Upload File

the memory remains

45
How do I know I ’m secure?

Upload: nahidul-kibria

Post on 13-Apr-2017

271 views

Category:

Technology


0 download

Report

TRANSCRIPT

Page 1: The memory remains

How do I know I’m secure?

Page 2: The memory remains

Are my devices Infected?

Page 3: The memory remains

What if!

Page 4: The memory remains
Page 5: The memory remains

Incident Response

Page 6: The memory remains

What if!?!

Page 7: The memory remains

Or…

Page 8: The memory remains

We need to analyze malware

Page 9: The memory remains

Malware become smarterEncrypted Network Communications(c&c) Persistence (Auto Start) Privilege Escalation (run as admin) Data exfiltration Evades modern antivirus

Page 10: The memory remains

Fileless Malware

Page 11: The memory remains

Case Study

Page 12: The memory remains
Page 13: The memory remains
Page 14: The memory remains

We need a sampleContagio Malware Dump: Free; password required Das Malwerk: Free FreeTrojanBotnet: Free; registration required KernelMode.info: Free; registration required MalShare: Free; registration required Malware.lu’s AVCaesar: Free; registration required MalwareBlacklist: Free; registration required Malware DB: Free Malwr: Free; registration required Open Malware: Free theZoo aka Malware DB: Free Virusign: Free VirusShare: Free

http://contagiodump.blogspot.com/
http://dasmalwerk.eu/
http://www.freetrojanbotnet.com/
http://www.kernelmode.info/forum/viewforum.php?f=16
http://malshare.com/
http://avcaesar.malware.lu/
http://www.malwareblacklist.com/showMDL.php
http://ytisf.github.io/theZoo/
https://malwr.com/
http://openmalware.org/
http://ytisf.github.io/theZoo/
http://www.virusign.com/
http://virusshare.com/
Page 15: The memory remains

Let's get infected

Page 16: The memory remains

Win7x86/64

Page 17: The memory remains

Before infected1.Regshot 2.Memory dump

Page 18: The memory remains

After infectionCompare regshot

Page 19: The memory remains
Page 20: The memory remains
Page 21: The memory remains

But....

Page 22: The memory remains

The memory remains.

Page 23: The memory remains

Memory dumpVmware (Fusion/Workstation/Server/Player) — .vmem = raw memory. (.vmss and .vmsn = contain

memory image) (each snapshot will have its own .vmem file) Microsoft Hyper-V — .bin = raw memory image Parallels — .mem = raw memory image VirtualBox — .sav = partial memory image (Memory file only holds memory actively in use, not the

entire amount of memory assigned to the virtual machine.

Page 24: The memory remains

Volatility

Page 25: The memory remains
Page 26: The memory remains
Page 27: The memory remains
Page 28: The memory remains
Page 29: The memory remains
Page 30: The memory remains
Page 31: The memory remains
Page 32: The memory remains

Shellcode loading….

Page 33: The memory remains

But....

Page 34: The memory remains

The memory remains.

Page 35: The memory remains
Page 36: The memory remains
Page 37: The memory remains
Page 38: The memory remains
Page 39: The memory remains
Page 40: The memory remains
Page 41: The memory remains

vol.py -f afterinfected.raw --profile=Win7SP1x86 printkey --key="Software\Microsoft\Windows\CurrentVersion\Run" vol.py -f afterinfected.raw --profile=Win7SP1x86 pslist vol.py -f afterinfected.raw --profile=Win7SP1x86 malfind -p 3312 vol.py -f infected.raw --profile=Win7SP1x86 envars -p 3276 vol.py -f infected.raw --profile=Win7SP1x86 hivedump -o 0x8ced15c0 vol.py -f infected.raw --profile=Win7SP1x86 hivelist

Page 42: The memory remains

Yara

Page 43: The memory remains

dump the memory.

Page 44: The memory remains
Page 45: The memory remains

Writing code for fun and food. Security enthusiastic.

@nahidupaNahidul Kibria

Co-Founder, Beetles


The remains of the feast

Applications of Gait Analysis Data Compression for 3D ... · animation remains indistinguishable by humans from the original anima-tion, resulting in signi cant memory savings, while

DETOXICATION OF PESTICIDE AND OTHER TOXIC … fileDETOXICATION OF PESTICIDE AND OTHER TOXIC SUBSTANCE REMAINS IN SOIL WITH THE HELP OF NANOMATERIALS Dedicated to the blessed memory

Title Location-Unbound Color-Shape Binding Representations in … · 2016. 6. 13. · visual working memory, and the role of those features’ location in their binding, remains unknown

THE EFFECT OF THE SPACING OF BACKGROUND ELEMENTS … · affected by spacing. The ratio of the responses to various displacements within the limits of the memory zones remains the

THE REMAINS OF THE DAY

THE REMAINS OF THE KURSK - ussvicb.orgussvicb.org/misc pictures/THE REMAINS OF THE KURSK.pdfTHE REMAINS OF THE KURSK ... It was named after the Russian city Kursk, around which the

“The power of place—the power of ordinary urban landscapes to nurture citizens’ public memory, to encompass shared time in the form of shared territory—remains

Live MetallicaRIDE THE LIGHTNING CREEPING DEATH SAD BUT TRUE WHEREVER I MAY ROAM THE UNFORGIVEN ATLAS, RISE! THE MEMORY REMAINS MOTH INTO FLAME HIT THE LIGHTS RIDE THE LIGHTNING SAD

Memory Without a Tracebraude/pdfs_pubd/braude... · 2007. 9. 9. · Memory Without A Trace remains well-hidden. Memory trace theory is just one example of this. And I’d argue that

EAP764: Preserving the memory of the colonial past in ... · PDF filecarried out as part of the pilot ... the possible remains of a colonial archive and a forgotten source of local

MEMORY MANAGEMENT Y. Colette Lemard. MEMORY MANAGEMENT The management of memory is one of the functions of the Operating System MEMORY = MAIN MEMORY =

”The Memory Remains” - DiVA portal1127567/... · 2017. 7. 17. · 1 STOCKHOLMS UNIVERSITET Institutionen för Asien-, Mellanöstern- och Turkietstudier ”The Memory Remains”

Fairyland Remains the Same

The memory allocation problem Define the memory allocation problem Memory organization and memory allocation schemes

Memory Read only memory (ROM) – nonvolatile Data remains when power is turned off, data are written into the ROM during its fabrication at the factory

Thomas Mann - MARIO AND THE MAGICIAN · Thomas Mann . MARIO AND THE MAGICIAN . The atmosphere of Torre di Venere remains unpleasant in the memory. From the first moment the air of

Memory Loss: What’s Normal, What’s Not? · remains a clinical judgment of the physician. • Case example: A 68- year-old retired teacher has been becoming increasingly forgetful

The Memory Hierarchy Cache, Main Memory, and Virtual Memory

Remains of the Day

MergedFile - ide.hacettepe.edu.tr · Chapter 8: “The Lottery”: A Modern Primitive Dystopia Originating from Religion 135 Ayşe GÜNEŞ Chapter 9: ‘The Memory Remains’: Dystopian

SST25VF080B · 2019. 10. 12. · HOLD# signal is low, the memory remains in the Hold condition. To resume communication with the device, HOLD# must be driven active high, and CE#

PowerPoint Presentation · Bisp “How people die remains in the memory of those who live on” Dame Cicely Saunders Founder of the Modern Hospice Movement. Title: PowerPoint Presentation

LABELS DESIGNED FOR USE W ITH NEATO BRAND CD INSERTShardwired (hetfield/ulrich) the memory remains (hetfield/ulrich) ride the lightning whiskey in the jar (traditional) the unforgiven

Sepultura Beneath the Remains

Parallel Data Distribution Management on Shared-Memory ...studies [37], taming the complexity of large models remains chal-lenging, due to the potentially huge number of virtual entities

CHRISTCHURCH THAT WAS JUST YOUR LIFE CYANIDE HARVESTER OF SORROW THROUGH THE NEVER ONE THE MEMORY REMAINS THE FOUR HORSEMEN SAD BUT TRUE BASS SOLO TURN THE PAGE THE

Landscapes of Memory: Recording the Archaeological Remains of the Holocaust Caroline Sturdy Colls

RUSSIA‘S INFLUENCE AND PRESENCE IN LATVIA...The Soviet legacy and Russian influence are undeniably still present in Latvia’s society. History and collective memory remains one

History's Remains: Of Memory, Mourning, and the Eventdeathandreligion.plamienok.sk/files/19-ETHICS_ OF... · Jacques Derrida has written much in recent years on the topic of mourning

Cognition: Memory. The Phenomenon of Memory Introduction Memory Extremes of memory

Tissue-resident memory-like ILCs: innate counterparts of ... · haptens and viruses remains a mystery. Another unsolved question is how viral infection in the lung induces the formation

Monuments and Counter-Monument Sights in Post-Conflict … · 2020. 4. 13. · work, monuments may relieve viewers of their memory burden … the memorial operation remains self-contain

The Suspension Gap Remains

Memory CHAPTER 9. Intro to Memory The Mystery of Memory The Mystery of Memory The Mystery of Memory The Mystery of Memory