{"id":4257,"date":"2017-07-10T22:00:57","date_gmt":"2017-07-10T22:00:57","guid":{"rendered":"http:\/\/www.hexacorn.com\/blog\/?p=4257"},"modified":"2017-07-17T10:37:15","modified_gmt":"2017-07-17T10:37:15","slug":"if-memory-doesnt-serve-me-right","status":"publish","type":"post","link":"https:\/\/www.hexacorn.com\/blog\/2017\/07\/10\/if-memory-doesnt-serve-me-right\/","title":{"rendered":"If memory doesn&#8217;t serve me right&#8230;"},"content":{"rendered":"<p><strong>Update<\/strong><\/p>\n<p>One <a href=\"https:\/\/twitter.com\/JamesHabben\/status\/886778509930016768\">more item<\/a> from <a href=\"https:\/\/twitter.com\/JamesHabben\">@JamesHabben<\/a>:<\/p>\n<ul>\n<li>One situation I frequently face is determining IIV for malware from months to years before. Memory analysis is useless for that.<\/li>\n<\/ul>\n<p><strong>Old post<\/strong><\/p>\n<p>I love memory forensics. So do you.<\/p>\n<p>This is why you gonna hate me \ud83d\ude09<\/p>\n<p>In a quick post on Twitter, <a href=\"https:\/\/twitter.com\/MalwareJake\">@MalwareJake<\/a> <a href=\"https:\/\/twitter.com\/MalwareJake\/status\/883397139564437505\">asked<\/a>:<\/p>\n<p style=\"padding-left: 30px;\">Memory forensics cuts through the lies of code injection and rootkits<\/p>\n<p style=\"padding-left: 30px;\">Yes or no?<\/p>\n<p>I replied:<\/p>\n<p style=\"padding-left: 30px;\">Most of the time: yes. BUT lots of examples for: No<\/p>\n<p>I thought it will be an interesting task to brainstorm&amp;braindump these examples in one place and by doing so, find an excuse to look at the limitations of memory forensics. I am far from being the first one to talk about it, but it&#8217;s worth rehashing old ideas every once in a while&#8230;<\/p>\n<p>So, without further ado, here&#8217;s a brain-dump of &#8216;malicious&#8217; ideas that memory forensics will not help with, or will find at least challenging:<\/p>\n<ul>\n<li>We must start with the well-known examples of <a href=\"https:\/\/www.blackhat.com\/presentations\/bh-jp-05\/bh-jp-05-sparks-butler.pdf\">Shadow Walker<\/a> [PDF warning] and <a href=\"https:\/\/en.wikipedia.org\/wiki\/Blue_Pill_(software)\">Blue Pill<\/a> rootkits of course<\/li>\n<li>&#8220;One-bit&#8221; modifications f.ex. enabling a debug\/verbose flag in a software resulting in local data leaks &#8211; hard to detect<\/li>\n<li>Same goes for small changes to configs &#8211; slightly modified path or server name can easily stay under radar<\/li>\n<li>Modification of scrips, batch files, any sort of interpreted code (and in particular, any server-side code) &#8211; especially if it doesn&#8217;t run in a context of a typical windows user (f.ex. a line added to a task running on server that is responsible for batch-processing could simply copy files from a local system to a pwned share elsewhere)<\/li>\n<li>Unusual, but temporary persistence mechanisms allowing to load malware w\/o many side effects and malware exiting as soon as possible (not persistent in memory) f.ex. <a href=\"https:\/\/www.hexacorn.com\/blog\/2015\/03\/13\/beyond-good-ol-run-key-part-29\/\">Hot Keys trick<\/a> (granted, you may see zombie processes though)<\/li>\n<li>Small, in-place, viral modification of files (and especially EPO modifications), in particular OS files, but could be any file that is executed on regular basis (especially DLLs)<\/li>\n<li>.NET rootkits &amp; any sort of .NET modification (imho still under-explored areas)<\/li>\n<li>Shadow-Wakerish Rootkit that intercepts access to a physical memory device and &#8216;cleans&#8217; memory content on the fly, removing its code and related artifacts<\/li>\n<li>Watchdog could wipe the code out when the memory dumping tool is loaded &#8211; by monitoring file, registry key\/service creation or known detecting known mutexes etc. f.ex.:\n<ul>\n<li>Comae DumpIt \/\/ 32 and 64-bit\n<ul>\n<li>DumpIt<\/li>\n<li>HKLM\\SYSTEM\\CurrentControlSet\\Services\\DumpIt<\/li>\n<li>%SYSTEM%\\Drivers\\DumpIt.sys<\/li>\n<\/ul>\n<\/li>\n<li>MoonSols Windd\n<ul>\n<li>32-bit\n<ul>\n<li>win32dd<\/li>\n<li>HKLM\\SYSTEM\\CurrentControlSet\\Services\\win32dd<\/li>\n<\/ul>\n<\/li>\n<li>64-bit\n<ul>\n<li>win64dd<\/li>\n<li>HKLM\\SYSTEM\\CurrentControlSet\\Services\\win64dd<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<\/li>\n<li>HBGary FastDump\n<ul>\n<li>32-bit\n<ul>\n<li>fastdumpx86<\/li>\n<li>HKLM\\SYSTEM\\CurrentControlSet\\Services\\fastdumpx86<\/li>\n<\/ul>\n<\/li>\n<li>64-bit\n<ul>\n<li>fastdumpx64<\/li>\n<li>HKLM\\SYSTEM\\CurrentControlSet\\Services\\fastdumpx64<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<\/li>\n<li>Encase\n<ul>\n<li>32-bit\n<ul>\n<li>winen_<\/li>\n<li>HKLM\\SYSTEM\\CurrentControlSet\\Services\\winen_<\/li>\n<\/ul>\n<\/li>\n<li>64-bit\n<ul>\n<li>winen64_<\/li>\n<li>HKLM\\SYSTEM\\CurrentControlSet\\Services\\winen64_<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<\/li>\n<li>FTK Imager \/\/ 32- and 64-bit\n<ul>\n<li>Memory\n<ul>\n<li>AccessData Driver<\/li>\n<li>%TEMP%\\ad_driver.sys<\/li>\n<li>HKLM\\SYSTEM\\CurrentControlSet\\Services\\ad_driver<\/li>\n<\/ul>\n<\/li>\n<li>Filesystem driver\n<ul>\n<li>FRIdrv<\/li>\n<li>%SYSTEM%\\Drivers\\FRIdrv.sys<\/li>\n<li>HKLM\\SYSTEM\\CurrentControlSet\\Services\\FRIdrv<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<\/li>\n<li>Rekall&#8217;s pmem\n<ul>\n<li>pmem<\/li>\n<li>%TEMP%\\pme*.tmp<\/li>\n<li>HKLM\\SYSTEM\\CurrentControlSet\\Services\\pmem<\/li>\n<\/ul>\n<\/li>\n<li>Memoryze\n<ul>\n<li>Mandiant_Tools<\/li>\n<li>HKLM\\SYSTEM\\CurrentControlSet\\Services\\Mandiant_Tools<\/li>\n<\/ul>\n<\/li>\n<li>Redline\n<ul>\n<li>FeKern<\/li>\n<li>%SYSTEM%\\Drivers\\FeKern.sys<\/li>\n<li>HKLM\\SYSTEM\\CurrentControlSet\\Services\\FeKern<\/li>\n<li>C:\\Program Files\\Redline\\<\/li>\n<\/ul>\n<\/li>\n<li>(OLD!!!) MDD\n<ul>\n<li>ManTech MemDd Device Driver<\/li>\n<li>HKLM\\SYSTEM\\CurrentControlSet\\Services\\mdd<\/li>\n<\/ul>\n<\/li>\n<li>(OLD!!!) Physmem\n<ul>\n<li>HKCU\\Software\\Sysinternals\\Physmem<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<p>Additionally, one could try to open (using CreateFile) the devices created by these services, or simply look for process names associated with these tools. The memory dumping process takes a while and if malware checks every second or so, it is enough to detect the acquisition in progress&#8230;<\/p>\n<p>I guess it&#8217;s obvious now that using fixed \/ hard-coded names in these tools is not a good idea. For this very reason old rootkit detection tools like RKU and GMER use randomized device names for nearly 10 years or so.<\/p>\n<p>Last, but not least &#8211; this post is not to bash the memory forensics. It&#8217;s one of the most important tools we have in our arsenal. However, it&#8217;s important to know that it&#8217;s just one of the tools and under some circumstances we may simply need to use different approach.<\/p>\n<p>Some references &#8211; far more advanced ideas and techniques:<\/p>\n<ul>\n<li><a href=\"https:\/\/www.slideshare.net\/lmilkovic\/defeating-windows-memory-forensics\">https:\/\/www.slideshare.net\/lmilkovic\/defeating-windows-memory-forensics<\/a><\/li>\n<li><a href=\"https:\/\/media.blackhat.com\/bh-eu-12\/Haruyama\/bh-eu-12-Haruyama-Memory_Forensic-Slides.pdf\">https:\/\/media.blackhat.com\/bh-eu-12\/Haruyama\/bh-eu-12-Haruyama-Memory_Forensic-Slides.pdf<\/a> [PDF warning]<\/li>\n<li><a href=\"https:\/\/www.blackhat.com\/presentations\/bh-jp-05\/bh-jp-05-sparks-butler.pdf\">https:\/\/www.blackhat.com\/presentations\/bh-jp-05\/bh-jp-05-sparks-butler.pdf<\/a> [PDF warning]<\/li>\n<li><a href=\"https:\/\/events.ccc.de\/congress\/2012\/Fahrplan\/attachments\/2231_Defeating%20Windows%20memory%20forensics.ppt\">https:\/\/events.ccc.de\/congress\/2012\/Fahrplan\/attachments\/2231_Defeating%20Windows%20memory%20forensics.ppt<\/a> [PPT warning]<\/li>\n<\/ul>\n<p>If you know other artifacts related to memory acquisition tools, or have other anti-memory forensics ideas please let me know, thanks!<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Update One more item from @JamesHabben: One situation I frequently face is determining IIV for malware from months to years before. Memory analysis is useless for that. Old post I love memory forensics. So do you. This is why you &hellip; <a href=\"https:\/\/www.hexacorn.com\/blog\/2017\/07\/10\/if-memory-doesnt-serve-me-right\/\">Continue reading <span class=\"meta-nav\">&rarr;<\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":[],"categories":[43,13,19],"tags":[],"_links":{"self":[{"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/posts\/4257"}],"collection":[{"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/comments?post=4257"}],"version-history":[{"count":8,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/posts\/4257\/revisions"}],"predecessor-version":[{"id":4273,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/posts\/4257\/revisions\/4273"}],"wp:attachment":[{"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/media?parent=4257"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/categories?post=4257"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/tags?post=4257"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}