SECURITY BOOTCAMP 2012 | Make yourself to be an expert!
Malware Memory Forensic
Nguyễn Chấn Việt | vietwow@gmail.com
Who am I
Senior Security Researcher
4+ years in Information Security, focusing on Malware Analysis and Exploit Development
Twitter: https://twitter.com/vietwow
Agenda
Why Memory Forensics?
What is Memory Forensics?
Our approach: Rootkit Detection
Windows Platform
Linux Platform
Real-world Malware
Why Memory Forensics?
In the past, Forensic Analysis = File System Forensics
Why memory forensics?
Malware Analysis
Incident Response (IR)
Hot topic for researchers
Why Memory Forensics?
Everything in the OS traverses RAM
• Processes and threads
• Malware (including rootkit technologies)
• Network sockets, URLs, IP addresses
• Open files
• User generated content
  Passwords, caches, clipboards
• Encryption keys
• Hardware and software configuration
• Windows registry keys and event logs
Memory Forensics Questions…
What processes were running on the suspect system at the time the memory image was taken?
What (hidden or closed) processes existed?
Are there any (hidden or closed) network connections?
Are there any (hidden or closed) sockets?
What is the purpose and intent of the suspected file?
Are there any suspicious DLL modules?
Are there any suspicious URLs or IP addresses associated with a process?
Memory Forensics Questions…
Are there any suspicious open files associated with a process?
Are there any closed or hidden files associated with any process?
Are there any suspicious strings associated with a particular process?
Are there any suspicious files present? Can you extract them?
Can you extract malicious processes from memory and analyze them?
Memory Forensics Questions…
Can you identify the attackers and their IP addresses?
Did the attacker create a user account on the system?
Did the malware modify or add any registry entry?
Does the malware use any type of hooks to hide itself?
Did the malware inject itself into any running processes?
What is the relationship between different processes?
What is the intent and purpose of this malware?
What is Memory Forensics?
The technique/process of analysing traces (artifacts) based on the memory (RAM) of a system
This covers physical memory (RAM) as well as the Page File/Swap
Memory Acquisition
Winen (Guidance Software)
FastDump Pro (HB Gary) - Limited free version available
FTK Imager - Free
DD - Free but limited - May not work on later versions of Windows
WinHex - Has some limitations
Nigilant32 - Free but for 32-bit systems only
Memoryze (Mandiant) - Free
Virtual Machine Memory Acquisition
Memory Forensic Tools
Volatility
https://www.volatilesystems.com/default/volatility
Free & Open Source
Mandiant Redline
http://www.mandiant.com/resources/download/redline/
Free
HBGary Responder
http://www.hbgary.com/responder-pro-2
$$$ - Pro
Community Edition available
Volatility
An advanced memory forensics framework
Open Source
Written in Python
Primarily Windows-focused
Linux (Android) & Mac support now available
Modular, portable
Main reason why I’m here :D
Volatility
Volatility supports the following extraction capabilities for memory images:
Image date and time
Running processes
Open network sockets
Open network connections
DLLs loaded for each process
Open files for each process
Open registry keys for each process
Memory maps for each process
Extract executable samples
Scanning examples: processes, threads, sockets, connections, modules
Volatility
pslist
List the processes of a system. This walks the doubly-linked list pointed to by PsActiveProcessHead. It does not detect hidden or unlinked processes.
Volatility
connections
To view the active connections
Volatility
dlllist
Print all loaded DLLs
Volatility
svcscan
List Windows services
DLL Injection
DLL Injection is a very common technique used by malware
VirtualAllocEx( ) and CreateRemoteThread( )
SetWindowsHookEx( )
DLL Injection Detection
ldrmodules
Plugin for detecting DLL Injection
In each process, the loaded DLLs are tracked in 3 linked lists
Stealthy malware unlinks its DLLs from these linked lists
This plugin queries these linked lists and displays the information so that we can compare them
[1.2] Usermode & Kernelmode Hooking
Levels of Access in Windows
Ring 3 – User Land
User
Administrator
System
Ring 0 – Kernel Land
Drivers
OS Internals
• ReadFile() called on File1.txt
• Transition to Ring 0
• NtReadFile() processed
• I/O Subsystem called
• IRP generated
• Data at File1.txt requested from ntfs.sys
• Data on D: requested from dmio.sys
• Data on disk 2 requested from disk.sys
OS Internals
• Binary replacement, e.g. modified Exe or Dll
• Binary modification in memory, e.g. He4Hook
• User land hooking, e.g. Hacker Defender
• IAT hooking
OS Internals
• Kernel Hooking
  • E.g. NtRootkit
• Driver replacement
  • E.g. replace ntfs.sys with ntfss.sys
• Direct Kernel Object Manipulation – DKOM
  • E.g. Fu, FuTo
OS Internals
• IO Request Packet (IRP) Hooking
  • IRP Dispatch Table
  • E.g. He4Hook (some versions)
OS Internals
• Filter Drivers
  • The official Microsoft method
  • Types
    • File system filter
    • Volume filter
    • Disk Filter
    • Bus Filter
  • E.g. Clandestine File System Driver (CFSD)
Current Rootkit Capabilities
Hide processes
Hide files
Hide registry entries
Hide services
Completely bypass personal firewalls
Undetectable by antivirus
Remotely undetectable
Covert channels - undetectable on the network
Defeat cryptographic hash checking
Install silently
All capabilities ever used by viruses or worms
Windows GUI Subsystem Hooking
Malware can use SetWindowsHookEx to intercept window messages
Windows GUI Hooking Detection
messagehooks
Plugin for detecting Windows GUI Hooking
IAT Hooking
Hooking into the IAT (Import Address Table) of a process
SSDT Hooking
• Hook the call when the device is created

NTSTATUS Create(PDEVICE_OBJECT DeviceObject, PIRP Irp)
{
    NTSTATUS status = STATUS_SUCCESS;
    if ( !CanWriteToSSDT() )
    {
        // Change the read-only SSDT memory block to read/write
        EnableWritingToSSDT();
        OldZwQuerySystemInformation = (ZWQUERYSYSTEMINFORMATION)InterlockedExchange(
            (PLONG)&g_MappedSystemCallTable[0xAD],
            (LONG)NewQuerySytemInformation);
    }
    Irp->IoStatus.Status = status;
    IoCompleteRequest(Irp, IO_NO_INCREMENT);
    return status;
}
Kernelmode Hooking Detection
ssdt_ex
Plugin for detecting SSDT hooks and inline hooks
Others
IDT (Interrupt Descriptor Table) Hooking
Use the “idt” plugin to detect it
SYSENTER / SDT Hooking
Hooking SST (KiServiceTable)
Hooking KiSystemService
IRP Hooking
Use the “driverirp” plugin to detect it
=> not enough time to cover all
DKOM
Modifies the EPROCESS structure to unlink the process that is to be hidden
Besides hiding processes, DKOM can also be used to:
Add Privileges to Tokens
Add Groups to Tokens
Manipulate the Token to Fool the Windows Event Viewer
Hide Ports
Hide drivers
=> FU is a rootkit that uses this technique
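As an added illustration (not code from the talk or from Volatility), the following Python models the cross-view check that pslist (slide 17) and psscan give you together: a DKOM-style unlink of one constructed _EPROCESS entry makes it vanish from the linked-list walk, while a scan of every object still in the pool finds it. All PIDs, process names and field names are constructed.

```python
from dataclasses import dataclass, field

@dataclass
class Eprocess:
    """Constructed stand-in for a Windows _EPROCESS: just the fields this check needs."""
    pid: int
    name: str
    flink: "Eprocess | None" = field(default=None, repr=False, compare=False)
    blink: "Eprocess | None" = field(default=None, repr=False, compare=False)

def link_processes(procs):
    """Build the circular doubly-linked ActiveProcessLinks list; procs[0] plays PsActiveProcessHead."""
    for i, p in enumerate(procs):
        p.flink = procs[(i + 1) % len(procs)]
        p.blink = procs[(i - 1) % len(procs)]
    return procs[0]

def dkom_unlink(proc):
    """DKOM as the slide describes it: the neighbours are patched so the list skips `proc`.
    The object itself stays allocated in the pool, which is exactly what psscan relies on."""
    proc.blink.flink = proc.flink
    proc.flink.blink = proc.blink

def pslist(head):
    """pslist: walk the list from the head until it wraps; unlinked entries are never reached."""
    seen, cur = [], head
    while cur is not None and cur.pid not in seen:
        seen.append(cur.pid)
        cur = cur.flink
    return seen

def psscan(pool):
    """psscan: enumerate every _EPROCESS object in the pool regardless of list membership."""
    return [p.pid for p in pool]

def find_hidden(pool, head):
    """Cross-view (psxview-style): found by psscan but not by pslist means unlinked or just
    exited, so these PIDs are what the analyst looks at first."""
    return sorted(set(psscan(pool)) - set(pslist(head)))

# Constructed sample: four processes, then the "rootkit" unlinks PID 1337 from the list.
POOL = [Eprocess(4, "System"), Eprocess(612, "lsass.exe"),
        Eprocess(1337, "rk.exe"), Eprocess(2044, "explorer.exe")]
HEAD = link_processes(POOL)
dkom_unlink(POOL[2])

if __name__ == "__main__":
    print("pslist:", pslist(HEAD))             # [4, 612, 2044]
    print("psscan:", psscan(POOL))             # [4, 612, 1337, 2044]
    print("hidden:", find_hidden(POOL, HEAD))  # [1337]
```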
Driver Hiding
The rootkit uses DKOM to unlink itself from the kernel's list of loaded modules
Hiding the Kernel Module Detection
modscan
Plugin for detecting hidden kernel modules
[2.1] Hiding the Kernel Module
Hiding the Kernel Module
Rootkits usually try to “hide” themselves by unlinking from the linked list of loaded kernel modules
This list is exported through /proc/modules (lsmod simply reads this list and prints it)
Hiding the Kernel Module Detection
linux_check_modules
Plugin for detecting hidden kernel modules
Works by using sysfs to find modules that have been removed from the module list but are still active
sysfs is a kernel-to-userland interface, like /proc, that exports kernel information & statistics
[2.2] Hooking System Call Table
Hooking System Call Table
A system call is the mechanism by which userland code triggers event handling in the kernel
Similar to the API on Windows
Managed through the System call table
The System call table is an array of function pointers; each function pointer corresponds to a syscall handler (e.g. sys_read handles the read system call)
Rootkits usually focus on overwriting this table
Hooking System Call Table Detection
linux_check_syscall
Plugin for detecting System Call Table Hooking
Works by enumerating and verifying every entry in the System Call Table
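The per-entry verification that linux_check_syscall (and ssdt_ex on the Windows side, slide 51) rests on, written out as an added Python example that is not part of the talk or of Volatility: every table entry must point into the code of a known kernel module, and the handler's first bytes must not already be a detour. The module ranges, table entries and byte strings below are constructed sample data.

```python
# Constructed code ranges of loaded kernel modules (32-bit layout, sample addresses).
KERNEL_TEXT = {
    "ntoskrnl.exe": (0x804D7000, 0x806CD000),
    "win32k.sys":   (0xBF800000, 0xBF9C0000),
}

def owner_of(addr, ranges=KERNEL_TEXT):
    """Return the module whose image range contains addr, or None if no module claims it."""
    for name, (start, end) in ranges.items():
        if start <= addr < end:
            return name
    return None

def inline_hooked(prologue):
    """Flag the usual detour prologues: jmp rel32 (E9), jmp [mem] (FF 25), push imm32; ret (68 .. C3)."""
    if prologue[:1] == b"\xe9" or prologue[:2] == b"\xff\x25":
        return True
    return len(prologue) >= 6 and prologue[0] == 0x68 and prologue[5] == 0xC3

def check_table(table, code, ranges=KERNEL_TEXT):
    """Verify a syscall/SSDT-style table {index: handler address}: each pointer must fall inside
    a known module, and the handler must not start with a detour. Returns the suspicious entries."""
    findings = []
    for idx, addr in sorted(table.items()):
        owner = owner_of(addr, ranges)
        if owner is None:
            findings.append((idx, addr, "points outside every loaded kernel module"))
        elif inline_hooked(code.get(addr, b"")):
            findings.append((idx, addr, f"inline hook on handler owned by {owner}"))
    return findings

# Constructed sample: entry 0xAD (the index the SSDT slide patches) now points into unbacked
# pool memory, while entry 2 keeps its original address but its prologue was overwritten.
SAMPLE_TABLE = {0: 0x805B1234, 1: 0x805C4F80, 2: 0x8060A110, 0xAD: 0x81F2A000}
SAMPLE_CODE = {
    0x805B1234: b"\x8b\xff\x55\x8b\xec",  # mov edi,edi; push ebp; mov ebp,esp  (clean)
    0x805C4F80: b"\x8b\xff\x55\x8b\xec",
    0x8060A110: b"\xe9\x6b\x1e\x92\x01",  # jmp rel32  (detoured in place)
}

if __name__ == "__main__":
    for idx, addr, why in check_table(SAMPLE_TABLE, SAMPLE_CODE):
        print(f"entry 0x{idx:02X} -> 0x{addr:08X}: {why}")
```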
[2.3] Hiding Network Connections
Hiding Network Connections
Hooks the “tcp4_seq_afinfo” structure by replacing its “show” member
Hiding Network Connections Detection
linux_check_afinfo
Plugin for detecting hidden network connections
Works by walking the “file_operations” and “sequence_operations” structures of all UDP and TCP protocol structures
Hiding Processes
Method 1:
The Linux kernel holds an array of task_struct structures
task_struct is the counterpart of EPROCESS on Windows
task_struct contains two pointers, prev_run and next_run, pointing to the previous and next process respectively
To hide a process, we only need to unlink it from this prev_task/next_task list
Hiding Processes
[Figure: task_array of task_struct entries (Process 0 … PID 1901), each with its State and the *next_task, *prev_task, *next_run, *prev_run, *p_pptr, *p_cptr, *p_ysptr, *p_osptr pointers linking the entries together]
Hiding Processes
[Figure: the same task_array after the hidden process has been unlinked; the remaining entries' *next_task/*prev_task pointers now skip it]
Hiding Processes
Method 2: Hooking /proc:
Each process has a corresponding directory in /proc
To hide a process, the rootkit hijacks the “readdir” function and filters out the name of the process to be hidden
Hiding Processes

static inline int fuckit_proc_filldir(void *__buf, const char *name, int namelen,
                                      loff_t offset, u64 ino, unsigned d_type)
{
    // our hidden PID :)
    if (!strcmp(name, HIDDEN_PID) || !strcmp(name, KEY)) {
        return 0;
    }
    return original_filldir(__buf, name, namelen, offset, ino, d_type);
}

static inline int fuckit_proc_readdir(struct file *filp, void *dirent, filldir_t filldir)
{
    // save this, we will need to return it later
    original_filldir = filldir;
    return original_proc_readdir(filp, dirent, fuckit_proc_filldir);
}
Hiding Processes Detection
linux_check_fop
Plugin for detecting hidden processes
Works by enumerating the /proc filesystem and all opened files, verifying that every member of each file ops structure is valid
Scan for Registry Artifacts
volatility hivescan -f dumped.vmem
volatility hivelist -f dumped.vmem -o 0x212cb60
Data Carving Using Foremost
Foremost
foremost -c foremost.conf -t exe -i <PID>.dmp -o output3
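An added example, not the talk's or Foremost's own code, of what carving executables out of a process dump involves: scan for MZ headers, validate the PE signature through e_lfanew, and take each image's size from its section table rather than from a fixed footer. The dump and both PE images are constructed inside the script (headers only, no real code).

```python
import struct

def build_fake_pe(sections):
    """Constructed minimal PE image (headers only) so the carver has a target.
    sections: list of (PointerToRawData, SizeOfRawData) pairs relative to the MZ header."""
    e_lfanew, opt_size = 0x80, 0xE0                      # 0xE0 = PE32 optional header size
    dos = (b"MZ" + b"\0" * 0x3A + struct.pack("<I", e_lfanew)).ljust(e_lfanew, b"\0")
    nt = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, opt_size, 0x102)
    nt += b"\0" * opt_size
    for i, (raw_off, raw_size) in enumerate(sections):
        nt += f".s{i}".encode().ljust(8, b"\0") + struct.pack(
            "<IIIIIIHHI", raw_size, 0x1000 * (i + 1), raw_size, raw_off, 0, 0, 0, 0, 0x60000020)
    total = max(off + size for off, size in sections)
    return (dos + nt).ljust(total, b"\0")                # pad so the section data "exists"

def carve_pe(dump, max_size=0x1000000):
    """Find MZ headers, validate the PE signature via e_lfanew, and size each image from its
    section table (largest PointerToRawData + SizeOfRawData). Returns (offset, size) pairs."""
    found, pos = [], 0
    while (pos := dump.find(b"MZ", pos)) != -1:
        hdr, pos = pos, pos + 2
        if hdr + 0x40 > len(dump):
            break
        nt = hdr + struct.unpack_from("<I", dump, hdr + 0x3C)[0]
        if nt - hdr > 0x400 or nt + 24 > len(dump) or dump[nt:nt + 4] != b"PE\0\0":
            continue                                     # a stray "MZ" in data, not a PE
        nsec = struct.unpack_from("<H", dump, nt + 6)[0]
        sec = nt + 24 + struct.unpack_from("<H", dump, nt + 20)[0]
        if sec + 40 * nsec > len(dump):
            continue
        end = sec + 40 * nsec - hdr                      # at least carve the headers
        for i in range(nsec):
            raw_size, raw_off = struct.unpack_from("<II", dump, sec + 40 * i + 16)
            end = max(end, raw_off + raw_size)
        if end <= max_size:
            found.append((hdr, min(end, len(dump) - hdr)))
    return found

# Constructed "process dump": a decoy "MZ" string, then two fake PEs separated by padding.
PE_A = build_fake_pe([(0x200, 0x200), (0x400, 0x600)])  # 0xA00 bytes
PE_B = build_fake_pe([(0x200, 0x300)])                  # 0x500 bytes
DUMP = (b"\0" * 0x100 + b"MZ is just text here" + b"\xcc" * 0x60
        + PE_A + b"\x90" * 0x180 + PE_B + b"\0" * 0x40)

if __name__ == "__main__":
    for off, size in carve_pe(DUMP):
        print(f"PE at 0x{off:x}, {size} bytes")       # two hits; the decoy MZ is rejected
```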
[3] Real-world Malware
Mixes many concepts:
VirTool:WinNT/Exforel.A
TDSS Rootkit
Zeus
Stuxnet / Duqu
Flame
VirTool:WinNT/Exforel.A
Malware that re-implements the entire TCP/IP stack
TDSS Rootkit
Comes in 4 variants:
TDL-1
TDL-2
TDL-3
TDL-4
Zeus
A trojan that specialises in stealing information from financial companies/corporations
Has some rootkit-like features
Stuxnet / Duqu
A worm, with 2 versions:
Stuxnet: focused on destroying the infrastructure (PLCs) of Iran's nuclear reactors
Duqu: focused on stealing information
Flame
Also known as sKyWiper
The most talked-about malware of late, far more complex than Duqu. It is at once a backdoor and a trojan, and also has worm-like features
Password Keeper
Password Keeper is a small utility useful for storing our frequently used passwords. Password information can be stored, edited and printed with this easy to use program.
No mention of protection against memory analysis
Password Keeper
With Volatility we dump the PasswordKeeper process
and run strings on the dump to recover our password
Conclusion
Volatility is a great tool for memory forensics
Want to learn more?
SANS FOR526: Windows Memory Forensics In-Depth
Windows Memory Forensics Training for Analysts by Volatility Developers