{"id":2475,"date":"2014-08-29T15:36:26","date_gmt":"2014-08-29T15:36:26","guid":{"rendered":"http:\/\/www.hexacorn.com\/blog\/?p=2475"},"modified":"2014-08-29T15:36:26","modified_gmt":"2014-08-29T15:36:26","slug":"anti-forensics-live-examples-part-3","status":"publish","type":"post","link":"https:\/\/www.hexacorn.com\/blog\/2014\/08\/29\/anti-forensics-live-examples-part-3\/","title":{"rendered":"Anti-forensics \u2013 live examples, Part 3"},"content":{"rendered":"<p>I recently spent some time analysing one of the ransomware samples (CryptoWall, md5=73a9ab2ea9ec4eaf45bce88afc7ee87e; thx to Kernelmode.info guys). Looking at the code I came across an interesting routine that the malware author crafted to release memory allocated by malware during run-time. The routine is interesting, because it releases the allocated buffer in a secure way.<\/p>\n<p>Let&#8217;s have a look.<\/p>\n<p>The function which I called ZeroFreeDecommitRelease is shown below:<\/p>\n<p><a href=\"https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2014\/08\/CryptoWall1.png\"><img decoding=\"async\" loading=\"lazy\" class=\"aligncenter size-full wp-image-2476\" src=\"https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2014\/08\/CryptoWall1.png\" alt=\"CryptoWall1\" width=\"676\" height=\"608\" srcset=\"https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2014\/08\/CryptoWall1.png 676w, https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2014\/08\/CryptoWall1-300x269.png 300w\" sizes=\"(max-width: 676px) 100vw, 676px\" \/><\/a><\/p>\n<p>The querymem function it refers to is just a wrapper for ZwQueryVirtualMemory, and the rest is I hope self-explanatory (btw. the code is position independent so you see reference to getAPITableOffset which is basically a\u00a0 function returning a pointer to the sample&#8217;s import table allocated somewhere in memory).<\/p>\n<p><a href=\"https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2014\/08\/CryptoWall2.png\"><img decoding=\"async\" loading=\"lazy\" class=\"aligncenter size-full wp-image-2477\" src=\"https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2014\/08\/CryptoWall2.png\" alt=\"CryptoWall2\" width=\"546\" height=\"601\" srcset=\"https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2014\/08\/CryptoWall2.png 546w, https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2014\/08\/CryptoWall2-272x300.png 272w\" sizes=\"(max-width: 546px) 100vw, 546px\" \/><\/a><\/p>\n<p>There are a few interesting things here:<\/p>\n<ul>\n<li>When the function ZwQueryVirtualMemory is called, it uses the MemoryInformation block which is allocated on the stack; if the function succeeded the data from the buffer is passed to the caller and then the MemoryInformation block is cleaned up by zeroes (using the memset function)<\/li>\n<li>The ZeroFreeDecommitRelease function:\n<ul>\n<li>Is using the querymem wrapper to retrieve information about the block of memory it tries to free; it then tests its page attributes and if it is one of the attributes associated with a writable page it zeroes it first before decommitting it and then releasing it<\/li>\n<li>It zeroes the whole region &#8211; not necessarily the size of the region requested when the memory was allocated, but the actual region (taking care of page boundaries)<\/li>\n<li>Taking care of PAGE_WRITECOPY shows attention to details as it is not a page attribute that is often used by your average software \/ malware and could be omitted saving a few bytes of unnecessary code &#8211; the inclusion of this flag makes it look like a proper library function<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<p>This highlights not only the fact that some malware authors are seasoned developers, but also the fact they pay more and more attention to memory artifacts &#8211; buffers allocated by malware during run-time are full of juicy information and often contribute to finding a smoking gun or help in accessing unprotected\/unencrypted code and data (e.g. configs) directly from memory. Limiting exposure of such artifacts is a direct challenge to the Locard&#8217;s Exchange Principle. It also makes life hard for forensic analysts &#8211; relying on dynamic analysis is obviously a daily bread for all of us, but it is simply not enough.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>I recently spent some time analysing one of the ransomware samples (CryptoWall, md5=73a9ab2ea9ec4eaf45bce88afc7ee87e; thx to Kernelmode.info guys). Looking at the code I came across an interesting routine that the malware author crafted to release memory allocated by malware during run-time. &hellip; <a href=\"https:\/\/www.hexacorn.com\/blog\/2014\/08\/29\/anti-forensics-live-examples-part-3\/\">Continue reading <span class=\"meta-nav\">&rarr;<\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":[],"categories":[13,19,9],"tags":[],"_links":{"self":[{"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/posts\/2475"}],"collection":[{"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/comments?post=2475"}],"version-history":[{"count":6,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/posts\/2475\/revisions"}],"predecessor-version":[{"id":2483,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/posts\/2475\/revisions\/2483"}],"wp:attachment":[{"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/media?parent=2475"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/categories?post=2475"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/tags?post=2475"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}