1. Defeating Windowsmemory forensicsFSEC 2012September 19, 2012.Luka MilkoviLuka.Milkovic@infigo.hrINFIGO IS http://www.infigo.hr
2. Agenda Memory forensics Why? How? Previous memory anti-forensic techniques Windows related Memory acquisition process flawed by design? Defeating Windows memory forensics Impossible in user-mode or not? Possible solutions 3. Memory forensics why?Disk forensics prevalent, but memoryforensics increasingly popularUsed by incident handlersMalware detectionobjects hidden by rootkits (processes, threads, etc.)memory-resident malwareunpacked/unencrypted imagesRecently used filesDead objectsterminated processes, threads, connections and the bad guysPassword recovery 4. Memory forensics how?Two consecutive processesMemory acquisitionMemory analysisAcquisitionMany tools, focus on free onesMandiant MemoryzeMoonsols Windows Memory Toolkit (Win32dd)ManTech MDD 5. Memory forensics how? (2)AnalysisFinding OS and other artifacts in imageFree and commercial toolsVolatility FrameworkMandiant Redline/MemoryzeEnCase, HBGary Responder and many otherAll support raw dump, weak support forhib/crash fileVolatility has weak support for x64 6. Memory forensics how? (3) The big picture Analysis toolAcquisition tool Memory dump User mode Install driverKernel modeAcquisition driver Remote host Send dump over networkMemory dumpalgorithm1. Reading DevicePhysicalMemory2. Physical space mapping (MmMapIoSpace())3. Raw Virtual2Physical mapping 7. Previous works - simple Blocking acquisition Killing acquisition process tools always have the same names Blocking driver installation driver installation is necessary on OS >= Win2k3 names not random Metasploit script not available anymore Evasion very simple Rename process Rename driver not that easy if you dont have the source 8. Previous works advancedBlocking analysisHaruyama/Suzuki BH-EU-12: One-byteModification for Breaking Memory ForensicAnalysisminimal modifications to OS artifacts in memorytargets key steps of analysis to make itimpossible/difficultso-called abort factorstool specificPros:subtle modifications (harder detection)Cons:cannot hide arbitrary object (could theoretically)breaks entire analysis can raise suspicion 9. Previous works advanced (2)Attacking acquisition & analysisSparks/Butler BH-JP-05: Shadow Walker Raising the bar for Rootkit Detectionintentional desynchronization of ITLB/DTLBfaking reads of and writes to arbitrary memorylocationexecute access not fakedPros:awesome idea:)hides (almost) arbitrary objectsCons:not very stable (and no MP/HT support)page fault handler visible (code and IDT hook)performance 10. Memory acquisition flawed by design?Where is the weakest link?Analysis tool Acquisition tool Memory dumpUser modeAttacker kernel access == Install driverKernel mode Acquisition driver Remote hostSend dump over network Memory dump algorithm 1. Reading DevicePhysicalMemory 2. Physical space mapping (MmMapIoSpace()) 3. Raw Virtual2Physical mapping 11. Defeating Windows memory forensicsIntroducing DementiaPoC tool for hiding objects in memory dumpscurrently only processesx86 onlyKernel driverNtWriteFile inline hookcould hook even lowerlist of addresses to be hiddenvirt2phys translation using DTB of System processclears process allocation (PoolTag Proc)unlinks the process from the process list in dumpclears EPROCESS block 12. Defeating Windows memory forensics (2) 13. Defeating Windows memory forensics (3)LimitationsPlenty of other artifacts not hiddenHandle tables not cleanedMemory allocated by process not cleanedincluding process code and dataWork in progress! 14. Memoryze case Memoryze is interesting Not reliant on API calls? What about 15. Memoryze case (2)Memoryze re-designed the workflow a bit: Analysis tool Write dumpAcquisition toolMemory dump User mode Install driverKernel mode Return read pageAcquisition driverDump memory Memory dumpalgorithm1. Reading DevicePhysicalMemory2. Physical space mapping (MmMapIoSpace()) 16. Memoryze case (3)Yes, attacker can now modify dump fromthe user mode:)Dementia moduleHiding target process, process threads andconnectionscompletely from the user mode, no driver usedcurrently even more advanced than the driver mode:)Injects to Memoryze processHooks DeviceIoControl and sanitizes buffers onthe flyWorks similarly to Volatilitybut no virt2phys translation, determine everythingfrom the dumphas partial knowledge only single pages of the dump 17. Memoryze case (4)DEMO 18. Possible solutions Memoryze should adopt traditional workflow Current is both slow and insecure Use crash dumps (native!) instead of raw dumps Entirely different OS mechanisms Use hibernation files Plagued by the same problems, but more difficult to tamper with Use hardware acquisition tools? Perform anti-rootkit scanning before acquisition? 19. Thank you!