Using Kernel Type Graphs to Detect Dummy Structures
Authors
Abstract
An open problem for signature-based scanners for kernel data structures in memory is the potential for attackers to create dummy objects that, while syntactically valid, are not actually used by the operating system. These fake structures can cause false positives when searching for data structures in memory, creating noise in which an attacker can hide malicious objects. As a result, a method for weeding out such false positives, separating the active instances from the maliciously placed dummies, is needed if context-free scanners are to be successful. To solve the problem, we first noted that in most common operating systems, legitimate kernel data structures are highly interlinked: each structure generally contains one or more pointers to other kernel objects. Thus the structures in memory can be seen as a graph, where each structure is a node and an edge is formed when there is a pointer from one object to the next. This miniproject sought to investigate the use of graph-theoretic properties to distinguish between active and inactive kernel data structures. Our hypothesis was that inactive structures would have a very low indegree; as the structure is not currently used by the operating system, other kernel data structures should not point to it. In order to generate a representation of such a graph, accurate information on all kernel data structures and their relationships is needed. We decided to work with the Windows kernel, as it was most familiar to the authors. Windows itself is closed source; however, most of its data types are freely available in the debug symbols (PDB files) distributed by Microsoft [3]. These types can be extracted using the open-source tool PDBparse [2]. The type data by itself serves as a template for the graph of actual instances in memory. There are a number of complications that prevent the type data from being used directly.
First, linked lists are heavily used throughout the kernel; however, the list pointers themselves are contained in a LIST_ENTRY object embedded in each list member, and they point not at the next member, but at the next LIST_ENTRY inside that member. We worked around this by manually annotating the raw type data with information on what type of object each embedded LIST_ENTRY pointed to, using information derived by hand from the Windows Research Kernel [4] source code. Second, many data structures contain unions, and hence the type pointed to may be ambiguous; we opted to traverse each member of the union, rather than trying to guess the correct type. Our assumption is that attempting to traverse the graph from the incorrect type will eventually fail, as the pointers going outward will not point at valid memory. Finally, there are a number of structures that have pointers to void as members; the actual type pointed to in this case is not known, and we have opted to ignore them for now. To construct the instance graph, we decided to write a new plugin for Volatility [5], an open source memory analysis framework. Volatility was chosen mainly because PDBparse has the ability to export data structure definitions in Volatility's native structure definition format. The plugin takes as input the virtual address of a seed node, along with the type of that node. For our experiments we focused on EPROCESS data structures (used in Windows to hold information about
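As an added illustration (not code from the paper or its Volatility plugin), the following Python sketches the pipeline the abstract describes over a constructed 32-bit memory image: a context-free signature scan yields candidate objects, pointers are followed from a seed object with the LIST_ENTRY member offset subtracted to recover the containing object, and scanner hits that nothing reachable from the seed points at (indegree zero) are reported as suspected dummies. The structure layout, tag, addresses and the whole image are constructed stand-ins, not the real EPROCESS; the void* member is ignored during traversal, as the abstract describes.

```python
import struct
from collections import deque

# Constructed toy layout standing in for EPROCESS (not the real structure):
#   +0  4-byte tag used as the scanner signature
#   +4  ActiveProcessLinks LIST_ENTRY {Flink, Blink} (32-bit pointers)
#   +12 Win32Process  void* (type unknown, ignored during traversal)
TAG, SIZE, LIST_OFF = b"Proc", 16, 4

def write_obj(mem, addr, flink, blink, void_ptr=0):
    struct.pack_into("<4sIII", mem, addr, TAG, flink, blink, void_ptr)

def scan(mem):
    """Context-free signature scan: every aligned TAG is a candidate object."""
    return [a for a in range(0, len(mem) - SIZE + 1, 4) if mem[a:a + 4] == TAG]

def edges_from(mem, addr):
    """Out-edges of one object. Flink/Blink target the LIST_ENTRY embedded in the
    neighbour, so subtract LIST_OFF to recover the neighbour's base address."""
    out = []
    for p in struct.unpack_from("<II", mem, addr + LIST_OFF):
        base = p - LIST_OFF
        if 0 <= base <= len(mem) - SIZE:  # ignore pointers into invalid memory
            out.append(base)
    return out

def indegrees(mem, seed):
    """Breadth-first walk from the seed; count in-edges of every object reached."""
    indeg, q = {seed: 0}, deque([seed])
    while q:
        cur = q.popleft()
        for nxt in edges_from(mem, cur):
            if nxt not in indeg:
                indeg[nxt] = 0
                q.append(nxt)
            indeg[nxt] += 1
    return indeg

def suspected_dummies(mem, seed):
    """Scanner hits that no object reachable from the seed points at."""
    indeg = indegrees(mem, seed)
    return sorted(a for a in scan(mem) if indeg.get(a, 0) == 0)

def demo_image():
    """Three live processes in a circular list plus an unlinked dummy at 0x400."""
    mem, live = bytearray(0x800), [0x100, 0x200, 0x300]
    for i, a in enumerate(live):
        write_obj(mem, a, live[(i + 1) % 3] + LIST_OFF, live[i - 1] + LIST_OFF, 0xDEAD0000)
    write_obj(mem, 0x400, 0x100 + LIST_OFF, 0x300 + LIST_OFF)  # valid-looking, unreferenced
    return mem
```

The dummy at 0x400 carries plausible Flink/Blink values and passes the signature scan, yet no live object points at it, so it is the only candidate with indegree zero.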
Related resources
Generalized graphlet kernels for probabilistic inference in sparse graphs
Graph kernels for learning and inference on sparse graphs have been widely studied. However, the problem of designing robust kernel functions that can effectively compare graph neighborhoods in the presence of noisy and complex data remains less explored. Here we propose a novel graph-based kernel method referred to as an edit distance graphlet kernel. The method was designed to add flexibility...
A Jensen-Shannon Divergence Kernel for Directed Graphs
Recently, kernel methods have been widely employed to solve machine learning problems such as classification and clustering. Although there are many existing graph kernel methods for comparing patterns represented by undirected graphs, the corresponding methods for directed structures are less developed. In this paper, to fill this gap in the literature we exploit the graph kernels and graph co...
Finding User/Kernel Pointer Bugs with Type Inference
Today’s operating systems struggle with vulnerabilities from careless handling of user space pointers. User/kernel pointer bugs have serious consequences for security: a malicious user could exploit a user/kernel pointer bug to gain elevated privileges, read sensitive data, or crash the system. We show how to detect user/kernel pointer bugs using type-qualifier inference, and we apply this meth...
Flexible Layering in Hierarchical Drawings with Nodes of Arbitrary Size
Graph drawing is an important area of information visualization which concerns itself with the visualization of relational data structures. Relational data like networks, hierarchies, or database schemas can be modelled by graphs and represented visually using graph drawing algorithms. Most existing graph drawing algorithms do not consider the size of nodes when creating a drawing. In most real...
Adversarial Planning in Networks
In this paper, we discuss adversarial planning in networks and propose methods for detecting it. We show that the traces attackers leave follow a logical order that can be used to recognize attackers’ goals. The paper studies three methods used by attackers to obfuscate their traces in order to make them difficult for analysis: dummy actions, decoy goals, and buffers. The paper also presents a ...
Publication date: 2008