Upgrade to Pro — share decks privately, control downloads, hide ads and more …

An Introduction to Virtual Machine Introspectio...

Bryan Payne
December 09, 2014
Technology
0
610

An Introduction to Virtual Machine Introspection Using LibVMI

MMF Workshop at ACSAC 2014, December 2014. This talk will provide a brief introduction to LibVMI. LibVMI provides an API for performing memory analysis tasks on running virtual machines. We will explore how LibVMI provides a common API for interfacing with Linux and Windows VMs running on both Xen and KVM/Qemu. And we will look at the abstractions available ranging from memory access based on physical addresses, virtual addresses, or kernel symbols to event driven runtime memory analysis. Finally, we will discuss different ways of using LibVMI including as a C library, a Python library, and as a Volatility address space plugin. Along the way we will discuss how LibVMI has worked to address the performance and semantic gap concerns that often arise when programming with virtual machine introspection. LibVMI is actively maintained, and freely available on GitHub under the LGPL license (https://github.com/libvmi/libvmi). http://www.acsac.org/2014/workshops/mmf/

Bryan Payne

December 09, 2014
Tweet

More Decks by Bryan Payne

See All by Bryan Payne
Fail, Learn, Fix: Improving Security The Old-Fashioned Way
bdpayne
0
260
BLESS: Better Security and Ops for SSH Access
bdpayne
3
740
Securing Containers the Netflix Way
bdpayne
1
2.3k
PKI at Scale Using Short-Lived Certificates
bdpayne
0
870
Platform Security Jobs at Netflix
bdpayne
0
870
Improving Cloud Security with Attacker Profiling
bdpayne
2
820
Key Management in AWS: How Netflix Secures Sensitive Data Without Its Own Data Center
bdpayne
4
1.9k
Security at Different Layers of Abstractions: Application, Operating Systems, and Hardware
bdpayne
0
200
Platform Security at Netflix: Securing Microservices from the Ground Up
bdpayne
0
5.8k

Other Decks in Technology

See All in Technology
データプロダクトの定義からはじめる、データコントラクト駆動なデータ基盤
chanyou0311
2
280
OCI Vault 概要
oracle4engineer
PRO
0
9.7k
iOS/Androidで同じUI体験をネ イティブで作成する際に気をつ けたい落とし穴
fumiyasac0921
1
110
AWS Lambda のトラブルシュートをしていて思うこと
kazzpapa3
2
170
エンジニア人生の拡張性を高める 「探索型キャリア設計」の提案
tenshoku_draft
1
120
rootlessコンテナのすゝめ - 研究室サーバーでもできる安全なコンテナ管理
kitsuya0828
3
380
OCI Security サービス 概要
oracle4engineer
PRO
0
6.5k
マルチプロダクトな開発組織で 「開発生産性」に向き合うために試みたこと / Improving Multi-Product Dev Productivity
sugamasao
1
300
元旅行会社の情シス部員が教えるおすすめなre:Inventへの行き方 / What is the most efficient way to re:Invent
naospon
2
330
ノーコードデータ分析ツールで体験する時系列データ分析超入門
negi111111
0
410
dev 補講: プロダクトセキュリティ / Product security overview
wa6sn
1
2.3k
TanStack Routerに移行するのかい しないのかい、どっちなんだい! / Are you going to migrate to TanStack Router or not? Which one is it?
kaminashi
0
570

Featured

See All Featured
Keith and Marios Guide to Fast Websites
keithpitt
409
22k
Producing Creativity
orderedlist
PRO
341
39k
Visualizing Your Data: Incorporating Mongo into Loggly Infrastructure
mongodb
42
9.2k
Dealing with People You Can't Stand - Big Design 2015
cassininazir
364
24k
Building Your Own Lightsaber
phodgson
103
6.1k
個人開発の失敗を避けるイケてる考え方 / tips for indie hackers
panda_program
93
16k
Adopting Sorbet at Scale
ufuk
73
9.1k
Faster Mobile Websites
deanohume
305
30k
Rails Girls Zürich Keynote
gr2m
94
13k
Bootstrapping a Software Product
garrettdimon
PRO
305
110k
[RailsConf 2023 Opening Keynote] The Magic of Rails
eileencodes
28
9.1k
JavaScript: Past, Present, and Future - NDC Porto 2020
reverentgeek
47
5k

Transcript

  1. © 2014 Nebula, Inc. All rights reserved. (cloud) Computing for

    the Enterprise An Introduction to Virtual Machine Introspection Using LibVMI Bryan  D.  Payne   [email protected]

  2. © 2014 Nebula, Inc. All rights reserved. Virtual Machine Introspection

    Memory  Analysis  (at  runtime)   Events   -­‐ Register  changes   -­‐ Memory  read  /  write  /  execute   -­‐ Memory  mapped  I/O   -­‐ Exceptions  (e.g.,  page  faults)

  3. © 2014 Nebula, Inc. All rights reserved. Use Cases Forensics

      System-­‐level  debugging  and  analysis   Runtime  security   Timeline  or  trend  analysis   Debugging   Other  ideas?

  4. © 2014 Nebula, Inc. All rights reserved. Hard Problems Semantic

     Gap   Performance   Platform  Support

  5. © 2014 Nebula, Inc. All rights reserved. LibVMI Goal:  Make

     VMI  more  accessible  to  programmers   -­‐ Backends:  KVM/QEMU,  Xen,  Raw  snapshot  files   -­‐ Operating  Systems:  Linux,  Windows   -­‐ Architectures:  x86  (32-­‐bit,  PAE,  64-­‐bit),  ARM   -­‐ API:  read/write  memory,  memory  events,   translations,  cache  management LibVMI (C language API) KVM Xen Other VMM Memory Snapshot patch

  6. © 2014 Nebula, Inc. All rights reserved. LIBVMI INTERNALS

  7. © 2014 Nebula, Inc. All rights reserved. LibVMI Internals Initialization

     of  LibVMI   Runtime  guest  introspection   -­‐ Memory  access  (read  /  write)   -­‐ Register  access   -­‐ Memory  events   -­‐ Address  translation   -­‐ Symbol  resolution   -­‐ Cache  management   Hypervisor-­‐level  support  

  8. © 2014 Nebula, Inc. All rights reserved. LibVMI Initialization Find

     VM  (Xen,  KVM,  etc)   Read  config  file   Memory  layout  and  size   Find  kernel  base  location   Init  symbol  resolution   (exports,  debug  info,  etc)   Find  page  directory   location  (CR3  /  kpgd)   Find  kernel  process  list vmi_init(…) vmi_init_complete(…)

  9. © 2014 Nebula, Inc. All rights reserved. LibVMI Initialization Find

     VM  (Xen,  KVM,  etc)   Read  config  file   Memory  layout  and  size   Find  kernel  base  location   Init  symbol  resolution   (exports,  debug  info,  etc)   Find  page  directory   location  (CR3  /  kpgd)   Find  kernel  process  list vmi_init(…) vmi_init_complete(…) From VMM and/or OS

  10. © 2014 Nebula, Inc. All rights reserved. Config file: libvmi.conf

    winxpsp2 { ostype = "Windows"; win_tasks = 0x88; win_pdbase = 0x18; win_pid = 0x84; win_kdvb = 0x80544ce0; } win7sp1x64 { ostype = "Windows"; win_tasks = 0x188; win_pdbase = 0x28; win_pid = 0x180; win_kdvb = 0xfffff800027f10a0; }

  11. © 2014 Nebula, Inc. All rights reserved. Finding the Kernel

    1. 0x0 0x5A4D 0x00004550 0x4d7000 ... MZ Header Image NT Sig ntoskrnl.exe Export Table Name base+0x3c Scan up from physical address 0x0 2. 3.

  12. © 2014 Nebula, Inc. All rights reserved. Finding the Kernel

    1. 0x0 0x5A4D 0x00004550 0x4d7000 ... MZ Header Image NT Sig ntoskrnl.exe Export Table Name base+0x3c Scan up from physical address 0x0 0x5A4D 0x00004550 0x4d7000 MZ Header Image NT Sig ntoskrnl.exe Export Table Name base+0x3c Scan down from virtual address in IDTR IDTR 2. 3.

  13. © 2014 Nebula, Inc. All rights reserved. Finding the Kernel

    1. 0x0 0x5A4D 0x00004550 0x4d7000 ... MZ Header Image NT Sig ntoskrnl.exe Export Table Name base+0x3c Scan up from physical address 0x0 0x5A4D 0x00004550 0x4d7000 MZ Header Image NT Sig ntoskrnl.exe Export Table Name base+0x3c Scan down from virtual address in IDTR IDTR 2. 3. _KDDEBUGGER_DATA64[KernBase]

  14. © 2014 Nebula, Inc. All rights reserved. Where Is _KDDEBUGGER_DATA64?

    May  take  longer  than  just  finding  kernel  directly   Symbol  access  makes  it  all  worthwhile   -­‐ KernBase   -­‐ PsLoadedModuleList   -­‐ 125+  symbols 0x0 "\x00\xf8\xFF\xFFKDBG" 0x?????? ... KDBG Signature Scan up from physical address 0x0

  15. © 2014 Nebula, Inc. All rights reserved. LibVMI Initialization Find

     VM  (Xen,  KVM,  etc)   Read  config  file   Memory  layout  and  size   Find  kernel  base  location   Init  symbol  resolution   (exports,  debug  info,  etc)   Find  page  directory   location  (CR3  /  kpgd)   Find  kernel  process  list vmi_init(…) vmi_init_complete(…)

  16. © 2014 Nebula, Inc. All rights reserved. Symbol Resolution _KDDEBUGGER_DATA64

      Kernel  PE  Export  Table   -­‐ Start  with  kernel  base  location   -­‐ Parse  kernel  PE  header   -­‐ RVA  to  export  table  in  optional  head  data  dir

  17. © 2014 Nebula, Inc. All rights reserved. LibVMI Initialization Find

     VM  (Xen,  KVM,  etc)   Read  config  file   Memory  layout  and  size   Find  kernel  base  location   Init  symbol  resolution   (exports,  debug  info,  etc)   Find  page  directory   location  (CR3  /  kpgd)   Find  kernel  process  list vmi_init(…) vmi_init_complete(…)

  18. © 2014 Nebula, Inc. All rights reserved. Page Directory CR3,

     or  Search  for  “System”  EPROCESS  struct 0x0 0x1b0003 [dtb vaddr] base ... Header System base+0x18 Scan up from physical address 0x0 DirectoryTableBase ImageFileName base+0x174 nt!_EPROCESS +0x000 Pcb : _KPROCESS +0x000 Header : _DISPATCHER_HEADER +0x010 ProfileListHead : _LIST_ENTRY +0x018 DirectoryTableBase : [2] Uint4B +0x020 LdtDescriptor : _KGDTENTRY +0x028 Int21Descriptor : _KIDTENTRY +0x030 IopmOffset : Uint2B ... +0x000 Count : Uint4B +0x000 Ptr : Ptr32 Void +0x084 UniqueProcessId : Ptr32 Void +0x088 ActiveProcessLinks : _LIST_ENTRY +0x000 Flink : Ptr32 _LIST_ENTRY +0x004 Blink : Ptr32 _LIST_ENTRY ...

  19. © 2014 Nebula, Inc. All rights reserved. LibVMI Initialization Find

     VM  (Xen,  KVM,  etc)   Read  config  file   Memory  layout  and  size   Find  kernel  base  location   Init  symbol  resolution   (exports,  debug  info,  etc)   Find  page  directory   location  (CR3  /  kpgd)   Find  kernel  process  list vmi_init(…) vmi_init_complete(…)

  20. © 2014 Nebula, Inc. All rights reserved. LibVMI Initialization Find

     VM  (Xen,  KVM,  etc)   Read  config  file   Memory  layout  and  size   Find  kernel  base  location   Init  symbol  resolution   (exports,  debug  info,  etc)   Find  page  directory   location  (CR3  /  kpgd)   Find  kernel  process  list vmi_init(…) vmi_init_complete(…) Using symbol from _KDDEBUGGER_DATA64 (PsActiveProcessHead)

  21. © 2014 Nebula, Inc. All rights reserved. LibVMI Initialization Find

     VM  (Xen,  KVM,  etc)   Read  config  file   Memory  layout  and  size   Find  kernel  base  location   Init  symbol  resolution   (exports,  debug  info,  etc)   Find  page  directory   location  (CR3  /  kpgd)   Find  kernel  process  list vmi_init(…) vmi_init_complete(…)

  22. © 2014 Nebula, Inc. All rights reserved. LibVMI Runtime Read

     /  Write  Functions   -­‐ Starting  from  Kernel  Symbol,  Vaddr,  or  Paddr   -­‐ Specify  length  to  read   -­‐ Read  a  string  (ASCII  or  UNICODE)   Address  Translation  Functions   -­‐ Kernel  or  User  Vaddr  to  Paddr   -­‐ Kernel  symbol  to  Vaddr   Convenience  Functions   -­‐ Pause  /  Resume,  Memory  size,  CPU  Registers   -­‐ LibVMI  cache  manipulation

  23. © 2014 Nebula, Inc. All rights reserved. Read Example (vmi_read_ksym)

    resolve  symbol translate  to  paddr read  from  VMM handle  page  wraps

  24. © 2014 Nebula, Inc. All rights reserved. Page-level Cache Page

    Cache Hash Table Hash = Paddr Hash-1 Hash-2 Hash-3 Hash-n ... Handle/Buf-A Handle/Buf-B Handle/Buf-C Handle/Buf-n Memory Request Handle or Buffer Read Memory Buffer In Cache? Yes No VMI Application Hypervisor / VMM LibVMI Page Cache LRU List if (lru is full) remove 1/2 most stale Fresh Stale ... Notify

  25. © 2014 Nebula, Inc. All rights reserved. Virtual To Physical

    Cache Paddr Translate Vaddr Paddr Hash-1 Hash-2 Hash-3 Hash-n ... Handle/Buf-A Handle/Buf-B Handle/Buf-C Handle/Buf-n In Cache? V2P Cache Yes No VMI Application Hypervisor / VMM LibVMI Hash = CityHash(va << 64 | cr3) Walk Guest Page Tables Memory Reads Valid? Yes No

  26. © 2014 Nebula, Inc. All rights reserved. Cache Summary Page-­‐level

     data   Virtual  address  to  Physical  address   Process  ID  to  Directory  Table  Base   Kernel  Symbol  to  Virtual  address

  27. © 2014 Nebula, Inc. All rights reserved. Cache Performance No

    Cache Page Only Addr Only All Cache time in microseconds 1 10 100 1000 10000 6 6 6 50 6 6 123 1331 vmi_translate_ksym2v vmi_translate_kv2p System  configuration:  Xen  4.1.1,  Dual  Intel  Xeon  X5675,  24G  RAM,  Windows  XP  VM   Times  shown  are  for  cache  hits,  when  possible

  28. © 2014 Nebula, Inc. All rights reserved. Cache Performance System

     configuration:  Xen  4.1.1,  Dual  Intel  Xeon  X5675,  24G  RAM,  Windows  XP  VM   Times  shown  are  for  cache  hits,  when  possible No Cache Page Only Addr Only All Cache time in microseconds 1 10 100 4 33 5 28 5 48 6 42 vmi_read_pa (1875 x 4 bytes) vmi_read_pa (1 x 7.5k bytes)

  29. © 2014 Nebula, Inc. All rights reserved. ADDITIONAL FEATURES

  30. © 2014 Nebula, Inc. All rights reserved. Events (Xen) Pause

     guest  and  transfer  control  to  callback   function  in  your  application   Memory  r/w/x  events  on  defined  regions   Register  r/w  events  on  CR0/CR3/CR4/MSR  regs   Interrupt  events   Single  step  through  instructions

  31. © 2014 Nebula, Inc. All rights reserved. Shared Memory Snapshots

    (KVM) Requires  custom  patch  for  Qemu-­‐KVM   Transparently  creates  a  guest  snapshot   Guest  continues  running   VMI  app  gets  direct  memory  access   VMI  app  can  refresh  snapshot  at  will

  32. © 2014 Nebula, Inc. All rights reserved. Rekall Profiles (Windows)

    Use  Rekall  tool  to  generate  Windows  profiles   Profiles  replace  the  need  to  provide  offsets  in   the  libvmi.conf  file   Especially  useful  for  Windows  8,  where  KDBG  is   typically  not  accessible

  33. © 2014 Nebula, Inc. All rights reserved. USING LIBVMI

  34. © 2014 Nebula, Inc. All rights reserved.

  35. © 2014 Nebula, Inc. All rights reserved. LibVMI (C language

    API) pyvmi (Python language wrapper for LibVMI) KVM Xen Other VMM Memory Snapshot patch

  36. © 2014 Nebula, Inc. All rights reserved.

  37. © 2014 Nebula, Inc. All rights reserved. LibVMI (C language

    API) pyvmi (Python language wrapper for LibVMI) Volatility (memory analysis framework) pyvmi address space plugin plugin plugin plugin plugin plugin Runtime analysis capabilities augment Volatility's rich memory analysis. ... KVM Xen Other VMM Memory Snapshot patch

  38. © 2014 Nebula, Inc. All rights reserved. Development   https://github.com/libvmi/libvmi

      Discussion   https://groups.google.com/d/forum/vmitools

  39. © 2014 Nebula, Inc. All rights reserved. (cloud) Computing for

    the Enterprise An Introduction to Virtual Machine Introspection Using LibVMI Bryan  D.  Payne   [email protected]