SigPath: A Memory Graph Based Approach for Program Data Introspection and Modification

  • David Urbina
  • Yufei Gu
  • Juan Caballero
  • Zhiqiang Lin
Part of the Lecture Notes in Computer Science book series (LNCS, volume 8713)

Abstract

Examining and modifying data of interest in the memory of a target program is an important capability for security applications such as memory forensics, rootkit detection, game hacking, and virtual machine introspection. In this paper we present a novel memory-graph-based approach for program data introspection and modification that requires no source code, debugging symbols, or API in the target program. It takes as input a sequence of memory snapshots taken while the program executes and produces a path signature, which can be used in different executions of the program to efficiently locate and traverse the in-memory data structures where the data of interest is stored. We have implemented our approach in a tool called SigPath. We have applied SigPath to game hacking, building cheats for 10 popular real-time and turn-based games, and to memory forensics, recovering from snapshots the contacts a user has stored in four IM applications, including Skype and Yahoo Messenger.
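The abstract describes the mechanism at a high level: the snapshots are turned into a graph whose nodes are memory objects and whose edges are pointers, a path from a stable root (such as a global in the program's image) to the object holding the data of interest is extracted as a path signature, and that signature is replayed in other executions, where heap and image addresses differ. The Python sketch below is added here as an illustration of that idea; it is not the authors' SigPath implementation and the paper's algorithms are more involved. It assumes a 64-bit little-endian process, treats every aligned word whose value falls inside a mapped region as a pointer edge, and uses two constructed snapshots with a made-up layout (a module global at RVA 0x1000 pointing to a GameState object, GameState+0x10 pointing to a Player object, and a 32-bit gold counter at Player+0x20). The Snapshot class, the signature dictionary format, ROOT_RVA, and all addresses and function names are assumptions for the example.

```python
import struct
from collections import deque

PTR = 8  # pointer size of the constructed 64-bit little-endian snapshots (assumption)


class Snapshot:
    """A flat memory image made of a few regions (base address -> bytes).
    Constructed for illustration; a real tool would parse a process dump."""

    def __init__(self, regions):
        self.regions = {base: bytearray(buf) for base, buf in regions.items()}

    def region_of(self, addr):
        for base, buf in self.regions.items():       # (base, buffer) holding addr
            if base <= addr < base + len(buf):
                return base, buf
        return None

    def read(self, addr, size):
        hit = self.region_of(addr)
        if hit is None or addr + size > hit[0] + len(hit[1]):
            raise ValueError(f"unmapped read at {addr:#x}")
        return bytes(hit[1][addr - hit[0]:addr - hit[0] + size])

    def write(self, addr, data):
        hit = self.region_of(addr)
        if hit is None or addr + len(data) > hit[0] + len(hit[1]):
            raise ValueError(f"unmapped write at {addr:#x}")
        hit[1][addr - hit[0]:addr - hit[0] + len(data)] = data

    def read_ptr(self, addr):
        return struct.unpack("<Q", self.read(addr, PTR))[0]


def derive_signature(snap, root, target):
    """Breadth-first search over the pointer graph of snap, from root to the object
    containing target. Aligned words that land in a mapped region are edges (false
    pointers are not filtered here). Returns the shortest path, or None."""
    prev = {root: None}                      # address -> (parent address, offset used)
    queue = deque([root])
    while queue:
        cur = queue.popleft()
        base, buf = snap.region_of(cur)
        end = base + len(buf)
        if cur <= target < end:              # target lies inside the object at cur
            offsets, a = [], cur
            while prev[a] is not None:
                a, off = prev[a]
                offsets.append(off)
            return {"pointer_offsets": offsets[::-1], "field_offset": target - cur}
        for off in range(0, end - cur - PTR + 1, PTR):
            p = snap.read_ptr(cur + off)
            if p not in prev and snap.region_of(p) is not None:
                prev[p] = (cur, off)
                queue.append(p)
    return None


def follow_signature(snap, root, sig):
    """Replay a signature in another snapshot (different layout) and return the
    address of the field of interest, failing loudly if the path is broken."""
    cur = root
    for off in sig["pointer_offsets"]:
        cur = snap.read_ptr(cur + off)
        if cur == 0:
            raise LookupError(f"null pointer at offset {off:#x} on the path")
        if snap.region_of(cur) is None:
            raise ValueError(f"path leaves mapped memory at {cur:#x}")
    return cur + sig["field_offset"]


def build_snapshot(module_base, state_addr, player_addr, gold):
    """Constructed layout (assumption): module global at RVA 0x1000 -> GameState;
    GameState+0x10 -> Player; Player+0x20 holds a 32-bit gold counter."""
    module, state, player = bytearray(0x2000), bytearray(0x40), bytearray(0x40)
    struct.pack_into("<Q", module, 0x1000, state_addr)
    struct.pack_into("<Q", state, 0x10, player_addr)
    struct.pack_into("<I", player, 0x20, gold)
    return Snapshot({module_base: module, state_addr: state, player_addr: player})


ROOT_RVA = 0x1000  # RVA of the module global used as the path's root (assumption)


def demo():
    """Derive the signature in one execution, replay it in a second with different
    addresses, then modify the located field in place."""
    base1, state1, player1 = 0x140000000, 0x1A0000, 0x1B0000
    snap1 = build_snapshot(base1, state1, player1, 250)
    # In practice the target address comes from comparing snapshots for a value that
    # tracks the quantity of interest; here the constructed layout tells us.
    sig = derive_signature(snap1, base1 + ROOT_RVA, player1 + 0x20)
    base2, state2, player2 = 0x7FF600000000, 0x2C0000, 0x2D0000
    snap2 = build_snapshot(base2, state2, player2, 7)
    addr = follow_signature(snap2, base2 + ROOT_RVA, sig)
    before = struct.unpack("<I", snap2.read(addr, 4))[0]
    snap2.write(addr, struct.pack("<I", 99999))      # the "cheat": overwrite gold
    after = struct.unpack("<I", snap2.read(addr, 4))[0]
    return sig, before, after


if __name__ == "__main__":
    print(demo())
```

Two things this sketch deliberately leaves out that any real introspection tool has to handle: integers that merely look like addresses (false pointers, which inflate the graph and can produce signatures that only work in the snapshot they were derived from), and pointers into the interior of objects, where the next offset must be taken relative to the pointed-to address rather than the object base. Checking every dereference against the mapped regions, as follow_signature does, is what turns a stale or wrong signature into a clean failure instead of a silent read of unrelated memory.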

Keywords

program data introspection; memory graph; game hacking

Copyright information

© Springer International Publishing Switzerland 2014

Authors and Affiliations

  • David Urbina (1)
  • Yufei Gu (1)
  • Juan Caballero (2)
  • Zhiqiang Lin (1)
  1. UT Dallas, USA
  2. IMDEA Software Institute, Spain