We will present HyperPlatform, an advanced system monitoring platform for the Windows operating system (OS). Built on Intel VT-x and Extended Page Table (EPT) technology, the platform monitors a wide range of events with low overhead. HyperPlatform stays hidden from the monitored system, is resilient to modern anti-forensic techniques, and can be easily extended for day-to-day reverse engineering work.
Even today, many researchers lack suitable tools for analysing kernel-mode code. The steady growth of ring 0 rootkits calls for a fast, undetectable and resilient tool that monitors OS events across all protection rings. Such a tool would contribute significantly to reverse engineering.
Existing virtualization products such as VirtualBox and VMware are handy for analysis in their own right, but VT-x has far more potential for aiding reverse engineering. McAfee Deep Defender, for example, detects modification of critical system memory regions and registers. These tools, however, are proprietary and not available to everyone, or too complicated for most engineers to extend.
HyperPlatform is a thin hypervisor that can monitor: access to physical and virtual memory; function calls from user and kernel mode; and code execution at instruction granularity.
The hypervisor can monitor memory for two typical use cases. The first is monitoring access to specified memory regions in order to protect critical system data such as the system service descriptor table (SSDT). The second is recording every type of memory access originating from a specified region, such as a potentially malicious driver, in order to analyse its activity.
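The following is an added example and not HyperPlatform's own code: a user-mode C simulation of how an EPT-based monitor implements the two use cases above. Only the EPT entry layout (read, write and execute permission bits and the physical-address field) follows Intel's documented format; the page names, addresses, the `in_image` metadata and the handler policy are constructed for illustration. It shows the core trick: clearing a permission bit in the EPT entry does not change the guest's own page tables, but makes the matching access fault into the hypervisor, where the monitor decides whether to deny it or record it and let it continue.

```c
/*
 * Added example, not HyperPlatform code: a user-mode simulation of how an
 * EPT-based monitor traps the two kinds of memory access described above.
 * Only the EPT entry layout follows Intel; page names, addresses and the
 * policy are constructed for illustration.
 */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* EPT PTE permission bits and address field (Intel SDM Vol. 3, EPT paging-structure entries). */
#define EPT_READ     (1ULL << 0)
#define EPT_WRITE    (1ULL << 1)
#define EPT_EXECUTE  (1ULL << 2)
#define EPT_PFN_MASK 0x000FFFFFFFFFF000ULL   /* bits 12..51: host-physical page address */

enum access  { ACC_READ, ACC_WRITE, ACC_EXEC };
enum verdict { V_NO_EXIT, V_LOG_AND_ALLOW, V_DENY };

typedef struct {
    uint64_t    entry;     /* simulated EPT PTE mapping one 4 KiB guest page */
    bool        in_image;  /* page belongs to a loaded module (constructed metadata) */
    const char *name;      /* constructed label for output */
} page_t;

/* Identity-map a page with full permissions: the state before any monitoring. */
static page_t make_page(uint64_t hpa, bool in_image, const char *name) {
    page_t p = { (hpa & EPT_PFN_MASK) | EPT_READ | EPT_WRITE | EPT_EXECUTE, in_image, name };
    return p;
}

/* True when the entry does not permit the access: the CPU would raise an
 * EPT-violation VM-exit and hand control to the hypervisor. */
static bool ept_violates(uint64_t entry, enum access a) {
    uint64_t need = (a == ACC_READ) ? EPT_READ : (a == ACC_WRITE) ? EPT_WRITE : EPT_EXECUTE;
    return (entry & need) == 0;
}

/* Monitor policy for one page.
 * Use case 1: write-protect a guarded region such as the SSDT; reads keep working,
 *             every write exits.
 * Use case 2: clear X on pages outside any loaded image, so the first instruction
 *             fetch from dynamically allocated code exits. */
static void apply_policy(page_t *p, bool protect_writes) {
    if (protect_writes) p->entry &= ~EPT_WRITE;
    if (!p->in_image)   p->entry &= ~EPT_EXECUTE;
}

/* Simulated EPT-violation handler. A real one must also let the guest make
 * progress afterwards (restore the bit and single-step, or emulate the access). */
static enum verdict on_ept_violation(const page_t *p, enum access a) {
    unsigned long long hpa = (unsigned long long)(p->entry & EPT_PFN_MASK);
    if (a == ACC_WRITE) {
        printf("[deny] write to protected page %s (hpa 0x%llx)\n", p->name, hpa);
        return V_DENY;
    }
    if (a == ACC_EXEC) {
        printf("[log]  execution from non-image page %s (hpa 0x%llx)\n", p->name, hpa);
        return V_LOG_AND_ALLOW;
    }
    printf("[log]  unexpected read exit on %s (hpa 0x%llx)\n", p->name, hpa);
    return V_LOG_AND_ALLOW;   /* not caused by this policy, but never silently ignored */
}

/* One guest access: either no exit at all, or the handler's verdict. */
static enum verdict simulate_access(const page_t *p, enum access a) {
    return ept_violates(p->entry, a) ? on_ept_violation(p, a) : V_NO_EXIT;
}

/* Convenience wrapper: build a fresh page, apply the policy, perform one access. */
static enum verdict monitor_access(uint64_t hpa, bool in_image, bool protect_writes, enum access a) {
    page_t p = make_page(hpa, in_image, "page");
    apply_policy(&p, protect_writes);
    return simulate_access(&p, a);
}

int main(void) {
    /* Constructed pages and addresses; they do not correspond to any real system. */
    page_t ssdt = make_page(0x1234000ULL, true,  "SSDT (constructed)");
    page_t pool = make_page(0x5678000ULL, false, "NonPagedPool (constructed)");
    page_t text = make_page(0x9abc000ULL, true,  "ntoskrnl .text (constructed)");
    apply_policy(&ssdt, true);
    apply_policy(&pool, false);
    apply_policy(&text, false);
    simulate_access(&ssdt, ACC_READ);    /* no exit: reads stay native speed */
    simulate_access(&ssdt, ACC_WRITE);   /* denied: hook attempt on protected data */
    simulate_access(&pool, ACC_EXEC);    /* logged: code running outside any image */
    simulate_access(&text, ACC_EXEC);    /* no exit: legitimate kernel code */
    return 0;
}
```

The design point worth noting is that only the accesses the policy cares about ever leave the guest; everything else runs at native speed, which is where the low overhead of EPT-based monitoring comes from. The handler shown returns a verdict only; a real hypervisor must additionally arrange for the faulting instruction to complete (for example by temporarily restoring the permission bit and single-stepping with the monitor trap flag) or the guest will fault forever on the same access.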
HyperPlatform can also monitor a broad range of other events, such as interrupts, accesses to various registers, and execution of specific instructions. Tools built on HyperPlatform can trace every instruction and provide dynamic analysis of executable code when needed.
We will demonstrate two examples of tools built on HyperPlatform: MemoryMon and EopMon. MemoryMon monitors virtual memory accesses and uses EPT to detect suspicious kernel-memory execution; it helps rootkit analysis by identifying dynamically allocated code. EopMon is an elevation of privilege (EoP) detector: it spots and terminates a process running with a stolen SYSTEM token by using the hypervisor's ability to monitor process context switches. Implementing such functionality used to be challenging, but with HyperPlatform it can be achieved more easily than ever.