Ever wanted to dump all the executable pages of a process? Do you crave something capable of dealing with packed processes?
We've got you covered! May I introduce PageBuster, our tool to gather dumps of all executable pages of packed processes.
There are plenty of scenarios in which the ability to dump executable pages is highly desirable. Of course, there are many methods, some of which standard de facto, but it is not always as easy as it seems.
For example, think about the case of packed malware samples. Run-time packers are often used by malware-writers to obfuscate their code and hinder static analysis. Packers can be of growing complexity, and, in many cases, a precise moment in time when the entire original code is completely unpacked in memory doesn't even exist.
Therefore, the goals of PageBuster are:
In particular, given the widespread use of packers and their variety, our objective is to have a single all-encompassing solution, as opposed to packer-specific ones.
Ultimately, PageBuster fits in the context of the rev.ng decompiler. Specifically, it is related to what we call MetaAddress. Among other things, a MetaAddress enables you to represent an absolute value of an address together with a timestamp (epoch), so that it can be used to track how a memory location changes during the execution of a program. Frequently, you can have different code at different moments at the same address during program execution. PageBuster was designed around this simple yet effective data structure.
For more information, please refer to our blogpost.
There are two PageBuster implementations: a prototype user-space-only and the full-fledged one, employing with a kernel module.
The former is described in
The rest of this document describes the latter.
Make sure you have installed GCC and Linux kernel headers for your kernel. For Debian-based systems:
sudo apt install build-essential linux-headers-$(uname -r)
Then, build the kernel module:
cd pagebuster make
This will produce
pagebuster.ko, the module for the kernel you are currently running.
Please make sure the kernel version is lower than v5.9.2 since PageBuster has not been tested for newer versions.
Note: Please consider using a virtual machine (VirtualBox, VMWare, QEMU, etc.) for testing. The module could be harmful. Avoid killing your machine or production environment by accident.
To test PageBuster, you can insert the LKM and try it with whatever binary you want. We provided you with
.c program that simply maps and executes a shellcode. Inside the
/userland/c/ directory you will also find
simple.c, the one shown in the demo.
insmod the module and pass the name of the process as argument. Then, execute it.
insmod pagebuster.ko path=sigsegv.out ./sigsegv.out
/tmp directory, you will find all the timestamped dumps.
You should get an output similar to the following:
100000000_494 7ffff7d4b000_291 7ffff7dc7000_415 7ffff7eb9000_30 100001000_495 7ffff7d4c000_292 7ffff7dc8000_416 7ffff7eba000_31 7ffff7cd1000_169 7ffff7d4d000_293 7ffff7dc9000_417 7ffff7ebb000_32 7ffff7cd2000_170 7ffff7d4e000_294 7ffff7dca000_418 7ffff7ebc000_33 7ffff7cd3000_171 7ffff7d4f000_295 7ffff7dcb000_419 7ffff7ebd000_34 7ffff7cd4000_172 7ffff7d50000_296 7ffff7dcc000_420 7ffff7ebe000_35 7ffff7cd5000_173 7ffff7d51000_297 7ffff7dcd000_421 7ffff7ebf000_36 7ffff7cd6000_174 7ffff7d52000_298 7ffff7dce000_422 7ffff7ec0000_37 ...
To remove the LKM, run:
If you want to test it on a safe environment, you can use Ciro Santilli's emulation setup.
This setup has been mostly tested on Ubuntu. Reserve 12 GB of disk and run:
git clone https://github.com/cirosantilli/linux-kernel-module-cheat cd linux-kernel-module-cheat git reset --hard 5ec6595e1f3afb6213ba7c14ab5e4e3893a4089f
Unlike Ubuntu 20.04 LTS, here
kprobes is not enabled by default. So, you must enable it on linux kernel configs.
cd linux_config cat <<EOT >> default # Kprobes CONFIG_KPROBES=y EOT cd ..
Now, you can start the build:
# For Debian derivatives ./build --download-dependencies qemu-buildroot # If you use another distro, you'll have to install the deps manually ./build --no-apt --download-dependencies qemu-buildroot
The initial build will take a while (30 minutes to 2 hours) to clone and build.
Finally, what you need to do is to insert inside the environment the kernel module as well as all the
c programs you want to test it on.
If you want to do it manually, you can build the module as shown before, the target programs and then just put them inside QEMU:
cd linux-kernel-module-cheat cp /path/to/files $PWD/out/buildroot/build/default/x86_64/target/lkmc/ ./build-buildroot
In this way, you will find them inside the directory where you spawn.
You can now run QEMU:
Ctrl-A X to quit QEMU or type
If you use
linux-kernel-module-cheat to build the module and the programs for you, you can put
/kernel_modules, and the
c files inside
/userland/c. Then run:
# Rebuild and run ./build-userland ./build-modules ./run # Load kernel module cd /mnt/9p/out_rootfs_overlay/lkmc insmod pagebuster.ko path=sigsegv.out # Run the program ./c/sigsegv.out # List dumped pages ls /tmp
If you want to test with other binaries, you may put the source
.c file inside the
/userland/c folder and let the simulator compile it for you by running
./build-userland. Now, after running the system, you will find it compiled inside
If you want to try how PageBuster behaves with UPX-packed binaries, you should prepare them outside the QEMU guest environment, and then inject into it. First of all, install upx. On Ubuntu 20.04 LTS, run:
sudo apt-get update -y sudo apt-get install -y upx-ucl
Then, for instance, grab a
.c program and compile it. Make sure it reaches the minimum size required by upx to pack it: UPX cannot handle binaries under 40Kb. The best way to work-around this problem is to compile your binary in static mode, in order to get a bigger executable file.
So, just try:
gcc -static -o mytest mytest.c upx -o mytest_packed mytest
The easiest way to put it inside QEMU is the following.
cd linux-kernel-module-cheat cp /path/to/mytest_packed $PWD/out/buildroot/build/default/x86_64/target/lkmc/ ./build-buildroot
Now you can test it, in the usual way:
./run insmod /mnt/9p/out_rootfs_overlay/lkmc/pagebuster.ko path=mytest_packed ./mytest_packed ls /tmp
Output will be something like that:
401000_2 427000_40 44d000_78 473000_116 402000_3 428000_41 44e000_79 474000_117 403000_4 429000_42 44f000_80 475000_118 404000_5 42a000_43 450000_81 476000_119 405000_6 42b000_44 451000_82 477000_120 406000_7 42c000_45 452000_83 478000_121 407000_8 42d000_46 453000_84 479000_122 408000_9 42e000_47 454000_85 47a000_123 409000_10 42f000_48 455000_86 47b000_124 40a000_11 430000_49 456000_87 47c000_125
The content of this repository is licensed under the GPLv2. Many thanks to Alexei Lozovsky which inspired the ftrace hooking part of the project.