Reversing & Malware Analysis Training Part 8 - Malware Memory Forensics
This presentation is part of our Reverse Engineering & Malware Analysis Training program.

For more details, refer to our Security Training page:
http://securityxploded.com/security-training.php
1 Comment
  • Great article, as this is right down the road we are going at Payload Security. We have developed a tool that is similar to Volatility, just that it can take runtime data and combine it with static analysis techniques – something we call Hybrid Analysis. If you are interested, please contact me at jan(dot)miller(at)payload-security(dot)com or visit our webpage at http://www.payload-security.com. Thank you!
  1. www.SecurityXploded.com
  2. Disclaimer: The Content, Demonstration, Source Code and Programs presented here are "AS IS" without any warranty or conditions of any kind. The views/ideas/knowledge expressed here are solely the trainer's own and have nothing to do with the company or organization in which the trainer is currently working. In no circumstances is the trainer or SecurityXploded responsible for any damage or loss caused by use or misuse of the information presented here.
  3. Acknowledgement: Special thanks to the null & Garage4Hackers community for their extended support and cooperation. Thanks to all the trainers who have devoted their precious time and countless hours to make it happen.
  4. Reversing & Malware Analysis Training: This presentation is part of our Reverse Engineering & Malware Analysis Training program. Currently it is delivered only during our local meet, free of cost. For complete details of this course, visit our Security Training page.
  5. Who am I
     - Monnappa (m0nna)
     - Member of SecurityXploded
     - Info Security Investigator @ Cisco
     - Reverse Engineering, Malware Analysis, Memory Forensics
     - GREM, CEH
     - Email: monnappa22@gmail.com
  6. Contents
     - Why Memory Forensics?
     - Steps in Memory Forensics
     - Volatility Quick Overview
     - Volatility help and plugins
     - Demo
  7. Why Memory Forensics?
     - Finding and extracting forensic artefacts
     - Helps in malware analysis
     - Determining process, network and registry activities
     - Reconstructing the original state of the system
     - Assists with unpacking, rootkit detection and reverse engineering
  8. Steps in Memory Forensics
     - Memory acquisition: dumping the memory of a target machine
       - tools: Win32dd/Win64dd, Memoryze, DumpIt, FastDump
       - in a virtual machine: suspend the VM and use the .vmem file
     - Memory analysis: analyzing the memory dump for forensic artifacts
       - tools: Volatility, Memoryze
  9. Volatility Quick Overview
     - Advanced memory forensics framework written in Python
     - Installation details: http://code.google.com/p/volatility/wiki/FullInstallation
     - Use the -h or --help option to get the list of command-line switches; example: python vol.py -h
     - Use -f <filename> and --profile to indicate the memory dump you are analyzing; example: python vol.py -f mem.dmp --profile=WinXPSP3x86
     - To find out which --profile to use, run imageinfo; example: python vol.py -f mem.dmp imageinfo
  10. Volatility help and plugins: the -h or --help option displays help and the available plugin commands in Volatility.
  11. http://youtu.be/YcVusDjnBxw
  12. Demo Scenario: Your security device alerts show a malicious HTTP connection to IP address 208.91.197.54 from source IP 192.168.1.100 on 8th June 2012 at around 13:30 hrs. You are asked to investigate and do memory forensics on that machine, 192.168.1.100.
     - To start with, acquire the memory image "infected.dmp" from 192.168.1.100 using a memory acquisition tool (win32dd); command: win32dd.exe /f infected.dmp
     - Analyze the memory dump "infected.dmp"
  13. Step 1 – Start with what you know: Volatility's connections module shows a connection to the malicious IP by pid 1748.
  14. Step 2 – Info about 208.91.197.54: A Google search shows 208.91.197.54 associated with malware, probably "spyeye"; we still need to confirm that.
  15. Step 3 – Who is pid 1748? psscan shows that pid 1748 belongs to explorer.exe, and also shows two processes created at the time reported by the security device (i.e. 8th June 2012).
  16. Step 4 – Process handles of explorer.exe: explorer.exe holds a handle to B6232F3A9F9.exe, indicating that explorer.exe created that process, which might be malicious. Focusing on explorer.exe for now.
  17. Step 5 – apihooks in explorer.exe: the apihooks module shows inline API hooks in explorer.exe that jump to an unknown location.
  18. Step 6 – Exploring the hooks: disassembling the hooked function (TranslateMessage) shows a short jump followed by a long jump to the malware location.
  19. Step 7 – Embedded exe in explorer.exe: printing the bytes shows an embedded executable inside explorer.exe.
  20. Step 8 – Dumping the embedded exe: vaddump dumps the embedded exe from explorer.exe.
  21. Step 9 – VirusTotal submission: submitting the dumped executable to VirusTotal confirms it as a component of "spyeye".
  22. Step 10 – Can we get more info? Strings extracted from the dumped executable reference interesting artifacts (an executable and a registry key).
  23. Step 11 – Printing the registry key: the malware creates a registry key to survive a reboot.
  24. Step 12 – Finding the malicious exe on the infected machine: the malicious sample is found on the infected host, and VirusTotal submission confirms the SpyEye infection.
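The pivots done by hand in Steps 1, 3 and 4 (alerted IP to pid, pid to image name, processes created around the alert time, children of the suspect process) can be scripted over the text that Volatility 2's connections and psscan plugins print. This is an added example, not code from the deck or from the Volatility project: the sample plugin output is constructed (only the process names, pid 1748 and the two IP addresses come from the scenario; every other pid, offset and timestamp is invented), and the regular expressions assume the Volatility 2 column layout.

```python
import re
from datetime import datetime, timedelta

# Constructed sample of Volatility 2 `connections` output (not from the deck).
CONNECTIONS_OUTPUT = """\
Offset(V)  Local Address             Remote Address            Pid
---------- ------------------------- ------------------------- ---
0x81e1b0a0 192.168.1.100:1035        208.91.197.54:80          1748
0x81f2c3e8 192.168.1.100:1036        74.125.224.72:80          2044
"""
# Constructed sample of `psscan` output: the names and pid 1748 come from the
# deck, every other PID, offset and timestamp is invented for the example.
PSSCAN_OUTPUT = """\
Offset(P)  Name             PID   PPID PDB        Time created
---------- ---------------- ----- ---- ---------- --------------------------
0x01a2b020 System           4     0    0x00319000
0x01e4f540 explorer.exe     1748  1720 0x0a4c0260 2012-06-08 13:28:02 UTC+0000
0x02034da0 B6232F3A9F9.exe  1912  1748 0x0b31a120 2012-06-08 13:29:45 UTC+0000
0x0213c7a8 svchost.exe      1024  672  0x05c2a1e0 2012-06-08 12:01:11 UTC+0000
"""
CONN_RE = re.compile(r"^0x[0-9a-f]+\s+(\S+)\s+(\S+)\s+(\d+)\s*$", re.I)
PROC_RE = re.compile(r"^0x[0-9a-f]+\s+(\S+)\s+(\d+)\s+(\d+)\s+0x[0-9a-f]+"
                     r"(?:\s+(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d))?", re.I)

def pids_talking_to(connections_text, remote_ip):
    """Step 1: PIDs owning a socket to the alerted IP, whatever the port."""
    return [int(m.group(3)) for m in map(CONN_RE.match, connections_text.splitlines())
            if m and m.group(2).rsplit(":", 1)[0] == remote_ip]

def parse_psscan(psscan_text):
    """Rows as dicts; 'created' is None for rows psscan lists without a time."""
    procs = []
    for m in filter(None, map(PROC_RE.match, psscan_text.splitlines())):
        when = datetime.strptime(m.group(4), "%Y-%m-%d %H:%M:%S") if m.group(4) else None
        procs.append({"name": m.group(1), "pid": int(m.group(2)),
                      "ppid": int(m.group(3)), "created": when})
    return procs

def process_name(procs, pid):
    """Step 3: map the PID from `connections` to its image name."""
    return next((p["name"] for p in procs if p["pid"] == pid), None)

def children_of(procs, pid):
    """Step 4 cross-check: processes whose parent (PPID) is the suspect PID."""
    return [p["name"] for p in procs if p["ppid"] == pid]

def created_near(procs, alert_time, minutes):
    """Step 3: processes created within +/- minutes of the alert ('YYYY-MM-DD HH:MM:SS')."""
    centre = datetime.strptime(alert_time, "%Y-%m-%d %H:%M:%S")
    return [p["name"] for p in procs if p["created"] is not None
            and abs(p["created"] - centre) <= timedelta(minutes=minutes)]
```

On a real case, feed the functions the saved stdout of `vol.py -f infected.dmp --profile=<profile> connections` and `... psscan` instead of the constructed samples.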
  25. Reference: Complete Reference Guide for Reversing & Malware Analysis Training (www.SecurityXploded.com)
  26. Thank You! www.SecurityXploded.com