HyperLeech: Stealthy System Virtualization with Minimal Target Impact through DMA-Based Hypervisor Injection

Palutke R, Ruderich S, Wild M, Freiling F (2020)


Publication Language: English

Publication Type: Conference contribution

Publication year: 2020

Publisher: USENIX Association

Pages Range: 165-179

Conference Proceedings Title: Proceedings of the 23rd International Symposium on Research in Attacks, Intrusions and Defenses (RAID 2020)

Event location: San Sebastian, ES

ISBN: 978-1-939133-18-2

URI: https://www.usenix.org/system/files/raid20-palutke.pdf

Open Access Link: https://www.usenix.org/system/files/raid20-palutke.pdf

Abstract

In the recent past, malware began to incorporate anti-forensic techniques in order to hinder analysts from gaining meaningful results. Consequently, methods that allow the stealthy analysis of a system became increasingly important. In this paper, we present HyperLeech, the first approach which uses DMA to stealthily inject a thin hypervisor into the memory of a target host, transparently shifting its operation into a hardware-accelerated virtual machine. For the code injection, we make use of external PCILeech hardware to enable DMA to the target memory. Combining the advantages of hardware-supported virtualization with the benefits provided by DMA-based code injection, our approach can serve analysts as a stealthy and privileged execution layer that enables powerful live forensics and atomic memory snapshots for already running systems. Our experiments revealed that HyperLeech is sufficient to virtualize multi-core Linux hosts without causing significant impact on a target's processor and memory state during its installation, execution, and removal. Although our approach might be misused for malicious purposes, we conclude that it provides new knowledge to help researchers with the design of stealthy system introspection techniques that focus on preserving a target system's state.

How to cite

APA:

Palutke, R., Ruderich, S., Wild, M., & Freiling, F. (2020). HyperLeech: Stealthy System Virtualization with Minimal Target Impact through DMA-Based Hypervisor Injection. In USENIX (Eds.), Proceedings of the 23rd International Symposium on Research in Attacks, Intrusions and Defenses (RAID 2020) (pp. 165-179). San Sebastian, ES: USENIX Association.

MLA:

Palutke, Ralph, et al. "HyperLeech: Stealthy System Virtualization with Minimal Target Impact through DMA-Based Hypervisor Injection." Proceedings of the 23rd International Symposium on Research in Attacks, Intrusions and Defenses (RAID 2020), San Sebastian Ed. USENIX, USENIX Association, 2020. 165-179.
