Applying Memory Forensics to Rootkit Detection


DESCRIPTION

Volatile memory dumping and its analysis is an essential part of digital forensics. Among the various software and hardware approaches to memory dumping, some are not resilient to anti-forensic techniques, and others require a reboot or are highly platform dependent. Newer resilient tools have their own disadvantages, such as low speed or vulnerability to rootkits that directly manipulate kernel structures, e.g. page tables. This paper describes a new memory forensic system, the Malware Analysis System for Hidden Knotty Anomalies (MASHKA), which is resilient to popular anti-forensic techniques and can be used for a wide range of memory forensics tasks. The paper shows how to apply the system to the research and detection of kernel mode rootkits and also presents an analysis of the most popular anti-rootkit tools. Applying Memory Forensics to Rootkit Detection #adfsl #Virginia #USA http://bit.ly/cdfsl_paper http://bit.ly/cdfsl_slides http://bit.ly/cdfsl_speech

Text of Applying Memory Forensics to Rootkit Detection

1. Applying Memory Forensics to Rootkit Detection. Igor Korkin, Ivan Nesterov. CDFSL 2014

2. Goals of memory forensics: revealing passwords, crypto keys, etc.; software reverse engineering; rootkit analysis and detection.
3. Agenda: 1. Review of dump and analysis tools under rootkit conditions. 2-3. MASHKA (Malware Analysis System for Hidden Knotty Anomalies): memory dump system, DBS for processes, RPI for drivers. 4. Review of rootkit techniques.
4. Rootkit techniques (malware hiding from the OS and AV): function hooking (func_A -> hook -> func_B instead of func_A -> func_B) and object manipulation (byte modification of EPROCESS structures).
5. Dump approaches classification: software vs hardware; virtual memory vs physical memory. Questions: ease of distribution? vulnerable?
6. Dump approaches are either vulnerable or not applicable in enterprises. Software approaches: ease of distribution +, no hooking resilience. Hardware approaches: hooking resilience +, hard to distribute.
7. Why are software approaches vulnerable?
8. Details of dump and analysis tools. A typical dump and analysis tool relies on memory mapping routines, ZwWriteFile (or an analogue) and analysis of kernel OS structures; each step can be attacked: hooks on the mapping routines and on ZwWriteFile, byte modification of the kernel structures (J. Stuttgen, M. Cohen '13; L. Milkovic '12; T. Haruyama, H. Suzuki '12).
9-11. What can we do under these circumstances? Let's omit the functions! What can we use instead?
12. Virtual and physical memory: in virtual memory, user mode (calc.exe, word.exe) and kernel mode (kernel) are laid out contiguously; in physical memory their pages are scattered (calc.exe, kernel, word.exe, "?" for unknown locations).
13-15. How does address translation work? Virtual address -> Page Directory & Page Tables -> table entry (FLAGS, PFN) -> physical memory, where Address = PFN*0x1000 (ACCESS). Is it possible to use paging in a dump? Let's run address translation in reverse!
16-21. MASHKA's memory dump algorithm: a walk over the Page Directory and the Page Tables (columns: others, P, PS).
   Page Directory entry i=5: BE 3C, P=0, PS=1 -> go to next entry.
   Page Directory entry i=6: BE 4C, P=1, PS=1 -> save memory page (4 MB or 2 MB) by i.
   Page Directory entry i=7: BE FF, P=1, PS=0 -> go to Page Table.
   Page Table entry j=0: BF 00, P=0 -> go to next entry.
   Page Table entry j=1: BF 01, P=1 -> save memory page (4 KB) by i & j.
22-23. MASHKA's dump algorithm details: the present pages (Page 1 ... Page 5) of virtual memory (4 GB) are saved into a dump file (300 MB), and a struct file records for each saved page its StartAddr_n, FinishAddr_n and DumpOffset_n (StartAddr_1, FinishAddr_1, DumpOffset_1 ... StartAddr_5, FinishAddr_5, DumpOffset_5). How should the new files be used?
24-26. MASHKA in memory forensics tasks. Searching the loaded dump file for ".sys" (2E 73 79 73 00) yields a VALF (Virtual Address in the Loaded dump File); VALF -> ODUF (Offset in DUmp File); the Struct File maps ODUF -> VAOM (Virtual Address in the Original virtual Memory).
27. How is VAOM etc. used?
28. Use MASHKA in drivers forensics. Sources of driver information: the SCM structures list in SERVICES.EXE (user mode); PsLoadedModuleList and DRIVER_OBJECT (kernel mode).
29-31. Use MASHKA in drivers forensics. CreateService(ServiceName, DisplayName, BinaryPath, ...): ServiceName, DisplayName and BinaryPath appear in the SCM structure; the DRIVER_OBJECT and others will be added. ServiceName -> VAOMs of SN; VAOMs of SN -> VAOM of DRV_OBJ.
32. Advantages of MASHKA: uses only two functions, KeAttachProcess and ZwWriteFile; resilient to hooks due to low-level OS call usage; protects the stored data by run-time encryption; finds different memory templates fast.
33. How to apply MASHKA to process detection?
34. How can a process be hidden? ZwQuerySystemInformation hooking; PsActiveProcessList modification; OS process list handling. How to detect a hidden process?
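The dump walk of slides 16-23 and the VAOM-to-ODUF translation of slides 24-27 carried through in code, as an added example that is not MASHKA's own code. It assumes a 32-bit, non-PAE page directory (4 MB large pages) constructed in memory; the function and variable names are mine.

```python
# Added example (not MASHKA's code): walk a constructed 32-bit page directory
# and page tables the way the slides describe, save only present pages into a
# "dump file", record (StartAddr, FinishAddr, DumpOffset) in a "struct file",
# then translate a VAOM into an ODUF through that struct file.
P_BIT, PS_BIT = 0x1, 0x80                 # Present and Page Size bits of an entry
PAGE_4K, PAGE_4M = 0x1000, 0x400000

def dump_pages(pdes, page_tables, read_virt):
    """pdes: 1024 PDE flag words; page_tables: {pde index i: 1024 PTE flag words};
    read_virt(start, size) -> bytes of that virtual range. Returns (dump, struct)."""
    dump, struct_file, offset = bytearray(), [], 0
    for i, pde in enumerate(pdes):
        if not pde & P_BIT:               # P = 0: go to next entry
            continue
        if pde & PS_BIT:                  # PS = 1: save the 4 MB page addressed by i
            pages = [(i * PAGE_4M, PAGE_4M)]
        else:                             # PS = 0: go to the page table, save 4 KB pages by i & j
            pages = [(i * PAGE_4M + j * PAGE_4K, PAGE_4K)
                     for j, pte in enumerate(page_tables.get(i, [])) if pte & P_BIT]
        for start, size in pages:
            dump += read_virt(start, size)
            struct_file.append((start, start + size - 1, offset))
            offset += size
    return bytes(dump), struct_file

def vaom_to_oduf(struct_file, vaom):
    """Virtual Address in the Original Memory -> Offset in DUmp File, or None
    when the page was not present (and so was never dumped)."""
    for start, finish, off in struct_file:
        if start <= vaom <= finish:
            return off + (vaom - start)
    return None

def build_example():
    """Constructed layout mirroring the slides: i=5 absent, i=6 a present 4 MB
    page, i=7 a page table whose entry j=1 is present; '.sys\\0' is placed in
    the 4 KB page so a string hit in the dump can be mapped back to a VAOM."""
    pdes = [0] * 1024
    pdes[5], pdes[6], pdes[7] = PS_BIT, P_BIT | PS_BIT, P_BIT
    pt7 = [0] * 1024
    pt7[1] = P_BIT
    def read_virt(start, size):
        page = bytearray(size)
        if start == 7 * PAGE_4M + PAGE_4K:
            page[0x10:0x15] = b".sys\x00"
        return bytes(page)
    return dump_pages(pdes, {7: pt7}, read_virt)
```

Running the reverse translation over the struct file is what lets a pattern found at an ODUF be attributed to the original virtual address, which is the VALF -> ODUF -> VAOM chain the slides describe.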
35-36. Process detection approaches review. Heuristic analyzer: hooking functions such as SwapContext or KiFastCallEntry. Object structure lists: a process list from CSRSS.EXE, a process handle table list. Static signature scans: static signatures by Schuster ('07), robust signatures by Dolan-Gavitt ('09), structure location by Grizzard ('10).
37-38. Analysis of static signature scan (GMER, PowerTool and XueTr use it). The scan is based on some EPROCESS field values being either known or exceeding a constant, e.g. 0x8000_0000. Disadvantages: vulnerable to field modifications; difficult to achieve portability.
39. How can we improve signature scans?
40-41. Typical design of object structures. Four structures of the same type:
   03 28 87 1B 05 56 01 01 E4
   03 28 84 1B 05 B0 E4 E4 E4
   03 28 84 1B 05 B0 18 18 E4
   03 28 85 1B 05 78 12 E4 12
   Dynamic Byte Signature (memory pattern): 03 28 - 1B 05 - - - E4, where "-" marks a byte that varies between structures.
42. Process detection with Dynamic Byte Signature: 1. Create a Dynamic Byte Signature using the EPROCESS structures in PsActiveProcessList. 2. Use byte-to-byte DBS search to find all EPROCESS structures. 3. Compare the new list with the NtQuerySystemInformation list.
43-45. Bit signature = thorough analysis. Downscale from bytes to bits: in the varying byte position of the four structures above, 87 = 1 0 0 0 0 1 1 1 and 84 = 1 0 0 0 0 1 0 0, so the upper six bits are constant and only the lower bits vary. Dynamic Bit Signature: 03 28 - 1B 05 - - - E4, with the "-" positions compared bit by bit.
46. Dynamic Bit Signature analysis. DBS features and advantages: automatic learning; easily portable; bit-based analysis (more thorough analysis); probabilistic check (able to recognize structures even without a full pattern match).
47. What about hidden drivers and their detection?
48. Hidden drivers have similar cases (activity to hide, list view, hiding method). Processes: TaskMgr.exe, PsActiveProcessList modification. Drivers: DriverQuery.exe, PsLoadedModuleList modification. ZwQuerySystemInformation hooking leads to both process and driver hiding.
49. Driver detection approaches review. Object structure lists: ObjectDirectory lists, Service Control Manager list. Signature scans: Schuster's signature approach, adapted by W. Tsaur and L. Yeh ('12) to driver detection.
50-52. Is it possible to adapt DBS for driver detection? DBS can only detect structures with a lot of fields: EPROCESS has many, DRIVER_OBJECT few.
53. Rating Point Inspection (RPI). RPI improvements over DBS: RPI utilizes an additional weight matrix for precise pattern matching; RPI uses a selective matching algorithm: if one of the checks is true DB
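The Dynamic Byte Signature of slides 40-42 and the Dynamic Bit Signature with its probabilistic check of slides 43-46, as an added example that is not the authors' code. The sample rows are constructed after the slide's illustration, and the scan threshold is my assumption.

```python
# Added example (not MASHKA's code): build the Dynamic Byte Signature and the
# Dynamic Bit Signature from several structures of one type, then scan a
# buffer with a probabilistic (fraction-of-fixed-bits) check.
# SAMPLES are constructed after the slide's illustration; each row stands for
# the first bytes of one EPROCESS-like structure taken from a trusted list.
SAMPLES = [bytes.fromhex(h) for h in (
    "03 28 87 1B 05 56 01 01 E4",
    "03 28 84 1B 05 B0 E4 E4 E4",
    "03 28 84 1B 05 B0 18 18 E4",
    "03 28 85 1B 05 78 12 12 E4",
)]

def byte_signature(samples):
    """A byte is kept only if identical in every sample; None is a wildcard."""
    return [col[0] if len(set(col)) == 1 else None for col in zip(*samples)]

def bit_signature(samples):
    """Per byte position: (value, mask); a mask bit set to 1 marks a bit that
    has the same value in every sample, so the check works below byte level."""
    sig = []
    for col in zip(*samples):
        varying = 0
        for b in col:
            varying |= b ^ col[0]          # bits that differ in any sample
        mask = ~varying & 0xFF
        sig.append((col[0] & mask, mask))
    return sig

def match_score(sig, candidate):
    """Fraction of fixed bits that the candidate reproduces (1.0 = full match)."""
    hit = total = 0
    for (val, mask), b in zip(sig, candidate):
        total += bin(mask).count("1")
        hit += bin(mask & ~(b ^ val) & 0xFF).count("1")
    return hit / total if total else 0.0

def scan(buf, sig, threshold=1.0):
    """Byte-to-byte search: offsets whose score reaches the threshold. A
    threshold below 1.0 still finds structures with a few modified fields."""
    n = len(sig)
    return [off for off in range(len(buf) - n + 1)
            if match_score(sig, buf[off:off + n]) >= threshold]
```

Offsets returned by scan() over a dump are the candidate EPROCESS locations to compare against the list the OS reports; a structure that passes the bit-level check but is absent from that list is the hidden-process signal the slides describe.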