SlideShare a Scribd company logo

Defeating Windows memory forensics

L
lmilkovic
1 of 19
Download to read offline
Defeating Windows memory forensics FSEC 2012 September 19, 2012. Luka Milković Luka.Milkovic@infigo.hr INFIGO IS http://www.infigo.hr
Agenda Memory forensics Why? How? Previous memory anti-forensic techniques Windows related Memory acquisition process – flawed by design? Defeating Windows memory forensics Impossible in user-mode… …or not? Possible solutions
Memory forensics – why? Disk forensics prevalent, but memory forensics increasingly popular Used by incident handlers… Malware detection objects hidden by rootkits (processes, threads, etc.) memory-resident malware unpacked/unencrypted images Recently used files „Dead objects” terminated processes, threads, connections… … and the bad guys Password recovery
Memory forensics – how? Two consecutive processes Memory acquisition Memory analysis Acquisition Many tools, focus on free ones Mandiant Memoryze Moonsols Windows Memory Toolkit (Win32dd) ManTech MDD
Memory forensics – how? (2) Analysis Finding OS and other artifacts in image Free and commercial tools Volatility Framework Mandiant Redline/Memoryze EnCase, HBGary Responder and many other All support raw dump, weak support for hib/crash file Volatility has weak support for x64
Memory forensics – how? (3) „The big picture” Analysis tool Acquisition tool Memory dump User mode Install driver Kernel mode Acquisition driver Remote host Send dump over network Memory dump algorithm 1. Reading DevicePhysicalMemory 2. Physical space mapping (MmMapIoSpace()) 3. Raw Virtual2Physical mapping
Previous works - simple Blocking acquisition Killing acquisition process tools always have the same names Blocking driver installation driver installation is necessary on OS >= Win2k3 names not random Metasploit script not available anymore Evasion very simple Rename process Rename driver not that easy if you don’t have the source
Previous works – advanced Blocking analysis Haruyama/Suzuki BH-EU-12: One-byte Modification for Breaking Memory Forensic Analysis minimal modifications to OS artifacts in memory targets key steps of analysis to make it impossible/difficult so-called abort factors tool specific Pros: subtle modifications (harder detection) Cons: cannot hide arbitrary object (could theoretically) breaks entire analysis – can raise suspicion
Previous works – advanced (2) Attacking acquisition & analysis Sparks/Butler BH-JP-05: Shadow Walker – Raising the bar for Rootkit Detection intentional desynchronization of ITLB/DTLB faking reads of and writes to „arbitrary” memory location execute access not faked Pros: awesome idea:) hides (almost) arbitrary objects Cons: not very stable (and no MP/HT support) page fault handler visible (code and IDT hook) performance
Memory acquisition – flawed by design? Where is the weakest link? Analysis tool Acquisition tool Memory dump User mode Attacker kernel access == Install driver Kernel mode Acquisition driver Remote host Send dump over network Memory dump algorithm 1. Reading DevicePhysicalMemory 2. Physical space mapping (MmMapIoSpace()) 3. Raw Virtual2Physical mapping
Defeating Windows memory forensics Introducing Dementia PoC tool for hiding objects in memory dumps currently only processes x86 only Kernel driver NtWriteFile inline hook could hook even lower list of addresses to be hidden virt2phys translation – using DTB of System process clears process allocation (PoolTag „Proc”) „unlinks” the process from the process list in dump clears EPROCESS block
Defeating Windows memory forensics (2)
Defeating Windows memory forensics (3) Limitations Plenty of other artifacts not hidden Handle tables not cleaned Memory allocated by process not cleaned including process code and data Work in progress!
Memoryze case Memoryze is interesting… Not reliant on API calls? What about
Memoryze case (2) Memoryze re-designed the workflow a bit: Analysis tool Write dump Acquisition tool Memory dump User mode Install driver Kernel mode Return read page Acquisition driver Dump memory Memory dump algorithm 1. Reading DevicePhysicalMemory 2. Physical space mapping (MmMapIoSpace())
Memoryze case (3) Yes, attacker can now modify dump from the user mode:) Dementia module Hiding target process, process threads and connections completely from the user mode, no driver used currently even more advanced than the driver mode:) Injects to Memoryze process Hooks DeviceIoControl and sanitizes buffers on the fly Works similarly to Volatility but no virt2phys translation, determine everything from the dump has partial knowledge – only single pages of the dump
Memoryze case (4) DEMO
Possible solutions Memoryze should adopt traditional workflow Current is both slow and insecure Use crash dumps (native!) instead of raw dumps Entirely different OS mechanisms Use hibernation files Plagued by the same problems, but more difficult to tamper with Use hardware acquisition tools? Perform anti-rootkit scanning before acquisition?
Thank you!

Recommended

Embedded Virtualization for Mobile Devices
Embedded Virtualization for Mobile DevicesEmbedded Virtualization for Mobile Devices
Embedded Virtualization for Mobile DevicesNational Cheng Kung University
 
Android Virtualization: Opportunity and Organization
Android Virtualization: Opportunity and OrganizationAndroid Virtualization: Opportunity and Organization
Android Virtualization: Opportunity and OrganizationNational Cheng Kung University
 
olibc: Another C Library optimized for Embedded Linux
olibc: Another C Library optimized for Embedded Linuxolibc: Another C Library optimized for Embedded Linux
olibc: Another C Library optimized for Embedded LinuxNational Cheng Kung University
 
Develop Your Own Operating Systems using Cheap ARM Boards
Develop Your Own Operating Systems using Cheap ARM BoardsDevelop Your Own Operating Systems using Cheap ARM Boards
Develop Your Own Operating Systems using Cheap ARM BoardsNational Cheng Kung University
 
Embedded Virtualization applied in Mobile Devices
Embedded Virtualization applied in Mobile DevicesEmbedded Virtualization applied in Mobile Devices
Embedded Virtualization applied in Mobile DevicesNational Cheng Kung University
 
F9: A Secure and Efficient Microkernel Built for Deeply Embedded Systems
F9: A Secure and Efficient Microkernel Built for Deeply Embedded SystemsF9: A Secure and Efficient Microkernel Built for Deeply Embedded Systems
F9: A Secure and Efficient Microkernel Built for Deeply Embedded SystemsNational Cheng Kung University
 
Discover System Facilities inside Your Android Phone
Discover System Facilities inside Your Android Phone Discover System Facilities inside Your Android Phone
Discover System Facilities inside Your Android Phone National Cheng Kung University
 
Android Optimization: Myth and Reality
Android Optimization: Myth and RealityAndroid Optimization: Myth and Reality
Android Optimization: Myth and RealityNational Cheng Kung University
 

Recommended

Embedded Virtualization for Mobile Devices
Embedded Virtualization for Mobile DevicesEmbedded Virtualization for Mobile Devices
Embedded Virtualization for Mobile DevicesNational Cheng Kung University
 
Android Virtualization: Opportunity and Organization
Android Virtualization: Opportunity and OrganizationAndroid Virtualization: Opportunity and Organization
Android Virtualization: Opportunity and OrganizationNational Cheng Kung University
 
olibc: Another C Library optimized for Embedded Linux
olibc: Another C Library optimized for Embedded Linuxolibc: Another C Library optimized for Embedded Linux
olibc: Another C Library optimized for Embedded LinuxNational Cheng Kung University
 
Develop Your Own Operating Systems using Cheap ARM Boards
Develop Your Own Operating Systems using Cheap ARM BoardsDevelop Your Own Operating Systems using Cheap ARM Boards
Develop Your Own Operating Systems using Cheap ARM BoardsNational Cheng Kung University
 
Embedded Virtualization applied in Mobile Devices
Embedded Virtualization applied in Mobile DevicesEmbedded Virtualization applied in Mobile Devices
Embedded Virtualization applied in Mobile DevicesNational Cheng Kung University
 
F9: A Secure and Efficient Microkernel Built for Deeply Embedded Systems
F9: A Secure and Efficient Microkernel Built for Deeply Embedded SystemsF9: A Secure and Efficient Microkernel Built for Deeply Embedded Systems
F9: A Secure and Efficient Microkernel Built for Deeply Embedded SystemsNational Cheng Kung University
 
Discover System Facilities inside Your Android Phone
Discover System Facilities inside Your Android Phone Discover System Facilities inside Your Android Phone
Discover System Facilities inside Your Android Phone National Cheng Kung University
 
Android Optimization: Myth and Reality
Android Optimization: Myth and RealityAndroid Optimization: Myth and Reality
Android Optimization: Myth and RealityNational Cheng Kung University
 
Unix v6 Internals
Unix v6 InternalsUnix v6 Internals
Unix v6 InternalsNational Cheng Kung University
 
Faults inside System Software
Faults inside System SoftwareFaults inside System Software
Faults inside System SoftwareNational Cheng Kung University
 
Explore Android Internals
Explore Android InternalsExplore Android Internals
Explore Android InternalsNational Cheng Kung University
 
Edpm outline
Edpm outlineEdpm outline
Edpm outlineJacqueline Peters-Richardson
 
Implement Runtime Environments for HSA using LLVM
Implement Runtime Environments for HSA using LLVMImplement Runtime Environments for HSA using LLVM
Implement Runtime Environments for HSA using LLVMNational Cheng Kung University
 
Introduction to char device driver
Introduction to char device driverIntroduction to char device driver
Introduction to char device driverVandana Salve
 
Making Linux do Hard Real-time
Making Linux do Hard Real-timeMaking Linux do Hard Real-time
Making Linux do Hard Real-timeNational Cheng Kung University
 
Learn C Programming Language by Using GDB
Learn C Programming Language by Using GDBLearn C Programming Language by Using GDB
Learn C Programming Language by Using GDBNational Cheng Kung University
 
Linux device drivers
Linux device driversLinux device drivers
Linux device driversAbhishek Sagar
 
Understanding Modern Device Drivers
Understanding Modern Device DriversUnderstanding Modern Device Drivers
Understanding Modern Device Driversasimkadav
 
Hints for L4 Microkernel
Hints for L4 MicrokernelHints for L4 Microkernel
Hints for L4 MicrokernelNational Cheng Kung University
 
Device Driver in WinCE 6.0 R2
Device Driver in WinCE 6.0 R2Device Driver in WinCE 6.0 R2
Device Driver in WinCE 6.0 R2rahul_p_shukla
 
linux device driver
linux device driverlinux device driver
linux device driverRahul Batra
 
Gnu linux for safety related systems
Gnu linux for safety related systemsGnu linux for safety related systems
Gnu linux for safety related systemsDTQ4
 
Plan 9: Not (Only) A Better UNIX
Plan 9: Not (Only) A Better UNIXPlan 9: Not (Only) A Better UNIX
Plan 9: Not (Only) A Better UNIXNational Cheng Kung University
 
Accessing Forensic Images
Accessing Forensic ImagesAccessing Forensic Images
Accessing Forensic ImagesCTIN
 
A tour of F9 microkernel and BitSec hypervisor
A tour of F9 microkernel and BitSec hypervisorA tour of F9 microkernel and BitSec hypervisor
A tour of F9 microkernel and BitSec hypervisorLouie Lu
 
Device Drivers
Device DriversDevice Drivers
Device DriversKushal Modi
 
Kernel modules
Kernel modulesKernel modules
Kernel modulesElmàgic Àlàâ
 
Device Tree for Dummies (ELC 2014)
Device Tree for Dummies (ELC 2014)Device Tree for Dummies (ELC 2014)
Device Tree for Dummies (ELC 2014)Thomas Petazzoni
 
C lab manaual
C lab manaualC lab manaual
C lab manaualmanoj11manu
 
Dnb2 ibi rex (1)
Dnb2 ibi rex (1)Dnb2 ibi rex (1)
Dnb2 ibi rex (1)Katy Baldera
 

More Related Content

What's hot

Introduction to char device driver
Introduction to char device driverIntroduction to char device driver
Introduction to char device driverVandana Salve
 
Understanding Modern Device Drivers
Understanding Modern Device DriversUnderstanding Modern Device Drivers
Understanding Modern Device Driversasimkadav
 
Device Driver in WinCE 6.0 R2
Device Driver in WinCE 6.0 R2Device Driver in WinCE 6.0 R2
Device Driver in WinCE 6.0 R2rahul_p_shukla
 
linux device driver
linux device driverlinux device driver
linux device driverRahul Batra
 
Gnu linux for safety related systems
Gnu linux for safety related systemsGnu linux for safety related systems
Gnu linux for safety related systemsDTQ4
 
Accessing Forensic Images
Accessing Forensic ImagesAccessing Forensic Images
Accessing Forensic ImagesCTIN
 
A tour of F9 microkernel and BitSec hypervisor
A tour of F9 microkernel and BitSec hypervisorA tour of F9 microkernel and BitSec hypervisor
A tour of F9 microkernel and BitSec hypervisorLouie Lu
 
Device Tree for Dummies (ELC 2014)
Device Tree for Dummies (ELC 2014)Device Tree for Dummies (ELC 2014)
Device Tree for Dummies (ELC 2014)Thomas Petazzoni
 

What's hot (20)

Unix v6 Internals
Unix v6 InternalsUnix v6 Internals
Unix v6 Internals
 
Faults inside System Software
Faults inside System SoftwareFaults inside System Software
Faults inside System Software
 
Explore Android Internals
Explore Android InternalsExplore Android Internals
Explore Android Internals
 
Edpm outline
Edpm outlineEdpm outline
Edpm outline
 
Implement Runtime Environments for HSA using LLVM
Implement Runtime Environments for HSA using LLVMImplement Runtime Environments for HSA using LLVM
Implement Runtime Environments for HSA using LLVM
 
Introduction to char device driver
Introduction to char device driverIntroduction to char device driver
Introduction to char device driver
 
Making Linux do Hard Real-time
Making Linux do Hard Real-timeMaking Linux do Hard Real-time
Making Linux do Hard Real-time
 
Learn C Programming Language by Using GDB
Learn C Programming Language by Using GDBLearn C Programming Language by Using GDB
Learn C Programming Language by Using GDB
 
Linux device drivers
Linux device driversLinux device drivers
Linux device drivers
 
Understanding Modern Device Drivers
Understanding Modern Device DriversUnderstanding Modern Device Drivers
Understanding Modern Device Drivers
 
Hints for L4 Microkernel
Hints for L4 MicrokernelHints for L4 Microkernel
Hints for L4 Microkernel
 
Device Driver in WinCE 6.0 R2
Device Driver in WinCE 6.0 R2Device Driver in WinCE 6.0 R2
Device Driver in WinCE 6.0 R2
 
linux device driver
linux device driverlinux device driver
linux device driver
 
Gnu linux for safety related systems
Gnu linux for safety related systemsGnu linux for safety related systems
Gnu linux for safety related systems
 
Plan 9: Not (Only) A Better UNIX
Plan 9: Not (Only) A Better UNIXPlan 9: Not (Only) A Better UNIX
Plan 9: Not (Only) A Better UNIX
 
Accessing Forensic Images
Accessing Forensic ImagesAccessing Forensic Images
Accessing Forensic Images
 
A tour of F9 microkernel and BitSec hypervisor
A tour of F9 microkernel and BitSec hypervisorA tour of F9 microkernel and BitSec hypervisor
A tour of F9 microkernel and BitSec hypervisor
 
Device Drivers
Device DriversDevice Drivers
Device Drivers
 
Kernel modules
Kernel modulesKernel modules
Kernel modules
 
Device Tree for Dummies (ELC 2014)
Device Tree for Dummies (ELC 2014)Device Tree for Dummies (ELC 2014)
Device Tree for Dummies (ELC 2014)
 

Viewers also liked

Enoek Alves Application1
Enoek Alves Application1Enoek Alves Application1
Enoek Alves Application1Enoek Alves
 
Prezentacja michał błachnio
Prezentacja michał błachnioPrezentacja michał błachnio
Prezentacja michał błachnioMblachnio9845
 
Diane goodman Herdsa 2013 subm
Diane goodman Herdsa 2013 submDiane goodman Herdsa 2013 subm
Diane goodman Herdsa 2013 submDiane Goodman
 
MCFX Marketing Plan with Facebook Affiliate
MCFX Marketing Plan with Facebook AffiliateMCFX Marketing Plan with Facebook Affiliate
MCFX Marketing Plan with Facebook AffiliateJeanne Mike
 
Rainbow Industries
Rainbow IndustriesRainbow Industries
Rainbow Industriesxdesigns
 

Viewers also liked (7)

C lab manaual
C lab manaualC lab manaual
C lab manaual
 
Dnb2 ibi rex (1)
Dnb2 ibi rex (1)Dnb2 ibi rex (1)
Dnb2 ibi rex (1)
 
Enoek Alves Application1
Enoek Alves Application1Enoek Alves Application1
Enoek Alves Application1
 
Prezentacja michał błachnio
Prezentacja michał błachnioPrezentacja michał błachnio
Prezentacja michał błachnio
 
Diane goodman Herdsa 2013 subm
Diane goodman Herdsa 2013 submDiane goodman Herdsa 2013 subm
Diane goodman Herdsa 2013 subm
 
MCFX Marketing Plan with Facebook Affiliate
MCFX Marketing Plan with Facebook AffiliateMCFX Marketing Plan with Facebook Affiliate
MCFX Marketing Plan with Facebook Affiliate
 
Rainbow Industries
Rainbow IndustriesRainbow Industries
Rainbow Industries
 

Similar to Defeating Windows memory forensics

Hybis: Advanced Introspection for Effective Windows Guest Protection
Hybis: Advanced Introspection for Effective Windows Guest ProtectionHybis: Advanced Introspection for Effective Windows Guest Protection
Hybis: Advanced Introspection for Effective Windows Guest ProtectionFederico Franzoni
 
JetBrains Day Seoul - Exploring .NET’s memory management – a trip down memory...
JetBrains Day Seoul - Exploring .NET’s memory management – a trip down memory...JetBrains Day Seoul - Exploring .NET’s memory management – a trip down memory...
JetBrains Day Seoul - Exploring .NET’s memory management – a trip down memory...Maarten Balliauw
 
Android Forensics: Exploring Android Internals and Android Apps
Android Forensics: Exploring Android Internals and Android AppsAndroid Forensics: Exploring Android Internals and Android Apps
Android Forensics: Exploring Android Internals and Android AppsMoe Tanabian
 
Reverse Engineering 101
Reverse Engineering 101Reverse Engineering 101
Reverse Engineering 101ysurer
 
Hunting Rootkit From the Dark Corners Of Memory
Hunting Rootkit From the Dark Corners Of MemoryHunting Rootkit From the Dark Corners Of Memory
Hunting Rootkit From the Dark Corners Of Memorysecurityxploded
 
One-Byte Modification for Breaking Memory Forensic Analysis
One-Byte Modification for Breaking Memory Forensic AnalysisOne-Byte Modification for Breaking Memory Forensic Analysis
One-Byte Modification for Breaking Memory Forensic AnalysisTakahiro Haruyama
 
Memory Management in Android
Memory Management in AndroidMemory Management in Android
Memory Management in AndroidOpersys inc.
 
Introduction To SPOT
Introduction To SPOTIntroduction To SPOT
Introduction To SPOTpauldeng
 
XPDS14 - Zero-Footprint Guest Memory Introspection from Xen - Mihai Dontu, Bi...
XPDS14 - Zero-Footprint Guest Memory Introspection from Xen - Mihai Dontu, Bi...XPDS14 - Zero-Footprint Guest Memory Introspection from Xen - Mihai Dontu, Bi...
XPDS14 - Zero-Footprint Guest Memory Introspection from Xen - Mihai Dontu, Bi...The Linux Foundation
 
Ov psim demo_slides_power_pc
Ov psim demo_slides_power_pcOv psim demo_slides_power_pc
Ov psim demo_slides_power_pcsimon56
 
Static Memory Leak Detector
Static Memory Leak DetectorStatic Memory Leak Detector
Static Memory Leak DetectorAditya Thatte
 
Memory Management in Android
Memory Management in AndroidMemory Management in Android
Memory Management in AndroidOpersys inc.
 

Similar to Defeating Windows memory forensics (20)

You suck at Memory Analysis
You suck at Memory AnalysisYou suck at Memory Analysis
You suck at Memory Analysis
 
淺談探索 Linux 系統設計之道
淺談探索 Linux 系統設計之道 淺談探索 Linux 系統設計之道
淺談探索 Linux 系統設計之道
 
Hybis: Advanced Introspection for Effective Windows Guest Protection
Hybis: Advanced Introspection for Effective Windows Guest ProtectionHybis: Advanced Introspection for Effective Windows Guest Protection
Hybis: Advanced Introspection for Effective Windows Guest Protection
 
Walking around linux kernel
Walking around linux kernelWalking around linux kernel
Walking around linux kernel
 
JetBrains Day Seoul - Exploring .NET’s memory management – a trip down memory...
JetBrains Day Seoul - Exploring .NET’s memory management – a trip down memory...JetBrains Day Seoul - Exploring .NET’s memory management – a trip down memory...
JetBrains Day Seoul - Exploring .NET’s memory management – a trip down memory...
 
Android Forensics: Exploring Android Internals and Android Apps
Android Forensics: Exploring Android Internals and Android AppsAndroid Forensics: Exploring Android Internals and Android Apps
Android Forensics: Exploring Android Internals and Android Apps
 
Reverse Engineering 101
Reverse Engineering 101Reverse Engineering 101
Reverse Engineering 101
 
.ppt
.ppt.ppt
.ppt
 
Hunting Rootkit From the Dark Corners Of Memory
Hunting Rootkit From the Dark Corners Of MemoryHunting Rootkit From the Dark Corners Of Memory
Hunting Rootkit From the Dark Corners Of Memory
 
One-Byte Modification for Breaking Memory Forensic Analysis
One-Byte Modification for Breaking Memory Forensic AnalysisOne-Byte Modification for Breaking Memory Forensic Analysis
One-Byte Modification for Breaking Memory Forensic Analysis
 
[ppt]
[ppt][ppt]
[ppt]
 
Memory Management in Android
Memory Management in AndroidMemory Management in Android
Memory Management in Android
 
Introduction To SPOT
Introduction To SPOTIntroduction To SPOT
Introduction To SPOT
 
XPDS14 - Zero-Footprint Guest Memory Introspection from Xen - Mihai Dontu, Bi...
XPDS14 - Zero-Footprint Guest Memory Introspection from Xen - Mihai Dontu, Bi...XPDS14 - Zero-Footprint Guest Memory Introspection from Xen - Mihai Dontu, Bi...
XPDS14 - Zero-Footprint Guest Memory Introspection from Xen - Mihai Dontu, Bi...
 
Ov psim demo_slides_power_pc
Ov psim demo_slides_power_pcOv psim demo_slides_power_pc
Ov psim demo_slides_power_pc
 
Hunting rootkit from dark corners of memory
Hunting rootkit from dark corners of memoryHunting rootkit from dark corners of memory
Hunting rootkit from dark corners of memory
 
Static Memory Leak Detector
Static Memory Leak DetectorStatic Memory Leak Detector
Static Memory Leak Detector
 
Understand study
Understand studyUnderstand study
Understand study
 
Spo2 t19 spo2-t19
Spo2 t19 spo2-t19Spo2 t19 spo2-t19
Spo2 t19 spo2-t19
 
Memory Management in Android
Memory Management in AndroidMemory Management in Android
Memory Management in Android
 

Defeating Windows memory forensics

  • 1. Defeating Windows memory forensics FSEC 2012 September 19, 2012. Luka Milković Luka.Milkovic@infigo.hr INFIGO IS http://www.infigo.hr
  • 2. Agenda Memory forensics Why? How? Previous memory anti-forensic techniques Windows related Memory acquisition process – flawed by design? Defeating Windows memory forensics Impossible in user-mode… …or not? Possible solutions
  • 3. Memory forensics – why? Disk forensics prevalent, but memory forensics increasingly popular Used by incident handlers… Malware detection objects hidden by rootkits (processes, threads, etc.) memory-resident malware unpacked/unencrypted images Recently used files „Dead objects” terminated processes, threads, connections… … and the bad guys Password recovery
  • 4. Memory forensics – how? Two consecutive processes Memory acquisition Memory analysis Acquisition Many tools, focus on free ones Mandiant Memoryze Moonsols Windows Memory Toolkit (Win32dd) ManTech MDD
  • 5. Memory forensics – how? (2) Analysis Finding OS and other artifacts in image Free and commercial tools Volatility Framework Mandiant Redline/Memoryze EnCase, HBGary Responder and many other All support raw dump, weak support for hib/crash file Volatility has weak support for x64
  • 6. Memory forensics – how? (3) „The big picture” Analysis tool Acquisition tool Memory dump User mode Install driver Kernel mode Acquisition driver Remote host Send dump over network Memory dump algorithm 1. Reading DevicePhysicalMemory 2. Physical space mapping (MmMapIoSpace()) 3. Raw Virtual2Physical mapping
  • 7. Previous works - simple Blocking acquisition Killing acquisition process tools always have the same names Blocking driver installation driver installation is necessary on OS >= Win2k3 names not random Metasploit script not available anymore Evasion very simple Rename process Rename driver not that easy if you don’t have the source
  • 8. Previous works – advanced Blocking analysis Haruyama/Suzuki BH-EU-12: One-byte Modification for Breaking Memory Forensic Analysis minimal modifications to OS artifacts in memory targets key steps of analysis to make it impossible/difficult so-called abort factors tool specific Pros: subtle modifications (harder detection) Cons: cannot hide arbitrary object (could theoretically) breaks entire analysis – can raise suspicion
  • 9. Previous works – advanced (2) Attacking acquisition & analysis Sparks/Butler BH-JP-05: Shadow Walker – Raising the bar for Rootkit Detection intentional desynchronization of ITLB/DTLB faking reads of and writes to „arbitrary” memory location execute access not faked Pros: awesome idea:) hides (almost) arbitrary objects Cons: not very stable (and no MP/HT support) page fault handler visible (code and IDT hook) performance
  • 10. Memory acquisition – flawed by design? Where is the weakest link? Analysis tool Acquisition tool Memory dump User mode Attacker kernel access == Install driver Kernel mode Acquisition driver Remote host Send dump over network Memory dump algorithm 1. Reading DevicePhysicalMemory 2. Physical space mapping (MmMapIoSpace()) 3. Raw Virtual2Physical mapping
  • 11. Defeating Windows memory forensics Introducing Dementia PoC tool for hiding objects in memory dumps currently only processes x86 only Kernel driver NtWriteFile inline hook could hook even lower list of addresses to be hidden virt2phys translation – using DTB of System process clears process allocation (PoolTag „Proc”) „unlinks” the process from the process list in dump clears EPROCESS block
  • 12. Defeating Windows memory forensics (2)
  • 13. Defeating Windows memory forensics (3) Limitations Plenty of other artifacts not hidden Handle tables not cleaned Memory allocated by process not cleaned including process code and data Work in progress!
  • 14. Memoryze case Memoryze is interesting… Not reliant on API calls? What about
  • 15. Memoryze case (2) Memoryze re-designed the workflow a bit: Analysis tool Write dump Acquisition tool Memory dump User mode Install driver Kernel mode Return read page Acquisition driver Dump memory Memory dump algorithm 1. Reading DevicePhysicalMemory 2. Physical space mapping (MmMapIoSpace())
  • 16. Memoryze case (3) Yes, attacker can now modify dump from the user mode:) Dementia module Hiding target process, process threads and connections completely from the user mode, no driver used currently even more advanced than the driver mode:) Injects to Memoryze process Hooks DeviceIoControl and sanitizes buffers on the fly Works similarly to Volatility but no virt2phys translation, determine everything from the dump has partial knowledge – only single pages of the dump
  • 18. Possible solutions Memoryze should adopt traditional workflow Current is both slow and insecure Use crash dumps (native!) instead of raw dumps Entirely different OS mechanisms Use hibernation files Plagued by the same problems, but more difficult to tamper with Use hardware acquisition tools? Perform anti-rootkit scanning before acquisition?