Upload
security-bootcamp
View
1.814
Download
4
Tags:
Embed Size (px)
Citation preview
SECURITY BOOTCAMP 2012 | Make yourself to be an expert!
1
2
Nguyễn Chấn Việt | [email protected]
Malware Memory Forensic
SECURITY BOOTCAMP 2012 | Make yourself to be an expert!
2
2
Who am ISenior Security Researcher
+4 years in Information Security. Focusing on Malware Analysis and Exploit Development
Twitter : https://twitter.com/vietwow
SECURITY BOOTCAMP 2012 | Make yourself to be an expert!
3
2
AgendaWhy Memory Forensics?
What is Memory Forensics?
Our approach : Rootkit DetectionWindows Platform
Linux Platform
Real-world Malwares
SECURITY BOOTCAMP 2012 | Make yourself to be an expert!
4
2
Why Memory Forensics ?
In past, Forensic Analysis = File System Forensic
Why memory forensics ?Malware Analysis
Incident Respone (IR)
HOT Topic for researchers
SECURITY BOOTCAMP 2012 | Make yourself to be an expert!
5
2
Why Memory Forensics ?Everything in the OS traverses RAM
•Processes and threads
•Malware (including rootkit technologies)
•Network sockets, URLs, IP addresses
•Open files
•User generated content Passwords, caches, clipboards
•Encryption keys
•Hardware and software configuration
•Windows registry keys and event logs
SECURITY BOOTCAMP 2012 | Make yourself to be an expert!
6
2
Memory Forensics Questions…What processes were running on the suspect system at the time memory image was taken?
What (hidden or closed) processes existed?
Are there any (hidden or closed) network connections?
Are there any (hidden or closed) sockets?
What is the purpose and intent of the suspected file?
Are there any suspicious DLL modules?
Are there any suspicious URLs or IP addresses associated with a process?
SECURITY BOOTCAMP 2012 | Make yourself to be an expert!
7
2
Memory Forensics Questions…Are there any suspicious open files associated with a process?
Are there any closed or hidden files associated with any process?
Are there any suspicious strings associated with a particular process?
Are there any suspicious files present? Can you extract them?
Can you extract malicious processes from the memory and analyze it?
SECURITY BOOTCAMP 2012 | Make yourself to be an expert!
8
2
Memory Forensics Questions…Can you identify the attackers and their IP addresses?
Did the attacker create a user account on the system?
Did the malware modify or add any registry entry?
Does the malware use any type of hooks to hide itself?
Did the malware inject itself to any running processes?
What is the relationship between different processes?
What is the intent and purpose of this malware?
SECURITY BOOTCAMP 2012 | Make yourself to be an expert!
9
2
What is Memory Forensics?Là kỹ thuật/quá trình phân tích dấu vết dựa trên memory (RAM) của 1 hệ thống
Bao gồm physical memory (RAM) và Page File/Swap
SECURITY BOOTCAMP 2012 | Make yourself to be an expert!
10
2
Memory Acquisition Winen (Guidance Software)
FastDump Pro (HB Gary) - Limited Free version available
FTK Imager - Free
DD Free but limited - May not work on later versions of Windows
WinHex - Has some limitations
Nigilant32 - Free but for 32-bit systems only
Memoryze (Mandiant) - Free
SECURITY BOOTCAMP 2012 | Make yourself to be an expert!
11
2
Virtual Machine Memory Acquisition
SECURITY BOOTCAMP 2012 | Make yourself to be an expert!
12
2
Memory Forensic ToolsVolatility
https://www.volatilesystems.com/default/volatility
Free & Open Source
Mandiant Redline
http://www.mandiant.com/resources/download/redline/
Free
HBGary Responder
http://www.hbgary.com/responder-pro-2
$$$ - Pro
Community Edition available
SECURITY BOOTCAMP 2012 | Make yourself to be an expert!
13
2
VolatilityAn advanced memory forensics framework
OpenSource
Written by Python
Primarily Windows-focused
Linux (Android) & Mac support now available
Modular, portable
Main reason why I’m here :D
SECURITY BOOTCAMP 2012 | Make yourself to be an expert!
14
2
VolatilityVolatility supports the following extraction capabilities for memory images:
Image date and time
Running processes
Open network sockets
Open network connections
DLLs loaded for each process
Open files for each process
Open registry keys for each process
Memory maps for each process
Extract executable samples
Scanning examples: processes, threads, sockets, connections, modules
SECURITY BOOTCAMP 2012 | Make yourself to be an expert!
15
2
General checking
SECURITY BOOTCAMP 2012 | Make yourself to be an expert!
16
2
Windows Platform
SECURITY BOOTCAMP 2012 | Make yourself to be an expert!
17
2
Volatility
List the processes of a system. This walks the doubly-linked list pointed to by PsActiveProcessHead. It does not detect hidden or unlinked processes.
pslist
SECURITY BOOTCAMP 2012 | Make yourself to be an expert!
18
2
Volatility
To view the active connections
connections
SECURITY BOOTCAMP 2012 | Make yourself to be an expert!
19
2
Volatility
Print all loaded DLLs
dlllist
SECURITY BOOTCAMP 2012 | Make yourself to be an expert!
20
2
Volatility
List Windows services
svcscan
SECURITY BOOTCAMP 2012 | Make yourself to be an expert!
21
2
Linux Platform
SECURITY BOOTCAMP 2012 | Make yourself to be an expert!
22
2
Volatility
Print all loaded modules
linux_lsmod
SECURITY BOOTCAMP 2012 | Make yourself to be an expert!
23
2
Rootkit Dection
SECURITY BOOTCAMP 2012 | Make yourself to be an expert!
24
2
[1] Windows Platform
SECURITY BOOTCAMP 2012 | Make yourself to be an expert!
25
2
[1.1] DLL Injection
SECURITY BOOTCAMP 2012 | Make yourself to be an expert!
26
2
Normal DLL Interaction
SECURITY BOOTCAMP 2012 | Make yourself to be an expert!
27
2
Injected DLL Interactopn
SECURITY BOOTCAMP 2012 | Make yourself to be an expert!
28
2
DLL InjectionDLL Injection là kỹ thuật rất phổ biến được sử dụng bởi malwareVirtualAllocEx( ) và CreateRemoteThread( )
SetWindowsHookEx( )
SECURITY BOOTCAMP 2012 | Make yourself to be an expert!
29
2
DLL Injection Detectionldrmodules
Là module để detect DLL InjectionTrong mỗi process, các DLL sẽ được track trong 3
linked-listStealthy malware sẽ unlink dll của chúng trong các
linked-list nàyPlugin này sẽ query các linked-list này và hiển thị
thông tin để ta có thể so sánh
SECURITY BOOTCAMP 2012 | Make yourself to be an expert!
30
2
[1.2] Usermode & Kernelmode Hooking
SECURITY BOOTCAMP 2012 | Make yourself to be an expert!
31
2
Levels of Access in Windows Ring 3 – User Land
User
Administrator
System
Ring 0 – Kernel Land
Drivers
SECURITY BOOTCAMP 2012 | Make yourself to be an expert!
32
2
OS Internals• Readfile() called on File1.txt• Transition to Ring 0• NtReadFile() processed
• I/O Subsystem called
• IRP generated
• Data at File1.txt requested from ntfs.sys
• Data on D: requested from dmio.sys
• Data on disk 2 requested from disk.sys
SECURITY BOOTCAMP 2012 | Make yourself to be an expert!
33
2
OS Internals• Binary replacement eg modified Exe
or Dll
• Binary modification in memory eg He4Hook
• User land hooking eg Hacker Defender
• IAT hooking
SECURITY BOOTCAMP 2012 | Make yourself to be an expert!
34
2
OS Internals• Kernel Hooking • E.g. NtRootkit
• Driver replacement
• E.g. replace ntfs.sys with ntfss.sys
• Direct Kernel Object Manipulation – DKOM
• E.g. Fu, FuTo
SECURITY BOOTCAMP 2012 | Make yourself to be an expert!
35
2
OS Internals• IO Request Packet (IRP) Hooking • IRP Dispatch Table
• E.g. He4Hook (some versions)
SECURITY BOOTCAMP 2012 | Make yourself to be an expert!
36
2
OS Internals• Filter Drivers• The official Microsoft method• Types
• File system filter
• Volume filter• Disk Filter• Bus Filter
•
• E.g. Clandestine File System Driver (CFSD)
SECURITY BOOTCAMP 2012 | Make yourself to be an expert!
37
2
Current Rootkit CapabilitiesHide processes
Hide files
Hide registry entries
Hide services
Completely bypass personal firewalls
Undetectable by anti virus
Remotely undetectable
Covert channels - undetectable on the network
Defeat cryptographic hash checking
Install silently
All capabilities ever used by viruses or worms
SECURITY BOOTCAMP 2012 | Make yourself to be an expert!
38
2
[1.2.1] Usermode Hooking
SECURITY BOOTCAMP 2012 | Make yourself to be an expert!
39
2
Windows GUI Subsystem HookingMalware có thể dùng SetWindowsHookEx để intercept các window message
SECURITY BOOTCAMP 2012 | Make yourself to be an expert!
40
2
Windows GUI Hooking Detectionmessagehooks
Là module để detect Windows GUI Hooking
SECURITY BOOTCAMP 2012 | Make yourself to be an expert!
41
2
IAT HookingHook vào IAT Table của process
SECURITY BOOTCAMP 2012 | Make yourself to be an expert!
42
2
IAT HookingIAT Hook
SECURITY BOOTCAMP 2012 | Make yourself to be an expert!
43
2
IAT Hookingvoid hookFunction( PVOID * thunk, HookedFunction & hookedFunction )
{
MEMORY_BASIC_INFORMATION mbi;
//The IAT is marked as read-only memory so we mark it as read-write for the update.
ZeroMemory( &mbi, sizeof( MEMORY_BASIC_INFORMATION ) );
SIZE_T s = VirtualQuery( thunk, &mbi, sizeof( MEMORY_BASIC_INFORMATION ) );
BOOL b = VirtualProtect(mbi.BaseAddress, mbi.RegionSize,
PAGE_READWRITE, &mbi.Protect );
if ( hookedFunction.RealFunction == 0 )
{
hookedFunction.RealFunction = *thunk;
}
*thunk = hookedFunction.HookFunction;
DWORD oldProtect;
VirtualProtect(mbi.BaseAddress, mbi.RegionSize, mbi.Protect, &oldProtect);
}
SECURITY BOOTCAMP 2012 | Make yourself to be an expert!
44
2
Inline HookingThay đổi các byte (thường là 5) đầu tiên của chương trình
SECURITY BOOTCAMP 2012 | Make yourself to be an expert!
45
2
Usermode Hooking Detectionapihooks
Là module để detect IAT Hook và Inline Hook
SECURITY BOOTCAMP 2012 | Make yourself to be an expert!
46
2
[1.2.2] Kernelmode Hooking
SECURITY BOOTCAMP 2012 | Make yourself to be an expert!
47
2
SSDT HookingHook vào SSDT Table
SECURITY BOOTCAMP 2012 | Make yourself to be an expert!
48
2
SSDT Hooking
SECURITY BOOTCAMP 2012 | Make yourself to be an expert!
49
2
SSDT Hooking
SECURITY BOOTCAMP 2012 | Make yourself to be an expert!
50
2
SSDT Hooking• Hook the call when the device is created
NTSTATUS Create(PDEVICE_OBJECT DeviceObject,PIRP Irp)
{
NTSTATUS status = STATUS_SUCCESS;
if ( !CanWriteToSSDT() )
{
//Change the read-only SSDT memory block to read/write
EnableWritingToSSDT();
OldZwQuerySystemInformation = (ZWQUERYSYSTEMINFORMATION)InterlockedExchange(
(PLONG)&g_MappedSystemCallTable[0xAD],
(LONG) NewQuerySytemInformation);
}
Irp->IoStatus.Status = status;
IoCompleteRequest(Irp,IO_NO_INCREMENT);
return status;
}
SECURITY BOOTCAMP 2012 | Make yourself to be an expert!
51
2
Kernelmode Hooking Detectionssdt_ex
Là module để detect SSDT và Inline Hook
SECURITY BOOTCAMP 2012 | Make yourself to be an expert!
52
2
OthersIDT(Interrupt Descriptor Table) Hooking
Sử dụng module “idt” để detect
SYSENTER / SDT Hooking
Hooking SST (KiServiceTable)
Hooking KiSystemService
IRP Hooking
Sử dụng module “driverirp” để detect
=> not enough time to cover all
SECURITY BOOTCAMP 2012 | Make yourself to be an expert!
53
2
[1.3] Process Hiding
SECURITY BOOTCAMP 2012 | Make yourself to be an expert!
54
2
DKOMThay đổi cấu trúc EPROCESS để unlink process cần hide
Ngoài việc hide process, DKOM còn có thể sử dụng để :Add Privileges to Tokens
Add Groups to Tokens
Manipulate the Token to Fool the Windows Event Viewer
Hide Ports
Hide drivers
=> FU là rootkit sử dụng kỹ thuật này
SECURITY BOOTCAMP 2012 | Make yourself to be an expert!
55
2
EPROCESS Linked List
SECURITY BOOTCAMP 2012 | Make yourself to be an expert!
56
2
EPROCESS Linked List
SECURITY BOOTCAMP 2012 | Make yourself to be an expert!
57
2
Rootkit Detectionpsxview (FU Rootkit)
SECURITY BOOTCAMP 2012 | Make yourself to be an expert!
58
2
[1.4] Driver Hiding
SECURITY BOOTCAMP 2012 | Make yourself to be an expert!
59
2
Driver HidingRootkit sẽ sử dụng kỹ thuật DKOM unlink nó ra khỏi list of loaded module của kernel
SECURITY BOOTCAMP 2012 | Make yourself to be an expert!
60
2
Hiding the Kernel Module Detectionmodscan
Là module để detect hiding kernel module
SECURITY BOOTCAMP 2012 | Make yourself to be an expert!
61
2
[2] Linux Platform
SECURITY BOOTCAMP 2012 | Make yourself to be an expert!
62
2
[2.1] Hiding the Kernel Module
SECURITY BOOTCAMP 2012 | Make yourself to be an expert!
63
2
Hiding the Kernel ModuleRootkit thường tìm cách “giấu” bản thân bằng cách unlink nó ra khỏi linked-list loaded kernel modules
List này được export thông qua /proc/modules (lsmod chính là đọc từ list này và show ra)
SECURITY BOOTCAMP 2012 | Make yourself to be an expert!
64
2
Hiding the Kernel Module Detectionlinux_check_modules
Là module để detect hiding kernel moduleHoạt động dựa trên sysfs để tìm các module đã bị
remove ra khỏi module list nhưng vẫn đang activesysfs là 1 kernel to userland interface, giống như
/proc, export các info & statistics của kernel
SECURITY BOOTCAMP 2012 | Make yourself to be an expert!
65
2
[2.2] Hooking System Call Table
SECURITY BOOTCAMP 2012 | Make yourself to be an expert!
66
2
Hooking System Call TableSystem call là cơ chế để userland code có thể trigger event handling ở kernel
Giống API trên Windows
Được quản lý bởi System call table
System call table là 1 array các function pointer. Mỗi 1 function pointer sẽ tương ứng với 1 syscall handler (vd : sys_read sẽ handle read system call)
Rootkit thường sẽ focus vào việc overwrite table này
SECURITY BOOTCAMP 2012 | Make yourself to be an expert!
67
2
Hooking System Call Table Detectionlinux_check_syscall
Là module để detect System Call Table HookingHoạt động dựa trên cơ chế là enumerate và verify
từng entry trong System Call Table
SECURITY BOOTCAMP 2012 | Make yourself to be an expert!
68
2
[2.3] Hiding Network Connections
SECURITY BOOTCAMP 2012 | Make yourself to be an expert!
69
2
Hiding Network ConnectionsHook vào cấu trúc “tcp4_seq_afinfo”, thay đổi member “show”
SECURITY BOOTCAMP 2012 | Make yourself to be an expert!
70
2
Hiding Network Connections Detectionlinux_check_afinfo
Là module để detect hiding network connectionHoạt động dựa trên cơ chế là duyệt cấu trúc
“file_operations” và “sequence_operations” của tất cả cấu trúc UDP and TCP protocol
SECURITY BOOTCAMP 2012 | Make yourself to be an expert!
71
2
[2.4] Hiding Processes
SECURITY BOOTCAMP 2012 | Make yourself to be an expert!
72
2
Hiding ProcessesPhương pháp 1 :Linux kernel chứa 1 array các cấu trúc task_struct
Cấu trúc task_struct giống như EPROCESS trên Windows
task_struct bao gồm 2 pointer là prev_run và next_run trỏ tới process trước và sau nó tương ứng
Để hide process, ta chỉ cần unlink process ra khỏi list prev_task và next_task này
SECURITY BOOTCAMP 2012 | Make yourself to be an expert!
73
2
Hiding Processestask_array
PIDProcess 0
State
*next_task*prev_task
*next_run*prev_run
*p_pptr (null)
*p_cptr *p_ysptr *p_osptr
...
...
PID
State
*next_task*prev_task
*next_run*prev_run
*p_pptr *p_cptr *p_ysptr *p_osptr
...
...
PID
State
*next_task*prev_task
*next_run*prev_run
*p_pptr *p_cptr *p_ysptr *p_osptr
...
...
PID1901
State
*next_task*prev_task
*next_run*prev_run
*p_pptr *p_cptr *p_ysptr *p_osptr
...
...
SECURITY BOOTCAMP 2012 | Make yourself to be an expert!
74
2
Hiding Processestask_array
PID1901
State
*next_task*prev_task
*next_run*prev_run
*p_pptr *p_cptr *p_ysptr *p_osptr
...
...
PIDProcess 0
State
*next_task*prev_task
*next_run*prev_run
...
...
PID
State
*next_task*prev_task
*next_run*prev_run
*p_pptr *p_cptr *p_ysptr *p_osptr
...
...
*p_pptr *p_cptr *p_ysptr *p_osptr
SECURITY BOOTCAMP 2012 | Make yourself to be an expert!
75
2
Hiding ProcessesPhương pháp 2 : Hooking /proc :Mỗi process sẽ có 1 directory tương ứng trong /proc
Để hide process, rookit sẽ hjack hàm “readdir” và filter out tên process cần
SECURITY BOOTCAMP 2012 | Make yourself to be an expert!
76
2
Hiding Processesstatic inline int fuckit_proc_filldir(void *__buf, const char *name, int namelen, loff_t
offset,
u64 ino, unsigned d_type){
//our hidden PID :)
if(!strcmp(name,HIDDEN_PID) || !strcmp(name,KEY)){
return 0;
}
return original_filldir(__buf,name,namelen,offset,ino,d_type);
}
static inline int fuckit_proc_readdir(struct file *filp, void *dirent, filldir_t filldir){
//save this, we will need to return it later
original_filldir = filldir;
return original_proc_readdir(filp,dirent,fuckit_proc_filldir);
}
SECURITY BOOTCAMP 2012 | Make yourself to be an expert!
77
2
Hiding Processes Detectionlinux_check_fop
Là module để detect hiding processHoạt động dựa trên cơ chế là enumerate /proc
filesystem và rất các opened file, verify từng member của từng file ops structure là hợp lệ
SECURITY BOOTCAMP 2012 | Make yourself to be an expert!
78
2
Anything else ?
SECURITY BOOTCAMP 2012 | Make yourself to be an expert!
79
2
Scan for Registry Artifactsvolatility hivescan -f dumped.vmemvolatility hivelist -f dumped.vmem -o 0x212cb60
SECURITY BOOTCAMP 2012 | Make yourself to be an expert!
80
2
Data Carving Using ForemostForemost
foremost -c foremost.conf -t exe –i <PID>.dmp -o output3
SECURITY BOOTCAMP 2012 | Make yourself to be an expert!
81
2
[3] Real-world Malwares
Mixed many concepts : VirTool:WinNT/Exforel.A
TDSS Rookit
Zeus
Stunex / Duqu
Flame
SECURITY BOOTCAMP 2012 | Make yourself to be an expert!
82
2
VirTool:WinNT/Exforel.ALà malware implement lại toàn bộ TCP/IP Stack
SECURITY BOOTCAMP 2012 | Make yourself to be an expert!
83
2
TDSS RootkitGồm 4 biến thể : TDL-1
TDL-2
TDL-3
TDL-4
SECURITY BOOTCAMP 2012 | Make yourself to be an expert!
84
2
ZeusLà 1 dạng trojan chuyên ăn cắp thông tin trong các công ty/tập đoàn tài chính
Có 1 số tính năng như 1 rootkit
SECURITY BOOTCAMP 2012 | Make yourself to be an expert!
85
2
Stunex / DuquLà 1 dạng worm, gồm 2 phiên bản :Stunex : focus vào việc phá hủy hạ tầng lò phản ứng hạt nhân (PLC) của Iran
Duqu : forcus vào việc ăn cắp thông tin
SECURITY BOOTCAMP 2012 | Make yourself to be an expert!
86
2
FlameCòn có tên là sKyWiper
Là malware nổi tiếng nhất gần đây, phức tạp hơn nhiều so với Duqu. Vừa là 1 backdoor, vừa là trojan, và cũng có những tính năng như 1 worm
SECURITY BOOTCAMP 2012 | Make yourself to be an expert!
87
2
Comparison
SECURITY BOOTCAMP 2012 | Make yourself to be an expert!
88
2
Other cases
SECURITY BOOTCAMP 2012 | Make yourself to be an expert!
89
2
Password KeeperPassword Keeper is a small utility useful for storing our frequently used passwords. Password information can be stored, edited and printed with this easy to use program.
No mention of protection against memory analysis
SECURITY BOOTCAMP 2012 | Make yourself to be an expert!
90
2
Password KeeperWith volatilty we dump the PasswordKeeper processes
And strings our password on it
SECURITY BOOTCAMP 2012 | Make yourself to be an expert!
91
2
ConclusionVolatility is a great tool for memory forensic
Want to learn more ?SANS FOR526: Windows Memory Forensics In-Depth
Windows Memory Forensics Training for Analysts by Volatility Developers
SECURITY BOOTCAMP 2012 | Make yourself to be an expert!
92
2
Any Questions ?
SECURITY BOOTCAMP 2012 | Make yourself to be an expert!
93
2Thank you very much !