Sunday, January 27, 2008

Detecting and blocking Shadow Walker

Recently we received a code sample that conceals itself in memory by manipulating the page tables, a technique known as Shadow Walker. Shadow Walker relies on the fact that Intel IA-32 CPUs have two separate address-translation caches: one for instruction fetches (the ITLB) and one for data accesses (the DTLB). It works as follows. The page fault handler (interrupt 0x0e) is hooked, and the page table entries of the pages holding the concealed code are marked not present. From then on, any attempt to read, write or execute those pages raises a page fault. The hooked handler determines whether the faulting access was an instruction fetch or a data access (an instruction fetch faults on its own address, so the faulting address in CR2 equals the faulting instruction pointer). For an execute access the handler lets the ITLB be loaded with the translation of the original code page; for a data access it loads the DTLB with the translation of a harmless fake page. In both cases the entry is left marked not present, so every later TLB miss goes through the handler again. By keeping the ITLB and DTLB desynchronized in this way, Shadow Walker executes its real code while memory scanners that read the same pages see only the fake contents.
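The following is an added user-mode model of the mechanism just described; it is not Shadow Walker's code and not anything from Hypersight RD. It replaces the hardware with a toy one-entry ITLB and DTLB, a single page table entry and a stand-in for the hooked `int 0x0e` handler that classifies each fault by comparing the faulting address with the faulting instruction pointer. The page size, frame contents and addresses are constructed; in the real rootkit the ITLB is filled by letting the CPU re-execute the faulting fetch, which the model does directly.

```c
#include <stdint.h>
#include <string.h>
#include <stdio.h>

/* Toy page size so the frames fit on screen; the mechanism is unchanged. */
#define PAGE_SIZE 16u
#define HIDDEN_VA 0x1000u                 /* virtual page holding the hidden code */
#define PTE_P     0x1u                    /* present bit of a page table entry */

/* Two constructed physical frames: the rootkit's real code and a benign decoy. */
static const uint8_t real_frame[PAGE_SIZE] = "ROOTKIT-CODE!!!";
static const uint8_t fake_frame[PAGE_SIZE] = "nothing-here...";

typedef struct { uint32_t flags; const uint8_t *frame; } pte_t;
typedef struct { int valid; uint32_t vpage; const uint8_t *frame; } tlb_t;

static pte_t pte = { 0, real_frame };     /* PTE for HIDDEN_VA, marked not present */
static tlb_t itlb, dtlb;                  /* one-entry instruction and data TLBs */
static int   pf_count;                    /* page faults taken so far */

/* Stand-in for Shadow Walker's page fault hook.  cr2 is the faulting address,
 * rip the faulting instruction; cr2 == rip means an instruction fetch. */
static void shadow_walker_pf_handler(uint32_t cr2, uint32_t rip)
{
    pf_count++;
    if (cr2 == rip)
        /* Execute access: the CPU must see the real code, so the ITLB gets it. */
        itlb = (tlb_t){ 1, cr2 & ~(PAGE_SIZE - 1), real_frame };
    else
        /* Data access (e.g. a scanner reading memory): the DTLB gets the decoy. */
        dtlb = (tlb_t){ 1, cr2 & ~(PAGE_SIZE - 1), fake_frame };
    pte.flags &= ~PTE_P;                  /* the page stays "missing" for the next walk */
}

/* Instruction fetch at va: the byte the CPU would execute. */
static uint8_t fetch(uint32_t va)
{
    uint32_t vpage = va & ~(PAGE_SIZE - 1);
    if (!(itlb.valid && itlb.vpage == vpage)) {
        if (pte.flags & PTE_P)
            itlb = (tlb_t){ 1, vpage, pte.frame };     /* ordinary page walk */
        else
            shadow_walker_pf_handler(va, va);          /* fault with cr2 == rip */
    }
    return itlb.frame[va & (PAGE_SIZE - 1)];
}

/* Data read at va issued by an instruction located at rip. */
static uint8_t load(uint32_t va, uint32_t rip)
{
    uint32_t vpage = va & ~(PAGE_SIZE - 1);
    if (!(dtlb.valid && dtlb.vpage == vpage)) {
        if (pte.flags & PTE_P)
            dtlb = (tlb_t){ 1, vpage, pte.frame };
        else
            shadow_walker_pf_handler(va, rip);         /* fault with cr2 != rip */
    }
    return dtlb.frame[va & (PAGE_SIZE - 1)];
}

/* A signature scanner reading the hidden page through the data path. */
static int scanner_sees_rootkit(void)
{
    uint8_t buf[PAGE_SIZE];
    for (uint32_t i = 0; i < PAGE_SIZE; i++)
        buf[i] = load(HIDDEN_VA + i, 0xBEEF0000u);   /* scanner code lives elsewhere */
    return memcmp(buf, "ROOTKIT", 7) == 0;
}

/* What the CPU actually executes from the same page. */
static int cpu_executes_rootkit(void)
{
    uint8_t buf[PAGE_SIZE];
    for (uint32_t i = 0; i < PAGE_SIZE; i++)
        buf[i] = fetch(HIDDEN_VA + i);
    return memcmp(buf, "ROOTKIT", 7) == 0;
}

/* A context switch or INVLPG drops both entries; the next access faults again,
 * which is why the hook must stay installed for as long as the page is hidden. */
static void flush_tlbs(void) { itlb.valid = dtlb.valid = 0; }

int main(void)
{
    printf("scanner sees rootkit: %d\n", scanner_sees_rootkit());
    printf("cpu executes rootkit: %d\n", cpu_executes_rootkit());
    printf("page faults taken:    %d\n", pf_count);
    flush_tlbs();
    scanner_sees_rootkit();
    printf("after TLB flush:      %d\n", pf_count);
    return 0;
}
```

The model makes the detection surface visible: every TLB miss on the hidden page is a trip through the hook and a write to the page table entry, and a TLB flush forces that to happen again, which is exactly the activity a monitor of page table writes can observe.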

We ran Shadow Walker on a computer with Hypersight RD 0.3.543 installed.

Test 1. Detecting

In this test Hypersight RD ran with its default settings, under which modifications of the page table are allowed but recorded. After Shadow Walker was started, the Hypersight RD window began to scroll messages about writes to the page table. The window looked as follows.

The figure shows that code which does not belong to any loaded kernel module is writing to the page table. These writes are made by Shadow Walker's page fault handler, which marks the concealed pages present or not present as it loads them into the TLBs.

Test 2. Blocking

For this test we turned on the option "Disable page table modification (unsafe)", which blocks page table modification by untrusted code.

Then Shadow Walker was loaded. The Hypersight RD window took the following form.

You can see that Hypersight RD blocked Shadow Walker's attempts to modify the page table. Shadow Walker could not continue, since it was unable to mark its code pages as not present, so the hidden code stayed visible to any memory read. Thus Shadow Walker was completely blocked. Note that the option is marked unsafe because it blocks every page table write from code outside the trusted modules, not only Shadow Walker's.
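Below is an added model of the policy behind Tests 1 and 2; it is not Hypersight RD's code, and how the product actually intercepts page table writes is not described on this page. The model receives each intercepted write as an event carrying the writer's instruction pointer, attributes it to a loaded module by address range, and either records it (Test 1) or refuses to apply it (Test 2). The module table, addresses and the event stream are constructed; the stream replays the present-bit toggling that Shadow Walker's handler performs on its own code page.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Constructed list of loaded kernel modules (addresses are made up).
 * A page table write from outside these ranges is treated as untrusted. */
typedef struct { const char *name; uint32_t base, size; } module_t;
static const module_t modules[] = {
    { "ntoskrnl.exe", 0x804D7000u, 0x21B000u },
    { "hal.dll",      0x806E2000u, 0x020000u },
};
#define N_MODULES (sizeof modules / sizeof modules[0])

#define PTE_P  0x1u                       /* present bit */
#define N_PTES 4                          /* toy page table */

typedef enum { MODE_LOG, MODE_BLOCK } policy_t;
typedef enum { WRITE_TRUSTED, WRITE_LOGGED, WRITE_BLOCKED } verdict_t;

/* One intercepted write: which code wrote, which entry, and the new value. */
typedef struct { uint32_t writer_eip; unsigned idx; uint32_t value; } pt_write_t;

/* Find the module whose image contains eip; NULL means "no module". */
static const module_t *module_for(uint32_t eip)
{
    for (size_t i = 0; i < N_MODULES; i++)
        if (eip >= modules[i].base && eip - modules[i].base < modules[i].size)
            return &modules[i];
    return NULL;
}

/* Apply the policy to one write.  Trusted writes always go through; untrusted
 * ones are applied and logged in MODE_LOG, and refused in MODE_BLOCK. */
static verdict_t handle_pt_write(uint32_t pt[], const pt_write_t *w, policy_t mode)
{
    const module_t *m = module_for(w->writer_eip);
    if (m) {
        pt[w->idx] = w->value;
        return WRITE_TRUSTED;
    }
    if (mode == MODE_BLOCK) {
        printf("BLOCKED page table write from unknown code %08x: pte[%u] = %08x\n",
               w->writer_eip, w->idx, w->value);
        return WRITE_BLOCKED;
    }
    printf("page table write from unknown code %08x: pte[%u] = %08x\n",
           w->writer_eip, w->idx, w->value);
    pt[w->idx] = w->value;
    return WRITE_LOGGED;
}

/* Constructed event stream: one legitimate kernel write, then the rootkit's
 * handler (at an address in no module) toggling the present bit of entry 1,
 * the entry that maps its own code page. */
static const pt_write_t events[] = {
    { 0x804E1F20u, 0, 0x01A3B003u },    /* ntoskrnl maps a fresh page          */
    { 0x8A3F1234u, 1, 0x02C1E002u },    /* rootkit: clear P to hide the page   */
    { 0x8A3F1280u, 1, 0x02C1E003u },    /* rootkit: set P again for a TLB fill */
    { 0x8A3F1234u, 1, 0x02C1E002u },    /* rootkit: hide again                 */
};

typedef struct { int trusted, logged, blocked, hidden_page_present; } result_t;

/* Replay the stream under one policy and report what happened to entry 1. */
static result_t run(policy_t mode)
{
    uint32_t pt[N_PTES] = { 0x01000003u, 0x02C1E003u, 0, 0 };  /* entry 1 present */
    result_t r = { 0, 0, 0, 0 };
    for (size_t i = 0; i < sizeof events / sizeof events[0]; i++) {
        switch (handle_pt_write(pt, &events[i], mode)) {
        case WRITE_TRUSTED: r.trusted++; break;
        case WRITE_LOGGED:  r.logged++;  break;
        case WRITE_BLOCKED: r.blocked++; break;
        }
    }
    r.hidden_page_present = (pt[1] & PTE_P) != 0;
    return r;
}

int main(void)
{
    result_t a = run(MODE_LOG), b = run(MODE_BLOCK);
    printf("log mode:   %d untrusted writes recorded, rootkit page present=%d\n",
           a.logged, a.hidden_page_present);
    printf("block mode: %d untrusted writes refused, rootkit page present=%d\n",
           b.blocked, b.hidden_page_present);
    return 0;
}
```

In log mode the rootkit's writes are recorded but succeed, so its code page ends up not present and hidden; in block mode they are refused, so the entry keeps its present bit and the page remains readable by any scanner, which is the outcome Test 2 shows. The trust decision is deliberately nothing more than "does the writer's instruction pointer fall inside a loaded module", which is also why the blocking option is unsafe for any legitimate code that modifies page tables from outside a module image.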


Martim said...

You could also detect it by simply monitoring the IDT, where the PF handler hook is put.

northlabs said...

Certainly you can scan the IDT. This approach is usual for kernel scanners. It requires full disassembly, heuristic analysis, or debugging. This can be hijacked by writing a polymorphic PF handler, or even by hiding the real PF handler using Shadow Walker techniques.

Instead of that, Hypersight intercepts malicious accesses to the page table. This allows the attacking code to be identified.