MEMORY ANALYSIS: UNDERSTANDING MALWARES AND INCIDENTS THROUGH THE MEMORY

Size: px

Start display at page:

Download "MEMORY ANALYSIS: UNDERSTANDING MALWARES AND INCIDENTS THROUGH THE MEMORY"

Melanie Carpenter
5 years ago
Views:

1 MEMORY ANALYSIS: UNDERSTANDING MALWARES AND INCIDENTS THROUGH THE MEMORY National Congress of Criminalistics 2017 By Alexandre Borges 1

2 PROFILE AND TOC TOC: Malware and Security Researcher. Consultant, Instructor and Speaker on Malware Analysis, Memory Analysis, Digital Forensics, Rootkits and Software Exploitation. Instructor at Oracle, (ISC)2 and EC-Council. Exinstructor at Symantec. Member of Digital Law and Compliance Committee (CDDC / SP) Member of the CHFI Advisory Board in EC-Council. Reviewer member of the The Journal of Digital Forensics, Security and Law Refereer on Digital Investigation:The International Journal of Digital Forensics & Incident Response Author of Oracle Solaris Advanced Administration book Introduction Memory Acquisition Memory Analysis Example 1 Example 2 Thank you. 2

3 INTRODUCTION 3

4 INTRODUCTION While handling an infection case, we could perform the following approach: Interview and photos of the physical environment Memory acquisition Incident Response commands Disk image acquisition Network packets gathering Analysis Report 4

5 INTRODUCTION Malware Analysis: Basic Static Analysis Basic Dynamic Analysis Memory Analysis Advanced Static and Dynamic Analysis (IDA PRO / RADARE2 + DEBUGGING ring 3 and 0) 5

6 INTRODUCTION Unfortunately, there are several Anti-Forensic techniques that make our analysis more complicated, such as: Anti-VM Anti-Disassembling Packers Instruction Virtualization Anti-debugging Obfuscation 6

7 INTRODUCTION Nevertheless, while working on real incidents, the main question still is: Where is the malware? 7

8 INTRODUCTION Hidden and terminated processes Hidden services Hidden DLLs hidden sockets Kernel modules Internet history Registry keys existing only on the memory Passwords Shell history 8

9 INTRODUCTION flink 101 blink flink 102 blink flink 103 blink flink 101 blink flink 102 blink flink 103 blink

10 INTRODUCTION Listening sockets and established connections. inserted deleted 10

11 INTRODUCTION Why should we use memory forensic analysis? Most time, we don t know where the malware is. Most information that can be recovered from the memory is neither on disk nor network. On the memory, malwares have few protections. Modern malwares operate only on the memory (Duqu 2) 11

12 MEMORY ACQUISTION 12

13 MEMORY ACQUISITION There are interesting sources of information such as: RAM Hibernation Files Crash Dump (complete) Page Files 13

14 MEMORY ACQUISITION Page Files Do you know how to list all pages files from a Windows system? (remember: up to 16 pages files on Windows) Hibernation Files Compressed we need to uncompress it (raw memory no headers and CPU registers/state) Usually it is enabled Sometimes it is not zeroed out after a lapstop resuming. 14

15 MEMORY ACQUISITION Crash Dump It should be a complete memory dump (not kernel memory or small dump). Usually, it does not include device memory region. Usually, it does not include first physical page (MBR). it may be subverted by a malware that registered bug check callback (KeRegisterBugCheckCallback function) 15

16 MEMORY ACQUISITION Excellent tools for Memory Acquisition are: Surge Collect Pro from Volexity (mainly Win10 and Win2016) F-Response KnTDD from KnTTool package (unfortunately, George M. Garner Jr. passed away last July. He was 61.) 16

17 MEMORY ACQUISITION Memoryze FTK Imager Belkasoft Live RAM Capturer MoonSools LiME Linux Memory Extractor Hardware devices 17

18 MEMORY ACQUISITION Acquire memory and other important files by running the following command: E:\dumps> kntdd.exe -v -o win7mem.bin --log -- cryptsum sha_512 --pagefiles --force_pagefiles -- 4gplus --cert alexandre.borges.cer --comp gzip -- case alex001 18

19 MEMORY ACQUISITION Where: -v verbose mode. -o output file. --log sends the log output to a file. --cryptsum generates checksums for image using the specified algorithm. This case we used sha pagefiles acquires system pagefiles. 19

20 MEMORY ACQUISITION --force_pagefiles acquires all system pagefiles including that report zero current and peak usage. --4gplus acquires unmanaged memory above 4 GB. --comp compresses the output (possible values: zlib, gzip, bzip2, lznt1, zlib+, gzip+, lznt1+) --cert digital certificate --case case number 20

21 MEMORY ACQUISITION E:\Dumps\{40D335F2-A504-4A68-97AB-49A8F72F8DA5}\> dir 09/30/ :37 PM 934 win7mem.bin.dumpheader.gz.kpg 09/30/ :37 PM 1,112,025,286 win7mem.bin.gz.kpg 09/30/ :37 PM 7,734 win7mem.log.kpg 09/30/ :37 PM 1,021,030 win7mem.user_system_state.xml.kpg 09/30/ :37 PM 7,558 win7mem.xml.kpg 09/30/ :37 PM <DIR> WINDOWS 21

22 MEMORY ACQUISITION The KnTDD has acquired physical memory dump, page files, log, user system state and hashes. Few critical OS files such as ntoskrnl.exe, ndis.sys, tcpip.sys, etc, are also usually collected. On the forensic workstation, decrypt the files by using the following command: C:\> kntencrypt.exe -v -d --cert alexandre.borges.cer E:\Dumps\{40D335F2-A504-4A68-97AB- 49A8F72F8DA5}\*" 22

23 MEMORY ACQUISITION Uncompress the evidence files by running the following command: C:\> dd.exe -v if= E:\Dumps\{40D335F2-A504-4A68-97AB- 49A8F72F8DA5}\*" of=decompressed\ --decomp gzip -- sparse localwrt Where: if files to be decompressed of directory to save decompressed files --decomp algorithm used to decompress files --sparse files are recompressed using NTFS file compression --localwrt enables writing output to a local fixed drive. 23

24 MEMORY ACQUISITION Using RamCapture by Belkasoft: C:\RamCapturer> dir 09/29/ :29 AM 148,192 RamCapture64.exe 09/29/ :29 AM 13,344 RamCaptureDriver64.sys

25 MEMORY ACQUISITION ALEXANDRE BORGES IT IS NOT ALLOWED TO COPY OR REPRODUCE THIS S LIDE.

26 MEMORY ANALYSYS 26

27 MEMORY ANALYSIS Developed by Michael Ligh, Jamie Levy, Andrew Case and Aaron Walters. Windows, Linux, Mac (32 bits and 64 bits) Four methods to install it: standalone python source code git clone

28 EXAMPLE 1 28

29 MEMORY ANALYSIS EXAMPLE 1 29

30 MEMORY ANALYSIS EXAMPLE 1 30

31 MEMORY ANALYSIS EXAMPLE 1 31

32 MEMORY ANALYSIS EXAMPLE 1 32

33 MEMORY ANALYSIS EXAMPLE 1 root@kali:~# /root/volatility26/vol.py -f /mnt/hgfs/vms/malware1.vmem apihooks 33

34 MEMORY ANALYSIS EXAMPLE 1 When a driver has finished all processing for a given IRP, it calls IoCompleteRequest. The I/O manager checks the IRP to determine whether any higher-level drivers have set up an IoCompletion routine for the IRP. If so, each IoCompletion routine is called, in turn, until every layered driver in the chain has completed the IRP. VOID IoCompleteRequest( _In_ PIRP Irp, _In_ CCHAR PriorityBoost ); 34

35 MEMORY ANALYSIS EXAMPLE 1 35

36 MEMORY ANALYSIS EXAMPLE 1 36

37 MEMORY ANALYSIS EXAMPLE 1 37

38 MEMORY ANALYSIS EXAMPLE 1 root@kali:/tmp# strings -el driver.8643b000.sys \Driver svchost.exe \DosDevices\%s \Device\%s {9DD6AFA B-EDCB A} RulesData 38

39 MEMORY ANALYSIS EXAMPLE 1 39

40 MEMORY ANALYSIS EXAMPLE 1 40

41 MEMORY ANALYSIS EXAMPLE 1 41

42 MEMORY ANALYSIS EXAMPLE 1 42

43 MEMORY ANALYSIS EXAMPLE 1 43

44 MEMORY ANALYSIS EXAMPLE 1 root@kali:~# /root/volatility26/vol.py -f /mnt/hgfs/vms/malware1.vmem rootkitscanner 44

45 MEMORY ANALYSIS EXAMPLE 1 root@kali:~# /root/volatility26/vol.py -f /mnt/hgfs/vms/malware1.vmem svcscan -v grep -B5 -A4 -i hqyigk Offset: 0x38bb98 Order: 280 Start: SERVICE_AUTO_START Process ID: - Service Name: hqyigk Display Name: hqyigk Service Type: SERVICE_KERNEL_DRIVER Service State: SERVICE_STOPPED Binary Path: - ServiceDll: 45

46 MEMORY ANALYSIS EXAMPLE 1 46

47 MEMORY ANALYSIS EXAMPLE 1 We have gotten the driver module for a possible analysis using IDA PRO... 47

48 MEMORY ANALYSIS EXAMPLE 1 Callbacks are a kind of modern hooks because they tell us the kernel module that will be called when an specified event occurs. Additionally, they are safe for multicore systems. For example, PsSetCreateThreadNotifyRoutine indicates a routine that is called every time when a thread starts or ends. 48

49 MEMORY ANALYSIS EXAMPLE 1 49

50 MEMORY ANALYSIS EXAMPLE 1 50

51 MEMORY ANALYSIS EXAMPLE 1 51

52 MEMORY ANALYSIS EXAMPLE 1 root@kali:/tmp/vaddump# ls grep f80000 svchost.exe.661e6e8.0x00f x00f88fff.dmp root@kali:/tmp/vaddump# strings -a svchost.exe.661e6e8.0x00f x00f88fff.dmp > /tmp/strings.txt root@kali:/tmp/vaddump# strings -el svchost.exe.661e6e8.0x00f x00f88fff.dmp >> /tmp/strings.txt 52

53 MEMORY ANALYSIS EXAMPLE 1 root@kali:/tmp# cat strings.txt cmd.exe /C \drivers\ main.dll.bdata POST Content-Type: application/x-www-form-urlencoded rexec lexec http xwinxp_380eed8c C:\WINDOWS\system32\drivers\str.sys 53

54 MEMORY ANALYSIS EXAMPLE 1 54

55 MEMORY ANALYSIS EXAMPLE 1 55

56 MEMORY ANALYSIS EXAMPLE 1 INT 2E SYSENTER SSDT (System Service Descriptor Table) picture User Mode KiSystemService() Native SSDT Service Table Native Functions Table Function 1 Kernel Mode SSDT #1 (ntoskrnl.exe) SSDT #2 (win32k.sys) SSDT #3 (not used) Counter Table Service Limit Arguments Table GUI SSDT Service Table Function 2 Function... Function n GUI Functions Table Function 1 ntoskrnl.exe SSDT #4 (not used) Counter Table Service Limit Function 2 Function... win32k.sys Arguments Table Function n 56

57 MEMORY ANALYSIS EXAMPLE 1 57

58 MEMORY ANALYSIS EXAMPLE 1 We should remember that since Windows 8.1 x64 there is not _ETHREAD.Tcb.ServiceTable member anymore (as there was in Windows XP 32-bits). Therefore, to enumerate the SSDT, it s necessary to disassembly the nt!keaddsystemservicetable function and extract the RVAs (relative virtual addresses) for KeServiceDescriptorTable and KeServiceDescriptorTableShadow symbols. 58

59 MEMORY ANALYSIS EXAMPLE 1 RVA for KeServiceDescriptorTable RVA for KeServiceDescriptorTableShadow 59

60 EXAMPLE 2 60

61 MEMORY ANALYSIS EXAMPLE 2 ALEXANDRE BORGES IT IS NOT ALLOWED TO COPY OR REPRODUCE THIS S LIDE. 61

62 MEMORY ANALYSIS EXAMPLE 2 62

63 MEMORY ANALYSIS EXAMPLE 2 63

64 MEMORY ANALYSIS EXAMPLE 2 64

65 MEMORY ANALYSIS EXAMPLE 2 65

66 MEMORY ANALYSIS EXAMPLE 2 66

67 MEMORY ANALYSIS EXAMPLE 2 67

68 MEMORY ANALYSIS EXAMPLE 2 68

69 MEMORY ANALYSIS EXAMPLE 2 69

70 MEMORY ANALYSIS EXAMPLE 2 70

71 MEMORY ANALYSIS EXAMPLE 2 71

72 MEMORY ANALYSIS EXAMPLE 2 72

73 MEMORY ANALYSIS EXAMPLE 2 73

74 MEMORY ANALYSIS EXAMPLE 2 74

75 MEMORY ANALYSIS EXAMPLE 2 75

76 MEMORY ANALYSIS EXAMPLE 2 76

77 MEMORY ANALYSIS EXAMPLE 2 77

78 MEMORY ANALYSIS EXAMPLE 2 78

79 MEMORY ANALYSIS EXAMPLE 2 79

80 MEMORY ANALYSIS EXAMPLE 2 80

81 MEMORY ANALYSIS EXAMPLE 2 81

82 MEMORY ANALYSIS EXAMPLE 2 82

83 MEMORY ANALYSIS EXAMPLE 2 83

84 MEMORY ANALYSIS EXAMPLE 2 84

85 MEMORY ANALYSIS EXAMPLE 2 85

86 MEMORY ANALYSIS EXAMPLE 2 86

87 MEMORY ANALYSIS EXAMPLE 2 87

88 MEMORY ANALYSIS EXAMPLE 2 88

89 MEMORY ANALYSIS EXAMPLE 2 89

90 MEMORY ANALYSIS EXAMPLE 2 90

91 MEMORY ANALYSIS EXAMPLE 2 91

92 MEMORY ANALYSIS EXAMPLE 2 92

93 MEMORY ANALYSIS EXAMPLE 2 93

94 MEMORY ANALYSIS EXAMPLE 2 94

95 REMEMBER We are always in CONTROL... 95

96 ALMOST FINISHING... 96

97 THANK YOU FOR ATTENDING MY LECTURE! LinkedIn: Site: Malware and Security Researcher. Consultant, Instructor and Speaker on Malware Analysis, Memory Analysis, Digital Forensics, Rootkits and Software Exploitation. Instructor at Oracle, (ISC)2 and EC-Council. Exinstructor at Symantec. Member of the CHFI Advisory Board in EC-Council. Reviewer member of the The Journal of Digital Forensics, Security and Law Refereer on Digital Investigation:The International Journal of Digital Forensics & Incident Response Author of Oracle Solaris Advanced Administration book 97

Windows Memory Analysis. Jesse Kornblum

Windows Memory Analysis. Jesse Kornblum C Y B E R S E C T O R Windows Memory Analysis Jesse Kornblum Why Memory Analysis Windows without Windows Gathering Information Parsing the Processes The Rootkit Paradox Address Translation Recovering Executables