
Real-time Memory Forensic Technology Based On Hardware Virtualization

Posted on: 2022-07-17
Degree: Master
Type: Thesis
Country: China
Candidate: H Y Tang
Full Text: PDF
GTID: 2518306332967189
Subject: Computer technology
Abstract/Summary:
With the development of the Internet, the security confrontation in cyberspace is becoming more and more fierce. Every year, network attacks organized by APT groups (OceanLotus, APT Platinum, Equation Group) cause immeasurable losses to countries, enterprises and individuals. It is essential to collect evidence from the objects of cyber-attack crimes, capture attack evidence, analyze attack methods and techniques, trace attack traces, reconstruct the attack process, and formulate defense measures and plans for the next attack. Forensic technology therefore has practical significance in real scenarios.

Traditional forensic technology has problems such as long acquisition time, a large memory footprint for the acquired image, and long analysis time. This is especially true for the forensics of transient memory attacks: the attack payload is often encrypted and obfuscated, and is allocated, executed and released quickly. These characteristics make forensic work difficult and at the same time make it rely heavily on the timeliness of acquisition and on the experience and skill of the forensic analysts. Traditional kernel function monitoring methods such as SSDT hooks and IDT hooks no longer work on modern 64-bit Windows systems.

This paper presents a technical implementation of kernel function interception that bypasses Microsoft PatchGuard protection. It is composed of three modules: a kernel function address acquisition module, a trampoline building module, and a core module that bypasses the PatchGuard (PG) protection mechanism. The memory page at the target kernel function address is replaced so that the page the guest reads differs from the page it executes, which bypasses Microsoft's integrity checking.

This paper also proposes a real-time forensic technology for the memory pages of transient attacks based on EPT access control. It consists of four modules: a memory page control module based on EPT access control, an information interaction module, a physical memory marking module, and a physical memory extraction and analysis module. Based on the EPT (extended page table) mechanism and the MTF (monitor trap flag) mechanism, it monitors the marked suspicious memory pages in real time, records data writes to and code execution from their physical pages, and collects the physical memory and a behavioral evidence chain for forensics. In the physical memory marking module, it innovatively proposes a page-based write verification method to realize the actual mapping from newly allocated virtual addresses to physical memory. In the physical memory extraction and analysis module, it proposes creating a system thread that lowers the interrupt request level (IRQL) in order to perform I/O reads and writes, and summarizes the methods of mapping physical-address memory to virtual addresses.

Experimental samples are selected to test the effectiveness of the RFSBHV system presented in this paper. It is compared with the kernel-level behavior monitoring tool hrsword and the memory threat detection script Get-InjectionThreads, and the impact of RFSBHV and hrsword on Windows performance is measured. The tests show that RFSBHV has less influence on system performance than hrsword and performs better.
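The monitoring loop described above (revoke write/execute on a marked page in EPT, trap the violation, record the event, grant the one permission needed, single-step with MTF, then re-protect) can be shown as a small event-ordering model. The following Python is an added example written for this page; it is not the thesis's RFSBHV code, it models EPT permissions as three flag bits per physical page, and all names (EptMonitor, Evidence, run_guest, the addresses in the trace) are constructed assumptions.

```python
from dataclasses import dataclass

PAGE_SIZE = 0x1000
R, W, X = 1, 2, 4          # modelled EPT permission bits (constructed, not real EPT encoding)


@dataclass
class Evidence:
    kind: str           # "write" or "exec"
    gpa: int            # guest-physical address that was accessed
    rip: int            # guest RIP at the time of the EPT violation
    before: bytes       # page content captured when the violation trapped
    after: bytes = b""  # page content captured at the MTF exit, after the instruction ran


class EptMonitor:
    """Models the hypervisor side: EPT permissions per physical page plus MTF single-step."""

    def __init__(self, phys_mem: bytearray):
        self.mem = phys_mem
        self.ept = {p: R | W | X for p in range(len(phys_mem) // PAGE_SIZE)}
        self.marked = set()
        self.evidence = []
        self.mtf_page = None   # page whose permission was lifted for exactly one instruction

    def mark(self, gpa: int) -> None:
        """Marking module: make the page read-only in EPT so writes and execution trap."""
        page = gpa // PAGE_SIZE
        self.marked.add(page)
        self.ept[page] = R

    def _page(self, page: int) -> bytes:
        return bytes(self.mem[page * PAGE_SIZE:(page + 1) * PAGE_SIZE])

    def on_ept_violation(self, kind: str, gpa: int, rip: int) -> None:
        """Record the event, grant only the permission needed, and arm MTF."""
        page = gpa // PAGE_SIZE
        self.evidence.append(Evidence(kind, gpa, rip, self._page(page)))
        self.ept[page] |= W if kind == "write" else X
        self.mtf_page = page

    def on_mtf_exit(self) -> None:
        """One instruction later: snapshot the result and re-arm the protection."""
        page = self.mtf_page
        self.evidence[-1].after = self._page(page)
        if page in self.marked:
            self.ept[page] = R
        self.mtf_page = None


def run_guest(mon: EptMonitor, trace) -> None:
    """Execute a constructed guest trace of (rip, op, gpa, value) against the monitor."""
    for rip, op, gpa, value in trace:
        page = gpa // PAGE_SIZE
        needed = W if op == "write" else X
        if not mon.ept[page] & needed:
            mon.on_ept_violation(op, gpa, rip)   # VM exit; hypervisor handles, guest retries
        if op == "write":
            mon.mem[gpa] = value
        if mon.mtf_page is not None:
            mon.on_mtf_exit()                    # MTF VM exit after the single instruction


def demo() -> EptMonitor:
    """Stage two bytes into a marked page, execute from it, then touch an unmarked page."""
    mon = EptMonitor(bytearray(4 * PAGE_SIZE))
    mon.mark(0x2000)   # analyst marks the page at 0x2000 as suspicious
    trace = [          # constructed trace; addresses and bytes are arbitrary
        (0x401000, "write", 0x2000, 0x90),
        (0x401005, "write", 0x2001, 0xC3),
        (0x40100A, "exec", 0x2000, None),
        (0x401010, "write", 0x1000, 0x41),   # unmarked page: no trap, no evidence
    ]
    run_guest(mon, trace)
    return mon


if __name__ == "__main__":
    for e in demo().evidence:
        print(f"{e.kind:5} gpa={e.gpa:#x} rip={e.rip:#x} "
              f"before={e.before[:2].hex()} after={e.after[:2].hex()}")
```

The point the model makes is the ordering: the evidence record is taken while the faulting instruction has not yet run, the permission is lifted only for that one instruction, and the MTF exit is where the post-state snapshot and re-protection happen, so a payload that is written, executed and released within a few instructions still leaves a page image in the evidence chain. In a real deployment this logic lives in the VM-exit handler of a thin hypervisor, not in a Python loop.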
Keywords/Search Tags:Transient memory attacks, Hardware virtualization, Memory forensics