using memory management to
play

Using Memory Management to Detect and Extract Illegitimate Code - PowerPoint PPT Presentation

Mar 10, 2024 •253 likes •718 views

Using Memory Management to Detect and Extract Illegitimate Code [21.9.2012 12:11:24] [ 24] to 0x77c15ed5 msvcrt._pi_by_2_to_61+0x12db [21.9.2012 12:11:24] [ 23] from 0x80541fc7 ntkrnlpa.Kei386EoiHelper+0xab for Malware Analysis

  1. Using Memory Management to Detect and Extract Illegitimate Code [21.9.2012 12:11:24] [ 24] to 0x77c15ed5 msvcrt._pi_by_2_to_61+0x12db [21.9.2012 12:11:24] [ 23] from 0x80541fc7 ntkrnlpa.Kei386EoiHelper+0xab for Malware Analysis [21.9.2012 12:11:24] [ 23] to 0x77c15ed5 msvcrt._pi_by_2_to_61+0x12db [21.9.2012 12:11:24] [ 22] from 0x77c15ed6 msvcrt._pi_by_2_to_61+0x12dc [21.9.2012 12:11:24] ROP-RET #################### ACSAC 28 | December 3-7, 2012 [21.9.2012 12:11:24] [ 22] to 0x77c29e29 msvcrt._aligned_offset_malloc+0x7a [21.9.2012 12:11:24] [ 21] from 0x77c29e2d msvcrt._aligned_offset_malloc+0x7e Carsten Willems 1 , Felix C. Freiling 2 , Thorsten Holz 1 [21.9.2012 12:11:24] ROP-RET #################### [21.9.2012 12:11:24] [ 21] to 0x77c22666 msvcrt.type_info::name+0x96 [21.9.2012 12:11:24] [ 20] from 0x80541fc7 ntkrnlpa.Kei386EoiHelper+0xab 1 Horst Görtz Institute for IT-Security, Chair for Systems Security 2 Friedrich-Alexander-Universität Erlangen-Nürnberg, Department Informatik [21.9.2012 12:11:24] [ 20] to 0x77c22666 msvcrt.type_info::name+0x96 [21.9.2012 12:11:24] [ 19] from 0x77c22667 msvcrt.type_info::name+0x97 [21.9.2012 12:11:24] ROP-RET #################### [21.9.2012 12:11:24] [ 19] to 0x77c3ed6e msvcrt._flsbuf+0x111 [21.9.2012 12:11:24] [ 18] from 0x77c3ed77 msvcrt._flsbuf+0x11a [21.9.2012 12:11:24] ROP-RET #################### [21.9.2012 12:11:24] [ 18] to 0x77c244c6 msvcrt.UnDecorator::getVCallThunkType+0x37 [21.9.2012 12:11:24] [ 17] from 0x80541fc7 ntkrnlpa.Kei386EoiHelper+0xab [21.9.2012 12:11:24] [ 17] to 0x77c244c6 msvcrt.UnDecorator::getVCallThunkType+0x37 [21.9.2012 12:11:24] [ 16] from 0x77c244c7 msvcrt.UnDecorator::getVCallThunkType+0x38 [21.9.2012 12:11:24] RET -------------------- [21.9.2012 12:11:24] [ 16] to 0x77c244c3 msvcrt.UnDecorator::getVCallThunkType+0x34 [21.9.2012 12:11:24] [ 15] from 0x77c244c7 msvcrt.UnDecorator::getVCallThunkType+0x38 [21.9.2012 12:11:24] ROP-RET ####################

  2. Motivation • Attackers use illegitimate code (ILC) when exploiting systems – e.g. shellcode in network packets, malicious documents, .. • NX+ASLR is a hurdle, but not a barrier – implementation flaws, information leakage, unrandomized modules, legacy systems , … • Insight into shellcode helps to protect systems • Amount of malware demands automation Using Memory Management to Detect and Extract Illegitimate Code for Malware Analysis | ACSAC 2012 | Orlando | December 3-7, 2012 2

  3. Overview of the Talk 1. Motivation 2. General Approach 3. Prototype Implementation 4. Evaluation 5. Discussion Using Memory Management to Detect and Extract Illegitimate Code for Malware Analysis | ACSAC 2012 | Orlando | December 3-7, 2012 3

  4. Approach General Idea • Build a generic tool that – hooks into a system – detects the execution of ILC – automatically dumps ILC for later analysis – continues operation until all ILC has been dumped • Not meant for protection , but only for analysis Analysis system with appropriate viewer application, e.g. Adobe Acrobat Reader, Microsoft Word , … Malicious data ILC that contains ILC dumpfiles Using Memory Management to Detect and Extract Illegitimate Code for Malware Analysis | ACSAC 2012 | Orlando | December 3-7, 2012 4

  5. Approach Implementation Idea • Partition memory into regions that contain – legitimate code (LC) – and (possibly) illegitimate code (ILC) • Instrument memory related system calls – force ILC memory to be always non-executable • Instrument page fault handler – attempt to execute NX memory  page-fault  ILC detected • How to decide which code is legitimate? Using Memory Management to Detect and Extract Illegitimate Code for Malware Analysis | ACSAC 2012 | Orlando | December 3-7, 2012 5

  6. Approach LC vs ILC memory Userspace Memory Using Memory Management to Detect and Extract Illegitimate Code for Malware Analysis | ACSAC 2012 | Orlando | December 3-7, 2012 6

  7. Approach LC vs ILC memory regions containing legitimate code … Userspace Memory Using Memory Management to Detect and Extract Illegitimate Code for Malware Analysis | ACSAC 2012 | Orlando | December 3-7, 2012 7

  8. Approach LC vs ILC memory regions containing legitimate code … allowed to reside in executable memory Userspace Memory Using Memory Management to Detect and Extract Illegitimate Code for Malware Analysis | ACSAC 2012 | Orlando | December 3-7, 2012 8

  9. Approach LC vs ILC memory regions regions containing that may contain legitimate illegitimate … code … code allowed to reside in executable memory Userspace Memory Using Memory Management to Detect and Extract Illegitimate Code for Malware Analysis | ACSAC 2012 | Orlando | December 3-7, 2012 9

  10. Approach LC vs ILC memory regions regions containing that may contain legitimate illegitimate … code … code forced to allowed to reside in reside in executable non-executable memory memory Userspace Memory Using Memory Management to Detect and Extract Illegitimate Code for Malware Analysis | ACSAC 2012 | Orlando | December 3-7, 2012 10

  11. Approach Memory Regions • Memory regions are either – Mapped files, e.g. • applications • shared libraries • data files – or dynamically allocated, e.g. • heaps • thread stacks • control blocks • JIT code Using Memory Management to Detect and Extract Illegitimate Code for Malware Analysis | ACSAC 2012 | Orlando | December 3-7, 2012 11

  12. How to decide if code is illegitimate Memory Mapped Files • Divide memory-mapped files into – Trusted files • belong to the OS or the analyzed benign application • results in LC memory – Untrusted files • unknown source • results in ILC memory • Use simple heuristic: trust only files that – already existed before the analysis – and have not been modified since then Using Memory Management to Detect and Extract Illegitimate Code for Malware Analysis | ACSAC 2012 | Orlando | December 3-7, 2012 12

  13. How to decide if code is illegitimate Dynamically Allocated Memory • Is dynamically allocated memory LC or ILC? – initial approach: only memory allocated by trusted files is LC • But: programmers make mistakes – only very few functions from all trusted files really need privileges to create executable memory • e.g. loader functions or JIT compiler – identify those functions and name them trusted callers – better approach: only memory allocated by a trusted caller is LC Using Memory Management to Detect and Extract Illegitimate Code for Malware Analysis | ACSAC 2012 | Orlando | December 3-7, 2012 13

  14. How to decide if code is illegitimate Dynamically Allocated Memory Example Userspace Memory Using Memory Management to Detect and Extract Illegitimate Code for Malware Analysis | ACSAC 2012 | Orlando | December 3-7, 2012 14

  15. How to decide if code is illegitimate Dynamically Allocated Memory Example trusted files  mapped into X memory Userspace Memory Using Memory Management to Detect and Extract Illegitimate Code for Malware Analysis | ACSAC 2012 | Orlando | December 3-7, 2012 15

  16. How to decide if code is illegitimate Dynamically Allocated Memory Example trusted callers in some trusted files Userspace Memory Using Memory Management to Detect and Extract Illegitimate Code for Malware Analysis | ACSAC 2012 | Orlando | December 3-7, 2012 16

  17. How to decide if code is illegitimate Dynamically Allocated Memory Example untrusted files  mapped into NX memory Userspace Memory Using Memory Management to Detect and Extract Illegitimate Code for Malware Analysis | ACSAC 2012 | Orlando | December 3-7, 2012 17

  18. How to decide if code is illegitimate Dynamically Allocated Memory Example Userspace Memory Using Memory Management to Detect and Extract Illegitimate Code for Malware Analysis | ACSAC 2012 | Orlando | December 3-7, 2012 18

  19. How to decide if code is illegitimate Dynamically Allocated Memory Example trusted caller tries to allocate X memory Userspace Memory Using Memory Management to Detect and Extract Illegitimate Code for Malware Analysis | ACSAC 2012 | Orlando | December 3-7, 2012 19

  20. How to decide if code is illegitimate Dynamically Allocated Memory Example trusted caller OK tries to allocate X memory Userspace Memory Using Memory Management to Detect and Extract Illegitimate Code for Malware Analysis | ACSAC 2012 | Orlando | December 3-7, 2012 20

  21. How to decide if code is illegitimate Dynamically Allocated Memory Example trusted caller OK tries to allocate X memory Userspace Memory Using Memory Management to Detect and Extract Illegitimate Code for Malware Analysis | ACSAC 2012 | Orlando | December 3-7, 2012 21

  22. How to decide if code is illegitimate Dynamically Allocated Memory Example Userspace Memory Using Memory Management to Detect and Extract Illegitimate Code for Malware Analysis | ACSAC 2012 | Orlando | December 3-7, 2012 22

  23. How to decide if code is illegitimate Dynamically Allocated Memory Example untrusted file tries to allocate X memory Userspace Memory Using Memory Management to Detect and Extract Illegitimate Code for Malware Analysis | ACSAC 2012 | Orlando | December 3-7, 2012 23

Recommend

Memory Management Memory Management 5A. Memory Management and Address Spaces 1. allocate/assign

Memory Management Memory Management 5A. Memory Management and Address Spaces 1. allocate/assign

4/14/2018 Memory Management Memory Management 5A. Memory Management and Address Spaces 1. allocate/assign physical memory to processes 5B. Memory Allocation explicit requests: malloc (sbrk) implicit: program loading, stack extension

555 views • 9 slides
Memory Management Memory Management 5A. Memory Management and Address Spaces 1. allocate/assign

Memory Management Memory Management 5A. Memory Management and Address Spaces 1. allocate/assign

4/12/2017 Memory Management Memory Management 5A. Memory Management and Address Spaces 1. allocate/assign physical memory to processes 5B. Simple Memory Allocation explicit requests: malloc (sbrk) implicit: program loading, stack

205 views • 8 slides
Lecture 5: Memory Management 1 / 54 Memory Management Administrivia Assignment 1 is due on

Lecture 5: Memory Management 1 / 54 Memory Management Administrivia Assignment 1 is due on

Memory Management Lecture 5: Memory Management 1 / 54 Memory Management Administrivia Assignment 1 is due on September 7th @ 11:59pm 2 / 54 Memory Management Poll https: // www.strawpoll.me / 20863490 3 / 54 Memory Management Recap

952 views • 54 slides
28.05.04 09:50 Memory Management The computer memory is a limited resource so the Memory

28.05.04 09:50 Memory Management The computer memory is a limited resource so the Memory

28.05.04 09:50 Memory Management The computer memory is a limited resource so the Memory Management memory use of programs has to be managed in some way. Memory Management The memory management is usually performed by a runtime system

782 views • 13 slides
Memory Management Memory Management Memory a linear array of bits, bytes, words, pages ... -

Memory Management Memory Management Memory a linear array of bits, bytes, words, pages ... -

CS510 Operating System Foundations Jonathan Walpole Memory Management Memory Management Memory a linear array of bits, bytes, words, pages ... - Each byte is named by a unique memory address - Holds instructions and data for OS and user

761 views • 56 slides
Kernel level memory management 1. The very base on boot vs memory management 2. Memory Nodes

Kernel level memory management 1. The very base on boot vs memory management 2. Memory Nodes

Advanced Operating Systems MS degree in Computer Engineering University of Rome Tor Vergata Lecturer: Francesco Quaglia Kernel level memory management 1. The very base on boot vs memory management 2. Memory Nodes (UMA vs NUMA) 3. x86

1.17k views • 115 slides
Kernel level memory management 1. The very base on boot vs memory management 2. Memory Nodes

Kernel level memory management 1. The very base on boot vs memory management 2. Memory Nodes

Advanced Operating Systems MS degree in Computer Engineering University of Rome Tor Vergata Lecturer: Francesco Quaglia Kernel level memory management 1. The very base on boot vs memory management 2. Memory Nodes (UMA vs NUMA) 3. x86

1.18k views • 114 slides
Kernel level memory management 1. The very base on boot vs memory management 2. Memory Nodes

Kernel level memory management 1. The very base on boot vs memory management 2. Memory Nodes

Advanced Operating Systems MS degree in Computer Engineering University of Rome Tor Vergata Lecturer: Francesco Quaglia Kernel level memory management 1. The very base on boot vs memory management 2. Memory Nodes (UMA vs NUMA) 3. x86

1.42k views • 117 slides
CS333 Intro to Operating Systems Jonathan Walpole Memory Management Memory Management Memory

CS333 Intro to Operating Systems Jonathan Walpole Memory Management Memory Management Memory

CS333 Intro to Operating Systems Jonathan Walpole Memory Management Memory Management Memory a linear array of bytes - Holds O.S. and programs (processes) - Each cell (byte) is named by a unique memory address Recall, processes are

576 views • 55 slides
Memory Management Outline Processes (done) Memory Management Basic (done)

Memory Management Outline Processes (done) Memory Management Basic (done)

Memory Management Outline Processes (done) Memory Management Basic (done) Paging (done) Operating Systems Virtual memory Virtual Memory (Chapter 9) Motivation Demand Paging Logical address space larger

347 views • 9 slides
Chapter 4: Memory Management Part 1: Mechanisms for Managing Memory Memory management n Basic

Chapter 4: Memory Management Part 1: Mechanisms for Managing Memory Memory management n Basic

Chapter 4: Memory Management Part 1: Mechanisms for Managing Memory Memory management n Basic memory management n Swapping n Virtual memory n Page replacement algorithms n Modeling page replacement algorithms n Design issues for paging systems n

817 views • 35 slides
Memory Management Ideally programmers want memory that is large fast non

Memory Management Ideally programmers want memory that is large fast non

Memory Management Virtual Memory Background; key issues Memory allocation schemes Virtual memory Memory management design and implementation issues 1 Memory Management Ideally programmers want memory that is large fast non

410 views • 30 slides
Memory Management 1 Overview Basic memory management Address Spaces Virtual

Memory Management 1 Overview Basic memory management Address Spaces Virtual

Memory Management 1 Overview Basic memory management Address Spaces Virtual memory Page replacement algorithms Design issues for paging systems Implementation issues Segmentation 2 1 Memory Management

530 views • 39 slides
Dynamic Memory Management 333 Dynamic Memory Management Process Memory Layout Process Memory

Dynamic Memory Management 333 Dynamic Memory Management Process Memory Layout Process Memory

Dynamic Memory Management Dynamic Memory Management 333 Dynamic Memory Management Process Memory Layout Process Memory Layout (1) Each Linux process runs within its own virtual address space tables and the MMU (if available) security due to

1.25k views • 68 slides
Memory Management 5A. Memory Management and Address Spaces 5B. Allocation Algorithms Operating

Memory Management 5A. Memory Management and Address Spaces 5B. Allocation Algorithms Operating

4/10/2016 Memory Management 5A. Memory Management and Address Spaces 5B. Allocation Algorithms Operating Systems Principles 5C. Advanced Allocation Techniques Memory Management 5D. Segment Relocation 5E. Garbage Collection Mark Kampe

711 views • 9 slides
Chapter 4: Memory Management Part 1: Mechanisms for Managing Memory Memory management Basic

Chapter 4: Memory Management Part 1: Mechanisms for Managing Memory Memory management Basic

Chapter 4: Memory Management Part 1: Mechanisms for Managing Memory Memory management Basic memory management Swapping Virtual memory Page replacement algorithms Modeling page replacement algorithms Design issues for paging

950 views • 69 slides
Memory Management Chapter 7 1 Memory Management Subdividing memory to accommodate multiple

Memory Management Chapter 7 1 Memory Management Subdividing memory to accommodate multiple

Memory Management Chapter 7 1 Memory Management Subdividing memory to accommodate multiple processes Memory needs to be allocated (and de- allocated) to ensure a reasonable supply of ready processes to consume available processor

406 views • 24 slides
Garbage collection Strategies for automatic memory management Memory management Explicit

Garbage collection Strategies for automatic memory management Memory management Explicit

Garbage collection Strategies for automatic memory management Memory management Explicit memory management: i.e., malloc(..) and free(..) are both explicit. A dangerous source of bugs (dangling pointers, leaks). Performance still

364 views • 18 slides
Memory Management 54 Memory Management Programs expand to fill the memory that holds them.

Memory Management 54 Memory Management Programs expand to fill the memory that holds them.

Memory Management 54 Memory Management Programs expand to fill the memory that holds them. Preparing a program for execution Development of programs Source program Compilation/Assembly Object program Linking / Linkage

575 views • 21 slides
Memory Management Outline Processes (done) Memory Management Basic (done)

Memory Management Outline Processes (done) Memory Management Basic (done)

Memory Management Outline Processes (done) Memory Management Basic (done) Paging (done) Operating Systems Virtual memory Virtual Memory (Chapter 4.3) Motivation Paging Implementation Validation

362 views • 8 slides
Memory management programs use a lot of memory over their lifetime, but not all of it at the same

Memory management programs use a lot of memory over their lifetime, but not all of it at the same

Memory management The memory of a computer is a finite resource. Typical Memory management programs use a lot of memory over their lifetime, but not all of it at the same time. The aim of memory management is to use that finite resource as

473 views • 15 slides
Memory Management Memory Manager Requirements Minimize primary memory access time

Memory Management Memory Manager Requirements Minimize primary memory access time

Memory Management Memory Manager Requirements Minimize primary memory access time Maximize primary memory size Primary memory must be cost-effective Todays memory manager: Allocates primary memory to processes Maps

637 views • 27 slides
Last class: Memory Management Today: Paging Memory Management Basics Allocation

Last class: Memory Management Today: Paging Memory Management Basics Allocation

Last class: Memory Management Today: Paging Memory Management Basics Allocation Previously Allocate arbitrary-sized chunks (e.g., in old days, a process; now the heap) Challenges Fragmentation and performance

360 views • 31 slides
Last Class: Memory Management Allocating memory to processes Limited physical memory,

Last Class: Memory Management Allocating memory to processes Limited physical memory,

Last Class: Memory Management Allocating memory to processes Limited physical memory, internal and external fragmentation Paging and segmentation Address translation, efficiency Hardware support (e.g., TLB) Page

513 views • 13 slides

More recommend