00:00:00.000,00:00:03.937 >>Hi, so let's get this show on the road, please settle down, take a seat and please give a 00:00:03.937,00:00:08.942 warm welcome to a first time Defcon speaker Ulf [applause] so please >>[laughter]So thank you 00:00:15.182,00:00:20.153 everyone for coming and listening to me. Today we are going to direct memory attack 00:00:20.153,00:00:25.158 the kernel. My name is Ulf Frisk and helping me with the demos today, I have, er, 00:00:28.195,00:00:33.200 [inaudible]vist. Today, we are going to totally own Linux, Windows and OSX kernels by DMA 00:00:36.136,00:00:41.141 code injection. We're going to dump memory at speeds in excess of 150 megabytes per second, 00:00:43.877,00:00:49.249 we're going to both pull and push files from the target system. We're going to execute 00:00:49.249,00:00:54.254 code and spawn a system shell. After this talk I will be open sourcing the software making all 00:00:56.924,00:01:03.163 this possible, and since we are talking about a hardware based attack you're also need a 00:01:03.163,00:01:08.168 hardware, which is already available for purchase online for less than $100. But first a 00:01:10.804,00:01:16.977 little bit about myself. My name is Ulf Frisk, I'm working as a penetration tester, primarily 00:01:16.977,00:01:21.982 with online banking security. I'm employed in the financial sector in Stockholm, Sweden. I 00:01:24.251,00:01:30.157 have a master of Science in Computer Science and Engineering and er, most recently I've been 00:01:30.157,00:01:35.829 taking a special interest in low level Windows programming and DMA. And this has been a little 00:01:35.829,00:01:42.569 bit like learning by doing project from my part, learning more about 64 bit assembly and 00:01:42.569,00:01:47.574 operating system kernels. Actually in order to be able to do this talk, I had to put up 00:01:49.843,00:01:54.848 this slide, I need to point out that er this talk is given by me as an individual. My employer is 00:01:57.451,00:02:00.721 not involved in anyway whatsoever with what I'm doing here today. But I'm here today 00:02:00.721,00:02:02.723 to present PCILeech. PCILeech is the combination between the PLX technologies USB3380 development 00:02:02.723,00:02:04.725 board coupled with a custom firmware and a custom software. On the image here you see this 00:02:04.725,00:02:07.494 development board, in the mini PCI express form factor. To the left you see the PCI express 00:02:07.494,00:02:12.499 side, the side that goes into the target computer, or if you wanted to call it the victim 00:02:31.651,00:02:36.657 computer. The USB3380 is able to send both DMA reads and writes into the target system's main 00:02:41.928,00:02:46.933 memory. To right, you see a USB3 connector, which allows us for connecting this board to a 00:02:50.604,00:02:55.175 controlling computer, and once connecting to a controlling computer this controlling 00:02:55.175,00:03:00.113 computer is able to transfer memory at very high speeds with USB3 straight into the memory of 00:03:02.983,00:03:07.988 the target computer. What's very nice about this hardware, is that it requires no drivers at 00:03:09.990,00:03:14.995 all on the target computer, it just works. It's hardware only. And with this piece of hardware, 00:03:18.698,00:03:23.703 I'm able to get well over 150 megabytes per second DMA transfer speeds. Unfortunately 00:03:26.006,00:03:32.312 this ship is only capable of 32 bit addressing and that means that you're only able to access 00:03:32.312,00:03:37.984 the lower 4 gigabytes of memory with this card. As we will see later on that's not really a 00:03:37.984,00:03:42.989 problem in practice. Actually, actually, the USB380 has been presented here at Defcon before. 00:03:46.359,00:03:51.364 It was presented two years ago as the NSA playset slotscreamer device by Joe Fitzpatrick and 00:03:54.701,00:04:01.041 Miles Craybill. So I want to really thank Joe for bringing this really nice piece of 00:04:01.041,00:04:07.948 hardware into my attention, so thank you very much, Joe. If I compare PCILeech to 00:04:07.948,00:04:13.854 slotscreamer, it's obviously exactly the same hardware, it a complete, it's a different 00:04:13.854,00:04:20.360 firmware and different software. This also means that if you already do have a slotscreamer 00:04:20.360,00:04:25.365 device you should be able to reflash it and try this software on. It's er faster. The 00:04:27.834,00:04:33.206 slotscreener was be able to receive around 3MB per second, something like that and the 00:04:33.206,00:04:38.211 PCILeech device is able to achieve well over 150 MB per second, DMA transfer speeds. The 00:04:40.714,00:04:45.852 PCILeech is also capable of the kernel implants, in fact it's relying heavily on kernel 00:04:45.852,00:04:50.857 implants. But what makes all this possible is, of course PCI express. PCI express is a high 00:04:57.264,00:05:02.836 speed serial expansion bus, or it's not really a bus since it's point to point communication but 00:05:02.836,00:05:07.841 anyway, it's er packet based. And to the upper right you see a schematic of, er, PCI express. 00:05:10.710,00:05:17.017 You have the PCI express root complex anchored within the CPU ship. From this root complex you 00:05:17.017,00:05:22.088 have a er several serial lanes that you can connect several PCI express end points to, you can 00:05:22.088,00:05:28.428 also connect like PCI switches and bridges, so you can say that PCI express forms a small device 00:05:28.428,00:05:33.433 network within a computer. Depending on how much bandwidth the device needs it can er 00:05:36.036,00:05:40.974 consume between one and sixteen serial lanes, a graphics card that needs lots of bandwidth 00:05:40.974,00:05:45.979 typically consumes like sixteen lanes. PCI express is designed to be hot pluggable and it comes 00:05:48.348,00:05:54.287 in many form package and variations. It comes as the standard form factor as you 00:05:54.287,00:06:00.794 know, the PCI express, standard graphics card and similar things. It comes in the mini PCI 00:06:00.794,00:06:06.900 express form factor as you saw in a previous life. It comes as express card which goes into 00:06:06.900,00:06:11.905 laptops and also Thunderbolt encapsulates PCI express. And what's nice about PCI express 00:06:14.441,00:06:19.446 from our point of view is that it's DMA capable and that means it's circumventing the CPU of 00:06:21.481,00:06:26.486 course, so the PCI express points can read and write memory directly. But what's direct 00:06:30.090,00:06:35.095 memory access and how does it work? When you have the CPU core it usually executes code in 00:06:39.499,00:06:44.371 something called a virtual address space and you have a memory management unit which is 00:06:44.371,00:06:49.976 built into the CPU which uses page tables in order to translate these virtual 00:06:49.976,00:06:56.549 addresses into physical addresses and it actually translates pages and a page is 00:06:56.549,00:07:01.488 typically 4KB long and it can be larger as well but er, most cases are 4KB long. And PCI 00:07:04.691,00:07:09.095 express devices have traditionally been able to access all physical memories 00:07:09.095,00:07:14.100 straight out without any limitations whatsoever. But CPUs now a days do have something 00:07:17.070,00:07:22.075 called a IOMMU, which works a similar way to, to the memory management unit for a CPU and 00:07:24.311,00:07:29.316 this allows for, works as virtualization of device addresses as well. So in theory, 00:07:31.318,00:07:37.257 the operating system should be able to protect themselves fully against DMA attacks if the IOMMU 00:07:37.257,00:07:42.262 is fully used. But as we will see later on, that's not really the case. Actually this is the 00:07:46.466,00:07:51.471 complete firmware of the PCILeech device. It's a whopping 46 bytes in total and the first 00:07:56.309,00:08:01.247 two bytes is a header, or actually the first byte is a header 5A 00 tells us that it 00:08:03.249,00:08:09.389 jus load data from the data configuration er into the configuration registers at power 00:08:09.389,00:08:14.394 on. Next we have the length which is in little endian, so 2A is er, 4 to 2 bytes of 00:08:19.966,00:08:26.873 configuration data. Then we have the USB controller register, we need it to enable the USB three 00:08:26.873,00:08:32.846 port on this board because it's disabled by default. First you have an address to deregister, 00:08:32.846,00:08:37.851 with the 2310 here, and then you have er deward or 4 bytes or 32 bits which is er programmed into 00:08:41.788,00:08:46.793 that register at power on. And disenable the USB 3 port. Then we set the PCI express vendor ID 00:08:50.163,00:08:56.669 and Product ID to a broadcom SD card and erm, this pretty much a left over from the slotscreamer 00:08:56.669,00:09:01.608 software I started to toy toy around with. And then in green here we enable the four DMA 00:09:04.210,00:09:10.316 endpoints which are kept capable of high speed DMA transfers between USB three and PCI 00:09:10.316,00:09:12.318 express. Insert the first endpoint to a write endpoint which allows us to write memory 00:09:12.318,00:09:14.320 from USB into main memory of the target computer as high speeds. Then we set the following three 00:09:14.320,00:09:19.325 endpoints to read endpoints. Reason why we set three endpoint to read endpoints is that read 00:09:32.672,00:09:37.744 is much more common than write and we can get a little more transfer speed out of this ship 00:09:37.744,00:09:44.584 if we're doing multi threaded access. And of last we set the USB vendor product ID and end 00:09:44.584,00:09:51.157 product ID to Google Glass. And the reason why I'm doing this is that er I wrote this program for 00:09:51.157,00:09:56.162 Windows. Windows has a very nice user mode USB stack called WinUSB, but er in order to 00:09:58.264,00:10:03.803 activate it for a certain hardware you need to sign a small configuration file with a 00:10:03.803,00:10:10.710 driver sign certificate. And er those ones are kinda expensive, so I didn't want to purchase 00:10:10.710,00:10:15.715 one. It was much easier to find a device out there that actually uses this WinUSB stuff already 00:10:17.750,00:10:22.755 and lie about being that device. But, let's get into the kernels. Most computer today, they do 00:10:29.229,00:10:35.869 have more than 4GIGs of memory. If you are able to get the kernel module into a system it 00:10:35.869,00:10:42.509 should be able to access all memory. And also be able to execute code. So what we can do 00:10:42.509,00:10:48.815 is we can search for kernel structures, code signatures – whatever in lower memory using 00:10:48.815,00:10:53.820 DMA and patch that code and hijack execution flow of the kernel code that way. And when 00:10:56.956,00:11:01.261 we are doing this we need to keep in mind that the PCI express DMA works with physical 00:11:01.261,00:11:06.266 addresses. Kernel code runs in er virtual address space. I divided exploitation into three 00:11:09.602,00:11:14.607 stages: first you have the stage one which is pretty much just a hook, then we have the stage two 00:11:16.843,00:11:21.848 which is the stager for the final stage three kernel module implant. We start by er trying 00:11:26.052,00:11:32.792 to locate the kernel, or a driver or whatever in the kernel space that we can target. 00:11:32.792,00:11:39.766 Usually at the end of the kernel itself or a driver, there's some free space in the last page 00:11:39.766,00:11:45.471 because it's usually not completely filled out and that page is already executable so we 00:11:45.471,00:11:50.476 put our stage two code in there which is around 500 bytes. Then we search for a function to hook 00:11:52.946,00:11:57.951 and erm, yeah, and once we find that function we overwrite it with a cool into the stage two 00:12:00.820,00:12:06.726 code which is already written into the kernel. And when a thread starts executing the hook 00:12:06.726,00:12:11.731 function, it immediately jumps to the stage two hardcode and er the very first thing the stage 00:12:15.602,00:12:20.607 two code does, it restores the stage one code to its original state. Then we check if you're 00:12:23.409,00:12:29.015 the first thread running here, we might run in a multi-threaded environment. And er if you're 00:12:29.015,00:12:34.821 not the first thread running here, it immediately jumps back to the now unhooked stage one 00:12:34.821,00:12:40.827 function and resume the normal execution flow for that kernel thread. But if you are the first 00:12:40.827,00:12:46.232 thread running here, we locate the base of the kernel and we need that in order to look up 00:12:46.232,00:12:51.904 some er function pointers, that we are going to need later on. For example, we need those 00:12:51.904,00:12:56.909 function pointers in order to allocate two pages of memory. The first page we use as a 00:12:59.145,00:13:04.083 buffer, the PCILeech main control program running on the other computer can use DMA in 00:13:06.686,00:13:11.291 this buffer in order to communicate with the kernel module that we are going to 00:13:11.291,00:13:16.296 insert. The second stage is the kernel module or the stage three code itself. Then we write a 00:13:19.032,00:13:24.037 small stage three step into the second page, and this is pretty much just a tight loop. And then 00:13:27.140,00:13:33.680 we create a new kernel thread in that loop. And at the very end in the stage two section we 00:13:33.680,00:13:38.685 write the physically address of the buffer we allocated into the er code where the stage two part 00:13:41.120,00:13:46.125 is located and the PCILeech main control program is pulling this buffer all the time er with DMA 00:13:48.695,00:13:54.367 and once it receives the physical address, it writes the complete stage three contents in 00:13:54.367,00:13:59.372 that stage three contents into that address it received. Then the loop, which is already 00:14:04.510,00:14:09.649 executing the thre- the kernel thread there it senses that the complete stage three contents is 00:14:09.649,00:14:14.654 written so it exits exits and erm starts by setting up a DMA buffer which is around 4 to 16 00:14:17.523,00:14:24.130 megabytes big in lower memory. And then it starts looping, waiting for commands. The 00:14:24.130,00:14:29.135 commands are pretty much: read memory, write memory, execute code or exit. But, let's start 00:14:32.238,00:14:37.243 by attacking Linux. The Linux kernel is located in a low physical memory, if kernel 00:14:40.880,00:14:47.220 address layerization is not enabled it's located at 16 megabytes in physical memory. If 00:14:47.220,00:14:52.225 KASLR is enabled, it slides at 2 megabyte chunks. So once we find the kernel we search for a 00:14:56.929,00:15:02.935 function, a random function to hook, in my code I show [inaudible], since it gets 00:15:02.935,00:15:09.008 called pretty often and it works fine. And then I search for a function called kallsyms look-up 00:15:09.008,00:15:15.381 name. This is pretty much the equivalent of get proxy address in Windows. It allows me to use 00:15:15.381,00:15:21.721 a kernel symbol name, er and send it to that function and if we look up the function point, 00:15:21.721,00:15:27.627 function pointer for that, or a symbol for that. Then we write the stage 2 code and write the 00:15:27.627,00:15:34.500 stage 1 code, then we wait for the stage 2 code to return with a physical address of stage 3. 00:15:34.500,00:15:39.505 We write the complete stage 3 code and then it's demo time. In this demo I will show how we can 00:15:41.908,00:15:48.447 use a generic kernel implant in order to both pull and push files from and to a Linux system 00:15:48.447,00:15:53.452 and I'm also going to dump the memory. Hmm. Let's see, demos aren't supposed to be like this. 00:16:04.864,00:16:09.869 Sorry about that. You see a kallas Linux computer. We will try to log on to that computer 00:16:15.975,00:16:20.980 with the er root account. [extended silence] Ah! That one was not working here with Joe, 00:16:58.784,00:17:03.956 we will reboot the computer afterwards and do the demo, do the Windows demo but we will 00:17:03.956,00:17:07.093 start by dumping the memory on this computer anyway. So, er, let's dump the memory. Er...we 00:17:07.093,00:17:12.098 use the Linux 64 bit kernel module. We going to dump the memory and store in C temp here. 00:17:31.951,00:17:36.956 So first we insert the kernel module into RAMing kernel, then we receive execution and then 00:17:39.025,00:17:44.530 memory dumping is starting. Memory dumping works the following way, is that kernel 00:17:44.530,00:17:51.070 module first asks the RAMing kernel about the physical memory map. In computers, physical 00:17:51.070,00:17:56.943 memory was not one big chunk of memory, you have like memory PCI Express devices in between 00:17:56.943,00:18:01.347 there, that if you read those ones you can crash the computer whatever you also have 00:18:01.347,00:18:08.154 unreadable memory such as system management mode that you can't read. So, it first queries the 00:18:08.154,00:18:13.759 computer about the memory map. Reports this back to the PCILeech main control program 00:18:13.759,00:18:18.965 and once the main control program knows about the physical memory map it can ask the 00:18:18.965,00:18:23.970 inserted kernel module to read certain memory chunks. Dumping memory is usually pretty fast. 00:18:28.341,00:18:33.346 It's a should be well over 150 megabytes per second but in this demo I have to use a crappy USB 00:18:35.381,00:18:41.087 hub, so the speed is a little bit lower, but it should still be well in the excess of 100 00:18:41.087,00:18:46.092 megabytes per second as you can see here. [applause]Tthank you very much. And er when we dump 00:18:56.635,00:19:01.574 the memory, lets try run to run volatility on it as well. I'm running the Linux PCI command 00:19:10.950,00:19:17.656 here. Just to show you that it's working here. At the very bottom you see the PCILeech kernel 00:19:17.656,00:19:22.728 thread for the inserted kernel module. And if you scroll up here you see lots of kernel 00:19:22.728,00:19:27.733 threads, and user mode and the processes here and the system at the very top here. Er, so let's 00:19:30.936,00:19:35.941 move back to Windows 10. In Windows 10 the kernel is located at the top of the physical 00:19:41.881,00:19:48.454 memory which is em is kinda boring for us since we can't access it directly and this a 00:19:48.454,00:19:54.093 problem for us if a computer do have more than about 3 and a half GIGS of RAM. And the reason 00:19:54.093,00:19:59.832 for that is memory map PCI express devices and other things pushes the last bytes of memory 00:19:59.832,00:20:04.837 well over above 4 GIGS. So this means that the kernel executable is not reachable directly and 00:20:07.440,00:20:13.913 most drivers are a bit below below, above 4 gigs so they're not reachable, but if we look at 00:20:13.913,00:20:18.918 the memory structures below 4 gigs. We see that the page table for the kernel itself and 00:20:21.887,00:20:26.892 important er kernel drivers are actually a bit below 4 gigs in its entirety. So, let's attack 00:20:30.629,00:20:35.634 the page table. Paging on a 64 bit system works this way. First you have a virtual address or a 00:20:39.371,00:20:44.643 linear address in the top in red here that you wish to translate into a physical address, and 00:20:44.643,00:20:51.617 this what the memory management unit is doing. So, it memory management unit starts by 00:20:51.617,00:20:56.622 reading the physical address in a CPU register called CR3 in order to find the um physical 00:20:59.992,00:21:04.930 base address of a table called page mapping level 4. And you take the top most bits from the 00:21:07.800,00:21:12.805 virtual address to point out which entry in that table to use and then in the PLM 4 entry you 00:21:15.508,00:21:20.513 have the physical address of the page directory pointer table. And you take some more bits from 00:21:22.648,00:21:28.554 the virtual address to point out the entry in back table which contains the physical address of 00:21:28.554,00:21:33.559 the page directory. Take some more bits from the virtual address which contains the entry 00:21:35.628,00:21:40.633 in back table which erm is erm the physical base address of the page table itself. Take some 00:21:44.303,00:21:49.742 more bits in the page in the virtual address and you get the page table entry. It's the entry 00:21:49.742,00:21:55.080 that we're going to target and corrupt in order to gain kernel execution. What's nice about 00:21:55.080,00:22:00.019 this is that all four paging structures here are actually loaded below 4 GIGs, so we can 00:22:03.255,00:22:08.260 access them by using DMA. Kernel address space starts up the address that you see here on 00:22:10.763,00:22:16.502 this slide. Windows do have kernel address space layer randomization, so that means 00:22:16.502,00:22:22.141 that there is no fixed erm virtual addresses between reboots; the kernel is loaded up 00:22:22.141,00:22:28.747 different places and drivers are loaded up different places as well so we can't use that. But 00:22:28.747,00:22:35.554 if we take a page level entry and have a look at the er lowest three bits and the highest bit 00:22:35.554,00:22:40.559 which is the present bit, and if it's a read or write page or if it's a user or supervisor slash 00:22:43.062,00:22:49.134 kernel page or if it's an executable or non-executable page those four bits together 00:22:49.134,00:22:54.139 form what I call a page signature. And if you take, have a look at the driver, the kernel 00:22:58.010,00:23:04.450 itself, it actually, you can call those collec-collection of page signatures a driver 00:23:04.450,00:23:09.455 signature. So what I'm doing? I'm searching for the driver signature by walking the page 00:23:11.490,00:23:18.430 table. Once I find the correct driver to target, I locate the page. I rewrite the physical 00:23:18.430,00:23:23.435 address in the page table entry to a place below 4GIGs which I can control over DMA. So let's 00:23:26.839,00:23:31.844 continue onto the Windows 10 demo. In this demo I will use a page table rewrite in order to 00:23:34.046,00:23:40.452 er implant a kernel module. I'm going to execute code and I'm going to dump memory. I'm going 00:23:40.452,00:23:45.457 to spawn a system shell and also try to unlock the computer. So, let's switch over to the demo. 00:23:48.160,00:23:53.732 Here we have a Windows 10 computer, we will try to log on to that computer without using a 00:23:53.732,00:23:58.737 password here. As you can...[silence]. As you can see we couldn't log on to that 00:24:15.754,00:24:21.126 computer without using a password on the domain account. But what we can do is that we 00:24:21.126,00:24:26.131 can insert the PCILeech device here into the computer and once we done that we can try to load 00:24:29.668,00:24:34.673 a kernel module in to running kernel by using a page table hijack. So in Windows 10 because 00:24:37.209,00:24:41.580 we are looking for driver signatures we need to target a specific driver version. So 00:24:41.580,00:24:46.585 let's do that and use the page table hijack here. So we search for page table location. We 00:24:50.289,00:24:55.861 hijack the page table. We wait for a kernel thread to start executing there. We receive 00:24:55.861,00:25:02.668 execution and we loaded the kernel module at this memory address. And now we can try to 00:25:02.668,00:25:07.740 remove the password requirement on that computer. By the way it's fully bit lockered so we 00:25:07.740,00:25:12.745 can't log on to it without using a password. In order to do this we need to erm specify, we are 00:25:17.549,00:25:22.554 going to use the unlock implant. It works similar way to inception, but er this is all 00:25:25.190,00:25:30.195 done in kernel code because we are inserting this kernel module into the target system. And in 00:25:32.297,00:25:36.435 order to insert it, it also needs to specify the memory address we just received here. 00:25:36.435,00:25:41.440 So let's do that. And it has zero success here. So it's a zero here so, so let's try and 00:25:45.744,00:25:50.749 log on. [applause]. As you can see it's quite easy to log on to that, this computer. Erm, let's 00:26:08.400,00:26:13.405 er try to dump the memory of that computer as well. And we need to specify the kernel 00:26:16.642,00:26:21.647 module address of the loaded kernel module here as well. Dumping, dumping memory works in 00:26:25.217,00:26:32.090 a similar way to Linux. First we ask the er kernel module that is already inserted to report back 00:26:32.090,00:26:38.464 the physical memory map to the PCILeech main control program, running on er my demo computer 00:26:38.464,00:26:43.469 here. Then it er asks the running kernel module to read certain memory chunks it knows 00:26:45.671,00:26:52.044 it's already accessible. And store them in the DMA buffer that was already allocated in 00:26:52.044,00:26:57.049 lower memory. Memory dumping takes around a minute on an 8 GIG system. And of course once 00:27:00.319,00:27:04.857 you've dumped all the memory you run memory forensics tools on it such as volatility, you should 00:27:04.857,00:27:10.863 also be able to, for example extract credentials with mimecast or that things like 00:27:10.863,00:27:15.868 that. And this works on fully bit lockered computers by the way. So let's wait until the 00:27:23.809,00:27:28.814 memory dump is complete here. And let's er try to spawn the system shell. In order to spawn 00:27:41.960,00:27:46.965 the system shell, it can use the PMS and D system kernel implant. And we also need to specify the 00:27:50.269,00:27:55.541 memory address of the kernel module that is already inserted into the kernel, so let's try to 00:27:55.541,00:28:00.479 run it on the system shell. And it's as easy as that. So let's check who we are. [applause]. 00:28:09.788,00:28:15.360 Thank you very much. And as you can see, we're in a system here and once we're in a system of 00:28:15.360,00:28:20.365 course you can do everything. It can disable bitlocker, we can er spy on other users' files and er 00:28:23.535,00:28:26.238 do whatever stuff, so. But let's not do this here. So, erm because this is a Windows demo, 00:28:26.238,00:28:28.307 there is one more thing missing here. So, we need to specify the kernel module address here as 00:28:28.307,00:28:33.312 well. We're missing a blue screen here, and what's missing that one? So er let's run the PS 00:28:46.858,00:28:51.863 blue er kernel implant here. Erm and er as you can see [audience laughter and applause] as you 00:28:59.104,00:29:04.042 can see Windows don't like me. Actually, Windows 10 they do have some very nice anti DMA 00:29:12.784,00:29:17.789 features built in in the enterprise version. But they are not enabled by default. Windows 00:29:20.759,00:29:24.363 10 can be made rather secure against DMA attacks if er the rationalization base security 00:29:24.363,00:29:26.365 features are enabled like credentials guard and device guard. But, it's quite easy 00:29:26.365,00:29:28.367 often for users to mess around with settings in the UA Field. Like disable or disable VT-d, 00:29:28.367,00:29:30.369 disable the secure boot and things like that er, than er this virtualization base 00:29:30.369,00:29:35.374 security feature will be disabled in Windows as well so. So, we come to recommendations 00:29:55.193,00:30:00.198 later on. But er let's target the last missing operating system here, that is OSX. OSX is 00:30:03.168,00:30:08.173 just like Linux, it's located the kernel of OSX, is located in er low physical memory. Its 00:30:12.744,00:30:17.749 location is dependent on the kernel AS lower slide, it's large in 2 megabyte chunks. OSX 00:30:20.252,00:30:25.791 now a days imports kernel extension signing system integration protection means 00:30:25.791,00:30:31.730 that users can't write to certain folders. And kernel extension signing means that you 00:30:31.730,00:30:36.735 can't load unsigned drivers. OSX today pretty much have er Thunderbolt, but er Thnderbolt 00:30:41.473,00:30:46.478 is the actually protected with the Vt-d OSX actually uses this app IOMMU to protect itself from 00:30:50.382,00:30:55.387 DMA attacks so that's kinda boring, so what can we do? In order to change that? So we can 00:31:00.525,00:31:05.530 visit Apple's website. Thank you Apple. Erm Apple on their website tells us in pain how to 00:31:08.633,00:31:13.638 disable VT-d. So, ja, it's as easy as that. In OSX we'll first search by using DMA. We'll 00:31:20.979,00:31:27.686 search for the er Mach O kernel header. Mach O is the binary format on binarous in mach to 00:31:27.686,00:31:32.624 including the kernel. Erm, then we search for like a random nice function to hook. I think guy 00:31:32.624,00:31:37.629 hook mancop in this example. And then we write the stage 2 code into the memory of the target 00:31:42.067,00:31:47.973 computer, then we write the stage 1 code. We wait for stage 2 code to return with physical 00:31:47.973,00:31:52.978 address of stage 3 code, we write the stage 3 code then it's demo time. In this demo I will 00:31:56.148,00:32:02.454 show you how to erm to disable VT-d in order to gain DMA access. And then we're going to 00:32:02.454,00:32:07.459 dump the memory and unlock the computer. So here you have a Mac, actually to write here you 00:32:14.833,00:32:19.838 have a express card to er, Thunderbolt commander which you don't really need for this part. 00:32:22.808,00:32:27.813 Er, all you need in order to disable Vt-d is that you need to power on the Mac, which we will 00:32:35.987,00:32:40.992 do in a second, this is kinda slow here... I think the movie was very slow. Hmm. Let's try to 00:33:01.012,00:33:06.017 re-open it. Ah, let's move on here. We're actually rebooting to recover mode by pressing 00:33:17.495,00:33:24.035 command R, er when we are starting the computer, then you enter recovery mode, there is no 00:33:24.035,00:33:29.574 password entered into recovery mode [some clapping from audience] [laughs] and then you 00:33:29.574,00:33:36.348 start the terminal and then you type envy Ram boot or start equals CO, just er ask the Mac, 00:33:36.348,00:33:41.353 Apple tells you on their website and VT-d is now fully disabled here. Erm, so once VT-d is fully 00:33:46.458,00:33:51.496 disabled, we should be able to target the computer over Thunderbolt here, so let's do 00:33:51.496,00:33:56.501 that. Er, you have er Mac book air with that adapter connected to the right. And let's try to 00:34:01.940,00:34:06.945 log on to that computer without using a password at all. As you saw we could not log on to that 00:34:20.892,00:34:27.399 computer, which is kinda boring so let's insert the PCILeech, I control the adapter from 00:34:27.399,00:34:32.404 [inaudible] here so. Let's start by loading a kernel module into the running Mac OS kernel here. 00:34:36.341,00:34:40.845 And it's as easy as that. We say that we're going to load the kernel module and that we're 00:34:40.845,00:34:45.850 going to target OSX here. And the kernel module is loaded up this address, and then we should 00:34:48.253,00:34:53.258 be able to remove the password requirement on this Mac. So let's run the er Apple 64 bit 00:35:00.598,00:35:06.738 unlock implant here. And we need to specify the er memory address of the already inserted kernel 00:35:06.738,00:35:11.743 module as well. And it's a serious success here. We have a status zero here so we should be 00:35:14.779,00:35:19.784 able to log on here. So let's try to do that. [applause]. And we're in! Thank you very much. 00:35:32.530,00:35:37.535 Thank you very much. Erm, so what can we do about this? In order to protect ourselves 00:35:45.710,00:35:50.715 better? Of course we can purchase hardware without using any DMA porche whatsoever, it's 00:35:53.218,00:35:58.223 the low tech variant. Works perfectly fine. Erm, if you do have Windows with auto booting 00:36:00.492,00:36:06.631 bitlocker and things like that, erm we should be able to disable like express [inaudible] in the 00:36:06.631,00:36:11.636 er computers. You can do das, this in er UAP settings usually, but then you need to, you 00:36:15.273,00:36:21.780 probably need to change the bitlocker settings in order for it to trigger if this port is 00:36:21.780,00:36:26.785 re-enabled at a later stage. Of course, if you don't want your Mac erm security disabled in 00:36:30.955,00:36:36.561 recovery mode you can set a firmer password on the Mac in order to protect yourself and 00:36:36.561,00:36:41.566 also the setting a bio pasword in the pc is a good idea. Of course pre-boot authentication 00:36:44.269,00:36:49.274 is always nice to have. And er, of course the long term solution here is for the operating system 00:36:51.743,00:36:56.748 damage actually to make full use of the IOMMU that is already in the hardware. And Windows 10 has 00:37:00.118,00:37:05.957 some very nice virtualization based security features there going on. So Microsoft seem to 00:37:05.957,00:37:10.962 be do some very nice work as well. So what can we use PCILeech for? Of course we can 00:37:14.299,00:37:19.304 use it for awareness. It's part why I'm doing this talk. You saw today that full disk encryption 00:37:21.706,00:37:26.711 is not really invincible in anyway. It's er excellent for forensics and malware analysis. 00:37:30.548,00:37:35.887 Er sometimes you want to er run malware samples on relying hardware and you don't want to 00:37:35.887,00:37:41.192 pollute that system with lots of diagnostics , software whatever, so it could be nice to have a 00:37:41.192,00:37:46.197 kernel implant in a hardware device. You can use it to load unsigned drivers into your 00:37:49.067,00:37:54.072 operating system kernels. It's a good pen testing tool. I do realise that law enforcement 00:37:59.410,00:38:03.047 might use this tool as well. But er please, if you want to take a look at this don't do any evil 00:38:03.047,00:38:08.052 with this tool. PCILeech targets 64 bit operating systems. It runs on 64 bit Windows 7 and 10 00:38:14.993,00:38:19.998 at the moment. It's able to read up to 4 GIGs natively and if you are able to insert the kernel 00:38:22.100,00:38:28.606 module it should be able to read all memory of the target system that that kernel can er read. 00:38:28.606,00:38:32.744 And if a kernel module is inserted, obviously you can execute code on the target 00:38:32.744,00:38:37.749 system as well. I have kernel modules for Linux, Windows and OSX at the moment. It's er 00:38:40.685,00:38:47.425 written in C and Assembly in visual studio. It's a module [inaudible] sign. I tried to 00:38:47.425,00:38:53.198 make it as modular as possible. You should be able to create your own signatures very easily. 00:38:53.198,00:38:58.203 And er also create your own kernel implants. Actually to right here you see very minimal 00:39:00.205,00:39:05.210 kernel implant, erm it's in Assembly and it reads some control registers on of the CPU 00:39:08.179,00:39:13.184 and prints them on screen on the computer running the PCILeech main control program. Maybe we 00:39:16.821,00:39:21.826 should...but we are missing one thing here, to try the Linux demo again here. See if, er, 00:39:24.729,00:39:29.734 better luck this time. So as you saw we couldn't log on with the tor as the default password. So, 00:39:52.490,00:39:57.495 let's pull a file from the Linux system. A nice file to pull is the shadow file. And it's as 00:40:00.498,00:40:05.436 easy as that pulling a shadow file from a running Linux system, which uses the encrypt 00:40:05.436,00:40:10.441 by the way. And er, we can open the shadow file and have a look at it. And the router count here 00:40:20.919,00:40:26.624 has a very long password hash. So, of course you can try to crack it, but it's no fun doing 00:40:26.624,00:40:31.629 that, so let's replace it instead with the default password hash of tor er, so this 00:40:34.132,00:40:39.137 is the default password hash of Tor. Erm so let's write the file back. And erm we're going to 00:40:42.006,00:40:47.011 push it back to the Linux system. And we are going to use the file push kernel implant 00:40:50.181,00:40:55.186 here. And now it should be on the target system. So, let's try to log on here. See if it works 00:41:12.103,00:41:17.108 better this time. [extended silence] And as you can see we're in [applause]. So when you 00:41:36.427,00:41:41.432 leave here today er I want you to remember that em, inexpensive universal DMA attacking is here, 00:41:44.335,00:41:49.340 it's the new reality of today. Physical ac-access is erm, still very much an issue. You should 00:41:53.344,00:41:58.583 be aware of potential email attacks for example if you bring your Mac on to a security 00:41:58.583,00:42:05.289 conferences [laughter from audience] and er, please do remember that full disk 00:42:05.289,00:42:10.294 encryption it's not invincible. After this talk I will be making the er Github [inaudible] public 00:42:16.434,00:42:21.439 at er this address here. And please give me a couple of hours in order to do that, but I will 00:42:24.042,00:42:29.046 definitely do it er today. And thank you very much to Joe for er the slotscreamer and er 00:42:34.986,00:42:39.991 you've been a huge inspiration also for my work here so thank you very much Joe. [applause]. 00:42:49.767,00:42:56.340 And also thank you to inception for being a big inspirational source for my work. And also the 00:42:56.340,00:43:01.279 guys at PLX technologies for creating this wonderful ship. So, thank you, thank you very 00:43:04.916,00:43:09.921 much for today.[applause].