Download   Report
  1. No category

A Fistful of Red-Pills

A Fistful of Red-Pills
How to Automatically Generate Procedures to Detect CPU Emulators
Roberto Paleari1 Lorenzo Martignoni2
Giampaolo Fresi Roglia1 Danilo Bruschi1
1
Universit`
a degli Studi di Milano
Universit`
a degli Studi di Udine
2
3rd USENIX Workshop on Offensive Technologies (WOOT ’09)
The ideal malware
R. Paleari, L. Martignoni, et al. A Fistful of Red-Pills: How to Automatically Generate Procedures to Detect CPU Emulators
2
The ideal malware
Who lasts longer earns the most...
R. Paleari, L. Martignoni, et al. A Fistful of Red-Pills: How to Automatically Generate Procedures to Detect CPU Emulators
2
Long lasting malware
I
Spread/replicate fast
I
Hide the presence on the system
Complicate the analysis
I
I
I
Obfuscate the code
Detect and block dynamic analysis attempts
R. Paleari, L. Martignoni, et al. A Fistful of Red-Pills: How to Automatically Generate Procedures to Detect CPU Emulators
3
Long lasting malware
I
Spread/replicate fast
I
Hide the presence on the system
Complicate the analysis
I
I
I
Obfuscate the code
Detect and block dynamic analysis attempts
The easiest way to detect and block dynamic analysis
attempts is to detect the presence of a virtual execution
environment and to alter the behavior
R. Paleari, L. Martignoni, et al. A Fistful of Red-Pills: How to Automatically Generate Procedures to Detect CPU Emulators
3
A red-pill enhanced malware
void main() {
redpill = "\x08\x7c\xe3\x04...";
if (((void (*)())redpill)()) {
// Executed on a physical CPU
return CPU;
} else {
// Executed on an emulated CPU
return EMU;
}
}
R. Paleari, L. Martignoni, et al. A Fistful of Red-Pills: How to Automatically Generate Procedures to Detect CPU Emulators
4
A red-pill enhanced malware
void main() {
redpill = "\x08\x7c\xe3\x04...";
if (((void (*)())redpill)()) {
// Low risk of dynamic analysis
...
} else {
// High risk of dynamic analysis
...
}
}
R. Paleari, L. Martignoni, et al. A Fistful of Red-Pills: How to Automatically Generate Procedures to Detect CPU Emulators
4
Our contribution
So far red-pills have been found manually
or using rudimentary techniques
R. Paleari, L. Martignoni, et al. A Fistful of Red-Pills: How to Automatically Generate Procedures to Detect CPU Emulators
5
Our contribution
We propose a fully automatic technique to generate red-pills for
detecting when programs are executed in CPU emulators
R. Paleari, L. Martignoni, et al. A Fistful of Red-Pills: How to Automatically Generate Procedures to Detect CPU Emulators
5
Why CPU emulators?
R. Paleari, L. Martignoni, et al. A Fistful of Red-Pills: How to Automatically Generate Procedures to Detect CPU Emulators
6
Why CPU emulators?
I
Powerful tools for monitoring and controlling the execution of a
program:
I
I
Enable very sophisticated and low-level analysis
Allow to control actively the execution of programs
I
CPU emulators are widely used form malware analysis
I
Other virtual execution environments (e.g., virtual machines)
are not as powerful
I
CPU emulator are vulnerable to detection
R. Paleari, L. Martignoni, et al. A Fistful of Red-Pills: How to Automatically Generate Procedures to Detect CPU Emulators
6
Automatic red-pills generation
Untested red-pills
Candidate red-pills
Reliable red-pills
R. Paleari, L. Martignoni, et al. A Fistful of Red-Pills: How to Automatically Generate Procedures to Detect CPU Emulators
7
Automatic red-pills generation
Untested red-pills
A sequence of bytes (encoding a valid or
an invalid instruction) that is fed to CPU
Candidate red-pills
Reliable red-pills
R. Paleari, L. Martignoni, et al. A Fistful of Red-Pills: How to Automatically Generate Procedures to Detect CPU Emulators
7
Automatic red-pills generation
Untested red-pills
Candidate red-pills
A pill that triggers different observable
behaviors in the CPU and in the emulator
Reliable red-pills
R. Paleari, L. Martignoni, et al. A Fistful of Red-Pills: How to Automatically Generate Procedures to Detect CPU Emulators
7
Automatic red-pills generation
Untested red-pills
Candidate red-pills
Reliable red-pills
A pill that triggers the same observable behavior in any CPU
R. Paleari, L. Martignoni, et al. A Fistful of Red-Pills: How to Automatically Generate Procedures to Detect CPU Emulators
7
Automatic red-pills generation
Untested red-pills
Candidate red-pills
Reliable red-pills
R. Paleari, L. Martignoni, et al. A Fistful of Red-Pills: How to Automatically Generate Procedures to Detect CPU Emulators
7
A simple abstraction of the CPU
s = h pc, r , m, e i
R. Paleari, L. Martignoni, et al. A Fistful of Red-Pills: How to Automatically Generate Procedures to Detect CPU Emulators
8
A simple abstraction of the CPU
s = h pc, r , m, e i
EAX
EBX
ECX
...
EFLAGS
0x782721e
0x0000001
0x832eab1
...
0x13278478
45252cedd36723232795
9648c5dfb7aed5acfd2b
5acfd2b24f675a464657
6c53be8c09de48d9449e
64bb0bde
760bc264bb0bde4e7782
5620f81f8f7131ab0f03
b576db404e97e8acabb2
270f8b79288ad8cf7b22
....................
{⊥, UD, GPF , ...}
R. Paleari, L. Martignoni, et al. A Fistful of Red-Pills: How to Automatically Generate Procedures to Detect CPU Emulators
8
A simple abstraction of the CPU
s = h pc, r , m, e i
EAX
EBX
ECX
...
EFLAGS
0x782721e
0x0000001
0x832eab1
...
0x13278478
45252cedd36723232795
9648c5dfb7aed5acfd2b
5acfd2b24f675a464657
6c53be8c09de48d9449e
64bb0bde
760bc264bb0bde4e7782
5620f81f8f7131ab0f03
b576db404e97e8acabb2
270f8b79288ad8cf7b22
....................
{⊥, UD, GPF , ...}
R. Paleari, L. Martignoni, et al. A Fistful of Red-Pills: How to Automatically Generate Procedures to Detect CPU Emulators
8
A simple abstraction of the CPU
s = h pc, r , m, e i
EAX
EBX
ECX
...
EFLAGS
0x782721e
0x0000001
0x832eab1
...
0x13278478
45252cedd36723232795
9648c5dfb7aed5acfd2b
5acfd2b24f675a464657
6c53be8c09de48d9449e
64bb0bde
760bc264bb0bde4e7782
5620f81f8f7131ab0f03
b576db404e97e8acabb2
270f8b79288ad8cf7b22
....................
{⊥, UD, GPF , ...}
R. Paleari, L. Martignoni, et al. A Fistful of Red-Pills: How to Automatically Generate Procedures to Detect CPU Emulators
8
A simple abstraction of the CPU
s = h pc, r , m, e i
EAX
EBX
ECX
...
EFLAGS
0x782721e
0x0000001
0x832eab1
...
0x13278478
45252cedd36723232795
9648c5dfb7aed5acfd2b
5acfd2b24f675a464657
6c53be8c09de48d9449e
64bb0bde
760bc264bb0bde4e7782
5620f81f8f7131ab0f03
b576db404e97e8acabb2
270f8b79288ad8cf7b22
....................
{⊥, UD, GPF , ...}
R. Paleari, L. Martignoni, et al. A Fistful of Red-Pills: How to Automatically Generate Procedures to Detect CPU Emulators
8
A simple abstraction of the CPU
s = h pc, r , m, e i
EAX
EBX
ECX
...
EFLAGS
0x782721e
0x0000001
0x832eab1
...
0x13278478
45252cedd36723232795
9648c5dfb7aed5acfd2b
5acfd2b24f675a464657
6c53be8c09de48d9449e
64bb0bde
760bc264bb0bde4e7782
5620f81f8f7131ab0f03
b576db404e97e8acabb2
270f8b79288ad8cf7b22
....................
{⊥, UD, GPF , ...}
R. Paleari, L. Martignoni, et al. A Fistful of Red-Pills: How to Automatically Generate Procedures to Detect CPU Emulators
8
A simple abstraction of the CPU
s = h pc, r , m, e i
R. Paleari, L. Martignoni, et al. A Fistful of Red-Pills: How to Automatically Generate Procedures to Detect CPU Emulators
8
A simple abstraction of the CPU
s = h pc, r , m, e i
R. Paleari, L. Martignoni, et al. A Fistful of Red-Pills: How to Automatically Generate Procedures to Detect CPU Emulators
8
A simple abstraction of the CPU
s = h pc, r , m, e i
s 0 = h pc 0, r 0, m0, e 0 i
R. Paleari, L. Martignoni, et al. A Fistful of Red-Pills: How to Automatically Generate Procedures to Detect CPU Emulators
8
Candidate red-pills
s
=s
= hpc, r , m, ⊥i
6=
R. Paleari, L. Martignoni, et al. A Fistful of Red-Pills: How to Automatically Generate Procedures to Detect CPU Emulators
9
Candidate red-pills
s
=s
= hpc, r , m, ⊥i
6=
R. Paleari, L. Martignoni, et al. A Fistful of Red-Pills: How to Automatically Generate Procedures to Detect CPU Emulators
9
Candidate red-pills
s
=s
= hpc, r , m, ⊥i
6=
R. Paleari, L. Martignoni, et al. A Fistful of Red-Pills: How to Automatically Generate Procedures to Detect CPU Emulators
9
Candidate red-pills
s
s0
=s
= hpc, r , m, ⊥i
6=
s0
R. Paleari, L. Martignoni, et al. A Fistful of Red-Pills: How to Automatically Generate Procedures to Detect CPU Emulators
9
Candidate red-pills
s
=s
=
6
s0
and
s
= hpc, r , m, ⊥i
=s
s0
produce the same output state
is not a candidate red-pill
R. Paleari, L. Martignoni, et al. A Fistful of Red-Pills: How to Automatically Generate Procedures to Detect CPU Emulators
9
Candidate red-pills
s
s0
=s
= hpc, r , m, ⊥i
6=
s0
Because of an artifact in the emulator s 0 6= s 0
s
=s
is a candidate red-pill
R. Paleari, L. Martignoni, et al. A Fistful of Red-Pills: How to Automatically Generate Procedures to Detect CPU Emulators
9
Candidate red-pills: from CPU states to programs
s
s0
=s
s0
6=
We have a state s
=s
but...
R. Paleari, L. Martignoni, et al. A Fistful of Red-Pills: How to Automatically Generate Procedures to Detect CPU Emulators
10
Candidate red-pills: from CPU states to programs
CPU
EMU
...we need a program that can detect where it is being executed
R. Paleari, L. Martignoni, et al. A Fistful of Red-Pills: How to Automatically Generate Procedures to Detect CPU Emulators
10
Candidate red-pills: from CPU states to programs
I
s
=s
I
s0
I
s0
I
s 0 6= s 0
= hpc, r , m, ⊥i
R. Paleari, L. Martignoni, et al. A Fistful of Red-Pills: How to Automatically Generate Procedures to Detect CPU Emulators
11
Candidate red-pills: from CPU states to programs
Initializes the state
of the CPU to s
I
s
=s
I
s0
I
s0
I
s 0 6= s 0
= hpc, r , m, ⊥i
Executes the instruction pointed by pc
Compares the state resulting
from the execution with s 0
Returns CPU is the comparison
succeeds or EMU otherwise
R. Paleari, L. Martignoni, et al. A Fistful of Red-Pills: How to Automatically Generate Procedures to Detect CPU Emulators
11
Candidate red-pills: from CPU states to programs
Initializes the state
of the CPU to s
I
s
=s
I
s0
I
s0
I
s 0 6= s 0
= hpc, r , m, ⊥i
Executes the instruction pointed by pc
Compares the state resulting
from the execution with s 0
Returns CPU is the comparison
succeeds or EMU otherwise
All non meaningful state information can be omitted
We can generate very small C programs (∼94 LOC on average)
R. Paleari, L. Martignoni, et al. A Fistful of Red-Pills: How to Automatically Generate Procedures to Detect CPU Emulators
11
Automatic red-pills generation
Untested red-pills
Candidate red-pills
Reliable red-pills
R. Paleari, L. Martignoni, et al. A Fistful of Red-Pills: How to Automatically Generate Procedures to Detect CPU Emulators
12
(Un)reliable red-pills
CPU
The pill can distinguish between
EMU
and
R. Paleari, L. Martignoni, et al. A Fistful of Red-Pills: How to Automatically Generate Procedures to Detect CPU Emulators
13
(Un)reliable red-pills
CPU
What about
EMU
,
, and
?
R. Paleari, L. Martignoni, et al. A Fistful of Red-Pills: How to Automatically Generate Procedures to Detect CPU Emulators
13
(Un)reliable red-pills
CPU
EMU
EMU
and
produce different output states
The pill is not a reliable
R. Paleari, L. Martignoni, et al. A Fistful of Red-Pills: How to Automatically Generate Procedures to Detect CPU Emulators
13
(Un)reliable red-pills
CPU
CPU
EMU
and
produce the same output state
The pill is reliable
R. Paleari, L. Martignoni, et al. A Fistful of Red-Pills: How to Automatically Generate Procedures to Detect CPU Emulators
13
Causes of unreliability
I
Different CPU features (CPUID)
I
MMX/XMM
Streaming SIMD Extensions:
I
I
I
I
I
SSE
SSE2
SSE3
Changes in the code of the emulator (e.g., bug fixes)
R. Paleari, L. Martignoni, et al. A Fistful of Red-Pills: How to Automatically Generate Procedures to Detect CPU Emulators
14
Discarding unreliable red-pills
Test reliability with multiple CPUs and multiple emulators
R. Paleari, L. Martignoni, et al. A Fistful of Red-Pills: How to Automatically Generate Procedures to Detect CPU Emulators
15
Discarding unreliable red-pills
CPU
CPU
EMU
CPU
EMU
EMU
EMU
disagrees on the output; the pill is discarded
R. Paleari, L. Martignoni, et al. A Fistful of Red-Pills: How to Automatically Generate Procedures to Detect CPU Emulators
15
Discarding unreliable red-pills
CPU
CPU
CPU
CPU
EMU
EMU
CPU
disagrees on the output; the pill is discarded
R. Paleari, L. Martignoni, et al. A Fistful of Red-Pills: How to Automatically Generate Procedures to Detect CPU Emulators
15
Discarding unreliable red-pills
CPU
CPU
CPU
CPU
EMU
EMU
EMU
All CPUs return CPU and all emulators return EMU
The pill is reliable
R. Paleari, L. Martignoni, et al. A Fistful of Red-Pills: How to Automatically Generate Procedures to Detect CPU Emulators
15
Large scale red-pills generation
Untested red-pills
Candidate red-pills
Reliable red-pills
R. Paleari, L. Martignoni, et al. A Fistful of Red-Pills: How to Automatically Generate Procedures to Detect CPU Emulators
16
Generating inputs for candidate red-pills detection
I
I
Random data and algorithmically generated code
Use the CPU to explore the instruction set:
I
I
I
Detect strings representing valid instructions
Infer the format of instructions
Generate few instruction instances for each opcode found
R. Paleari, L. Martignoni, et al. A Fistful of Red-Pills: How to Automatically Generate Procedures to Detect CPU Emulators
17
Evaluation
Evaluated the technique with QEMU & BOCHS
Detected 875 unique
for QEMU and 171 for BOCHS
R. Paleari, L. Martignoni, et al. A Fistful of Red-Pills: How to Automatically Generate Procedures to Detect CPU Emulators
18
Evaluation
Evaluated the technique with QEMU & BOCHS
Detected 875 unique
for QEMU and 171 for BOCHS
I
Generated ∼2M
I
Tested reliability of
and then selected 50K
found using:
I
I
I
5 different versions of QEMU
4 different versions of BOCHS
R. Paleari, L. Martignoni, et al. A Fistful of Red-Pills: How to Automatically Generate Procedures to Detect CPU Emulators
18
Evaluation
Evaluated the technique with QEMU & BOCHS
Detected 875 unique
for QEMU and 171 for BOCHS
I
Generated ∼2M
I
Tested reliability of
and then selected 50K
found using:
I
I
I
5 different versions of QEMU
4 different versions of BOCHS
Evaluation took ∼2 hours
R. Paleari, L. Martignoni, et al. A Fistful of Red-Pills: How to Automatically Generate Procedures to Detect CPU Emulators
18
Evaluation
Emulator
QEMU
BOCHS
#
21713
4671
#
20728
2973
# unique
875
171
R. Paleari, L. Martignoni, et al. A Fistful of Red-Pills: How to Automatically Generate Procedures to Detect CPU Emulators
19
Evaluation
Emulator
QEMU
BOCHS
Emulator
QEMU
BOCHS
#
21713
4671
Registers
55
1
#
20728
2973
# unique
875
171
breakdown
Memory FPU Exceptions
24
660
235
0
3
171
R. Paleari, L. Martignoni, et al. A Fistful of Red-Pills: How to Automatically Generate Procedures to Detect CPU Emulators
19
Evaluation
Emulator
QEMU
BOCHS
Emulator
QEMU
BOCHS
#
21713
4671
Registers
55
1
#
20728
2973
# unique
875
171
breakdown
Memory FPU Exceptions
24
660
235
0
3
171
QEMU
bsf -0xc(%esp),%edi
Produces differences in some status flags
(ambiguity in the X86 specification)
R. Paleari, L. Martignoni, et al. A Fistful of Red-Pills: How to Automatically Generate Procedures to Detect CPU Emulators
19
Evaluation
Emulator
QEMU
BOCHS
Emulator
QEMU
BOCHS
#
21713
4671
Registers
55
1
#
20728
2973
# unique
875
171
breakdown
Memory FPU Exceptions
24
660
235
0
3
171
BOCHS
mulps -0x4(%esp),%xmm1
Does not raise a general protection fault exception if the source
operand is not aligned (minor bug in the emulator)
R. Paleari, L. Martignoni, et al. A Fistful of Red-Pills: How to Automatically Generate Procedures to Detect CPU Emulators
19
Evaluation
Emulator
QEMU
BOCHS
Emulator
QEMU
BOCHS
#
21713
4671
Registers
55
1
#
20728
2973
# unique
875
171
breakdown
Memory FPU Exceptions
24
660
235
0
3
171
Tested some of our red-pills against ANUBIS and RENOVO
R. Paleari, L. Martignoni, et al. A Fistful of Red-Pills: How to Automatically Generate Procedures to Detect CPU Emulators
19
Evaluation
Emulator
QEMU
BOCHS
Emulator
QEMU
BOCHS
#
21713
4671
Registers
55
1
#
20728
2973
# unique
875
171
breakdown
Memory FPU Exceptions
24
660
235
0
3
171
Tested some of our red-pills against ANUBIS and RENOVO
The report of the analysis demonstrated that our red-pills
always detected the analysis environments
R. Paleari, L. Martignoni, et al. A Fistful of Red-Pills: How to Automatically Generate Procedures to Detect CPU Emulators
19
Conclusions
I
A new technique to generate red-pills for detecting CPU
emulators:
I
I
I
Dynamic
Fully automatic
Independent from the emulator
I
Prototype implementation of the technique
I
Discover of hundreds of new red-pills for QEMU and BOCHS
R. Paleari, L. Martignoni, et al. A Fistful of Red-Pills: How to Automatically Generate Procedures to Detect CPU Emulators
20
A Fistful of Red-Pills
How to Automatically Generate Procedures to Detect CPU Emulators
Thank you!
Any questions?
Lorenzo Martignoni
[email protected]
R. Paleari, L. Martignoni, et al. A Fistful of Red-Pills: How to Automatically Generate Procedures to Detect CPU Emulators
21
Debian HOW-TO : CPU power management

Debian HOW-TO : CPU power management

How to Build a PC Chris Pontes [Type text]

How to Build a PC Chris Pontes [Type text]

Roskilde Country & Western Club

Roskilde Country & Western Club

Overclocking Sandy Bridge Intro and disclaimer Gigabyte Sandy Bridge Overclocking Guide

Overclocking Sandy Bridge Intro and disclaimer Gigabyte Sandy Bridge Overclocking Guide

Building Your Own Custom Computer System

Building Your Own Custom Computer System

SQL Server® Fast Track Data Warehouse 2.0 for DELL

SQL Server® Fast Track Data Warehouse 2.0 for DELL

A Gaming PC How To Build Simon Slangen simonslangen.com

A Gaming PC How To Build Simon Slangen simonslangen.com

Nintendo DS game console Tran-Tõnissoo

Nintendo DS game console Tran-Tõnissoo

Improving Computer Performance How can we make computers faster ?

Improving Computer Performance How can we make computers faster ?

How To Assemble A Desktop PC by Wikibooks contributors Created on Wikibooks,

How To Assemble A Desktop PC by Wikibooks contributors Created on Wikibooks,

CLE and How to  S Y A

CLE and How to  S Y A

abcdocz.com

© Copyright 2024