tandasat/MemoryMon tandasat/MemoryMon

  • Stars
    star
    252
  • Rank 161,312 (Top 4 %)
  • Language
    C++
  • License
    MIT License
  • Created over 8 years ago
  • Updated over 6 years ago
Twitter logo Share LinkedIn logo Share Facebook logo Share
tandasat/MemoryMon
github

tandasat

Reviews

There are no reviews yet. Be the first to send feedback to the community and the maintainers!

Repository Details

Detecting execution of kernel memory where is not backed by any image file

MemoryMon

Introduction

MemoryMon is able to detect execution of kernel memory where is not backed by any image file (kernel modules) using extended page table (EPT). It can help researchers analyze kernel mode code installs and runs code outside of an image file.

A demo video using MemoryMon against Turla rootkit can be found in Youtube:

MemoryMon is implemented on the top of HyperPlatform. See a project page for more details of HyperPlatform:

Installation and Uninstallation

Clone full source code from Github with a below command and compile it on Visual Studio.

$ git clone --recursive https://github.com/tandasat/MemoryMon.git

On the x64 platform, you have to enable test signing to install the driver. To do that, open the command prompt with the administrator privilege and type the following command, and then restart the system to activate the change:

>bcdedit /set testsigning on

To install and uninstall the driver, use the 'sc' command. For installation:

>sc create MemoryMon type= kernel binPath= C:\Users\user\Desktop\MemoryMon.sys
>sc start MemoryMon

For uninstallation:

>sc stop MemoryMon
>sc delete MemoryMon
>bcdedit /deletevalue testsigning

Note that the system must support the Intel VT-x and EPT technology to successfully install the driver.

To install the driver on a virtual machine on VMware Workstation, see an "Using VMware Workstation" section in the HyperPlatform User Document.

Output

All logs are printed out to DbgView and saved in C:\Windows\MemoryMon.log.

On a 64bit Windows, activities of PatchGuard are usually observed. The following are those logs seen on Windows 7 system.

08:47:07.276	INF	#0	    4	    0	System         	[EXEC] *** VA = FFFFFA800194A468, PA = 000000007fe89468, Return = FFFFF80002AD8C1C, ReturnBase = FFFFF80002A5A000
08:47:07.276	INF	#0	    4	    0	System         	[EXEC] *** VA = FFFFFA8003D46007, PA = 000000007db46007, Return = FFFFFA800194A4AD, ReturnBase = 0000000000000000
08:47:07.276	INF	#0	    4	    0	System         	[EXEC] *** VA = FFFFFA8003D47580, PA = 000000007db47580, Return = FFFFFA8003D460B0, ReturnBase = 0000000000000000
08:47:07.291	INF	#0	    4	   64	System         	[EXEC] *** VA = FFFFFA8003D4AE1C, PA = 000000007db4ae1c, Return = FFFFF80002AD7B69, ReturnBase = FFFFF80002A5A000
08:47:07.291	INF	#0	    4	   64	System         	[EXEC] *** VA = FFFFFA8003D4856B, PA = 000000007db4856b, Return = 0000000000000004, ReturnBase = 0000000000000000

The first line indicates that a virtual address FFFFFA800194A468 is executed and its potential return address is FFFFF80002AD8C1C. Since execution of a non-image region is not always triggered by the CALL instruction, a reported return address can be wrong. For instance, the last line reports return address 0000000000000004.

Note that symbols names can be resolved with hyperplatform_log_parser. The above logs are parsed as followings, for example:

08:47:07.276     4:    0 executed fffffa800194a468, will return to fffff80002ad8c1c nt!KiRetireDpcList+0x1bc
08:47:07.276     4:    0 executed fffffa8003d46007, will return to fffffa800194a4ad
08:47:07.276     4:    0 executed fffffa8003d47580, will return to fffffa8003d460b0
08:47:07.291     4:   64 executed fffffa8003d4ae1c, will return to fffff80002ad7b69 nt!ExpWorkerThread+0x111
08:45:07.265     4:   64 executed fffffa8002626629, will return to                4

See a project page for more details.

Supported Platforms

  • x86 and x64 Windows 7, 8.1 and 10
  • The system must support the Intel VT-x and EPT technology

License

This software is released under the MIT License, see LICENSE.

More Repositories

1

HyperPlatform

Intel VT-x based hypervisor aiming to provide a thin VM-exit filtering platform on Windows.
C++
1,519
star
2

DdiMon

Monitoring and controlling kernel API calls with stealth hook using EPT
C++
1,146
star
3

Hypervisor-101-in-Rust

The materials of "Hypervisor 101 in Rust", a one-day long course, to quickly learn hardware-assisted virtualization technology and its application for high-performance fuzzing on Intel/AMD processors.
Rust
981
star
4

MiniVisorPkg

The research UEFI hypervisor that supports booting an operating system.
C
546
star
5

SimpleSvmHook

SimpleSvmHook is a research purpose hypervisor for Windows on AMD processors.
C++
351
star
6

SimpleSvm

A minimalistic educational hypervisor for Windows on AMD processors.
C++
317
star
7

PgResarch

PatchGuard Research
C++
288
star
8

ExploitCapcom

This is a standalone exploit for a vulnerable feature in Capcom.sys
C++
280
star
9

DotNetHooking

Sample use cases of the .NET native code hooking technique
C#
201
star
10

barevisor

A bare minimum hypervisor on AMD and Intel processors for learners.
Rust
189
star
11

scripts_for_RE

Python scripts for reverse engineering.
Python
178
star
12

GuardMon

Hypervisor based tool for monitoring system register accesses.
C++
140
star
13

UefiVarMonitor

The runtime DXE driver monitoring access to the UEFI variables by hooking the runtime service table.
C
136
star
14

SmmExploit

The report and the exploit of CVE-2021-26943, the kernel-to-SMM local privilege escalation vulnerability in ASUS UX360CA BIOS version 303.
133
star
15

hvext

The Windbg extension that implements commands helpful to study Hyper-V on Intel processors.
JavaScript
126
star
16

EopMon

Elevation of privilege detector based on HyperPlatform
C++
117
star
17

Sushi

a Japanese food keeps you sane
C++
117
star
18

findpg

Windbg extension to find PatchGuard pages
C++
116
star
19

UEFI-BIOS-Security

Security Camp 2021 & GCC 2022
111
star
20

WinIoCtlDecoder

IDA Plugin which decodes Windows Device I/O control code into DeviceType, FunctionCode, AccessType and MethodType.
Python
106
star
21

FU_Hypervisor

A hypervisor hiding user-mode memory using EPT
C
104
star
22

WPBT-Builder

The simple UEFI application to create a Windows Platform Binary Table (WPBT) from the UEFI shell.
C
100
star
23

HelloSmm

This is an instruction to run your own SMM code.
C
100
star
24

DebugLogger

A software driver that lets you log kernel-mode debug output into a file on Windows.
C++
97
star
25

Hello-VT-rp

A simple hypervisor demonstrating the use of the Intel VT-rp (redirect protection) technology.
Rust
91
star
26

kraft_dinner

Tool to dump UEFI runtime drivers implementing runtime services for Windows
C
90
star
27

HelloAmdHvPkg

HelloAmdHvPkg is a type-1 research hypervisor for AMD processors.
C
86
star
28

CVE-2023-36427

Report and exploit of CVE-2023-36427
C++
86
star
29

Scavenger

A minifilter driver preserves all modified and deleted files.
C
77
star
30

RemoteWriteMonitor

A tool to help malware analysts tell that the sample is injecting code into other process.
C++
74
star
31

meow

nyā
C++
70
star
32

HelloIommuPkg

The sample DXE runtime driver demonstrating how to program DMA remapping.
C
57
star
33

DumpVTable

Generates a Python script to give public interface names in an ActiveX file to an IDB file.
C++
47
star
34

DrvLoader

A command line tool to load and unload a device driver.
C++
42
star
35

CVE-2022-25949

A years-old exploit of a local EoP vulnerability in Kingsoft Antivirus KWatch Driver version 2009.3.17.77.
C++
35
star
36

cs_driver

A sample project for using Capstone from a driver in Visual Studio 2015
C
34
star
37

CVE-2024-21305

Report and exploit of CVE-2024-21305.
C++
30
star
38

CVE-2014-0816

CVE-2014-0816
C++
24
star
39

tandasat.github.io

HTML
17
star
40

hyperplatform_log_parser

User-mode program parsing logs created by HyperPlatform
C++
17
star
41

ProjectLoadTimeMonitor

The Visual Studio extension that measures load time of each project when a solution file is opened.
C#
16
star
42

recon2024_demo

Provides commands to read from and write to arbitrary kernel-mode memory for users with the Administrator privilege. HVCI compatible. No test signing mode is required.
C++
14
star
43

CheckSDL

A tool evaluates security configurations of a given PE based on SDL without source code
C++
12
star
44

ListWorkItems

Lists work items being queued currently.
C++
12
star
45

DeviceOpener

A command line tool to check if a specified device is accessible.
C++
10
star
46

List-UEFI-Configuration-Tables

List UEFI Configuration Tables
Rust
10
star
47

windbg_init

Windbg Init Script
9
star
48

ScopedResource

Scoped Resource - Generic RAII Wrapper for the Standard Library by Peter Sommerlad and Andrew L. Sandoval
C++
8
star
49

win32_debugout

Shows debug strings on DebubView from an attached process by win32_remote.exe.
C++
8
star
50

ping_vmm

A user-mode program knocking at HyperPlatform's "backdoor"
C++
7
star
51

SecRuntimeSample

A sample usege of SecRuntime.dll on Windows Phone
C++
4
star
52

blog

Ruby
4
star
53

CopyFiles

Copy files onto the IsolatedStorage so that you can download them using IsoStoreSpy.
C#
3
star
54

mylight

Using LED of Samsung Galaxy Ace S5830
Java
2
star
55

tandasat

2
star
56

shared

Manages files that are shared with multiple boxes.
Vim Script
1
star