Demigod: The Art of Emulating Kernel Rootkits

Presented at Black Hat USA 2020 Virtual, Aug. 5, 2020, 2:30 p.m. (40 minutes)

Kernel rootkits are considered the most dangerous class of malware that can infect a computer. Operating at ring 0, the highest privilege level in the system, this malware has unrestricted power over the whole machine and can therefore defeat all defensive and monitoring mechanisms. Unfortunately, dynamic analysis solutions for kernel rootkits are severely lacking: most existing dynamic tools are built for userspace code (ring 3), not for Operating System (OS) level code. This limitation forces security researchers to fall back on static analysis, which has proved to be tricky and time consuming.

This research proposes a novel approach to dealing with kernel rootkits. We introduce Demigod, a framework that emulates OS environments so that kernel rootkits can be run inside a software emulator, entirely in ring 3. From this sandbox we can safely monitor, trace, debug or perform any other kind of dynamic analysis on this advanced malware.

Emulating a complex OS such as Windows, macOS or Linux is a challenging task. We will present the technical issues we had to deal with, including how we built our own loader and dynamic linker, and how we emulate the OS environment, the essential kernel components and the system APIs that rootkits need in order to run.

Designed and implemented as a cross-platform, cross-architecture engine, Demigod can emulate Windows/macOS/Linux/BSD on X86/Arm/Aarch64/Mips. On top of Demigod we built advanced tools for analyzing kernel rootkits, including some automated solutions, giving malware analysts new weapons to ease their manual work.

This talk includes a series of live demos showing how we use this toolset to dissect several well-known kernel rootkits for Windows, macOS and Linux. We will also explain how Demigod can be extended to handle more sophisticated malware in the future.

Demigod will be released after our presentation, with full source code.

Presenters:

  • Tuan Do Minh - Mr, CyStack
    Do Minh Tuan (hardtobelieve) is a security researcher at CyStack, Vietnam. He has five years of working experience in cybersecurity and has presented at Xcon, T2, Insomni'hack and Black Hat Asia. A passionate member of the BabyPhD CTF team, Tuan also enjoys exploring techniques for fuzzing and software exploitation.
  • Quang Nguyen Hong - Mr, Viettel Cyber Security
    Nguyen Hong Quang is a security researcher at Viettel Cyber Security. His interests and experience include Windows systems, vulnerability research, malware research, programming languages and low-level systems work. Follow him on Twitter at @quangnh89 and on his personal blog at https://develbranch.com
  • Quynh Nguyen Anh - Dr, Nanyang Technological University, Singapore
    Dr. Nguyen Anh Quynh is a regular speaker at numerous industrial cybersecurity conferences such as Black Hat USA/Europe/Asia, DEF CON, Recon, Eusecwest, Syscan, HackInTheBox, Hack.lu, Deepsec, XCon, Confidence, Hitcon, Opcde, Shakacon, Brucon, Zeronights, Tensec, H2HC, T2, NULL, etc. He has also presented his research in academic venues such as Usenix, IEEE, ACM, LNCS. His contribution to the field lays a foundation for various innovative works in the cybersecurity industry and academia. As a passionate coder, Dr. Nguyen is the founder and maintainer of several open source reversing projects: Capstone (http://capstone-engine.org), Unicorn (http://unicorn-engine.org) & Keystone (http://keystone-engine.org).