SlideShare uma empresa Scribd logo

One-Byte Modification for Breaking Memory Forensic Analysis

Takahiro Haruyama
Takahiro Haruyama
Tecnologia
1 de 61
Baixar para ler offline
One-byte Modification for Breaking Memory Forensic Analysis Takahiro Haruyama / Hiroshi Suzuki Internet Initiative Japan Inc. eyes-only
• Memory Forensics Overview – Memory Acquisition – Memory Analysis • Previous Works: Anti Memory Forensics • Proposed Anti Analysis Method • Improvement Plans • Wrap-up Agenda 2
MEMORY FORENSICS OVERVIEW 3
• Analyzing volatile data is important to detect threats quickly – increasing amounts of disk data – anti disk forensic methods used by malwares • Memory forensics became popular over the last few years • 2 steps for memory forensics – memory acquisition and memory analysis 4 What’s Memory Forensics? Target Machine Investigator’s Machine Memory Image File 1. Acquire RAM data as an image file 2. Parse and analyze the image offline
• Offline parsing a memory image doesn’t use system APIs • Memory forensics can get – unallocated data (e.g., terminated process) – data hidden by malware (e.g., hidden process) 5 Why Memory Forensics? Live Response Tool Memory Forensic Analysis Tool Running Process Hidden Process Terminated Process Allocated Unallocated Windows API Parse binary image and extract information from it Get information through system API
• Raw Image Acquisition – HBGary FastDump Pro [1] – Guidance WinEn [2] – MoonSols Windd [3] • Crash Dump Image Acquisition – MoonSols Windd • Memory Image Conversion – MoonSols Windows Memory Toolkit [3] 6 Some Formats / Acquisition Tools Memory Image File CPU Register Included Crash Dump Hibernation Not Included Raw
Difference between Raw Image and Crash Dump • Crash dump file doesn’t include – 1st Page – Pages reserved by devices Run[0] BasePage = 0x1, PageCount = 0x9e Run[1] BasePage = 0x100, PageCount = 0xeff Run[2] BasePage = 0x1000, PageCount = 0xeef0 Run[3] BasePage = 0xff00, PageCount = 0x100 1st Page (BIOS Reserved) Address Space Reserved by Devices (Not Included in crash dump) Physical Memory Address Space (e.g., 256MB RAM) 7
Evaluation of Memory Acquisition Tools • Can raw image acquisition tools get 1st page and device-reserved pages? [4] – WinEn – Win32dd /c 0 • Memory Content (/c) option – Caution: /c 0 option may cause BSOD on x64 machine WinEn FDPro Win32dd /c 0 Win32dd /c 1 Win32dd /c 2 1st Page ✔ ✔ ✔ ✔ Device reserved pages ✔ ✔ 8
Analysis Example: Making Object Creation Timeline 9 • Volatility Framework [5] – timeliner plugin [6] • used kernel objects (process/thread/socket) • event logs SpyEye bot (dead process) TCP connection established by explorer.exe Code injection activity?
Analysis Example: Detecting Code Injection 10 • Detecting code injection – Volatility Framework malfind – EnCase EnScript [7] VadDump – Mandiant Redline [8] (GUI front-end for Memoryze [9]) • The tools check protection flag of Virtual Address Descriptor
Mandiant Redline (Memoryze) HBGary Responder Volatility Framework 2.0 EnCase EnScirpt Supported Windows OS All All XP/Vista/7/ 2003/2008 XP/7/2003/ 2008 Supported Image Format Raw Raw Raw Crash dump Hibernation Raw Crash dump Supported CPU Architecture Intel x86 AMD x64 Intel x86 AMD x64 Intel x86 Intel x86 AMD x64 Extracting dead process/closed connection No No Yes Yes Note Malware Risk Index, MemD5 Digital DNA, code graphing Open source, rich plugins Multilingual search, Entropy Comparison of Memory Analysis Tools 11
PREVIOUS WORKS: ANTI MEMORY FORENSICS 12
• Kernel-mode malwares with anti memory forensic functionality – Anti Memory Acquisition • hide specific data (Shadow Walker) • abort acquisition (Meterpreter script) – Anti Memory Analysis • hide specific data (anti object carving) • abort analysis (proposed method) 13 Attacking Scenario
• ShadowWalker is proposed by Sherri Sparks and Jamie Butler to hide malicious memory regions – Installed page fault handler makes de-synchronized DTLB/ITLB • data access -> random garbage data • execute access -> rootkit code • Memory acquisition tools cannot prevent ShadowWalker from hiding memory pages – But Analysis tools can detect the IDT hooking 14 Anti Acquisition Methods: Shadow Walker [10]
• Proof of concept script – killing specified processes or preventing driver loadings with the aim of memory acquisition failure • Very easy to implement – The evasion is also easy (e.g., random name) – Preventing driver loadings has an impact on the running system 15 Anti Acquisition Methods: Meterpreter Anti Memory Forensics Script [11]
• Object carving is one technique to extract kernel object information – e.g., process object (_EPROCESS) • PTFinder: Type/Size in _DISPATCHER_HEADER • Volatility Framework: PoolTag in _POOL_HEADER • Brendan Dolan-Gavitt et al. warned an attacker could change the values to hide a specified object [12] – Instead, they proposed robust signatures causing BSOD or functionality failures if the values are changed 16 Anti Analysis Method: Anti Object Carving modifying header values of cmd.exe
• Closed-source analysis tools can find the hidden process – How do they find it? • Other than object carving, there are several key operations for analyzing memory image – The operations are robust? • Let’s check it! 17 Anti Analysis Method: Anti Object Carving (Cont.) Memoryze HBGary Responder
PROPOSED ANTI ANALYSIS METHOD 18
• Researched implementations of three major tools – Volatility Framework 2.0 – Mandiant Memoryze 2.0 – HBGary Responder Community Edition 2.0 • Found three operations executed in memory analysis include a few unconsidered assumptions – Proposed method modifies one-byte of data related to the operations • The data is defined as “Abort Factor” – It can’t hide specific objects, but can abort analyses – No impact on the running system • No BSOD, no errors for a few days to 2 weeks 19 Abstract of Proposed Method
• Virtual address translation in kernel space • Guessing OS version and Architecture • Getting kernel objects – traversing linked lists or binary trees – object carving 20 Sensitive Three Operations in Memory Analysis
• Virtual address translation in kernel space • Guessing OS version and Architecture • Getting kernel objects – traversing linked lists or binary trees – object carving 21 Sensitive Three Operations in Memory Analysis
• OS switches its context by loading Directory Table Base (DTB) of each process – DTB is stored in each process object (_EPROCESS) • Initially, analysis tools must get DTB value for kernel space • Two processes have the kernel DTB – PsInitialSystemProcess (System process) – PsIdleProcess (Idle process) 22 Virtual Address Translation in Kernel Space OS loads Directory Table Base (Start physical address for address translation) into Control Register (CR3) x86 Address Translation - How PAE X86 Works http://technet.microsoft.com/en-us/library/cc736309(WS.10).aspx
23 Virtual Address Translation in Kernel Space: Process Object Structure _POOL_HEADER _OBJECT_HEADER _EPROCESS _KPROCESS _DISPATCHER_HEADER PoolTag: “Pro” Type and Size DTB ImageFileName: “System” or “Idle” Flags
• Search _DISPATCHER_HEADER to get _EPROCESS • Check whether the ImageFileName is “Idle” – If the process is Idle, get DTB value in _KPROCESS 24 Virtual Address Translation in Kernel Space: Volatility Framework _DISPATCHER_HEADER (e.g., “x03x00x1bx00”) ImageFileName
• Search “System” to find ImageFileName in _EPROCESS of PsInitialSystemProcess • Validate by using _DISPATCHER_HEADER in the _KPROCESS • All _DISPATCHER_HEADER patterns are checked 25 Virtual Address Translation in Kernel Space: Mandiant Memoryze _DISPATCHER_HEADERs of all OS versions ImageFileName
• Validate by using Flags in _OBJECT_HEADER and PoolTag in _POOL_HEADER – Check the distance between PoolTag and _EPROCESS • e.g., 32bit OS: 0x1C or 0x2C • If all data is valid, get the DTB value 26 Virtual Address Translation in Kernel Space: Mandiant Memoryze (Cont.) PsInitialSystemProcess Flags in _OBJECT_HEADER PoolTag in _POOL_HEADER
• Search _DISPATCHER_HEADERs to get _EPROCESS • Get DTB value from the result and validate it at VirtualMemory::Discover 27 Virtual Address Translation in Kernel Space: HBGary Responder registering _DISPATCHER_HEADERs of all OS versions
• Responder seems to be equipped with the algorithm guessing kernel DTB – If DTBs of PsInitialSystemProcess and PsIdleProcess are not found, a guessed DTB value is used 28 Virtual Address Translation in Kernel Space: HBGary Responder (Cont.) If the arguments for DTB value is 0, the kernel DTB is calculated inside VirtualMemory::Discover function
29 Virtual Address Translation in Kernel Space: Related Data Tool Related Data Abort Factor Remarks Volatility Framework _DISPATCHER_HEADER X PsIdleProcess ImageFileName in _EPROCESS X Mandiant Memoryze _DISPATCHER_HEADER X PsInitialSystemPr ocessPoolTag in _POOL_HEADER X Flags in _OBJECT_HEADER X ImageFileName in _EPROCESS X HBGary Responder _DISPATCHER_HEADER original guessing algorithm
• Virtual address translation in kernel space • Guessing OS version and Architecture • Getting Kernel Objects – traversing linked lists or binary trees – object carving 30 Sensitive Three Operations in Memory Analysis
• Size and definition of kernel data structures differ according to – OS version (e.g., XP SP2/SP3, 7 SP0/SP1) – architecture (x86 and x64) • All analysis tools guess the version using debug structures 31 Guessing OS version and Architecture OS version _EPROCESS size (bytes) Windows XP SP3 32bit 0x260 Windows 7 SP0 32bit 0x2C0 Windows 7 SP0 64bit 0x4D0 Windows Vista SP2 32bit 0x270 Windows Vista SP2 64bit 0x3E8
32 Guessing OS version and Architecture: Debug Structures and Key Values _KPCR _DBGKD_GET_VERSION64 _KDDEBUGGER_DATA64 KdVersionBlock DebuggerDataList Header CmNtCSDVersion _DBGKD_DEBUG_DATA_ HEADER64 OwnerTag: “KDBG” Size KernBase KernBase PrcbData PsActiveProcessHead PsLoadedModuleList _KPRCB CurrentThread
• Users must specify OS version and Architecture – e.g., --profile=WinXPSP2x86 • If the version is unknown, imageinfo command can guess it – scan _DBGKD_DEBUG_DATA_HEADER64 [13] 33 Guessing OS version and Architecture: Volatility Framework OwnerTag: “KDBG” Size
• Supposedly determine OS and architecture based on _DISPATCHER_HEADER • Validate them by using an offset value of ImageFileName in _EPROCESS 34 Guessing OS version and Architecture: Mandiant Memoryze _DISPATCHER_HEADER offset value of ImageFileName
• Try to translate a virtual address of ThreadListHead in _KPROCESS – If possible, the OS version and architecture are correct • Get SP version from CmNtCSDVersion in _KDDEBUGGER_DATA64 35 Guessing OS version and Architecture: Mandiant Memoryze (Cont.)
• Get KernBase value – _DBGKD_GET_VERSION64 or _KDDEBUGGER_DATA64 • Validate the PE header signatures – DOS header and NT header 36 Guessing OS version and Architecture: HBGary Responder Get KernBase by calling Kernel::FindNtoskrnlBase function PE header signatures (DOS header/NT header) PE header signatures (DOS header/NT header)
• Get OS version – OperatingSystemVersions in Optional Header • e.g., Windows7: MajorOperatingSystemVersion=6 and MinorOperatingSystemVersion=1 • Get more specific version – TimeDataStamp in File header 37 Guessing OS version and Architecture: HBGary Responder (Cont.) Check OperatingSystemVersion Check TimeDataStamp
38 Guessing OS version and Architecture: Related Data Tool Related Data Abort Factor Remarks Volatility Framework _DBGKD_DEBUG_DATA_HEADE R64 X Mandiant Memoryze _DISPATCHER_HEADER X PsInitialSystemPr ocessoffset value of ImageFileName X ThreadListHead in _KPROCESS CmNtCSDVersion in _KDDEBUGGER_DATA64 HBGary Responder KernBase in _DBGKD_GET_VERSION64 or _KDDEBUGGER_DATA64 PE Header of Windows kernel PE header signatures “MZ”/”PE” OperatingSystemVersion in Optional Header X TimeDataStamp in File Header
• Virtual address translation in kernel space • Guessing OS version and Architecture • Getting Kernel Objects – traversing linked lists or binary trees – object carving 39 Sensitive Three Operations in Memory Analysis
• Traversing linked lists or binary trees – Generally, use special lead/root addresses • PsActiveProcessHead for process list • PsLoadedModuleList for kernel module list • VadRoot for Virtual Address Descriptor tree • Object carving – Generally, use fixed values in headers • _POOL_HEADER • _DISPATCHER_HEADER • My research focused on getting _EPROCESS 40 Getting Kernel Objects
• Process list is two-way link – Each _EPROCESS includes ActiveProcessLinks • _LIST_ENTRY (Flink and Blink) – PsActiveProcessHead and PsInitialSystemProcess are bound up together 41 Getting Kernel Objects: Process Linked List PsActiveProcessHead _EPROCESS “System” _EPROCESS “smss.exe” _EPROCESS “win32dd.exe” FLINK BLINK FLINK BLINK FLINK BLINK FLINK BLINK ... ... ...
• Traversing linked lists or binary trees – Search _DBGKD_DEBUG_DATA_HEADER64 – get PsActiveProcessHead in _KDDEBUGGER_DATA64 • Object carving – use PoolTag in _POOL_HEADER 42 Getting Kernel Objects: Volatility Framework Executing KDBGScanner Getting _DBGKD_DEBUG_DATA_HEADER64 (= _KDDEBUGGER_DATA64) address
• Object carving – find _EPROCESS using address values – similar to robust signatures proposed by Brendan Dolan-Gavitt et al. [12] 43 Getting Kernel Objects: Mandiant Memoryze Is DTB 0x20 bytes aligned? (ActiveProcessLinks.Flink & 0x80000000) == 0x80000000 ? (Peb & 0x7ffd0000) == 0x7ffd0000 ?
• Traversing linked lists or binary trees – get CurrentThread in _KPRCB – get _EPROCESS from the thread • e.g., ApcState.Process in _KTHREAD (XP) – start to traverse process list from the _EPROCESS 44 Getting Kernel Objects: HBGary Responder Be careful not to get data with PsActiveProcessHead as _EPROCESS
45 Getting Kernel Objects: Related Data Tool Related Data Abort Factor Remarks Volatility Framework _DBGKD_DEBUG_DATA_HEADER 64 X PsActiveProcessHead in _KDDEBUGGER_DATA64 X PoolTag in _POOL_HEADER Mandiant Memoryze address values in _EPROCESS (DTB, Peb, etc.) HBGary Responder CurrentThread in _KPRCB PsInitialSyste mProcess _EPROCESS pointer in _KTHREAD ImageFileName in _EPROCESS X
46 Abort Factors Tool Virtual Address Translation in Kernel Space Guessing OS version and Architecture Getting Kernel Objects Volatility Framework 2 factors: _DISPATCHER_ HEADER and ImageFileName (PsIdleProcess) 1 factor: _DBGKD_DEBUG_ DATA_HEADER64 2 factors: _DBGKD_DEBUG_ DATA_HEADER64 and PsActiveProcessHead Mandiant Memoryze 4 factors: _DISPATCHER_ HEADER, PoolTag, Flags and ImageFileName (PsInitialSystem Process) 2 factors: _DISPATCHER_ HEADER and offset value of ImageFileName (PsInitialSystem Process) None HBGary Responder None 1 factor: OperatingSystem Version of kernel header 1 factor: ImageFileName (PsInitialSystem Process)
• Load a kernel driver into x86 XP VM – The driver modifies 1 byte of the following data • Size in _DISPATCHER_HEADER of PsIdleProcess • PoolTag in _POOL_HEADER of PsInitialSystemProcess • MajorOperatingSystemVersion in PE header of Windows kernel • Check the modification using WinDbg • Acquire the memory image using LiveCloudKd [14] • Analyze it using three tools 47 Demo using PoC Driver (Video)
48 Analysis Results of Normal Memory Images How about the demo image?
IMPROVEMENT PLANS 49
• Guessing based on address values • Minimum guessing • Separating implementations to get kernel objects 50 Improvement Plans
• The modification of address values often causes BSOD or function failures – _EPROCESS object carving by Memoryze – _KPCR object carving by Volatility Framework [15] 51 Guessing Based on Address Values _KPCR address == SelfPcr and _KPRCB address == Prcb
• Support crash dump format – Register values cannot be modified 52 Minimum guessing (1) Data in crash dump header Extracted from (Win32dd implementation) Abort Factor DTB CR3 register OS version nt!NtBuildNumber X PAE enabled CR4 register PsActiveProcessHead _KDDEBUGGER_DATA64 X PsLoadedModuleList _KDDEBUGGER_DATA64 X
• Support argument passing options about DTB and OS version – Volatility Framework supports them • specify OS version by using “--profile” option • specify DTB value by using “--dtb” option 53 Minimum guessing (2)
• If DTB value cannot be acquired, display the result minimally-extracted by object carving 54 Separating implementations to get kernel objects Psscan doesn’t use kernel DTB (object carving only) Pslist requires kernel DTB to traverse linked list
WRAP-UP 55
• Proposed anti analysis method can abort memory analysis tools by modifying only one-byte – The method is effective for memory images of all OS versions and architectures – About the impact on the running system, long term evaluations may be needed • I hope – Developers improve the implementations – Users figure out internals of memory analysis and deal with analysis errors 56 Wrap-up
57 Questions? (twitter: @cci_forensics) Please complete the Speaker Feedback Surveys!
58
59
60
[1] HBGary FastDump Pro <http://www.hbgary.com/fastdump-pro> [2] EnCase WinEn (build-in tool of EnCase) <http://www.guidancesoftware.com/> [3] MoonSols Windows Memory Toolkit <http://www.moonsols.com/windows-memory-toolkit/> [4] Reserved Address Space in Windows Physical Memory <http://cci.cocolog- nifty.com/blog/2011/02/device-reserved.html> [5] Volatility Framework <https://www.volatilesystems.com/default/volatility> [6] timeliner plugin <http://gleeda.blogspot.com/2011/09/volatility-20-timeliner- registryapi.html> [7] Update: Memory Forensic EnScript <http://cci.cocolog-nifty.com/blog/2011/03/memory- forensic.html> [8] Mandiant Redline <http://www.mandiant.com/products/free_software/redline/> [9] Mandiant Memoryze <http://www.mandiant.com/products/free_software/memoryze/> [10] "SHADOW WALKER" Raising The Bar For Rootkit <http://www.blackhat.com/presentations/bh-jp-05/bh-jp-05-sparks-butler.pdf> [11] Meterpreter Anti Memory Forensics (Memoryze) Script <http://t0x1cs.blogspot.com/2012/02/meterpreter-anti-memory-forensics.html> [12] Robust Signatures for Kernel Data Structures <http://www.cc.gatech.edu/~brendan/ccs09_siggen.pdf> [13] Identifying Memory Images <http://gleeda.blogspot.com/2010/12/identifying-memory- images.html> [14] YOUR CLOUD IS IN MY POCKET <https://media.blackhat.com/bh-dc- 11/Suiche/BlackHat_DC_2011_Suiche_Cloud_Pocket-wp.pdf> [15] Finding Object Roots in Vista (KPCR) <http://blog.schatzforensic.com.au/2010/07/finding- object-roots-in-vista-kpcr/> 61 References

Recomendados

Malicious File for Exploiting Forensic Software
Malicious File for Exploiting Forensic SoftwareMalicious File for Exploiting Forensic Software
Malicious File for Exploiting Forensic Software
Takahiro Haruyama
 
Fast and Generic Malware Triage Using openioc_scan Volatility Plugin
Fast and Generic Malware Triage Using openioc_scan Volatility PluginFast and Generic Malware Triage Using openioc_scan Volatility Plugin
Fast and Generic Malware Triage Using openioc_scan Volatility Plugin
Takahiro Haruyama
 
Volatile IOCs for Fast Incident Response
Volatile IOCs for Fast Incident ResponseVolatile IOCs for Fast Incident Response
Volatile IOCs for Fast Incident Response
Takahiro Haruyama
 
Winnti Polymorphism
Winnti PolymorphismWinnti Polymorphism
Winnti Polymorphism
Takahiro Haruyama
 
I Know You Want Me - Unplugging PlugX
I Know You Want Me - Unplugging PlugXI Know You Want Me - Unplugging PlugX
I Know You Want Me - Unplugging PlugX
Takahiro Haruyama
 
openioc_scan - IOC scanner for memory forensics
openioc_scan - IOC scanner for memory forensicsopenioc_scan - IOC scanner for memory forensics
openioc_scan - IOC scanner for memory forensics
Takahiro Haruyama
 
Captain Hook: Pirating AVs to Bypass Exploit Mitigations
Captain Hook: Pirating AVs to Bypass Exploit MitigationsCaptain Hook: Pirating AVs to Bypass Exploit Mitigations
Captain Hook: Pirating AVs to Bypass Exploit Mitigations
enSilo
 
REMnux tutorial-2: Extraction and decoding of Artifacts
REMnux tutorial-2: Extraction and decoding of ArtifactsREMnux tutorial-2: Extraction and decoding of Artifacts
REMnux tutorial-2: Extraction and decoding of Artifacts
Rhydham Joshi
 

Recomendados

Malicious File for Exploiting Forensic Software
Malicious File for Exploiting Forensic SoftwareMalicious File for Exploiting Forensic Software
Malicious File for Exploiting Forensic Software
Takahiro Haruyama
 
Fast and Generic Malware Triage Using openioc_scan Volatility Plugin
Fast and Generic Malware Triage Using openioc_scan Volatility PluginFast and Generic Malware Triage Using openioc_scan Volatility Plugin
Fast and Generic Malware Triage Using openioc_scan Volatility Plugin
Takahiro Haruyama
 
Volatile IOCs for Fast Incident Response
Volatile IOCs for Fast Incident ResponseVolatile IOCs for Fast Incident Response
Volatile IOCs for Fast Incident Response
Takahiro Haruyama
 
Winnti Polymorphism
Winnti PolymorphismWinnti Polymorphism
Winnti Polymorphism
Takahiro Haruyama
 
I Know You Want Me - Unplugging PlugX
I Know You Want Me - Unplugging PlugXI Know You Want Me - Unplugging PlugX
I Know You Want Me - Unplugging PlugX
Takahiro Haruyama
 
openioc_scan - IOC scanner for memory forensics
openioc_scan - IOC scanner for memory forensicsopenioc_scan - IOC scanner for memory forensics
openioc_scan - IOC scanner for memory forensics
Takahiro Haruyama
 
Captain Hook: Pirating AVs to Bypass Exploit Mitigations
Captain Hook: Pirating AVs to Bypass Exploit MitigationsCaptain Hook: Pirating AVs to Bypass Exploit Mitigations
Captain Hook: Pirating AVs to Bypass Exploit Mitigations
enSilo
 
REMnux tutorial-2: Extraction and decoding of Artifacts
REMnux tutorial-2: Extraction and decoding of ArtifactsREMnux tutorial-2: Extraction and decoding of Artifacts
REMnux tutorial-2: Extraction and decoding of Artifacts
Rhydham Joshi
 
Malware Analysis and Defeating using Virtual Machines
Malware Analysis and Defeating using Virtual MachinesMalware Analysis and Defeating using Virtual Machines
Malware Analysis and Defeating using Virtual Machines
intertelinvestigations
 
Two-For-One Talk: Malware Analysis for Everyone
Two-For-One Talk: Malware Analysis for EveryoneTwo-For-One Talk: Malware Analysis for Everyone
Two-For-One Talk: Malware Analysis for Everyone
Paul Melson
 
Remnux tutorial-1 Statically Analyse Portable Executable(PE) Files
Remnux tutorial-1 Statically Analyse Portable Executable(PE) FilesRemnux tutorial-1 Statically Analyse Portable Executable(PE) Files
Remnux tutorial-1 Statically Analyse Portable Executable(PE) Files
Rhydham Joshi
 
REMnux Tutorial-3: Investigation of Malicious PDF & Doc documents
REMnux Tutorial-3: Investigation of Malicious PDF & Doc documentsREMnux Tutorial-3: Investigation of Malicious PDF & Doc documents
REMnux Tutorial-3: Investigation of Malicious PDF & Doc documents
Rhydham Joshi
 
Fuzzing the Media Framework in Android
Fuzzing the Media Framework in AndroidFuzzing the Media Framework in Android
Fuzzing the Media Framework in Android
E Hacking
 
Injection on Steroids: Codeless code injection and 0-day techniques
Injection on Steroids: Codeless code injection and 0-day techniquesInjection on Steroids: Codeless code injection and 0-day techniques
Injection on Steroids: Codeless code injection and 0-day techniques
enSilo
 
CNIT 126: 10: Kernel Debugging with WinDbg
CNIT 126: 10: Kernel Debugging with WinDbgCNIT 126: 10: Kernel Debugging with WinDbg
CNIT 126: 10: Kernel Debugging with WinDbg
Sam Bowne
 
Metasploit & Windows Kernel Exploitation
Metasploit & Windows Kernel ExploitationMetasploit & Windows Kernel Exploitation
Metasploit & Windows Kernel Exploitation
zeroSteiner
 
Anomalies Detection: Windows OS - Part 1
Anomalies Detection: Windows OS - Part 1Anomalies Detection: Windows OS - Part 1
Anomalies Detection: Windows OS - Part 1
Rhydham Joshi
 
Practical Malware Analysis Ch12
Practical Malware Analysis Ch12Practical Malware Analysis Ch12
Practical Malware Analysis Ch12
Sam Bowne
 
Process injection - Malware style
Process injection - Malware styleProcess injection - Malware style
Process injection - Malware style
Sander Demeester
 
CNIT 126: 10: Kernel Debugging with WinDbg
CNIT 126: 10: Kernel Debugging with WinDbgCNIT 126: 10: Kernel Debugging with WinDbg
CNIT 126: 10: Kernel Debugging with WinDbg
Sam Bowne
 
Investigating Hackers' Tools
Investigating Hackers' ToolsInvestigating Hackers' Tools
Investigating Hackers' Tools
Israel Umana
 
Practical Malware Analysis: Ch 0: Malware Analysis Primer & 1: Basic Static T...
Practical Malware Analysis: Ch 0: Malware Analysis Primer & 1: Basic Static T...Practical Malware Analysis: Ch 0: Malware Analysis Primer & 1: Basic Static T...
Practical Malware Analysis: Ch 0: Malware Analysis Primer & 1: Basic Static T...
Sam Bowne
 
CNIT 126 Ch 0: Malware Analysis Primer & 1: Basic Static Techniques
CNIT 126 Ch 0: Malware Analysis Primer & 1: Basic Static TechniquesCNIT 126 Ch 0: Malware Analysis Primer & 1: Basic Static Techniques
CNIT 126 Ch 0: Malware Analysis Primer & 1: Basic Static Techniques
Sam Bowne
 
Forensic Memory Analysis of Android's Dalvik Virtual Machine
Forensic Memory Analysis of Android's Dalvik Virtual MachineForensic Memory Analysis of Android's Dalvik Virtual Machine
Forensic Memory Analysis of Android's Dalvik Virtual Machine
Source Conference
 
Memory Analysis of the Dalvik (Android) Virtual Machine
Memory Analysis of the Dalvik (Android) Virtual MachineMemory Analysis of the Dalvik (Android) Virtual Machine
Memory Analysis of the Dalvik (Android) Virtual Machine
Andrew Case
 
IDA Vulnerabilities and Bug Bounty  by Masaaki Chida
IDA Vulnerabilities and Bug Bounty  by Masaaki ChidaIDA Vulnerabilities and Bug Bounty  by Masaaki Chida
IDA Vulnerabilities and Bug Bounty  by Masaaki Chida
CODE BLUE
 
Practical Malware Analysis: Ch 7: Analyzing Malicious Windows Programs
Practical Malware Analysis: Ch 7: Analyzing Malicious Windows Programs Practical Malware Analysis: Ch 7: Analyzing Malicious Windows Programs
Practical Malware Analysis: Ch 7: Analyzing Malicious Windows Programs
Sam Bowne
 
Practical Malware Analysis Ch13
Practical Malware Analysis Ch13Practical Malware Analysis Ch13
Practical Malware Analysis Ch13
Sam Bowne
 
Windows Memory Forensic Analysis using EnCase
Windows Memory Forensic Analysis using EnCaseWindows Memory Forensic Analysis using EnCase
Windows Memory Forensic Analysis using EnCase
Takahiro Haruyama
 
Memory Forensics
Memory ForensicsMemory Forensics
Memory Forensics
Prince Boonlia
 

Mais conteúdo relacionado

Mais procurados

Mais procurados (20)

Malware Analysis and Defeating using Virtual Machines
Malware Analysis and Defeating using Virtual MachinesMalware Analysis and Defeating using Virtual Machines
Malware Analysis and Defeating using Virtual Machines
 
Two-For-One Talk: Malware Analysis for Everyone
Two-For-One Talk: Malware Analysis for EveryoneTwo-For-One Talk: Malware Analysis for Everyone
Two-For-One Talk: Malware Analysis for Everyone
 
Remnux tutorial-1 Statically Analyse Portable Executable(PE) Files
Remnux tutorial-1 Statically Analyse Portable Executable(PE) FilesRemnux tutorial-1 Statically Analyse Portable Executable(PE) Files
Remnux tutorial-1 Statically Analyse Portable Executable(PE) Files
 
REMnux Tutorial-3: Investigation of Malicious PDF & Doc documents
REMnux Tutorial-3: Investigation of Malicious PDF & Doc documentsREMnux Tutorial-3: Investigation of Malicious PDF & Doc documents
REMnux Tutorial-3: Investigation of Malicious PDF & Doc documents
 
Fuzzing the Media Framework in Android
Fuzzing the Media Framework in AndroidFuzzing the Media Framework in Android
Fuzzing the Media Framework in Android
 
Injection on Steroids: Codeless code injection and 0-day techniques
Injection on Steroids: Codeless code injection and 0-day techniquesInjection on Steroids: Codeless code injection and 0-day techniques
Injection on Steroids: Codeless code injection and 0-day techniques
 
CNIT 126: 10: Kernel Debugging with WinDbg
CNIT 126: 10: Kernel Debugging with WinDbgCNIT 126: 10: Kernel Debugging with WinDbg
CNIT 126: 10: Kernel Debugging with WinDbg
 
Metasploit & Windows Kernel Exploitation
Metasploit & Windows Kernel ExploitationMetasploit & Windows Kernel Exploitation
Metasploit & Windows Kernel Exploitation
 
Anomalies Detection: Windows OS - Part 1
Anomalies Detection: Windows OS - Part 1Anomalies Detection: Windows OS - Part 1
Anomalies Detection: Windows OS - Part 1
 
Practical Malware Analysis Ch12
Practical Malware Analysis Ch12Practical Malware Analysis Ch12
Practical Malware Analysis Ch12
 
Process injection - Malware style
Process injection - Malware styleProcess injection - Malware style
Process injection - Malware style
 
CNIT 126: 10: Kernel Debugging with WinDbg
CNIT 126: 10: Kernel Debugging with WinDbgCNIT 126: 10: Kernel Debugging with WinDbg
CNIT 126: 10: Kernel Debugging with WinDbg
 
Investigating Hackers' Tools
Investigating Hackers' ToolsInvestigating Hackers' Tools
Investigating Hackers' Tools
 
Practical Malware Analysis: Ch 0: Malware Analysis Primer & 1: Basic Static T...
Practical Malware Analysis: Ch 0: Malware Analysis Primer & 1: Basic Static T...Practical Malware Analysis: Ch 0: Malware Analysis Primer & 1: Basic Static T...
Practical Malware Analysis: Ch 0: Malware Analysis Primer & 1: Basic Static T...
 
CNIT 126 Ch 0: Malware Analysis Primer & 1: Basic Static Techniques
CNIT 126 Ch 0: Malware Analysis Primer & 1: Basic Static TechniquesCNIT 126 Ch 0: Malware Analysis Primer & 1: Basic Static Techniques
CNIT 126 Ch 0: Malware Analysis Primer & 1: Basic Static Techniques
 
Forensic Memory Analysis of Android's Dalvik Virtual Machine
Forensic Memory Analysis of Android's Dalvik Virtual MachineForensic Memory Analysis of Android's Dalvik Virtual Machine
Forensic Memory Analysis of Android's Dalvik Virtual Machine
 
Memory Analysis of the Dalvik (Android) Virtual Machine
Memory Analysis of the Dalvik (Android) Virtual MachineMemory Analysis of the Dalvik (Android) Virtual Machine
Memory Analysis of the Dalvik (Android) Virtual Machine
 
IDA Vulnerabilities and Bug Bounty  by Masaaki Chida
IDA Vulnerabilities and Bug Bounty  by Masaaki ChidaIDA Vulnerabilities and Bug Bounty  by Masaaki Chida
IDA Vulnerabilities and Bug Bounty  by Masaaki Chida
 
Practical Malware Analysis: Ch 7: Analyzing Malicious Windows Programs
Practical Malware Analysis: Ch 7: Analyzing Malicious Windows Programs Practical Malware Analysis: Ch 7: Analyzing Malicious Windows Programs
Practical Malware Analysis: Ch 7: Analyzing Malicious Windows Programs
 
Practical Malware Analysis Ch13
Practical Malware Analysis Ch13Practical Malware Analysis Ch13
Practical Malware Analysis Ch13
 

Destaque

Windows Memory Forensic Analysis using EnCase
Windows Memory Forensic Analysis using EnCaseWindows Memory Forensic Analysis using EnCase
Windows Memory Forensic Analysis using EnCase
Takahiro Haruyama
 
SBC 2012 - Malware Memory Forensics (Nguyễn Chấn Việt)
SBC 2012 - Malware Memory Forensics (Nguyễn Chấn Việt)SBC 2012 - Malware Memory Forensics (Nguyễn Chấn Việt)
SBC 2012 - Malware Memory Forensics (Nguyễn Chấn Việt)
Security Bootcamp
 

Destaque (19)

Windows Memory Forensic Analysis using EnCase
Windows Memory Forensic Analysis using EnCaseWindows Memory Forensic Analysis using EnCase
Windows Memory Forensic Analysis using EnCase
 
Memory Forensics
Memory ForensicsMemory Forensics
Memory Forensics
 
nullcon 2010 - Steganography & Stegananalysis: A Technical & Psychological Pe...
nullcon 2010 - Steganography & Stegananalysis: A Technical & Psychological Pe...nullcon 2010 - Steganography & Stegananalysis: A Technical & Psychological Pe...
nullcon 2010 - Steganography & Stegananalysis: A Technical & Psychological Pe...
 
SBC 2012 - Malware Memory Forensics (Nguyễn Chấn Việt)
SBC 2012 - Malware Memory Forensics (Nguyễn Chấn Việt)SBC 2012 - Malware Memory Forensics (Nguyễn Chấn Việt)
SBC 2012 - Malware Memory Forensics (Nguyễn Chấn Việt)
 
Next Generation Memory Forensics
Next Generation Memory ForensicsNext Generation Memory Forensics
Next Generation Memory Forensics
 
Windows forensic
Windows forensicWindows forensic
Windows forensic
 
Windows Forensics
Windows ForensicsWindows Forensics
Windows Forensics
 
Advanced Malware Analysis Training Session 7 - Malware Memory Forensics
Advanced Malware Analysis Training Session 7 - Malware Memory ForensicsAdvanced Malware Analysis Training Session 7 - Malware Memory Forensics
Advanced Malware Analysis Training Session 7 - Malware Memory Forensics
 
Advanced Malware Analysis Training Session 4 - Anti-Analysis Techniques
Advanced Malware Analysis Training Session 4 - Anti-Analysis TechniquesAdvanced Malware Analysis Training Session 4 - Anti-Analysis Techniques
Advanced Malware Analysis Training Session 4 - Anti-Analysis Techniques
 
Advanced Malware Analysis Training Session 2 - Botnet Analysis Part 1
Advanced Malware Analysis Training Session 2 - Botnet Analysis Part 1 Advanced Malware Analysis Training Session 2 - Botnet Analysis Part 1
Advanced Malware Analysis Training Session 2 - Botnet Analysis Part 1
 
Advanced Malware Analysis Training Session 1 - Detection and Removal of Malwares
Advanced Malware Analysis Training Session 1 - Detection and Removal of MalwaresAdvanced Malware Analysis Training Session 1 - Detection and Removal of Malwares
Advanced Malware Analysis Training Session 1 - Detection and Removal of Malwares
 
Advanced Malware Analysis Training Session 3 - Botnet Analysis Part 2
Advanced Malware Analysis Training Session 3 - Botnet Analysis Part 2Advanced Malware Analysis Training Session 3 - Botnet Analysis Part 2
Advanced Malware Analysis Training Session 3 - Botnet Analysis Part 2
 
HITCON GIRLS: Android 滲透測試介紹 (Elven Liu)
HITCON GIRLS: Android 滲透測試介紹 (Elven Liu)HITCON GIRLS: Android 滲透測試介紹 (Elven Liu)
HITCON GIRLS: Android 滲透測試介紹 (Elven Liu)
 
HITCON CTF 2016導覽
HITCON CTF 2016導覽HITCON CTF 2016導覽
HITCON CTF 2016導覽
 
HITCON GIRLS Malware Analysis
HITCON GIRLS Malware AnalysisHITCON GIRLS Malware Analysis
HITCON GIRLS Malware Analysis
 
CTF 經驗分享
CTF 經驗分享CTF 經驗分享
CTF 經驗分享
 
HITCON GIRLS 成大講座 惡意程式分析(Turkey)
HITCON GIRLS 成大講座 惡意程式分析(Turkey)HITCON GIRLS 成大講座 惡意程式分析(Turkey)
HITCON GIRLS 成大講座 惡意程式分析(Turkey)
 
HITCON GIRLS 成大講座 基礎知識(蜘子珣)
HITCON GIRLS 成大講座 基礎知識(蜘子珣)HITCON GIRLS 成大講座 基礎知識(蜘子珣)
HITCON GIRLS 成大講座 基礎知識(蜘子珣)
 
Forensic Analysis - Empower Tech Days 2013
Forensic Analysis - Empower Tech Days 2013Forensic Analysis - Empower Tech Days 2013
Forensic Analysis - Empower Tech Days 2013
 

Semelhante a One-Byte Modification for Breaking Memory Forensic Analysis

You suck at Memory Analysis
You suck at Memory AnalysisYou suck at Memory Analysis
You suck at Memory Analysis
Francisco Ribeiro
 
Detect Kernel-Mode Rootkits via Real Time Logging & Controlling Memory Access
Detect Kernel-Mode Rootkits via Real Time Logging & Controlling Memory AccessDetect Kernel-Mode Rootkits via Real Time Logging & Controlling Memory Access
Detect Kernel-Mode Rootkits via Real Time Logging & Controlling Memory Access
Igor Korkin
 
Hunting and Exploiting Bugs in Kernel Drivers - DefCamp 2012
Hunting and Exploiting Bugs in Kernel Drivers - DefCamp 2012Hunting and Exploiting Bugs in Kernel Drivers - DefCamp 2012
Hunting and Exploiting Bugs in Kernel Drivers - DefCamp 2012
DefCamp
 

Semelhante a One-Byte Modification for Breaking Memory Forensic Analysis (20)

Workshop - Linux Memory Analysis with Volatility
Workshop - Linux Memory Analysis with VolatilityWorkshop - Linux Memory Analysis with Volatility
Workshop - Linux Memory Analysis with Volatility
 
Patching Windows Executables with the Backdoor Factory | DerbyCon 2013
Patching Windows Executables with the Backdoor Factory | DerbyCon 2013Patching Windows Executables with the Backdoor Factory | DerbyCon 2013
Patching Windows Executables with the Backdoor Factory | DerbyCon 2013
 
Hybis: Advanced Introspection for Effective Windows Guest Protection
Hybis: Advanced Introspection for Effective Windows Guest ProtectionHybis: Advanced Introspection for Effective Windows Guest Protection
Hybis: Advanced Introspection for Effective Windows Guest Protection
 
Linux Memory Analysis with Volatility
Linux Memory Analysis with VolatilityLinux Memory Analysis with Volatility
Linux Memory Analysis with Volatility
 
You suck at Memory Analysis
You suck at Memory AnalysisYou suck at Memory Analysis
You suck at Memory Analysis
 
Mac Memory Analysis with Volatility
Mac Memory Analysis with VolatilityMac Memory Analysis with Volatility
Mac Memory Analysis with Volatility
 
Ganesh naik linux_kernel_internals
Ganesh naik linux_kernel_internalsGanesh naik linux_kernel_internals
Ganesh naik linux_kernel_internals
 
Ganesh naik linux_kernel_internals
Ganesh naik linux_kernel_internalsGanesh naik linux_kernel_internals
Ganesh naik linux_kernel_internals
 
Linux Char Device Driver
Linux Char Device DriverLinux Char Device Driver
Linux Char Device Driver
 
Detect Kernel-Mode Rootkits via Real Time Logging & Controlling Memory Access
Detect Kernel-Mode Rootkits via Real Time Logging & Controlling Memory AccessDetect Kernel-Mode Rootkits via Real Time Logging & Controlling Memory Access
Detect Kernel-Mode Rootkits via Real Time Logging & Controlling Memory Access
 
Practical Malware Analysis: Ch 10: Kernel Debugging with WinDbg
Practical Malware Analysis: Ch 10: Kernel Debugging with WinDbgPractical Malware Analysis: Ch 10: Kernel Debugging with WinDbg
Practical Malware Analysis: Ch 10: Kernel Debugging with WinDbg
 
Live Memory Forensics on Android devices
Live Memory Forensics on Android devicesLive Memory Forensics on Android devices
Live Memory Forensics on Android devices
 
Linux introduction
Linux introductionLinux introduction
Linux introduction
 
Mapping Detection Coverage
Mapping Detection CoverageMapping Detection Coverage
Mapping Detection Coverage
 
Lec 10-linux-review
Lec 10-linux-reviewLec 10-linux-review
Lec 10-linux-review
 
Windows internals
Windows internalsWindows internals
Windows internals
 
A Taste of Monitoring and Post Mortem Debugging with Node
A Taste of Monitoring and Post Mortem Debugging with Node A Taste of Monitoring and Post Mortem Debugging with Node
A Taste of Monitoring and Post Mortem Debugging with Node
 
Hunting and Exploiting Bugs in Kernel Drivers - DefCamp 2012
Hunting and Exploiting Bugs in Kernel Drivers - DefCamp 2012Hunting and Exploiting Bugs in Kernel Drivers - DefCamp 2012
Hunting and Exploiting Bugs in Kernel Drivers - DefCamp 2012
 
SDAccel Design Contest: Xilinx SDAccel
SDAccel Design Contest: Xilinx SDAccel SDAccel Design Contest: Xilinx SDAccel
SDAccel Design Contest: Xilinx SDAccel
 
.NET Fest 2018. Maarten Balliauw. Let’s refresh our memory! Memory management...
.NET Fest 2018. Maarten Balliauw. Let’s refresh our memory! Memory management....NET Fest 2018. Maarten Balliauw. Let’s refresh our memory! Memory management...
.NET Fest 2018. Maarten Balliauw. Let’s refresh our memory! Memory management...
 

Último

Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
sammart93
 
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdfUnderstanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
UK Journal
 
Top 5 Benefits OF Using Muvi Live Paywall For Live Streams
Top 5 Benefits OF Using Muvi Live Paywall For Live StreamsTop 5 Benefits OF Using Muvi Live Paywall For Live Streams
Top 5 Benefits OF Using Muvi Live Paywall For Live Streams
Roshan Dwivedi
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
Safe Software
 

Último (20)

Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
 
2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...
 
HTML Injection Attacks: Impact and Mitigation Strategies
HTML Injection Attacks: Impact and Mitigation StrategiesHTML Injection Attacks: Impact and Mitigation Strategies
HTML Injection Attacks: Impact and Mitigation Strategies
 
🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘
 
Real Time Object Detection Using Open CV
Real Time Object Detection Using Open CVReal Time Object Detection Using Open CV
Real Time Object Detection Using Open CV
 
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
 
Polkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin WoodPolkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin Wood
 
Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organization
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, AdobeApidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
 
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdfUnderstanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt Robison
 
Top 5 Benefits OF Using Muvi Live Paywall For Live Streams
Top 5 Benefits OF Using Muvi Live Paywall For Live StreamsTop 5 Benefits OF Using Muvi Live Paywall For Live Streams
Top 5 Benefits OF Using Muvi Live Paywall For Live Streams
 
AWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of TerraformAWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of Terraform
 
Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdf
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
 
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemkeProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024
 

One-Byte Modification for Breaking Memory Forensic Analysis

  • 1. One-byte Modification for Breaking Memory Forensic Analysis Takahiro Haruyama / Hiroshi Suzuki Internet Initiative Japan Inc. eyes-only
  • 2. • Memory Forensics Overview – Memory Acquisition – Memory Analysis • Previous Works: Anti Memory Forensics • Proposed Anti Analysis Method • Improvement Plans • Wrap-up Agenda 2
  • 4. • Analyzing volatile data is important to detect threats quickly – increasing amounts of disk data – anti disk forensic methods used by malwares • Memory forensics became popular over the last few years • 2 steps for memory forensics – memory acquisition and memory analysis 4 What’s Memory Forensics? Target Machine Investigator’s Machine Memory Image File 1. Acquire RAM data as an image file 2. Parse and analyze the image offline
  • 5. • Offline parsing a memory image doesn’t use system APIs • Memory forensics can get – unallocated data (e.g., terminated process) – data hidden by malware (e.g., hidden process) 5 Why Memory Forensics? Live Response Tool Memory Forensic Analysis Tool Running Process Hidden Process Terminated Process Allocated Unallocated Windows API Parse binary image and extract information from it Get information through system API
  • 6. • Raw Image Acquisition – HBGary FastDump Pro [1] – Guidance WinEn [2] – MoonSols Windd [3] • Crash Dump Image Acquisition – MoonSols Windd • Memory Image Conversion – MoonSols Windows Memory Toolkit [3] 6 Some Formats / Acquisition Tools Memory Image File CPU Register Included Crash Dump Hibernation Not Included Raw
  • 7. Difference between Raw Image and Crash Dump • Crash dump file doesn’t include – 1st Page – Pages reserved by devices Run[0] BasePage = 0x1, PageCount = 0x9e Run[1] BasePage = 0x100, PageCount = 0xeff Run[2] BasePage = 0x1000, PageCount = 0xeef0 Run[3] BasePage = 0xff00, PageCount = 0x100 1st Page (BIOS Reserved) Address Space Reserved by Devices (Not Included in crash dump) Physical Memory Address Space (e.g., 256MB RAM) 7
  • 8. Evaluation of Memory Acquisition Tools • Can raw image acquisition tools get 1st page and device-reserved pages? [4] – WinEn – Win32dd /c 0 • Memory Content (/c) option – Caution: /c 0 option may cause BSOD on x64 machine WinEn FDPro Win32dd /c 0 Win32dd /c 1 Win32dd /c 2 1st Page ✔ ✔ ✔ ✔ Device reserved pages ✔ ✔ 8
  • 9. Analysis Example: Making Object Creation Timeline 9 • Volatility Framework [5] – timeliner plugin [6] • used kernel objects (process/thread/socket) • event logs SpyEye bot (dead process) TCP connection established by explorer.exe Code injection activity?
  • 10. Analysis Example: Detecting Code Injection 10 • Detecting code injection – Volatility Framework malfind – EnCase EnScript [7] VadDump – Mandiant Redline [8] (GUI front-end for Memoryze [9]) • The tools check protection flag of Virtual Address Descriptor
  • 11. Mandiant Redline (Memoryze) HBGary Responder Volatility Framework 2.0 EnCase EnScirpt Supported Windows OS All All XP/Vista/7/ 2003/2008 XP/7/2003/ 2008 Supported Image Format Raw Raw Raw Crash dump Hibernation Raw Crash dump Supported CPU Architecture Intel x86 AMD x64 Intel x86 AMD x64 Intel x86 Intel x86 AMD x64 Extracting dead process/closed connection No No Yes Yes Note Malware Risk Index, MemD5 Digital DNA, code graphing Open source, rich plugins Multilingual search, Entropy Comparison of Memory Analysis Tools 11
  • 13. • Kernel-mode malwares with anti memory forensic functionality – Anti Memory Acquisition • hide specific data (Shadow Walker) • abort acquisition (Meterpreter script) – Anti Memory Analysis • hide specific data (anti object carving) • abort analysis (proposed method) 13 Attacking Scenario
  • 14. • ShadowWalker is proposed by Sherri Sparks and Jamie Butler to hide malicious memory regions – Installed page fault handler makes de-synchronized DTLB/ITLB • data access -> random garbage data • execute access -> rootkit code • Memory acquisition tools cannot prevent ShadowWalker from hiding memory pages – But Analysis tools can detect the IDT hooking 14 Anti Acquisition Methods: Shadow Walker [10]
  • 15. • Proof of concept script – killing specified processes or preventing driver loadings with the aim of memory acquisition failure • Very easy to implement – The evasion is also easy (e.g., random name) – Preventing driver loadings has an impact on the running system 15 Anti Acquisition Methods: Meterpreter Anti Memory Forensics Script [11]
  • 16. • Object carving is one technique to extract kernel object information – e.g., process object (_EPROCESS) • PTFinder: Type/Size in _DISPATCHER_HEADER • Volatility Framework: PoolTag in _POOL_HEADER • Brendan Dolan-Gavitt et al. warned an attacker could change the values to hide a specified object [12] – Instead, they proposed robust signatures causing BSOD or functionality failures if the values are changed 16 Anti Analysis Method: Anti Object Carving modifying header values of cmd.exe
  • 17. • Closed-source analysis tools can find the hidden process – How do they find it? • Other than object carving, there are several key operations for analyzing memory image – The operations are robust? • Let’s check it! 17 Anti Analysis Method: Anti Object Carving (Cont.) Memoryze HBGary Responder
  • 19. • Researched implementations of three major tools – Volatility Framework 2.0 – Mandiant Memoryze 2.0 – HBGary Responder Community Edition 2.0 • Found three operations executed in memory analysis include a few unconsidered assumptions – Proposed method modifies one-byte of data related to the operations • The data is defined as “Abort Factor” – It can’t hide specific objects, but can abort analyses – No impact on the running system • No BSOD, no errors for a few days to 2 weeks 19 Abstract of Proposed Method
  • 20. • Virtual address translation in kernel space • Guessing OS version and Architecture • Getting kernel objects – traversing linked lists or binary trees – object carving 20 Sensitive Three Operations in Memory Analysis
  • 21. • Virtual address translation in kernel space • Guessing OS version and Architecture • Getting kernel objects – traversing linked lists or binary trees – object carving 21 Sensitive Three Operations in Memory Analysis
  • 22. • OS switches its context by loading Directory Table Base (DTB) of each process – DTB is stored in each process object (_EPROCESS) • Initially, analysis tools must get DTB value for kernel space • Two processes have the kernel DTB – PsInitialSystemProcess (System process) – PsIdleProcess (Idle process) 22 Virtual Address Translation in Kernel Space OS loads Directory Table Base (Start physical address for address translation) into Control Register (CR3) x86 Address Translation - How PAE X86 Works http://technet.microsoft.com/en-us/library/cc736309(WS.10).aspx
  • 23. 23 Virtual Address Translation in Kernel Space: Process Object Structure _POOL_HEADER _OBJECT_HEADER _EPROCESS _KPROCESS _DISPATCHER_HEADER PoolTag: “Pro” Type and Size DTB ImageFileName: “System” or “Idle” Flags
  • 24. • Search _DISPATCHER_HEADER to get _EPROCESS • Check whether the ImageFileName is “Idle” – If the process is Idle, get DTB value in _KPROCESS 24 Virtual Address Translation in Kernel Space: Volatility Framework _DISPATCHER_HEADER (e.g., “x03x00x1bx00”) ImageFileName
  • 25. • Search “System” to find ImageFileName in _EPROCESS of PsInitialSystemProcess • Validate by using _DISPATCHER_HEADER in the _KPROCESS • All _DISPATCHER_HEADER patterns are checked 25 Virtual Address Translation in Kernel Space: Mandiant Memoryze _DISPATCHER_HEADERs of all OS versions ImageFileName
  • 26. • Validate by using Flags in _OBJECT_HEADER and PoolTag in _POOL_HEADER – Check the distance between PoolTag and _EPROCESS • e.g., 32bit OS: 0x1C or 0x2C • If all data is valid, get the DTB value 26 Virtual Address Translation in Kernel Space: Mandiant Memoryze (Cont.) PsInitialSystemProcess Flags in _OBJECT_HEADER PoolTag in _POOL_HEADER
  • 27. • Search _DISPATCHER_HEADERs to get _EPROCESS • Get DTB value from the result and validate it at VirtualMemory::Discover 27 Virtual Address Translation in Kernel Space: HBGary Responder registering _DISPATCHER_HEADERs of all OS versions
  • 28. • Responder seems to be equipped with the algorithm guessing kernel DTB – If DTBs of PsInitialSystemProcess and PsIdleProcess are not found, a guessed DTB value is used 28 Virtual Address Translation in Kernel Space: HBGary Responder (Cont.) If the arguments for DTB value is 0, the kernel DTB is calculated inside VirtualMemory::Discover function
  • 29. 29 Virtual Address Translation in Kernel Space: Related Data Tool Related Data Abort Factor Remarks Volatility Framework _DISPATCHER_HEADER X PsIdleProcess ImageFileName in _EPROCESS X Mandiant Memoryze _DISPATCHER_HEADER X PsInitialSystemPr ocessPoolTag in _POOL_HEADER X Flags in _OBJECT_HEADER X ImageFileName in _EPROCESS X HBGary Responder _DISPATCHER_HEADER original guessing algorithm
  • 30. • Virtual address translation in kernel space • Guessing OS version and Architecture • Getting Kernel Objects – traversing linked lists or binary trees – object carving 30 Sensitive Three Operations in Memory Analysis
  • 31. • Size and definition of kernel data structures differ according to – OS version (e.g., XP SP2/SP3, 7 SP0/SP1) – architecture (x86 and x64) • All analysis tools guess the version using debug structures 31 Guessing OS version and Architecture OS version _EPROCESS size (bytes) Windows XP SP3 32bit 0x260 Windows 7 SP0 32bit 0x2C0 Windows 7 SP0 64bit 0x4D0 Windows Vista SP2 32bit 0x270 Windows Vista SP2 64bit 0x3E8
  • 32. 32 Guessing OS version and Architecture: Debug Structures and Key Values _KPCR _DBGKD_GET_VERSION64 _KDDEBUGGER_DATA64 KdVersionBlock DebuggerDataList Header CmNtCSDVersion _DBGKD_DEBUG_DATA_ HEADER64 OwnerTag: “KDBG” Size KernBase KernBase PrcbData PsActiveProcessHead PsLoadedModuleList _KPRCB CurrentThread
  • 33. • Users must specify OS version and Architecture – e.g., --profile=WinXPSP2x86 • If the version is unknown, imageinfo command can guess it – scan _DBGKD_DEBUG_DATA_HEADER64 [13] 33 Guessing OS version and Architecture: Volatility Framework OwnerTag: “KDBG” Size
  • 34. • Supposedly determine OS and architecture based on _DISPATCHER_HEADER • Validate them by using an offset value of ImageFileName in _EPROCESS 34 Guessing OS version and Architecture: Mandiant Memoryze _DISPATCHER_HEADER offset value of ImageFileName
  • 35. • Try to translate a virtual address of ThreadListHead in _KPROCESS – If possible, the OS version and architecture are correct • Get SP version from CmNtCSDVersion in _KDDEBUGGER_DATA64 35 Guessing OS version and Architecture: Mandiant Memoryze (Cont.)
  • 36. • Get KernBase value – _DBGKD_GET_VERSION64 or _KDDEBUGGER_DATA64 • Validate the PE header signatures – DOS header and NT header 36 Guessing OS version and Architecture: HBGary Responder Get KernBase by calling Kernel::FindNtoskrnlBase function PE header signatures (DOS header/NT header) PE header signatures (DOS header/NT header)
  • 37. • Get OS version – OperatingSystemVersions in Optional Header • e.g., Windows7: MajorOperatingSystemVersion=6 and MinorOperatingSystemVersion=1 • Get more specific version – TimeDataStamp in File header 37 Guessing OS version and Architecture: HBGary Responder (Cont.) Check OperatingSystemVersion Check TimeDataStamp
  • 38. 38 Guessing OS version and Architecture: Related Data Tool Related Data Abort Factor Remarks Volatility Framework _DBGKD_DEBUG_DATA_HEADE R64 X Mandiant Memoryze _DISPATCHER_HEADER X PsInitialSystemPr ocessoffset value of ImageFileName X ThreadListHead in _KPROCESS CmNtCSDVersion in _KDDEBUGGER_DATA64 HBGary Responder KernBase in _DBGKD_GET_VERSION64 or _KDDEBUGGER_DATA64 PE Header of Windows kernel PE header signatures “MZ”/”PE” OperatingSystemVersion in Optional Header X TimeDataStamp in File Header
  • 39. • Virtual address translation in kernel space • Guessing OS version and Architecture • Getting Kernel Objects – traversing linked lists or binary trees – object carving 39 Sensitive Three Operations in Memory Analysis
  • 40. • Traversing linked lists or binary trees – Generally, use special lead/root addresses • PsActiveProcessHead for process list • PsLoadedModuleList for kernel module list • VadRoot for Virtual Address Descriptor tree • Object carving – Generally, use fixed values in headers • _POOL_HEADER • _DISPATCHER_HEADER • My research focused on getting _EPROCESS 40 Getting Kernel Objects
  • 41. • Process list is two-way link – Each _EPROCESS includes ActiveProcessLinks • _LIST_ENTRY (Flink and Blink) – PsActiveProcessHead and PsInitialSystemProcess are bound up together 41 Getting Kernel Objects: Process Linked List PsActiveProcessHead _EPROCESS “System” _EPROCESS “smss.exe” _EPROCESS “win32dd.exe” FLINK BLINK FLINK BLINK FLINK BLINK FLINK BLINK ... ... ...
  • 42. • Traversing linked lists or binary trees – Search _DBGKD_DEBUG_DATA_HEADER64 – get PsActiveProcessHead in _KDDEBUGGER_DATA64 • Object carving – use PoolTag in _POOL_HEADER 42 Getting Kernel Objects: Volatility Framework Executing KDBGScanner Getting _DBGKD_DEBUG_DATA_HEADER64 (= _KDDEBUGGER_DATA64) address
  • 43. • Object carving – find _EPROCESS using address values – similar to robust signatures proposed by Brendan Dolan-Gavitt et al. [12] 43 Getting Kernel Objects: Mandiant Memoryze Is DTB 0x20 bytes aligned? (ActiveProcessLinks.Flink & 0x80000000) == 0x80000000 ? (Peb & 0x7ffd0000) == 0x7ffd0000 ?
  • 44. • Traversing linked lists or binary trees – get CurrentThread in _KPRCB – get _EPROCESS from the thread • e.g., ApcState.Process in _KTHREAD (XP) – start to traverse process list from the _EPROCESS 44 Getting Kernel Objects: HBGary Responder Be careful not to get data with PsActiveProcessHead as _EPROCESS
  • 45. 45 Getting Kernel Objects: Related Data Tool Related Data Abort Factor Remarks Volatility Framework _DBGKD_DEBUG_DATA_HEADER 64 X PsActiveProcessHead in _KDDEBUGGER_DATA64 X PoolTag in _POOL_HEADER Mandiant Memoryze address values in _EPROCESS (DTB, Peb, etc.) HBGary Responder CurrentThread in _KPRCB PsInitialSyste mProcess _EPROCESS pointer in _KTHREAD ImageFileName in _EPROCESS X
  • 46. 46 Abort Factors Tool Virtual Address Translation in Kernel Space Guessing OS version and Architecture Getting Kernel Objects Volatility Framework 2 factors: _DISPATCHER_ HEADER and ImageFileName (PsIdleProcess) 1 factor: _DBGKD_DEBUG_ DATA_HEADER64 2 factors: _DBGKD_DEBUG_ DATA_HEADER64 and PsActiveProcessHead Mandiant Memoryze 4 factors: _DISPATCHER_ HEADER, PoolTag, Flags and ImageFileName (PsInitialSystem Process) 2 factors: _DISPATCHER_ HEADER and offset value of ImageFileName (PsInitialSystem Process) None HBGary Responder None 1 factor: OperatingSystem Version of kernel header 1 factor: ImageFileName (PsInitialSystem Process)
  • 47. • Load a kernel driver into x86 XP VM – The driver modifies 1 byte of the following data • Size in _DISPATCHER_HEADER of PsIdleProcess • PoolTag in _POOL_HEADER of PsInitialSystemProcess • MajorOperatingSystemVersion in PE header of Windows kernel • Check the modification using WinDbg • Acquire the memory image using LiveCloudKd [14] • Analyze it using three tools 47 Demo using PoC Driver (Video)
  • 48. 48 Analysis Results of Normal Memory Images How about the demo image?
  • 50. • Guessing based on address values • Minimum guessing • Separating implementations to get kernel objects 50 Improvement Plans
  • 51. • The modification of address values often causes BSOD or function failures – _EPROCESS object carving by Memoryze – _KPCR object carving by Volatility Framework [15] 51 Guessing Based on Address Values _KPCR address == SelfPcr and _KPRCB address == Prcb
  • 52. • Support crash dump format – Register values cannot be modified 52 Minimum guessing (1) Data in crash dump header Extracted from (Win32dd implementation) Abort Factor DTB CR3 register OS version nt!NtBuildNumber X PAE enabled CR4 register PsActiveProcessHead _KDDEBUGGER_DATA64 X PsLoadedModuleList _KDDEBUGGER_DATA64 X
  • 53. • Support argument passing options about DTB and OS version – Volatility Framework supports them • specify OS version by using “--profile” option • specify DTB value by using “--dtb” option 53 Minimum guessing (2)
  • 54. • If DTB value cannot be acquired, display the result minimally-extracted by object carving 54 Separating implementations to get kernel objects Psscan doesn’t use kernel DTB (object carving only) Pslist requires kernel DTB to traverse linked list
  • 56. • Proposed anti analysis method can abort memory analysis tools by modifying only one-byte – The method is effective for memory images of all OS versions and architectures – About the impact on the running system, long term evaluations may be needed • I hope – Developers improve the implementations – Users figure out internals of memory analysis and deal with analysis errors 56 Wrap-up
  • 58. 58
  • 59. 59
  • 60. 60
  • 61. [1] HBGary FastDump Pro <http://www.hbgary.com/fastdump-pro> [2] EnCase WinEn (build-in tool of EnCase) <http://www.guidancesoftware.com/> [3] MoonSols Windows Memory Toolkit <http://www.moonsols.com/windows-memory-toolkit/> [4] Reserved Address Space in Windows Physical Memory <http://cci.cocolog- nifty.com/blog/2011/02/device-reserved.html> [5] Volatility Framework <https://www.volatilesystems.com/default/volatility> [6] timeliner plugin <http://gleeda.blogspot.com/2011/09/volatility-20-timeliner- registryapi.html> [7] Update: Memory Forensic EnScript <http://cci.cocolog-nifty.com/blog/2011/03/memory- forensic.html> [8] Mandiant Redline <http://www.mandiant.com/products/free_software/redline/> [9] Mandiant Memoryze <http://www.mandiant.com/products/free_software/memoryze/> [10] "SHADOW WALKER" Raising The Bar For Rootkit <http://www.blackhat.com/presentations/bh-jp-05/bh-jp-05-sparks-butler.pdf> [11] Meterpreter Anti Memory Forensics (Memoryze) Script <http://t0x1cs.blogspot.com/2012/02/meterpreter-anti-memory-forensics.html> [12] Robust Signatures for Kernel Data Structures <http://www.cc.gatech.edu/~brendan/ccs09_siggen.pdf> [13] Identifying Memory Images <http://gleeda.blogspot.com/2010/12/identifying-memory- images.html> [14] YOUR CLOUD IS IN MY POCKET <https://media.blackhat.com/bh-dc- 11/Suiche/BlackHat_DC_2011_Suiche_Cloud_Pocket-wp.pdf> [15] Finding Object Roots in Vista (KPCR) <http://blog.schatzforensic.com.au/2010/07/finding- object-roots-in-vista-kpcr/> 61 References