Session ID:

Session Classification:

Andrew CaseThe Volatility Project

HTA-W22

Advanced

Memory Forensics: Defeating Disk Encryption, Skilled Attackers, and Advanced Malware

► Showcase the power of memory forensics ► Distinguish memory forensics from disk forensics► Show why live forensics is futile and should be

replaced with offline memory forensics

Purpose of This Presentation

► Memory forensics is the analysis of captures (samples) of physical memory (RAM) for artifacts relevant to an investigation

► Requires modeling of the operating system’s data structures and algorithms offline in order to recreate state at the time of the capture

What is Memory Forensics?

► Traditional forensics only looks at disk images► This misses information never written to disk

► Network connections, memory allocations, running processes, open file lists, and much more

► Skilled attackers know to avoid the disk and securely clean up any on-disk artifacts

Why We *Need* Memory Forensics

► Malware can trivially defeat live analysis► Live analysis is running tools built into the OS to gather

volatile data (the general sysadmin/IR response)► Malware can lie to any and all userland and even in-

kernel tools

► Advanced malware only operates in memory► Never touches the disk, all network traffic encrypted► Good luck without memory forensics!

Why Cont.

Volatility

► Most popular memory analysis framework► Open source, written in Python► Supports Windows {XP, Vista, 7, 2003, 2008} x86/x64► Supports Linux on Intel and ARM (Android)► Supports Mac 10.5.x-10.8.x x86/x64

► Allows for analysis plugins to be easily written► Used daily in real forensics investigations

Volatility

► A profile is set of vtypes and (optionally) symbol addresses that are used to model a particular OS version

► This is what allows Volatility plugins to be generic to all the different versions of Windows, Linux, Mac, etc

Volatility Terminology - Profiles

► Address spaces are used to translate virtual addresses into physical offsets► Intel x86, x86 PAE, x86-64► ARM

► They also prevent the need to convert all memory captures to a linear format► Crash dumps► Hibernation files► VMware vmss► Lime► Mac Memory Reader► More…

Volatility Terminology – Address Spaces

► List and recover processes, network connections, drivers, file systems, and much more

► Detect malware in both userland and the kernel► We will be using Volatility to recover artifacts

throughout the presentation

Volatility Capabilities

Investigating Advanced Malware

► Determine system effects ► Uncover processes, network connections, drivers,

etc that are “hidden” by malware► Acquire the unpacked/unencrypted malware in

memory

Malware Analysis Capabilities

► A running system builds a process list by using APIs that eventually traverse the PsActiveProcessHead list► This logic is performed by the pslist plugin► Rootkits break processes from this list to hide

themselves

► Pool scanning for EPROCESS structures can find these hidden processes► This is performed in the psscan plugin► POC rootkits exist to defeat this by pool header

tampering

Finding (Hidden) Processes

► Volatility’s psxview plugin can detect all known process hiding techniques by enumerating from many sources► A number of these sources are not documented except

for in Volatility

Finding (Hidden) Processes Cont.

$ python vol.py -f ds_fuzz_hidden_proc.img psxviewVolatile Systems Volatility Framework 2.3_alphaOffset(P) Name PID pslist psscan thrdproc pspcdid csrss session deskthrd---------- ---------------- ------ ------ ------ -------- ------- ----- ------- -------0x01a2b100 winlogon.exe 620 True True True True True True True 0x01a3d360 svchost.exe 932 True True True True True True True 0x018a13c0 VMwareService.e 1756 True True True True True True True 0x018e75e8 spoolsv.exe 1648 True True True True True True True 0x019dbc30 lsass.exe 684 True True True True True True True 0x0184e3a8 wscntfy.exe 560 True True True True True True True 0x018af860 VMwareTray.exe 1896 True True True True True True True 0x01a4bc20 network_listene 1696 False False True True True True True 0x01843b28 wuauclt.exe 1372 True True True True True True True 0x01a59d70 svchost.exe 844 True True True True True True True [snip]

psxview Output

► Each process has three lists that track its loaded DLLs

► Process explorer and other live tools focus on one of the lists (load order)

► Malware commonly breaks this list to avoid detection► Flame is a popular and high-profile example [2]

► ldrmodules cross references the three lists with VAD information for mapped files

Hiding Loaded DLLs

$ python vol.py -f flame.raw -p 912 ldrmodulesVolatile Systems Volatility Framework 2.1_alphaPid Process Base InLoad InInit InMem MappedPath-------- -------------------- ---------- ------ ------ ----- ---------- 912 services.exe 0x7c900000 True True True \WINDOWS\system32\ntdll.dll 912 services.exe 0x7c9c0000 False False False \WINDOWS\system32\shell32.dll[snip]

ldrmodules Detecting Flame

► malfind looks for pages with suspicious protection bits set (e.g. RWX)

► The following code injection/hiding techniques are all detected by malfind:► Remote Library Injection ► Remote Shellcode Injection► Reflective DLL loading

Detecting Common Code Hiding Techniques

$ python vol.py -f stuxnet.vmem malfindProcess: lsass.exe Pid: 868 Address: 0x80000Vad Tag: Vad Protection: PAGE_EXECUTE_READWRITEFlags: Protection: 6

0x00080000 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 MZ..............0x00080010 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 ........@.......0x00080020 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................0x00080030 00 00 00 00 00 00 00 00 00 00 00 00 08 01 00 00 ................

Malfind Detecting Stuxnet

Metasploit’s Reflective VNC Loader

► Technique:► Overwrite the beginning of API functions in order to

redirect control flow► Allows the malware to hide virtually any data from

userland tools and even some in-kernel monitors

► The apihooks plugin detects API hooks► Performs static analysis on the beginning instructions of

functions

API Hooking

Hook mode: UsermodeHook type: Inline/TrampolineProcess: 1176 (lsass.exe)Victim module: ntdll.dll (0x7c900000 - 0x7c9af000)Function: ntdll.dll!ZwQuerySection at 0x7c90d8b0Hook address: 0x980a02Hooking module: <unknown>

Disassembly(0):0x7c90d8b0 b8020a9800       MOV EAX, 0x980a020x7c90d8b5 ffe0             JMP EAX0x7c90d8b7 03fe             ADD EDI, ESI0x7c90d8b9 7fff             JG 0x7c90d8ba0x7c90d8bb 12c2             ADC AL, DL0x7c90d8bd 1400             ADC AL, 0x00x7c90d8bf 90               NOP0x7c90d8c0 b8a8000000       MOV EAX, 0xa80x7c90d8c5 ba               DB 0xba0x7c90d8c6 0003             ADD [EBX], AL

apihooks - Duqu

► The binaries (.exe, .dll, .sys, etc) involved with malicious processes and drivers can be dumped to disk for analysis

► Volatility can also be used to acquire the unpacked version of malware samples from memory► Run sample, take memory capture, acquire executable

Dumping Processes to Disk

► Instead of actively hooking functions in the kernel to determine when certain events occur, there is a much safer, passive option

► You can "register" a function to be called by the system

► Every time the event occurs, your function is called

Kernel Callbacks

► Process related► Activated on process/thread creation, executable

loading, etc► Used to inject DLL into processes on startup and to stop

processes from starting► Used by Mebroot, BlackEnergy, Rustock, TDL

► File system► Activated on new file system registration► TDL3 infects MBR and uses callback to know when FS is

mounted► Stuxnet uses to attach to device stack to hide its files

Malware Targeted Callbacks

► Bugcheck► Activated when machine is crashing (BSOD, crash

dumping being written)► Rustock.C cleans itself from memory before a crash

dump is written► Sinowal ensures the MBR is still infected before shutting

down after a BSOD

► Registry► Activated on modifications to the registry, the callback

can monitor, block, or modify the operation► Malware uses to prevent persistence methods inside the

registry (run keys, etc) from being modified/deleted

Targeted Callbacks Cont.

Skilled Attackers

► Besides malware, we also want to recover actions performed directly by attackers► Most of the artifacts used to recover this data are not

written to disk

► Volatility has many capabilities for this purpose that span across its supported operating systems

► We will discuss capabilities not covered in the malware section

Skilled Attackers

► cmdscan/consoles► Plugins that can recover both the input and output of

cmd.exe sessions

► bash_history/bash_hash► Plugins that can recover commands entered on a system

and when they were entered as well as the number of times each binary was executed

Attacker Keyboard Input/Interaction

► List files/handles opened by each process on a system

► Determine which files, processes, registry keys, IPC data, etc were being interacted with by a process

► On Linux socket handles are just file descriptors

Opened Handles/Files

► Can recover loaded kernel drivers► Can uncover “hidden” drivers through a

combination of memory scanning and cross-referencing

► Windows► modules & modscan

► Linux► linux_lsmod & linux_check_modules

Kernel Drivers/Modules

► Can list both active connections (e.g. recreate netstat output) as well locate previously terminated network connection structures

► On Linux we can also recover previously sent and received packets and trace them to their owning process

Network Connections

► Volatility can recover filesystem information from memory including both metadata and file contents

► Windows - mftparser ► Recovers and parses the MFT for every active NTFS file

system► Output includes metadata for all files and contents for

resident files

► Linux – linux_find_file► Parses any standard (non-stacked) file system from

memory and dumps the file system to disk► tmpfs (/dev/shm) lives only in memory!

File systems in Memory

► Volatility can recover privileges assigned to a process

► Help determine what level of access the attacker and/or malware gained on your system

Process Privileges

Grrcon: What type of access did the attacker gain?

Software-Based Encryption

► All major software encryption systems store encryption keys in memory

► The key is used to decrypt file data being read and encrypt file data being written

► Memory forensics can recover these keys

Software-Based Encryption

► The following have tools and techniques published to recover keys from memory:► Truecrypt► BitLocker► FileVault2 (Mac)► Luks & dm-crypt (Linux, Android)

Volume Encryption

► The following have tools and techniques published to recover keys from memory:► PGP► Truecrypt Containers► <<A number of enterprise/commercial tools>>

File-Based Encryption

► The protected media must be currently or very recently accessed/mounted for the key to be in memory

► Closed-source projects require reversing both of the in-memory key-storage and on-disk format► Already done for Bitlocker and FileVault2

Limitations of Key Recovery

► Memory forensics recovers a wealth of evidence that is never stored to disk and is essential to many investigations

► Live forensics processes are outdated and trivially defeated/lied to by malware

► Modern malware avoids disk completely► Will never find it if you pull the plug!

► The pain of encryption can be eased with memory forensics

Conclusion

► Contact:► andrew@memoryanalysis.net► @attrc

► Volatility:► http://volatility-labs.blogspot.com/► @volatility

Questions/Comments?

[1] http://code.google.com/p/volatility/[2] http://mnin.blogspot.com/2012/06/quickpost-flame-volatility.html

References