HyperLeech: Stealthy System Virtualization with Minimal Target Impact through DMA-Based Hypervisor Injection


Ralph Palutke, Simon Ruderich, Matthias Wild, and Felix Freiling, Friedrich-Alexander-Universität Erlangen-Nürnberg


In the recent past, malware began to incorporate anti-forensic techniques in order to hinder analysts from gaining meaningful results. Consequently, methods that allow the stealthy analysis of a system became increasingly important. In this paper, we present HyperLeech, the first approach which uses DMA to stealthily inject a thin hypervisor into the memory of a target host, transparently shifting its operation into a hardware-accelerated virtual machine. For the code injection, we make use of external PCILeech hardware to enable DMA to the target memory. Combining the advantages of hardware-supported virtualization with the benefits provided by DMA-based code injection, our approach can serve analysts as a stealthy and privileged execution layer that enables powerful live forensics and atomic memory snapshots for already running systems. Our experiments revealed that HyperLeech is sufficient to virtualize multi-core Linux hosts without causing significant impact on a target’s processor and memory state during its installation, execution, and removal. Although our approach might be misused for malicious purposes, we conclude that it provides new knowledge to help researchers with the design of stealthy system introspection techniques that focus on preserving a target system’s state.

Open Access Media

USENIX is committed to Open Access to the research presented at our events. Papers and proceedings are freely available to everyone once the event begins. Any video, audio, and/or slides that are posted after the event are also free and open to everyone. Support USENIX and our commitment to Open Access.

@inproceedings {259701,
author = {Ralph Palutke and Simon Ruderich and Matthias Wild and Felix Freiling},
title = {{HyperLeech}: Stealthy System Virtualization with Minimal Target Impact through {DMA-Based} Hypervisor Injection},
booktitle = {23rd International Symposium on Research in Attacks, Intrusions and Defenses (RAID 2020)},
year = {2020},
isbn = {978-1-939133-18-2},
address = {San Sebastian},
pages = {165--179},
url = {https://www.usenix.org/conference/raid2020/presentation/palutke},
publisher = {USENIX Association},
month = oct