Malware analysis using volatility

5,026 views
4,555 views

Published on

Published in: Technology
0 Comments
4 Likes
Statistics
Notes
  • Be the first to comment

No Downloads
Views
Total views
5,026
On SlideShare
0
From Embeds
0
Number of Embeds
9
Actions
Shares
0
Downloads
145
Comments
0
Likes
4
Embeds 0
No embeds

No notes for slide

Malware analysis using volatility

  1. 1. Malware Analysis Using Volatility Yashashree Shivaji Gund
  2. 2. Why Memory Analysis of Malware? - Injected code or file. - Different Hooks. - Unpacked file. - Kernel memory Accessibility. - Memory/registry forensics.
  3. 3. Volatility • Memory forensic on Windows, Linux, Mac and Android. • Easily available plugin and documentation. • We can use on variety of file formats (memory image). • Works on Only RAM content. No Hard disk content. http://code.google.com/p/volatility/wiki/VolatilityIntroduction
  4. 4. Memory Imaging for Analysis • Crash Dumps. • Livekd Dumps. • Virtual Machine Imaging. • Raw Dumps. and many more techniques http://www.forensicswiki.org/wiki/Tools:Memory_Imaging
  5. 5. VMware image • *.vmem its nothing but RAM image of current VMware state. • Just select last updated *.vmem file for volatility analysis. • We need to suspend VMware OS.
  6. 6. Use ‘DumpIT’ for Memory Dump • “DumpIT.exe” just run file it will ask for dumping memory. • Just make sure you have enough space for dumping memory. • It will dump in root folder with extension .raw.
  7. 7. Some Situations when Volatility is useful • Ransom ware screen lock . • After Infection we are not able to run any reversing tool. • Kernel driver is encrypted or packed and we need to unpack. • Strong anti debugging and protections applied for packed files and we need unpacked file.
  8. 8. Volatility syntax • volatility.exe [plugin] -f [image] --profile=[profile] Default profile of WinXPSP2x86 is set internally. • Volatility.exe pslist –f “malware.raw” • Volatility.exe pstree –f “malware.raw” • Volatility.exe connections –f “malware.raw” • Volatility.exe malfind –f “malware.vmem” • http://code.google.com/p/volatility/
  9. 9. Some more commands • “driverscan” will display all loaded drivers. • “apihooks” will display all hooks in memory.(It takes time) • If want to use some command only for one process we can use • “-p 1624” (1624 is PID) • e.g volatility.exe –f “memory.raw” –p 1220 modules It Will display loaded modules of PID 1220 • http://code.google.com/p/volatility/wiki/CommandReference21
  10. 10. Commands.. • “malfind” • Volatility.exe –f “malware.vmem” malfind • It can find injected code and dll. • http://code.google.com/p/volatility/wiki/CommandReferenceMal 23#malfind • ‘apihooks’ • Volatility.exe –f “malware.vmem” apihooks • http://code.google.com/p/volatility/wiki/CommandReferenceMal 23#apihooks • Both this commands will take time, I will suggest to redirect the output of these commands to text file.
  11. 11. Command.. • ‘procmemdump’ “Volatility.exe –f “malware.vmem” procmemdump –d dump_folder/ p 1624” To dump executable of PID 1624 to path “dump_folder” http://code.google.com/p/volatility/wiki/CommandReference23#procmemdu mp • ‘connections’ “volatility.exe –f “ransomware.vmem” connections” Similarly we can use sockets and some other commands related network. • http://code.google.com/p/volatility/wiki/CommandReference23#co nnections
  12. 12. Commands.. • ‘devicetree’ Volatility –f “necurs.vmem” devicetree (for rootkit analysis) • http://code.google.com/p/volatility/wiki/CommandReferenceMal 23#devicetree • ‘moddump’ Volatility –f “necurs.vmem” moddump –D dump_folder/ Will dump all kernel drivers http://code.google.com/p/volatility/wiki/CommandReference23#m oddump
  13. 13. Commands.. • ‘printkey’ • “volatility.exe –f “ransomware.vmem” printkey -K "Microsoftwindows NTCurrentVersionWinlogon“ It will display winlogon key contents similarly we can check run key to auto start objects. http://code.google.com/p/volatility/wiki/CommandReference23#pr intkey
  14. 14. Ransom ware • Volatility is useful in Winlock situations(VMware). - Process running.(pstree) - connections.(connections,sockets) - injection.(malfind) - Registry changes.(printkey) - Dump the Executable.(procmemdump)
  15. 15. Necurs • I am explaining here only how to dump necurs kernel driver. This driver will cause BSOD in Vmware once its loaded in memory so we need to suspend VMware after login screen before bsod. • “NtSecureSys” • • • • Use “devicetree” Check unknown entries in report Search “NtSecureSys” necurs device name. Dump all drivers using “moddump or We can dump one specific driver using base address. • Use of “driverirp” –r ddc9572038295e1f.
  16. 16. Conclusion • Open source framework , Python language plugin based architecture. • We can write plugin which are more useful with malwares. • Analyst should have Windows internals knowledge to use Volatility effectively. • http://code.google.com/p/volatility/
  17. 17. Thanks

×