Chapter 21

RULE-BASED INTEGRITY CHECKING OF INTERRUPT DESCRIPTOR TABLES IN CLOUD ENVIRONMENTS

Irfan Ahmed, Aleksandar Zoranic, Salman Javaid, Golden Richard III and Vassil Roussev

Abstract

An interrupt descriptor table (IDT) is used by a processor to transfer the execution of a program to software routines that handle interrupts raised during the normal course of operation or to signal an exceptional condition such as a hardware failure. Attackers frequently modify IDT pointers to execute malicious code. This paper describes the IDTchecker tool, which uses a rule-based approach to check the integrity of the IDT and the corresponding interrupt handling code based on a common scenario encountered in cloud environments. In this scenario, multiple virtual machines (VMs) run the same version of an operating system kernel, which implies that IDT-related code should also be identical across the pool of VMs. IDTchecker leverages this scenario to compare the IDTs and the corresponding interrupt handlers across the VMs for inconsistencies based on a pre-defined set of rules. Experimental results related to the effectiveness and runtime performance of IDTchecker are presented. The results demonstrate that IDTchecker can detect IDT and interrupt handling code modifications without much impact on guest VM resources.

Keywords: Cloud forensics, interrupt descriptor table, integrity checking

G. Peterson and S. Shenoi (Eds.): Advances in Digital Forensics IX, IFIP AICT 410, pp. 305–328, 2013. © IFIP International Federation for Information Processing 2013

1. Introduction

Memory forensics involves the extraction of digital artifacts from the physical memory of a computer system. The interrupt descriptor table (IDT) is a valuable artifact, more so because it is a well-known target for malware (especially rootkits). The IDT provides an efficient way to transfer control from a program to an interrupt handler, a special software routine that handles exceptional conditions occurring within the system, processor or executing program. (A hardware failure and division by zero are examples of unusual conditions that are handled by an IDT.) Malware often manipulates an IDT to change the system control flow and run malicious code. The change may occur either to a pointer in the IDT or in the interrupt handler itself, which then redirects execution to malicious code that has been injected into the system.
PatchGuard [6, 18] checks IDT integrity by keeping a valid state of the table and comparing it with the current table state. Microsoft includes kernel patch protection (PatchGuard) [18] in 64-bit Windows systems to detect modifications to kernel code and critical data structures such as the IDT. PatchGuard caches the legitimate copy and the checksum of the IDT, and compares them with the current IDT in memory to check for modifications. Another tool, CheckIDT [6], examines IDT integrity by storing the entire table in a file so that it can be compared later with the current state of the table in memory.

While these tools are applicable to different operating systems, they suffer from at least two major limitations. Both tools require an initialization phase, where it is assumed that the IDT is not infected at the time that the valid state of the IDT is obtained. This may not be the case if the interrupt handler is patched in the kernel file on disk because, when the system restarts and the IDT is created, the IDT points to the malicious interrupt handler before the valid state of the IDT can be obtained. The pointers in the IDT may change after the system boots if the kernel or kernel modules are loaded at different memory locations. Thus, every time the system restarts, the tools need to record the valid state of the table.

Current solutions do not specifically consider the interrupt handler code for integrity checking. Although they do check the integrity of the kernel code and modules that include interrupt handler code, they do not ensure that the pointer in the IDT points to a valid interrupt handler. A state-of-the-art solution for checking the integrity of kernel code (and modules) requires the maintenance of a dictionary of cryptographic hashes of trusted code [9, 14] in order to compare the hash of the current code with the hash stored in the dictionary. Such an approach requires maintaining the dictionary across every kernel update to implement effective integrity checking.
This paper describes the IDTchecker tool, which provides a comprehensive, rule-based approach to check IDT integrity in real time without requiring an initialization phase, a "known-good" copy of the IDT or a dictionary of hashes. IDTchecker works in a virtualized environment where a pool of virtual machines (VMs) run identical guest operating systems with the same kernel version – a typical scenario in cloud servers. The pools of virtual machines simplify the maintenance process to facilitate the automation of patch applications and system upgrades. IDTchecker works by retrieving the IDT and its corresponding interrupt handler code from the physical memory of a guest VM and comparing it across the VMs in the pool. The tool uses a pre-defined set of rules to perform comprehensive integrity checking. It runs on a privileged virtual machine where it has access to guest VM physical memory through virtual machine introspection (VMI). None of the components of IDTchecker run inside the guest VMs, which makes IDTchecker more resistant to tampering by malware.

IDTchecker was evaluated extensively in order to assess its effectiveness and efficiency. Effectiveness testing used real-world malware and popular IDT exploitation techniques to modify the IDT and interrupt handler code. Efficiency testing analyzed the runtime performance of IDTchecker under the best case and worst case scenarios. The results demonstrate that IDTchecker does not have any significant impact on guest VM resources because none of its components run inside the VMs. Its memory footprint is 10 to 15 MB, which is quite negligible compared with the amount of physical memory typically found in a cloud server (tens to hundreds of gigabytes).
2. Related Work

This section discusses research related to IDT integrity checking. CheckIDT [6] is a Linux-based tool that detects IDT modifications by storing the IDT descriptor values in a file and later comparing them with the current values of the IDT in memory. If a discrepancy between the two tables is detected, CheckIDT restores the table in memory by copying the IDT values from the saved file, assuming that the integrity of the file has been maintained. CheckIDT uses the technique described in [16] to access the table from user space without using a Linux kernel module.

Kernel Patch Protection [18] (or PatchGuard) checks the integrity of kernel code (including modules) and important data structures such as the IDT, global descriptor table (GDT) and system service descriptor table (SSDT). It is currently implemented in 64-bit Windows operating systems. PatchGuard stores legitimate known-good copies and checksums of kernel code and data structures, and compares them with the current state of the code and the data structures at random times. PatchGuard is implemented as a set of routines that are protected by using anonymization techniques such as misdirection, misnamed functions and general code obfuscation.
Volatility [21] has a plugin [22] that checks the integrity of IDT pointers to interrupt handlers. It walks through each IDT entry and checks if the pointer in the entry is within the address range of the kernel code (including modules). Volatility ensures that the pointers do not point to unusual locations in memory. However, it cannot detect attacks [6, 10] that directly patch interrupt handler code and do not modify pointers in the table.

IDTGuard [19] is a Windows-based tool that checks the integrity of IDT pointers. The tool separately computes an IDT pointer value by finding the offset of the interrupt handler in the kernel file (such as ntoskrnl.exe) and adding it to the base address of the kernel in memory. The computed IDT pointer values are then matched with the pointers in the IDT table to verify their integrity. However, IDTGuard cannot check the integrity of pointers corresponding to kernel modules where the pointers point to Kinterrupt data structures instead of interrupt handlers in the kernel code.
3. IDT Integrity Checking

Virtualization provides an opportunity for efficient resource utilization of a physical machine by concurrently running several VMs over a virtual machine monitor (VMM) or hypervisor – an additional layer between the hardware and the hosted guest operating systems. The VMM also allows a privileged VM to monitor the runtime resources of other (guest) VMs (e.g., memory and I/O) through virtual machine introspection. IDTchecker uses introspection while running on a privileged VM to access the physical memory of guest VMs. It retrieves the IDTs and their corresponding interrupt handlers and matches them according to pre-defined rules in order to check for inconsistencies.
3.1 Overview

Interrupts and exceptions are system events that indicate that a condition or an event requires the attention of the processor [5]. Interrupts can be generated in response to hardware signals such as hardware failure or by software through the INT n instruction. Exceptions are generated when the processor detects an error during the execution of an instruction such as divide by zero. Each condition indicated by an interrupt or exception requires special handling by the processor and, thus, is represented using a unique identification number referred to as an interrupt vector. In this paper, the difference between interrupts and exceptions is not important and, thus, both are referred to as interrupts. When an interrupt occurs, the execution of a program is suspended and the control flow is redirected to an interrupt handler routine through an IDT.

An IDT is an array of interrupt vectors, each vector providing an entry point to an interrupt handler. There can be at most 256 interrupt vectors. Each vector is eight bytes long and contains information about the index to a local/global descriptor table, request/descriptor privilege levels, offset to interrupt handler, etc. There are up to three types of interrupt (vector) descriptors in an IDT: interrupt gate, trap gate and task gate. Interrupt and trap gate descriptors are similar, but they differ in functionality and in the type field in the descriptor that identifies the gate. Unlike the situation for trap gates, when handling an interrupt gate, the processor clears the IF flag in the EFLAGS register to prevent other interrupts from interfering with the current interrupt handler. Task gate descriptors, on the other hand, have no offset values to the interrupt handler. Instead, the interrupt handler is reached through the segment selector field in the descriptor.

The global descriptor table (GDT) is utilized when the interrupt handler has to be accessed in protected mode (where a protection ring [5] is enforced). An entry in the table is called a segment descriptor. Each descriptor describes the base address and the size of a memory segment along with information related to the access rights of the segment. Each descriptor is also associated with a segment selector that provides information about the index to the descriptor, access rights and a flag that determines if the index points to an entry of the global descriptor table. Each interrupt vector has a segment selector that is used to find the base address of the segment. In a case of interrupt and trap gates, the base address of the interrupt is obtained by adding the base address of the segment to the offset in the vector.
3.2 Assumptions

We assume the presence of a fully-virtualized environment where the VMM supports memory introspection of guest VMs. Also, we assume that different pools of VMs are present, where each pool runs an identical guest operating system with the same kernel version. This provides an opportunity for IDTchecker to probe and compare the IDTs and interrupt handlers within each pool.
3.3 IDTchecker Architecture

IDTchecker is designed to obtain the IDTs and corresponding interrupt handler code from a pool of VMs and perform a comprehensive integrity check based on a pre-defined set of rules. To achieve this task, IDTchecker employs four modules to implement the various functions needed to perform integrity checking. The four components are: (i) Table-Extractor; (ii) Code-Extractor; (iii) Info-Extractor; and (iv) Integrity-Checker.

Table-Extractor and Code-Extractor: IDTchecker incorporates separate modules (Table-Extractor and Code-Extractor) for extracting tables and interrupt related code because the IDT and GDT structures are dependent on the processor, while the organization of the interrupt-related code is mostly dependent on the operating system. For instance, Microsoft Windows uses a Kinterrupt structure to store the information about an interrupt handler that is provided by kernel drivers. Separating the extraction of code and tables into two modules increases the portability of IDTchecker. Moreover, Code-Extractor receives the interrupt vector descriptor values from Table-Extractor after the descriptors are parsed. This data is used by Code-Extractor to locate the index of a GDT segment and the offset of an interrupt handler (if the descriptor type is not a task gate).

Info-Extractor: The Info-Extractor module fetches any additional information required by a rule from memory, such as the address range of kernel modules.

Integrity-Checker: The Integrity-Checker module applies a pre-defined set of rules to the data obtained from the Table-Extractor, Code-Extractor and Info-Extractor modules in order to comprehensively check IDT integrity. Unlike the other three modules, Integrity-Checker does not need to access the memory of guest VMs. This is because all the needed data is made available by the other modules.

Figure 1 presents the overall architecture of IDTchecker. The figure shows multiple pools of guest VMs, each pool running the same version of a guest operating system. The VMs run on top of a VMM and the VMI facility is available for a privileged VM to introspect guest VM resources. Note that IDTchecker only needs to perform read-only operations on guest VM physical memory and no IDTchecker component runs inside a guest VM.

By comparing IDTs and their corresponding interrupt handler code across VMs, IDTchecker is able to detect IDT inconsistencies between the VMs. A majority vote algorithm is used to identify an infected VM. Of course, the majority vote strategy is effective only if the majority of VMs have uninfected IDTs. In this case, IDTchecker is more effective at detecting the first sign of infection, which can then be used to trigger a thorough forensic investigation to find the root cause of the infection.

Figure 1. IDTchecker architecture. [Diagram not reproduced; it shows Table-Extractor, Code-Extractor, Info-Extractor and the (rule-based) Integrity-Checker inside IDTchecker on the privileged VM, virtual machine introspection over the virtual machine monitor and hardware, and pools of guest VMs running Windows XP (SP2), Red Hat and Windows 7.]
It is also worth discussing if the IDT should always be identical across VMs when identical kernel code (including modules) is executing. The initial 32 interrupt vectors (0 to 31) are pre-defined. These interrupt vectors always remain identical across VMs. However, other interrupt vectors (32 to 255) are user-defined and may vary across VMs in that the same interrupt entry or descriptor can be associated with different interrupt vectors across VMs. Thus, one-to-one matching of interrupt entries may not be feasible at all times. A more robust approach is to find the equivalent interrupt vector entry that is being matched in other IDT tables across VMs before the rules are applied to them. The current version of IDTchecker performs one-to-one matching and can be enhanced using this approach.
3.4 Integrity Checking Rules

IDTchecker currently uses four rules to perform integrity checking across VMs and within each VM:

Rule 1: All the values in each interrupt vector should be the same across VMs (excluding the interrupt handler offset field, which is checked for integrity by the subsequent rules). This rule ensures that all the fields in the IDT are original.

Rule 2: The interrupt handler code should be consistent across VMs. This rule detects modifications to the code. The rule is effective unless identical modifications are made to the code in all the VMs.

Rule 3: The interrupt handler is located in basic kernel code or in a kernel module. This means that the base address of the interrupt handler should be within the address range of the basic kernel code or within the address range of the code of a module. This rule ensures that the base address does not point to an unusual location.

Rule 4: Given that the base address of an interrupt handler is within the address range of the kernel code or of a module, the offset of the base address of the interrupt handler from the starting address of its corresponding driver or basic kernel code should be the same across all VMs. This rule detects instances of random injections of malicious code within the basic kernel code or within a driver.
4. IDTchecker Implementation

The IDTchecker design is simple in that all its components reside locally on a privileged VM, which can be implemented on any VMM that has memory introspection support (e.g., Xen, KVM or VMware ESX) without requiring modifications to the VMM itself. For the proof of concept, we developed IDTchecker on Xen [23] with the Microsoft Windows XP (Service Pack 2) guest operating system. We used the LibVMI introspection library [20] and the Opdis disassembler library [12]; cryptographic hashes were computed using OpenSSL [13]. The remainder of this section describes the low-level implementation details of the IDTchecker components.
4.1 Table-Extractor

The IDT and GDT are created each time a system starts. The processor stores their base addresses and sizes in the IDTR and GDTR registers for protected mode operations. In each register, the base address specifies the linear address of byte 0 of the table, while the size specifies the number of bytes in the table. Table-Extractor obtains this information from the registers in the guest VM and extracts the IDT and GDT tables from the guest VM memory. It further interprets the raw bytes of the tables as table entries and their respective fields, and forwards them to Code-Extractor.
4.2 Code-Extractor

Code-Extractor receives the tables from Table-Extractor and retrieves the code corresponding to each IDT entry. Code-Extractor handles each interrupt vector type (interrupt gate, task gate and trap gate) differently. Since no trap gate entries are found in Windows XP VMs, only the interrupt and task gate extraction are discussed below.

4.2.1 Interrupt Gate. Each interrupt gate entry in the IDT has a segment selector associated with the GDT. It also has an interrupt handler offset that can be added to the base address of the segment described in the GDT to form the base address ptr of the interrupt handler. The interrupt handler can be located in the basic kernel code (i.e., ntoskrnl.exe for Windows XP) or in a kernel module. If the interrupt handler is in a kernel module, then ptr points to the Kinterrupt data structure, which is a kernel control object that allows device drivers to register an interrupt handler for their devices. The data structure contains information that the kernel needs to associate the interrupt handler with a particular interrupt (e.g., the base address of the interrupt handler in the module and the vector number of the IDT entry). In order to determine if the handler code is in a kernel module, the vector number in the Kinterrupt structure is matched with the vector number of the IDT entry. If the two values match, the handler code is in the kernel module, otherwise it is in the basic kernel.

At this stage, Code-Extractor needs to find the base addresses and sizes of all the interrupt handling code segments in order to make a clean extraction of the code. Figure 2 shows the extraction process. Note that the IDT and GDT descriptor formats in the figure are adjusted for illustrative purposes.

Finding the Base Address: When the code is located in the basic kernel, ptr contains the base address of the interrupt handler, which is the only code needed for integrity checking. When the code is in a module, ptr points to DispatchCode, which executes and at some point jumps to other code (InterruptDispatcher). This code executes and at some point calls the interrupt handler from the device driver. In this case, three chunks of code have to be extracted. The base addresses of the three pieces of code are in the Kinterrupt structure, which Code-Extractor processes to obtain the addresses.
Figure 2. Code extraction of an interrupt gate. [Diagram not reproduced; it shows the Interrupt Descriptor Table (maximum 256 entries; fields P, DPL, TYPE, reserved, segment selector, interrupt handler offset) and the Global Descriptor Table (maximum 8191 entries; fields access byte, segment limit, base address, G, S) located through the IDTR and GDTR registers; the handler address computed as HandlerCode = ptr + segment base; the test of the Kinterrupt vector against the IDT vector number; and the code chunks extracted in each case: a single handler ending in iret/ret in ntoskrnl.exe, or DispatchCode (jmp DispatchAddress) followed by the dispatcher (call ServiceRoutine) and the handler code in the kernel module, each ending in iret/ret.]
Finding the Code Size: Code-Extractor finds the size of the code by disassembling it starting from the base address of the code, assuming that the first occurrence of a return instruction points to the end of the code. This assumption is valid based on the function prologue and epilogue convention, which is followed by assembly language programmers and high-level language compilers. The function prologue and epilogue are small amounts of code placed at the start and end of a function, respectively; the prologue stores the state of the stack and registers when the function is called and the epilogue restores them when the function returns. Thus, a return instruction is required at the end of a function in order to ensure that the restoration code executes before the function returns. We have not encountered a situation where a return in interrupt handler code occurs before the end of the handler. Also, we performed an experiment to see if the Windows Driver Model (WDM) compiler follows the function prologue and epilogue convention. We placed a few return instructions between the if-else statements in the interrupt handler code of a hello-world driver. After compiling the code, we discovered that the return instructions were replaced with jump instructions pointing to return instructions placed at the end of the code. This shows that the WDM compiler follows the convention upon which our heuristic relies.
4.2.2 Task Gate. Each task gate entry in the IDT has no interrupt handler offset and, therefore, there is no direct pointer to a handler or code. Instead, the segment selector in the entry is the index of a GDT entry. The GDT entry is a task state segment (TSS) descriptor that provides information about the base address and size (i.e., segment limit) of a TSS. The TSS stores the processor state information (e.g., segment registers and general purpose registers) that is required to execute the task. The TSS also contains the code segment (CS) that points to one of the descriptors in the GDT that defines a segment where the interrupt handler code is located. Additionally, the TSS contains the instruction pointer (EIP) value. When a task is dispatched for execution, the information in the TSS is loaded into the processor and task execution begins with the instruction pointer (EIP) value, which provides the base address of the interrupt handler. After locating the base address of the interrupt handler, the process for determining the code size is the same as that used for interrupt gates. Figure 3 shows the extraction process. Note that the IDT and GDT descriptor formats in the figure are adjusted for illustrative purposes.
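The descriptor decoding of Sections 3.1, 4.1, 4.2.1 and 4.2.2 in one place, as an added example that is not part of the paper or of the IDTchecker implementation (which reads guest memory through LibVMI). It decodes IA-32 gate and segment descriptors out of a guest memory image, resolves an interrupt gate to segment base + offset, and follows a task gate through the GDT's TSS descriptor to the CS:EIP pair stored in the TSS. The memory image, the IDTR/GDTR values and every address in it are constructed for the example; the image is treated as identity-mapped so that linear addresses index the buffer directly, and the Kinterrupt walk for module-resident handlers is not included.

```python
import struct

# Gate types in the low nibble of the type/attribute byte (IA-32, 32-bit gates).
GATE_TASK, GATE_INTERRUPT32, GATE_TRAP32 = 0x5, 0xE, 0xF
TSS_EIP_OFFSET, TSS_CS_OFFSET = 0x20, 0x4C   # field offsets inside a 32-bit TSS


def parse_gate(raw):
    """Decode one 8-byte IDT gate descriptor into its fields."""
    off_lo, selector, _reserved, type_attr, off_hi = struct.unpack("<HHBBH", raw)
    return {
        "selector": selector,
        "gdt_index": selector >> 3,              # descriptor index in the GDT/LDT
        "table_indicator": (selector >> 2) & 1,  # 0 = GDT, 1 = LDT
        "rpl": selector & 3,
        "present": bool(type_attr & 0x80),
        "dpl": (type_attr >> 5) & 3,
        "gate_type": type_attr & 0x0F,
        "offset": (off_hi << 16) | off_lo,       # unused by task gates
    }


def parse_segment(raw):
    """Decode one 8-byte GDT segment or TSS descriptor into base, limit and access byte."""
    lim_lo, base_lo, base_mid, access, flags_lim_hi, base_hi = struct.unpack("<HHBBBB", raw)
    limit = lim_lo | ((flags_lim_hi & 0x0F) << 16)
    if flags_lim_hi & 0x80:                      # G bit set: limit counts 4 KiB pages
        limit = (limit << 12) | 0xFFF
    return {"base": base_lo | (base_mid << 16) | (base_hi << 24),
            "limit": limit, "access": access}


def read_table(mem, base, limit):
    """Slice a descriptor table out of guest memory; limit is (bytes - 1) as in IDTR/GDTR."""
    raw = mem[base:base + limit + 1]
    return [bytes(raw[i:i + 8]) for i in range(0, len(raw), 8)]


def resolve_handler(mem, idtr, gdtr, vector):
    """Return (gate kind, linear address of the handler entry) for one vector, or None."""
    idt, gdt = read_table(mem, *idtr), read_table(mem, *gdtr)
    if vector >= len(idt):
        return None                              # beyond the table IDTR describes
    gate = parse_gate(idt[vector])
    if not gate["present"] or gate["table_indicator"] != 0:
        return None                              # absent gate, or LDT-based (not handled)
    seg = parse_segment(gdt[gate["gdt_index"]])
    if gate["gate_type"] == GATE_TASK:
        # Task gate: the selector names a TSS descriptor; the TSS's CS:EIP is the entry point.
        tss = seg["base"]
        eip = struct.unpack_from("<I", mem, tss + TSS_EIP_OFFSET)[0]
        cs = struct.unpack_from("<H", mem, tss + TSS_CS_OFFSET)[0]
        return ("task", parse_segment(gdt[cs >> 3])["base"] + eip)
    if gate["gate_type"] in (GATE_INTERRUPT32, GATE_TRAP32):
        kind = "interrupt" if gate["gate_type"] == GATE_INTERRUPT32 else "trap"
        return (kind, seg["base"] + gate["offset"])
    return None


def make_gate(offset, selector, gate_type, dpl, present=True):
    type_attr = (0x80 if present else 0) | (dpl << 5) | gate_type
    return struct.pack("<HHBBH", offset & 0xFFFF, selector, 0, type_attr, offset >> 16)


def make_segment(base, limit, access, flags=0):
    """flags is the high nibble of byte 6 (0xC = granularity + 32-bit default)."""
    return struct.pack("<HHBBBB", limit & 0xFFFF, base & 0xFFFF, (base >> 16) & 0xFF,
                       access, (flags << 4) | ((limit >> 16) & 0x0F), base >> 24)


def build_sample_guest():
    """Constructed guest memory image (not a real dump): identity-mapped, flat segments."""
    mem = bytearray(0x3000)
    idt_base, gdt_base, tss_base = 0x0000, 0x1000, 0x2000
    gdt = (make_segment(0, 0, 0)                               # 0x00: null descriptor
           + make_segment(0, 0xFFFFF, 0x9A, flags=0xC)         # 0x08: flat kernel code
           + make_segment(tss_base, 0x67, 0x89))               # 0x10: 32-bit TSS
    mem[gdt_base:gdt_base + len(gdt)] = gdt
    gates = {0: make_gate(0x80540000, 0x08, GATE_INTERRUPT32, 0),  # #DE, ring 0
             3: make_gate(0x80540100, 0x08, GATE_INTERRUPT32, 3),  # #BP, usable from ring 3
             8: make_gate(0, 0x10, GATE_TASK, 0)}                  # #DF through a task gate
    idt = b"".join(gates.get(v, bytes(8)) for v in range(9))       # vectors 0..8 only
    mem[idt_base:idt_base + len(idt)] = idt
    struct.pack_into("<I", mem, tss_base + TSS_EIP_OFFSET, 0x80541000)  # #DF handler entry
    struct.pack_into("<H", mem, tss_base + TSS_CS_OFFSET, 0x08)
    return mem, (idt_base, len(idt) - 1), (gdt_base, len(gdt) - 1)


if __name__ == "__main__":
    mem, idtr, gdtr = build_sample_guest()
    for vector in range(9):
        print("vector %#04x -> %s" % (vector, resolve_handler(mem, idtr, gdtr, vector)))
```

Two checks in resolve_handler matter for a tool of this kind: a vector beyond the limit stored in IDTR is not an entry at all, and a gate whose selector has the table-indicator bit set refers to the LDT rather than the GDT, so indexing the GDT with it would resolve a wrong address. On a real guest the linear addresses in IDTR, GDTR and the TSS must first be translated through the guest's page tables, which the introspection library does for the tool.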
4.3 Info-Extractor

The Info-Extractor module is used to obtain additional information associated with the IDT and its code and make it available to Integrity-Checker. In addition, the module obtains the address range of the basic kernel and its associated modules that Integrity-Checker requires for Rules 3 and 4. Info-Extractor also takes into consideration the other modules that are already loaded in memory. Windows XP maintains a doubly-linked list (Figure 4) corresponding to the locations of the basic kernel code and modules, where each element in the list is a LDR_DATA_TABLE_ENTRY data structure that contains the base address DllBase and the size of the module SizeOfImage. Windows XP also stores the pointer to the first element of the list in a system variable PsLoadedModuleList, which Info-Extractor uses to reach the list, browse each element and store it in a local buffer. The pointer to the buffer is then forwarded to Integrity-Checker.
Figure 3. Code extraction of a task gate. [Diagram not reproduced; it shows the Interrupt Descriptor Table (maximum 256 entries) and the Global Descriptor Table (maximum 8191 entries) located through the IDTR and GDTR registers, the task gate's segment selector indexing a TSS descriptor in the GDT, and the CS and EIP fields of the TSS leading to the segment that holds the handler code, which ends in iret/ret.]

Figure 4. Doubly-linked list of kernel modules. [Diagram not reproduced; it shows PsLoadedModuleList pointing to a chain of LDR_DATA_TABLE_ENTRY structures linked through the FLINK and BLINK pointers of their InLoadOrderLinks fields, each carrying DllBase and SizeOfImage.]
4.4 Integrity-Checker

Integrity-Checker applies the rules to the data obtained from the other three modules. However, Integrity-Checker sometimes needs to also manipulate the data in order to apply the rules. We discuss both these aspects of Integrity-Checker with regard to each rule.

Rule 1: This rule compares IDTs across VMs. Integrity-Checker does this by comparing each value of every IDT entry across VMs. However, this does not include interrupt handler offsets.

Rule 2: This rule compares the interrupt handler code across VMs. Integrity-Checker uses the interrupt handler code obtained by Code-Extractor. However, because the code has been extracted from the memory of different VMs, it may not always match. The reason is that the code of the basic kernel and its modules in the files have relative virtual addresses (RVAs) or offsets. When a module is loaded into memory, the loader replaces the RVAs with absolute addresses by adding the base address of the module (i.e., the pointer to the zeroth byte of the module in memory) to the RVAs. If the same module is loaded at different locations across VMs, the kernel/module code (including the interrupt handler in the code) will have different absolute addresses and, as a result, will not be consistent and will not match. Integrity-Checker reverses this change by subtracting the base addresses of the modules from the absolute addresses in the code. This brings the absolute addresses back to RVAs, which represent the values in files and should be the same across VMs.

Figure 5 illustrates the RVA modification of the interrupt handler i8042prt!I8042KeyboardInterruptService associated with interrupt vector 0x31. The 32-bit base addresses of the module for virtual machines VM1 and VM2 are F87BA495 and F87DA495, respectively. The figure shows the same interrupt handler code extracted from the physical memory of the two VMs. Integrity-Checker assumes that the differences of bytes in the code represent the absolute addresses. This assumption is valid until the code in one of the VMs is modified because the base address of the module containing the handler is different for the two VMs. Ideally, there should be a difference of four bytes for a 32-bit machine. However, depending on where the difference of bytes starts in the base address of the module in the two VMs, this may not always be the case.
Figure 5. VM1 and VM2 before and after RVA modification. [Hex dumps of the handler code; the ASCII columns of the original figure did not survive extraction, and the rows between offsets 0x50 and 0x200 are elided as in the original.]

(a) VM1 before RVA modification. MD5: fcd7298fa2a2f3f606c997ecd8c90392
    00000000 | 6a 18 68 a8 d7 7d f8 e8 ff 00 00 00 8b 7d 0c 8b
    00000010 | 77 28 83 7e 30 01 0f 85 4f 01 00 00 a1 00 d9 7d
    00000020 | f8 ff b0 a4 00 00 00 ff 15 0c d9 7d f8 88 45 df
    00000030 | 24 21 33 db 3c 01 0f 85 f3 19 00 00 8d 45 e3 50
    00000040 | 6a 01 e8 18 ff ff ff 8d 86 4a 01 00 00 8a 08 88
    ...
    00000210 | 0f 85 ed 00 00 00 e9 b1 00 00 00 8b 08 8b 91 f4
    00000220 | 01 00 00 89 50 08 8b

(b) VM2 before RVA modification. MD5: 5e87703b1a42456c4928b6cc60b8ea96
    00000000 | 6a 18 68 a8 d7 7b f8 e8 ff 00 00 00 8b 7d 0c 8b
    00000010 | 77 28 83 7e 30 01 0f 85 4f 01 00 00 a1 00 d9 7b
    00000020 | f8 ff b0 a4 00 00 00 ff 15 0c d9 7b f8 88 45 df
    00000030 | 24 21 33 db 3c 01 0f 85 f3 19 00 00 8d 45 e3 50
    00000040 | 6a 01 e8 18 ff ff ff 8d 86 4a 01 00 00 8a 08 88
    ...
    00000210 | 0f 85 ed 00 00 00 e9 b1 00 00 00 8b 08 8b 91 f4
    00000220 | 01 00 00 89 50 08 8b

(c) VM1 after RVA modification. MD5: 3925130249749612de2cbd3fc8a6182b
    00000000 | 6a 18 68 13 33 00 00 e8 ff 00 00 00 8b 7d 0c 8b
    00000010 | 77 28 83 7e 30 01 0f 85 4f 01 00 00 a1 6b 34 00
    00000020 | 00 ff b0 a4 00 00 00 ff 15 77 34 00 00 88 45 df
    00000030 | 24 21 33 db 3c 01 0f 85 f3 19 00 00 8d 45 e3 50
    00000040 | 6a 01 e8 18 ff ff ff 8d 86 4a 01 00 00 8a 08 88
    ...
    00000210 | 0f 85 ed 00 00 00 e9 b1 00 00 00 8b 08 8b 91 f4
    00000220 | 01 00 00 89 50 08 8b

(d) VM2 after RVA modification. MD5: 3925130249749612de2cbd3fc8a6182b
    00000000 | 6a 18 68 13 33 00 00 e8 ff 00 00 00 8b 7d 0c 8b
    00000010 | 77 28 83 7e 30 01 0f 85 4f 01 00 00 a1 6b 34 00
    00000020 | 00 ff b0 a4 00 00 00 ff 15 77 34 00 00 88 45 df
    00000030 | 24 21 33 db 3c 01 0f 85 f3 19 00 00 8d 45 e3 50
    00000040 | 6a 01 e8 18 ff ff ff 8d 86 4a 01 00 00 8a 08 88
    ...
    00000210 | 0f 85 ed 00 00 00 e9 b1 00 00 00 8b 08 8b 91 f4
    00000220 | 01 00 00 89 50 08 8b
Currently, Integrity-Checker considers only the interrupt handler code for integrity checking, which is sufficient unless the routines called by the handler are patched with malicious code. In this case, IDT integrity is violated although the IDT table and its related interrupt handler code are still intact. Instead of finding such routines and checking their integrity, it is more efficient to check the integrity of the entire module where the handler code is located. This may also include the routines that are not being called, but this approach can reduce the time required to search for the calling functions. Several techniques have been proposed for checking the integrity of entire modules (see, e.g., [1, 4, 7–9, 15, 17]).
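The RVA normalization that Rule 2 relies on, as an added example that is not part of the paper or of the IDTchecker code. It takes the first three rows of the two dumps in Figure 5 (the hex columns as printed there) and reduces the absolute addresses to RVAs by the diff-driven method the text describes: only byte positions where the two copies differ are candidates, and a 4-byte window covering such a position is rewritten only if its little-endian value lies inside the module's address range in both VMs. Which of the two base addresses quoted in the text belongs to which dump, and the module size of 0x6000, are assumptions made here so that the arithmetic reproduces panels (c) and (d); the tampered copy is constructed.

```python
import hashlib

# Rows 0x00-0x20 of the two handler dumps in Figure 5 (hex columns as printed).
# Which base address belongs to which dump is assumed here; with this assignment
# the arithmetic reproduces panels (c)/(d) of the figure.
CODE_A = bytes.fromhex("6a1868a8d77df8e8ff0000008b7d0c8b"
                       "7728837e30010f854f010000a100d97d"
                       "f8ffb0a4000000ff150cd97df88845df")
CODE_B = bytes.fromhex("6a1868a8d77bf8e8ff0000008b7d0c8b"
                       "7728837e30010f854f010000a100d97b"
                       "f8ffb0a4000000ff150cd97bf88845df")
BASE_A, BASE_B = 0xF87DA495, 0xF87BA495   # i8042prt base addresses quoted in the text
MODULE_SIZE = 0x6000                       # assumed SizeOfImage (constructed)
# Rows 0x00-0x20 of panels (c)/(d): the same code once absolute addresses are RVAs again.
EXPECTED_RVA_FORM = bytes.fromhex("6a186813330000e8ff0000008b7d0c8b"
                                  "7728837e30010f854f010000a16b3400"
                                  "00ffb0a4000000ff15773400008845df")
# A constructed tampered copy of CODE_B: one opcode byte flipped at offset 20.
TAMPERED_B = CODE_B[:20] + bytes([CODE_B[20] ^ 0xFF]) + CODE_B[21:]


def _le32(buf, i):
    return int.from_bytes(buf[i:i + 4], "little")


def normalize_rvas(code_a, base_a, size_a, code_b, base_b, size_b):
    """Rewrite absolute addresses back to RVAs in two copies of the same handler.

    Following the text, only positions where the two copies differ are examined. A
    4-byte window covering such a position is rewritten (in both copies) only when
    its little-endian value lies inside the module's range in each VM; any other
    difference is left alone, so a genuine code change survives into the result.
    """
    if len(code_a) != len(code_b):
        raise ValueError("handler code lengths differ")
    out_a, out_b = bytearray(code_a), bytearray(code_b)
    n, i = len(out_a), 0
    while i < n:
        if out_a[i] == out_b[i]:
            i += 1
            continue
        relocated = False
        # The differing byte may sit anywhere in the dword, so try every window covering it.
        for start in range(max(0, i - 3), min(i, n - 4) + 1):
            va_a, va_b = _le32(out_a, start), _le32(out_b, start)
            if base_a <= va_a < base_a + size_a and base_b <= va_b < base_b + size_b:
                out_a[start:start + 4] = (va_a - base_a).to_bytes(4, "little")
                out_b[start:start + 4] = (va_b - base_b).to_bytes(4, "little")
                i, relocated = start + 4, True
                break
        if not relocated:
            i += 1                      # unexplained difference: keep it for Rule 2 to see
    return bytes(out_a), bytes(out_b)


def differing_offsets(a, b):
    """Byte offsets at which two equal-length buffers differ."""
    return [i for i, (x, y) in enumerate(zip(a, b)) if x != y]


def rule2_consistent(code_a, base_a, size_a, code_b, base_b, size_b):
    """Rule 2: hash the normalized handler code of two VMs and compare (MD5 as in Figure 5)."""
    try:
        norm_a, norm_b = normalize_rvas(code_a, base_a, size_a, code_b, base_b, size_b)
    except ValueError:
        return False
    return hashlib.md5(norm_a).hexdigest() == hashlib.md5(norm_b).hexdigest()


if __name__ == "__main__":
    norm_a, norm_b = normalize_rvas(CODE_A, BASE_A, MODULE_SIZE, CODE_B, BASE_B, MODULE_SIZE)
    print("normalized copies match Figure 5 (c)/(d):", norm_a == norm_b == EXPECTED_RVA_FORM)
    print("tampered copy passes Rule 2:",
          rule2_consistent(CODE_A, BASE_A, MODULE_SIZE, TAMPERED_B, BASE_B, MODULE_SIZE))
```

In the sample the three differing bytes (push 0xF87DD7A8, mov eax,[0xF87DD900] and call [0xF87DD90C] in one VM, the corresponding 0xF87B... values in the other) all fall inside the module range and become the RVAs 0x3313, 0x346B and 0x3477 that panels (c) and (d) show. A difference that no in-range window explains, such as the flipped byte in the tampered copy, is left in place, the MD5 values diverge, and differing_offsets tells the analyst where to look. The limitation stated for Rule 2 in Section 3.4 is unchanged: code modified identically in every VM normalizes identically and is not flagged by this rule.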
Rules 3 and 4: Rules 3 and 4 check the base address of the interrupt handler code in the address range of the kernel modules and check the offset of the handler base address from the base address of its respective module. Integrity-Checker has the list of kernel modules and their address ranges (where the address ranges are exclusive and do not overlap). Integrity-Checker searches the base address of the interrupt handler to check if it is within the address range of a module. It uses a binary search that requires the list associated with a module to be sorted according to the base address. When the handler base address is found in the address range of a module, the module is considered to be a holder of the interrupt handler. The module base address is also used to compute the offset between the base addresses of the module and the handler, which is then matched across VMs.
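Rules 3 and 4 combined with the majority vote of Section 3.3, as an added example that is not part of the paper's code. The module lists, handler addresses and VM names are constructed; the handler RVA 0x3313 is the value Figure 5 exhibits for vector 0x31, and the module list shape (DllBase, SizeOfImage) mirrors what Info-Extractor collects from PsLoadedModuleList.

```python
import bisect
from collections import Counter

# Constructed per-VM module lists, in the form Info-Extractor would gather them from
# PsLoadedModuleList: (DllBase, SizeOfImage, name). Bases and sizes are made up; the
# handler RVA 0x3313 is the value Figure 5 exhibits for vector 0x31.
POOL_MODULES = {
    "VM1": [(0x804D7000, 0x1F8000, "ntoskrnl.exe"), (0xF87BA000, 0x6000, "i8042prt.sys")],
    "VM2": [(0x804D7000, 0x1F8000, "ntoskrnl.exe"), (0xF87DA000, 0x6000, "i8042prt.sys")],
    "VM3": [(0x804D7000, 0x1F8000, "ntoskrnl.exe"), (0xF8700000, 0x6000, "i8042prt.sys")],
    "VM4": [(0x804D7000, 0x1F8000, "ntoskrnl.exe"), (0xF8720000, 0x6000, "i8042prt.sys")],
    "VM5": [(0x804D7000, 0x1F8000, "ntoskrnl.exe"), (0xF8740000, 0x6000, "i8042prt.sys")],
}
# Handler base addresses for vector 0x31 in each VM (constructed). VM4's handler lies in
# the right driver but at a different offset; VM5's lies outside every loaded module.
HANDLERS_0X31 = {
    "VM1": 0xF87BA000 + 0x3313,
    "VM2": 0xF87DA000 + 0x3313,
    "VM3": 0xF8700000 + 0x3313,
    "VM4": 0xF8720000 + 0x3413,
    "VM5": 0xC0000000,
}


def find_module(modules, addr):
    """Rule 3 lookup: binary search over non-overlapping ranges sorted by base.

    Returns (module name, offset of addr from DllBase), or None if no module holds addr.
    """
    ordered = sorted(modules)
    bases = [base for base, _, _ in ordered]
    i = bisect.bisect_right(bases, addr) - 1     # last module whose base is <= addr
    if i >= 0:
        base, size, name = ordered[i]
        if base <= addr < base + size:
            return name, addr - base
    return None


def check_handler_placement(handlers, pool_modules):
    """Apply Rules 3 and 4 to one vector across the pool; returns {vm: verdict}.

    Rule 3 fails when the handler is in no module. Rule 4 compares (module, offset)
    pairs and, as Section 3.3 describes, takes the majority pair as the reference;
    VMs that disagree with it are flagged.
    """
    verdicts, located = {}, {}
    for vm, addr in handlers.items():
        hit = find_module(pool_modules[vm], addr)
        if hit is None:
            verdicts[vm] = "rule3 violated: handler at %#x is outside every module" % addr
        else:
            located[vm] = hit
    if located:
        (ref_name, ref_off), votes = Counter(located.values()).most_common(1)[0]
        for vm, (name, off) in located.items():
            if (name, off) == (ref_name, ref_off):
                verdicts[vm] = "ok"
            else:
                verdicts[vm] = ("rule4 violated: %s+%#x, majority (%d VMs) is %s+%#x"
                                % (name, off, votes, ref_name, ref_off))
    return verdicts


if __name__ == "__main__":
    for vm, verdict in sorted(check_handler_placement(HANDLERS_0X31, POOL_MODULES).items()):
        print(vm, verdict)
```

The end of each range is exclusive, so an address equal to DllBase + SizeOfImage belongs to no module. A tie in the vote (two VMs at one offset, two at another) has no majority and Counter.most_common then returns whichever pair it counted first; a deployment should report such a tie as inconclusive rather than as a verdict, which is the condition Section 3.3 places on the majority-vote strategy.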
5. Evaluation

This section presents the results of several experiments that evaluated the effectiveness and efficiency of IDTchecker.

5.1 Experimental Setup

We built a small-scale cloud server for the experiments. The server ran Xen 4.1.3 on an Intel Core 2 Quad (4 * 2.83 GHz cores) with 8 GB RAM. We created seven VMs (i.e., DomUs) using Xen. Each VM had 1 GB RAM, a 10 GB hard disk and ran Windows XP (Service Pack 2) using hardware-assisted virtualization. The privileged VM (i.e., Dom0) ran Fedora 16 with the 3.4.9-2.fc16.x86_64 kernel.
5.2 Integrity Checking

IDTchecker is designed to detect integrity violations in the IDT and its corresponding interrupt handlers. This section presents the results of experiments that violated IDT integrity in various ways. The experiments employed real-world malware to manipulate the IDT and execute malicious code.

5.2.1 Hooking an Interrupt. Each IDT descriptor has a 32-bit pointer that points to an interrupt handler or the Kinterrupt structure. Each pointer is formed from the two 16-bit fields in the descriptor, which are the lower and higher 16 bits of the pointer address. Techniques are available to exploit this pointer to redirect control flow to malicious code [6]. This experiment modified the IDT pointer and tested if IDTchecker could detect the modification. An implicit malfunctioning behavior of the IDTGuard tool [19] was used to effect the modification. As discussed in Section 2, this tool is designed to check IDT integrity by separately computing the pointer values and comparing them with the values in the IDT. However, the computation is only possible when the interrupt handlers are located in the kernel code (i.e., ntoskrnl.exe). When IDTGuard computes the value of the pointer to Kinterrupt (because the interrupt handler is in a kernel module), it computes a pointer value of a random location in the kernel code. Thus, we used IDTGuard to replace the original pointer value in the IDT with the random pointer value. IDTchecker was able to detect the modification by showing that the code pointed to by the pointer was different from the code pointed to by the pointers in the other VMs.
5.2.2 Hooking an Interrupt Handler. An interrupt handler can also be patched in order to run malicious code [6]. This change would not modify the pointer in the IDT, but the actual code that is executed to handle an interrupt. This experiment used a customized driver for a programmed I/O device [11] with an interrupt handler. When the driver was loaded, the interrupt handler was registered with an interrupt vector. We used an IDT entry (0x3e) that was originally registered with the atapi!IdePortInterrupt handler. Next, we disabled the IDE channel to free system resources to hold the programmed I/O device [11]. We then installed the driver for this device, which also registered the interrupt handler with vector 0x3e. IDTchecker detected the modification by comparing the IDTs across the other VMs and showing that the interrupt handler code for vector 0x3e was different from the corresponding code in the other VMs.
5.2.3 IDT Manipulation via Malware. Real-world malware and IDT exploitation techniques can modify IDT pointers and interrupt handler code in order to run malicious code. Three experiments were conducted to test the performance of IDTchecker in the face of IDT manipulation via malware.

Subverting the Windows Kernel: As discussed by Skape [18], rootkits that directly replace IDT entries leave many traces and are, therefore, not stealthy. Rootkits that are largely undetectable by common scanners rely on overwriting an interrupt handler such as the KiInterruptTemplate routine pointed to by the interrupt vector. mxatone and ivanlef0u [10] have demonstrated how to attach keylogging or packet sniffing code via IDT hooking. Their technique searches for the code "mov edi, ; jmp edi;" and modifies the pointer in KiInterruptTemplate to point to the maliciously crafted Kinterrupt structure that contains calls to the kernel routines that can gather keyboard strokes or network packets. The original interrupt handler will still execute after the malicious interrupt handler because the malicious code returns to the legitimate Kinterrupt structure. After modifications were made to the Kinterrupt structure, IDTchecker was able to detect the code injection by KinterruptTemplate pointer modification.
Direct Kernel Hooking: A proof-of-concept malware [2] registers a dummy driver that hooks interrupt vectors 0x01 and 0x03 to functions that represent a USB storage device as a regular disk drive. This is done by capturing calls to IoCreateDevice() that take a pointer to the DRIVER_OBJECT of the newly-added device and replaces the MajorFunction (IRP_MJ_DEVICE_CONTROL) with the malicious function sitting in the dummy driver. As a result, every system call to the USB device driver USBSTOR can be intercepted and monitored. In order to do so, the malware hooks IoCreateDevice() by inserting instructions into the executable code. An IDT hooking function contained within the dummy driver is called directly from the dummy driver. The hookIDT() calling function preserves the old interrupts (0x01 and 0x03) that are to be hooked. After the original IDT has been preserved, the hooking mechanism can be unleashed, which hooks the debugging interrupts 0x01 and 0x03. After this is done, the original IDT is restored and the addresses of newly-created hooks are added to the list of hooked IDT entries. IDTchecker ran a comparative analysis of two VMs, where one of the VMs (VM1) had registered the malicious driver. IDTchecker detected the changes made to the interrupt handler code for 0x01 and 0x03 by identifying that the dispatcher code size was mismatched. Furthermore, IDTchecker detected that the offset of the start address of the handler from the driver base address in the infected VM1 had a value of F7C477C0. Since the maximum address range for the kernel functions was F7C3A000, the address detected was outside the address range of the kernel code and, furthermore, did not match the value 8053d4E4 in VM2, which was inside the address range of the kernel code. Further examination of the assembly dump provided by the IDTchecker revealed that the expected assembly instructions were overwritten by the interrupt hooking.

Figure 6. IDT and interrupt handler dumps. [WinDbg screenshots not reproduced.]
STraceFuzen Interrupt Hooking: This experiment used the STraceFuzen [3] malware, which hooks the IDT on the system service descriptor table (SSDT) interrupt vector 0x2E. When an application needs the assistance of the operating system via the SSDT, NTDLL.DLL issues interrupt 0x2E to transfer from user space to kernel space. The malware saves the address of the original interrupt handler and changes it to the address of its own code. When an application makes a request via the SSDT, the hook is called before the kernel function in the SSDT.

We used two identical VMs that ran Windows XP (SP2). The malware was executed on one machine and the changes were observed using the WinDbg Windows debugger; the changes were then compared with those in the uninfected machine. Figure 6 shows the IDT and interrupt handler dumps in WinDbg before and after the STraceFuzen malware infection. Note that the pointer for the 0x2E vector and the interrupt handler code in the infected machine were modified. IDTchecker successfully detected both the modifications.
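The checks exercised by the three experiments above (a handler pointer outside the kernel code range, a pointer that disagrees with the other VMs, and a dispatcher code size mismatch), together with the majority vote over identical VMs that the Conclusions describe, can be written down compactly. The following Python block is an added illustration and is not IDTchecker's own code or the Volatility plugin: it decodes constructed 32-bit IDT dumps for three VMs, applies the rules vector by vector, and reports every VM whose value departs from the majority. The kernel code range, the clean handler addresses and the handler byte stubs are constructed for the sample; only the hooked pointer value F7C477C0 is reused from the Direct Kernel Hooking experiment. The gate layout is the IA-32 8-byte interrupt gate (offset low 16 bits, selector, reserved byte, type/attribute byte, offset high 16 bits).

```python
"""Cross-VM IDT consistency rules over constructed dumps (added example)."""
import struct
from collections import Counter

GATE_SIZE = 8                                   # IA-32 interrupt gate descriptor
KERNEL_CODE_RANGE = (0x80400000, 0x80800000)     # constructed range for the sample kernel


def decode_gate(raw):
    """Decode one 8-byte IA-32 gate into handler address, selector and attributes."""
    off_lo, selector, _reserved, type_attr, off_hi = struct.unpack("<HHBBH", raw)
    return {
        "handler": (off_hi << 16) | off_lo,      # linear address of the handler
        "selector": selector,                     # code segment selector (GDT index)
        "present": bool(type_attr & 0x80),
        "dpl": (type_attr >> 5) & 0x3,
        "gate_type": type_attr & 0x0F,            # 0xE = 32-bit interrupt gate, 0xF = trap gate
    }


def encode_gate(handler, selector=0x0008, type_attr=0x8E):
    """Build an 8-byte present, DPL0, 32-bit interrupt gate (used only to construct dumps)."""
    return struct.pack("<HHBBH", handler & 0xFFFF, selector, 0, type_attr, handler >> 16)


def parse_idt(idt_bytes):
    """Split a raw IDT dump into decoded gates indexed by vector number."""
    return [decode_gate(idt_bytes[i:i + GATE_SIZE]) for i in range(0, len(idt_bytes), GATE_SIZE)]


def majority(values):
    """Return (winner, count) of the most common value, or (None, count) on a tie."""
    counts = Counter(values).most_common()
    if len(counts) > 1 and counts[0][1] == counts[1][1]:
        return None, counts[0][1]
    return counts[0]


def check_idts(vm_idts, vm_code, kernel_range):
    """Apply the rules. vm_idts: {vm: raw IDT bytes}; vm_code: {vm: {vector: handler bytes}}.

    Returns (vm, vector, rule, detail) tuples. With no clear majority every VM
    that disagrees is flagged, so a two-VM comparison cannot single out the culprit.
    """
    findings = []
    parsed = {vm: parse_idt(raw) for vm, raw in vm_idts.items()}
    n_vectors = min(len(gates) for gates in parsed.values())
    lo, hi = kernel_range
    for vec in range(n_vectors):
        # Rule 1: a present gate's handler pointer must lie inside the kernel code range.
        for vm, gates in parsed.items():
            h = gates[vec]["handler"]
            if gates[vec]["present"] and not (lo <= h < hi):
                findings.append((vm, vec, "pointer-range", f"{h:08X} outside {lo:08X}-{hi:08X}"))
        # Rule 2: identical kernels carry identical handler pointers; the majority is the reference.
        ptrs = {vm: gates[vec]["handler"] for vm, gates in parsed.items()}
        ref, _ = majority(ptrs.values())
        if len(set(ptrs.values())) > 1:
            for vm, h in ptrs.items():
                if ref is None or h != ref:
                    ref_txt = f"{ref:08X}" if ref is not None else "undecided"
                    findings.append((vm, vec, "pointer-mismatch", f"{h:08X}, majority {ref_txt}"))
        # Rule 3: the dispatcher code behind each vector must match in size and bytes.
        codes = {vm: code.get(vec, b"") for vm, code in vm_code.items()}
        ref_code, _ = majority(codes.values())
        if len(set(codes.values())) > 1:
            for vm, c in codes.items():
                if ref_code is None or c != ref_code:
                    size_differs = ref_code is not None and len(c) != len(ref_code)
                    findings.append((vm, vec, "code-size" if size_differs else "code-bytes", c.hex()))
    return findings


def compromised_vms(findings):
    """Set of VM names that tripped at least one rule."""
    return {vm for vm, _, _, _ in findings}


def build_sample():
    """Constructed dumps: three VMs with a 4-vector IDT; VM1's vector 0x01 is hooked."""
    clean_handlers = [0x80503A10, 0x80503A40, 0x80503A70, 0x80503AA0]        # constructed
    clean_idt = b"".join(encode_gate(h) for h in clean_handlers)
    # constructed 8-byte dispatcher stubs: push 0; push imm32; jmp ...
    clean_code = {v: b"\x6a\x00\x68" + struct.pack("<I", h) + b"\xe9" for v, h in enumerate(clean_handlers)}
    hooked = bytearray(clean_idt)
    hooked[GATE_SIZE:2 * GATE_SIZE] = encode_gate(0xF7C477C0)               # value from the experiment
    hooked_code = dict(clean_code)
    hooked_code[1] = b"\xe9" + struct.pack("<I", 0x11223344)                 # constructed 5-byte jump stub
    vm_idts = {"VM1": bytes(hooked), "VM2": clean_idt, "VM3": clean_idt}
    vm_code = {"VM1": hooked_code, "VM2": clean_code, "VM3": clean_code}
    return vm_idts, vm_code


def run_sample():
    vm_idts, vm_code = build_sample()
    return check_idts(vm_idts, vm_code, KERNEL_CODE_RANGE)


if __name__ == "__main__":
    for vm, vec, rule, detail in run_sample():
        print(f"{vm} vector 0x{vec:02X}: {rule}: {detail}")
```

On the three-VM sample only VM1 is reported, on all three rules for vector 0x01. Dropping VM3 leaves a two-VM comparison in which the pointer-range rule still names VM1 but the two comparison rules flag both VMs, which is the situation the paper describes when no majority exists.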
5.3 Runtime Performance

This section discusses the runtime performance of IDTchecker for guest VMs that were idle and for VMs that were exhaustively using their resources. It also discusses the impact of IDTchecker on guest VM resources along with the memory overhead of IDTchecker in the privileged VM.

5.3.1 Best Case and Worst Case Scenarios.

The best and worst running times for IDTchecker were identified by tests using idle and fully-loaded VMs. For the best case scenario, the guest VMs remained idle so that IDTchecker would have all the available system resources. In the worst case scenario, the guest VMs executed resource-intensive processes that consumed most of the system resources (CPU, RAM and I/O), leaving IDTchecker very limited physical resources for execution.

Figures 7 and 8 show the execution times of IDTchecker and its components for different numbers of idle VMs and fully-loaded VMs, respectively. The figures show similar runtime patterns for the IDTchecker components, with Code-Extractor consuming most of the resources. This is because, unlike Table-Extractor and Info-Extractor, Code-Extractor has to access guest VM memory several times in order to retrieve different chunks of memory corresponding to the interrupt vectors in the IDT. For instance, if there are 100 interrupt gates in the IDT, then Code-Extractor has to access memory 300 times, once for each of the three associated memory elements per interrupt gate. On the other hand, Table-Extractor has to access memory only twice: once to access the IDT and a second time to access the GDT.

Linear growth is observed in the execution time of IDTchecker as the number of VMs is increased. This is because IDTchecker accesses the VMs sequentially, reading the memory of one VM at a time. This is also the reason why Code-Extractor shows the same behavior as IDTchecker. On the other hand, the execution time of Integrity-Checker remains constant as the number of VMs is increased. This is because Integrity-Checker does not access the guest VM memory, and only needs to apply the four rules to the processed VM data.
5.3.2 Impact on Guest VM Resources.

Because the components of IDTchecker execute outside a guest VM, there should be a minimal performance impact on the guest VM resources. Figures 9 and 10 show the processor and memory usage for an almost idle guest VM. The boxes in the figures show zoomed-in portions from the original graphs when IDTchecker was accessing guest VM memory. The slight sign of disturbance is caused by the monitoring of system resource usage from within the VM. The boxes correspond to the time frames when IDTchecker was running on the guest VM and extracting the tables and memory chunks from the physical memory of the VM. The graphs show that no significant perturbations are induced by IDTchecker on the processor and memory resources of the guest VM. Thus, we can conclude that IDTchecker does not have a significant impact on guest VM resources.

Figure 7. Execution times of IDTchecker and its components for an idle VM.

Figure 8. Execution times of IDTchecker and its components for a fully-loaded VM. (x-axis: Number of Virtual Machines, 2 to 7; series include Integrity-Checker.)
5.3.3 Memory Overhead.

Figure 11 shows the memory overhead of IDTchecker on a privileged VM running Fedora 16. The boxes correspond to the time frames when IDTchecker was running on the VM, and they show zoomed-in portions from the original graphs. Approximately 500 MB RAM was available to IDTchecker because the other seven guest VMs occupied 7 GB of memory and the Fedora operating system occupied 500 MB. During the tests, the machine was idle with the exception of the usage monitoring process. A 10 to 15 MB perturbation in memory usage was caused by IDTchecker; this is just 2 to 3% of the total available memory. No usage of virtual memory was observed. The boxes in Figure 11 show the zoomed-in portions of the perturbations related to physical memory usage.

Figure 9. IDTchecker CPU usage.

Figure 10. IDTchecker memory usage. (x-axis: Runtime (seconds); series: Physical memory, Virtual memory.)
6. Conclusions

The IDTchecker tool is designed to check the integrity of IDTs and the corresponding interrupt handling code in guest VMs running in cloud environments. IDTchecker provides alerts when a VM is compromised using a majority vote based on the outputs of a set of pre-defined rules. However, IDTchecker cannot identify exactly which VM is compromised. Thus, the tool is best used to detect the first signs of compromise, which can then trigger a resource-intensive forensic investigation to find the root cause of the problem. Experiments demonstrate that IDTchecker is effective at detecting modifications to pointer values and interrupt handler code. Runtime performance testing of IDTchecker shows linear growth in execution time as the number of VMs is increased. Also, IDTchecker has a minimal impact on guest VM resources such as processor and memory.

Figure 11. IDTchecker memory overhead for a privileged VM. (x-axis: Runtime (seconds); series: Physical memory, Virtual memory.)
Acknowledgement

This research was supported by NSF Grant No. CNS 1016807.
References

[1] I. Ahmed, A. Zoranic, S. Javaid and G. Richard III, ModChecker: Kernel module integrity checking in the cloud environment, Proceedings of the Forty-First International Conference on Parallel Processing Workshops, pp. 306–313, 2012.
[2] A. Bassov, Hooking the kernel directly (www.codeproject.com/Articles/13677/Hooking-the-kernel-directly), 2006.
[3] J. Butler and G. Hoglund, Rootkits: Subverting the Windows Kernel, Addison-Wesley, Boston, Massachusetts, 2005.
[4] T. Garfinkel and M. Rosenblum, A virtual machine introspection based architecture for intrusion detection, Proceedings of the Network and Distributed System Security Symposium, pp. 191–206, 2003.
[5] Intel, Intel 64 and IA-32 Architectures Software Developer's Manuals, Santa Clara, California (www.intel.com/content/www/us/en/processors/architectures-software-developer-manuals.html), 2013.
[6] Kad, Handling the interrupt descriptor table for fun and profit, Phrack, vol. 0x0b(0x3b), 2002.
[7] G. Kroah-Hartman, Signed kernel modules, Linux Journal, vol. 2004(117), article no. 4, 2004.
[8] P. Loscocco, P. Wilson, J. Pendergrass and C. McDonell, Linux kernel integrity measurement using contextual inspection, Proceedings of the Second ACM Workshop on Scalable Trusted Computing, pp. 21–29, 2007.
[9] Microsoft, Digital Signatures for Kernel Modules on Windows, Redmond, Washington (msdn.microsoft.com/en-us/library/windows/hardware/gg487332.aspx), 2007.
[10] mxatone and ivanlef0u, Stealth hooking: Another way to subvert the Windows kernel, Phrack, vol. 0x0c(0x41), 2008.
[11] W. Oney, Programming the Microsoft Windows Driver Model, Microsoft Press, Redmond, Washington, 2002.
[12] Opdis Project, Opdis (mkfs.github.com/content/opdis).
[13] OpenSSL Core and Development Team, OpenSSL Cryptography and SSL/TLS Toolkit (www.openssl.org), 2009.
[14] pragmatic, (Nearly) complete Linux loadable kernel modules: The definitive guide for hackers, virus coders and system administrators (newdata.box.sk/raven/lkm.html), 1999.
[15] J. Rutkowska, System virginity verifier: Defining the roadmap for malware detection in Windows systems, presented at the Hack in the Box Conference, 2005.
[16] sd and devik, Linux on-the-fly kernel patching without LKM, Phrack, vol. 0x0b(0x3a), 2001.
[17] A. Seshadri, M. Luk, E. Shi, A. Perrig, L. van Doorn and P. Khosla, Pioneer: Verifying code integrity and enforcing untampered code execution on legacy systems, Proceedings of the Twentieth ACM Symposium on Operating Systems Principles, pp. 1–16, 2005.
[18] S. Skape, Bypassing PatchGuard on Windows x64 (uninformed.org/?v=3&a=3&t=sumry), 2005.
[19] M. Suiche, IDTGuard v0.1 December 2005 Build (www.msuiche.net/2006/12/10/idtguard-v01-december-2005-build), 2005.
[20] VMITools Project, LibVMI (code.google.com/p/vmitools).
[21] Volatility Project, The Volatility Framework (code.google.com/p/volatility).
[22] Volatility Project, Volatility Plugin (code.google.com/p/volatility/source/browse/trunk/volatility/plugins/linux/check_idt.py?spec=svn2273&r=2273).
[23] Xen Project, Xen, Cambridge, United Kingdom (www.xenproject.org).
