2008 Hack - Lu Aumaitre

Memory basics
How to access physical memory

RWX
A little journey inside Windows memory
Damien AUMAITRE
damien(at)security-labs.org
damien.aumaitre(at)sogeti.com
D.Aumaitre - SOGETI/ESEC A little journey inside Windows memory 1 / 32

Memory basics
Segmentation / pagination
Virtual memory reconstruction
RWX
Agenda
1 Memory basics
2 How to access physical memory
3 RWX

Memory basics
RWX
Agenda
1 Memory basics
3 RWX

Memory basics
RWX
Virtual address?
Process A Process B
Physical memory
0x00000000
User space User space
0x7fffffff
0x80000000
Kernel space Kernel space
0xffffffff

Memory basics
RWX
Virtual address?
Linear Address
10 bits 10 bits 12 bits
Directory Table Offset
4-KB Page
Page Table
Physical Address
Page Directory
Page-Table Entry
Directory Entry
1024 pointers
cr3 1024 pointers

Memory basics
RWX
Agenda
1 Memory basics
3 RWX

Memory basics
RWX
Why use physical memory?
Pros
Only interpret data, so independent of OS API.
Short-circuit security measures implemented by the processor
or the kernel.
Many ways to access physical memory.
Cons
Need to reconstruct the virtual space since the OS and the
processor manipulate virtual addresses.
Need to understand OS specific structures in order to emulate
OS API.

Memory basics
RWX
cr3 ?
Indispensable for address translation.

Allows you to fully obtain the process virtual space.
Stored in KPROCESS structure (field DirectoryTableBase).
t y p e d e f s t r u c t KPROCESS // 29 e l e m e n t s , 0x6C b y t e s ( s i z e o f )
{
/∗0 x000 ∗/ s t r u c t DISPATCHER HEADER Header ; // 6 e l e m e n t s , 0 x10 b y t e s ( s i z e o f )
/∗0 x010 ∗/ s t r u c t LIST ENTRY P r o f i l e L i s t H e a d ; // 2 e l e m e n t s , 0 x8 b y t e s ( s i z e o f )
/∗0 x018 ∗/ ULONG32 DirectoryTableBase [ 2 ] ; // <−−− t h e CR3
[...]
}KPROCESS, ∗PKPROCESS ;

Memory basics
RWX
How can we find a KPROCESS structure?

Each KPROCESS begins with a DISPATCHER HEADER structure.
t y p e d e f s t r u c t DISPATCHER HEADER // 6 e l e m e n t s , 0 x10 b y t e s ( s i z e o f )
{
/∗0 x000 ∗/ UINT8 Type ; // <−−−− i n t e r e s t i n g f o r us
/∗0 x001 ∗/ UINT8 Absolute ;
/∗0 x002 ∗/ UINT8 Size ; // <−−−− i n t e r e s t i n g f o r us
/∗0 x003 ∗/ UINT8 Inserted ;
/∗0 x004 ∗/ LONG32 SignalState ;
/∗0 x008 ∗/ s t r u c t LIST ENTRY W a i t L i s t H e a d ; // 2 e l e m e n t s , 0 x8 b y t e s ( s i z e o f )
}DISPATCHER HEADER , ∗PDISPATCHER HEADER ;
Field Type and Size have fixed values accross OS versions.

For example, for Windows XP SP2, Type = 0x3 and Size =
0x1b.
Result
We have a signature to retrieve a DISPATCHER HEADER structure
inside the physical memory.

Memory basics
RWX
How can we find a KPROCESS structure?
Method proposed by Andreas Schuster

Principle
Scan physical memory in order to localize a
DISPATCHER HEADER structure.
Validate candidate by checking consistency of the structure.

Memory basics
RWX
Processes list
Processes are represented by EPROCESS structures.

Which begin with a KPROCESS structure.
And belong to a doubly-linked list located in kernelspace.

Memory basics
RWX
Virtual spaces reconstruction
Kernel space
struct _EPROCESS @ 0x80eed020

+0x000 Pcb : struct _KPROCESS
[...]
+0x088 ActiveProcessLinks : struct _LIST_ENTRY
[...] struct _KPROCESS @ 0x80eed020
+0x000 Header : struct _DISPATCHER_HEADER
[...]
+0x018 DirectoryTableBase : [2] Uint4B
struct _EPROCESS @ 0xffbb8550 [...]
[...]
[...]
struct _EPROCESS @ 0x80dc8c90 cr3 value

[...]
[...]

Memory basics
RWX
Conclusion
Results
Virtual space translation of all processes.
Equivalence between physical memory and virtual memory.

Memory basics
Several ways
Zoom on FireWire
RWX
Agenda
1 Memory basics
3 RWX

Memory basics
Several ways
Zoom on FireWire
RWX
Agenda
1 Memory basics

Several ways
Zoom on FireWire
3 RWX

Memory basics
Several ways
Zoom on FireWire
RWX
How to access physical memory?
Several ways:
DMA (FireWire, PCMCIA, ExpressCard, PCI, etc.)
VMWare
Hibernation files with Sandman
Coldboot attacks
Memory dumps with forensics tools, etc.

Memory basics
Several ways
Zoom on FireWire
RWX
Agenda
1 Memory basics

Several ways
Zoom on FireWire
3 RWX

Memory basics
Several ways
Zoom on FireWire
RWX
Zoom on FireWire
FireWire ?
Developed by Apple in the 80’s and standardized by IEEE in
1995.
Allow access to physical memory by using DMA (Direct
Memory Access).

Memory basics
Several ways
Zoom on FireWire
RWX
Zoom on FireWire
Memory access
Memory access is configurated by 2 registers of the FireWire
controller
Disabled by default on Windows.
Except for peripherals that need it.
For example mass-storage peripherals, like an iPod

Memory basics
Several ways
Zoom on FireWire
RWX
iPod transformation
OHCI 1394 specification

Each FireWire node has an “identity card”
Which can be modified. . .
libraw1394 library
Userland library to manipulate FireWire bus.
With the raw1394 update config rom function, we can alter
our node identity.

Memory basics
Several ways
Zoom on FireWire
RWX
iPod transformation
Method
Dump the ROM of a connected iPod
Replace the laptop FireWire ROM with the iPod one

Memory basics
Several ways
Zoom on FireWire
RWX
iPod transformation
Before
Laptop running Linux.
00000000 04 04 0d ef 31 33 39 34 e0 64 a2 32 42 4f c0 00 |....1394.d.2BO..|
00000010 3c c4 44 50 00 03 03 5d 03 42 4f c0 81 00 00 02 |<.DP.....BO.....|
00000020 0c 00 83 c0 00 06 2c 2a 00 00 00 00 00 00 00 00 |......,*........|
00000030 4c 69 6e 75 78 20 2d 20 6f 68 63 69 31 33 39 34 |Linux - ohci1394|

Memory basics
Several ways
Zoom on FireWire
RWX
iPod transformation
After
An iPod :)
00000000 04 04 72 86 31 33 39 34 00 ff a0 12 00 0a 27 00 |..r.1394......’.|
00000010 02 aa 6b a7 00 04 f9 3c 0c 00 83 c0 03 00 0a 27 |..k....<.......’|
00000020 81 00 00 11 d1 00 00 01 00 0e e5 a0 12 00 60 9e |..............‘.|
00000030 13 01 04 83 21 00 00 01 3a 00 0a 08 3e 00 4c 10 |............>.L.|
00000040 38 00 60 9e 39 01 04 d8 3b 00 00 00 3c 0a 27 00 |8.‘.9.......<.’.|
00000050 54 00 40 00 3d 00 00 03 14 0e 00 00 17 00 00 21 |T.@.............|
00000060 81 00 00 0a 00 08 96 bc 00 00 00 00 00 00 00 00 |................|
00000070 41 70 70 6c 65 20 43 6f 6d 70 75 74 65 72 2c 20 |Apple Computer,.|
00000080 49 6e 63 2e 00 00 00 00 00 04 34 e7 00 00 00 00 |Inc.......4.....|
00000090 00 00 00 00 69 50 6f 64 00 00 00 00 00 00 00 00 |....iPod........|

Memory basics
Several ways
Zoom on FireWire
RWX
iPod transformation
Conclusion
Since Windows believes an iPod is connected, it authorizes physical
memory read/write access.
For more details

Adam Boileau’s website : http://storm.net.nz/projects/16

Memory basics Read: gather information
How to access physical memory Write: everything is authorized
RWX eXecute: Welcome to Paradise
Agenda
1 Memory basics
3 RWX

Agenda
1 Memory basics
3 RWX
Read: gather information
Write: everything is authorized
eXecute: Welcome to Paradise

Process Explorer 101
Context
Read-only access
Purpose
Gather and show information relative to each process.
What is needed?
Processes and threads lists.
Opened handles, loaded libraries.


Handles
struct _EPROCESS struct _HANDLE_TABLE struct _HANDLE_TABLE_ENTRY

+0x000 Pcb : struct _KPROCESS +0x000 TableCode : Ptr32 to void
[...] [...] struct _HANDLE_TABLE_ENTRY
+0x0c4 ObjectTable : Ptr32 to struct _HANDLE_TABLE
[...] struct _HANDLE_TABLE_ENTRY
+0x190 ThreadListHead : struct _LIST_ENTRY
[...]
+0x1b0 Peb : Ptr32 to struct _PEB
[...]
struct _HANDLE_TABLE_ENTRY
struct _PEB Threads

[...]
+0x00c Ldr : Ptr32 to _PEB_LDR_DATA
[...] struct _ETHREAD
[...]
Dlls +0x22C ThreadListEntry : struct _LIST_ENTRY
[...]
struct _PEB_LDR_DATA
[...]
+0x00c InLoadOrderModuleList : struct _LIST_ENTRY struct _ETHREAD
[...] [...]
+0x22C ThreadListEntry : struct _LIST_ENTRY
[...]
struct _LDR_DATA_TABLE_ENTRY
+0x000 InLoadOrderModuleList : struct _LIST_ENTRY
[...] struct _ETHREAD
[...]
+0x22C ThreadListEntry : struct _LIST_ENTRY
[...]
struct _LDR_DATA_TABLE_ENTRY
+0x000 InLoadOrderModuleList : struct _LIST_ENTRY
[...]

DEMO

Regedit 101
Context
Same as Process Explorer 101.
Purpose
Clone regedit.
What is needed?
Hives and registry keys.

Regedit 101
struct _CM_KEY_BODY
struct _CM_KEY_CONTROL_BLOCK
[...]
[...]
+0x004 KeyControlBlock : Ptr32 to struct _CM_KEY_CONTROL_BLOCK
+0x010 KeyHive : Ptr32 to struct _HHIVE
[...]
+0x014 KeyCell : Uint4B
[...]
struct _HHIVE
[...]
+0x058 Storage : [2] struct _DUAL
[...] Cell Index
1 bit 10 bits 9 bits 12 bits
Directory Table Offset

struct _DUAL
[...]
+0x004 Map : Ptr32 to struct _HMAP_DIRECTORY
[...]
struct _HMAP_DIRECTORY struct _HMAP_TABLE
struct _CELL_DATA
Ptr32 to struct
struct _HMAP_ENTRY
_HMAP_TABLE
struct _HMAP_ENTRY
+0x000 BlockAddress : Uint4B
[...]
1024 pointers 512 struct _HMAP_ENTRY

Regedit 101
DEMO

Agenda
1 Memory basics
3 RWX

Login without password?
Context
Read/write access
Several ways:
Adam Boileau’s winlockpwn or. . .
2-bytes patch in registry :)

Login without password?
DEMO

Privilege escalation
Each process owns a security token.

Security token belongs to kernel memory.
But we can access kernel memory :)

Privilege escalation
DEMO

Agenda
1 Memory basics
3 RWX

Arbitrary code execution
Context
Read/write access
But no execute access. . .
A solution
Functions pointers hooking

Which pointers?
KUSER SHARED DATA structure
SystemCall field
Called before each system call
Where to store the payload?

The KUSER SHARED DATA structure occupies only 334 bytes
on a 4K-page. . .

DEMO

How it works ?
Each process belongs to a desktop.
Only one desktop can interact with a user.
For an interactive user, 3 desktops Default, Disconnect et
Winlogon
With CreateProcess, we can specify the desktop
We can spawn a cmd in Winlogon desktop.
Thus we have a pre-authentication SYSTEM shell :)

What if DEP is enabled?
KUSER SHARED DATA is not executable.

Per process DEP control with KEXECUTE OPTIONS.
Stored inside the KPROCESS structure.
t y p e d e f s t r u c t KEXECUTE OPTIONS // 7 e l e m e n t s , 0 x1 b y t e s ( s i z e o f )
{
/∗0 x000 ∗/ UINT8 ExecuteDisable : 1; // 0 B i t P o s i t i o n
/∗0 x000 ∗/ UINT8 ExecuteEnable : 1 ; // 1 B i t P o s i t i o n
/∗0 x000 ∗/ UINT8 D i s a b l e T h u n k E m u l a t i o n : 1 ; // 2 B i t P o s i t i o n
/∗0 x000 ∗/ UINT8 Permanent : 1 ; // 3 B i t P o s i t i o n
/∗0 x000 ∗/ UINT8 E x e c u t e D i s p a t c h E n a b l e : 1 ; // 4 B i t P o s i t i o n
/∗0 x000 ∗/ UINT8 ImageDispatchEnable : 1 ; // 5 B i t P o s i t i o n
/∗0 x000 ∗/ UINT8 Spare : 2 ; // 6 B i t P o s i t i o n
}KEXECUTE OPTIONS , ∗PKEXECUTE OPTIONS ;

Conclusion
iPod 101
Physical access = root
We can reconstruct a high-level view of the operating system

with only physical memory.
Many applications: forensics, debug, intrusion.

Questions ?
Thanks for your attention

Questions ?

Bibliography
Adam Boileau: http://storm.net.nz/projects/16

Andreas Schuster:
http://computer.forensikblog.de/en/
Sandman: http://sandman.msuiche.net/
Coldboot attacks: http://citp.princeton.edu/memory/

2008 Hack - Lu Aumaitre

Загружено:

Сведения о документе

Исходное описание:

Оригинальное название

Авторское право

Доступные форматы

Поделиться этим документом

Поделиться или встроить документ

Параметры публикации

Этот документ был вам полезен?

Это неприемлемый материал?

Авторское право:

Доступные форматы

2008 Hack - Lu Aumaitre

Загружено:

Авторское право:

Доступные форматы

Memory basics

How to access physical memory

A little journey inside Windows memory

D.Aumaitre - SOGETI/ESEC A little journey inside Windows memory 1 / 32

2 How to access physical memory

D.Aumaitre - SOGETI/ESEC A little journey inside Windows memory 2 / 32

2 How to access physical memory

D.Aumaitre - SOGETI/ESEC A little journey inside Windows memory 3 / 32

User space User space

Kernel space Kernel space

D.Aumaitre - SOGETI/ESEC A little journey inside Windows memory 4 / 32

Directory Table Offset

cr3 1024 pointers

D.Aumaitre - SOGETI/ESEC A little journey inside Windows memory 4 / 32

2 How to access physical memory

D.Aumaitre - SOGETI/ESEC A little journey inside Windows memory 5 / 32

Why use physical memory?

D.Aumaitre - SOGETI/ESEC A little journey inside Windows memory 6 / 32

Indispensable for address translation.

D.Aumaitre - SOGETI/ESEC A little journey inside Windows memory 7 / 32

How can we find a KPROCESS structure?

Field Type and Size have fixed values accross OS versions.

D.Aumaitre - SOGETI/ESEC A little journey inside Windows memory 8 / 32

How can we find a KPROCESS structure?

Method proposed by Andreas Schuster

D.Aumaitre - SOGETI/ESEC A little journey inside Windows memory 9 / 32

Processes are represented by EPROCESS structures.

D.Aumaitre - SOGETI/ESEC A little journey inside Windows memory 10 / 32

Virtual spaces reconstruction

struct _EPROCESS @ 0x80eed020

struct _EPROCESS @ 0x80dc8c90 cr3 value

D.Aumaitre - SOGETI/ESEC A little journey inside Windows memory 11 / 32

D.Aumaitre - SOGETI/ESEC A little journey inside Windows memory 12 / 32

2 How to access physical memory

D.Aumaitre - SOGETI/ESEC A little journey inside Windows memory 13 / 32

2 How to access physical memory

D.Aumaitre - SOGETI/ESEC A little journey inside Windows memory 14 / 32

How to access physical memory?

D.Aumaitre - SOGETI/ESEC A little journey inside Windows memory 15 / 32

2 How to access physical memory

D.Aumaitre - SOGETI/ESEC A little journey inside Windows memory 16 / 32

D.Aumaitre - SOGETI/ESEC A little journey inside Windows memory 17 / 32

D.Aumaitre - SOGETI/ESEC A little journey inside Windows memory 17 / 32

OHCI 1394 specification

D.Aumaitre - SOGETI/ESEC A little journey inside Windows memory 18 / 32

D.Aumaitre - SOGETI/ESEC A little journey inside Windows memory 18 / 32

D.Aumaitre - SOGETI/ESEC A little journey inside Windows memory 18 / 32

D.Aumaitre - SOGETI/ESEC A little journey inside Windows memory 18 / 32

For more details

D.Aumaitre - SOGETI/ESEC A little journey inside Windows memory 18 / 32

2 How to access physical memory

D.Aumaitre - SOGETI/ESEC A little journey inside Windows memory 19 / 32

2 How to access physical memory

D.Aumaitre - SOGETI/ESEC A little journey inside Windows memory 20 / 32

Process Explorer 101

D.Aumaitre - SOGETI/ESEC A little journey inside Windows memory 21 / 32

Process Explorer 101

struct _EPROCESS struct _HANDLE_TABLE struct _HANDLE_TABLE_ENTRY

struct _PEB Threads

D.Aumaitre - SOGETI/ESEC A little journey inside Windows memory 21 / 32

Process Explorer 101

D.Aumaitre - SOGETI/ESEC A little journey inside Windows memory 21 / 32