Advanced Persistent Threat: Out-of-band Techniques from the Past, the Present and into the Future


• Scott Larson
– One of the original 13 FBI computer forensic examiners, former cyber crime chief, Larson Security LLC
• Shane Macaulay
– Honeynet, w00w00, ADM, IBM, Bloomberg, IOACTIVE


Win32 Buffer Overflows
(Phrack 55, 09.09.99)
dark spyrit / Barnaby Jack
One of the greatest ever


Old = New again
Larson S


Scott Larson – Cases
• Eligible Receiver 97
• Moonlight Maze / Former Soviet Union
• Loki (ICMP tunnel), evolving remote desktop


Security – Early DDoS threats


What does Cyber Security Encompass?
• External Threats
• Random malware and botnets
• Client-specific threats (e.g. Hacktivism/DDoS)
• APT & Economic espionage


Chinese hacking from 2001 to Today
• External Threats – APT
RSA Blog


2004-Present Out of Band


Out of band analysis
• Out of band analysis
– Perfect knowledge
– Attacker is unprepared
• Derive understanding from reverse engineering
– Feed back to tactical cleanup/more detection
• Leveraging virtual infrastructure to increase information assurance
– Existing approaches
• Agents
• Virus Scanning
• Whitelists
• A better way


Perfect knowledge
• To find an artifact
– Malware/Virus Scanning
– Manual analysis
– Incident day 0
• Finding more
– Collect telemetry
– Signature development
• Reverse engineering


Collecting Telemetry
• Useful for improving the OODA loop
– More effective decision making during an in-progress event
• Configurable
– System Center Operations Manager / “Agentless” Exception Monitoring
– Group Policy (XP/2K3)
– Registry: CorporateWerServer


Signature based scanning
• Devise a set of unique artifacts from a known
malware sample
– TimeDateStamp
– Unencrypted data
– Names of sections or exported Functions
– *wildcard*matching*


• A function that derives a score or other
threshold to determine good vs. bad
– Entropy scanning
• Detects encrypted/compressed sections
• Attempt to compress a block to determine if it’s already
– API Imports
• OpenProcess/WriteProcessMemory
• Hook use
• Low-level interfaces
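The entropy and compression tests above, combined into one block scorer as an added example (not the deck's own code). It runs over a constructed buffer and shows why the compression attempt matters: a byte table has maximal entropy yet compresses completely, so entropy alone would misfire. Window size and thresholds are assumptions.

```python
import math
import random
import zlib

BLOCK = 4096        # window size in bytes (assumed)
ENTROPY_HI = 7.0    # bits per byte; ordinary code and data sit well below this
RATIO_HI = 0.90     # compressed/original size; already-packed data barely shrinks

def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte, 0.0 (constant) to 8.0 (uniform)."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)

def compress_ratio(data: bytes) -> float:
    """Size after DEFLATE divided by original size; about 1.0 means no redundancy left."""
    if not data:
        return 0.0
    return len(zlib.compress(data, 9)) / len(data)

def score_block(data: bytes) -> dict:
    """Flag a block as packed only when it is BOTH high-entropy AND incompressible."""
    ent, ratio = shannon_entropy(data), compress_ratio(data)
    return {"entropy": ent, "ratio": ratio, "packed": ent >= ENTROPY_HI and ratio >= RATIO_HI}

def scan(buf: bytes, block: int = BLOCK) -> list:
    """Offsets of the block-sized windows in buf that look encrypted or compressed."""
    return [off for off in range(0, len(buf), block) if score_block(buf[off:off + block])["packed"]]

# Constructed sample (not a real binary): plain text, a byte table, and pseudo-random bytes.
_rng = random.Random(1337)
PLAIN = (b"This program cannot be run in DOS mode.\r\n" * 120)[:BLOCK]
TABLE = bytes(range(256)) * (BLOCK // 256)                    # entropy 8.0 yet compressible
ENCRYPTED = bytes(_rng.getrandbits(8) for _ in range(BLOCK))  # stands in for a packed section
SAMPLE = PLAIN + TABLE + ENCRYPTED

if __name__ == "__main__":
    for name, blk in (("plain", PLAIN), ("table", TABLE), ("encrypted", ENCRYPTED)):
        print(name, score_block(blk))
    print("packed windows at", scan(SAMPLE))
```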


Scanning Approaches
• Agents
– A background process which interacts with some
management infrastructure
– Understands known malware through the use of
signatures or behavioral heuristics monitoring
– Typically reports to management consoles
• Virus/Malware Scanning
– Similar to agent based techniques but in the foreground
• Agentless
– VM guest memory snapshots


White lists
• Default deny
– Similar to how firewall rules are built
• Only allow known/approved services
• Tripwire uses this technique to guard against file-system persistence
– Off-line assurances
• Unable to definitively report for live systems
• Can we use this in memory?


Recap Issues
• Significant cat&mouse type games
– Polymorphism
– Simple obfuscations
– Attacking agents directly
• Disable/cripple virus scanners
– Bootkits
• Subverted execution environments
• Performance
– Redundant scanning
– Virtual infrastructure


Memory Analysis Options
• WinDbg/Olly/IDA
– Mostly Manual
• Volatility
– Scriptable
• BlockWatch / The Memory Cruncher
– Automated data reduction and navigation support


• Works on every version
• Invasive/non-invasive debugging
• Plugin/scriptable
• Essentially Basic Debugging interface
• User space anti-debugging is very complicated
– Ntdll!*breakpoint* can be tampered with (unable to attach)
– Starting a program does not break at first module instruction
• Break on other events
• Kernel debugger (kd) not as simple to use
– Network debugger can still use windbg


Generic Unpacking issues
• Encoding/Obfuscation
– Page decoding
• Non linear execution
– Exceptions (divide by zero)
– Other Process/Threads
– Debugging self
• Detecting a debugger, VM or other analysis


Fuzzy Hashes
• DeepToad.py
• ssdeep
• Sdhash
– Some server code


Signature development
• Yara
– Lots of support
• https://yaragenerator.com/
• http://www.deependresearch.org/2013/02/yara-
• ClamAV
– Less active, some support from SourceFire
• Custom Engine


Custom Engine
• Private implementation
– Leverage public tools but developed with
information gained from incident
– May use a variety of analysis techniques
• Combine Yara/Clam/Hash/etc…
• “Perfect knowledge” of attacker


Custom Engine


• Complicated generic scanning can be slow
• Regexes with overlapping sub-sections may take a long time to evaluate
– E.g. (.*A).*(.*A) -- or something similar can be a


Windows hardening
• Windows XP does not memset(0) driver .text sections
– Random slack can be executed
– Updated 2k3+
• KINTERRUPT no longer has huge code templates/glue included as part of its
– KINTERRUPT.DispatchCode is now 4 bytes (and always just points to a registered handler in the module) instead of up to 106 bytes of arbitrary code
• Updated Vista+
• Page table entries secured
– Win8 no longer has executable page table entries
• Kernel 9200+ (8/2012) Kernel Pool (heap) is no longer default executable
– This is a MAJOR win!!!!!!
– No more huge degrees of unknown executable memory to inspect


Analyzing Windows Memory
• A rootkit can shadow/move itself during dumps
• Dumping memory from a live/physical system is problematic and has led to an interesting arms race:
– Using cold-boot attacks
– Purpose built dumping hardware or commodity FireWire type
– Cause kernel panic to induce a dump
• Windows Kernel 9600 (Windows 8.1/2012R2)
– A snapshot from VMWare or Hyper-V
– We will ignore dump acquisition issues for now and focus on VM


X64 Kernel Virtual Address Space
Start                    End                        Size       Description                Notes
FFFF0800`00000000        FFFFF67F`FFFFFFFF          238TB      Unused System Space        WIN9600 NOW USE &
FFFFF680`00000000        FFFFF6FF`FFFFFFFF          512GB      PTE Space                  -X, used to be executable
FFFFF700`00000000        FFFFF77F`FFFFFFFF          512GB      HyperSpace                 8.1 seems to have cleaned up here, 9200 had 1 +X
FFFFF780`00000000        FFFFF780`00000FFF          4K         Shared System Page
FFFFF780`00001000        FFFFF7FF`FFFFFFFF          512GB-4K   System Cache Working Set
FFFFF800`00000000        FFFFF87F`FFFFFFFF          512GB      Initial Loader Mappings    Large Page (2MB)
FFFFF880`00000000        FFFFF89F`FFFFFFFF          128GB      Sys PTEs
FFFFF8a0`00000000        FFFFF8bF`FFFFFFFF          128GB      Paged Pool Area
FFFFF900`00000000        FFFFF97F`FFFFFFFF          512GB      Session Space
FFFFF980`00000000        FFFFFa70`FFFFFFFF          1TB        Dynamic Kernel VA Space
FFFFFa80`00000000        *nt!MmNonPagedPoolStart-   6TB Max    PFN Database
*nt!MmNonPagedPoolStart  *nt!MmNonPagedPoolEnd      512GB Max  Non-Paged Pool             DEFAULT NO EXECUTE


Page Table Shellcode weird-machine
• Win7 and earlier
– Can we emit intended shellcode into PTE area?
• Perform some VirtualAlloc from user space => executable memory in
– Just reserving memory writes PTE
• Page Table shell-code is non-trivial
– Lots of gadgets!
fffff6fb`7e201ea0 63 b8 c3 2d 00 00 00 00 63 a8 13 2f 00 00 00 00 c..-....c../....
fffff6fb`7e201eb0 63 98 e3 2d 00 00 00 00 63 88 13 2f 00 00 00 00 c..-....c../....
fffff6fb`7e201ec0 63 78 63 30 00 00 00 00 63 68 d3 2e 00 00 00 00 cxc0....ch......
fffff6fb`7e201ed0 63 58 53 30 00 00 00 00 63 48 a3 2e 00 00 00 00 cXS0....cH......
fffff6fb`7e201ee0 63 38 c3 2e 00 00 00 00 63 28 83 2e 00 00 00 00 c8......c(......
contains 0000000000187063 contains 0000000134C04863 contains 0000000100512863 contains
pfn 187 ---DA--KWEV pfn 134c04 ---DA--KWEV pfn 100512 ---DA--KWEV pfn 2dc3b ---DA--KWEV


Defense: Rootkit revealing
• Default non-execute pool space helps tremendously
• Detect the presence of a rootkit by comparing results
from multiple sources/abstraction layers
– Physical (page tables)
– Logical
– SECTION’s, …
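The physical-layer check can be scripted directly from raw page table entries. As an added example (not BlockWatch code), the block below decodes x64 PTE values such as those in the deck's !pte output into the flag string WinDbg prints and reports valid kernel pages that are both writable and executable, the case the non-executable pool default removes. Bit positions follow the x64 hardware PTE layout, the copy-on-write column uses Windows' software bit 9, and the third sample value is constructed.

```python
# Bit positions in an x64 hardware PTE (Intel long-mode layout); COW is Windows' software bit.
VALID, WRITE, USER, PWT, PCD, ACCESSED, DIRTY, LARGE, GLOBAL, COW = range(10)
NX = 63                    # execute-disable; clear means the page is executable
PFN_MASK = (1 << 40) - 1   # bits 12..51 hold the page frame number

def bit(value: int, n: int) -> int:
    return (value >> n) & 1

def decode_pte(pte: int) -> dict:
    """Split a raw PTE into the fields an analyst cares about."""
    return {
        "pfn": (pte >> 12) & PFN_MASK,
        "valid": bool(bit(pte, VALID)),
        "writable": bool(bit(pte, WRITE)),
        "kernel": not bit(pte, USER),
        "executable": not bit(pte, NX),
    }

def windbg_flags(pte: int) -> str:
    """Render the 11-character flag string !pte prints, e.g. '---DA--KWEV'."""
    return "".join([
        "C" if bit(pte, COW) else "-",
        "G" if bit(pte, GLOBAL) else "-",
        "L" if bit(pte, LARGE) else "-",
        "D" if bit(pte, DIRTY) else "-",
        "A" if bit(pte, ACCESSED) else "-",
        "N" if bit(pte, PCD) else "-",
        "T" if bit(pte, PWT) else "-",
        "U" if bit(pte, USER) else "K",
        "W" if bit(pte, WRITE) else "R",
        "-" if bit(pte, NX) else "E",
        "V" if bit(pte, VALID) else "-",
    ])

def is_wx_kernel(pte: int) -> bool:
    """The condition the deck warns about: a valid kernel page that is writable AND executable."""
    d = decode_pte(pte)
    return d["valid"] and d["kernel"] and d["writable"] and d["executable"]

def find_wx(entries: dict) -> list:
    """Given {label: PTE value}, return the labels whose PTE maps a W+X kernel page."""
    return sorted(label for label, pte in entries.items() if is_wx_kernel(pte))

# Two values quoted in the deck's debugger output plus one constructed NX entry for contrast.
SAMPLE_PTES = {
    "pte-space qword @ fffff6fb`7e201ea0": 0x000000002DC3B863,  # pfn 2dc3b, ---DA--KWEV
    "!pte ffffd000`201a0000": 0x0000000000555963,               # pfn 555, -G-DA--KWEV
    "constructed NX sample": 0x8000000000B22963,                # same flags with bit 63 set
}
```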


Tool evaluation
• https://blockwatch.ioactive.com
– Operates on direct physical memory dumps from VM snapshots
– Demo script that identifies KVAS physical/logical sections
– Transforms/Dumps memory / Generates hashes
– Install IronPython
• Example, from Crunch install directory
ipy64 UnLinkedRR.py C:BW_Folder VMWare.VMSS.or.VMSD d:dest-
• Future
– More well known blocks (local optimization)?
• There are some weird-looking fill patterns often sitting around as exec
• More page table checks, CR0.WP etc…


Example VMWare ~8GB
BlockWatch Folder: t:BW_DEMO
Dumping data from : Clone of Clone of Current Win 8.1 - PRO (2)-66bb942e.vmss
Found probable kernel @ fffff800b508c000
Debug symbol being loaded for ntkrnlmp.pdb
Kernel build number 9600
Root PT Entries: 16, SubTable Entries: 778263
Unlinked entry count: 1544
UnLinked Section: System Space @: 0xffffd00020180000L, Size: 0x1000L
UnLinked Section: Loader Mappings @: 0xfffff800021d0000L, Size: 0x1000L
UnLinked Section: HAL and Loader Mappings @: 0xffffffffffd02000L, Size: 0x1000L
UnLinked Section: hal @: 0xfffff800b5000000L, Size: 0x200000L
UnLinked Section: Loader Mappings @: 0xfffff800b5800000L, Size: 0x200000L


…moving on; Attack! To the Unknown!
kd> !pte ffffd000`201a0000
VA ffffd000201a0000
contains 0000000000523863 contains 0000000000522863 contains 0000000000527863 contains 0000000000555963
pfn 523 ---DA--KWEV pfn 522 ---DA--KWEV pfn 527 ---DA--KWEV pfn 555 -G-DA--KWEV
• ffffd000201a0000 appears across Hyper-V &
VMWare, reboots
– Provides RoP gadgets
– Fixed writeable executable memory location
• Writable/Executable at a fixed address
!pool ffffd000`201a0000
Pool page ffffd000201a0000 region is Unknown
ffffd000201a0000 is not a valid large pool allocation, checking large session pool...
Unable to read large session pool table (Session data is not present in mini and kernel-only dumps)
ffffd000201a0000 is not valid pool. Checking for freed (or corrupt) pool


Can you guess what it is?
• ??
• Segoe_slboot.ttf
– Starts at offset 0x1d0
– Initial bytes some sort of heap tag ? BG*
– System boot/load time artifact
ffffd000`201a0000 21 01 a0 00 00 00 00 80 42 47 49 4b 00 00 00 80 !.......BGIK....
ffffd000`201a01d0 00 19 00 23 00 01 2e 4c 00 00 00 10 67 6c 79 66 ...#...L....glyf
ffffd000`201b2fb0 00 6e 00 74 00 65 00 6e 00 74 00 2e 00 53 00 65 .n.t.e.n.t...S.e
ffffd000`201b2fc0 00 67 00 6f 00 65 00 20 00 55 00 49 00 03 00 00 .g.o.e. .U.I....


A little more (past end of font)
ffffd000`201b3000 ffffd000201b3020 0000000100002000 ffffd000201b3020 8000000000300121
ffffd000`201b3020 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 MZ..............
ffffd000`201b3070 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f is program canno
ffffd000`201b46b2 49 00 6e 00 74 00 65 00 72 00 6e 00 61 00 6c 00 4e 00 61 00 I.n.t.e.r.n.a.l.N.a.
ffffd000`201b46c6 6d 00 65 00 00 00 62 00 6f 00 6f 00 74 00 72 00 65 00 73 00 m.e...b.o.o.t.r.e.s.
• Seems to have some basic heap structure: pointers/allocation sizes
– Unfortunately it’s all default executable/writable at
a fixed address across systems/rebooting
• This leaves a lot of room for RoP gadgets (MZ
is only .rsrc, why +x?)


BIOS Ranges
• Platform specific (vmware in this case)
– 2012R2 0xffffd00020500000, 8.1 0xffffd00020600000
– Fixed address across reboots (size is 241,664 - 0x3B000)
– Physical system dumps
ffffd000`206c5a50 c3 32 2e 30 00 56 4d 77 61 72 65 20 76 69 72 74 .2.0.VMware virt
ffffd000`206c5a60 75 61 6c 20 6d 61 63 68 69 6e 65 00 56 4d 77 61 ual machine.VMwa
ffffd000`206c5a70 72 65 2c 20 49 6e 63 00 56 20 4d 20 77 61 72 65 re, Inc.V M ware
ffffd000`206c5a80 2c 20 49 6e 63 2e 20 56 42 45 20 73 75 70 70 6f , Inc. VBE suppo
ffffd000`206c5a90 72 74 20 32 2e 30 00 90 c8 02 00 00 c4 5e 04 33 rt 2.0.......^.3
3: kd> !pte ffffd000`206c5a50
VA ffffd000206c5a50
PXE at FFFFF6FB7DBEDD00 PPE at FFFFF6FB7DBA0000 PDE at FFFFF6FB74000818 PTE at FFFFF6E800103628
contains 0000000000B22863 contains 0000000000B21863 contains 0000000000852863 contains 00000000000C5963
pfn b22 ---DA--KWEV pfn b21 ---DA--KWEV pfn 852 ---DA--KWEV pfn c5 -G-DA--KWEV


Other/More dynamic/Misc Areas
• Slack
• Audit MDL structures
• Session Space
• ACPI FACS -- exec
– Firmware ACPI Control Structure
– Verify ACPI with white list
• Shim Engine (i.e. handling for drvmain.sdb)
• Bootloader artifacts
• Volume manager heap
0: kd> !pool ffffe00000420000
Pool page ffffe00000420000 region is Nonpaged pool
*ffffe00000420000 size: 90 previous size: 0 (Allocated) *VM3D
Pooltag VM3D : Volume Manager, Binary : volmgr.sys
0: kd> !pool ffffe000`00418000
Pool page ffffe00000418000 region is Nonpaged pool
*ffffe00000418000 size: 90 previous size: 0 (Allocated) *VM3D
Pooltag VM3D : Volume Manager, Binary : volmgr.sys


Other Gadget Areas
• There are other +X areas in the region, but they have small variability in their allocation
• Windows Boot manager, network boot support code,
more font areas


Defense: RoP Detection
• Spurious Saved Return Addresses
– Sometimes a RoP gadget is just random data present in an executable section!!!
– All existing RoP Databases or techniques target
arbitrary saved return addresses
• https://www.corelan.be/index.php/security/corelan-
– 0x77e25c1f, # POP EAX # RETN
– Saved Return should be
• Simple/Effective/Very reliable reducing gadget surface area


Spurious Saved Return Addresses
• Conceptually similar to heap back-checking logical links
except we walk the stack
– Think Heap/Pool verification
– Verify op-code preceding saved return address
– Adding into BlockWatch
• Our operation is static, so performance is no big deal, and we like to be current!
– Some performance impact if implemented at run time
– May not reduce the gadget surface area sufficiently
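The saved-return check described above, as an added example (not BlockWatch code): each stack value that points into the image is accepted only if the bytes immediately before it decode as a CALL. The x64 image, its base address, the stack contents and the reduced set of CALL encodings recognised are all assumptions.

```python
# Constructed x64 code image (not from the deck) and the candidate saved return
# addresses found while walking a stack. Only a few CALL encodings are recognised;
# a return address not preceded by one of them is treated as spurious.
CODE_BASE = 0x7ff600001000  # assumed image base

CODE = bytes([
    0x48, 0x83, 0xEC, 0x28,              # sub rsp, 28h
    0xE8, 0x10, 0x00, 0x00, 0x00,        # call rel32          -> return site at offset 9
    0x41, 0xFF, 0xD2,                    # call r10            -> return site at offset 12
    0xFF, 0x15, 0x00, 0x10, 0x00, 0x00,  # call [rip+0x1000]   -> return site at offset 18
    0x58,                                # pop rax             (gadget-looking bytes)
    0xC3,                                # ret
    0x48, 0x83, 0xC4, 0x28,              # add rsp, 28h
    0xC3,                                # ret
])

def call_len_before(code: bytes, off: int) -> int:
    """Length of a CALL ending exactly at `off`, or 0 if none of the known forms matches."""
    if off >= 5 and code[off - 5] == 0xE8:                      # E8 rel32
        return 5
    if off >= 3 and 0x40 <= code[off - 3] <= 0x4F \
            and code[off - 2] == 0xFF and 0xD0 <= code[off - 1] <= 0xD7:
        return 3                                                 # REX + FF /2 (call r8..r15)
    if off >= 2 and code[off - 2] == 0xFF and 0xD0 <= code[off - 1] <= 0xD7:
        return 2                                                 # FF /2 (call reg)
    if off >= 6 and code[off - 6] == 0xFF and code[off - 5] == 0x15:
        return 6                                                 # FF 15 disp32 (call [rip+disp32])
    return 0

def is_real_return(code: bytes, base: int, ret: int) -> bool:
    """True when `ret` falls inside the image and sits right after a CALL."""
    off = ret - base
    return 0 <= off < len(code) and call_len_before(code, off) > 0

def spurious_returns(code: bytes, base: int, stack_values: list) -> list:
    """Stack slots that point into the image but are not preceded by a CALL."""
    return [v for v in stack_values
            if base <= v < base + len(code) and not is_real_return(code, base, v)]

# Constructed stack walk: three genuine return sites, two gadget-style pointers, one non-code value.
STACK = [CODE_BASE + 9, CODE_BASE + 12, 0x1234, CODE_BASE + 19, CODE_BASE + 18, CODE_BASE + 20]
```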


Comprehensive verification
• Forensics
– Reduction / Analysis aid
• APT Detection
– Diffing
– White list
• Blockwatch.ioactive.com
– Signup & use
– Fewer unknowns, more secure


BlockWatch Service
• Largest Hash Database on the planet
– 300+ million entries in the white list
– Wide coverage of Windows OSs and server software
• Run with local white list definition


BlockWatch Report


Interactive integrity checking
• Blue = Completely verified, Green = Highly verified, Yellow < 95%, etc…


• Scott Larson scott@larsonsecurity.com
• Shane Macaulay
• http://blockwatch.ioactive.com/

