Palutke R, Ruderich S, Wild M, Freiling F (2020)
Publication Language: English
Publication Type: Conference contribution
Publication year: 2020
Publisher: USENIX Association
Pages Range: 165-179
Conference Proceedings Title: Proceedings of the 23rd International Symposium on Research in Attacks, Intrusions and Defenses (RAID 2020)
ISBN: 978-1-939133-18-2
URI: https://www.usenix.org/system/files/raid20-palutke.pdf
Open Access Link: https://www.usenix.org/system/files/raid20-palutke.pdf
In the recent past, malware began to incorporate anti-forensic techniques in order to hinder analysts from gaining meaningful results. Consequently, methods that allow the stealthy analysis of a system became increasingly important. In this paper, we present HyperLeech, the first approach which uses DMA to stealthily inject a thin hypervisor into the memory of a target host, transparently shifting its operation into a hardware-accelerated virtual machine. For the code injection, we make use of external PCILeech hardware to enable DMA to the target memory. Combining the advantages of hardware-supported virtualization with the benefits provided by DMA-based code injection, our approach can serve analysts as a stealthy and privileged execution layer that enables powerful live forensics and atomic memory snapshots for already running systems. Our experiments revealed that HyperLeech is sufficient to virtualize multi-core Linux hosts without causing significant impact on a target's processor and memory state during its installation, execution, and removal. Although our approach might be misused for malicious purposes, we conclude that it provides new knowledge to help researchers with the design of stealthy system introspection techniques that focus on preserving a target system's state.
APA:
Palutke, R., Ruderich, S., Wild, M., & Freiling, F. (2020). HyperLeech: Stealthy System Virtualization with Minimal Target Impact through DMA-Based Hypervisor Injection. In USENIX (Eds.), Proceedings of the 23rd International Symposium on Research in Attacks, Intrusions and Defenses (RAID 2020) (pp. 165-179). San Sebastian, ES: USENIX Association.
MLA:
Palutke, Ralph, et al. "HyperLeech: Stealthy System Virtualization with Minimal Target Impact through DMA-Based Hypervisor Injection." Proceedings of the 23rd International Symposium on Research in Attacks, Intrusions and Defenses (RAID 2020), San Sebastian Ed. USENIX, USENIX Association, 2020. 165-179.