
DeviceMon

DeviceMon is a Windows driver that intercepts the communication between your PCI devices and their kernel drivers.

Description

DeviceMon is under ongoing development to support more PCI devices. It currently supports monitoring the SPI controller: any cycle sent to the SPI controller can be captured by DeviceMon, so anyone attempting to attack the flash ROM can, in theory, be caught by it. By intercepting the MMIO translation path, the communication between a driver and its device is easily exposed.

Environment

  • Visual Studio 2015 update 3
  • Windows SDK 10
  • Windows Driver Kit 10
  • Windows 10 x64 RS4
  • A machine with Intel VT-x (with EPT) enabled
  • Intel 100 / 200 / 300 Series chipset SPI interface

Installation

  • Build DeviceMon.sys

  • Enable test signing on x64 (takes effect after a reboot; test-signing mode relaxes driver signature enforcement for the whole machine, so use it on a test box, not a production one):

    bcdedit /set testsigning on

  • Install DeviceMon.sys

    sc create DeviceMon type= kernel binPath= C:\DeviceMon.sys

    sc start DeviceMon

Mechanism

  • With VT-x and EPT, the hypervisor can intercept the translation from guest-physical to host-physical addresses. PCI device communication relies heavily on MMIO, and the last step before a host-physical address goes out on the bus and the I/O is performed can be simplified to exactly that translation. By marking the EPT entries that cover a device's BAR as inaccessible, every MMIO access to the device causes an EPT violation into the VMM, which DeviceMon uses for runtime detection of malicious behavior and for analyzing a device driver's protocol. See my recent blog post for more detail.

Test it

  • Step 1: Collect the following information about the device you want to monitor.
typedef struct _PCI_MONITOR_CFG
{
	UINT8	BusNumber;		// PCI bus number of the device
	UINT8	DeviceNum;		// PCI device number
	UINT8	FuncNum;		// PCI function number
	UINT8	BarOffset[6];		// Config-space offset of each BAR to monitor, check your chipset datasheet
	UINT8	BarCount;		// Number of BARs to monitor (a 64-bit BAR counts once but occupies two offsets)
	//...
}PCIMONITORCFG, *PPCIMONITORCFG;
 
  • Step 2: Construct one and add it to the global config as follows
PCIMONITORCFG SpiDeviceInfo = 
{
 SPI_INTERFACE_BUS_NUMBER,
 SPI_INTERFACE_DEVICE_NUMBER,
 SPI_INTERFACE_FUNC_NUMBER ,
 {
   SPI_INTERFACE_SPIBAR_OFFSET,
   0,0,0,0,0
 },
 1,
 { 0 , 0 , 0 , 0 , 0 , 0 },
 SpiHandleMmioAccessCallback,
 { 0 , 0 , 0 , 0 , 0 , 0 },
 nullptr,
};

PCIMONITORCFG IntelMeDeviceInfo = 
{
 INTEL_ME_BUS_NUMBER,	
 INTEL_ME_DEVICE_NUMBER,
 INTEL_ME_FUNC_NUMBER ,
 {
   INTEL_ME_BAR_LOWER_OFFSET,
   INTEL_ME_BAR_UPPER_OFFSET,
   0,0,0,0,
 },
 1,		
 { 0 , 0 , 0 , 0 , 0 , 0 },
 IntelMeHandleMmioAccessCallback,
 {
   PCI_BAR_64BIT ,
   0 , 0 , 0 , 0 , 0 ,
 },
 IntelMeHandleBarCallback,
};

PCIMONITORCFG IntelMe2DeviceInfo = 
{
 INTEL_ME_BUS_NUMBER,	
 INTEL_ME_DEVICE_NUMBER,
 INTEL_ME_2_FUNC_NUMBER ,
 {
   INTEL_ME_BAR_LOWER_OFFSET,
   INTEL_ME_BAR_UPPER_OFFSET,
   0,0,0,0,
 },
 1,		
 { 0 , 0 , 0 , 0 , 0 , 0 },
 IntelMeHandleMmioAccessCallback,
 {
   PCI_BAR_64BIT ,
   0 , 0 , 0 , 0 , 0 ,
 },
 IntelMeHandleBarCallback,
};

PCIMONITORCFG IntelMe3DeviceInfo = 
{
 INTEL_ME_BUS_NUMBER,	
 INTEL_ME_DEVICE_NUMBER,
 INTEL_ME_3_FUNC_NUMBER ,
 {
   INTEL_ME_BAR_LOWER_OFFSET,
   INTEL_ME_BAR_UPPER_OFFSET,
   0,0,0,0,
 },
 1,		
 { 0 , 0 , 0 , 0 , 0 , 0 },
 IntelMeHandleMmioAccessCallback,
 {
   PCI_BAR_64BIT ,
   0 , 0 , 0 , 0 , 0 ,
 },
 IntelMeHandleBarCallback,
};

   
//Put your device configs here. The engine picks them up automatically.
PCIMONITORCFG g_MonitorDeviceList[] =
{
  SpiDeviceInfo,
  IntelMeDeviceInfo,
  IntelMe2DeviceInfo,
  IntelMe3DeviceInfo,
};
 
  • Step 3: Implement your callback with your device's logic. The engine will invoke it on every access (read or write) to the monitored BAR, with the following prototype:
typedef bool(*MMIOCALLBACK)(GpRegisters*  Context,	// guest general-purpose registers at the time of the access
   	ULONG_PTR InstPointer,	// address of the instruction that performed the access
   	ULONG_PTR MmioAddress,	// physical MMIO address that was accessed
   	ULONG	  InstLen,	// length of that instruction
   	ULONG	  Access	// access type: read or write
   );

Because PCI devices differ widely, take the device configuration (bus/device/function, BAR offsets and register layout) from the datasheet of your hardware manufacturer.
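The three steps above leave two pieces of work implicit: turning the BarOffset entries into the physical MMIO window the engine has to trap, and deciding inside the callback what an access means. The following is an added example written for this page, not DeviceMon's own code. It models both on the host with constructed PCI config-space images. Everything device-specific in it is an assumption to be checked against the chipset datasheet: the 4 KiB window per BAR, the value of the PCI_BAR_64BIT flag, and the Intel PCH 100-series SPI register layout (HSFSTS_CTL at SPIBAR+0x04 with FGO in bit 16 and FCYCLE in bits 20:17, FADDR at SPIBAR+0x08). The callback body takes the written operand as a parameter, because the prototype on this page passes only the register context and instruction pointer; how the engine recovers the operand is not shown here.

```c
/* Added example, not DeviceMon's code: a host-side model of two jobs an engine built on
 * PCI_MONITOR_CFG must do, resolving each BAR to a physical MMIO base and classifying the
 * accesses inside an SPI callback. Assumed (and flagged below): constructed config-space
 * images, a 4 KiB window per BAR, and the Intel PCH 100-series SPI register layout. */
#include <stdint.h>
#include <stdbool.h>
#include <string.h>
#include <stdio.h>

#define PCI_BAR_64BIT    0x1     /* same role as the page's flag; value assumed */
#define PCI_CFG_SIZE     256
#define BAR_WINDOW_SIZE  0x1000  /* assumption: one 4 KiB window per BAR */

typedef struct {
    uint8_t  bus, dev, func;
    uint8_t  bar_offset[6];      /* config-space offset of each BAR dword */
    uint8_t  bar_count;
    uint8_t  bar_flags[6];       /* PCI_BAR_64BIT per BAR */
    uint64_t bar_base[6];        /* filled in by resolve_bars() */
} monitor_cfg_t;

static uint32_t cfg_read32(const uint8_t *cfg, unsigned off)
{   /* x64 and PCI config space are both little-endian */
    uint32_t v = 0;
    if (off <= PCI_CFG_SIZE - 4) memcpy(&v, cfg + off, sizeof v);
    return v;
}

/* A memory BAR's low nibble holds type bits (bit 0 = I/O space, bits 2:1 = decoder width,
 * bit 3 = prefetchable) that must be masked off; a 64-bit BAR's upper half is the next
 * dword, which the page's config lists as the following BarOffset slot. -1 on an I/O BAR. */
static int resolve_bars(monitor_cfg_t *m, const uint8_t *cfg)
{
    for (unsigned i = 0; i < m->bar_count; i++) {
        uint32_t lo = cfg_read32(cfg, m->bar_offset[i]);
        if (lo & 0x1) return -1;       /* I/O space: nothing to trap through EPT */
        uint64_t base = lo & ~0xFULL;
        if (m->bar_flags[i] & PCI_BAR_64BIT)
            base |= (uint64_t)cfg_read32(cfg, m->bar_offset[i + 1]) << 32;
        m->bar_base[i] = base;
    }
    return 0;
}

/* SPI registers relative to SPIBAR (assumed PCH 100-series layout; check your datasheet). */
#define SPI_HSFSTS_CTL    0x04                  /* HW sequencing flash status/control */
#define SPI_FADDR         0x08                  /* flash address for the next cycle */
#define HSFSTS_FGO        (1u << 16)            /* flash cycle GO */
#define HSFSTS_FCYCLE(v)  (((v) >> 17) & 0xF)   /* 0 = read, 2 = write, 3/4 = erase */

typedef struct {
    uint32_t last_faddr, prev_faddr;
    unsigned read_cycles, ascending_reads;
    uint64_t last_ip;                /* RIP of the instruction that kicked the last cycle */
} spi_state_t;

/* Body of an SPI MMIO callback. `value` is the operand the engine recovered for the access;
 * the page's prototype passes the register context and RIP, not the operand, so that step
 * is left to the engine here. Returns true when the write kicks off a flash cycle. */
static bool spi_on_access(spi_state_t *st, uint64_t spibar, uint64_t mmio_addr,
                          uint64_t ip, bool is_write, uint32_t value)
{
    uint64_t off = mmio_addr - spibar;
    if (!is_write || off >= BAR_WINDOW_SIZE) return false;
    if (off == SPI_FADDR) { st->last_faddr = value; return false; }
    if (off != SPI_HSFSTS_CTL || !(value & HSFSTS_FGO)) return false;
    st->last_ip = ip;
    if (HSFSTS_FCYCLE(value) == 0) {   /* hardware-sequenced read */
        if (st->read_cycles++ > 0 && st->last_faddr > st->prev_faddr) st->ascending_reads++;
        st->prev_faddr = st->last_faddr;
    }
    return true;
}

/* Reads marching up the flash address space are what a ROM dump looks like; threshold arbitrary. */
static bool spi_looks_like_dump(const spi_state_t *st) { return st->ascending_reads >= 3; }

/* Constructed config image with one BAR at 0x10 (upper dword at 0x14 when is64), resolved
 * the way the page's SPI (32-bit) and ME (PCI_BAR_64BIT) configs describe them. */
static uint64_t demo_resolve_bar(uint32_t lo, uint32_t hi, bool is64)
{
    uint8_t cfg[PCI_CFG_SIZE] = {0};
    memcpy(cfg + 0x10, &lo, 4);
    memcpy(cfg + 0x14, &hi, 4);
    monitor_cfg_t m = { .bar_offset = {0x10, 0x14}, .bar_count = 1,
                        .bar_flags = { is64 ? PCI_BAR_64BIT : 0 } };
    return resolve_bars(&m, cfg) == 0 ? m.bar_base[0] : 0;
}

/* Constructed trace: FADDR stepped 0x0..0xC0 in 0x40 strides, each followed by a read GO,
 * then one status read the callback must ignore. Returns the number of cycles seen. */
static unsigned demo_spi_dump_trace(spi_state_t *st)
{
    const uint64_t spibar = 0xFE010000ull, rip = 0xFFFFF80012345678ull;
    unsigned cycles = 0;
    memset(st, 0, sizeof *st);
    for (uint32_t a = 0; a < 0x100; a += 0x40) {
        spi_on_access(st, spibar, spibar + SPI_FADDR, rip, true, a);
        cycles += spi_on_access(st, spibar, spibar + SPI_HSFSTS_CTL, rip, true, HSFSTS_FGO);
    }
    spi_on_access(st, spibar, spibar + SPI_HSFSTS_CTL, rip, false, 0);
    return cycles;
}

int main(void)
{
    spi_state_t st;
    unsigned cycles = demo_spi_dump_trace(&st);
    printf("SPIBAR=%#llx\n", (unsigned long long)demo_resolve_bar(0xFE010000u, 0, false));
    printf("flash cycles=%u, looks like dump=%d\n", cycles, (int)spi_looks_like_dump(&st));
    return 0;
}
```

In a real callback the operand has to come from the guest state the prototype does supply (Context and InstPointer), and the recorded RIP is what lets you attribute a suspicious cycle to a loaded driver rather than just to "something wrote FGO".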

Windows 10 RS4 Test demo

A demo captured a malware sample that begins its attack by dumping the SPI flash ROM. As the figure below shows, a comparison of the two dumped binaries finds no difference: having the VMM in the middle has no effect on the SPI flash contents the attacker reads back, so the monitoring is transparent to the monitored driver.

  • Figure: SPI Device Monitoring

Besides capturing malicious behavior, DeviceMon is also a useful helper for analyzing device driver protocols. :)

Requests for monitoring more devices are welcome. Please feel free to contact me via [email protected] / [email protected] or open an issue directly.

Contributors

  • kelvinmsft
