Computer Security Symposium 2013, 21-23 October 2013

A Method for Identifying System Call Invoker in Dynamic Link Library

Yuto Otsuki, Eiji Takimoto, Koichi Mouri
Ritsumeikan University, 1-1-1 Nojihigashi, Kusatsu, Shiga 525-8577, Japan
yotuki@asl.cs.ritsumei.ac.jp, {takimoto, mouri}@cs.ritsumei.ac.jp

Shoichi Saito
Nagoya Institute of Technology, Gokiso-cho, Showa-ku, Nagoya, Aichi 466-8555, Japan
shoichi@nitech.ac.jp

Abstract. Recently, malware has become a major security threat to computers. Responding to that threat requires analyzing malware and understanding its behavior. We are developing Alkanet, a system call tracer for malware analysis that runs on a virtual machine monitor based on BitVisor. In this paper we describe a method that identifies, by stack tracing, which dynamic link library invoked a system call. The method makes it possible to attribute a system call to the DLL or memory region that issued it, which is effective for analyzing malware that generates executable code at run time or maps a malicious library into a legitimate application.

1. Introduction

We are developing Alkanet [1], a malware analyzer built on the BitVisor [3] virtual machine monitor. Malware frequently runs as a dynamic link library (DLL) loaded into a legitimate process, or as code generated at run time, so a system call log that records only the name of the issuing process does not tell the analyst which module actually made the call. This paper proposes a method that identifies the invoker of each system call by tracing the stack of the monitored thread. Section 2 outlines Alkanet, Section 3 describes the stack tracing method, Section 4 describes how return addresses are attributed to DLLs and memory regions, Section 5 presents the evaluation, Section 6 discusses related work, and Section 7 concludes the paper.

2. Alkanet

Alkanet [1], [2] is a system call tracer implemented in a VMM. Figure 1 shows its architecture. The malware observation PC runs a Windows guest (the malware observation VM) on top of BitVisor; Alkanet traps the guest's system calls, analyzes them and sends the resulting log to a logging PC. On the logging PC, Logger receives the log and LogAnalyzer analyzes it, extracts the malware's behavior and stores the result.

Figure 1: Architecture of Alkanet (malware observation VM running Windows; system calls trapped and analyzed by Alkanet on BitVisor; Logger on the logging PC; LogAnalyzer for log analysis, behavior extraction and storage).

Alkanet's VMM is based on BitVisor [3], a thin hypervisor that runs a single guest OS and relies on Intel VT (Intel Virtualization Technology) of Intel CPUs. The target guest OS is 32-bit Windows XP Service Pack 3. Alkanet traps the sysenter and sysexit instructions used for system calls in the guest, and transfers its log to the logging PC over IEEE 1394.

3. Identifying the system call invoker by stack tracing

3.1 Stack layout at a system call

Windows API functions use the stdcall calling convention [4]: the caller pushes the arguments from right to left, the call instruction pushes the return address, and the callee normally saves EBP and uses it as its frame pointer. Code compiled with FPO (Frame-Pointer Omission) does not keep a frame pointer in EBP, which breaks EBP-based stack walking. Since Windows XP Service Pack 2, however, the Windows system DLLs are built without FPO [5], so the frames of Windows API functions can be followed through the EBP chain.

Figure 2 shows the stack at the moment a system call is issued, for a call chain in which function C calls function B, B calls the Windows API function A, A calls the system call stub in ntdll.dll, and the stub calls KiFastSystemCall. Listed from the top of the stack (the lowest address; the stack grows toward lower addresses):

  return address into the stub           <- ESP at the trap (EDX at sysenter, ECX at sysexit)
  return address into function A
  1st argument to the system call
  ...
  last argument to the system call
  local variables of function A
  saved base pointer of function A       <- EBP at the trap
  return address into function B
  1st argument to function A
  ...
  last argument to function A
  saved base pointer of function B
  return address into function C
  ...                                    (toward the stack base)

Figure 2: Stack layout at a system call (C -> B -> A -> ntdll.dll stub -> KiFastSystemCall).

3.2 System call stubs in ntdll.dll

In user mode, a Windows system call goes through a stub in ntdll.dll. The stub loads the system call number into EAX and calls KiFastSystemCall, which copies ESP into EDX and executes sysenter. Neither the stub nor KiFastSystemCall sets up a stack frame, so at the trap the return address into the stub is at [ESP] and the return address into function A, pushed when A called the stub, is at [ESP+4]; the system call arguments follow.

3.3 Stack tracing in Alkanet

When Alkanet traps sysenter, the user-mode stack pointer is available in EDX, where KiFastSystemCall copied it; when it traps sysexit, the stack pointer that is about to be restored is in ECX. The first two entries of the trace, the return addresses into the stub and into function A, are read directly from [ESP] and [ESP+4]. Function A and its callers are ordinary EBP-framed functions, so the trace then follows the chain of saved base pointers starting from the EBP register: [EBP] holds the caller's saved base pointer and [EBP+4] the return address into the caller. This yields the return address into B, then C, and so on, until the chain leaves the thread's stack.

4. Attributing return addresses to memory regions

A return address by itself does not say which module issued the call. Alkanet therefore looks up every return address in the Virtual Address Descriptors (VADs) and the page table entries (PTEs) of the process in the Windows guest to determine the DLL, or the anonymous memory region, that contains it.

4.1 VAD

Windows describes the virtual address space of each process with a tree of VADs (Virtual Address Descriptors) [6]. Each VAD records the range of an allocated region and, for a mapped image, the file that is mapped, so the VAD containing a return address identifies the executable or DLL the address belongs to. An address in a VAD that is not an image mapping belongs to memory allocated at run time.

4.2 PTE

A VAD is created when memory is allocated with NtAllocateVirtualMemory, but changing the protection of existing pages with NtProtectVirtualMemory does not update the VAD, so the VAD cannot show whether a region has since been made writable or actually written to. Alkanet therefore also reads the PTE of the page that contains the return address and records whether the page is writable and whether it is dirty, that is, has been written to.
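The walk described in Section 3.3, as an added example that is not Alkanet's code: guest memory is modelled as a dword map whose return addresses and frame pointers are taken from the Figure 3 log in Section 5.2, with the slots the log does not show (system call arguments, the final saved base pointer) filled with constructed values and marked as such. The walker reads [ESP] and [ESP+4] first and then follows the EBP chain, stopping when the chain leaves the thread's stack range from the TIB.

```python
"""Added example: walking the user-mode stack from a trapped sysenter (Section 3.3).
Not Alkanet's code; the sample memory is constructed from the values in Figure 3."""
from typing import Dict, List, Optional, Tuple

# (how the slot was reached: "SP" or "BP", address of the slot, return address found there)
Frame = Tuple[str, int, int]


class GuestMemory:
    """Dword-granular little-endian 32-bit guest memory; unmapped slots read as None."""

    def __init__(self, dwords: Dict[int, int]) -> None:
        self._dwords = dict(dwords)

    def read32(self, addr: int) -> Optional[int]:
        return self._dwords.get(addr)


def walk_stack(mem: GuestMemory, esp: int, ebp: int,
               stack_base: int, stack_limit: int, max_frames: int = 32) -> List[Frame]:
    """Trace order as in Alkanet's StackTrace: [ESP], [ESP+4], then the EBP chain.

    esp: user-mode ESP at the trap (EDX on sysenter, ECX on sysexit).
    ebp: EBP at the trap; the stub and KiFastSystemCall leave function A's frame pointer in it.
    stack_base/stack_limit: thread stack range from the TIB (stack_limit <= addr < stack_base).
    """
    frames: List[Frame] = []

    # [00]: return address into the ntdll.dll stub, pushed by its call to KiFastSystemCall.
    ret = mem.read32(esp)
    if ret is None:
        return frames
    frames.append(("SP", esp, ret))

    # [01]: the stub keeps no frame, so the return address into function A is the next slot.
    ret = mem.read32(esp + 4)
    if ret is None:
        return frames
    frames.append(("SP", esp + 4, ret))

    # [02..]: A and its callers are EBP-framed: [EBP] = saved EBP, [EBP+4] = return address.
    while len(frames) < max_frames and stack_limit <= ebp and ebp + 4 < stack_base:
        saved_ebp = mem.read32(ebp)
        ret = mem.read32(ebp + 4)
        if saved_ebp is None or ret is None:
            break
        frames.append(("BP", ebp, ret))
        if saved_ebp <= ebp:      # the chain must move toward StackBase; 0 terminates it
            break
        ebp = saved_ebp
    return frames


STACK_BASE, STACK_LIMIT = 0x80000, 0x74000      # TIB values from Figure 3
ESP_AT_TRAP, EBP_AT_TRAP = 0x7ed40, 0x7ed64     # SP of frame [00], BP of frame [02] in Figure 3
SAMPLE = GuestMemory({
    0x7ed40: 0x7c94d6dc,   # [00] return into ntdll!NtProtectVirtualMemory stub (+0xc)
    0x7ed44: 0x7c801a81,   # [01] return into kernel32!VirtualProtectEx (+0x20) = function A
    0x7ed48: 0x00000000,   # constructed: system call arguments occupy these slots
    0x7ed4c: 0x00000000,
    0x7ed64: 0x0007ed80,   # A's saved EBP -> frame of VirtualProtect (B)
    0x7ed68: 0x7c801aec,   # [02] return into kernel32!VirtualProtect (+0x18)
    0x7ed80: 0x0007f184,   # B's saved EBP -> frame of the caller in Conficker.dll (C)
    0x7ed84: 0x1000220e,   # [03] return into Conficker.dll
    0x7f184: 0x0007f1a4,   # C's saved EBP
    0x7f188: 0x1000401b,   # [04] return into Conficker.dll
    0x7f1a4: 0x00000000,   # constructed: chain terminator (Figure 3 continues past [05])
    0x7f1a8: 0x7c94118a,   # [05] return into ntdll!LdrpCallInitRoutine (+0x14)
})


def trace_figure3() -> List[Frame]:
    return walk_stack(SAMPLE, ESP_AT_TRAP, EBP_AT_TRAP, STACK_BASE, STACK_LIMIT)


if __name__ == "__main__":
    for i, (via, slot, ret) in enumerate(trace_figure3()):
        print(f"[{i:02d}] {ret:08x}  {via}: {slot:x}")
```

If the EBP register does not point into the thread's stack (for example when function A was built with FPO, or when the code under analysis has overwritten EBP), the walk stops after the two entries read from ESP; that is the failure mode Section 3.1 notes for FPO code.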

On x86, the Writable flag is bit 1 of the PTE and the Dirty flag is bit 6. Alkanet also logs NtProtectVirtualMemory together with its arguments, since that is the call malware uses to make run-time-generated code executable.

5. Evaluation

5.1 Log format

Figure 3 in Section 5.2 shows a log entry produced by Alkanet. An entry consists of the following fields [2]: No. (sequence number), Time, CPU, Cid (process ID and thread ID), Name (process name), Type (sysenter or sysexit), Ret (return value, present for sysexit), SNo. (system call number and name), Note (information specific to the system call) and StackTrace.

The StackTrace field first records the stack pointer SP together with the StackBase and StackLimit of the thread's stack taken from the TIB (Thread Information Block); the thread's stack occupies the range from StackLimit up to StackBase. Then, for each frame [00], [01], ..., it records the return address, the API function the address belongs to and the offset within it, the Writable and Dirty bits of the page, and the VAD containing the address (its range, whether it is an image mapping, and the mapped file). Frames [00] and [01] are read at the stack pointer (SP); the later frames are reached through the EBP chain (BP). For example, frame [00] of Figure 3 is 0x7c94d6dc read at SP 7ed40; it lies in the VAD 7c940000--7c9dc000, an image mapping (ImageMap: 1) of \WINDOWS\system32\ntdll.dll, at NtProtectVirtualMemory+0xc, that is, inside the system call stub.

5.2 Conficker

As an example of malware that runs as a DLL, we analyzed Conficker.dll from the CCC DATAset 2013 [7].

No. : 14335  Time: 516777148  Type: sysexit  Ret : 0 (STATUS_SUCCESS)
SNo.: 89 (NtProtectVirtualMemory)  Cid : 1a4.1a8  Name: rundll32.exe
Note: Pid: 1a4, Name: rundll32.exe
      NewProtect: PAGE_EXECUTE_READWRITE, OldProtect: PAGE_READWRITE
      BaseAddress: 992000, AllocationSize: 0xe000 (Range: 992000--9a0000)
StackTrace: SP: 7ed40, StackBase: 80000, StackLimit: 74000
[00] 7c94d6dc (API: NtProtectVirtualMemory+0xc, Writable: 0, Dirty: 0, VAD:{7c940000--7c9dc000, ImageMap: 1, File: "\WINDOWS\system32\ntdll.dll"}), SP: 7ed40
[01] 7c801a81 (API: VirtualProtectEx+0x20, Writable: 0, Dirty: 0, VAD:{7c800000--7c933000, ImageMap: 1, File: "\WINDOWS\system32\kernel32.dll"}), SP: 7ed44
[02] 7c801aec (API: VirtualProtect+0x18, Writable: 0, Dirty: 0, VAD:{7c800000--7c933000, ImageMap: 1, File: "\WINDOWS\system32\kernel32.dll"}), BP: 7ed64
[03] 1000220e (API: -, Writable: 0, Dirty: 0, VAD:{10000000--10018000, ImageMap: 1, File: "\...\My Documents\Conficker.dll"}), BP: 7ed80
[04] 1000401b (API: -, Writable: 0, Dirty: 0, VAD:{10000000--10018000, ImageMap: 1, File: "\...\My Documents\Conficker.dll"}), BP: 7f184
[05] 7c94118a (API: LdrpCallInitRoutine+0x14, Writable: 0, Dirty: 0, VAD:{7c940000--7c9dc000, ImageMap: 1, File: "\WINDOWS\system32\ntdll.dll"}), BP: 7f1a4
...
[10] 7c80aeec (API: LoadLibraryW+0x11, Writable: 0, Dirty: 0, VAD:{7c800000--7c933000, ImageMap: 1, File: "\WINDOWS\system32\kernel32.dll"}), BP: 7f888
[11] 1001792 (API: -, Writable: 0, Dirty: 0, VAD:{1000000--100b000, ImageMap: 1, File: "\WINDOWS\system32\rundll32.exe"}), BP: 7f89c
...
Figure 3: Log of the NtProtectVirtualMemory call issued from Conficker.dll inside rundll32.exe.

Conficker.dll is executed by loading it into rundll32.exe. Figure 3 shows rundll32.exe (Cid 1a4.1a8) calling NtProtectVirtualMemory to change the protection of 0x992000--0x9a0000 to PAGE_EXECUTE_READWRITE. From the process name alone this appears to be an action of rundll32.exe, but the StackTrace shows that the call was issued from Conficker.dll: frames [00]--[02] are the ntdll.dll stub and kernel32.dll's VirtualProtectEx and VirtualProtect, and frames [03] and [04] lie in the image mapping of Conficker.dll. Frames [05] and [10]--[11] further show that rundll32.exe loaded Conficker.dll with LoadLibraryW and that the call was made from the DLL's initialization routine, invoked through LdrpCallInitRoutine.

Figure 4 shows a later entry from the same thread (thread ID 1a8) in which rundll32.exe issues NtCreateThread to create a thread in svchost.exe (Cid 434.1b0), that is, it injects code into another process. Frames [08] and [14] again show Conficker.dll being initialized inside rundll32.exe, but frames [02]--[05] lie in the region 0x980000--0x9a1000, which is not an image mapping (ImageMap: 0) and whose pages are Writable (1) and Dirty (1). The thread is therefore created from code that Conficker.dll generated at run time, in the region that contains the range made executable in Figure 3.

No. : 14509  Time: 516811998  Type: sysexit  Ret : 0 (STATUS_SUCCESS)
SNo.: 35 (NtCreateThread)  Cid : 1a4.1a8  Name: rundll32.exe
Note: Cid: 434.1b0, Name: svchost.exe, EIP: 0x7c8106e9, Suspended: 0x1
StackTrace: SP: 7e640, StackBase: 80000, StackLimit: 74000
[00] 7c94d19c (API: NtCreateThread+0xc, Writable: 0, Dirty: 0, VAD:{7c940000--7c9dc000, ImageMap: 1, File: "\WINDOWS\system32\ntdll.dll"}), SP: 7e640
[01] 7c810585 (API: CreateRemoteThread+0xc9, Writable: 0, Dirty: 0, VAD:{7c800000--7c933000, ImageMap: 1, File: "\WINDOWS\system32\kernel32.dll"}), SP: 7e644
[02] 98bd46 (API: -, Writable: 1, Dirty: 1, VAD:{980000--9a1000, ImageMap: 0}), BP: 7ea94
[03] 987500 (API: -, Writable: 1, Dirty: 1, VAD:{980000--9a1000, ImageMap: 0}), BP: 7eb00
[04] 987c5f (API: -, Writable: 1, Dirty: 1, VAD:{980000--9a1000, ImageMap: 0}), BP: 7ed38
[05] 99721c (API: -, Writable: 1, Dirty: 1, VAD:{980000--9a1000, ImageMap: 0}), BP: 7ed64
[06] 10002639 (API: -, Writable: 0, Dirty: 0, VAD:{10000000--10018000, ImageMap: 1, File: "\...\My Documents\Conficker.dll"}), BP: 7ed84
[07] 1000401b (API: -, Writable: 0, Dirty: 0, VAD:{10000000--10018000, ImageMap: 1, File: "\...\My Documents\Conficker.dll"}), BP: 7f184
[08] 7c94118a (API: LdrpCallInitRoutine+0x14, Writable: 0, Dirty: 0, VAD:{7c940000--7c9dc000, ImageMap: 1, File: "\WINDOWS\system32\ntdll.dll"}), BP: 7f1a4
...
[13] 7c80aeec (API: LoadLibraryW+0x11, Writable: 0, Dirty: 0, VAD:{7c800000--7c933000, ImageMap: 1, File: "\WINDOWS\system32\kernel32.dll"}), BP: 7f888
[14] 1001792 (API: -, Writable: 0, Dirty: 0, VAD:{1000000--100b000, ImageMap: 1, File: "\WINDOWS\system32\rundll32.exe"}), BP: 7f89c
...

Figure 4: Log of the NtCreateThread call that injects a thread into svchost.exe from code generated by Conficker.dll.

5.3 Malicious PDF

We also analyzed a malicious PDF from the D3M Dataset 2013 [7] by opening it in Adobe Reader (AcroRd32.exe) under Alkanet. Figure 5 shows the NtProtectVirtualMemory entry that resulted. Here the stack pointer SP (f601ff8) lies outside the thread's stack recorded in the TIB (StackLimit 11d000 to StackBase 130000), so the stack on which the call was made is not the thread's original stack, and the trace ends at frame [03]. The call changes the protection of 0x4270000--0x4271000 to PAGE_EXECUTE_READWRITE, and the return address in frame [03] itself lies in that range, which is not an image mapping and whose page is writable and dirty: the code injected into AcroRd32.exe by the exploit is making its own memory executable.

6. Related work

The modules loaded into a process can also be enumerated from PEB_LDR_DATA [8], which is what the dlllist command of the Volatility Framework [9] does. Alkanet instead uses the VADs, which also cover regions that are not registered in the loader's module list, such as memory allocated at run time. MAT (Module-based Analysis Tool) [10] likewise uses stack backtracing to attribute malware behavior to the DLL that caused it, but it works inside Windows rather than from a VMM.
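The attribution that Sections 4 and 5 describe, applied to the StackTrace lines of Figures 3 to 5, as an added example (not Alkanet's LogAnalyzer): it parses the frame lines, reports the first frame that is not an OS module as the invoker, classifies that frame from the VAD's ImageMap flag and the PTE bits, and flags an SP outside the TIB stack range. The sample text is taken from the three figures (truncated to the first frames); the rule that OS modules are those mapped from \WINDOWS\system32\ is an assumption for the XP SP3 guest, not something the paper states.

```python
"""Added example: invoker attribution from Alkanet StackTrace lines (Sections 4-5).
Not Alkanet's code; sample entries are taken from Figures 3-5 of the paper."""
import re
from dataclasses import dataclass
from typing import List, Optional

# Frame line, e.g.  [03]1000220e (API: -, Writable: 0, Dirty: 0, VAD:{10000000--10018000, ImageMap: 1, File: "..."}), BP: 7ed80
FRAME_RE = re.compile(
    r'\[(?P<idx>\d+)\]\s*(?P<ret>[0-9a-f]+)\s*\(API:\s*(?P<api>[^,]+),\s*'
    r'Writable:\s*(?P<w>\d),\s*Dirty:\s*(?P<d>\d),\s*'
    r'VAD:\s*\{(?P<lo>[0-9a-f]+)--(?P<hi>[0-9a-f]+),\s*ImageMap:\s*(?P<img>\d)'
    r'(?:,\s*File:\s*"(?P<file>[^"]*)")?\}\),\s*(?P<via>SP|BP):\s*(?P<slot>[0-9a-f]+)')
# Header line, e.g.  StackTrace: SP: 7ed40, StackBase: 80000, StackLimit: 74000
HEADER_RE = re.compile(
    r'StackTrace;?:\s*SP:\s*(?P<sp>[0-9a-f]+),\s*StackBase:\s*(?P<base>[0-9a-f]+),'
    r'\s*StackLimit:\s*(?P<limit>[0-9a-f]+)')

OS_MODULE_DIR = "\\windows\\system32\\"   # assumption: OS modules of the XP SP3 guest live here


@dataclass
class Frame:
    idx: int
    ret: int
    api: str
    writable: bool
    dirty: bool
    vad_lo: int
    vad_hi: int
    image_map: bool
    file: Optional[str]

    def is_os_module(self) -> bool:
        return self.image_map and self.file is not None \
            and self.file.lower().startswith(OS_MODULE_DIR)

    def kind(self) -> str:
        """What the return address points into, from the VAD and the PTE bits (Section 4)."""
        if self.image_map:
            return "image:" + (self.file or "?")
        if self.writable or self.dirty:
            return "runtime-generated code"
        return "non-image region"


@dataclass
class Trace:
    sp: int
    stack_base: int
    stack_limit: int
    frames: List[Frame]

    def stack_pivoted(self) -> bool:
        """The TIB bounds the thread's stack as StackLimit <= address < StackBase."""
        return not (self.stack_limit <= self.sp < self.stack_base)

    def invoker(self) -> Optional[Frame]:
        """First frame that is not an OS module: the code that really issued the call."""
        for f in self.frames:
            if not f.is_os_module():
                return f
        return None


def parse_trace(text: str) -> Trace:
    hdr = HEADER_RE.search(text)
    if hdr is None:
        raise ValueError("no StackTrace header")
    frames = [Frame(int(m["idx"]), int(m["ret"], 16), m["api"].strip(),
                    m["w"] == "1", m["d"] == "1", int(m["lo"], 16), int(m["hi"], 16),
                    m["img"] == "1", m["file"])
              for m in FRAME_RE.finditer(text)]
    return Trace(int(hdr["sp"], 16), int(hdr["base"], 16), int(hdr["limit"], 16), frames)


# Sample input: StackTrace portions of Figures 3, 4 and 5 (first frames only).
FIG3 = r"""StackTrace: SP: 7ed40, StackBase: 80000, StackLimit: 74000
[00]7c94d6dc (API: NtProtectVirtualMemory+0xc, Writable: 0, Dirty: 0, VAD:{7c940000--7c9dc000, ImageMap: 1, File: "\WINDOWS\system32\ntdll.dll"}), SP: 7ed40
[01]7c801a81 (API: VirtualProtectEx+0x20, Writable: 0, Dirty: 0, VAD:{7c800000--7c933000, ImageMap: 1, File: "\WINDOWS\system32\kernel32.dll"}), SP: 7ed44
[02]7c801aec (API: VirtualProtect+0x18, Writable: 0, Dirty: 0, VAD:{7c800000--7c933000, ImageMap: 1, File: "\WINDOWS\system32\kernel32.dll"}), BP: 7ed64
[03]1000220e (API: -, Writable: 0, Dirty: 0, VAD:{10000000--10018000, ImageMap: 1, File: "\...\My Documents\Conficker.dll"}), BP: 7ed80
"""
FIG4 = r"""StackTrace: SP: 7e640, StackBase: 80000, StackLimit: 74000
[00]7c94d19c (API: NtCreateThread+0xc, Writable: 0, Dirty: 0, VAD:{7c940000--7c9dc000, ImageMap: 1, File: "\WINDOWS\system32\ntdll.dll"}), SP: 7e640
[01]7c810585 (API: CreateRemoteThread+0xc9, Writable: 0, Dirty: 0, VAD:{7c800000--7c933000, ImageMap: 1, File: "\WINDOWS\system32\kernel32.dll"}), SP: 7e644
[02]98bd46 (API: -, Writable: 1, Dirty: 1, VAD:{980000--9a1000, ImageMap: 0}), BP: 7ea94
"""
FIG5 = r"""StackTrace: SP: f601ff8, StackBase: 130000, StackLimit: 11d000
[00] 7c94d6dc (API: NtProtectVirtualMemory+0xc, Writable: 0, Dirty: 0, VAD:{7c940000--7c9dc000, ImageMap: 1, File: "\WINDOWS\system32\ntdll.dll"}), SP: f601ff8
[01] 7c801a81 (API: VirtualProtectEx+0x20, Writable: 0, Dirty: 0, VAD: {7c800000--7c933000, ImageMap: 1, File: "\WINDOWS\system32\kernel32.dll"}), SP: f601ffc
[02] 7c801aec (API: VirtualProtect+0x18, Writable: 0, Dirty: 0, VAD:{7c800000--7c933000, ImageMap: 1, File: "\WINDOWS\system32\kernel32.dll"}), BP: f60201c
[03] 42700c7 (API: -, Writable: 1, Dirty: 1, VAD:{4270000--4271000, ImageMap: 0}), BP: f602038
"""

if __name__ == "__main__":
    for name, text in (("Figure 3", FIG3), ("Figure 4", FIG4), ("Figure 5", FIG5)):
        t = parse_trace(text)
        inv = t.invoker()
        print(name, "pivoted" if t.stack_pivoted() else "on thread stack",
              f"invoker [{inv.idx:02d}] {inv.ret:x} {inv.kind()}" if inv else "invoker: OS only")
```

The three results reproduce the paper's reading of the logs: the Conficker.dll image for Figure 3, run-time-generated code for Figure 4, and, for Figure 5, run-time-generated code reached from a stack pointer outside the thread's stack.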

No. : 39277  Time: 1195072803  Type: sysexit  Ret : 0 (STATUS_SUCCESS)
SNo.: 89 (NtProtectVirtualMemory)  Cid : 220.510  Name: AcroRd32.exe
Note: Pid: 564, Name: AcroRd32.exe
      NewProtect: PAGE_EXECUTE_READWRITE, OldProtect: PAGE_EXECUTE_READWRITE
      BaseAddress: 4270000, AllocationSize: 0x1000 (Range: 4270000--4271000)
StackTrace: SP: f601ff8, StackBase: 130000, StackLimit: 11d000
[00] 7c94d6dc (API: NtProtectVirtualMemory+0xc, Writable: 0, Dirty: 0, VAD:{7c940000--7c9dc000, ImageMap: 1, File: "\WINDOWS\system32\ntdll.dll"}), SP: f601ff8
[01] 7c801a81 (API: VirtualProtectEx+0x20, Writable: 0, Dirty: 0, VAD:{7c800000--7c933000, ImageMap: 1, File: "\WINDOWS\system32\kernel32.dll"}), SP: f601ffc
[02] 7c801aec (API: VirtualProtect+0x18, Writable: 0, Dirty: 0, VAD:{7c800000--7c933000, ImageMap: 1, File: "\WINDOWS\system32\kernel32.dll"}), BP: f60201c
[03] 42700c7 (API: -, Writable: 1, Dirty: 1, VAD:{4270000--4271000, ImageMap: 0}), BP: f602038

Figure 5: Log of the NtProtectVirtualMemory call issued by the exploit code in AcroRd32.exe after opening the malicious PDF.

7. Conclusion

We described a method that identifies the invoker of a system call in Alkanet by tracing the user-mode stack from the trapped sysenter or sysexit and attributing each return address to a DLL or memory region through the VADs and PTEs of the Windows guest. The method located the DLL and the run-time-generated code behind Conficker's behavior inside rundll32.exe, and the injected code behind the exploit in Adobe Reader. Because the return addresses and saved frame pointers on the stack are under the control of the code being analyzed and can be forged [11], making the trace robust against such manipulation remains future work.

References

[1] Y. Otsuki et al.: Alkanet: A Dynamic Malware Analyzer based on Virtual Machine Monitor, In World Congress on Engineering and Computer Science 2012 (WCECS 2012), Vol. 1, pp. 36-44 (2012).
[2] 2011, pp. 95-100 (2011).
[3] T. Shinagawa et al.: BitVisor: a thin hypervisor for enforcing i/o device security, In Proceedings of the 2009 ACM SIGPLAN/SIGOPS International Conference on Virtual Execution Environments (VEE '09), pp. 121-130 (2009).
[4] Microsoft: stdcall, http://msdn.microsoft.com/en-us/library/zxk0tw93.aspx (2013).
[5] A. Glaister: http://msdn.microsoft.com/ja-jp/library/bb694540(v=vs.85).aspx (2007).
[6] B. Dolan-Gavitt: The VAD tree: A process-eye view of physical memory, Digital Investigation, Vol. 4, pp. 62-64 (2007).
[7] MWS Datasets 2013, anti Malware engineering WorkShop 2013 (MWS2013) (2013).
[8] Microsoft: PEB_LDR_DATA structure (Windows), http://msdn.microsoft.com/en-us/library/windows/desktop/aa813708(v=vs.85).aspx (2013).
[9] volatility - An advanced memory forensics framework - Google Project Hosting, https://code.google.com/p/volatility/ (2013).
[10] F. Jianming et al.: Malware Behavior Capturing Based on Taint Propagation and Stack Backtracing, In 2011 IEEE 10th International Conference on Trust, Security and Privacy in Computing and Communications (TrustCom), pp. 328-335 (2011).
[11] J. Butler et al.: Bypassing 3rd Party Windows Buffer Overflow Protection, Phrack 62, Volume 0x0b, Issue 0x3e, Phile #0x05 of 0x10, http://www.phrack.org/issues.html?issue=62&id=5#article (2004).