• Home
  • Become a Hacker
    • Get Started
    • Hacker Mindset
    • Roadmap
    • Simple Setup – Hacker 101
    • Types of Hackers
    • Recommended Courses
  • Boot People Offline
  • Courses
    • All Hacking Courses
    • Cyber Security School
  • CTF
    • Beginners to Advanced Guide
    • Create your own CTF box
    • Field and Resources Guide
    • Platforms & Wargames
    • Tools Used for Solving CTF
    • Writeups
  • Dark Web
    • Beginners Guide
    • Darknet Markets
    • Darkweb 101 (Anonymity Guide)
    • Dark Web OSINT Tools
    • Hacking Forums
    • Latest News
    • Onion Links
  • Hacker Gadgets
  • Hacking Books
  • Tools Directory
Menu
  • Home
  • Become a Hacker
    • Get Started
    • Hacker Mindset
    • Roadmap
    • Simple Setup – Hacker 101
    • Types of Hackers
    • Recommended Courses
  • Boot People Offline
  • Courses
    • All Hacking Courses
    • Cyber Security School
  • CTF
    • Beginners to Advanced Guide
    • Create your own CTF box
    • Field and Resources Guide
    • Platforms & Wargames
    • Tools Used for Solving CTF
    • Writeups
  • Dark Web
    • Beginners Guide
    • Darknet Markets
    • Darkweb 101 (Anonymity Guide)
    • Dark Web OSINT Tools
    • Hacking Forums
    • Latest News
    • Onion Links
  • Hacker Gadgets
  • Hacking Books
  • Tools Directory
Search
Close
  • Home
  • 2019
  • June
  • 16
  • Shadow-Box: Lightweight and Practical Kernel Protector for x86

Shadow-Box: Lightweight and Practical Kernel Protector for x86

June 16, 2019July 7, 2019 Comments Off on Shadow-Box: Lightweight and Practical Kernel Protector for x86
kernel protector shadow box monitoring shadow box virtualization

Shadow-box is a security monitoring framework for operating systems using state-of-the-art virtualization technologies.

Shadow-box has a novel architecture inspired by a shadow play. We made Shadow-box from scratch, and it is primarily composed of a lightweight hypervisor and a security monitor.

The lightweight hypervisor, Light-box, efficiently isolates an OS inside a guest machine and projects static and dynamic kernel objects of the guest into the host machine so that our security monitor in the host can investigate the projected images. The security monitor, Shadow-Watcher, places event monitors on static kernel elements and tests security of dynamic kernel elements.

Shadow-box manipulates address translations from the guest physical address to the host physical address in order to exclude unauthorized accesses to the host and the hypervisor spaces. In that way, Shadow-box can properly introspect the guest operating system and mediate all accesses, even when the operating system is compromised.

2.1. Architecture of Shadow-Box

Shadow-box is a lightweight and practical security monitoring framework using virtualization technologies.

We developed a security monitoring framework, Shadow-box that keeps an OS safe by filtering out unauthorized accesses to important kernel elements and defending the integrity of kernel elements periodically. Shadow-box relies upon its two subparts: a lightweight hypervisor and a security monitor. The lightweight hypervisor, Light-box, efficiently isolates an OS inside a guest machine and projects static and dynamic kernel objects of the guest into the host machine, so that our security monitor in the host can investigate the projected images. The security monitor, Shadow-watcher, places event monitors on static kernel elements and tests security of dynamic kernel elements. Running inside the host, it can test the security of the guest without malicious interference even when the guest OS is compromised.

If you want to know more about Shadow-box, please see my presentation and paper at Black Hat Asia 2017 and HITBSecConf 2017.

RapidScan – The Multi-Tool Web Vulnerability Scanner

3. How to Build

3.1. Prepare Kernel Build Environment (Ubuntu 16.04)

Because the Shadow-box protects the code area of the kernel, it conflicts with the runtime kernel patch feature (CONFIG_JUMP_LABEL). Therefore, if your kernel uses the runtime kernel patch feature, you should remove the feature. To remove it, you need to set a kernel build environment, change the kernel options, and install. The process is as follows.

# Prepare kernel source and build environment.
$> apt-get source linux
$> sudo apt-get build-dep linux
$> sudo apt-get install ncurses-dev

# Make new .config file.
$> cd linux-<your_kernel_version>
$> cp /boot/config-<your_kernel_version> .config
$> make menuconfig
# Load the .config file using the "Load" menu and save it to .config using the "Save" menu.

$> sed -i 's/CONFIG_JUMP_LABEL=y/# CONFIG_JUMP_LABEL is not set/g' .config

# Build kernel and modules.
$> make -j8; make modules

# Install kernel and modules.
$> sudo make modules_install
$> sudo make install

3.2. Prepare Shadow-Box and Kernel Symbols

Shadow-box should locate the data structures and functions for kernel integrity verification. These symbols can be found using kallsyms, but all symbols are not exposed to kallsyms. Therefore, Shadow-box uses the System.map file to embed symbols and kernel versions. How to add symbols and kernel versions to Shadow-box is as follows:

# Prepare Shadow-box source.
$> git clone https://github.com/kkamagui/shadow-box-for-x86.git
$> cd shadow-box-for-x86

# Prepare kernel symbols.
$> uname -v
#37-Ubuntu SMP Mon Apr 18 18:33:37 UTC 2016			<== Kernel version

# Copy system.map file to kernel_version name.
$> cp /boot/System.map-<your_kernel_version> system.map/"#37-Ubuntu SMP Mon Apr 18 18:33:37 UTC 2016.map"

3.3. Build Shadow-Box

When the kernel symbol is ready, type “make” command to build the Shadow-box. Then you can find shadow_box.ko in the same directory.

$> make
$> ls
shadow_box.ko shadow_box.h ...

4. How to Use

Shadow-box is loadable kernel module (LKM). So, when you need protection, you can load the shadow-box.ko module into the kernel with the insmod command.

$> sudo insmod shadow-box.ko

After Shadow-box is loaded, you can test the protection mechanisms of Shadow-box using rootkits such as Adore-ng. If you want to watch demo videos, please follow these links, Demo 1 and Demo 2.

Here is the rootkit detection example. If Shadow-box detects rootkits, Shadow-box writes kernel log messages about rootkit attacks.

# Load Adore-ng rootkit by command-line.
$> insmod adore_ng.ko
Segmentation fault (codre dumped)

# Show kernel log messages.
$> dmesg
... omitted ...
[    4.182249] Bluetooth: BNEP filters: protocol multicast
[    4.182252] Bluetooth: BNEP socket layer initialized
[   43.615020] shadow_box: module verification failed: signature and/or required key missing - tainting kernel
[   43.625298]      
[   43.625299] ███████╗██╗  ██╗ █████╗ ██████╗  ██████╗ ██╗    ██╗      ██████╗  ██████╗ ██╗  ██╗
[   43.625300] ██╔════╝██║  ██║██╔══██╗██╔══██╗██╔═══██╗██║    ██║      ██╔══██╗██╔═══██╗╚██╗██╔╝
[   43.625301] ███████╗███████║███████║██║  ██║██║   ██║██║ █╗ ██║█████╗██████╔╝██║   ██║ ╚███╔╝ 
[   43.625302] ╚════██║██╔══██║██╔══██║██║  ██║██║   ██║██║███╗██║╚════╝██╔══██╗██║   ██║ ██╔██╗ 
[   43.625303] ███████║██║  ██║██║  ██║██████╔╝╚██████╔╝╚███╔███╔╝      ██████╔╝╚██████╔╝██╔╝ ██╗
[   43.625303] ╚══════╝╚═╝  ╚═╝╚═╝  ╚═╝╚═════╝  ╚═════╝  ╚══╝╚══╝       ╚═════╝  ╚═════╝ ╚═╝  ╚═╝
[   43.625304]      
[   43.625304]                Lightweight Hypervisor-Based Kernel Protector
[   43.625305]      
[   43.633127] Shadow-box: CPU Count 4
[   43.633128] Shadow-box: Booting CPU ID 0
[   43.648616] Shadow-box: Protect Kernel Code Area
[   43.670134] Shadow-box:     [*] Complete
[   43.670135] Shadow-box: Protect Module Code Area
[   43.677168] Shadow-box:     [*] Complete
[   43.677338] Shadow-box: Framework Preinitialize
[   43.678077] Shadow-box:     [*] Complete
[   43.702142] Shadow-box: Framework Initailize
[   43.702180] Shadow-box:     [*] Task count 225
[   43.702181] Shadow-box:     [*] Module count 86
[   43.702182] Shadow-box:     [*] Complete
[   44.793463] Shadow-box: Lock IOMMU
[   44.794091] Shadow-box:     [*] Lock IOMMU complete
[   44.921020] Shadow-box: Execution Complete
[   44.921023] Shadow-box: ErrorCode: 0

#==================================================
# Adore-ng rootkit module is detected.
#==================================================
[   67.081071] Shadow-box: VM [0] Kernel module is loaded. Current PID: 1805, PPID: 1804, process name: insmod, module: adore_ng

[   67.081411]  ▄▄▄      ▓█████▄  ▒█████   ██▀███  ▓█████        ███▄    █   ▄████ 
[   67.081412]  ▒████▄    ▒██▀ ██▌▒██▒  ██▒▓██ ▒ ██▒▓█   ▀        ██ ▀█   █  ██▒ ▀█▒ 
[   67.081413]  ▒██  ▀█▄  ░██   █▌▒██░  ██▒▓██ ░▄█ ▒▒███    ███  ▓██  ▀█ ██▒▒██░▄▄▄░ 
[   67.081414]  ░██▄▄▄▄██ ░▓█▄   ▌▒██   ██░▒██▀▀█▄  ▒▓█  ▄  ▒▒▒  ▓██▒  ▐▌██▒░▓█  ██▓ 
[   67.081415]   ▓█   ▓██▒░▒████▓ ░ ████▓▒░░██▓ ▒██▒░▒████▒      ▒██░   ▓██░░▒▓███▀▒ 
[   67.081415]    ▒▒   ▓▒█░ ▒▒▓  ▒ ░ ▒░▒░▒░ ░ ▒▓ ░▒▓░░░ ▒░ ░      ░ ▒░   ▒ ▒  ░▒   ▒ 
[   67.081416]      ▒   ▒▒ ░ ░ ▒  ▒   ░ ▒ ▒░   ░▒ ░ ▒░ ░ ░  ░      ░ ░░   ░ ▒░  ░   ░ 
[   67.081417] 	   ░   ▒    ░ ░  ░ ░ ░ ░ ▒    ░░   ░    ░            ░   ░ ░ ░ ░   ░ 
[   67.081418] 	         ░  ░   ░        ░ ░     ░        ░  ░               ░       ░ 
[   67.081418] 			            ░                                                       
[   67.081419] Hide process PID 1738

#==================================================
# A memory attack at FFFFFFFF81A2D2400 is detected.
#==================================================
[   67.081448] Shadow-box: VM [0] Memory attack is detected
[   67.081450] Shadow-box: VM [0] Guest Linear: -2120035776, FFFFFFFF81A2D240
[   67.081451] Shadow-box: VM [0] Guest Physical: 44225088, 0000000002A2D240
[   67.081452] Shadow-box: VM [0] virt_to_phys: virt FFFFFFFF81A2D240 phys 0000000002A2D240
[   67.081453] Shadow-box: ErrorCode: 4
[   67.081463] general protection fault: 0000 [#1] SMP 
[   67.081485] Modules linked in: bnep snd_hda_codec_hdmi dell_led snd_hda_codec_realtek snd_hda_codec_generic nls_iso8859_1 snd_hda_intel snd_hda_codec intel_rapl x86_pkg_temp_thermal intel_powerclamp coretemp snd_hda_core kvm_intel snd_hwdep kvm dell_wmi sparse_keymap input_leds joydev snd_pcm irqbypass crct10dif_pclmul crc32_pclmul dcdbas snd_seq_midi snd_seq_midi_event aesni_intel aes_x86_64 lrw gf128mul glue_helper ablk_helper snd_rawmidi cryptd snd_seq serio_raw

#==================================================
# A hidden process, backdoor, is detected.
#==================================================
[   67.081632] Shadow-box: VM [1] Task count is different: expect 220, real 219
[   67.081653]  snd_seq_device
[   67.081659] Shadow-box: VM [1] Task PID: 1738, TGID: 1738, fork name: backdoor, process name: backdoor is hidden

[   67.081692]  snd_timer snd soundcore mei_me shpchp mei hci_uart btbcm btqca 8250_fintek btintel bluetooth intel_lpss_acpi intel_lpss acpi_als kfifo_buf acpi_pad industrialio mac_hid parport_pc ppdev lp parport autofs4 hid_generic usbhid i915_bpo intel_ips i2c_algo_bit drm_kms_helper syscopyarea sysfillrect e1000e psmouse sysimgblt fb_sys_fops ptp drm ahci pps_core libahci wmi video pinctrl_sunrisepoint i2c_hid pinctrl_intel hid fjes
[   67.081843] CPU: 0 PID: 1805 Comm: insmod Tainted: G           OE   4.4.0-21-generic #37-Ubuntu
[   67.081867] Hardware name: Dell Inc. OptiPlex 7040/096JG8, BIOS 1.2.8 01/26/2016
[   67.081887] task: ffff8801535dd880 ti: ffff880153520000 task.ti: ffff880153520000
[   67.081908] RIP: 0010:[<ffffffffc00081ac>]  [<ffffffffc00081ac>] init_module+0x1ac/0x1000 [adore_ng]
[   67.081939] RSP: 0018:ffff880153523c60  EFLAGS: 00010286
[   67.081974] RAX: ffffffff81a2d240 RBX: ffffffff81e11080 RCX: 0000000000050bc5
[   67.081993] RDX: ffffffff8127a080 RSI: ffffffffc0620480 RDI: ffff880155001300
[   67.082012] RBP: ffff880153523c88 R08: 000000000001a080 R09: ffffffff8121be34
[   67.082032] R10: ffffea00019f9a00 R11: 0000000000000000 R12: ffff880150f87300
[   67.082051] R13: 0000000000000000 R14: ffffffffc0008000 R15: ffff8801516802a0
[   67.082071] FS:  00007fabee1ad700(0000) GS:ffff880159c00000(0000) knlGS:0000000000000000
[   67.082093] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080040033
[   67.082109] CR2: 000055b34445f5b8 CR3: 0000000135b46000 CR4: 00000000003426f0
[   67.082131] DR0: 0000000000000041 DR1: 0000000000000041 DR2: 0000000000000041
[   67.082151] DR3: 0000000000000041 DR6: 0000000000000041 DR7: 0000000000000041
[   67.082157] Shadow-box: ErrorCode: 4
[   67.082180] Stack:
[   67.082186]  ffffc900012b3fff 00000000b870b587 ffffffff81e11080 ffff880150fa4340
[   67.082211]  0000000000000000 ffff880153523d08 ffffffff81002123 ffffea000278af80
[   67.082234]  ffff880153523ce0 0000000000000286 0000000000000001 0000000000000007
[   67.082258] Call Trace:
[   67.082270]  [<ffffffff81002123>] do_one_initcall+0xb3/0x200
[   67.082287]  [<ffffffff811eaeb3>] ? kmem_cache_alloc_trace+0x183/0x1f0
[   67.082308]  [<ffffffff8118c163>] do_init_module+0x5f/0x1cf
[   67.082324]  [<ffffffff81109df7>] load_module+0x1667/0x1c00
[   67.082341]  [<ffffffff811063a0>] ? __symbol_put+0x60/0x60
[   67.082358]  [<ffffffff812126b0>] ? kernel_read+0x50/0x80
[   67.082374]  [<ffffffff8110a5d4>] SYSC_finit_module+0xb4/0xe0
[   67.082391]  [<ffffffff8110a61e>] SyS_finit_module+0xe/0x10
[   67.082408]  [<ffffffff818244f2>] entry_SYSCALL_64_fastpath+0x16/0x71
[   67.082426] Code: ff fe ff 0f 22 c0 49 8b 44 24 18 48 89 15 25 83 61 00 48 c7 c6 80 04 62 c0 48 8b 40 30 48 8b 40 20 48 8b 10 48 89 15 cc 82 61 00 <48> c7 00 f0 9e 61 c0 48 c7 c2 70 90 61 c0 48 8b 3d 67 3e 61 00 
[   67.082539] RIP  [<ffffffffc00081ac>] init_module+0x1ac/0x1000 [adore_ng]
[   67.082559]  RSP <ffff880153523c60>
[   67.089935] ---[ end trace f2a6f5de2615c18a ]---

#==================================================
# A hidden module, adore_ng, is detected.
#==================================================
[   67.120456] Shadow-box: VM [2] Module count is different: expect 87, real 86
[   67.120479] Shadow-box: VM [2] Hidden module name: adore_ng, ptr: ffffffffc061c080
[   67.121298] Shadow-box: ErrorCode: 4

Beemka – Electron Exploitation Toolkit

5.Caution

Shadow-box protects kernel code, read-only data, system table, privilege register, etc. from rootkits. So, if you want to use Shadow-box, you should disable some features below.

  • Disable CONFIG_JUMP_LABEL
    • Change kernel config (.config)
  • Disable hibernation and suspend
    • Change system power management setting
  • Disable IRQ remapping for using IOMMU protection feature
    • Insert intremap=off at the end of linux /boot/vmlinuz… line in grub.cfg file

6.Known Issue

Shadow-box has some known issues below.

  • Too many logs in secure world stops the system intermittently.
    • If you want to log massive information, make FIFO like a kfifo and connect normal world and secure world

Acknowledgments

Shadow-box has been used to protect the kernel of Gooroom platform which is an open source project. This work was supported by Institute for Information & communications Technology Promotion (IITP) grant funded by the Korea government (MSIP) (No.R0236-15-1006, Open Source Software Promotion).

 

Post navigation

Beemka – Electron Exploitation Toolkit
US Cyber Command to Implant Malware on the Russian Grid

Related Articles

PatrOwl – Smart and Scalable Security Operations Orchestration Platform

- Threat Intelligence
October 7, 2019

Sampler – A Tool For Shell Commands Execution, Visualization And Alerting

- Threat Intelligence
August 17, 2019

ThreatHunting – A Splunk App Mapped To MITRE ATT&CK To Guide Your Threat Hunts

- Threat Intelligence
August 14, 2019
hacker gadgets
hacker phone covers

Recent Posts

Seekr: multi-purpose toolkit for gathering and managing OSINT Data

Seekr: multi-purpose toolkit for gathering and managing OSINT Data

February 7, 2023
reportly: AzureAD user activity report tool

reportly: AzureAD user activity report tool

February 7, 2023
PoC Exploit For GoAnywhere MFT 0-Day Flaw (CVE-2023-0669) Published Online

PoC Exploit For GoAnywhere MFT 0-Day Flaw (CVE-2023-0669) Published Online

February 7, 2023
FirmAE: Towards Large-Scale Emulation of IoT Firmware for Dynamic Analysis

FirmAE: Towards Large-Scale Emulation of IoT Firmware for Dynamic Analysis

February 6, 2023
Heap_Detective - The Simple Way To Detect Heap Memory Pitfalls In C++ And C

Heap_Detective – The Simple Way To Detect Heap Memory Pitfalls In C++ And C

February 6, 2023
OneNoteAnalyzer: analyzing malicious OneNote documents

OneNoteAnalyzer: analyzing malicious OneNote documents

February 6, 2023

Social Media Hacking

SocialPath – Track users across Social Media Platforms

SocialPath – Track users across Social Media Platforms

- Social Media Hacking
October 16, 2019October 16, 2019

SocialPath is a django application for gathering social media intelligence on specific username. It checks for Twitter, Instagram, Facebook, Reddit...

SocialScan – Check Email Address and Username Availability on Online Platforms

SocialScan – Check Email Address and Username Availability on Online Platforms

June 17, 2019
Shellphish – Phishing Tool For 18 Social Media Apps

Shellphish – Phishing Tool For 18 Social Media Apps

June 10, 2019July 27, 2019
WhatsApp Hacking using QRLJacking

WhatsApp Hacking using QRLJacking

May 2, 2019May 19, 2019
How to Hack any Facebook Account with Z-Shadow

How to Hack any Facebook Account with Z-Shadow

April 26, 2019June 29, 2020
hacker buffs

About Us

Haxf4rall is a collective, a good starting point and provides a variety of quality material for cyber security professionals.

Join Our Community!

Please wait...
Get the latest News and Hacking Tools delivered to your inbox.
Don't Worry ! You will not be spammed

Active Members

Submit a Tool

Hackers Handbook 2018


Grab your copy here

ABOUT US

Haxf4rall is a collective, a good starting point and provides a variety of quality material for cyber security professionals.

Our primary focus revolves around the latest tools released in the Infosec community and provide a platform for developers to showcase their skillset and current projects.

COMPANY
  • Contact Us
  • Disclaimer
  • Hacker Gadgets
  • LANC Remastered
  • PCPS IP Puller
  • Privacy Policy
  • Sitemap
  • Submit your Tool
Menu
  • Contact Us
  • Disclaimer
  • Hacker Gadgets
  • LANC Remastered
  • PCPS IP Puller
  • Privacy Policy
  • Sitemap
  • Submit your Tool
Live Chat
RESOURCES
  • Attack Process
  • Become a Hacker
  • Career Pathways
  • Dark Web
  • Hacking Books
  • Practice Your Skills
  • Recommended Courses
  • Simple Setup – Hacker 101
Menu
  • Attack Process
  • Become a Hacker
  • Career Pathways
  • Dark Web
  • Hacking Books
  • Practice Your Skills
  • Recommended Courses
  • Simple Setup – Hacker 101
Get Started
TOOLBOX
  • Anonymity
  • Bruteforce
  • DoS – Denial of Service
  • Information Gathering
  • Phishing
  • SQL Injection
  • Vulnerability Scanners
  • Wifi Hacking
Menu
  • Anonymity
  • Bruteforce
  • DoS – Denial of Service
  • Information Gathering
  • Phishing
  • SQL Injection
  • Vulnerability Scanners
  • Wifi Hacking
Tools Directory

2014 – 2020 | Haxf4rall.com               Stay Connected:

Facebook Twitter Google-plus Wordpress
Please wait...

Join Our Community

Subscribe now and get your free HACKERS HANDBOOK

Don't Worry ! You will not be spammed
SIGN UP FOR NEWSLETTER NOW