Windows Memory Forensics and Direct Kernel ... - Jesse Kornblum
Introduction
• Direct Kernel Object Manipulation (DKOM)
• Powerful technique for p0wning a computer
  – or crashing it
• Memory forensics should be able to help us
  – but can be subverted too
• But we shall prevail
The Kernel
• The kernel must maintain lots of data
  – Processes
  – Threads
  – File handles
  – Network connections
  – Interrupts
  – Really everything on the system
• All stored in kernel data structures
How it’s Supposed to Work
• Structures are modified by API functions
• Several different levels of API functions
  – CreateProcess
  – NtCreateProcess
  – ZwCreateProcess
  – And many more!
• These functions provide
  – Sanity checking
  – Memory allocation
  – Data initialization
Direct Kernel Object Manipulation
• Modify data structures without using API functions
• Must be done by code running in ring zero
  – Also called kernel mode
  – But not userland programs
• Can be done by drivers
  – This is why drivers can cause crashes
• Code injected into the kernel process
The Kernel
• Lots of lists
• Linked lists
• Each item points to the next item in the list
The Kernel
• Doubly linked lists
• Each item points to the next and previous items in the list
How it’s Supposed to Work
How it’s Supposed to Work
(figure: doubly linked list with List Head)
DKOM Example
• Unlink a process to hide it
• Adjust forward and back links to skip an item
Standard DKOM
(figure: list with List Head after the unlink)
Detecting Standard DKOM
• High-low analysis
  – Follow process links, record all processes
  – Brute force search for processes
• Compare the results
• Any process that shows up in one list but not the other is suspicious
How do you do a brute force search?
• Most modern tools look for a magic value
• Magic values may not be required
• Some can be replaced with arbitrary values
  – System still runs
Process Structures
• Executive Process structure
  – EPROCESS
• Consists of several substructures
• Lives in pool memory
• Starts with a POOL_HEADER
  – You don’t need to know what this is
  – Contains values set by kernel
  – But not referenced while running
Image courtesy Flickr user leozaza and licensed under the Creative Commons
Devious DKOM
• On Windows XP the POOL_HEADER starts with 50 72 6f e3 (“Proã” in ASCII)
• Can be replaced with, for example, 00 00 00 00
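As an added, constructed illustration (not code from the talk or from Volatility) of the high-low analysis and of why a scan keyed on the pool tag can be blinded: a user-mode C model of pool memory holding four EPROCESS-like records on a doubly linked list, one of which is unlinked the way the DKOM Example slide describes. The record layout, PROCESS_OF, scenario() and the PIDs are assumptions made for this example; a real EPROCESS and POOL_HEADER are far larger.

```c
#include <stddef.h>
#include <stdint.h>
/* Constructed stand-in for a pool allocation holding an EPROCESS: pool tag, ActiveProcessLinks, PID. */
#define POOL_TAG 0xe36f7250u   /* bytes 50 72 6f e3: "Proc" with the protected-pool bit set */
typedef struct _LIST_ENTRY { struct _LIST_ENTRY *Flink, *Blink; } LIST_ENTRY;
typedef struct { uint32_t PoolTag; LIST_ENTRY ActiveProcessLinks; uint32_t Pid; } FakeProcess;
#define PROCESS_OF(e) ((FakeProcess *)((char *)(e) - offsetof(FakeProcess, ActiveProcessLinks)))
#define NPROC 4
static FakeProcess pool[NPROC];          /* constructed "pool memory" */
static LIST_ENTRY PsActiveProcessHead;   /* list head the kernel walks */
static void build_list(void) {           /* link every record into the list, appending at the tail */
    PsActiveProcessHead.Flink = PsActiveProcessHead.Blink = &PsActiveProcessHead;
    for (int i = 0; i < NPROC; i++) {
        LIST_ENTRY *e = &pool[i].ActiveProcessLinks, *last = PsActiveProcessHead.Blink;
        pool[i].PoolTag = POOL_TAG; pool[i].Pid = 4 * (i + 1);
        e->Flink = &PsActiveProcessHead; e->Blink = last;
        last->Flink = e; PsActiveProcessHead.Blink = e;
    }
}
/* Standard DKOM: the neighbours are rewired to skip the entry; the entry itself is untouched. */
static void unlink_entry(LIST_ENTRY *e) { e->Blink->Flink = e->Flink; e->Flink->Blink = e->Blink; }
static int walk_list(uint32_t *pids) {   /* "high" view: follow the links from the head, as the OS does */
    int n = 0;
    for (LIST_ENTRY *e = PsActiveProcessHead.Flink; e != &PsActiveProcessHead; e = e->Flink)
        pids[n++] = PROCESS_OF(e)->Pid;
    return n;
}
static int scan_pool(uint32_t *pids) {   /* "low" view: brute-force scan of pool memory for the magic value */
    int n = 0;
    for (int i = 0; i < NPROC; i++)
        if (pool[i].PoolTag == POOL_TAG) pids[n++] = pool[i].Pid;
    return n;
}
/* Cross-view comparison: anything the scan finds that the walk does not is suspicious. */
static int hidden_pids(uint32_t *out) {
    uint32_t high[NPROC], low[NPROC];
    int nh = walk_list(high), nl = scan_pool(low), n = 0;
    for (int i = 0; i < nl; i++) {
        int seen = 0; for (int j = 0; j < nh; j++) seen |= (high[j] == low[i]);
        if (!seen) out[n++] = low[i];
    }
    return n;
}
/* Scenario: hide PID 12 by unlinking it, optionally also zeroing its tag (Devious DKOM); returns the first hidden PID found, or 0. */
static int scenario(int zero_tag) {
    uint32_t found[NPROC];
    build_list(); unlink_entry(&pool[2].ActiveProcessLinks);
    if (zero_tag) pool[2].PoolTag = 0;   /* magic value replaced with 00 00 00 00 */
    return hidden_pids(found) ? (int)found[0] : 0;
}
```

With the tag intact the comparison reports PID 12; once the tag is zeroed the same unlinked record is invisible to both views, which is the gap the following slides address.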
Devious DKOM Demo
• Using Volatility Framework
  – https://www.volatilesystems.com/default/volatility
• Not picking on Volatility
  – All existing tools use magic values
  – Best free memory forensics tool
• Demo…
Detecting Devious DKOM
• Two approaches
  – Get better magic
  – Detect using something else
Better Magic
• Better Magic Through Fuzzing™
• Fuzzing means inputting random data and seeing what happens
• Use automated tools to only report the interesting inputs
Image courtesy Flickr user LaMenta3 and licensed under the Creative Commons
Better Magic
• Method by Brendan Dolan-Gavitt et al.
• Fuzzing to find magic values
  – Fire up virtual machine and start a process
  – Pause VM
  – Change EPROCESS values at random
  – Resume VM
  – Record if change made the