PV204 Security technologies
In-Memory Malware Analysis
Václav Lorenc
Principal Security Engineer, Here Technologies

2 | PV204 In-Memory Malware Analysis

Agenda
• Motivation!
  – No x86 assembly required
  – No malware (de)obfuscation magic
• How does an OS look “inside”?
  – Processes and other data structures
  – How the memory is organized
• Common tools used for analysis
• Searching for system “oddities”
  – What are the important system indicators?
• Real samples discussed and analyzed! (Labs)

Why memory analysis?
• It’s fun!
• Acquiring evidence for legal investigations
  – It used to be different in the past
• Technical simplification of reverse engineering
  – No binary obfuscation present – the code has to run
• Incident response activities
  – Easy way to learn more about the attackers
  – Malicious binary may only be present in memory
  – Fast: RAM is (usually) smaller than full hard-drive images

Challenges in Reverse Engineering (RE)
• Assembly language (for multiple platforms)
  – Along with undocumented instructions (or behavior)
• Anti-debugging tricks
  – Exceptions, interrupts, PE manipulations, time checking, ...
• Anti-VM tricks
  – Uncommon behavior of known instructions
  – Registry detections, HW detections
• Code obfuscation/packing
  – The most challenging to overcome, mostly

PE File Format
(figure)

MEMORY ANALYSIS
‘cause reverse engineering ninjas are busy

x86/x64 Memory organization
• Physical memory
  – RAM; what we really have installed
• Virtual memory
  – Separation of logical process memory from the physical
  – Logical address space > physical (e.g., swap)
  – Address space shared by several processes, yet separated
• Paging vs. Segmentation
  – Possible memory organization approaches

Segmentation / Paging / Physical Address
(figure)

Win32 Address Space
(figure)

Linux Address Space
(figure)

Operating System Data Structures
• How does the OS know about processes, files, …?
  – A lot of ‘metadata’ for important data
  – Based on C/C++ data structures (see MSDN documentation)
• (Double-)linked list
  – Another common data structure (not only in OS)
  – Method for implementing lists in computer memory
• Direct Kernel Object Manipulation (DKOM)
  – Used for manipulating the structures to hide malicious stuff

Double Linked Lists
(figure)

DKOM – Direct Kernel Object Manipulation
• Dozens of various (double-)linked lists in Windows
  – Maintained by kernel
  – Processes, threads, opened files, memory allocations, …
• DKOM is used by rootkits
  – Hiding from the sight of the user
• Rootkit paradox
  – Rootkits need to run on the system
  – … and need to remain hidden at the same time
• Memory analysis can help to discover DKOM
  – Anti-analysis techniques are known as well

Interesting OS Structures
• Suspicious Memory Pages
• Processes
• Threads
• Sockets (Connections)
• Handles (Files)
• Recently executed binaries
• Modules/Libraries
• Mutexes
• LSA (Local Security Authority)
• Registry
• …
• Files
• Caches

Memory Pages
• Various ‘flags’
  – Read/write/executable pages
  – Helping OS to organize memory efficiently
• Executable + Writable pages
  – Why is it bad?
• Process Injection Technique(s)
  – Allocating memory that can be modified (unpacked, decoded, decrypted) and executed.
  – Used by legitimate processes too (Windows OLE)

DLL/Process Injection
(figure)

So that Internet Explorer behaves like a malicious process…
(figure)

AND NOW SOMETHING COMPLETELY… PRACTICAL

MEMORY ACQUISITION
Phase #1

Memory (re)sources
• Live RAM
  – The most common source for analysis
  – Easier to obtain from virtualized hosts
• Paging file/Swap
  – Used by operating systems to allocate more memory than the available RAM
• Hibernation file
• Memory crash dumps
  – Limited analysis options

Memory Acquisition (decision flowchart)
(figure: VM? → Memory Dump / Snapshot / Clone; Running? → Hibernation File / Page File (Swap) / Crash Dumps; Got root? → Dumping locally; Remote access?; Cost / Benefits; Tool Footprint; FireWire / PCI Probes)

Memory Acquisition
• Virtual Machines
  – VMWare, VirtualBox, …
  – VirtualBox --dbg --startvm “MalwareVM” (and the .pgmphystofile debugger command, or vboxmanage debugvm)
• Directly from the system! (if we have permissions to do that)
  – windd, fastdump, dumpit, memorize, winpmem
  – Or we can hibernate the system (hiberfil.sys)
• Remotely
  – Encase Enterprise, Mandiant Intelligent Response, Access Data FTK
• Common issues
  – Unsupported OS (Linux, MacOS; 32bit/64bit)
  – Swap (portions of memory on drive)
  – Malware not running inside a virtual machine

Memory Acquisition (2)
• Local memory acquisition notes
  – Unless you have plenty of money, try to get root/admin access to the host
  – Better to acquire to external storage (USB, network)
  – The lower the tool’s memory footprint, the better
  – If you run malware in a VM, better have less RAM
    • Faster analysis
    • … and configure no swap for the system too
    • However: malware can check for the available memory

Memory Acquisition (3)
• Remote memory acquisition
  – Very useful for fast Incident Response
  – Requires enterprise licenses for the commercial tools
  – Acquisition is done over the network
  – Agents already in memory, no extra memory demands
  – Modern EDR/XDR solutions support this too
• Open-source alternative?
  – GRR (Google Rapid Response)
    • Still in development, primarily an Incident Response tool
    • Allows remote memory acquisition

MEMORY ANALYSIS
Phase #2

Memory Analysis Tools
• FireEye Redline
  – Free, available for Windows
• HBGary/GoSecure Responder Pro
  – Community Edition used to be available
• Volatility Framework
  – Open source, no GUI

FireEye Redline
• Free tool for Incident Response
  – Not open-source, though
  – .NET executable (runs only under Windows)
  – Supports OS X and Linux artifacts too
• Nice and simple user interface
  – Very nice analysis workflow
  – Perfect for searching for string information
  – Rates the level of suspiciousness of processes
• Sad things
  – Memory analysis not reliable, process rating as well

Redline: Start
(figure)

Redline: Timeline
(figure)

Redline: Time Wrinkles
(figure)

HBGary Responder (Pro/CE)
• Professional Tool
  – Very expensive
  – Yet not very well maintained in the last few years
• Windows only
  – Written in .NET, supports only Windows images
• ‘Killer’ features
  – Digital DNA
    • automatic rating of suspicious processes
  – Visual ‘Canvas’ debugger
    • Supports the analysis of (unpacked) binaries
• Replaced with CounterTack Responder Pro

HBGary Responder Pro -- DDNA
• Examples of the ‘reasoning’ behind DDNA
  – Does the process communicate over TCP/IP?
  – Does it manipulate the registry?
  – Did the analysis reveal any known bad stuff (strings, IPs, mutexes)?
  – Does the process access any other process in the system?
  – Does it access some system-critical process?
  – Did the analysis find any evidence of obfuscation?

Responder Pro: DDNA
(figures, two slides)

Responder Pro: Canvas
(figure)

Volatility Framework
• Open-source tool
  – GPL licensed
• Written in Python
  – Available for a variety of platforms (Linux, Windows, Mac OS)
  – Can be automated; many contributed plugins
• Supports analysis of memory dumps from various OSs
  – Windows, Linux, MacOS, Android
  – Both 32-bit and 64-bit versions
• Command-line driven
• Two (experimental) web GUIs

Google Rekall
• Another open source tool
• Supported by Google
  – Included as a part of the GRR (Google Rapid Response) agent
• Originally based on the code of Volatility
  – Shared commands
  – Different architectural concepts
• Proof-of-concept GUI
  – Better workflows
• Discontinued since 2020

Additional Important Tools
• Strings
  – Both *nix and Windows
  – Extracts string information from the file
  – Can be used in cooperation with Volatility/Rekall
  – Beware of text encoding! (ascii, utf-8, …)
• Foremost
  – Forensic tool
  – Can extract various data files from an image (or process)
    • Images, executables, documents, …

Forensic analysis of RAM?
• Are there any benefits?
• Collecting forensic evidence
  – Executable images
  – PDF/Doc documents
• Possible origin of the infection?
  – Images
  – URLs
• Getting an approximate timeline
  – Works better on servers (always online, higher uptime, way more RAM)

What to search for in the Operating System?
• Command & Control (C2) communication
• Hidden processes
• Process/DLL injection evidence
• Non-standard/infamous binaries/mutexes
• Open sockets and files
• Registry records
• Command-line history
• Encryption keys!
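The "hidden processes" item above is exactly the DKOM case from the earlier slides: a rootkit unlinks its process from the kernel's doubly linked list, so the OS (and a list walk such as Volatility's pslist) no longer reports it, yet the object has to stay in memory for the process to run. The following Python model, added here as an example and not part of the original slides or of Volatility, shows the rootkit paradox and the cross-view check that exploits it. The record layout, the "Proc" pool tag and the sample process names are constructed stand-ins for the real _EPROCESS / PsActiveProcessHead structures.

```python
"""Toy model of the kernel's active-process list: list walk vs. pool scan, before and after DKOM."""
import struct
from dataclasses import dataclass

# Constructed layout of a process object in a toy "kernel pool" (a stand-in for _EPROCESS):
#   4-byte pool tag "Proc" | u32 pid | 16-byte name | u32 flink | u32 blink
REC = struct.Struct("<4sI16sII")
TAG = b"Proc"
HEAD = 0      # list head (analogue of PsActiveProcessHead): u32 flink at 0, u32 blink at 4
LINKS = 24    # offset of the (flink, blink) pair inside a record (ActiveProcessLinks analogue)


@dataclass
class Proc:
    offset: int
    pid: int
    name: str


def _link_pos(off: int) -> int:
    """Byte offset of the (flink, blink) pair for the list head or for a process record."""
    return 0 if off == HEAD else off + LINKS


def get_links(mem, off):
    return struct.unpack_from("<II", mem, _link_pos(off))


def set_links(mem, off, flink, blink):
    struct.pack_into("<II", mem, _link_pos(off), flink, blink)


def read_proc(mem, off):
    tag, pid, name, _, _ = REC.unpack_from(mem, off)
    if tag != TAG:
        raise ValueError(f"no process object at {off:#x}")
    return Proc(off, pid, name.rstrip(b"\0").decode())


def build_pool(entries, size=4096):
    """Place (offset, pid, name) records in a zeroed buffer and chain them, in order, into a
    circular doubly linked list hanging off HEAD. Returns the buffer."""
    mem = bytearray(size)
    for off, pid, name in entries:
        REC.pack_into(mem, off, TAG, pid, name.encode().ljust(16, b"\0"), 0, 0)
    ring = [HEAD] + [off for off, _, _ in entries]
    n = len(ring)
    for i, off in enumerate(ring):
        set_links(mem, off, ring[(i + 1) % n], ring[(i - 1) % n])
    return mem


def pslist(mem):
    """Walk the list from HEAD: the view the live OS (and Volatility's pslist) gives."""
    seen, out = set(), []
    cur, _ = get_links(mem, HEAD)
    while cur != HEAD and cur not in seen:   # 'seen' stops a deliberately looped list
        seen.add(cur)
        out.append(read_proc(mem, cur))
        cur, _ = get_links(mem, cur)
    return out


def psscan(mem):
    """Carve every object still carrying the pool tag, linked or not (the psscan view)."""
    return [read_proc(mem, off)
            for off in range(0, len(mem) - REC.size + 1, 4)
            if mem[off:off + 4] == TAG]


def dkom_unlink(mem, off):
    """What a DKOM rootkit does to a process: splice its record out of the list without freeing
    it (the process keeps running) and point its own links at itself so the object stays sane."""
    flink, blink = get_links(mem, off)
    _, prev_b = get_links(mem, blink)
    set_links(mem, blink, flink, prev_b)     # predecessor now skips the record
    next_f, _ = get_links(mem, flink)
    set_links(mem, flink, next_f, blink)     # successor now points back past it
    set_links(mem, off, off, off)


def find_hidden(mem):
    """Cross-view check (the psxview idea): objects the scan finds but the list walk does not."""
    listed = {p.pid for p in pslist(mem)}
    return sorted((p.pid, p.name) for p in psscan(mem) if p.pid not in listed)


def demo():
    # Constructed sample: three "processes" scattered through the pool
    mem = build_pool([(0x100, 4, "System"), (0x300, 560, "lsass.exe"), (0x700, 1337, "evil.exe")])
    before = find_hidden(mem)      # nothing hidden yet
    dkom_unlink(mem, 0x700)        # rootkit hides evil.exe from the list walk
    after = find_hidden(mem)       # the carved object still exists: [(1337, 'evil.exe')]
    return before, after


if __name__ == "__main__":
    print(demo())
```

The scan is what makes the check robust: it does not trust any pointer the rootkit could have edited, only the object's own contents still lying in the pool. Real psscan output also contains terminated processes whose pool memory has not been reused yet, so a pid that is carved but not listed needs its exit time checked before it is called "hidden".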
Known Bad Mutexes
• Conficker: .*-7 and .*-99
• Sality.AA: Op1mutx9
• Flystud.??: Hacker.com.cn_MUTEX
• NetSky: 'D'r'o'p'p'e'd'S'k'y'N'e't'
• Sality.W: u_joker_v3.06
• Poison Ivy: )!VoqA.I4 (and 10 thousand others)
• Koobface: 35fsdfsdfgfd5339

Known Good Processes/Locations
Process Name   Expected Path
lsass.exe      \windows\system32
services.exe   \windows\system32
csrss.exe      \windows\system32
explorer.exe   \windows
spoolsv.exe    \windows\system32
smss.exe       \windows\system32
svchost.exe    \windows\system32
iexplore.exe   \program files, \program files (x86)
winlogon.exe   \windows\system32

Operational Security (OpSec)
• Basics of OpSec
  – “Think before you act” mentality
  – Limited information sharing
• Specifics of memory analysis
  – You can often upload acquired executables to VirusTotal
    • MD5/SHA1 of the dump is different from the executable
    • This doesn’t apply to documents/HTML pages!
  – However, incomplete binaries can still infect your system!
    • Running in a VM or other OS is recommended

Recommended Analysis Process
• Use the Internet! (Google, VirusTotal, …)
• Make notes!
  – What OS is being analyzed? (imageinfo)
  – Network connections? (+ whois records, …)
  – Processes (hidden, odd, non-standard; timestamps, …)
  – Mutexes (+ files open)
  – Dump processes when needed (OpSec!)
  – Strings (URIs, C-like strings %s %d, domains, …)
• Summarize your findings in a final report

More information
• Web pages of this course
  – https://dior.ics.muni.cz/~valor/pv204
• Additional resources
  – Public memory images for analysis
  – Reverse Engineering for Beginners (amazing PDF doc)
  – REMnux: All you need to start with RE
  – ContagioDump blog (for additional malware samples)
  – Malware Traffic Analysis (both traffic & samples)

ANSWERS & QUESTIONS
Thank you for your attention.
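The two indicator tables above are the kind of thing that is worth turning into a script rather than checking by eye across a few hundred processes and mutexes. The Python below is an added example (not code from the slides or from Volatility) that encodes the "Known Good Processes/Locations" table and the "Known Bad Mutexes" list and runs them over process and mutex listings in the text shape that pslist and mutantscan print. The sample process paths and mutex names are constructed; the Internet Explorer entry is matched as a directory prefix, an assumption made because IE's binary lives in a vendor subfolder under Program Files.

```python
"""Triage helpers: known-good process locations and known-bad mutex names from the slides."""
import re

# "Known Good Processes/Locations" slide: expected directory (drive-less, lower-case) per binary.
KNOWN_GOOD = {
    "lsass.exe": {"\\windows\\system32"},
    "services.exe": {"\\windows\\system32"},
    "csrss.exe": {"\\windows\\system32"},
    "explorer.exe": {"\\windows"},
    "spoolsv.exe": {"\\windows\\system32"},
    "smss.exe": {"\\windows\\system32"},
    "svchost.exe": {"\\windows\\system32"},
    "iexplore.exe": {"\\program files", "\\program files (x86)"},
    "winlogon.exe": {"\\windows\\system32"},
}
PREFIX_OK = {"iexplore.exe"}   # assumption: IE installs into a subfolder of the listed path

# "Known Bad Mutexes" slide, as anchored regular expressions (re.fullmatch). The Conficker
# patterns are deliberately loose (any name ending in -7 or -99), so a hit is a lead, not a verdict.
KNOWN_BAD_MUTEXES = [
    ("Conficker", r".*-7"),
    ("Conficker", r".*-99"),
    ("Sality.AA", r"Op1mutx9"),
    ("Flystud", r"Hacker\.com\.cn_MUTEX"),
    ("NetSky", r"'D'r'o'p'p'e'd'S'k'y'N'e't'"),
    ("Sality.W", r"u_joker_v3\.06"),
    ("Poison Ivy", r"\)!VoqA\.I4"),
    ("Koobface", r"35fsdfsdfgfd5339"),
]


def split_image_path(image_path: str):
    """Normalise a process image path as pslist/dlllist print it and split it into
    (file name, directory). Handles the \\??\\ and \\SystemRoot prefixes and a drive letter."""
    p = image_path.strip().lower().replace("/", "\\")
    if p.startswith("\\??\\"):
        p = p[4:]
    if p.startswith("\\systemroot"):
        p = "\\windows" + p[len("\\systemroot"):]
    if len(p) >= 2 and p[1] == ":":
        p = p[2:]
    directory, _, name = p.rpartition("\\")
    return name, directory


def check_process_path(image_path: str):
    """None if the binary sits where the table expects it (or is not in the table), else a finding."""
    name, directory = split_image_path(image_path)
    expected = KNOWN_GOOD.get(name)
    if expected is None:
        return None
    if directory in expected:
        return None
    if name in PREFIX_OK and any(directory.startswith(e + "\\") for e in expected):
        return None
    return f"{name} running from '{directory or '<no path>'}', expected {sorted(expected)}"


def match_mutexes(names):
    """For each mutex name (as mutantscan prints it, with the \\BaseNamedObjects\\ prefix),
    return the (name, [families]) pairs whose indicators match the final path component."""
    hits = []
    for raw in names:
        leaf = raw.rsplit("\\", 1)[-1]
        families = sorted({fam for fam, pat in KNOWN_BAD_MUTEXES if re.fullmatch(pat, leaf)})
        if families:
            hits.append((raw, families))
    return hits


def triage(processes, mutexes):
    """processes: (pid, image path) pairs; mutexes: mutex names. Returns human-readable findings."""
    findings = []
    for pid, path in processes:
        finding = check_process_path(path)
        if finding:
            findings.append(f"pid {pid}: {finding}")
    for name, families in match_mutexes(mutexes):
        findings.append(f"mutex {name!r} matches {', '.join(families)}")
    return findings


# Constructed sample data in the shape of pslist / mutantscan output (not from a real image)
SAMPLE_PROCESSES = [
    (4, "System"),                                              # kernel pseudo-process, no path
    (560, r"\??\C:\WINDOWS\system32\lsass.exe"),
    (1044, r"C:\WINDOWS\system32\svchost.exe"),
    (1624, r"C:\WINDOWS\explorer.exe"),
    (2208, r"C:\Documents and Settings\bob\Local Settings\Temp\svchost.exe"),  # wrong location
    (3012, r"\SystemRoot\System32\smss.exe"),
    (3300, r"C:\Program Files (x86)\Internet Explorer\iexplore.exe"),
]
SAMPLE_MUTEXES = [
    r"\BaseNamedObjects\ShimCacheMutex",
    r"\BaseNamedObjects\)!VoqA.I4",
    r"\BaseNamedObjects\Global\c5a3b2-7",
    r"\BaseNamedObjects\Op1mutx9",
]

if __name__ == "__main__":
    for line in triage(SAMPLE_PROCESSES, SAMPLE_MUTEXES):
        print(line)
```

A process name that is in the table but runs from a user-writable directory is a finding; a name the table does not know is silently skipped, which is why the table should be extended per investigation rather than treated as complete. Mutex matches are leads to be confirmed with the "Use the Internet!" step, not attributions on their own.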
LAB

Lab Requirements
• Oracle VM VirtualBox
  – And enough space on your hard drive (12 GB at least)
• Volatility Framework
  – Version 2 (version 3 is available in the VM too)
• Unix tools
  – strings, foremost
• Your favorite text editor for notes
• Voluntary:
  – Javascript/PDF analysis tools

Recommended Analysis Process
• Use the Internet! (Google, VirusTotal, …)
• Make notes!
  – What OS is being analyzed?
  – Network connections? (+ whois records, …)
  – Processes (hidden, odd, non-standard; timestamps, …)
  – Mutexes (+ files open)
  – Strings (URIs, C-like strings %s %d, domains, …)
  – …
• Summarize your findings in a final report

Volatility2 Framework – cheat sheet
• psxview (search for hidden processes)
• apihooks
• driverscan
• ssdt / driverirp / idt
• connections / connscan (WinXP, active network connections)
• netscan (Win7, opened network sockets and connections)
• pslist / psscan (process listing from WinAPI vs. EPROCESS blocks)
• malfind / ldrmodules (code injection + dump / DLL detection)
• hivelist (registry lookup and parsing) / hashdump
• handles / dlllist / filescan (filelist / DLL files / FILE_OBJECT handles)
• cmdscan / consoles (cmd.exe history / console buffer)
• shimcache (application compatibility info)
• memdump / procmemdump / procexedump

Analysis: xp-infected.vmem
• Recommended tools
  – Volatility, Rekall (or Redline)
• Objectives:
  – Get familiar with the memory of your first infected system

Analysis: win7_x64.vmem
• Recommended tools
  – Volatility, Rekall (or Redline)
• Objectives:
  – Get familiar with the memory of a Win7 x64 system
  – Can you see any differences from the previous sample?
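The malfind entry in the cheat sheet implements the "Executable + Writable pages" idea from the Memory Pages slide: memory that a process allocated itself, with no file behind it, and that is both writable and executable is where unpacked or injected code ends up. The Python below is an added example (not Volatility's malfind and not code from the slides) that applies that filter to a constructed list of VAD regions for a fictional process, skips the all-zero regions malfind also ignores, and reports what the first bytes of each hit look like. The region addresses, protections and bytes are all made up for the example.

```python
"""malfind-style scan of a process's VADs for unbacked writable+executable memory (constructed model)."""
from dataclasses import dataclass
from typing import Optional

# Protection names as Volatility prints them; malfind cares about the executable+writable ones
EXEC_WRITABLE = {"PAGE_EXECUTE_READWRITE", "PAGE_EXECUTE_WRITECOPY"}


@dataclass
class Vad:
    """One virtual address descriptor of a process, reduced to what the check needs."""
    start: int
    end: int
    protection: str
    private: bool                       # True for anonymous allocations, False for mapped files
    mapped_file: Optional[str] = None   # backing file for image/data mappings
    data: bytes = b""                   # first bytes of the region, for the header check


def is_suspicious_vad(vad: Vad) -> bool:
    """malfind's core filter: private (unbacked) memory that is both writable and executable.
    Loaded images are file-backed and therefore never hit this, even when WRITECOPY."""
    return vad.private and vad.mapped_file is None and vad.protection in EXEC_WRITABLE


def classify(data: bytes) -> str:
    """What sits at the start of the region."""
    if not data.strip(b"\0"):
        return "empty (all zeros: committed but unused)"
    if data[:2] == b"MZ":
        return "PE header (MZ) in private memory: unpacked or injected executable"
    return "unknown code or data"


def hexdump(data: bytes, width: int = 16) -> str:
    lines = []
    for i in range(0, len(data), width):
        chunk = data[i:i + width]
        hexpart = " ".join(f"{b:02x}" for b in chunk)
        text = "".join(chr(b) if 32 <= b < 127 else "." for b in chunk)
        lines.append(f"{i:04x}  {hexpart:<{width * 3}} {text}")
    return "\n".join(lines)


def scan_process(pid: int, vads):
    """Return (pid, start, end, verdict, data) for every region worth a closer look.
    Like malfind, regions whose first page is all zeros are skipped; RWX memory that some
    legitimate software (Windows OLE, JIT engines) allocates still shows up and needs review."""
    findings = []
    for vad in vads:
        if not is_suspicious_vad(vad):
            continue
        verdict = classify(vad.data)
        if verdict.startswith("empty"):
            continue
        findings.append((pid, vad.start, vad.end, verdict, vad.data))
    return findings


def report(pid: int, vads) -> str:
    return "\n\n".join(
        f"Process {p}  Address range {s:#010x}-{e:#010x}  {v}\n{hexdump(d[:32])}"
        for p, s, e, v, d in scan_process(pid, vads))


# Constructed VAD list for a fictional pid 1044 (not taken from any of the lab images)
SAMPLE_VADS = [
    Vad(0x01000000, 0x0100ffff, "PAGE_EXECUTE_WRITECOPY", False, r"\WINDOWS\system32\svchost.exe"),
    Vad(0x7c800000, 0x7c8f5fff, "PAGE_EXECUTE_WRITECOPY", False, r"\WINDOWS\system32\kernel32.dll"),
    Vad(0x00130000, 0x0022ffff, "PAGE_READWRITE", True),                    # heap/stack: not executable
    Vad(0x003a0000, 0x003bffff, "PAGE_EXECUTE_READWRITE", True, data=b"\0" * 64),  # RWX but untouched
    Vad(0x00d00000, 0x00d2ffff, "PAGE_EXECUTE_READWRITE", True,
        data=b"MZ\x90\x00\x03\x00\x00\x00\x04\x00\x00\x00\xff\xff\x00\x00"),        # PE unpacked here
    Vad(0x00e40000, 0x00e40fff, "PAGE_EXECUTE_READWRITE", True,
        data=b"\x55\x8b\xec\x83\xec\x10"),                                          # small RWX code stub
]

if __name__ == "__main__":
    print(report(1044, SAMPLE_VADS))
```

Two regions survive the filter: the one starting with an MZ header, which is the classic sign of a whole executable being mapped by hand, and a small RWX region with code-like bytes that would be the next thing to dump (procmemdump / memdump in the cheat sheet) and look at. The file-backed svchost.exe and kernel32.dll images are ignored even though they are executable and copy-on-write, which keeps the output short enough to read.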
Analysis: zeus.vmem
• Recommended tools
  – Volatility, Rekall
• Objectives:
  – Find suspicious network connections
  – Find the process responsible for the network activity
  – Can you figure out what infection this is?

Analysis: zeus2x4.vmem
• Recommended tools
  – Volatility, Rekall
• Objectives:
  – Find suspicious network connections
  – Find the process responsible for the network activity
  – Can you figure out what infection this is?
  – Can you dump the virus configuration?

Analysis: bob.vmem
• Recommended tools
  – Volatility, Rekall, Foremost, Strings
• Objectives:
  – Find suspicious network connections
  – Find the process responsible for the network activity
  – Can you figure out what caused the infection?
  – Can you dump the initial source vector?
  – What known vulnerability (CVE) has been exploited?

Answers & Questions
Thank you for your attention.