EopMon
Introduction
EopMon is a hypervisor-based elevation of privilege (EoP) detector. It can spots a process with a stolen system token and terminate it by utilizing hypervisor's ability to monitor process context-swiching.
While EopMon is tested against multiple EoP exploits carried out by in the wild malware (*1), it is rather meant to be an educational tool to demonstrate a potential use case of a hypervisor for security research and not aimed for comprehensive exploit prevention.
EopMon is implemented on the top of HyperPlatform. See a project page for more details of HyperPlatform:
*1: Tested samples
- 2183be234b52ea2c5102fbc966de40476eef77c7, Necurs (CVE-2015-0057)
- 4fe035b4359242f62248f44e65fda580d89459af, Gozi (CVE-2015-2387)
Installation and Uninstallation
Clone full source code from Github with a below command and compile it on Visual Studio.
$ git clone --recursive https://github.com/tandasat/EopMon.git
On the x64 platform, you have to enable test signing to install the driver. To do that, open the command prompt with the administrator privilege and type the following command, and then restart the system to activate the change:
>bcdedit /set testsigning on
To install and uninstall the driver, use the 'sc' command. For installation:
>sc create EopMon type= kernel binPath= C:\Users\user\Desktop\EopMon.sys
>sc start EopMon
For uninstallation:
>sc stop EopMon
>sc delete EopMon
>bcdedit /deletevalue testsigning
Note that the system must support the Intel VT-x and EPT technology to successfully install the driver.
To install the driver on a virtual machine on VMware Workstation, see an "Using VMware Workstation" section in the HyperPlatform User Document.
Output
All logs are printed out to DbgView and saved in C:\Windows\EopMon.log.
Source Navigation
All code specific to EopMon is in eopmon.cpp.
When the EopMon is loaded, EopmonInitializaion() enumerates all processes and remembers system process tokens first. Then, once processors are virtualized, EopmonCheckCurrentProcessToken() gets called when CR3 is being updated and checks if the current process has any of the system tokens but not its original owner process. If so, EopMon schedules EopmonpTerminateProcessWorkerRoutine() to terminate the process and it child processes as soon as possible.
Caveats
EopMon is meant to be an educational tool and not robust, production quality software which is able to handle various edge cases. For example, EopMon is unable to detect direct shellcode execution in user address space through replacing a function pointer in the kernel, or _TOKEN::_SEP_TOKEN_PRIVILEGES manipulation[1] enabling privileges without copying a token itself. For this reason, researchers are encouraged to use this project only as a reference to examine and develop ideas of using a hypervisor.
- [1] Easy local Windows Kernel exploitation - https://media.blackhat.com/bh-us-12/Briefings/Cerrudo/BH_US_12_Cerrudo_Windows_Kernel_WP.pdf
Supported Platforms
- x86 and x64 Windows 7, 8.1 and 10
- The system must support the Intel VT-x and EPT technology
License
This software is released under the MIT License, see LICENSE.