A forum for reverse engineering, OS internals and malware analysis 

Discussion on reverse-engineering and debugging.
 #25417  by KeBugCheck
 Sat Mar 07, 2015 5:08 pm
TETYYSs wrote:hook NtGdiCreateCompatibleDC when parameter is null?
It's possible, but according to their patch notes, it is more than that. NtGdiCreateCompatibleDC should only be relevant when capturing with GDI, no?

According to KAV:
Protection against unauthorized capture of screenshots in the Safe Money mode has been improved. The Hypervisor, DirectX®, and OpenGL technologies are used to enhance protection against screenshots.
They might do hooking for DirectX and OpenGL... but they still differentiate and say they use the hypervisor.
 #25421  by feryno
 Mon Mar 09, 2015 2:52 pm
2 methods to obtain a screenshot are known to me theoretically

sending key event VK_SNAPSHOT, OpenClipboard, GetClipboardData, CloseClipboard
get screen DC, create compatible DC, create device independent bitmap, select the bitmap to DC, BitBlt from screen DC to compatible DC, ...

If you can strip some useful code from real malware obtaining screenshots and post it here I may think about methods of detecting such behavior using hypervisor.

I disassembled klhk.sys but I was interested only in the hypervisor part, which is only about 10% of the driver. I've seen its hypervisor part is watching the OS at the point where code execution switches from ring3 to ring0. Kaspersky certainly wanted to avoid installing hooks as much as possible (hooks are a bad idea, especially on the x64 version), so they used a hypervisor instead of hooks, which is a transparent way.
I've also seen klhk.sys is doing something with KeAddSystemServiceTable but I was not interested in this part.
 #25422  by EP_X0FF
 Mon Mar 09, 2015 5:08 pm
feryno wrote:2 methods to obtain a screenshot are known to me theoretically

sending key event VK_SNAPSHOT, OpenClipboard, GetClipboardData, CloseClipboard
get screen DC, create compatible DC, create device independent bitmap, select the bitmap to DC, BitBlt from screen DC to compatible DC, ...

If you can strip some useful code from real malware obtaining screenshots and post it here I may think about methods of detecting such behavior using hypervisor.
If we take financial trojans as main targets of this protection we can look on Carberp or Zeus methods as generic for the rest of malware of the same type.

Carberp
http://pastebin.com/raw.php?i=0J2zvLw6, see Make routine

Zeus
http://pastebin.com/raw.php?i=pdeBD0UM

So it is trivial BitBlt in most cases. Probably some extra methods related to keyboard key press emulation, hmm and maybe GetPixel, NtUserPrintWindow (user32!PrintWindow).
 #25427  by feryno
 Tue Mar 10, 2015 12:20 pm
EP_X0FF, thanks for the samples.

From the second link, I briefly debugged gdi32.dll CreateDCW on Win 7.1 x64 with params
CreateDCW(L"DISPLAY", NULL, NULL, NULL);
gdi32.dll just copied the unicode string and then immediately called kernel mode (service number 10DAh on the above OS version).
Right at the moment when code leaves ring3 and attempts to enter kernel mode it is possible to use a hypervisor to watch this attempt, compare whether the string is "DISPLAY" and deny the system service (e.g. immediately return back to ring3 with an error, which is zero in this situation, instead of allowing ring0 to continue and execute the kernel service).

From the first link, I debugged ring3 user32.dll GetWindowDC on the same OS and it was even less work: it immediately called kernel mode service number 1064h. At that point again, the hypervisor may detect the switch from ring3 to ring0 and deny the service by immediately returning back to ring3 with return value = 0.

There is even no need to worry about later steps like BitBlt; screenshot attempts may be discarded at the first step, which is obtaining the DC of the display or active window.

I'm also curious whether it is possible to use VK_SNAPSHOT to obtain screenshots (I guess theoretically it is also possible, but I didn't try it in reality). But again it certainly needs to execute some kernel service, and at that point the hypervisor may deny such an attempt.
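The filter feryno sketches above, written out as a runnable model (an added example, not code from the thread or from klhk.sys): the hypervisor sees the guest registers at the SYSCALL instruction, matches the service number in eax, and for the CreateDCW service reads the first argument out of guest memory to check for "DISPLAY". On a deny it rewrites rax to 0 and points rip at the user return address that SYSCALL left in rcx, so the caller simply sees a NULL HDC. The service numbers 10DAh and 1064h are the Windows 7 x64 values from the post; that the first argument is a pointer to a UNICODE_STRING, the flat guest-memory model, and the `trusted` flag (EP_X0FF's whitelist idea, so the vendor's own browser can still capture) are assumptions made for this example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Service numbers the post reports for Windows 7 x64. The thread does not name
 * the Nt* services behind them, so they are labelled by the ring3 caller. */
#define SVC_CREATEDCW_W7X64    0x10DAu  /* entered by gdi32!CreateDCW    */
#define SVC_GETWINDOWDC_W7X64  0x1064u  /* entered by user32!GetWindowDC */

/* Guest registers as the VMM sees them at the SYSCALL instruction. The ntdll
 * stub has already moved the first argument rcx -> r10; SYSCALL itself has
 * saved the user return RIP in rcx and RFLAGS in r11. */
struct guest_regs { uint64_t rax, rcx, r10, r11, rip; };

/* x64 UNICODE_STRING layout (assumed to be the first argument of the CreateDC
 * service, matching the post's "gdi32 just copied the unicode string"). */
struct unicode_string { uint16_t Length, MaximumLength; uint32_t pad; uint64_t Buffer; };

/* Toy guest address space: guest VA == offset into one flat buffer. A real VMM
 * would translate through the guest page tables (and EPT/NPT) instead. */
struct guest_mem { uint8_t *base; size_t size; };

enum verdict { SVC_PASS = 0, SVC_DENY = 1 };

static bool guest_read(const struct guest_mem *m, uint64_t gva, void *out, size_t len)
{
    if (gva > m->size || len > m->size - gva) return false;   /* unmapped */
    memcpy(out, m->base + gva, len);
    return true;
}

static uint16_t ascii_upper(uint16_t c) { return (c >= 'a' && c <= 'z') ? c - 32 : c; }

/* Does the UNICODE_STRING at us_gva equal the ASCII literal, case-insensitively?
 * Unreadable guest memory counts as "not equal": the kernel would reject such a
 * call itself, so the filter fails open instead of guessing. */
static bool unicode_equals(const struct guest_mem *m, uint64_t us_gva, const char *ascii)
{
    struct unicode_string us;
    size_t n = strlen(ascii);
    if (!guest_read(m, us_gva, &us, sizeof us) || us.Length != 2 * n) return false;
    for (size_t i = 0; i < n; i++) {
        uint16_t wc;
        if (!guest_read(m, us.Buffer + 2 * i, &wc, sizeof wc)) return false;
        if (ascii_upper(wc) != ascii_upper((uint8_t)ascii[i])) return false;
    }
    return true;
}

/* The decision taken at the ring3->ring0 transition. On SVC_DENY the registers
 * are rewritten so the guest resumes in ring3 as if the service returned NULL. */
enum verdict filter_syscall(struct guest_regs *r, const struct guest_mem *m, bool trusted)
{
    bool block = false;
    if (!trusted) {                        /* whitelist, e.g. the vendor's own browser */
        switch (r->rax) {
        case SVC_CREATEDCW_W7X64:   block = unicode_equals(m, r->r10, "DISPLAY"); break;
        case SVC_GETWINDOWDC_W7X64: block = true; break;
        default: break;
        }
    }
    if (!block) return SVC_PASS;           /* let the kernel service run */
    r->rax = 0;                            /* HDC == NULL */
    r->rip = r->rcx;                       /* SYSRET semantics: resume right after SYSCALL */
    return SVC_DENY;
}

/* Build a constructed guest image holding a UNICODE_STRING for `device` at
 * guest VA 0 (text at 0x100) and push one syscall through the filter. */
enum verdict simulate(uint64_t svc, const char *device, bool trusted, struct guest_regs *r)
{
    static uint8_t image[0x200];
    struct guest_mem m = { image, sizeof image };
    size_t n = strlen(device);
    struct unicode_string us = { (uint16_t)(2 * n), (uint16_t)(2 * n + 2), 0, 0x100 };
    memset(image, 0, sizeof image);
    memcpy(image, &us, sizeof us);
    for (size_t i = 0; i < n; i++) { uint16_t wc = (uint8_t)device[i]; memcpy(image + 0x100 + 2 * i, &wc, 2); }
    *r = (struct guest_regs){ .rax = svc, .rcx = 0x7ff600401234ULL, .r10 = 0, .r11 = 0x246, .rip = 0 };
    return filter_syscall(r, &m, trusted);
}

int main(void)
{
    struct guest_regs r;
    printf("CreateDCW(\"DISPLAY\"): %s\n", simulate(SVC_CREATEDCW_W7X64, "DISPLAY", false, &r) ? "deny" : "pass");
    printf("CreateDCW(\"PRINTER\"): %s\n", simulate(SVC_CREATEDCW_W7X64, "PRINTER", false, &r) ? "deny" : "pass");
    printf("GetWindowDC:           %s\n", simulate(SVC_GETWINDOWDC_W7X64, "", false, &r) ? "deny" : "pass");
    return 0;
}
```

Two practitioner details worth noting: the string check is case-insensitive because the display driver name is matched that way by the OS, and a first argument the VMM cannot read is passed through rather than denied, since any other policy turns an unmapped pointer into a way to probe the filter. The whitelist decision (`trusted`) would in practice be keyed on the current process, which the VMM can identify from CR3.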
 #25428  by Vrtule
 Tue Mar 10, 2015 12:37 pm
Hello,

does Kaspersky hypervisor allow other software utilizing HW virtualization, such as VMWare or Virtualbox, to run? Or are there any problems related to the topic of running multiple "hypervisors" on the same machine?
 #25429  by EP_X0FF
 Tue Mar 10, 2015 1:51 pm
feryno wrote:Right at the moment when code leaves ring3 and attempts to enter kernel mode it is possible to use a hypervisor to watch this attempt, compare whether the string is "DISPLAY" and deny the system service (e.g. immediately return back to ring3 with an error, which is zero in this situation, instead of allowing ring0 to continue and execute the kernel service).

From the first link, I debugged ring3 user32.dll GetWindowDC on the same OS and it was even less work: it immediately called kernel mode service number 1064h. At that point again, the hypervisor may detect the switch from ring3 to ring0 and deny the service by immediately returning back to ring3 with return value = 0.

There is even no need to worry about later steps like BitBlt; screenshot attempts may be discarded at the first step, which is obtaining the DC of the display or active window.

I'm also curious whether it is possible to use VK_SNAPSHOT to obtain screenshots (I guess theoretically it is also possible, but I didn't try it in reality). But again it certainly needs to execute some kernel service, and at that point the hypervisor may deny such an attempt.
Interesting. Do you think they filter syscalls this way? This will probably break screenshotting for all apps, while their product provides this feature as part of the "protected browser". Well, they can use a whitelist.

I'm asking because the last time I looked at KAV was maybe 5-6 years ago, when nothing like HV stuff was on board. Btw, is any syscall filtering HV example available?

edit: I missed the initial post
KeBugCheck wrote:all print-screens produce no capture (just black).
Seems they indeed broke screenshotting system-wide.
 #25474  by feryno
 Tue Mar 17, 2015 9:49 am
@Vrtule
no, Kaspersky klhk.sys does not support nested virtualization; it does only minimal interaction with the running OS. Only about 10% of klhk.sys contains hypervisor code (both Intel + AMD together), e.g. it must protect some bits in CR0, CR4, protect some MSRs, and on execution of cpuid with input eax=1 the returned value in ECX bit 5 must be zeroed to say VMX is not present (so no other hypervisor attempts to start; if they supported nested virtualization they could leave this bit unmodified)

@EP_X0FF
yes, exactly, Kaspersky uses a hypervisor to watch syscalls in the x64 version of the OS without hooking the kernel (I didn't look into the 32 bit klhk.sys version, I was interested only in x64)
The advantage is not to attract PatchGuard's attention and the disadvantage is that syscall numbers (the value in eax at syscall execution) are different for various versions of the OS. They very probably extracted these magic numbers manually and compiled the hypervisor to support OS versions with extracted syscall numbers; maybe in future someone evolves that into some automated way, something like:
[0] cmd to the hypervisor to record the first upcoming syscall number,
[1] call the ring3 ntdll.Nt... of interest (maybe even with wrong input params in a way that the Nt... service fails, that does not matter),
[2] cmd to the hypervisor that it should stop recording, save the first recorded number and assign this number to the Nt... service,
and repeat steps [0], [1], [2] for all Nt... services needed to be monitored (the main problem with syscall trapping using a hypervisor is to know which eax number means which Nt... service)
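An alternative to the record-and-replay loop feryno proposes, added here as an example (not code from the thread or from any vendor): instead of asking the hypervisor to capture the next eax, a ring3 helper can read the service number straight out of each Nt* export's stub bytes, because x64 stubs start with `mov r10,rcx ; mov eax,imm32` and reach a `syscall` within a few bytes. The decoder below accepts the Windows 7 shape and the Windows 10 shape (which tests a flag at 7FFE0308h before choosing between `syscall` and `int 2Eh`) and refuses anything else, so a hooked or non-stub export never yields a bogus number. The export names and stub bytes are constructed sample data; 10DAh and 1064h are reused from the post only as sample values. The table-index helper reflects the documented encoding of the service number, where bits 12-13 select the service table (0 = ntoskrnl, 1 = win32k), which is why the win32k numbers in the thread all start at 1000h.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* One exported ring3 stub, as a loader hands it over after walking the DLL
 * export directory. Names and bytes below are constructed for this example. */
struct export_stub { const char *name; const uint8_t *code; size_t len; };

/* Windows 7 shape:  mov r10,rcx ; mov eax,10DAh ; syscall ; ret */
static const uint8_t stub_w7[] = { 0x4C,0x8B,0xD1, 0xB8,0xDA,0x10,0x00,0x00, 0x0F,0x05, 0xC3 };
/* Windows 10 shape: mov r10,rcx ; mov eax,1064h ; test byte ptr [7FFE0308h],1 ;
 *                   jne +3 ; syscall ; ret ; int 2Eh ; ret */
static const uint8_t stub_w10[] = { 0x4C,0x8B,0xD1, 0xB8,0x64,0x10,0x00,0x00,
    0xF6,0x04,0x25,0x08,0x03,0xFE,0x7F,0x01, 0x75,0x03, 0x0F,0x05, 0xC3, 0xCD,0x2E, 0xC3 };
/* An ordinary exported function, not a stub: xor eax,eax ; ret */
static const uint8_t not_a_stub[] = { 0x33,0xC0, 0xC3 };
/* A stub whose prologue was overwritten by an inline hook: jmp rel32 ... */
static const uint8_t hooked[] = { 0xE9,0x00,0x00,0x00,0x00, 0x0F,0x05, 0xC3 };

static const struct export_stub exports[] = {
    { "NtExampleOpenDisplay", stub_w7,    sizeof stub_w7    },
    { "NtExampleGetWindowDC", stub_w10,   sizeof stub_w10   },
    { "NtExampleNotAStub",    not_a_stub, sizeof not_a_stub },
    { "NtExampleHooked",      hooked,     sizeof hooked     },
};

/* Service number encoded in an x64 Nt* stub, or -1 if the bytes do not look
 * like an intact stub. The immediate is little-endian at offset 4. */
long stub_service_number(const uint8_t *code, size_t len)
{
    static const uint8_t prologue[] = { 0x4C,0x8B,0xD1, 0xB8 };  /* mov r10,rcx ; mov eax, */
    if (len < sizeof prologue + 4 + 2) return -1;
    if (memcmp(code, prologue, sizeof prologue) != 0) return -1;
    uint32_t imm = (uint32_t)code[4] | (uint32_t)code[5] << 8
                 | (uint32_t)code[6] << 16 | (uint32_t)code[7] << 24;
    /* A SYSCALL (0F 05) must follow within the few bytes known stub shapes use. */
    for (size_t i = 8; i + 1 < len && i < 8 + 16; i++)
        if (code[i] == 0x0F && code[i + 1] == 0x05) return (long)imm;
    return -1;
}

/* Name -> service number over the constructed export table. */
long service_number_of(const char *name)
{
    for (size_t i = 0; i < sizeof exports / sizeof exports[0]; i++)
        if (strcmp(exports[i].name, name) == 0)
            return stub_service_number(exports[i].code, exports[i].len);
    return -1;
}

/* Bits 12-13 of the service number select the table: 0 ntoskrnl, 1 win32k. */
int service_table_index(long num) { return (int)((num >> 12) & 3); }

int main(void)
{
    for (size_t i = 0; i < sizeof exports / sizeof exports[0]; i++) {
        long n = service_number_of(exports[i].name);
        if (n < 0) printf("%-22s  not a usable stub\n", exports[i].name);
        else       printf("%-22s  eax=%04lXh  table=%d\n", exports[i].name, n, service_table_index(n));
    }
    return 0;
}
```

Resolving the numbers this way at startup, from the ntdll/user32/gdi32 images of the machine the driver is actually running on, removes the per-OS-version table that feryno identifies as the weak point; the hypervisor then only needs the resulting name-to-number map handed down once. The refusal on a patched prologue matters in the same setting, since a stub rewritten by another product would otherwise feed the filter a wrong number silently.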