HyperLeech: Stealthy System Analysis with Minimal Target Impact through DMA-Based Hypervisor Injection

Language: en
Document Type: Report
Issue Date: 2024
Authors:
Palutke, Ralph
Ruderich, Simon
Wild, Matthias
Hacker, Jonathan
Konrad, Jonas
Freiling, Felix
Abstract

In the recent past, malware began incorporating anti-forensic techniques at the kernel level to hinder analysts from gaining meaningful insights. Consequently, methods that allow stealthy analysis of a system have become increasingly important. Recent approaches often rely on external devices that use Direct Memory Access (DMA) to transparently analyze volatile memory, or they shift a running system into a Virtual Machine (VM) and perform forensics from the hypervisor level. While DMA suffers from low atomicity and a lack of semantics, virtualizing a running system usually requires privileged credentials and the installation of a kernel driver, which considerably alters the target's state.

In this report, we present HyperLeech, the first approach that uses DMA to stealthily inject a forensic hypervisor into the memory of a running target host, transparently shifting its operation into a hardware-accelerated VM. To inject code in a minimally invasive way, we use external PCILeech hardware to gain DMA to the target's memory. Combining the advantages of hardware-supported virtualization with the benefits of DMA-based code injection, our approach can serve analysts as a stealthy and privileged execution layer that enables powerful live forensics and atomic memory snapshots without the risk of destroying evidence or alerting malware. Our experiments reveal that HyperLeech is sufficient for virtualizing modern multi-core hosts at runtime while neither causing a notable impact on the target's processor and memory state nor introducing a significant performance overhead. To give the target the impression of possessing the entire available memory even after our system has been injected, HyperLeech incorporates a DMA-based memory swapping protocol that makes the content evicted by our hypervisor available again upon request. Although HyperLeech might be misused for malicious purposes, we conclude that it provides new possibilities for stealthy system analysis and digital forensics, raising the bar for malware to evade detection.

Series: Technical reports / Department Informatik
Series Nr.: CS-2024-01