SBC 2012 - Malware Memory Forensics (Nguyễn Chấn Việt)

SECURITY BOOTCAMP 2012 | Make yourself to be an expert!

1

2

Malware Memory Forensic
Nguyễn Chấn Việt | vietwow@gmail.com


2
Who am I
Senior Security Researcher
+4 years in Information Security. Focusing on
2
Malware Analysis and Exploit Development
Twitter : https://twitter.com/vietwow


3
Agenda
Why Memory Forensics?
What is Memory Forensics?
2
Our approach : Rootkit Detection
Windows Platform
Linux Platform
Real-world Malwares


Why4 Memory Forensics ?
In past, Forensic Analysis = File System
Forensic 2

Why memory forensics ?
Malware Analysis
Incident Respone (IR)

HOT Topic for researchers


Why5 Memory Forensics ?
Everything in the OS traverses RAM
•Processes and threads
•Malware (including rootkit technologies)
2
•Network sockets, URLs, IP addresses
•Open files
•User generated content
Passwords, caches, clipboards
•Encryption keys
•Hardware and software configuration
•Windows registry keys and event logs


Memory Forensics Questions…
6
What processes were running on the suspect system at
the time memory image was taken?
What (hidden or closed) 2processes existed?
Are there any (hidden or closed) network connections?
Are there any (hidden or closed) sockets?
What is the purpose and intent of the suspected file?
Are there any suspicious DLL modules?
Are there any suspicious URLs or IP addresses
associated with a process?


7
Are there any suspicious open files associated with a
process?
Are there any closed or hidden files associated with any
2
process?
Are there any suspicious strings associated with a
particular process?
Are there any suspicious files present? Can you extract
them?
Can you extract malicious processes from the memory
and analyze it?


8
Can you identify the attackers and their IP addresses?
Did the attacker create a user account on the system?
Did the malware modify 2 add any registry entry?
or
Does the malware use any type of hooks to hide itself?
Did the malware inject itself to any running processes?
What is the relationship between different processes?
What is the intent and purpose of this malware?


What 9is Memory Forensics?
Là kỹ thuật/quá trình phân tích dấu vết dựa trên
memory (RAM) của 1 hệ thống
2
Bao gồm physical memory (RAM) và Page File/Swap


Memory Acquisition
10
Winen (Guidance Software)
FastDump Pro (HB Gary) - Limited Free version
available 2

FTK Imager - Free
DD Free but limited - May not work on later versions of
Windows
WinHex - Has some limitations
Nigilant32 - Free but for 32-bit systems only
Memoryze (Mandiant) - Free


Virtual Machine Memory Acquisition
11

2


Memory Forensic Tools
Volatility 12

https://www.volatilesystems.com/default/volatility
Free & Open Source
2
Mandiant Redline
http://www.mandiant.com/resources/download/redline/
Free

HBGary Responder
http://www.hbgary.com/responder-pro-2
$$$ - Pro
Community Edition available


13
Volatility
An advanced memory forensics framework
OpenSource
2
Written by Python
Primarily Windows-focused
Linux (Android) & Mac support now available
Modular, portable

Main reason why I’m here :D


14
Volatility
Volatility supports the following extraction capabilities for memory images:
Image date and time
Running processes
2
Open network sockets
Open network connections
DLLs loaded for each process
Open files for each process
Open registry keys for each process
Memory maps for each process
Extract executable samples
Scanning examples: processes, threads, sockets, connections, modules


15

2

General checking


16

2

Windows Platform


17
Volatility
pslist
List the processes of a system. This walks the doubly-
linked list pointed to by 2
PsActiveProcessHead. It does
not detect hidden or unlinked processes.


18
Volatility
connections
To view the active connections
2


19
Volatility
dlllist
Print all loaded DLLs
2


20
Volatility
svcscan
List Windows services
2


21

2

Linux Platform


22
Volatility
linux_lsmod
Print all loaded modules
2


23

2

Rootkit Dection


24

2

[1] Windows Platform


25

2

[1.1] DLL Injection


Normal DLL Interaction
26

2


Injected DLL Interactopn
27

2


28
DLL Injection
DLL Injection là kỹ thuật rất phổ biến được sử dụng bởi
malware
2
VirtualAllocEx( ) và CreateRemoteThread( )
SetWindowsHookEx( )


DLL Injection Detection
29
ldrmodules
 Là module để detect DLL Injection
2
 Trong mỗi process, các DLL sẽ được track trong 3
linked-list
 Stealthy malware sẽ unlink dll của chúng trong các
linked-list này
 Plugin này sẽ query các linked-list này và hiển thị
thông tin để ta có thể so sánh


30

2

[1.2] Usermode & Kernelmode Hooking


Levels31 Access in Windows
of
 Ring 3 – User Land
 User
 Administrator 2
 System

 Ring 0 – Kernel Land
 Drivers


32
OS Internals
• Readfile() called on File1.txt
• Transition to Ring 0
• NtReadFile() processed
2 • I/O Subsystem called
• IRP generated

• Data at File1.txt requested from
ntfs.sys

• Data on D: requested from dmio.sys

• Data on disk 2 requested from
disk.sys


33
OS Internals
• Binary replacement eg modified Exe
or Dll

2 • Binary modification in memory eg
He4Hook

• User land hooking eg Hacker
Defender
• IAT hooking


34
OS Internals
• Kernel Hooking
• E.g. NtRootkit

2 • Driver replacement
• E.g. replace ntfs.sys with ntfss.sys

• Direct Kernel Object Manipulation –
DKOM
• E.g. Fu, FuTo


35
OS Internals
• IO Request Packet (IRP) Hooking
• IRP Dispatch Table

2
• E.g. He4Hook (some versions)


36
OS Internals
• Filter Drivers
• The official Microsoft method
• Types
2 • File system filter
• Volume filter
• Disk Filter
• Bus Filter
•
• E.g. Clandestine File System Driver
(CFSD)


Current Rootkit Capabilities
37
Hide processes
Hide files
Hide registry entries 2
Hide services
Completely bypass personal firewalls
Undetectable by anti virus
Remotely undetectable
Covert channels - undetectable on the network
Defeat cryptographic hash checking
Install silently
All capabilities ever used by viruses or worms


38

2

[1.2.1] Usermode Hooking


Windows39GUI Subsystem Hooking
Malware có thể dùng SetWindowsHookEx để intercept
các window message
2


Windows GUI Hooking Detection
40
messagehooks
 Là module để detect Windows GUI Hooking
2


41
IAT Hooking
Hook vào IAT Table
của process

2


42
IAT Hooking
IAT Hook

2


43
IAT Hooking
void hookFunction( PVOID * thunk, HookedFunction & hookedFunction )
{
MEMORY_BASIC_INFORMATION mbi;

//The IAT is marked as read-only memory so we mark it as read-write for the update.
2
ZeroMemory( &mbi, sizeof( MEMORY_BASIC_INFORMATION ) );
SIZE_T s = VirtualQuery( thunk, &mbi, sizeof( MEMORY_BASIC_INFORMATION ) );

BOOL b = VirtualProtect(mbi.BaseAddress, mbi.RegionSize,
PAGE_READWRITE, &mbi.Protect );

if ( hookedFunction.RealFunction == 0 )
{
hookedFunction.RealFunction = *thunk;
}
*thunk = hookedFunction.HookFunction;

DWORD oldProtect;
VirtualProtect(mbi.BaseAddress, mbi.RegionSize, mbi.Protect, &oldProtect);
}


Inline Hooking
44

Thay đổi các byte (thường là 5) đầu tiên của chương
trình
2


Usermode Hooking Detection
45
apihooks
 Là module để detect IAT Hook và Inline Hook
2


46

2

[1.2.2] Kernelmode Hooking


SSDT Hooking
47

Hook vào SSDT Table

2


SSDT Hooking
48

2


SSDT Hooking
49

2


SSDT Hooking
• Hook the call when the device is created
50

NTSTATUS Create(PDEVICE_OBJECT DeviceObject,PIRP Irp)
{
NTSTATUS status = STATUS_SUCCESS;
if ( !CanWriteToSSDT() ) 2
{
//Change the read-only SSDT memory block to read/write
EnableWritingToSSDT();

OldZwQuerySystemInformation = (ZWQUERYSYSTEMINFORMATION)InterlockedExchange(
(PLONG)&g_MappedSystemCallTable[0xAD],
(LONG) NewQuerySytemInformation);

}

Irp->IoStatus.Status = status;
IoCompleteRequest(Irp,IO_NO_INCREMENT);
return status;
}


Kernelmode Hooking Detection
51
ssdt_ex
 Là module để detect SSDT và Inline Hook
2


52
Others
IDT(Interrupt Descriptor Table) Hooking
Sử dụng module “idt” để detect

SYSENTER / SDT Hooking 2

Hooking SST (KiServiceTable)

Hooking KiSystemService

IRP Hooking
Sử dụng module “driverirp” để detect

=> not enough time to cover all 


53

2

[1.3] Process Hiding


54
DKOM
Thay đổi cấu trúc EPROCESS để unlink process cần
hide
Ngoài việc hide process, 2
DKOM còn có thể sử dụng
để :
Add Privileges to Tokens
Add Groups to Tokens
Manipulate the Token to Fool the Windows Event Viewer
Hide Ports
Hide drivers
=> FU là rootkit sử dụng kỹ thuật này


EPROCESS Linked List
55

2


EPROCESS Linked List
56

2


Rootkit Detection
57
psxview (FU Rootkit)
2


58

2

[1.4] Driver Hiding


59
Driver Hiding
Rootkit sẽ sử dụng kỹ thuật DKOM unlink nó ra khỏi
list of loaded module của kernel
2


Hiding the Kernel Module Detection
60
modscan
 Là module để detect hiding kernel module
2


61

2

[2] Linux Platform


62

2

[2.1] Hiding the Kernel Module


Hiding the Kernel Module
63

Rootkit thường tìm cách “giấu” bản thân bằng cách
unlink nó ra khỏi linked-list loaded kernel modules
2
List này được export thông qua /proc/modules (lsmod
chính là đọc từ list này và show ra)


Hiding the Kernel Module Detection
64
linux_check_modules
 Là module để detect hiding kernel module
2
 Hoạt động dựa trên sysfs để tìm các module đã bị
remove ra khỏi module list nhưng vẫn đang active
 sysfs là 1 kernel to userland interface, giống như
/proc, export các info & statistics của kernel


65

2

[2.2] Hooking System Call Table


Hooking System Call Table
66

System call là cơ chế để userland code có thể trigger
event handling ở kernel
2
Giống API trên Windows
Được quản lý bởi System call table
System call table là 1 array các function pointer. Mỗi 1
function pointer sẽ tương ứng với 1 syscall handler (vd :
sys_read sẽ handle read system call)
Rootkit thường sẽ focus vào việc overwrite table này


Hooking System Call Table Detection
67
linux_check_syscall
 Là module để detect System Call Table Hooking
2
 Hoạt động dựa trên cơ chế là enumerate và verify
từng entry trong System Call Table


68

2

[2.3] Hiding Network Connections


Hiding Network Connections
69

Hook vào cấu trúc “tcp4_seq_afinfo”, thay đổi member
“show”
2


Hiding Network Connections Detection
70
linux_check_afinfo
 Là module để detect hiding network connection
2
 Hoạt động dựa trên cơ chế là duyệt cấu trúc
“file_operations” và “sequence_operations” của tất cả
cấu trúc UDP and TCP protocol


71

2

[2.4] Hiding Processes


Hiding Processes
72

Phương pháp 1 :
Linux kernel chứa 1 array các cấu trúc task_struct
2
Cấu trúc task_struct giống như EPROCESS trên Windows
task_struct bao gồm 2 pointer là prev_run và next_run trỏ tới
process trước và sau nó tương ứng
Để hide process, ta chỉ cần unlink process ra khỏi list prev_task
và next_task này


Hiding Processes
73
task_array

PID PID PID PID
Process 0 2 1901

State State State State

*next_task *next_task *next_task *next_task
*prev_task *prev_task *prev_task *prev_task
*next_run *next_run *next_run *next_run
*prev_run *prev_run *prev_run *prev_run

*p_pptr
(null) *p_pptr *p_pptr *p_pptr
*p_cptr *p_cptr *p_cptr
*p_cptr *p_ysptr *p_ysptr *p_ysptr
*p_ysptr *p_osptr *p_osptr *p_osptr
*p_osptr

... ... ... ...

... ... ... ...


Hiding Processes
74
task_array

PID PID PID
1901 Process 0
2
State State State

*next_task *next_task *next_task
*prev_task *prev_task *prev_task
*next_run *next_run *next_run
*prev_run *prev_run *prev_run

*p_pptr *p_pptr *p_pptr
*p_cptr *p_cptr *p_cptr
*p_ysptr *p_ysptr *p_ysptr
*p_osptr *p_osptr *p_osptr

... ... ...

... ... ...


Hiding Processes
75

Phương pháp 2 : Hooking /proc :
Mỗi process sẽ có 1 directory tương ứng trong /proc
2
Để hide process, rookit sẽ hjack hàm “readdir” và filter out tên
process cần


Hiding Processes
76

static inline int fuckit_proc_filldir(void *__buf, const char *name, int namelen, loff_t
offset,
u64 ino, unsigned d_type){
//our hidden PID :)
2
if(!strcmp(name,HIDDEN_PID) || !strcmp(name,KEY)){
return 0;
}
return original_filldir(__buf,name,namelen,offset,ino,d_type);
}

static inline int fuckit_proc_readdir(struct file *filp, void *dirent, filldir_t
filldir){
//save this, we will need to return it later
original_filldir = filldir;
return original_proc_readdir(filp,dirent,fuckit_proc_filldir);
}


Hiding Processes Detection
77
linux_check_fop
 Là module để detect hiding process
2
 Hoạt động dựa trên cơ chế là enumerate /proc
filesystem và rất các opened file, verify từng member
của từng file ops structure là hợp lệ


78

2

Anything else ?


Scan for Registry Artifacts
79

 volatility hivescan -f dumped.vmem
 volatility hivelist -f dumped.vmem -o 0x212cb60
2


Data80
Carving Using Foremost
 Foremost
foremost -c foremost.conf -t exe –i <PID>.dmp -o
2
output3


[3] Real-world Malwares
81

Mixed many concepts :
VirTool:WinNT/Exforel.A
2
TDSS Rookit
Zeus
Stunex / Duqu
Flame


VirTool:WinNT/Exforel.A
82

Là malware implement lại toàn bộ TCP/IP Stack

2


83
TDSS Rootkit
Gồm 4 biến thể :
TDL-1
TDL-2 2
TDL-3
TDL-4


84
Zeus
Là 1 dạng trojan chuyên ăn cắp thông tin trong các công
ty/tập đoàn tài chính
2
Có 1 số tính năng như 1 rootkit


85
Stunex / Duqu
Là 1 dạng worm, gồm 2 phiên bản :
Stunex : focus vào việc phá hủy hạ tầng lò phản ứng hạt nhân (PLC) của Iran
2
Duqu : forcus vào việc ăn cắp thông tin


86
Flame
Còn có tên là sKyWiper
Là malware nổi tiếng nhất gần đây, phức tạp hơn nhiều
2
so với Duqu. Vừa là 1 backdoor, vừa là trojan, và cũng
có những tính năng như 1 worm


87
Comparison

2


88

2

Other cases


Password Keeper
89

Password Keeper is a small utility useful for storing our
frequently used passwords. Password information can
be stored, edited and printed with this easy to use
2

program.
No mention of protection against memory analysis


Password Keeper
90
With volatilty we dump the PasswordKeeper processes

2

And strings our password on it


91
Conclusion
Volatility is a great tool for memory forensic
Want to learn more ?
2
SANS FOR526: Windows Memory Forensics In-Depth
Windows Memory Forensics Training for Analysts by Volatility
Developers


Any Questions ?
92

2


93

Thank you very much !
2

SBC 2012 - Malware Memory Forensics (Nguyễn Chấn Việt)

More Related Content

What's hot (20)

Viewers also liked (20)

Similar to SBC 2012 - Malware Memory Forensics (Nguyễn Chấn Việt) (20)

More from Security Bootcamp (20)

Recently uploaded (20)

SBC 2012 - Malware Memory Forensics (Nguyễn Chấn Việt)