://find/http://goback/