Skip to content

Elevation of privilege detector based on HyperPlatform

License

Notifications You must be signed in to change notification settings

tandasat/EopMon

Repository files navigation

EopMon

Introduction

EopMon is a hypervisor-based elevation of privilege (EoP) detector. It can spots a process with a stolen system token and terminate it by utilizing hypervisor's ability to monitor process context-swiching.

While EopMon is tested against multiple EoP exploits carried out by in the wild malware (*1), it is rather meant to be an educational tool to demonstrate a potential use case of a hypervisor for security research and not aimed for comprehensive exploit prevention.

EopMon is implemented on the top of HyperPlatform. See a project page for more details of HyperPlatform:

*1: Tested samples

  • 2183be234b52ea2c5102fbc966de40476eef77c7, Necurs (CVE-2015-0057)
  • 4fe035b4359242f62248f44e65fda580d89459af, Gozi (CVE-2015-2387)

Installation and Uninstallation

Clone full source code from Github with a below command and compile it on Visual Studio.

$ git clone --recursive https://github.com/tandasat/EopMon.git

On the x64 platform, you have to enable test signing to install the driver. To do that, open the command prompt with the administrator privilege and type the following command, and then restart the system to activate the change:

>bcdedit /set testsigning on

To install and uninstall the driver, use the 'sc' command. For installation:

>sc create EopMon type= kernel binPath= C:\Users\user\Desktop\EopMon.sys
>sc start EopMon

For uninstallation:

>sc stop EopMon
>sc delete EopMon
>bcdedit /deletevalue testsigning

Note that the system must support the Intel VT-x and EPT technology to successfully install the driver.

To install the driver on a virtual machine on VMware Workstation, see an "Using VMware Workstation" section in the HyperPlatform User Document.

Output

All logs are printed out to DbgView and saved in C:\Windows\EopMon.log.

Source Navigation

All code specific to EopMon is in eopmon.cpp.

When the EopMon is loaded, EopmonInitializaion() enumerates all processes and remembers system process tokens first. Then, once processors are virtualized, EopmonCheckCurrentProcessToken() gets called when CR3 is being updated and checks if the current process has any of the system tokens but not its original owner process. If so, EopMon schedules EopmonpTerminateProcessWorkerRoutine() to terminate the process and it child processes as soon as possible.

Caveats

EopMon is meant to be an educational tool and not robust, production quality software which is able to handle various edge cases. For example, EopMon is unable to detect direct shellcode execution in user address space through replacing a function pointer in the kernel, or _TOKEN::_SEP_TOKEN_PRIVILEGES manipulation[1] enabling privileges without copying a token itself. For this reason, researchers are encouraged to use this project only as a reference to examine and develop ideas of using a hypervisor.

Supported Platforms

  • x86 and x64 Windows 7, 8.1 and 10
  • The system must support the Intel VT-x and EPT technology

License

This software is released under the MIT License, see LICENSE.

About

Elevation of privilege detector based on HyperPlatform

Resources

License

Stars

Watchers

Forks

Releases

No releases published

Packages

No packages published