SBC 2012 - Malware Memory Forensics (Nguyễn Chấn Việt)
TRANSCRIPT
![Page 1: SBC 2012 - Malware Memory Forensics (Nguyễn Chấn Việt)](https://reader034.vdocuments.site/reader034/viewer/2022052505/555c436dd8b42a2c068b4f03/html5/thumbnails/1.jpg)
SECURITY BOOTCAMP 2012 | Make yourself to be an expert!
Nguyễn Chấn Việt | [email protected]
Malware Memory Forensic
Who am I
Senior Security Researcher
4+ years in Information Security, focusing on Malware Analysis and Exploit Development
Twitter: https://twitter.com/vietwow
Agenda
Why Memory Forensics?
What is Memory Forensics?
Our approach: Rootkit Detection
Windows Platform
Linux Platform
Real-world Malware
Why Memory Forensics?
In the past, Forensic Analysis = File System Forensics
Why memory forensics?
Malware Analysis
Incident Response (IR)
HOT topic for researchers
Why Memory Forensics?
Everything in the OS traverses RAM
•Processes and threads
•Malware (including rootkit technologies)
•Network sockets, URLs, IP addresses
•Open files
•User generated content: passwords, caches, clipboards
•Encryption keys
•Hardware and software configuration
•Windows registry keys and event logs
Memory Forensics Questions…
What processes were running on the suspect system at the time the memory image was taken?
What (hidden or closed) processes existed?
Are there any (hidden or closed) network connections?
Are there any (hidden or closed) sockets?
What is the purpose and intent of the suspected file?
Are there any suspicious DLL modules?
Are there any suspicious URLs or IP addresses associated with a process?
Memory Forensics Questions…
Are there any suspicious open files associated with a process?
Are there any closed or hidden files associated with any process?
Are there any suspicious strings associated with a particular process?
Are there any suspicious files present? Can you extract them?
Can you extract malicious processes from memory and analyze them?
Memory Forensics Questions…
Can you identify the attackers and their IP addresses?
Did the attacker create a user account on the system?
Did the malware modify or add any registry entry?
Does the malware use any type of hooks to hide itself?
Did the malware inject itself to any running processes?
What is the relationship between different processes?
What is the intent and purpose of this malware?
What is Memory Forensics?
The technique/process of analysing evidence found in the memory (RAM) of a system
Covers physical memory (RAM) and the page file/swap
Memory Acquisition
Winen (Guidance Software)
FastDump Pro (HB Gary) - Limited Free version available
FTK Imager - Free
DD - Free but limited; may not work on later versions of Windows
WinHex - Has some limitations
Nigilant32 - Free but for 32-bit systems only
Memoryze (Mandiant) - Free
Virtual Machine Memory Acquisition
Memory Forensic Tools
Volatility
https://www.volatilesystems.com/default/volatility
Free & Open Source
Mandiant Redline
http://www.mandiant.com/resources/download/redline/
Free
HBGary Responder
http://www.hbgary.com/responder-pro-2
$$$ - Pro
Community Edition available
Volatility
An advanced memory forensics framework
Open Source
Written in Python
Primarily Windows-focused
Linux (Android) & Mac support now available
Modular, portable
Main reason why I’m here :D
Volatility
Volatility supports the following extraction capabilities for memory images:
Image date and time
Running processes
Open network sockets
Open network connections
DLLs loaded for each process
Open files for each process
Open registry keys for each process
Memory maps for each process
Extract executable samples
Scanning examples: processes, threads, sockets, connections, modules
General checking
Windows Platform
Volatility: pslist
List the processes of a system. This walks the doubly-linked list pointed to by PsActiveProcessHead. It does not detect hidden or unlinked processes.
Volatility: connections
View the active connections
Volatility: dlllist
Print all loaded DLLs
Volatility: svcscan
List Windows services
Linux Platform
Volatility: linux_lsmod
Print all loaded kernel modules
Rootkit Detection
[1] Windows Platform
[1.1] DLL Injection
Normal DLL Interaction
Injected DLL Interaction
DLL Injection
DLL injection is a very common technique used by malware
VirtualAllocEx() and CreateRemoteThread()
SetWindowsHookEx()
DLL Injection Detection: ldrmodules
A module for detecting DLL injection
In each process, DLLs are tracked in 3 linked lists
Stealthy malware unlinks its DLL from these linked lists
This plugin queries the linked lists and displays the information so that we can compare them
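An added example (not Volatility's ldrmodules code) of the cross-view comparison the slide describes: the three PEB lists (InLoadOrder, InMemoryOrder, InInitializationOrder) of a constructed process are merged with its VAD-mapped images, and a DLL that is mapped but missing from the lists is reported. Module names, paths and base addresses are made up.

```python
"""Cross-view of the PEB module lists, in the spirit of Volatility's ldrmodules
(added example on constructed data, not Volatility's code).

Every process keeps three doubly linked lists of its loaded modules in
PEB -> Ldr (PEB_LDR_DATA): InLoadOrderModuleList, InMemoryOrderModuleList
and InInitializationOrderModuleList. A DLL that unlinks itself from them
still has to be mapped, so the VAD tree keeps a record of the image.
Listing every module seen in any of the four views exposes the gap.
"""
from dataclasses import dataclass


@dataclass
class ModuleRow:
    base: int
    path: str
    in_load: bool = False
    in_init: bool = False
    in_mem: bool = False
    mapped: bool = False      # image-backed VAD present at this base


def cross_view(load_order, init_order, mem_order, vad_images, exe_base):
    """Merge the three PEB lists with the VAD image map (all {base: path}).

    exe_base is the base of the main executable; Windows never puts the
    main image on InInitializationOrderModuleList, so that absence alone
    is not a finding. Returns (all_rows, suspicious_rows).
    """
    rows = {}

    def row(base, path):
        r = rows.setdefault(base, ModuleRow(base, path))
        if not r.path and path:          # prefer a non-empty path from any view
            r.path = path
        return r

    for base, path in load_order.items():
        row(base, path).in_load = True
    for base, path in init_order.items():
        row(base, path).in_init = True
    for base, path in mem_order.items():
        row(base, path).in_mem = True
    for base, path in vad_images.items():
        row(base, path).mapped = True

    suspicious = []
    for r in sorted(rows.values(), key=lambda m: m.base):
        need_init = r.base != exe_base
        fully_listed = r.in_load and r.in_mem and (r.in_init or not need_init)
        if r.mapped and not fully_listed:
            suspicious.append(r)    # mapped image missing from a PEB list: unlinked DLL
        elif not r.mapped:
            suspicious.append(r)    # PEB entry with no backing image: forged/stale entry
    return list(rows.values()), suspicious


def demo():
    """Constructed process: the main exe, two system DLLs and one unlinked DLL."""
    exe = 0x00400000
    k32, ntdll, evil = 0x7C800000, 0x7C900000, 0x10000000
    load = {exe: r"C:\app\victim.exe", ntdll: r"C:\WINDOWS\system32\ntdll.dll",
            k32: r"C:\WINDOWS\system32\kernel32.dll"}
    init = {ntdll: load[ntdll], k32: load[k32]}       # exe is legitimately absent here
    mem = dict(load)
    vad = dict(load)
    vad[evil] = r"C:\Users\Public\evil.dll"            # mapped, but in none of the lists
    return cross_view(load, init, mem, vad, exe_base=exe)


if __name__ == "__main__":
    rows, suspicious = demo()
    for r in rows:
        print(f"{r.base:08x} load={r.in_load!s:5} init={r.in_init!s:5} "
              f"mem={r.in_mem!s:5} mapped={r.mapped!s:5} {r.path}")
    print("suspicious:", [hex(r.base) for r in suspicious])
```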
[1.2] Usermode & Kernelmode Hooking
Levels of Access in Windows
Ring 3 – User Land: User, Administrator, System
Ring 0 – Kernel Land: Drivers
OS Internals
• ReadFile() called on File1.txt
• Transition to Ring 0
• NtReadFile() processed
• I/O Subsystem called
• IRP generated
• Data at File1.txt requested from ntfs.sys
• Data on D: requested from dmio.sys
• Data on disk 2 requested from disk.sys
OS Internals
• Binary replacement, e.g. a modified EXE or DLL
• Binary modification in memory, e.g. He4Hook
• User land hooking, e.g. Hacker Defender
• IAT hooking
OS Internals
• Kernel Hooking, e.g. NtRootkit
• Driver replacement, e.g. replacing ntfs.sys with ntfss.sys
• Direct Kernel Object Manipulation (DKOM), e.g. Fu, FuTo
OS Internals
• IO Request Packet (IRP) Hooking: IRP Dispatch Table
• E.g. He4Hook (some versions)
OS Internals
• Filter Drivers
• The official Microsoft method
• Types: File system filter, Volume filter, Disk filter, Bus filter
• E.g. Clandestine File System Driver (CFSD)
Current Rootkit Capabilities
Hide processes
Hide files
Hide registry entries
Hide services
Completely bypass personal firewalls
Undetectable by anti virus
Remotely undetectable
Covert channels - undetectable on the network
Defeat cryptographic hash checking
Install silently
All capabilities ever used by viruses or worms
[1.2.1] Usermode Hooking
Windows GUI Subsystem Hooking
Malware can use SetWindowsHookEx to intercept window messages
Windows GUI Hooking Detection: messagehooks
A module for detecting Windows GUI hooking
IAT Hooking
Hooks into the process's IAT (Import Address Table)
IAT Hooking (diagram: IAT Hook)
IAT Hooking

```cpp
#include <windows.h>

// Bookkeeping for one hooked import: the hook to install and the original
// target, saved so the hook can forward calls to it. (Declared here because
// the slide only shows its use.)
struct HookedFunction
{
    PVOID RealFunction;
    PVOID HookFunction;
};

// Slide code: overwrite one IAT thunk (an entry in the importing module's
// Import Address Table) so that calls through it reach the hook instead.
void hookFunction( PVOID * thunk, HookedFunction & hookedFunction )
{
    MEMORY_BASIC_INFORMATION mbi;
    // The IAT is marked as read-only memory so we mark it as read-write for the update.
    ZeroMemory( &mbi, sizeof( MEMORY_BASIC_INFORMATION ) );
    SIZE_T s = VirtualQuery( thunk, &mbi, sizeof( MEMORY_BASIC_INFORMATION ) );
    BOOL b = VirtualProtect( mbi.BaseAddress, mbi.RegionSize,
                             PAGE_READWRITE, &mbi.Protect );   // old protection lands in mbi.Protect
    if ( hookedFunction.RealFunction == 0 )
    {
        hookedFunction.RealFunction = *thunk;   // remember the genuine import once
    }
    *thunk = hookedFunction.HookFunction;       // the thunk now resolves to the hook
    DWORD oldProtect;
    VirtualProtect( mbi.BaseAddress, mbi.RegionSize, mbi.Protect, &oldProtect );   // restore protection
}
```
Inline Hooking
Overwrites the first bytes (usually 5) of the target routine
Usermode Hooking Detection: apihooks
A module for detecting IAT hooks and inline hooks
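An added example, not Volatility's apihooks code, of the two checks that plugin performs on the IAT hooks and inline hooks described above: each IAT slot is compared with the exporter's real address, and a patched prologue (the 5-byte JMP from the inline hooking slide) is decoded to see which module it lands in. Module ranges, addresses and bytes are constructed.

```python
"""User-mode hook checks of the kind Volatility's apihooks performs, as an
added example on constructed data (not Volatility's code).

  * IAT check: each import slot should hold the address the exporting DLL
    actually exports; a slot pointing elsewhere is an IAT hook.
  * Inline check: the first bytes of an exported function should not be an
    unconditional transfer out of its module; if they are, decode the target.
Addresses are 32-bit and constructed; a real check reads them from the image.
"""
import struct

# Constructed module map of the process: name -> (base, size)
MODULES = {
    "victim.exe": (0x00400000, 0x00010000),
    "kernel32.dll": (0x7C800000, 0x000F6000),
    "ntdll.dll": (0x7C900000, 0x000B2000),
    "evil.dll": (0x10000000, 0x00008000),
}


def owner(addr, modules=MODULES):
    """Name of the module whose range contains addr, or None."""
    for name, (base, size) in modules.items():
        if base <= addr < base + size:
            return name
    return None


def check_iat(iat, exports, modules=MODULES):
    """iat: {(dll, func): slot value}; exports: {(dll, func): export address}."""
    findings = []
    for (dll, func), ptr in iat.items():
        expected = exports[(dll, func)]
        if ptr != expected:
            findings.append({"type": "IAT", "import": f"{dll}!{func}",
                             "expected": expected, "actual": ptr,
                             "hook_module": owner(ptr, modules)})
    return findings


def decode_transfer(code, va, read_dword=None):
    """Decode an unconditional transfer at the start of code (loaded at va).

    Recognises jmp rel32 (E9), push imm32 / ret (68 .. C3) and jmp [imm32]
    (FF 25); the last needs read_dword to dereference the pointer slot.
    Returns (mnemonic, target) or None if the prologue is not a transfer.
    """
    if code[0] == 0xE9:
        rel = struct.unpack_from("<i", code, 1)[0]
        return "jmp rel32", (va + 5 + rel) & 0xFFFFFFFF
    if code[0] == 0x68 and len(code) > 5 and code[5] == 0xC3:
        return "push/ret", struct.unpack_from("<I", code, 1)[0]
    if code[0] == 0xFF and code[1] == 0x25 and read_dword is not None:
        slot = struct.unpack_from("<I", code, 2)[0]
        return "jmp [imm32]", read_dword(slot)
    return None


def check_inline(func, va, prologue, modules=MODULES, read_dword=None):
    """Flag an inline hook when the prologue jumps out of the owning module."""
    decoded = decode_transfer(prologue, va, read_dword)
    if decoded is None:
        return None
    mnemonic, target = decoded
    home, dest = owner(va, modules), owner(target, modules)
    if dest == home:
        return None      # intra-module jump (e.g. a hot-patch stub): not a hook
    return {"type": "INLINE", "function": func, "mnemonic": mnemonic,
            "target": target, "hook_module": dest}


def demo():
    """Constructed process state: one IAT hook and one inline hook from evil.dll."""
    create_file = 0x7C801A28                             # kernel32!CreateFileW (constructed)
    exports = {("kernel32.dll", "CreateFileW"): create_file,
               ("kernel32.dll", "ReadFile"): 0x7C80180E}
    iat = {("kernel32.dll", "CreateFileW"): 0x10002000,  # slot points into evil.dll
           ("kernel32.dll", "ReadFile"): 0x7C80180E}     # untouched
    hook_target = 0x10001000
    # Patched prologue: E9 <rel32> over the usual `mov edi,edi; push ebp; mov ebp,esp`
    patched = b"\xE9" + struct.pack("<i", hook_target - (create_file + 5))
    return {"iat": check_iat(iat, exports),
            "inline": check_inline("kernel32!CreateFileW", create_file, patched)}


if __name__ == "__main__":
    for kind, result in demo().items():
        print(kind, result)
```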
[1.2.2] Kernelmode Hooking
SSDT Hooking
Hooks into the SSDT (System Service Descriptor Table)
SSDT Hooking
SSDT Hooking
• Hook the call when the device is created

```c
// Slide code: in the driver's IRP_MJ_CREATE dispatch routine, swap the SSDT
// entry at index 0xAD (the slot the slide uses for ZwQuerySystemInformation;
// indexes differ between Windows versions) for the rootkit's own handler.
NTSTATUS Create(PDEVICE_OBJECT DeviceObject, PIRP Irp)
{
    NTSTATUS status = STATUS_SUCCESS;
    if ( !CanWriteToSSDT() )
    {
        // Change the read-only SSDT memory block to read/write
        EnableWritingToSSDT();
        // Atomically replace the table entry, keeping the original pointer
        OldZwQuerySystemInformation = (ZWQUERYSYSTEMINFORMATION)InterlockedExchange(
            (PLONG)&g_MappedSystemCallTable[0xAD],
            (LONG) NewQuerySytemInformation);
    }
    Irp->IoStatus.Status = status;
    IoCompleteRequest(Irp, IO_NO_INCREMENT);
    return status;
}
```
Kernelmode Hooking Detection: ssdt_ex
A module for detecting SSDT hooks and inline hooks
Others
IDT (Interrupt Descriptor Table) Hooking
Use the “idt” module to detect it
SYSENTER / SDT Hooking
Hooking SST (KiServiceTable)
Hooking KiSystemService
IRP Hooking
Use the “driverirp” module to detect it
=> not enough time to cover all
[1.3] Process Hiding
DKOM
Modifies the EPROCESS structure to unlink the process that is to be hidden
Besides hiding processes, DKOM can also be used to:
Add Privileges to Tokens
Add Groups to Tokens
Manipulate the Token to Fool the Windows Event Viewer
Hide Ports
Hide drivers
=> FU is a rootkit that uses this technique
EPROCESS Linked List
Rootkit Detection: psxview (FU Rootkit)
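An added example (not Volatility's psxview code) of the cross-view that slide shows for the FU rootkit: a constructed, simplified memory image holds process objects with a pool tag and an ActiveProcessLinks-style LIST_ENTRY; walking the list from PsActiveProcessHead (the pslist view) is compared with scanning for the pool tag (the psscan view), and the exit time separates a DKOM-unlinked process from one that merely terminated. The object layout, tag, addresses and PIDs are made up.

```python
"""Cross-view process listing in the spirit of Volatility's psxview
(added example on a constructed image, not Volatility's code).

pslist walks PsActiveProcessHead -> EPROCESS.ActiveProcessLinks, so a process
that DKOM unlinked (what FU does) never shows up. psscan instead scans memory
for the pool tag in front of every process object, linked or not. A process
that merely exited also fails the list walk; its exit time tells the two apart.

Constructed object layout (simplified, NOT the real _EPROCESS):
  +0 pool tag  +4 pid  +8 LIST_ENTRY{flink, blink}  +16 name[12]  +28 exit_time
flink/blink point at the LIST_ENTRY, not the object, as in the real kernel.
Virtual addresses are used directly as image offsets (identity mapping).
"""
import struct

POOL_TAG = b"Proc"          # constructed tag; the real one differs by Windows version
LINKS_OFF = 8               # offset of the LIST_ENTRY inside the object
OBJ_FMT = "<4sIII12sI"      # 32-byte object
HEAD = 0x1000               # constructed PsActiveProcessHead (a bare LIST_ENTRY)


def rd(img, off):
    return struct.unpack_from("<I", img, off)[0]


def walk_active_list(img, head):
    """pslist view: follow flink from head back to head. Returns {obj: pid}."""
    seen, visited = {}, set()
    flink = rd(img, head)
    while flink != head and flink not in visited:
        visited.add(flink)
        obj = flink - LINKS_OFF                 # CONTAINING_RECORD
        seen[obj] = rd(img, obj + 4)
        flink = rd(img, obj + LINKS_OFF)
    return seen


def scan_pool_tags(img):
    """psscan view: every object carrying the pool tag, linked or not."""
    found, off = {}, img.find(POOL_TAG)
    while off != -1:
        found[off] = rd(img, off + 4)
        off = img.find(POOL_TAG, off + 1)
    return found


def links_consistent(img, obj):
    """True when both neighbours still point back at this object's LIST_ENTRY.
    A DKOM-unlinked object keeps its own pointers, but nobody points at it."""
    me = obj + LINKS_OFF
    flink, blink = rd(img, me), rd(img, me + 4)
    if flink == 0 or blink == 0:
        return False
    return rd(img, flink + 4) == me and rd(img, blink) == me


def psxview(img, head=HEAD):
    """One row per object seen by either view, with a verdict per row."""
    listed, scanned = walk_active_list(img, head), scan_pool_tags(img)
    rows = []
    for obj in sorted(set(listed) | set(scanned)):
        _tag, pid, _f, _b, name, exit_time = struct.unpack_from(OBJ_FMT, img, obj)
        in_list = obj in listed
        if in_list:
            verdict = "ok"
        elif exit_time:
            verdict = "terminated"              # unlinked because it exited
        else:
            verdict = "hidden"                  # alive, scannable, unlinked: DKOM
        rows.append({"offset": obj, "pid": pid,
                     "name": name.split(b"\0", 1)[0].decode(),
                     "pslist": in_list, "psscan": obj in scanned,
                     "links_ok": links_consistent(img, obj), "verdict": verdict})
    return rows


def build_image():
    """Constructed image: System, svchost and explorer linked; PID 1901 unlinked
    by DKOM (its own pointers still name the old neighbours, as FU leaves them);
    a terminated notepad whose object is still lying in memory."""
    img = bytearray(0x3000)
    A, B, H, C, D = 0x1100, 0x1200, 0x1300, 0x1400, 0x2000

    def le(obj):                                # address of the object's LIST_ENTRY
        return obj + LINKS_OFF

    def put(obj, pid, name, flink, blink, exit_time=0):
        struct.pack_into(OBJ_FMT, img, obj, POOL_TAG, pid, flink, blink,
                         name.encode(), exit_time)

    struct.pack_into("<II", img, HEAD, le(A), le(C))
    put(A, 4, "System", le(B), HEAD)
    put(B, 1020, "svchost.exe", le(C), le(A))   # flink skips H
    put(H, 1901, "hidden.exe", le(C), le(B))    # unlinked, pointers left behind
    put(C, 1444, "explorer.exe", HEAD, le(B))   # blink skips H
    put(D, 2300, "notepad.exe", 0, 0, exit_time=0x1CD5A3)
    return bytes(img)


if __name__ == "__main__":
    for r in psxview(build_image()):
        print(f"{r['offset']:#06x} {r['pid']:5d} {r['name']:12s} "
              f"pslist={r['pslist']!s:5} psscan={r['psscan']!s:5} "
              f"links_ok={r['links_ok']!s:5} {r['verdict']}")
```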
[1.4] Driver Hiding
Driver Hiding
The rootkit uses DKOM to unlink itself from the kernel's list of loaded modules
Hidden Kernel Module Detection: modscan
A module for detecting hidden kernel modules
[2] Linux Platform
[2.1] Hiding the Kernel Module
Hiding the Kernel Module
Rootkits usually try to “hide” themselves by unlinking from the linked list of loaded kernel modules
This list is exported through /proc/modules (lsmod simply reads this list and displays it)
Hidden Kernel Module Detection: linux_check_modules
A module for detecting hidden kernel modules
Relies on sysfs to find modules that have been removed from the module list but are still active
sysfs is a kernel-to-userland interface, like /proc, that exports kernel information and statistics
[2.2] Hooking System Call Table
Hooking the System Call Table
A system call is the mechanism by which userland code triggers event handling in the kernel
Similar to the API on Windows
Managed through the system call table
The system call table is an array of function pointers; each function pointer corresponds to a syscall handler (e.g. sys_read handles the read system call)
Rootkits usually focus on overwriting this table
System Call Table Hooking Detection: linux_check_syscall
A module for detecting system call table hooking
Works by enumerating and verifying every entry in the system call table
[2.3] Hiding Network Connections
Hiding Network Connections
Hooks the “tcp4_seq_afinfo” structure, replacing its “show” member
Hidden Network Connection Detection: linux_check_afinfo
A module for detecting hidden network connections
Works by walking the “file_operations” and “sequence_operations” structures of all UDP and TCP protocol structures
[2.4] Hiding Processes
Hiding Processes
Method 1:
The Linux kernel holds an array of task_struct structures
task_struct is the counterpart of EPROCESS on Windows
task_struct contains two pointers, prev_run and next_run, pointing to the previous and the next process respectively
To hide a process, it is enough to unlink it from this prev_task/next_task list
Hiding Processes (diagram: the task_array, a chain of task_struct entries each showing PID, State, *next_task/*prev_task, *next_run/*prev_run and *p_pptr/*p_cptr/*p_ysptr/*p_osptr, linked from Process 0 through to PID 1901)
Hiding Processes (diagram: the same task_array after the hide step, with the task_struct of PID 1901 shown apart from the chain that links Process 0 and the remaining entries)
Hiding Processes
Method 2: Hooking /proc
Each process has a corresponding directory in /proc
To hide a process, the rootkit hijacks the “readdir” function and filters out the name of the process it wants hidden
Hiding Processes

```c
// Slide code: a /proc readdir hook. The replacement filldir callback drops the
// directory entry whose name equals the hidden PID (or the rootkit's key), so
// the entry never reaches userland and tools such as ps do not list it.
static inline int fuckit_proc_filldir(void *__buf, const char *name, int namelen,
                                      loff_t offset, u64 ino, unsigned d_type)
{
    // our hidden PID :)
    if (!strcmp(name, HIDDEN_PID) || !strcmp(name, KEY)) {
        return 0;          // report success without emitting the entry
    }
    return original_filldir(__buf, name, namelen, offset, ino, d_type);
}

static inline int fuckit_proc_readdir(struct file *filp, void *dirent, filldir_t filldir)
{
    // save this, we will need to return it later
    original_filldir = filldir;
    return original_proc_readdir(filp, dirent, fuckit_proc_filldir);
}
```
Hidden Process Detection: linux_check_fop
A module for detecting hidden processes
Works by enumerating the /proc filesystem and all open files, verifying that every member of each file_operations structure is valid
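An added example (not Volatility's code) of the verification that linux_check_syscall, linux_check_afinfo and linux_check_fop all perform on the structures described in the slides above: every entry of the system call table is compared with the handler symbol it should hold, and every non-NULL member of a file_operations or seq_operations struct is checked to lie in kernel text rather than in memory no listed module accounts for. The kernel text range, System.map symbols, module ranges and hooked addresses are constructed.

```python
"""Function-pointer verification of the kind linux_check_syscall,
linux_check_afinfo and linux_check_fop perform (added example on a
constructed kernel layout, not Volatility's code).

All three plugins ask the same question of a table of function pointers:
does each entry still point where the kernel's own symbols say it should?
  * syscall table: entry N must equal the address of the handler symbol for
    syscall N (sys_read for __NR_read, ...), taken from System.map/kallsyms.
  * file_operations / seq_operations of /proc and /proc/net/tcp: every
    non-NULL member must lie in kernel text; a pointer into memory that no
    listed module covers is the signature of a hidden module's hook.
Addresses, symbols and ranges below are constructed (i386 syscall numbers).
"""

KERNEL_TEXT = (0xC0100000, 0xC0400000)            # _stext .. _etext (constructed)
LOADED_MODULES = {"ext4": (0xF8000000, 0x60000)}  # what the module list admits to
SYSTEM_MAP = {                                    # constructed System.map excerpt
    "sys_read": 0xC0180010, "sys_write": 0xC0180120, "sys_getdents64": 0xC01A0200,
    "proc_readdir": 0xC01B0000, "proc_lookup": 0xC01B0100,
    "tcp_seq_start": 0xC02C0300, "tcp4_seq_show": 0xC02C0400,
}
SYSCALL_NAMES = {3: "sys_read", 4: "sys_write", 220: "sys_getdents64"}


def locate(addr, modules=LOADED_MODULES):
    """'kernel', a listed module name, or 'unknown' for memory nobody admits to."""
    if KERNEL_TEXT[0] <= addr < KERNEL_TEXT[1]:
        return "kernel"
    for name, (base, size) in modules.items():
        if base <= addr < base + size:
            return name
    return "unknown"


def check_syscall_table(table, names=SYSCALL_NAMES, symbols=SYSTEM_MAP):
    """table: {syscall number: pointer}. Flags entries that left their symbol."""
    findings = []
    for nr, ptr in sorted(table.items()):
        expected = symbols.get(names.get(nr, ""))
        if expected is None:
            continue                      # no reference symbol: cannot judge
        if ptr != expected:
            findings.append({"nr": nr, "name": names[nr], "expected": expected,
                             "actual": ptr, "where": locate(ptr)})
    return findings


def check_ops(path, ops, allowed=("kernel",)):
    """ops: {member: pointer} of a file_operations / seq_operations struct.
    Flags every non-NULL member whose owner is not in allowed."""
    findings = []
    for member, ptr in ops.items():
        if ptr == 0:
            continue
        where = locate(ptr)
        if where not in allowed:
            findings.append({"path": path, "member": member,
                             "actual": ptr, "where": where})
    return findings


def demo():
    """Constructed state: getdents64, /proc readdir and tcp4 show all redirected
    to a module that is absent from the module list."""
    hook = 0xF9001000
    table = {3: SYSTEM_MAP["sys_read"], 4: SYSTEM_MAP["sys_write"], 220: hook}
    proc_fops = {"readdir": hook, "lookup": SYSTEM_MAP["proc_lookup"], "open": 0}
    tcp4_seq_ops = {"start": SYSTEM_MAP["tcp_seq_start"], "show": hook + 0x200}
    return {"syscalls": check_syscall_table(table),
            "proc": check_ops("/proc", proc_fops),
            "tcp4": check_ops("/proc/net/tcp", tcp4_seq_ops)}


if __name__ == "__main__":
    for view, findings in demo().items():
        for f in findings:
            print(view, f)
```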
Anything else ?
Scan for Registry Artifacts
volatility hivescan -f dumped.vmem
volatility hivelist -f dumped.vmem -o 0x212cb60
Data Carving Using Foremost
foremost -c foremost.conf -t exe -i <PID>.dmp -o output3
[3] Real-world Malware
Mixing many of these concepts: VirTool:WinNT/Exforel.A
TDSS Rootkit
Zeus
Stuxnet / Duqu
Flame
VirTool:WinNT/Exforel.A
Malware that re-implements the entire TCP/IP stack
TDSS Rootkit
Has 4 variants:
TDL-1
TDL-2
TDL-3
TDL-4
Zeus
A trojan specialising in stealing information from financial companies and institutions
Has some rootkit-like features
Stuxnet / Duqu
A worm with 2 versions:
Stuxnet: focuses on destroying Iran's nuclear reactor infrastructure (PLCs)
Duqu: focuses on stealing information
Flame
Also known as sKyWiper
The most talked-about malware recently, far more complex than Duqu. It is a backdoor and a trojan, and also has worm-like features
Comparison
Other cases
Password Keeper
Password Keeper is a small utility useful for storing our frequently used passwords. Password information can be stored, edited and printed with this easy-to-use program.
No mention of protection against memory analysis
Password Keeper
With Volatility we dump the PasswordKeeper process
And run strings on the dump to find our password in it
Conclusion
Volatility is a great tool for memory forensics
Want to learn more?
SANS FOR526: Windows Memory Forensics In-Depth
Windows Memory Forensics Training for Analysts by Volatility Developers
Any Questions ?
Thank you very much!