Upgrade to Pro — share decks privately, control downloads, hide ads and more …

An Introduction to Virtual Machine Introspection Using LibVMI

Bryan Payne
December 09, 2014
Technology
0
520

An Introduction to Virtual Machine Introspection Using LibVMI

MMF Workshop at ACSAC 2014, December 2014. This talk will provide a brief introduction to LibVMI. LibVMI provides an API for performing memory analysis tasks on running virtual machines. We will explore how LibVMI provides a common API for interfacing with Linux and Windows VMs running on both Xen and KVM/Qemu. And we will look at the abstractions available ranging from memory access based on physical addresses, virtual addresses, or kernel symbols to event driven runtime memory analysis. Finally, we will discuss different ways of using LibVMI including as a C library, a Python library, and as a Volatility address space plugin. Along the way we will discuss how LibVMI has worked to address the performance and semantic gap concerns that often arise when programming with virtual machine introspection. LibVMI is actively maintained, and freely available on GitHub under the LGPL license (https://github.com/libvmi/libvmi). http://www.acsac.org/2014/workshops/mmf/

Bryan Payne

December 09, 2014
Tweet

More Decks by Bryan Payne

See All by Bryan Payne
Fail, Learn, Fix: Improving Security The Old-Fashioned Way
bdpayne
0
240
BLESS: Better Security and Ops for SSH Access
bdpayne
3
720
Securing Containers the Netflix Way
bdpayne
1
2.3k
PKI at Scale Using Short-Lived Certificates
bdpayne
0
840
Platform Security Jobs at Netflix
bdpayne
0
860
Improving Cloud Security with Attacker Profiling
bdpayne
2
810
Key Management in AWS: How Netflix Secures Sensitive Data Without Its Own Data Center
bdpayne
4
1.8k
Security at Different Layers of Abstractions: Application, Operating Systems, and Hardware
bdpayne
0
200
Platform Security at Netflix: Securing Microservices from the Ground Up
bdpayne
0
5.7k

Other Decks in Technology

See All in Technology
ChatworkのSRE部って実は 半分くらいPlatform Engineering部かもしれない
saramune
0
160
TechFeed Experts Night#27 〜 フロントエンドフレームワーク最前線 (Svelte)
baseballyama
1
370
自己改善からチームを動かす! 「セルフエンジニアリングマネージャー」のすゝめ
shoota
6
310
ゼロから始めるVue.jsコミュニティ貢献 / first-vuejs-community-contribution-link-and-motivation
lmi
1
120
Oracle Cloud Infrastructure:2024年4月度サービス・アップデート
oracle4engineer
PRO
1
190
日本におけるデータエンジニアリングのこれまでとこれから
foursue
16
4.2k
Google Cloud の AI を支える裏側のインフラを垣間見る!
maroon1st
0
340
web-application-security
matsuihidetoshi
0
140
継続的な改善 x ⾮連続的な進化
sansantech
PRO
3
150
最近たまに見かけるTiDBってなんだ? - Findy
pingcap0315
2
770
GraphQL 成熟度モデルの紹介と、プロダクトに当てはめた事例 / GraphQL maturity model
mh4gf
7
1.3k
家族アルバム みてねにおけるGrafana活用術 / Grafana Meetup Japan Vol.1 LT
isaoshimizu
1
430

Featured

See All Featured
How GitHub Uses GitHub to Build GitHub
holman
468
290k
The Straight Up "How To Draw Better" Workshop
denniskardys
227
130k
Fight the Zombie Pattern Library - RWD Summit 2016
marcelosomers
227
16k
Code Reviewing Like a Champion
maltzj
514
39k
Six Lessons from altMBA
skipperchong
21
3k
Making the Leap to Tech Lead
cromwellryan
124
8.5k
Optimising Largest Contentful Paint
csswizardry
8
2.4k
The Illustrated Children's Guide to Kubernetes
chrisshort
31
46k
The Invisible Customer
myddelton
114
12k
Practical Orchestrator
shlominoach
182
9.7k
[Rails World 2023 - Day 1 Closing Keynote] - The Magic of Rails
eileencodes
2
1.3k
It's Worth the Effort
3n
180
27k

Transcript

  1. © 2014 Nebula, Inc. All rights reserved. (cloud) Computing for

    the Enterprise An Introduction to Virtual Machine Introspection Using LibVMI Bryan  D.  Payne   [email protected]

  2. © 2014 Nebula, Inc. All rights reserved. Virtual Machine Introspection

    Memory  Analysis  (at  runtime)   Events   -­‐ Register  changes   -­‐ Memory  read  /  write  /  execute   -­‐ Memory  mapped  I/O   -­‐ Exceptions  (e.g.,  page  faults)

  3. © 2014 Nebula, Inc. All rights reserved. Use Cases Forensics

      System-­‐level  debugging  and  analysis   Runtime  security   Timeline  or  trend  analysis   Debugging   Other  ideas?

  4. © 2014 Nebula, Inc. All rights reserved. Hard Problems Semantic

     Gap   Performance   Platform  Support

  5. © 2014 Nebula, Inc. All rights reserved. LibVMI Goal:  Make

     VMI  more  accessible  to  programmers   -­‐ Backends:  KVM/QEMU,  Xen,  Raw  snapshot  files   -­‐ Operating  Systems:  Linux,  Windows   -­‐ Architectures:  x86  (32-­‐bit,  PAE,  64-­‐bit),  ARM   -­‐ API:  read/write  memory,  memory  events,   translations,  cache  management LibVMI (C language API) KVM Xen Other VMM Memory Snapshot patch

  6. © 2014 Nebula, Inc. All rights reserved. LIBVMI INTERNALS

  7. © 2014 Nebula, Inc. All rights reserved. LibVMI Internals Initialization

     of  LibVMI   Runtime  guest  introspection   -­‐ Memory  access  (read  /  write)   -­‐ Register  access   -­‐ Memory  events   -­‐ Address  translation   -­‐ Symbol  resolution   -­‐ Cache  management   Hypervisor-­‐level  support  

  8. © 2014 Nebula, Inc. All rights reserved. LibVMI Initialization Find

     VM  (Xen,  KVM,  etc)   Read  config  file   Memory  layout  and  size   Find  kernel  base  location   Init  symbol  resolution   (exports,  debug  info,  etc)   Find  page  directory   location  (CR3  /  kpgd)   Find  kernel  process  list vmi_init(…) vmi_init_complete(…)

  9. © 2014 Nebula, Inc. All rights reserved. LibVMI Initialization Find

     VM  (Xen,  KVM,  etc)   Read  config  file   Memory  layout  and  size   Find  kernel  base  location   Init  symbol  resolution   (exports,  debug  info,  etc)   Find  page  directory   location  (CR3  /  kpgd)   Find  kernel  process  list vmi_init(…) vmi_init_complete(…) From VMM and/or OS

  10. © 2014 Nebula, Inc. All rights reserved. Config file: libvmi.conf

    winxpsp2 { ostype = "Windows"; win_tasks = 0x88; win_pdbase = 0x18; win_pid = 0x84; win_kdvb = 0x80544ce0; } win7sp1x64 { ostype = "Windows"; win_tasks = 0x188; win_pdbase = 0x28; win_pid = 0x180; win_kdvb = 0xfffff800027f10a0; }

  11. © 2014 Nebula, Inc. All rights reserved. Finding the Kernel

    1. 0x0 0x5A4D 0x00004550 0x4d7000 ... MZ Header Image NT Sig ntoskrnl.exe Export Table Name base+0x3c Scan up from physical address 0x0 2. 3.

  12. © 2014 Nebula, Inc. All rights reserved. Finding the Kernel

    1. 0x0 0x5A4D 0x00004550 0x4d7000 ... MZ Header Image NT Sig ntoskrnl.exe Export Table Name base+0x3c Scan up from physical address 0x0 0x5A4D 0x00004550 0x4d7000 MZ Header Image NT Sig ntoskrnl.exe Export Table Name base+0x3c Scan down from virtual address in IDTR IDTR 2. 3.

  13. © 2014 Nebula, Inc. All rights reserved. Finding the Kernel

    1. 0x0 0x5A4D 0x00004550 0x4d7000 ... MZ Header Image NT Sig ntoskrnl.exe Export Table Name base+0x3c Scan up from physical address 0x0 0x5A4D 0x00004550 0x4d7000 MZ Header Image NT Sig ntoskrnl.exe Export Table Name base+0x3c Scan down from virtual address in IDTR IDTR 2. 3. _KDDEBUGGER_DATA64[KernBase]

  14. © 2014 Nebula, Inc. All rights reserved. Where Is _KDDEBUGGER_DATA64?

    May  take  longer  than  just  finding  kernel  directly   Symbol  access  makes  it  all  worthwhile   -­‐ KernBase   -­‐ PsLoadedModuleList   -­‐ 125+  symbols 0x0 "\x00\xf8\xFF\xFFKDBG" 0x?????? ... KDBG Signature Scan up from physical address 0x0

  15. © 2014 Nebula, Inc. All rights reserved. LibVMI Initialization Find

     VM  (Xen,  KVM,  etc)   Read  config  file   Memory  layout  and  size   Find  kernel  base  location   Init  symbol  resolution   (exports,  debug  info,  etc)   Find  page  directory   location  (CR3  /  kpgd)   Find  kernel  process  list vmi_init(…) vmi_init_complete(…)

  16. © 2014 Nebula, Inc. All rights reserved. Symbol Resolution _KDDEBUGGER_DATA64

      Kernel  PE  Export  Table   -­‐ Start  with  kernel  base  location   -­‐ Parse  kernel  PE  header   -­‐ RVA  to  export  table  in  optional  head  data  dir

  17. © 2014 Nebula, Inc. All rights reserved. LibVMI Initialization Find

     VM  (Xen,  KVM,  etc)   Read  config  file   Memory  layout  and  size   Find  kernel  base  location   Init  symbol  resolution   (exports,  debug  info,  etc)   Find  page  directory   location  (CR3  /  kpgd)   Find  kernel  process  list vmi_init(…) vmi_init_complete(…)

  18. © 2014 Nebula, Inc. All rights reserved. Page Directory CR3,

     or  Search  for  “System”  EPROCESS  struct 0x0 0x1b0003 [dtb vaddr] base ... Header System base+0x18 Scan up from physical address 0x0 DirectoryTableBase ImageFileName base+0x174 nt!_EPROCESS +0x000 Pcb : _KPROCESS +0x000 Header : _DISPATCHER_HEADER +0x010 ProfileListHead : _LIST_ENTRY +0x018 DirectoryTableBase : [2] Uint4B +0x020 LdtDescriptor : _KGDTENTRY +0x028 Int21Descriptor : _KIDTENTRY +0x030 IopmOffset : Uint2B ... +0x000 Count : Uint4B +0x000 Ptr : Ptr32 Void +0x084 UniqueProcessId : Ptr32 Void +0x088 ActiveProcessLinks : _LIST_ENTRY +0x000 Flink : Ptr32 _LIST_ENTRY +0x004 Blink : Ptr32 _LIST_ENTRY ...

  19. © 2014 Nebula, Inc. All rights reserved. LibVMI Initialization Find

     VM  (Xen,  KVM,  etc)   Read  config  file   Memory  layout  and  size   Find  kernel  base  location   Init  symbol  resolution   (exports,  debug  info,  etc)   Find  page  directory   location  (CR3  /  kpgd)   Find  kernel  process  list vmi_init(…) vmi_init_complete(…)

  20. © 2014 Nebula, Inc. All rights reserved. LibVMI Initialization Find

     VM  (Xen,  KVM,  etc)   Read  config  file   Memory  layout  and  size   Find  kernel  base  location   Init  symbol  resolution   (exports,  debug  info,  etc)   Find  page  directory   location  (CR3  /  kpgd)   Find  kernel  process  list vmi_init(…) vmi_init_complete(…) Using symbol from _KDDEBUGGER_DATA64 (PsActiveProcessHead)

  21. © 2014 Nebula, Inc. All rights reserved. LibVMI Initialization Find

     VM  (Xen,  KVM,  etc)   Read  config  file   Memory  layout  and  size   Find  kernel  base  location   Init  symbol  resolution   (exports,  debug  info,  etc)   Find  page  directory   location  (CR3  /  kpgd)   Find  kernel  process  list vmi_init(…) vmi_init_complete(…)

  22. © 2014 Nebula, Inc. All rights reserved. LibVMI Runtime Read

     /  Write  Functions   -­‐ Starting  from  Kernel  Symbol,  Vaddr,  or  Paddr   -­‐ Specify  length  to  read   -­‐ Read  a  string  (ASCII  or  UNICODE)   Address  Translation  Functions   -­‐ Kernel  or  User  Vaddr  to  Paddr   -­‐ Kernel  symbol  to  Vaddr   Convenience  Functions   -­‐ Pause  /  Resume,  Memory  size,  CPU  Registers   -­‐ LibVMI  cache  manipulation

  23. © 2014 Nebula, Inc. All rights reserved. Read Example (vmi_read_ksym)

    resolve  symbol translate  to  paddr read  from  VMM handle  page  wraps

  24. © 2014 Nebula, Inc. All rights reserved. Page-level Cache Page

    Cache Hash Table Hash = Paddr Hash-1 Hash-2 Hash-3 Hash-n ... Handle/Buf-A Handle/Buf-B Handle/Buf-C Handle/Buf-n Memory Request Handle or Buffer Read Memory Buffer In Cache? Yes No VMI Application Hypervisor / VMM LibVMI Page Cache LRU List if (lru is full) remove 1/2 most stale Fresh Stale ... Notify

  25. © 2014 Nebula, Inc. All rights reserved. Virtual To Physical

    Cache Paddr Translate Vaddr Paddr Hash-1 Hash-2 Hash-3 Hash-n ... Handle/Buf-A Handle/Buf-B Handle/Buf-C Handle/Buf-n In Cache? V2P Cache Yes No VMI Application Hypervisor / VMM LibVMI Hash = CityHash(va << 64 | cr3) Walk Guest Page Tables Memory Reads Valid? Yes No

  26. © 2014 Nebula, Inc. All rights reserved. Cache Summary Page-­‐level

     data   Virtual  address  to  Physical  address   Process  ID  to  Directory  Table  Base   Kernel  Symbol  to  Virtual  address

  27. © 2014 Nebula, Inc. All rights reserved. Cache Performance No

    Cache Page Only Addr Only All Cache time in microseconds 1 10 100 1000 10000 6 6 6 50 6 6 123 1331 vmi_translate_ksym2v vmi_translate_kv2p System  configuration:  Xen  4.1.1,  Dual  Intel  Xeon  X5675,  24G  RAM,  Windows  XP  VM   Times  shown  are  for  cache  hits,  when  possible

  28. © 2014 Nebula, Inc. All rights reserved. Cache Performance System

     configuration:  Xen  4.1.1,  Dual  Intel  Xeon  X5675,  24G  RAM,  Windows  XP  VM   Times  shown  are  for  cache  hits,  when  possible No Cache Page Only Addr Only All Cache time in microseconds 1 10 100 4 33 5 28 5 48 6 42 vmi_read_pa (1875 x 4 bytes) vmi_read_pa (1 x 7.5k bytes)

  29. © 2014 Nebula, Inc. All rights reserved. ADDITIONAL FEATURES

  30. © 2014 Nebula, Inc. All rights reserved. Events (Xen) Pause

     guest  and  transfer  control  to  callback   function  in  your  application   Memory  r/w/x  events  on  defined  regions   Register  r/w  events  on  CR0/CR3/CR4/MSR  regs   Interrupt  events   Single  step  through  instructions

  31. © 2014 Nebula, Inc. All rights reserved. Shared Memory Snapshots

    (KVM) Requires  custom  patch  for  Qemu-­‐KVM   Transparently  creates  a  guest  snapshot   Guest  continues  running   VMI  app  gets  direct  memory  access   VMI  app  can  refresh  snapshot  at  will

  32. © 2014 Nebula, Inc. All rights reserved. Rekall Profiles (Windows)

    Use  Rekall  tool  to  generate  Windows  profiles   Profiles  replace  the  need  to  provide  offsets  in   the  libvmi.conf  file   Especially  useful  for  Windows  8,  where  KDBG  is   typically  not  accessible

  33. © 2014 Nebula, Inc. All rights reserved. USING LIBVMI

  34. © 2014 Nebula, Inc. All rights reserved.

  35. © 2014 Nebula, Inc. All rights reserved. LibVMI (C language

    API) pyvmi (Python language wrapper for LibVMI) KVM Xen Other VMM Memory Snapshot patch

  36. © 2014 Nebula, Inc. All rights reserved.

  37. © 2014 Nebula, Inc. All rights reserved. LibVMI (C language

    API) pyvmi (Python language wrapper for LibVMI) Volatility (memory analysis framework) pyvmi address space plugin plugin plugin plugin plugin plugin Runtime analysis capabilities augment Volatility's rich memory analysis. ... KVM Xen Other VMM Memory Snapshot patch

  38. © 2014 Nebula, Inc. All rights reserved. Development   https://github.com/libvmi/libvmi

      Discussion   https://groups.google.com/d/forum/vmitools

  39. © 2014 Nebula, Inc. All rights reserved. (cloud) Computing for

    the Enterprise An Introduction to Virtual Machine Introspection Using LibVMI Bryan  D.  Payne   [email protected]