Memory Forensics for Detecting Malicious Trojans

Uploader: 第*** | Document ID: 90668878 | Uploaded: 2019-06-14 | Format: PDF | Pages: 27 | Size: 2.37MB

Detecting Malware With Memory Forensics
Hal Pomeranz, SANS Institute

Why Memory Forensics?
Everything in the OS traverses RAM:
- Processes and threads
- Malware (including rootkit technologies)
- Network sockets, URLs, IP addresses
- Open files
- User-generated content
- Passwords, caches, clipboards
- Encryption keys
- Hardware and software configuration
- Windows registry keys and event logs

Memory Analysis Advantages
- Best place to identify malicious software activity
  - Study the running system configuration
  - Identify inconsistencies (contradictions) in the system
  - Bypass packers, binary obfuscators, rootkits (including kernel mode) and other hiding tools
- Analyze and track recent activity on the system
  - Identify all recent activity in context
  - Profile user or attacker activities
- Collect evidence that cannot be found anywhere else
  - Memory-only malware
  - Chat threads
  - Internet activities

What is Memory Forensics?
The study of data captured from the memory of a target system. Ideal analysis includes physical memory data (from RAM) as well as page file (or swap space) data.
Workflow: Acquire (capture raw memory or the hibernation file) -> Context (establish context, find key memory offsets) -> Analyze (analyze data for significant elements, recover evidence).

Windows Memory Acquisition
LIVE system (RAM acquisition):
- DumpIt.exe (http:/)
- win32dd.exe / win64dd.exe, author: Matthew Suiche (http:/)
- Mandiant Redline (http:/)
DEAD system:
- The hibernation file contains a compressed RAM image: %SystemDrive%\hiberfil.sys
- Present on Win2k, XP, Win2003, Vista, Win2008 and Windows 7

Virtual Machine Memory Acquisition
- VMware (Fusion/Workstation/Server/Player): .vmem file = raw memory image
- Microsoft Hyper-V: .bin file = raw memory image
- Parallels: .mem file = raw memory image
- VirtualBox: .sav file = partial memory image

Extract Memory from the Hibernation File (hiberfil.sys)
- hibr2bin can acquire physical memory (RAM) from a Windows hibernation file (XP and Vista only)
- Pro version compatible with XP through Win7/2008 (32 and 64 bit)
- hibr2bin.exe location on the COURSE DVD: D:\windows forensic tools\memory imaging
- Example: extract the hibernation file memory and save it to a USB drive (D:):
  hibr2bin D:\hiberfil.sys E:\hibernation_memory.img
- Volatility can also convert hibernation files

DLL Injection
[Diagram: normal DLL interaction (a library call passing through ntdll.dll from user space into kernel space) compared with DLL injection, where a rootkit in user space is interposed in the call chain]

Detecting Injection
- DLL injection is very common with modern malware
  - VirtualAllocEx() and CreateRemoteThread()
  - SetWindowsHookEx()
- Process hollowing is another injection technique
  - Malware starts a new instance of a legitimate process
  - The original process code is de-allocated and replaced
  - Retains DLLs, handles, data, etc. from the original process
- Code injection is relatively easy to detect
  - Review memory sections marked PAGE_EXECUTE_READWRITE that have no memory-mapped file present
  - Scan for DLLs (PE files) and shellcode
  - Process image not backed by a file on disk = process hollowing

Zeus / Zbot Overview
Persistent malware designed to steal credentials. Many variants; a popular one does the following:
- Copies itself to %system32%\sdra64.exe
- Injects code into winlogon.exe or explorer.exe
- Further injects code into every process except csrss & smss
- Auto-start path: HKLM\Software\Microsoft\Windows NT\winlogon\userinit
- Creates local.ds & user.ds in %system32%\lowsec
- Retrieves files from the command and control server
- Mutant: _AVIRA_
- Hooks over 50 system APIs

Using Mandiant Redline
- Information Pane
- Process View
- Host View
- Guided Analysis
- Detecting Code Injection: Zeus/Zbot DLL Injection
- Detecting Code Injection: Finding Injected Sections

Volatility
- Command-line memory forensic tool
- Primarily Windows-focused; Linux (Android) & Mac support now available
- Modular, portable
- Help! The -h flag gives configuration information in Volatility. Used alone it identifies the version, currently loaded plugins, and common parameters. Use -h with a plugin to get details and plugin-specific usage.

Code Injection: ldrmodules
Purpose: DLLs are tracked in three different linked lists for each process. Stealthy malware can unlink loaded DLLs from these lists. This plugin queries each list and displays the results for comparison.
Important parameters:
- -v: verbose, show full paths from each of the three DLL lists
- -p: show information for specific process IDs
Investigative notes:
- Most loaded DLLs will be in all 3 lists, having a "1" in each column.
- Legitimate entries may be missing from some of the lists, e.g. the process executable will not be present in the "InInit" list.
- If an entry has no "MappedPath" information, it is indicative of an injected DLL not available on disk (usually bad).

Rootkit Detection: apihooks
Detect inline and Import Address T
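Added example, not code from the slides or from Volatility: Python triage logic that applies the two detection rules above (RWX sections with no backing file, and the ldrmodules three-list comparison with its MappedPath and InInit caveats) to constructed sample records; the PID, addresses and module names are made up.

```python
# Added example (not from the SANS deck): triage mirroring two checks the slides
# describe, run over constructed sample records rather than real Volatility output.
from dataclasses import dataclass
PAGE_EXECUTE_READWRITE = 0x40  # Windows protection constant for RWX regions
@dataclass
class Section:           # one memory region of a process
    pid: int
    start: int
    protection: int
    mapped_file: object  # str path, or None if not backed by a file on disk
    head: bytes          # first bytes of the region (constructed)
def injected_sections(sections):
    """RWX regions with no file backing; MZ header = injected PE, else shellcode candidate."""
    hits = []
    for s in sections:
        if s.protection == PAGE_EXECUTE_READWRITE and s.mapped_file is None:
            hits.append((s.pid, s.start, "PE" if s.head.startswith(b"MZ") else "shellcode?"))
    return hits
@dataclass
class LdrEntry:          # one row of ldrmodules-style output
    pid: int
    base: int
    in_load: bool
    in_init: bool
    in_mem: bool
    mapped_path: object  # str path, or None if no MappedPath information
def suspicious_ldr(entries, exe_bases):
    """ldrmodules notes: no MappedPath is usually bad; a module unlinked from a list is
    suspect, except the process exe (exe_bases: pid -> image base) missing from InInit."""
    out = []
    for e in entries:
        if e.mapped_path is None:
            out.append((e.pid, e.base, "no MappedPath"))
            continue
        missing = [n for n, f in (("InLoad", e.in_load), ("InInit", e.in_init),
                                  ("InMem", e.in_mem)) if not f]
        if missing and not (missing == ["InInit"] and exe_bases.get(e.pid) == e.base):
            out.append((e.pid, e.base, "unlinked from " + ",".join(missing)))
    return out
# Constructed sample: PID 624 stands in for a winlogon.exe carrying injected code.
SAMPLE_SECTIONS = [
    Section(624, 0x1000000, 0x20, r"\Windows\System32\winlogon.exe", b"MZ\x90"),
    Section(624, 0x1A0000, PAGE_EXECUTE_READWRITE, None, b"MZ\x90"),
    Section(624, 0x2B0000, PAGE_EXECUTE_READWRITE, None, b"\xE8\x00\x00\x00\x00")]
SAMPLE_LDR = [
    LdrEntry(624, 0x1000000, True, False, True, r"\Windows\System32\winlogon.exe"),
    LdrEntry(624, 0x7C800000, True, True, True, r"\Windows\System32\kernel32.dll"),
    LdrEntry(624, 0x1A0000, False, False, True, None),
    LdrEntry(624, 0x10000000, False, True, True, r"\Windows\System32\unlinked_sample.dll")]
```

On the sample data the first function reports the two unbacked RWX regions (one with a PE header, one without), and the second reports the entry without a MappedPath and the module unlinked from InLoad while leaving the executable's expected InInit absence alone.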
