PageBuster - dump all executable pages of packed processes.

Overview

PageBuster

Ever wanted to dump all the executable pages of a process? Do you crave something capable of dealing with packed processes?

We've got you covered! May I introduce PageBuster, our tool to gather dumps of all executable pages of packed processes.

asciicast

Introduction

There are plenty of scenarios in which the ability to dump executable pages is highly desirable. Of course, there are many methods, some of which standard de facto, but it is not always as easy as it seems.

For example, think about the case of packed malware samples. Run-time packers are often used by malware-writers to obfuscate their code and hinder static analysis. Packers can be of growing complexity, and, in many cases, a precise moment in time when the entire original code is completely unpacked in memory doesn't even exist.

Therefore, the goals of PageBuster are:

  1. To dump all the executable pages, without assuming there is a moment in time where the program is fully unpacked;
  2. To do this in a stealthy way (no VM, no ptrace).

In particular, given the widespread use of packers and their variety, our objective is to have a single all-encompassing solution, as opposed to packer-specific ones.

Ultimately, PageBuster fits in the context of the rev.ng decompiler. Specifically, it is related to what we call MetaAddress. Among other things, a MetaAddress enables you to represent an absolute value of an address together with a timestamp (epoch), so that it can be used to track how a memory location changes during the execution of a program. Frequently, you can have different code at different moments at the same address during program execution. PageBuster was designed around this simple yet effective data structure.

For more information, please refer to our blogpost.

There are two PageBuster implementations: a prototype user-space-only and the full-fledged one, employing with a kernel module. The former is described in userpagebuster/. The rest of this document describes the latter.

Build

Make sure you have installed GCC and Linux kernel headers for your kernel. For Debian-based systems:

sudo apt install build-essential linux-headers-$(uname -r)

Then, build the kernel module:

cd pagebuster
make

This will produce pagebuster.ko, the module for the kernel you are currently running. Please make sure the kernel version is lower than v5.9.2 since PageBuster has not been tested for newer versions.

Note: Please consider using a virtual machine (VirtualBox, VMWare, QEMU, etc.) for testing. The module could be harmful. Avoid killing your machine or production environment by accident.

Usage

To test PageBuster, you can insert the LKM and try it with whatever binary you want. We provided you with sigsegv.c, a .c program that simply maps and executes a shellcode. Inside the /userland/c/ directory you will also find simple.c, the one shown in the demo.

So, just insmod the module and pass the name of the process as argument. Then, execute it.

insmod pagebuster.ko path=sigsegv.out
./sigsegv.out

Inside the /tmp directory, you will find all the timestamped dumps.

ls /tmp

You should get an output similar to the following:

100000000_494     7ffff7d4b000_291  7ffff7dc7000_415  7ffff7eb9000_30
100001000_495     7ffff7d4c000_292  7ffff7dc8000_416  7ffff7eba000_31
7ffff7cd1000_169  7ffff7d4d000_293  7ffff7dc9000_417  7ffff7ebb000_32
7ffff7cd2000_170  7ffff7d4e000_294  7ffff7dca000_418  7ffff7ebc000_33
7ffff7cd3000_171  7ffff7d4f000_295  7ffff7dcb000_419  7ffff7ebd000_34
7ffff7cd4000_172  7ffff7d50000_296  7ffff7dcc000_420  7ffff7ebe000_35
7ffff7cd5000_173  7ffff7d51000_297  7ffff7dcd000_421  7ffff7ebf000_36
7ffff7cd6000_174  7ffff7d52000_298  7ffff7dce000_422  7ffff7ec0000_37
...

To remove the LKM, run:

rmmod pagebuster.ko

Quickly test in QEMU

If you want to test it on a safe environment, you can use Ciro Santilli's emulation setup.

This setup has been mostly tested on Ubuntu. Reserve 12 GB of disk and run:

git clone https://github.com/cirosantilli/linux-kernel-module-cheat
cd linux-kernel-module-cheat
git reset --hard 5ec6595e1f3afb6213ba7c14ab5e4e3893a4089f

Unlike Ubuntu 20.04 LTS, here kprobes is not enabled by default. So, you must enable it on linux kernel configs.

cd linux_config
cat <<EOT >> default

# Kprobes
CONFIG_KPROBES=y
EOT
cd ..

Now, you can start the build:

# For Debian derivatives
./build --download-dependencies qemu-buildroot
# If you use another distro, you'll have to install the deps manually
./build --no-apt --download-dependencies qemu-buildroot

The initial build will take a while (30 minutes to 2 hours) to clone and build.

Finally, what you need to do is to insert inside the environment the kernel module as well as all the c programs you want to test it on. If you want to do it manually, you can build the module as shown before, the target programs and then just put them inside QEMU:

cd linux-kernel-module-cheat
cp /path/to/files $PWD/out/buildroot/build/default/x86_64/target/lkmc/
./build-buildroot

In this way, you will find them inside the directory where you spawn.

You can now run QEMU:

./run

Use with Ctrl-A X to quit QEMU or type poweroff.

If you use linux-kernel-module-cheat to build the module and the programs for you, you can put pagebuster.c inside /kernel_modules, and the c files inside /userland/c. Then run:

# Rebuild and run
./build-userland
./build-modules
./run

# Load kernel module
cd /mnt/9p/out_rootfs_overlay/lkmc
insmod pagebuster.ko path=sigsegv.out

# Run the program
./c/sigsegv.out

# List dumped pages
ls /tmp

If you want to test with other binaries, you may put the source .c file inside the /userland/c folder and let the simulator compile it for you by running ./build-userland. Now, after running the system, you will find it compiled inside /mnt/9p/out_rootfs_overlay/lkmc/c/.

UPX testing

If you want to try how PageBuster behaves with UPX-packed binaries, you should prepare them outside the QEMU guest environment, and then inject into it. First of all, install upx. On Ubuntu 20.04 LTS, run:

sudo apt-get update -y
sudo apt-get install -y upx-ucl

Then, for instance, grab a .c program and compile it. Make sure it reaches the minimum size required by upx to pack it: UPX cannot handle binaries under 40Kb. The best way to work-around this problem is to compile your binary in static mode, in order to get a bigger executable file. So, just try:

gcc -static -o mytest mytest.c
upx -o mytest_packed mytest

The easiest way to put it inside QEMU is the following.

cd linux-kernel-module-cheat
cp /path/to/mytest_packed $PWD/out/buildroot/build/default/x86_64/target/lkmc/
./build-buildroot

Now you can test it, in the usual way:

./run
insmod /mnt/9p/out_rootfs_overlay/lkmc/pagebuster.ko path=mytest_packed
./mytest_packed
ls /tmp

Output will be something like that:

401000_2        427000_40       44d000_78       473000_116
402000_3        428000_41       44e000_79       474000_117
403000_4        429000_42       44f000_80       475000_118
404000_5        42a000_43       450000_81       476000_119
405000_6        42b000_44       451000_82       477000_120
406000_7        42c000_45       452000_83       478000_121
407000_8        42d000_46       453000_84       479000_122
408000_9        42e000_47       454000_85       47a000_123
409000_10       42f000_48       455000_86       47b000_124
40a000_11       430000_49       456000_87       47c000_125

Licensing

The content of this repository is licensed under the GPLv2. Many thanks to Alexei Lozovsky which inspired the ftrace hooking part of the project.

Issues
  • UserPageBuster improvements

    UserPageBuster improvements

    • Move userpagebuster-related stuff in its own directory
    • Simplify build (using __attribute__((constructor)) instead of invoking ld directly)
    • Introduce a simple working example and demo instructions to assess success
    opened by aleclearmind 0
  • Various improvements

    Various improvements

    • I've made some changes to the README.md
    • I've dropped checkout.sh in favor of just checking out the exact commit of linux-kernel-module-cheat we need. That should do.
    • I made some changes to be able to build the module against recent kernels.

    Let me know what you think.

    opened by aleclearmind 0
Owner
rev.ng
We're building the next generation decompiler. Binary analysis is a dish best served static.
rev.ng
Manual mapper that uses PTE manipulation, Virtual Address Descriptor (VAD) manipulation, and forceful memory allocation to hide executable pages. (VAD hide / NX bit swapping)

Stealthy Kernel-mode Injector Manual mapper that uses PTE manipulation, Virtual Address Descriptor (VAD) manipulation, and forceful memory allocation

Charlie Wolfe 79 Jun 22, 2022
Inter-process communication library to enable allocation between processes/threads and send/receive of allocated regions between producers/consumer processes or threads using this ipc buffer.

This is a relatively simple IPC buffer that allows multiple processes and threads to share a dynamic heap allocator, designate "channels" between processes, and share that memory between producer/consumer pairs on those channels.

RaftLib 7 May 24, 2022
Random access array of tightly packed unsigned integers

PackedArray: random access array of tightly packed unsigned integers TLDR PackedArray comes to the rescue when you're in a desperate need for an uint9

Gregory Pakosz 131 Jun 22, 2022
An implementation of a weak handle interface to a packed vector in C++

Experimental handle container in C++ Overview Following on from c-handle-container, this library builds on the same ideas but supports a dynamic numbe

Tom Hulton-Harrop 12 Mar 11, 2022
A utility to fix intentionally corrupted UPX packed files.

UPX Fixer Some C code to repair corrupt p_info header on UPX! packed malware. It fixes two variants I found that were pretty common. There are many ot

Larry W. Cashdollar 48 Jun 26, 2022
Simple font renderer library written in Opengl 3.3 using stb_truetype.h to load a packed bitmap into texture of a .ttf font.

mv_easy_font Simple font renderer library written in Opengl 3.3 using stb_truetype.h to load a packed bitmap into texture of a .ttf font. Uses instanc

null 27 May 13, 2022
Scans all running processes. Recognizes and dumps a variety of potentially malicious implants (replaced/implanted PEs, shellcodes, hooks, in-memory patches).

Scans all running processes. Recognizes and dumps a variety of potentially malicious implants (replaced/implanted PEs, shellcodes, hooks, in-memory patches).

hasherezade 1.4k Jun 24, 2022
This PoC uses two diferent technics for stealing the primary token from all running processes, showing that is possible to impersonate and use whatever token present at any process

StealAllTokens This PoC uses two diferent technics for stealing the primary token from all running processes, showing that is possible to impersonate

lab52.io 42 Jun 15, 2022
Detect-KeAttachProcess by iterating through all processes as well as checking the context of the thread.

Detect-KeAttachProcess Detect-KeAttachProcess - by iterating through all processes as well as checking the context of the thread. Recently I started s

null 79 Jun 11, 2022
Attempts to dump all nonpaged BigPools from kernel.

pooldump Attempts to dump all nonpaged BigPools from kernel. WARNING: Insanely retarded code. This project can and will induce brain damage. Usage mkd

Layle | Luca 26 Apr 21, 2022
Formatted C++20 stdlib man pages (cppreference)

C++ stdlib man pages stdman is a tool that parses archived HTML files from cppreference and generates groff-formatted manual pages for Unix-based syst

Jeaye Wilkerson 824 Jun 21, 2022
C++ 98/11/14 manual pages for Linux/MacOS

cppman C++ 98/11/14/17/20 manual pages for Linux, with source from cplusplus.com and cppreference.com. Features Supports two backends (switch it with

Wei-Ning Huang 1k Jun 22, 2022
Formatted C++20 stdlib man pages (cppreference)

C++ stdlib man pages stdman is a tool that parses archived HTML files from cppreference and generates groff-formatted manual pages for Unix-based syst

Jeaye Wilkerson 824 Jun 21, 2022
Offical repo for "Moynihan, M., Ruano, S., Pagés, R. and Smolic, A., 2021. Autonomous Tracking For Volumetric Video Sequences"

MeshTracker A segmentation-based tracking algorithm for registering volumetric video meshes (ply/obj) in C++. This is the official implementation of t

V-Sense 20 Jun 7, 2022
This is kdmapper but it doesn't use ExAllocatePool instead it allocates pages to avoid being in BigPoolTable,

KDMapper without allocating memory in BigPoolTable Original creator https://github.com/z175 Improved by https://github.com/TheCruZ TheCruz has intergr

tygo lokum 33 Jun 12, 2022
Remap ELF LOAD segments to huge pages

Quick start Not recommended as a production solution, but it's a very fast way to benchmark if your application benefits from remapping your text and

null 14 Mar 28, 2022
A command-line tool to generate Linux manual pages from C source code.

mangen A command-line tool to generate Linux manual pages from C source code. Description mangen is, as said above, a program to generate Linux manual

null 2 Nov 15, 2021
Locate the current executable and the current module/library on the file system

Where Am I? A drop-in two files library to locate the current executable and the current module on the file system. Supported platforms: Windows Linux

Gregory Pakosz 357 Jun 25, 2022
A way to delete a locked file, or current running executable, on disk.

??️ delete-self-poc A way to delete a locked, or current running executable, on disk. This was originally found by Jonas Lykkegaard - I just wrote the

Lloyd 356 Jun 16, 2022
Utility to convert any binary file into C source that can be compiled and linked to the executable.

bin2c Utility to convert any binary file into C source that can be compiled and linked to the executable. bin2o Utility to convert any binary file int

Vadim A. Anisimov 16 Jul 14, 2021
4K Executable Graphics framework

Blossom ?? Blossom is a small framework for creating 4K Executable Graphics artworks for the demoscene. You are free to use this as the basis for your

Luna 159 Jun 22, 2022
A simple PoC to demonstrate that is possible to write Non writable memory and execute Non executable memory on Windows

WindowsPermsPoC A simple PoC to demonstrate that is possible to write Non writable memory and execute Non executable memory on Windows You can build i

Lorenzo Maffia 56 Jun 25, 2022
Programming language that compiles into a x86 ELF executable.

ocean Programming language that compiles into a x86 ELF executable. The main goal at the moment is to create a C compiler, which can atleast compile i

Richard 165 Jun 21, 2022
Cobalt Strike beacon object file implementation for trusted path UAC bypass. The target executable will be called without involving

Beacon object file implementation for trusted path UAC bypass. The target executable will be called without involving "cmd.exe" by using DCOM object.

Chris Au 75 Jun 15, 2022
The C source code was RESTORED by disassembling the original executable file OPTIM.COM from the Hi-Tech v3.09 compiler.

The C source code was RESTORED by disassembling the original executable file OPTIM.COM from the Hi-Tech v3.09 compiler. This file is compiled by Hi-Te

null 9 May 23, 2022
Resolve DOS MZ executable symbols at runtime

NtSymbol Resolve DOS MZ executable symbols at runtime Example You no longer have not have to use memory pattern scan inside your sneaky rootkit. Pass

Kento Oki 76 Jun 26, 2022
Decrypt FairPlay encrypted executable binaries on macOS

UnFairPlay Decrypt FairPlay encrypted binaries on macOS when SIP-enabled. By mapping an executable as r-x and then using mremap_encrypted on the encry

subdiox 58 Apr 19, 2022
Simple one file header for hijacking windows version.dll for desired executable to do 3rd party modifying without dll injection.

Version-Hijack Simple one file header for hijacking windows version.dll for desired executable to do 3rd party modifying without dll injection. Usage

sneakyevil 5 Mar 31, 2022
Code::Blocks template for custom launcher executable.

Launcher Code::Blocks template for custom launcher executables. This is a basic Code::Blocks project for creating authentic Windows executables. Inclu

Federico Cappelletti 1 Feb 5, 2022