SlideShare a Scribd company logo
1 of 93
Download to read offline
SECURITY BOOTCAMP 2012 | Make yourself to be an expert!




           1




                       2




   Malware Memory Forensic
           Nguyễn Chấn Việt | vietwow@gmail.com
SECURITY BOOTCAMP 2012 | Make yourself to be an expert!




               2
                     Who am I
Senior Security Researcher
+4 years in Information Security. Focusing on
                        2
Malware Analysis and Exploit Development
Twitter : https://twitter.com/vietwow
SECURITY BOOTCAMP 2012 | Make yourself to be an expert!




               3
                        Agenda
Why Memory Forensics?
What is Memory Forensics?
                    2
Our approach : Rootkit Detection
Windows Platform
Linux Platform
Real-world Malwares
SECURITY BOOTCAMP 2012 | Make yourself to be an expert!



       Why4 Memory Forensics ?
In past, Forensic Analysis = File System
Forensic             2



Why memory forensics ?
Malware Analysis
Incident Respone (IR)


HOT Topic for researchers
SECURITY BOOTCAMP 2012 | Make yourself to be an expert!



             Why5 Memory Forensics ?
Everything in the OS traverses RAM
•Processes and threads
•Malware (including rootkit technologies)
                                  2
•Network sockets, URLs, IP addresses
•Open files
•User generated content
Passwords, caches, clipboards
•Encryption keys
•Hardware and software configuration
•Windows registry keys and event logs
SECURITY BOOTCAMP 2012 | Make yourself to be an expert!



   Memory Forensics Questions…
                6
What processes were running on the suspect system at
the time memory image was taken?
What (hidden or closed) 2processes existed?
Are there any (hidden or closed) network connections?
Are there any (hidden or closed) sockets?
What is the purpose and intent of the suspected file?
Are there any suspicious DLL modules?
Are there any suspicious URLs or IP addresses
associated with a process?
SECURITY BOOTCAMP 2012 | Make yourself to be an expert!



   Memory Forensics Questions…
                7
Are there any suspicious open files associated with a
process?
Are there any closed or hidden files associated with any
                         2
process?
Are there any suspicious strings associated with a
particular process?
Are there any suspicious files present? Can you extract
them?
Can you extract malicious processes from the memory
and analyze it?
SECURITY BOOTCAMP 2012 | Make yourself to be an expert!



   Memory Forensics Questions…
                8
Can you identify the attackers and their IP addresses?
Did the attacker create a user account on the system?
Did the malware modify 2 add any registry entry?
                          or
Does the malware use any type of hooks to hide itself?
Did the malware inject itself to any running processes?
What is the relationship between different processes?
What is the intent and purpose of this malware?
SECURITY BOOTCAMP 2012 | Make yourself to be an expert!



     What 9is Memory Forensics?
Là kỹ thuật/quá trình phân tích dấu vết dựa trên
memory (RAM) của 1 hệ thống
                         2
Bao gồm physical memory (RAM) và Page File/Swap
SECURITY BOOTCAMP 2012 | Make yourself to be an expert!



            Memory Acquisition
                10
Winen (Guidance Software)
FastDump Pro (HB Gary) - Limited Free version
available                2

FTK Imager - Free
DD Free but limited - May not work on later versions of
Windows
WinHex - Has some limitations
Nigilant32 - Free but for 32-bit systems only
Memoryze (Mandiant) - Free
SECURITY BOOTCAMP 2012 | Make yourself to be an expert!



Virtual Machine Memory Acquisition
               11




                           2
SECURITY BOOTCAMP 2012 | Make yourself to be an expert!



             Memory Forensic Tools
Volatility           12

https://www.volatilesystems.com/default/volatility
Free & Open Source
                                  2
Mandiant Redline
http://www.mandiant.com/resources/download/redline/
Free


HBGary Responder
http://www.hbgary.com/responder-pro-2
$$$ - Pro
Community Edition available
SECURITY BOOTCAMP 2012 | Make yourself to be an expert!




                13
                       Volatility
An advanced memory forensics framework
OpenSource
                      2
Written by Python
Primarily Windows-focused
Linux (Android) & Mac support now available
Modular, portable

Main reason why I’m here :D
SECURITY BOOTCAMP 2012 | Make yourself to be an expert!




                       14
                                Volatility
Volatility supports the following extraction capabilities for memory images:
Image date and time
Running processes
                                      2
Open network sockets
Open network connections
DLLs loaded for each process
Open files for each process
Open registry keys for each process
Memory maps for each process
Extract executable samples
Scanning examples: processes, threads, sockets, connections, modules
SECURITY BOOTCAMP 2012 | Make yourself to be an expert!




           15




                       2


          General checking
SECURITY BOOTCAMP 2012 | Make yourself to be an expert!




           16




                       2


         Windows Platform
SECURITY BOOTCAMP 2012 | Make yourself to be an expert!




               17
                      Volatility
                           pslist
List the processes of a system. This walks the doubly-
linked list pointed to by 2
                          PsActiveProcessHead. It does
not detect hidden or unlinked processes.
SECURITY BOOTCAMP 2012 | Make yourself to be an expert!




               18
                      Volatility
                      connections
To view the active connections
                           2
SECURITY BOOTCAMP 2012 | Make yourself to be an expert!




               19
                      Volatility
                           dlllist
Print all loaded DLLs
                           2
SECURITY BOOTCAMP 2012 | Make yourself to be an expert!




               20
                      Volatility
                         svcscan
List Windows services
                           2
SECURITY BOOTCAMP 2012 | Make yourself to be an expert!




           21




                       2


            Linux Platform
SECURITY BOOTCAMP 2012 | Make yourself to be an expert!




               22
                      Volatility
                     linux_lsmod
Print all loaded modules
                           2
SECURITY BOOTCAMP 2012 | Make yourself to be an expert!




           23




                       2


            Rootkit Dection
SECURITY BOOTCAMP 2012 | Make yourself to be an expert!




           24




                       2


      [1] Windows Platform
SECURITY BOOTCAMP 2012 | Make yourself to be an expert!




           25




                       2


        [1.1] DLL Injection
SECURITY BOOTCAMP 2012 | Make yourself to be an expert!



    Normal DLL Interaction
       26




                       2
SECURITY BOOTCAMP 2012 | Make yourself to be an expert!



   Injected DLL Interactopn
       27




                       2
SECURITY BOOTCAMP 2012 | Make yourself to be an expert!




                28
                  DLL Injection
DLL Injection là kỹ thuật rất phổ biến được sử dụng bởi
malware
                            2
VirtualAllocEx( ) và CreateRemoteThread( )
SetWindowsHookEx( )
SECURITY BOOTCAMP 2012 | Make yourself to be an expert!



        DLL Injection Detection
          29
                       ldrmodules
 Là module để detect DLL Injection
                          2
 Trong mỗi process, các DLL sẽ được track trong 3
  linked-list
 Stealthy malware sẽ unlink dll của chúng trong các
  linked-list này
 Plugin này sẽ query các linked-list này và hiển thị
  thông tin để ta có thể so sánh
SECURITY BOOTCAMP 2012 | Make yourself to be an expert!




                30




                            2


[1.2] Usermode & Kernelmode Hooking
SECURITY BOOTCAMP 2012 | Make yourself to be an expert!



    Levels31 Access in Windows
           of
 Ring 3 – User Land
    User
     Administrator         2
     System


 Ring 0 – Kernel Land
    Drivers
SECURITY BOOTCAMP 2012 | Make yourself to be an expert!




           32
                OS Internals
                               •   Readfile() called on File1.txt
                               •   Transition to Ring 0
                               •   NtReadFile() processed
                       2       •   I/O Subsystem called
                               •   IRP generated

                               •   Data at File1.txt requested from
                                   ntfs.sys

                               •   Data on D: requested from dmio.sys

                               •   Data on disk 2 requested from
                                   disk.sys
SECURITY BOOTCAMP 2012 | Make yourself to be an expert!




           33
                OS Internals
                               •   Binary replacement eg modified Exe
                                   or Dll


                       2       •   Binary modification in memory eg
                                   He4Hook



                               •   User land hooking eg Hacker
                                   Defender
                               •   IAT hooking
SECURITY BOOTCAMP 2012 | Make yourself to be an expert!




           34
                OS Internals
                               •   Kernel Hooking
                               •   E.g. NtRootkit

                       2       •   Driver replacement
                               •    E.g. replace ntfs.sys with ntfss.sys

                               •   Direct Kernel Object Manipulation –
                                   DKOM
                               •    E.g. Fu, FuTo
SECURITY BOOTCAMP 2012 | Make yourself to be an expert!




           35
                OS Internals
                               •   IO Request Packet (IRP) Hooking
                               •   IRP Dispatch Table

                       2
                               •    E.g. He4Hook (some versions)
SECURITY BOOTCAMP 2012 | Make yourself to be an expert!




           36
                OS Internals
                               •   Filter Drivers
                               •   The official Microsoft method
                               •   Types
                       2       •   File system filter
                               •   Volume filter
                               •   Disk Filter
                               •   Bus Filter
                               •
                               •    E.g. Clandestine File System Driver
                                   (CFSD)
SECURITY BOOTCAMP 2012 | Make yourself to be an expert!



         Current Rootkit Capabilities
              37
Hide processes
Hide files
Hide registry entries             2
Hide services
Completely bypass personal firewalls
Undetectable by anti virus
Remotely undetectable
Covert channels - undetectable on the network
Defeat cryptographic hash checking
Install silently
All capabilities ever used by viruses or worms
SECURITY BOOTCAMP 2012 | Make yourself to be an expert!




           38




                       2


 [1.2.1] Usermode Hooking
SECURITY BOOTCAMP 2012 | Make yourself to be an expert!



Windows39GUI Subsystem Hooking
Malware có thể dùng SetWindowsHookEx để intercept
các window message
                           2
SECURITY BOOTCAMP 2012 | Make yourself to be an expert!



Windows GUI Hooking Detection
      40
                    messagehooks
 Là module để detect Windows GUI Hooking
                           2
SECURITY BOOTCAMP 2012 | Make yourself to be an expert!




                     41
                        IAT Hooking
Hook vào IAT Table
của process

                              2
SECURITY BOOTCAMP 2012 | Make yourself to be an expert!




               42
                  IAT Hooking
IAT Hook

                           2
SECURITY BOOTCAMP 2012 | Make yourself to be an expert!




                       43
                          IAT Hooking
void hookFunction( PVOID * thunk, HookedFunction & hookedFunction )
{
    MEMORY_BASIC_INFORMATION mbi;

    //The IAT is marked as read-only memory so we mark it as read-write for the update.
                                       2
    ZeroMemory( &mbi, sizeof( MEMORY_BASIC_INFORMATION ) );
    SIZE_T s = VirtualQuery( thunk, &mbi, sizeof( MEMORY_BASIC_INFORMATION ) );

    BOOL b = VirtualProtect(mbi.BaseAddress, mbi.RegionSize,
                           PAGE_READWRITE, &mbi.Protect );

    if ( hookedFunction.RealFunction == 0 )
    {
      hookedFunction.RealFunction = *thunk;
    }
    *thunk = hookedFunction.HookFunction;

    DWORD oldProtect;
    VirtualProtect(mbi.BaseAddress, mbi.RegionSize, mbi.Protect, &oldProtect);
}
SECURITY BOOTCAMP 2012 | Make yourself to be an expert!



                 Inline Hooking
                44

Thay đổi các byte (thường là 5) đầu tiên của chương
trình
                            2
SECURITY BOOTCAMP 2012 | Make yourself to be an expert!



    Usermode Hooking Detection
         45
                        apihooks
 Là module để detect IAT Hook và Inline Hook
                           2
SECURITY BOOTCAMP 2012 | Make yourself to be an expert!




           46




                       2


[1.2.2] Kernelmode Hooking
SECURITY BOOTCAMP 2012 | Make yourself to be an expert!



                SSDT Hooking
               47

Hook vào SSDT Table

                           2
SECURITY BOOTCAMP 2012 | Make yourself to be an expert!



            SSDT Hooking
           48




                       2
SECURITY BOOTCAMP 2012 | Make yourself to be an expert!


            SSDT Hooking
           49




                       2
SECURITY BOOTCAMP 2012 | Make yourself to be an expert!


                         SSDT Hooking
• Hook the call when the device is created
              50

NTSTATUS Create(PDEVICE_OBJECT DeviceObject,PIRP Irp)
{
    NTSTATUS status = STATUS_SUCCESS;
    if ( !CanWriteToSSDT() )           2
    {
        //Change the read-only SSDT memory block to read/write
        EnableWritingToSSDT();

         OldZwQuerySystemInformation = (ZWQUERYSYSTEMINFORMATION)InterlockedExchange(
                                       (PLONG)&g_MappedSystemCallTable[0xAD],
                                       (LONG) NewQuerySytemInformation);

     }

    Irp->IoStatus.Status = status;
    IoCompleteRequest(Irp,IO_NO_INCREMENT);
    return status;
}
SECURITY BOOTCAMP 2012 | Make yourself to be an expert!



  Kernelmode Hooking Detection
        51
                         ssdt_ex
 Là module để detect SSDT và Inline Hook
                           2
SECURITY BOOTCAMP 2012 | Make yourself to be an expert!




                         52
                                       Others
IDT(Interrupt Descriptor Table) Hooking
Sử dụng module “idt” để detect


SYSENTER / SDT Hooking                    2


Hooking SST (KiServiceTable)


Hooking KiSystemService


IRP Hooking
Sử dụng module “driverirp” để detect


=> not enough time to cover all 
SECURITY BOOTCAMP 2012 | Make yourself to be an expert!




           53




                       2


       [1.3] Process Hiding
SECURITY BOOTCAMP 2012 | Make yourself to be an expert!




                54
                         DKOM
Thay đổi cấu trúc EPROCESS để unlink process cần
hide
Ngoài việc hide process, 2
                         DKOM còn có thể sử dụng
để :
Add Privileges to Tokens
Add Groups to Tokens
Manipulate the Token to Fool the Windows Event Viewer
Hide Ports
Hide drivers
=> FU là rootkit sử dụng kỹ thuật này
SECURITY BOOTCAMP 2012 | Make yourself to be an expert!



    EPROCESS Linked List
       55




                       2
SECURITY BOOTCAMP 2012 | Make yourself to be an expert!



    EPROCESS Linked List
       56




                       2
SECURITY BOOTCAMP 2012 | Make yourself to be an expert!



          Rootkit Detection
          57
          psxview (FU Rootkit)
                       2
SECURITY BOOTCAMP 2012 | Make yourself to be an expert!




           58




                       2


        [1.4] Driver Hiding
SECURITY BOOTCAMP 2012 | Make yourself to be an expert!




                59
                   Driver Hiding
Rootkit sẽ sử dụng kỹ thuật DKOM unlink nó ra khỏi
list of loaded module của kernel
                            2
SECURITY BOOTCAMP 2012 | Make yourself to be an expert!



 Hiding the Kernel Module Detection
          60
                         modscan
 Là module để detect hiding kernel module
                            2
SECURITY BOOTCAMP 2012 | Make yourself to be an expert!




           61




                       2


         [2] Linux Platform
SECURITY BOOTCAMP 2012 | Make yourself to be an expert!




            62




                        2


[2.1] Hiding the Kernel Module
SECURITY BOOTCAMP 2012 | Make yourself to be an expert!



       Hiding the Kernel Module
           63

Rootkit thường tìm cách “giấu” bản thân bằng cách
unlink nó ra khỏi linked-list loaded kernel modules
                          2
List này được export thông qua /proc/modules (lsmod
chính là đọc từ list này và show ra)
SECURITY BOOTCAMP 2012 | Make yourself to be an expert!



 Hiding the Kernel Module Detection
          64
               linux_check_modules
 Là module để detect hiding kernel module
                          2
 Hoạt động dựa trên sysfs để tìm các module đã bị
  remove ra khỏi module list nhưng vẫn đang active
 sysfs là 1 kernel to userland interface, giống như
  /proc, export các info & statistics của kernel
SECURITY BOOTCAMP 2012 | Make yourself to be an expert!




             65




                         2


[2.2] Hooking System Call Table
SECURITY BOOTCAMP 2012 | Make yourself to be an expert!



      Hooking System Call Table
          66

System call là cơ chế để userland code có thể trigger
event handling ở kernel
                          2
Giống API trên Windows
Được quản lý bởi System call table
System call table là 1 array các function pointer. Mỗi 1
function pointer sẽ tương ứng với 1 syscall handler (vd :
sys_read sẽ handle read system call)
Rootkit thường sẽ focus vào việc overwrite table này
SECURITY BOOTCAMP 2012 | Make yourself to be an expert!



Hooking System Call Table Detection
        67
                linux_check_syscall
 Là module để detect System Call Table Hooking
                        2
 Hoạt động dựa trên cơ chế là enumerate và verify
  từng entry trong System Call Table
SECURITY BOOTCAMP 2012 | Make yourself to be an expert!




             68




                         2


[2.3] Hiding Network Connections
SECURITY BOOTCAMP 2012 | Make yourself to be an expert!



    Hiding Network Connections
         69

Hook vào cấu trúc “tcp4_seq_afinfo”, thay đổi member
“show”
                            2
SECURITY BOOTCAMP 2012 | Make yourself to be an expert!



 Hiding Network Connections Detection
         70
                 linux_check_afinfo
 Là module để detect hiding network connection
                        2
 Hoạt động dựa trên cơ chế là duyệt cấu trúc
  “file_operations” và “sequence_operations” của tất cả
  cấu trúc UDP and TCP protocol
SECURITY BOOTCAMP 2012 | Make yourself to be an expert!




           71




                       2


     [2.4] Hiding Processes
SECURITY BOOTCAMP 2012 | Make yourself to be an expert!



                 Hiding Processes
                 72

Phương pháp 1 :
Linux kernel chứa 1 array các cấu trúc task_struct
                             2
Cấu trúc task_struct giống như EPROCESS trên Windows
task_struct bao gồm 2 pointer là prev_run và next_run trỏ tới
process trước và sau nó tương ứng
Để hide process, ta chỉ cần unlink process ra khỏi list prev_task
và next_task này
SECURITY BOOTCAMP 2012 | Make yourself to be an expert!



           Hiding Processes
           73
                                     task_array




                 PID          PID                 PID        PID
              Process 0      2                              1901

                State        State                State     State

              *next_task   *next_task        *next_task   *next_task
              *prev_task   *prev_task        *prev_task   *prev_task
              *next_run    *next_run         *next_run    *next_run
              *prev_run    *prev_run         *prev_run    *prev_run


              *p_pptr
               (null)       *p_pptr           *p_pptr      *p_pptr
                            *p_cptr           *p_cptr      *p_cptr
               *p_cptr      *p_ysptr          *p_ysptr     *p_ysptr
               *p_ysptr     *p_osptr          *p_osptr     *p_osptr
               *p_osptr


                  ...          ...                 ...        ...

                  ...          ...                 ...        ...
SECURITY BOOTCAMP 2012 | Make yourself to be an expert!



           Hiding Processes
           74
                                         task_array




                 PID              PID                 PID
                1901           Process 0
                           2
                State            State                State

              *next_task       *next_task        *next_task
              *prev_task       *prev_task        *prev_task
              *next_run        *next_run         *next_run
              *prev_run        *prev_run         *prev_run



              *p_pptr          *p_pptr            *p_pptr
               *p_cptr          *p_cptr           *p_cptr
               *p_ysptr         *p_ysptr          *p_ysptr
               *p_osptr         *p_osptr          *p_osptr



                  ...              ...                 ...

                  ...              ...                 ...
SECURITY BOOTCAMP 2012 | Make yourself to be an expert!



                 Hiding Processes
                 75

Phương pháp 2 : Hooking /proc :
Mỗi process sẽ có 1 directory tương ứng trong /proc
                             2
Để hide process, rookit sẽ hjack hàm “readdir” và filter out tên
process cần
SECURITY BOOTCAMP 2012 | Make yourself to be an expert!



                      Hiding Processes
                      76

static inline int fuckit_proc_filldir(void *__buf, const char *name, int namelen, loff_t
    offset,
u64 ino, unsigned d_type){
    //our hidden PID :)
                                       2
    if(!strcmp(name,HIDDEN_PID) || !strcmp(name,KEY)){
      return 0;
    }
    return original_filldir(__buf,name,namelen,offset,ino,d_type);
}

static inline int fuckit_proc_readdir(struct file *filp, void *dirent, filldir_t
    filldir){
    //save this, we will need to return it later
    original_filldir = filldir;
    return original_proc_readdir(filp,dirent,fuckit_proc_filldir);
}
SECURITY BOOTCAMP 2012 | Make yourself to be an expert!



          Hiding Processes Detection
             77
                   linux_check_fop
 Là module để detect hiding process
                         2
 Hoạt động dựa trên cơ chế là enumerate /proc
  filesystem và rất các opened file, verify từng member
  của từng file ops structure là hợp lệ
SECURITY BOOTCAMP 2012 | Make yourself to be an expert!




           78




                       2


            Anything else ?
SECURITY BOOTCAMP 2012 | Make yourself to be an expert!



          Scan for Registry Artifacts
             79

 volatility hivescan -f dumped.vmem
 volatility hivelist -f dumped.vmem -o 0x212cb60
                            2
SECURITY BOOTCAMP 2012 | Make yourself to be an expert!



        Data80
             Carving Using Foremost
 Foremost
   foremost -c foremost.conf -t exe –i <PID>.dmp -o
                      2
    output3
SECURITY BOOTCAMP 2012 | Make yourself to be an expert!



       [3] Real-world Malwares
           81

Mixed many concepts :
VirTool:WinNT/Exforel.A
                     2
TDSS Rookit
Zeus
Stunex / Duqu
Flame
SECURITY BOOTCAMP 2012 | Make yourself to be an expert!



      VirTool:WinNT/Exforel.A
          82

Là malware implement lại toàn bộ TCP/IP Stack

                            2
SECURITY BOOTCAMP 2012 | Make yourself to be an expert!




                   83
                      TDSS Rootkit
Gồm 4 biến thể :
TDL-1
TDL-2                          2
TDL-3
TDL-4
SECURITY BOOTCAMP 2012 | Make yourself to be an expert!




                84
                           Zeus
Là 1 dạng trojan chuyên ăn cắp thông tin trong các công
ty/tập đoàn tài chính
                        2
Có 1 số tính năng như 1 rootkit
SECURITY BOOTCAMP 2012 | Make yourself to be an expert!




                    85
                      Stunex / Duqu
Là 1 dạng worm, gồm 2 phiên bản :
Stunex : focus vào việc phá hủy hạ tầng lò phản ứng hạt nhân (PLC) của Iran
                                  2
Duqu : forcus vào việc ăn cắp thông tin
SECURITY BOOTCAMP 2012 | Make yourself to be an expert!




                86
                          Flame
Còn có tên là sKyWiper
Là malware nổi tiếng nhất gần đây, phức tạp hơn nhiều
                        2
so với Duqu. Vừa là 1 backdoor, vừa là trojan, và cũng
có những tính năng như 1 worm
SECURITY BOOTCAMP 2012 | Make yourself to be an expert!




           87
                Comparison

                       2
SECURITY BOOTCAMP 2012 | Make yourself to be an expert!




           88




                       2


                Other cases
SECURITY BOOTCAMP 2012 | Make yourself to be an expert!



               Password Keeper
               89

Password Keeper is a small utility useful for storing our
frequently used passwords. Password information can
be stored, edited and printed with this easy to use
                          2

program.
No mention of protection against memory analysis
SECURITY BOOTCAMP 2012 | Make yourself to be an expert!



                      Password Keeper
                      90
With volatilty we dump the PasswordKeeper processes


                                   2


And strings our password on it
SECURITY BOOTCAMP 2012 | Make yourself to be an expert!




                91
                     Conclusion
Volatility is a great tool for memory forensic
Want to learn more ?
                            2
SANS FOR526: Windows Memory Forensics In-Depth
Windows Memory Forensics Training for Analysts by Volatility
Developers
SECURITY BOOTCAMP 2012 | Make yourself to be an expert!



           Any Questions ?
           92




                       2
SECURITY BOOTCAMP 2012 | Make yourself to be an expert!




           93




     Thank you very much !
                       2

More Related Content

What's hot

penetration test using Kali linux ppt
penetration test using Kali linux pptpenetration test using Kali linux ppt
penetration test using Kali linux pptAbhayNaik8
 
Offensive Security basics part 1
Offensive Security basics  part 1Offensive Security basics  part 1
Offensive Security basics part 1wharpreet
 
Practical Malware Analysis: Ch 4 A Crash Course in x86 Disassembly
Practical Malware Analysis: Ch 4 A Crash Course in x86 Disassembly Practical Malware Analysis: Ch 4 A Crash Course in x86 Disassembly
Practical Malware Analysis: Ch 4 A Crash Course in x86 Disassembly Sam Bowne
 
Intrusion prevention system(ips)
Intrusion prevention system(ips)Intrusion prevention system(ips)
Intrusion prevention system(ips)Papun Papun
 
Computer Security and Intrusion Detection(IDS/IPS)
Computer Security and Intrusion Detection(IDS/IPS)Computer Security and Intrusion Detection(IDS/IPS)
Computer Security and Intrusion Detection(IDS/IPS)LJ PROJECTS
 
Linux operating system
Linux operating systemLinux operating system
Linux operating systemITz_1
 
Tìm hiểu keylogger và thiết kế chương trình keylogger
Tìm hiểu keylogger và thiết kế chương trình keyloggerTìm hiểu keylogger và thiết kế chương trình keylogger
Tìm hiểu keylogger và thiết kế chương trình keyloggerVũ Mạnh Sơn
 
Intrusion Detection System
Intrusion Detection SystemIntrusion Detection System
Intrusion Detection SystemDevil's Cafe
 
X Window System
X Window SystemX Window System
X Window SystemRon Bandes
 
Malware Static Analysis
Malware Static AnalysisMalware Static Analysis
Malware Static AnalysisHossein Yavari
 
CNIT 126 2: Malware Analysis in Virtual Machines & 3: Basic Dynamic Analysis
CNIT 126 2: Malware Analysis in Virtual Machines & 3: Basic Dynamic AnalysisCNIT 126 2: Malware Analysis in Virtual Machines & 3: Basic Dynamic Analysis
CNIT 126 2: Malware Analysis in Virtual Machines & 3: Basic Dynamic AnalysisSam Bowne
 
Understanding the Event Log
Understanding the Event LogUnderstanding the Event Log
Understanding the Event Logchuckbt
 

What's hot (20)

penetration test using Kali linux ppt
penetration test using Kali linux pptpenetration test using Kali linux ppt
penetration test using Kali linux ppt
 
Google Cloud DNS
Google Cloud DNSGoogle Cloud DNS
Google Cloud DNS
 
Intrusion Prevention System
Intrusion Prevention SystemIntrusion Prevention System
Intrusion Prevention System
 
Offensive Security basics part 1
Offensive Security basics  part 1Offensive Security basics  part 1
Offensive Security basics part 1
 
Practical Malware Analysis: Ch 4 A Crash Course in x86 Disassembly
Practical Malware Analysis: Ch 4 A Crash Course in x86 Disassembly Practical Malware Analysis: Ch 4 A Crash Course in x86 Disassembly
Practical Malware Analysis: Ch 4 A Crash Course in x86 Disassembly
 
Malware analysis
Malware analysisMalware analysis
Malware analysis
 
Virtualization security and threat
Virtualization security and threatVirtualization security and threat
Virtualization security and threat
 
Snort
SnortSnort
Snort
 
Introduction to Snort
Introduction to SnortIntroduction to Snort
Introduction to Snort
 
Intrusion prevention system(ips)
Intrusion prevention system(ips)Intrusion prevention system(ips)
Intrusion prevention system(ips)
 
Computer Security and Intrusion Detection(IDS/IPS)
Computer Security and Intrusion Detection(IDS/IPS)Computer Security and Intrusion Detection(IDS/IPS)
Computer Security and Intrusion Detection(IDS/IPS)
 
Linux operating system
Linux operating systemLinux operating system
Linux operating system
 
Tìm hiểu keylogger và thiết kế chương trình keylogger
Tìm hiểu keylogger và thiết kế chương trình keyloggerTìm hiểu keylogger và thiết kế chương trình keylogger
Tìm hiểu keylogger và thiết kế chương trình keylogger
 
Intrusion Detection System
Intrusion Detection SystemIntrusion Detection System
Intrusion Detection System
 
X Window System
X Window SystemX Window System
X Window System
 
Malware Static Analysis
Malware Static AnalysisMalware Static Analysis
Malware Static Analysis
 
Metasploit framwork
Metasploit framworkMetasploit framwork
Metasploit framwork
 
CNIT 126 2: Malware Analysis in Virtual Machines & 3: Basic Dynamic Analysis
CNIT 126 2: Malware Analysis in Virtual Machines & 3: Basic Dynamic AnalysisCNIT 126 2: Malware Analysis in Virtual Machines & 3: Basic Dynamic Analysis
CNIT 126 2: Malware Analysis in Virtual Machines & 3: Basic Dynamic Analysis
 
UNIX/Linux training
UNIX/Linux trainingUNIX/Linux training
UNIX/Linux training
 
Understanding the Event Log
Understanding the Event LogUnderstanding the Event Log
Understanding the Event Log
 

Viewers also liked

Next Generation Memory Forensics
Next Generation Memory ForensicsNext Generation Memory Forensics
Next Generation Memory ForensicsAndrew Case
 
2006 03 15_pe & api hook
2006 03 15_pe & api hook2006 03 15_pe & api hook
2006 03 15_pe & api hook용환 노
 
openioc_scan - IOC scanner for memory forensics
openioc_scan - IOC scanner for memory forensicsopenioc_scan - IOC scanner for memory forensics
openioc_scan - IOC scanner for memory forensicsTakahiro Haruyama
 
Hunting malware with volatility v2.0
Hunting malware with volatility v2.0Hunting malware with volatility v2.0
Hunting malware with volatility v2.0Frank Boldewin
 
One-Byte Modification for Breaking Memory Forensic Analysis
One-Byte Modification for Breaking Memory Forensic AnalysisOne-Byte Modification for Breaking Memory Forensic Analysis
One-Byte Modification for Breaking Memory Forensic AnalysisTakahiro Haruyama
 
Advanced Malware Analysis Training Session 7 - Malware Memory Forensics
Advanced Malware Analysis Training Session 7  - Malware Memory ForensicsAdvanced Malware Analysis Training Session 7  - Malware Memory Forensics
Advanced Malware Analysis Training Session 7 - Malware Memory Forensicssecurityxploded
 
Windows Memory Forensic Analysis using EnCase
Windows Memory Forensic Analysis using EnCaseWindows Memory Forensic Analysis using EnCase
Windows Memory Forensic Analysis using EnCaseTakahiro Haruyama
 
Advanced Malware Analysis Training Session 4 - Anti-Analysis Techniques
Advanced Malware Analysis Training Session 4 - Anti-Analysis TechniquesAdvanced Malware Analysis Training Session 4 - Anti-Analysis Techniques
Advanced Malware Analysis Training Session 4 - Anti-Analysis Techniquessecurityxploded
 
Advanced Malware Analysis Training Session 2 - Botnet Analysis Part 1
Advanced Malware Analysis Training Session 2 - Botnet Analysis Part 1  Advanced Malware Analysis Training Session 2 - Botnet Analysis Part 1
Advanced Malware Analysis Training Session 2 - Botnet Analysis Part 1 securityxploded
 
Advanced Malware Analysis Training Session 1 - Detection and Removal of Malwares
Advanced Malware Analysis Training Session 1 - Detection and Removal of MalwaresAdvanced Malware Analysis Training Session 1 - Detection and Removal of Malwares
Advanced Malware Analysis Training Session 1 - Detection and Removal of Malwaressecurityxploded
 
Advanced Malware Analysis Training Session 3 - Botnet Analysis Part 2
Advanced Malware Analysis Training Session 3 - Botnet Analysis Part 2Advanced Malware Analysis Training Session 3 - Botnet Analysis Part 2
Advanced Malware Analysis Training Session 3 - Botnet Analysis Part 2securityxploded
 
HITCON GIRLS: Android 滲透測試介紹 (Elven Liu)
HITCON GIRLS: Android 滲透測試介紹 (Elven Liu)HITCON GIRLS: Android 滲透測試介紹 (Elven Liu)
HITCON GIRLS: Android 滲透測試介紹 (Elven Liu)HITCON GIRLS
 
HITCON CTF 2016導覽
HITCON CTF 2016導覽HITCON CTF 2016導覽
HITCON CTF 2016導覽HITCON GIRLS
 
HITCON GIRLS 成大講座 惡意程式分析(Turkey)
HITCON GIRLS 成大講座 惡意程式分析(Turkey)HITCON GIRLS 成大講座 惡意程式分析(Turkey)
HITCON GIRLS 成大講座 惡意程式分析(Turkey)HITCON GIRLS
 
HITCON GIRLS 成大講座 基礎知識(蜘子珣)
HITCON GIRLS 成大講座 基礎知識(蜘子珣)HITCON GIRLS 成大講座 基礎知識(蜘子珣)
HITCON GIRLS 成大講座 基礎知識(蜘子珣)HITCON GIRLS
 

Viewers also liked (20)

Next Generation Memory Forensics
Next Generation Memory ForensicsNext Generation Memory Forensics
Next Generation Memory Forensics
 
2006 03 15_pe & api hook
2006 03 15_pe & api hook2006 03 15_pe & api hook
2006 03 15_pe & api hook
 
THOR Apt Scanner
THOR Apt ScannerTHOR Apt Scanner
THOR Apt Scanner
 
openioc_scan - IOC scanner for memory forensics
openioc_scan - IOC scanner for memory forensicsopenioc_scan - IOC scanner for memory forensics
openioc_scan - IOC scanner for memory forensics
 
Hunting malware with volatility v2.0
Hunting malware with volatility v2.0Hunting malware with volatility v2.0
Hunting malware with volatility v2.0
 
One-Byte Modification for Breaking Memory Forensic Analysis
One-Byte Modification for Breaking Memory Forensic AnalysisOne-Byte Modification for Breaking Memory Forensic Analysis
One-Byte Modification for Breaking Memory Forensic Analysis
 
Windows forensic
Windows forensicWindows forensic
Windows forensic
 
Memory Forensics
Memory ForensicsMemory Forensics
Memory Forensics
 
Advanced Malware Analysis Training Session 7 - Malware Memory Forensics
Advanced Malware Analysis Training Session 7  - Malware Memory ForensicsAdvanced Malware Analysis Training Session 7  - Malware Memory Forensics
Advanced Malware Analysis Training Session 7 - Malware Memory Forensics
 
Windows Memory Forensic Analysis using EnCase
Windows Memory Forensic Analysis using EnCaseWindows Memory Forensic Analysis using EnCase
Windows Memory Forensic Analysis using EnCase
 
Advanced Malware Analysis Training Session 4 - Anti-Analysis Techniques
Advanced Malware Analysis Training Session 4 - Anti-Analysis TechniquesAdvanced Malware Analysis Training Session 4 - Anti-Analysis Techniques
Advanced Malware Analysis Training Session 4 - Anti-Analysis Techniques
 
Advanced Malware Analysis Training Session 2 - Botnet Analysis Part 1
Advanced Malware Analysis Training Session 2 - Botnet Analysis Part 1  Advanced Malware Analysis Training Session 2 - Botnet Analysis Part 1
Advanced Malware Analysis Training Session 2 - Botnet Analysis Part 1
 
Advanced Malware Analysis Training Session 1 - Detection and Removal of Malwares
Advanced Malware Analysis Training Session 1 - Detection and Removal of MalwaresAdvanced Malware Analysis Training Session 1 - Detection and Removal of Malwares
Advanced Malware Analysis Training Session 1 - Detection and Removal of Malwares
 
Advanced Malware Analysis Training Session 3 - Botnet Analysis Part 2
Advanced Malware Analysis Training Session 3 - Botnet Analysis Part 2Advanced Malware Analysis Training Session 3 - Botnet Analysis Part 2
Advanced Malware Analysis Training Session 3 - Botnet Analysis Part 2
 
HITCON GIRLS: Android 滲透測試介紹 (Elven Liu)
HITCON GIRLS: Android 滲透測試介紹 (Elven Liu)HITCON GIRLS: Android 滲透測試介紹 (Elven Liu)
HITCON GIRLS: Android 滲透測試介紹 (Elven Liu)
 
HITCON CTF 2016導覽
HITCON CTF 2016導覽HITCON CTF 2016導覽
HITCON CTF 2016導覽
 
HITCON GIRLS Malware Analysis
HITCON GIRLS Malware AnalysisHITCON GIRLS Malware Analysis
HITCON GIRLS Malware Analysis
 
CTF 經驗分享
CTF 經驗分享CTF 經驗分享
CTF 經驗分享
 
HITCON GIRLS 成大講座 惡意程式分析(Turkey)
HITCON GIRLS 成大講座 惡意程式分析(Turkey)HITCON GIRLS 成大講座 惡意程式分析(Turkey)
HITCON GIRLS 成大講座 惡意程式分析(Turkey)
 
HITCON GIRLS 成大講座 基礎知識(蜘子珣)
HITCON GIRLS 成大講座 基礎知識(蜘子珣)HITCON GIRLS 成大講座 基礎知識(蜘子珣)
HITCON GIRLS 成大講座 基礎知識(蜘子珣)
 

Similar to SBC 2012 - Malware Memory Forensics (Nguyễn Chấn Việt)

Finfisher- Nguyễn Chấn Việt
Finfisher- Nguyễn Chấn ViệtFinfisher- Nguyễn Chấn Việt
Finfisher- Nguyễn Chấn ViệtSecurity Bootcamp
 
IoT: Contrasting Yocto/Buildroot to binary OSes
IoT: Contrasting Yocto/Buildroot to binary OSesIoT: Contrasting Yocto/Buildroot to binary OSes
IoT: Contrasting Yocto/Buildroot to binary OSesMender.io
 
Piratng Avs to bypass exploit mitigation
Piratng Avs to bypass exploit mitigationPiratng Avs to bypass exploit mitigation
Piratng Avs to bypass exploit mitigationPriyanka Aash
 
Captain Hook: Pirating AVs to Bypass Exploit Mitigations
Captain Hook: Pirating AVs to Bypass Exploit MitigationsCaptain Hook: Pirating AVs to Bypass Exploit Mitigations
Captain Hook: Pirating AVs to Bypass Exploit MitigationsenSilo
 
Securing your Cloud Environment v2
Securing your Cloud Environment v2Securing your Cloud Environment v2
Securing your Cloud Environment v2ShapeBlue
 
EMBA Firmware analysis - TROOPERS22
EMBA Firmware analysis - TROOPERS22EMBA Firmware analysis - TROOPERS22
EMBA Firmware analysis - TROOPERS22MichaelM85042
 
DEF CON 27 - HUBER AND ROSKOSCH - im on your phone listening attacking voip c...
DEF CON 27 - HUBER AND ROSKOSCH - im on your phone listening attacking voip c...DEF CON 27 - HUBER AND ROSKOSCH - im on your phone listening attacking voip c...
DEF CON 27 - HUBER AND ROSKOSCH - im on your phone listening attacking voip c...Felipe Prado
 
Rootkit Hunting & Compromise Detection
Rootkit Hunting & Compromise DetectionRootkit Hunting & Compromise Detection
Rootkit Hunting & Compromise Detectionamiable_indian
 
Fuzzing malware for fun & profit. Applying Coverage-Guided Fuzzing to Find Bu...
Fuzzing malware for fun & profit. Applying Coverage-Guided Fuzzing to Find Bu...Fuzzing malware for fun & profit. Applying Coverage-Guided Fuzzing to Find Bu...
Fuzzing malware for fun & profit. Applying Coverage-Guided Fuzzing to Find Bu...Maksim Shudrak
 
IoT Development from Prototype to Production
IoT Development from Prototype to ProductionIoT Development from Prototype to Production
IoT Development from Prototype to ProductionMender.io
 
Hybis: Advanced Introspection for Effective Windows Guest Protection
Hybis: Advanced Introspection for Effective Windows Guest ProtectionHybis: Advanced Introspection for Effective Windows Guest Protection
Hybis: Advanced Introspection for Effective Windows Guest ProtectionFederico Franzoni
 
Journey from Monolith to a Modularized Application - Approach and Key Learnin...
Journey from Monolith to a Modularized Application - Approach and Key Learnin...Journey from Monolith to a Modularized Application - Approach and Key Learnin...
Journey from Monolith to a Modularized Application - Approach and Key Learnin...mfrancis
 
Iot development from prototype to production
Iot development from prototype to productionIot development from prototype to production
Iot development from prototype to productionMender.io
 
Fighting Malware Without Antivirus
Fighting Malware Without AntivirusFighting Malware Without Antivirus
Fighting Malware Without AntivirusEnergySec
 
Green Dam Analysis Valkyrie-X by Alnthony Lai
Green Dam Analysis Valkyrie-X by Alnthony LaiGreen Dam Analysis Valkyrie-X by Alnthony Lai
Green Dam Analysis Valkyrie-X by Alnthony LaiCharles Mok
 
Ceh v8 labs module 05 system hacking
Ceh v8 labs module 05 system hackingCeh v8 labs module 05 system hacking
Ceh v8 labs module 05 system hackingAsep Sopyan
 
TDC2016SP - Trilha Linux Embarcado
TDC2016SP - Trilha Linux EmbarcadoTDC2016SP - Trilha Linux Embarcado
TDC2016SP - Trilha Linux Embarcadotdc-globalcode
 
Drupal Dev Days Vienna 2023 - What is the secure software supply chain and th...
Drupal Dev Days Vienna 2023 - What is the secure software supply chain and th...Drupal Dev Days Vienna 2023 - What is the secure software supply chain and th...
Drupal Dev Days Vienna 2023 - What is the secure software supply chain and th...sparkfabrik
 

Similar to SBC 2012 - Malware Memory Forensics (Nguyễn Chấn Việt) (20)

Finfisher- Nguyễn Chấn Việt
Finfisher- Nguyễn Chấn ViệtFinfisher- Nguyễn Chấn Việt
Finfisher- Nguyễn Chấn Việt
 
IoT: Contrasting Yocto/Buildroot to binary OSes
IoT: Contrasting Yocto/Buildroot to binary OSesIoT: Contrasting Yocto/Buildroot to binary OSes
IoT: Contrasting Yocto/Buildroot to binary OSes
 
Piratng Avs to bypass exploit mitigation
Piratng Avs to bypass exploit mitigationPiratng Avs to bypass exploit mitigation
Piratng Avs to bypass exploit mitigation
 
Captain Hook: Pirating AVs to Bypass Exploit Mitigations
Captain Hook: Pirating AVs to Bypass Exploit MitigationsCaptain Hook: Pirating AVs to Bypass Exploit Mitigations
Captain Hook: Pirating AVs to Bypass Exploit Mitigations
 
Securing your Cloud Environment v2
Securing your Cloud Environment v2Securing your Cloud Environment v2
Securing your Cloud Environment v2
 
EMBA Firmware analysis - TROOPERS22
EMBA Firmware analysis - TROOPERS22EMBA Firmware analysis - TROOPERS22
EMBA Firmware analysis - TROOPERS22
 
DEF CON 27 - HUBER AND ROSKOSCH - im on your phone listening attacking voip c...
DEF CON 27 - HUBER AND ROSKOSCH - im on your phone listening attacking voip c...DEF CON 27 - HUBER AND ROSKOSCH - im on your phone listening attacking voip c...
DEF CON 27 - HUBER AND ROSKOSCH - im on your phone listening attacking voip c...
 
Rootkit Hunting & Compromise Detection
Rootkit Hunting & Compromise DetectionRootkit Hunting & Compromise Detection
Rootkit Hunting & Compromise Detection
 
Fuzzing malware for fun & profit. Applying Coverage-Guided Fuzzing to Find Bu...
Fuzzing malware for fun & profit. Applying Coverage-Guided Fuzzing to Find Bu...Fuzzing malware for fun & profit. Applying Coverage-Guided Fuzzing to Find Bu...
Fuzzing malware for fun & profit. Applying Coverage-Guided Fuzzing to Find Bu...
 
IoT Development from Prototype to Production
IoT Development from Prototype to ProductionIoT Development from Prototype to Production
IoT Development from Prototype to Production
 
Hybis: Advanced Introspection for Effective Windows Guest Protection
Hybis: Advanced Introspection for Effective Windows Guest ProtectionHybis: Advanced Introspection for Effective Windows Guest Protection
Hybis: Advanced Introspection for Effective Windows Guest Protection
 
Journey from Monolith to a Modularized Application - Approach and Key Learnin...
Journey from Monolith to a Modularized Application - Approach and Key Learnin...Journey from Monolith to a Modularized Application - Approach and Key Learnin...
Journey from Monolith to a Modularized Application - Approach and Key Learnin...
 
Iot development from prototype to production
Iot development from prototype to productionIot development from prototype to production
Iot development from prototype to production
 
Fighting Malware Without Antivirus
Fighting Malware Without AntivirusFighting Malware Without Antivirus
Fighting Malware Without Antivirus
 
Compiling Malware Features
Compiling Malware FeaturesCompiling Malware Features
Compiling Malware Features
 
PostScript: Danger Ahead?!
PostScript: Danger Ahead?!PostScript: Danger Ahead?!
PostScript: Danger Ahead?!
 
Green Dam Analysis Valkyrie-X by Alnthony Lai
Green Dam Analysis Valkyrie-X by Alnthony LaiGreen Dam Analysis Valkyrie-X by Alnthony Lai
Green Dam Analysis Valkyrie-X by Alnthony Lai
 
Ceh v8 labs module 05 system hacking
Ceh v8 labs module 05 system hackingCeh v8 labs module 05 system hacking
Ceh v8 labs module 05 system hacking
 
TDC2016SP - Trilha Linux Embarcado
TDC2016SP - Trilha Linux EmbarcadoTDC2016SP - Trilha Linux Embarcado
TDC2016SP - Trilha Linux Embarcado
 
Drupal Dev Days Vienna 2023 - What is the secure software supply chain and th...
Drupal Dev Days Vienna 2023 - What is the secure software supply chain and th...Drupal Dev Days Vienna 2023 - What is the secure software supply chain and th...
Drupal Dev Days Vienna 2023 - What is the secure software supply chain and th...
 

More from Security Bootcamp

Ransomware is Knocking your Door_Final.pdf
Ransomware is Knocking your Door_Final.pdfRansomware is Knocking your Door_Final.pdf
Ransomware is Knocking your Door_Final.pdfSecurity Bootcamp
 
Hieupc-The role of psychology in enhancing cybersecurity
Hieupc-The role of psychology in enhancing cybersecurityHieupc-The role of psychology in enhancing cybersecurity
Hieupc-The role of psychology in enhancing cybersecuritySecurity Bootcamp
 
Nguyen Huu Trung - Building a web vulnerability scanner - From a hacker’s view
Nguyen Huu Trung - Building a web vulnerability scanner - From a hacker’s viewNguyen Huu Trung - Building a web vulnerability scanner - From a hacker’s view
Nguyen Huu Trung - Building a web vulnerability scanner - From a hacker’s viewSecurity Bootcamp
 
Sbc 2020 bao gio vn co anm dua vao cong nghe mo
Sbc 2020 bao gio vn co anm dua vao cong nghe moSbc 2020 bao gio vn co anm dua vao cong nghe mo
Sbc 2020 bao gio vn co anm dua vao cong nghe moSecurity Bootcamp
 
Giam sat thu dong thong tin an toan hang hai su dung sdr
Giam sat thu dong thong tin an toan hang hai su dung sdrGiam sat thu dong thong tin an toan hang hai su dung sdr
Giam sat thu dong thong tin an toan hang hai su dung sdrSecurity Bootcamp
 
Insider threat-what-us-do d-want
Insider threat-what-us-do d-wantInsider threat-what-us-do d-want
Insider threat-what-us-do d-wantSecurity Bootcamp
 
Macro malware common techniques - public
Macro malware   common techniques - publicMacro malware   common techniques - public
Macro malware common techniques - publicSecurity Bootcamp
 
Malware detection-using-machine-learning
Malware detection-using-machine-learningMalware detection-using-machine-learning
Malware detection-using-machine-learningSecurity Bootcamp
 
Tim dieu moi trong nhung dieu cu
Tim dieu moi trong nhung dieu cuTim dieu moi trong nhung dieu cu
Tim dieu moi trong nhung dieu cuSecurity Bootcamp
 
Threat detection with 0 cost
Threat detection with 0 costThreat detection with 0 cost
Threat detection with 0 costSecurity Bootcamp
 
GOLDEN TICKET - Hiểm hoa tiềm ẩn trong hệ thống Active Directory
GOLDEN TICKET -  Hiểm hoa tiềm ẩn trong hệ thống Active DirectoryGOLDEN TICKET -  Hiểm hoa tiềm ẩn trong hệ thống Active Directory
GOLDEN TICKET - Hiểm hoa tiềm ẩn trong hệ thống Active DirectorySecurity Bootcamp
 
PHÂN TÍCH MỘT SỐ CUỘC TẤN CÔNG APT ĐIỂN HÌNH NHẮM VÀO VIỆT NAM 2017-2018
PHÂN TÍCH MỘT SỐ CUỘC TẤN CÔNG APT ĐIỂN HÌNH NHẮM VÀO VIỆT NAM 2017-2018PHÂN TÍCH MỘT SỐ CUỘC TẤN CÔNG APT ĐIỂN HÌNH NHẮM VÀO VIỆT NAM 2017-2018
PHÂN TÍCH MỘT SỐ CUỘC TẤN CÔNG APT ĐIỂN HÌNH NHẮM VÀO VIỆT NAM 2017-2018Security Bootcamp
 
Lannguyen-Detecting Cyber Attacks
Lannguyen-Detecting Cyber AttacksLannguyen-Detecting Cyber Attacks
Lannguyen-Detecting Cyber AttacksSecurity Bootcamp
 
Letrungnghia-gopyluananm2018
Letrungnghia-gopyluananm2018Letrungnghia-gopyluananm2018
Letrungnghia-gopyluananm2018Security Bootcamp
 

More from Security Bootcamp (20)

Ransomware is Knocking your Door_Final.pdf
Ransomware is Knocking your Door_Final.pdfRansomware is Knocking your Door_Final.pdf
Ransomware is Knocking your Door_Final.pdf
 
Hieupc-The role of psychology in enhancing cybersecurity
Hieupc-The role of psychology in enhancing cybersecurityHieupc-The role of psychology in enhancing cybersecurity
Hieupc-The role of psychology in enhancing cybersecurity
 
Nguyen Huu Trung - Building a web vulnerability scanner - From a hacker’s view
Nguyen Huu Trung - Building a web vulnerability scanner - From a hacker’s viewNguyen Huu Trung - Building a web vulnerability scanner - From a hacker’s view
Nguyen Huu Trung - Building a web vulnerability scanner - From a hacker’s view
 
Sbc 2020 bao gio vn co anm dua vao cong nghe mo
Sbc 2020 bao gio vn co anm dua vao cong nghe moSbc 2020 bao gio vn co anm dua vao cong nghe mo
Sbc 2020 bao gio vn co anm dua vao cong nghe mo
 
Deception change-the-game
Deception change-the-gameDeception change-the-game
Deception change-the-game
 
Giam sat thu dong thong tin an toan hang hai su dung sdr
Giam sat thu dong thong tin an toan hang hai su dung sdrGiam sat thu dong thong tin an toan hang hai su dung sdr
Giam sat thu dong thong tin an toan hang hai su dung sdr
 
Sbc2019 luong-cyber startup
Sbc2019 luong-cyber startupSbc2019 luong-cyber startup
Sbc2019 luong-cyber startup
 
Insider threat-what-us-do d-want
Insider threat-what-us-do d-wantInsider threat-what-us-do d-want
Insider threat-what-us-do d-want
 
Macro malware common techniques - public
Macro malware   common techniques - publicMacro malware   common techniques - public
Macro malware common techniques - public
 
Malware detection-using-machine-learning
Malware detection-using-machine-learningMalware detection-using-machine-learning
Malware detection-using-machine-learning
 
Tim dieu moi trong nhung dieu cu
Tim dieu moi trong nhung dieu cuTim dieu moi trong nhung dieu cu
Tim dieu moi trong nhung dieu cu
 
Threat detection with 0 cost
Threat detection with 0 costThreat detection with 0 cost
Threat detection with 0 cost
 
Build SOC
Build SOC Build SOC
Build SOC
 
AD red vs blue
AD red vs blueAD red vs blue
AD red vs blue
 
Securitybox
SecurityboxSecuritybox
Securitybox
 
GOLDEN TICKET - Hiểm hoa tiềm ẩn trong hệ thống Active Directory
GOLDEN TICKET -  Hiểm hoa tiềm ẩn trong hệ thống Active DirectoryGOLDEN TICKET -  Hiểm hoa tiềm ẩn trong hệ thống Active Directory
GOLDEN TICKET - Hiểm hoa tiềm ẩn trong hệ thống Active Directory
 
PHÂN TÍCH MỘT SỐ CUỘC TẤN CÔNG APT ĐIỂN HÌNH NHẮM VÀO VIỆT NAM 2017-2018
PHÂN TÍCH MỘT SỐ CUỘC TẤN CÔNG APT ĐIỂN HÌNH NHẮM VÀO VIỆT NAM 2017-2018PHÂN TÍCH MỘT SỐ CUỘC TẤN CÔNG APT ĐIỂN HÌNH NHẮM VÀO VIỆT NAM 2017-2018
PHÂN TÍCH MỘT SỐ CUỘC TẤN CÔNG APT ĐIỂN HÌNH NHẮM VÀO VIỆT NAM 2017-2018
 
Api security-present
Api security-presentApi security-present
Api security-present
 
Lannguyen-Detecting Cyber Attacks
Lannguyen-Detecting Cyber AttacksLannguyen-Detecting Cyber Attacks
Lannguyen-Detecting Cyber Attacks
 
Letrungnghia-gopyluananm2018
Letrungnghia-gopyluananm2018Letrungnghia-gopyluananm2018
Letrungnghia-gopyluananm2018
 

Recently uploaded

So einfach geht modernes Roaming fuer Notes und Nomad.pdf
So einfach geht modernes Roaming fuer Notes und Nomad.pdfSo einfach geht modernes Roaming fuer Notes und Nomad.pdf
So einfach geht modernes Roaming fuer Notes und Nomad.pdfpanagenda
 
Landscape Catalogue 2024 Australia-1.pdf
Landscape Catalogue 2024 Australia-1.pdfLandscape Catalogue 2024 Australia-1.pdf
Landscape Catalogue 2024 Australia-1.pdfAarwolf Industries LLC
 
JET Technology Labs White Paper for Virtualized Security and Encryption Techn...
JET Technology Labs White Paper for Virtualized Security and Encryption Techn...JET Technology Labs White Paper for Virtualized Security and Encryption Techn...
JET Technology Labs White Paper for Virtualized Security and Encryption Techn...amber724300
 
Accelerating Enterprise Software Engineering with Platformless
Accelerating Enterprise Software Engineering with PlatformlessAccelerating Enterprise Software Engineering with Platformless
Accelerating Enterprise Software Engineering with PlatformlessWSO2
 
Generative Artificial Intelligence: How generative AI works.pdf
Generative Artificial Intelligence: How generative AI works.pdfGenerative Artificial Intelligence: How generative AI works.pdf
Generative Artificial Intelligence: How generative AI works.pdfIngrid Airi González
 
Email Marketing Automation for Bonterra Impact Management (fka Social Solutio...
Email Marketing Automation for Bonterra Impact Management (fka Social Solutio...Email Marketing Automation for Bonterra Impact Management (fka Social Solutio...
Email Marketing Automation for Bonterra Impact Management (fka Social Solutio...Jeffrey Haguewood
 
Digital Tools & AI in Career Development
Digital Tools & AI in Career DevelopmentDigital Tools & AI in Career Development
Digital Tools & AI in Career DevelopmentMahmoud Rabie
 
How to Effectively Monitor SD-WAN and SASE Environments with ThousandEyes
How to Effectively Monitor SD-WAN and SASE Environments with ThousandEyesHow to Effectively Monitor SD-WAN and SASE Environments with ThousandEyes
How to Effectively Monitor SD-WAN and SASE Environments with ThousandEyesThousandEyes
 
React JS; all concepts. Contains React Features, JSX, functional & Class comp...
React JS; all concepts. Contains React Features, JSX, functional & Class comp...React JS; all concepts. Contains React Features, JSX, functional & Class comp...
React JS; all concepts. Contains React Features, JSX, functional & Class comp...Karmanjay Verma
 
Connecting the Dots for Information Discovery.pdf
Connecting the Dots for Information Discovery.pdfConnecting the Dots for Information Discovery.pdf
Connecting the Dots for Information Discovery.pdfNeo4j
 
Tampa BSides - The No BS SOC (slides from April 6, 2024 talk)
Tampa BSides - The No BS SOC (slides from April 6, 2024 talk)Tampa BSides - The No BS SOC (slides from April 6, 2024 talk)
Tampa BSides - The No BS SOC (slides from April 6, 2024 talk)Mark Simos
 
Unleashing Real-time Insights with ClickHouse_ Navigating the Landscape in 20...
Unleashing Real-time Insights with ClickHouse_ Navigating the Landscape in 20...Unleashing Real-time Insights with ClickHouse_ Navigating the Landscape in 20...
Unleashing Real-time Insights with ClickHouse_ Navigating the Landscape in 20...Alkin Tezuysal
 
A Glance At The Java Performance Toolbox
A Glance At The Java Performance ToolboxA Glance At The Java Performance Toolbox
A Glance At The Java Performance ToolboxAna-Maria Mihalceanu
 
WomenInAutomation2024: AI and Automation for eveyone
WomenInAutomation2024: AI and Automation for eveyoneWomenInAutomation2024: AI and Automation for eveyone
WomenInAutomation2024: AI and Automation for eveyoneUiPathCommunity
 
Varsha Sewlal- Cyber Attacks on Critical Critical Infrastructure
Varsha Sewlal- Cyber Attacks on Critical Critical InfrastructureVarsha Sewlal- Cyber Attacks on Critical Critical Infrastructure
Varsha Sewlal- Cyber Attacks on Critical Critical Infrastructureitnewsafrica
 
Microsoft 365 Copilot: How to boost your productivity with AI – Part two: Dat...
Microsoft 365 Copilot: How to boost your productivity with AI – Part two: Dat...Microsoft 365 Copilot: How to boost your productivity with AI – Part two: Dat...
Microsoft 365 Copilot: How to boost your productivity with AI – Part two: Dat...Nikki Chapple
 
Microservices, Docker deploy and Microservices source code in C#
Microservices, Docker deploy and Microservices source code in C#Microservices, Docker deploy and Microservices source code in C#
Microservices, Docker deploy and Microservices source code in C#Karmanjay Verma
 
Assure Ecommerce and Retail Operations Uptime with ThousandEyes
Assure Ecommerce and Retail Operations Uptime with ThousandEyesAssure Ecommerce and Retail Operations Uptime with ThousandEyes
Assure Ecommerce and Retail Operations Uptime with ThousandEyesThousandEyes
 
[Webinar] SpiraTest - Setting New Standards in Quality Assurance
[Webinar] SpiraTest - Setting New Standards in Quality Assurance[Webinar] SpiraTest - Setting New Standards in Quality Assurance
[Webinar] SpiraTest - Setting New Standards in Quality AssuranceInflectra
 
Design pattern talk by Kaya Weers - 2024 (v2)
Design pattern talk by Kaya Weers - 2024 (v2)Design pattern talk by Kaya Weers - 2024 (v2)
Design pattern talk by Kaya Weers - 2024 (v2)Kaya Weers
 

Recently uploaded (20)

So einfach geht modernes Roaming fuer Notes und Nomad.pdf
So einfach geht modernes Roaming fuer Notes und Nomad.pdfSo einfach geht modernes Roaming fuer Notes und Nomad.pdf
So einfach geht modernes Roaming fuer Notes und Nomad.pdf
 
Landscape Catalogue 2024 Australia-1.pdf
Landscape Catalogue 2024 Australia-1.pdfLandscape Catalogue 2024 Australia-1.pdf
Landscape Catalogue 2024 Australia-1.pdf
 
JET Technology Labs White Paper for Virtualized Security and Encryption Techn...
JET Technology Labs White Paper for Virtualized Security and Encryption Techn...JET Technology Labs White Paper for Virtualized Security and Encryption Techn...
JET Technology Labs White Paper for Virtualized Security and Encryption Techn...
 
Accelerating Enterprise Software Engineering with Platformless
Accelerating Enterprise Software Engineering with PlatformlessAccelerating Enterprise Software Engineering with Platformless
Accelerating Enterprise Software Engineering with Platformless
 
Generative Artificial Intelligence: How generative AI works.pdf
Generative Artificial Intelligence: How generative AI works.pdfGenerative Artificial Intelligence: How generative AI works.pdf
Generative Artificial Intelligence: How generative AI works.pdf
 
Email Marketing Automation for Bonterra Impact Management (fka Social Solutio...
Email Marketing Automation for Bonterra Impact Management (fka Social Solutio...Email Marketing Automation for Bonterra Impact Management (fka Social Solutio...
Email Marketing Automation for Bonterra Impact Management (fka Social Solutio...
 
Digital Tools & AI in Career Development
Digital Tools & AI in Career DevelopmentDigital Tools & AI in Career Development
Digital Tools & AI in Career Development
 
How to Effectively Monitor SD-WAN and SASE Environments with ThousandEyes
How to Effectively Monitor SD-WAN and SASE Environments with ThousandEyesHow to Effectively Monitor SD-WAN and SASE Environments with ThousandEyes
How to Effectively Monitor SD-WAN and SASE Environments with ThousandEyes
 
React JS; all concepts. Contains React Features, JSX, functional & Class comp...
React JS; all concepts. Contains React Features, JSX, functional & Class comp...React JS; all concepts. Contains React Features, JSX, functional & Class comp...
React JS; all concepts. Contains React Features, JSX, functional & Class comp...
 
Connecting the Dots for Information Discovery.pdf
Connecting the Dots for Information Discovery.pdfConnecting the Dots for Information Discovery.pdf
Connecting the Dots for Information Discovery.pdf
 
Tampa BSides - The No BS SOC (slides from April 6, 2024 talk)
Tampa BSides - The No BS SOC (slides from April 6, 2024 talk)Tampa BSides - The No BS SOC (slides from April 6, 2024 talk)
Tampa BSides - The No BS SOC (slides from April 6, 2024 talk)
 
Unleashing Real-time Insights with ClickHouse_ Navigating the Landscape in 20...
Unleashing Real-time Insights with ClickHouse_ Navigating the Landscape in 20...Unleashing Real-time Insights with ClickHouse_ Navigating the Landscape in 20...
Unleashing Real-time Insights with ClickHouse_ Navigating the Landscape in 20...
 
A Glance At The Java Performance Toolbox
A Glance At The Java Performance ToolboxA Glance At The Java Performance Toolbox
A Glance At The Java Performance Toolbox
 
WomenInAutomation2024: AI and Automation for eveyone
WomenInAutomation2024: AI and Automation for eveyoneWomenInAutomation2024: AI and Automation for eveyone
WomenInAutomation2024: AI and Automation for eveyone
 
Varsha Sewlal- Cyber Attacks on Critical Critical Infrastructure
Varsha Sewlal- Cyber Attacks on Critical Critical InfrastructureVarsha Sewlal- Cyber Attacks on Critical Critical Infrastructure
Varsha Sewlal- Cyber Attacks on Critical Critical Infrastructure
 
Microsoft 365 Copilot: How to boost your productivity with AI – Part two: Dat...
Microsoft 365 Copilot: How to boost your productivity with AI – Part two: Dat...Microsoft 365 Copilot: How to boost your productivity with AI – Part two: Dat...
Microsoft 365 Copilot: How to boost your productivity with AI – Part two: Dat...
 
Microservices, Docker deploy and Microservices source code in C#
Microservices, Docker deploy and Microservices source code in C#Microservices, Docker deploy and Microservices source code in C#
Microservices, Docker deploy and Microservices source code in C#
 
Assure Ecommerce and Retail Operations Uptime with ThousandEyes
Assure Ecommerce and Retail Operations Uptime with ThousandEyesAssure Ecommerce and Retail Operations Uptime with ThousandEyes
Assure Ecommerce and Retail Operations Uptime with ThousandEyes
 
[Webinar] SpiraTest - Setting New Standards in Quality Assurance
[Webinar] SpiraTest - Setting New Standards in Quality Assurance[Webinar] SpiraTest - Setting New Standards in Quality Assurance
[Webinar] SpiraTest - Setting New Standards in Quality Assurance
 
Design pattern talk by Kaya Weers - 2024 (v2)
Design pattern talk by Kaya Weers - 2024 (v2)Design pattern talk by Kaya Weers - 2024 (v2)
Design pattern talk by Kaya Weers - 2024 (v2)
 

SBC 2012 - Malware Memory Forensics (Nguyễn Chấn Việt)

  • 1. SECURITY BOOTCAMP 2012 | Make yourself to be an expert! 1 2 Malware Memory Forensic Nguyễn Chấn Việt | vietwow@gmail.com
  • 2. SECURITY BOOTCAMP 2012 | Make yourself to be an expert! 2 Who am I Senior Security Researcher +4 years in Information Security. Focusing on 2 Malware Analysis and Exploit Development Twitter : https://twitter.com/vietwow
  • 3. SECURITY BOOTCAMP 2012 | Make yourself to be an expert! 3 Agenda Why Memory Forensics? What is Memory Forensics? 2 Our approach : Rootkit Detection Windows Platform Linux Platform Real-world Malwares
  • 4. SECURITY BOOTCAMP 2012 | Make yourself to be an expert! Why4 Memory Forensics ? In past, Forensic Analysis = File System Forensic 2 Why memory forensics ? Malware Analysis Incident Respone (IR) HOT Topic for researchers
  • 5. SECURITY BOOTCAMP 2012 | Make yourself to be an expert! Why5 Memory Forensics ? Everything in the OS traverses RAM •Processes and threads •Malware (including rootkit technologies) 2 •Network sockets, URLs, IP addresses •Open files •User generated content Passwords, caches, clipboards •Encryption keys •Hardware and software configuration •Windows registry keys and event logs
  • 6. SECURITY BOOTCAMP 2012 | Make yourself to be an expert! Memory Forensics Questions… 6 What processes were running on the suspect system at the time memory image was taken? What (hidden or closed) 2processes existed? Are there any (hidden or closed) network connections? Are there any (hidden or closed) sockets? What is the purpose and intent of the suspected file? Are there any suspicious DLL modules? Are there any suspicious URLs or IP addresses associated with a process?
  • 7. SECURITY BOOTCAMP 2012 | Make yourself to be an expert! Memory Forensics Questions… 7 Are there any suspicious open files associated with a process? Are there any closed or hidden files associated with any 2 process? Are there any suspicious strings associated with a particular process? Are there any suspicious files present? Can you extract them? Can you extract malicious processes from the memory and analyze it?
  • 8. SECURITY BOOTCAMP 2012 | Make yourself to be an expert! Memory Forensics Questions… 8 Can you identify the attackers and their IP addresses? Did the attacker create a user account on the system? Did the malware modify 2 add any registry entry? or Does the malware use any type of hooks to hide itself? Did the malware inject itself to any running processes? What is the relationship between different processes? What is the intent and purpose of this malware?
  • 9. SECURITY BOOTCAMP 2012 | Make yourself to be an expert! What 9is Memory Forensics? Là kỹ thuật/quá trình phân tích dấu vết dựa trên memory (RAM) của 1 hệ thống 2 Bao gồm physical memory (RAM) và Page File/Swap
  • 10. SECURITY BOOTCAMP 2012 | Make yourself to be an expert! Memory Acquisition 10 Winen (Guidance Software) FastDump Pro (HB Gary) - Limited Free version available 2 FTK Imager - Free DD Free but limited - May not work on later versions of Windows WinHex - Has some limitations Nigilant32 - Free but for 32-bit systems only Memoryze (Mandiant) - Free
  • 11. SECURITY BOOTCAMP 2012 | Make yourself to be an expert! Virtual Machine Memory Acquisition 11 2
  • 12. SECURITY BOOTCAMP 2012 | Make yourself to be an expert! Memory Forensic Tools Volatility 12 https://www.volatilesystems.com/default/volatility Free & Open Source 2 Mandiant Redline http://www.mandiant.com/resources/download/redline/ Free HBGary Responder http://www.hbgary.com/responder-pro-2 $$$ - Pro Community Edition available
  • 13. SECURITY BOOTCAMP 2012 | Make yourself to be an expert! 13 Volatility An advanced memory forensics framework OpenSource 2 Written by Python Primarily Windows-focused Linux (Android) & Mac support now available Modular, portable Main reason why I’m here :D
  • 14. SECURITY BOOTCAMP 2012 | Make yourself to be an expert! 14 Volatility Volatility supports the following extraction capabilities for memory images: Image date and time Running processes 2 Open network sockets Open network connections DLLs loaded for each process Open files for each process Open registry keys for each process Memory maps for each process Extract executable samples Scanning examples: processes, threads, sockets, connections, modules
  • 15. SECURITY BOOTCAMP 2012 | Make yourself to be an expert! 15 2 General checking
  • 16. SECURITY BOOTCAMP 2012 | Make yourself to be an expert! 16 2 Windows Platform
  • 17. SECURITY BOOTCAMP 2012 | Make yourself to be an expert! 17 Volatility pslist List the processes of a system. This walks the doubly- linked list pointed to by 2 PsActiveProcessHead. It does not detect hidden or unlinked processes.
  • 18. SECURITY BOOTCAMP 2012 | Make yourself to be an expert! 18 Volatility connections To view the active connections 2
  • 19. SECURITY BOOTCAMP 2012 | Make yourself to be an expert! 19 Volatility dlllist Print all loaded DLLs 2
  • 20. SECURITY BOOTCAMP 2012 | Make yourself to be an expert! 20 Volatility svcscan List Windows services 2
  • 21. SECURITY BOOTCAMP 2012 | Make yourself to be an expert! 21 2 Linux Platform
  • 22. SECURITY BOOTCAMP 2012 | Make yourself to be an expert! 22 Volatility linux_lsmod Print all loaded modules 2
  • 23. SECURITY BOOTCAMP 2012 | Make yourself to be an expert! 23 2 Rootkit Dection
  • 24. SECURITY BOOTCAMP 2012 | Make yourself to be an expert! 24 2 [1] Windows Platform
  • 25. SECURITY BOOTCAMP 2012 | Make yourself to be an expert! 25 2 [1.1] DLL Injection
  • 26. SECURITY BOOTCAMP 2012 | Make yourself to be an expert! Normal DLL Interaction 26 2
  • 27. SECURITY BOOTCAMP 2012 | Make yourself to be an expert! Injected DLL Interactopn 27 2
  • 28. SECURITY BOOTCAMP 2012 | Make yourself to be an expert! 28 DLL Injection DLL Injection là kỹ thuật rất phổ biến được sử dụng bởi malware 2 VirtualAllocEx( ) và CreateRemoteThread( ) SetWindowsHookEx( )
  • 29. SECURITY BOOTCAMP 2012 | Make yourself to be an expert! DLL Injection Detection 29 ldrmodules  Là module để detect DLL Injection 2  Trong mỗi process, các DLL sẽ được track trong 3 linked-list  Stealthy malware sẽ unlink dll của chúng trong các linked-list này  Plugin này sẽ query các linked-list này và hiển thị thông tin để ta có thể so sánh
  • 30. SECURITY BOOTCAMP 2012 | Make yourself to be an expert! 30 2 [1.2] Usermode & Kernelmode Hooking
  • 31. SECURITY BOOTCAMP 2012 | Make yourself to be an expert! Levels31 Access in Windows of  Ring 3 – User Land  User  Administrator 2  System  Ring 0 – Kernel Land  Drivers
  • 32. SECURITY BOOTCAMP 2012 | Make yourself to be an expert! 32 OS Internals • Readfile() called on File1.txt • Transition to Ring 0 • NtReadFile() processed 2 • I/O Subsystem called • IRP generated • Data at File1.txt requested from ntfs.sys • Data on D: requested from dmio.sys • Data on disk 2 requested from disk.sys
  • 33. SECURITY BOOTCAMP 2012 | Make yourself to be an expert! 33 OS Internals • Binary replacement eg modified Exe or Dll 2 • Binary modification in memory eg He4Hook • User land hooking eg Hacker Defender • IAT hooking
  • 34. SECURITY BOOTCAMP 2012 | Make yourself to be an expert! 34 OS Internals • Kernel Hooking • E.g. NtRootkit 2 • Driver replacement • E.g. replace ntfs.sys with ntfss.sys • Direct Kernel Object Manipulation – DKOM • E.g. Fu, FuTo
  • 35. SECURITY BOOTCAMP 2012 | Make yourself to be an expert! 35 OS Internals • IO Request Packet (IRP) Hooking • IRP Dispatch Table 2 • E.g. He4Hook (some versions)
  • 36. SECURITY BOOTCAMP 2012 | Make yourself to be an expert! 36 OS Internals • Filter Drivers • The official Microsoft method • Types 2 • File system filter • Volume filter • Disk Filter • Bus Filter • • E.g. Clandestine File System Driver (CFSD)
  • 37. SECURITY BOOTCAMP 2012 | Make yourself to be an expert! Current Rootkit Capabilities 37 Hide processes Hide files Hide registry entries 2 Hide services Completely bypass personal firewalls Undetectable by anti virus Remotely undetectable Covert channels - undetectable on the network Defeat cryptographic hash checking Install silently All capabilities ever used by viruses or worms
  • 38. SECURITY BOOTCAMP 2012 | Make yourself to be an expert! 38 2 [1.2.1] Usermode Hooking
  • 39. SECURITY BOOTCAMP 2012 | Make yourself to be an expert! Windows39GUI Subsystem Hooking Malware có thể dùng SetWindowsHookEx để intercept các window message 2
  • 40. SECURITY BOOTCAMP 2012 | Make yourself to be an expert! Windows GUI Hooking Detection 40 messagehooks  Là module để detect Windows GUI Hooking 2
  • 41. SECURITY BOOTCAMP 2012 | Make yourself to be an expert! 41 IAT Hooking Hook vào IAT Table của process 2
  • 42. SECURITY BOOTCAMP 2012 | Make yourself to be an expert! 42 IAT Hooking IAT Hook 2
  • 43. SECURITY BOOTCAMP 2012 | Make yourself to be an expert! 43 IAT Hooking void hookFunction( PVOID * thunk, HookedFunction & hookedFunction ) { MEMORY_BASIC_INFORMATION mbi; //The IAT is marked as read-only memory so we mark it as read-write for the update. 2 ZeroMemory( &mbi, sizeof( MEMORY_BASIC_INFORMATION ) ); SIZE_T s = VirtualQuery( thunk, &mbi, sizeof( MEMORY_BASIC_INFORMATION ) ); BOOL b = VirtualProtect(mbi.BaseAddress, mbi.RegionSize, PAGE_READWRITE, &mbi.Protect ); if ( hookedFunction.RealFunction == 0 ) { hookedFunction.RealFunction = *thunk; } *thunk = hookedFunction.HookFunction; DWORD oldProtect; VirtualProtect(mbi.BaseAddress, mbi.RegionSize, mbi.Protect, &oldProtect); }
  • 44. SECURITY BOOTCAMP 2012 | Make yourself to be an expert! Inline Hooking 44 Thay đổi các byte (thường là 5) đầu tiên của chương trình 2
  • 45. SECURITY BOOTCAMP 2012 | Make yourself to be an expert! Usermode Hooking Detection 45 apihooks  Là module để detect IAT Hook và Inline Hook 2
  • 46. SECURITY BOOTCAMP 2012 | Make yourself to be an expert! 46 2 [1.2.2] Kernelmode Hooking
  • 47. SECURITY BOOTCAMP 2012 | Make yourself to be an expert! SSDT Hooking 47 Hook vào SSDT Table 2
  • 48. SECURITY BOOTCAMP 2012 | Make yourself to be an expert! SSDT Hooking 48 2
  • 49. SECURITY BOOTCAMP 2012 | Make yourself to be an expert! SSDT Hooking 49 2
  • 50. SECURITY BOOTCAMP 2012 | Make yourself to be an expert! SSDT Hooking • Hook the call when the device is created 50 NTSTATUS Create(PDEVICE_OBJECT DeviceObject,PIRP Irp) { NTSTATUS status = STATUS_SUCCESS; if ( !CanWriteToSSDT() ) 2 { //Change the read-only SSDT memory block to read/write EnableWritingToSSDT(); OldZwQuerySystemInformation = (ZWQUERYSYSTEMINFORMATION)InterlockedExchange( (PLONG)&g_MappedSystemCallTable[0xAD], (LONG) NewQuerySytemInformation); } Irp->IoStatus.Status = status; IoCompleteRequest(Irp,IO_NO_INCREMENT); return status; }
  • 51. SECURITY BOOTCAMP 2012 | Make yourself to be an expert! Kernelmode Hooking Detection 51 ssdt_ex  Là module để detect SSDT và Inline Hook 2
  • 52. SECURITY BOOTCAMP 2012 | Make yourself to be an expert! 52 Others IDT(Interrupt Descriptor Table) Hooking Sử dụng module “idt” để detect SYSENTER / SDT Hooking 2 Hooking SST (KiServiceTable) Hooking KiSystemService IRP Hooking Sử dụng module “driverirp” để detect => not enough time to cover all 
  • 53. SECURITY BOOTCAMP 2012 | Make yourself to be an expert! 53 2 [1.3] Process Hiding
  • 54. SECURITY BOOTCAMP 2012 | Make yourself to be an expert! 54 DKOM Thay đổi cấu trúc EPROCESS để unlink process cần hide Ngoài việc hide process, 2 DKOM còn có thể sử dụng để : Add Privileges to Tokens Add Groups to Tokens Manipulate the Token to Fool the Windows Event Viewer Hide Ports Hide drivers => FU là rootkit sử dụng kỹ thuật này
  • 55. SECURITY BOOTCAMP 2012 | Make yourself to be an expert! EPROCESS Linked List 55 2
  • 56. SECURITY BOOTCAMP 2012 | Make yourself to be an expert! EPROCESS Linked List 56 2
  • 57. SECURITY BOOTCAMP 2012 | Make yourself to be an expert! Rootkit Detection 57 psxview (FU Rootkit) 2
  • 58. SECURITY BOOTCAMP 2012 | Make yourself to be an expert! 58 2 [1.4] Driver Hiding
  • 59. SECURITY BOOTCAMP 2012 | Make yourself to be an expert! 59 Driver Hiding Rootkit sẽ sử dụng kỹ thuật DKOM unlink nó ra khỏi list of loaded module của kernel 2
  • 60. SECURITY BOOTCAMP 2012 | Make yourself to be an expert! Hiding the Kernel Module Detection 60 modscan  Là module để detect hiding kernel module 2
  • 61. SECURITY BOOTCAMP 2012 | Make yourself to be an expert! 61 2 [2] Linux Platform
  • 62. SECURITY BOOTCAMP 2012 | Make yourself to be an expert! 62 2 [2.1] Hiding the Kernel Module
  • 63. SECURITY BOOTCAMP 2012 | Make yourself to be an expert! Hiding the Kernel Module 63 Rootkit thường tìm cách “giấu” bản thân bằng cách unlink nó ra khỏi linked-list loaded kernel modules 2 List này được export thông qua /proc/modules (lsmod chính là đọc từ list này và show ra)
  • 64. SECURITY BOOTCAMP 2012 | Make yourself to be an expert! Hiding the Kernel Module Detection 64 linux_check_modules  Là module để detect hiding kernel module 2  Hoạt động dựa trên sysfs để tìm các module đã bị remove ra khỏi module list nhưng vẫn đang active  sysfs là 1 kernel to userland interface, giống như /proc, export các info & statistics của kernel
  • 65. SECURITY BOOTCAMP 2012 | Make yourself to be an expert! 65 2 [2.2] Hooking System Call Table
  • 66. SECURITY BOOTCAMP 2012 | Make yourself to be an expert! Hooking System Call Table 66 System call là cơ chế để userland code có thể trigger event handling ở kernel 2 Giống API trên Windows Được quản lý bởi System call table System call table là 1 array các function pointer. Mỗi 1 function pointer sẽ tương ứng với 1 syscall handler (vd : sys_read sẽ handle read system call) Rootkit thường sẽ focus vào việc overwrite table này
  • 67. SECURITY BOOTCAMP 2012 | Make yourself to be an expert! Hooking System Call Table Detection 67 linux_check_syscall  Là module để detect System Call Table Hooking 2  Hoạt động dựa trên cơ chế là enumerate và verify từng entry trong System Call Table
  • 68. SECURITY BOOTCAMP 2012 | Make yourself to be an expert! 68 2 [2.3] Hiding Network Connections
  • 69. SECURITY BOOTCAMP 2012 | Make yourself to be an expert! Hiding Network Connections 69 Hook vào cấu trúc “tcp4_seq_afinfo”, thay đổi member “show” 2
  • 70. SECURITY BOOTCAMP 2012 | Make yourself to be an expert! Hiding Network Connections Detection 70 linux_check_afinfo  Là module để detect hiding network connection 2  Hoạt động dựa trên cơ chế là duyệt cấu trúc “file_operations” và “sequence_operations” của tất cả cấu trúc UDP and TCP protocol
  • 71. SECURITY BOOTCAMP 2012 | Make yourself to be an expert! 71 2 [2.4] Hiding Processes
  • 72. SECURITY BOOTCAMP 2012 | Make yourself to be an expert! Hiding Processes 72 Phương pháp 1 : Linux kernel chứa 1 array các cấu trúc task_struct 2 Cấu trúc task_struct giống như EPROCESS trên Windows task_struct bao gồm 2 pointer là prev_run và next_run trỏ tới process trước và sau nó tương ứng Để hide process, ta chỉ cần unlink process ra khỏi list prev_task và next_task này
  • 73. SECURITY BOOTCAMP 2012 | Make yourself to be an expert! Hiding Processes 73 task_array PID PID PID PID Process 0 2 1901 State State State State *next_task *next_task *next_task *next_task *prev_task *prev_task *prev_task *prev_task *next_run *next_run *next_run *next_run *prev_run *prev_run *prev_run *prev_run *p_pptr (null) *p_pptr *p_pptr *p_pptr *p_cptr *p_cptr *p_cptr *p_cptr *p_ysptr *p_ysptr *p_ysptr *p_ysptr *p_osptr *p_osptr *p_osptr *p_osptr ... ... ... ... ... ... ... ...
  • 74. SECURITY BOOTCAMP 2012 | Make yourself to be an expert! Hiding Processes 74 task_array PID PID PID 1901 Process 0 2 State State State *next_task *next_task *next_task *prev_task *prev_task *prev_task *next_run *next_run *next_run *prev_run *prev_run *prev_run *p_pptr *p_pptr *p_pptr *p_cptr *p_cptr *p_cptr *p_ysptr *p_ysptr *p_ysptr *p_osptr *p_osptr *p_osptr ... ... ... ... ... ...
  • 75. SECURITY BOOTCAMP 2012 | Make yourself to be an expert! Hiding Processes 75 Phương pháp 2 : Hooking /proc : Mỗi process sẽ có 1 directory tương ứng trong /proc 2 Để hide process, rookit sẽ hjack hàm “readdir” và filter out tên process cần
  • 76. SECURITY BOOTCAMP 2012 | Make yourself to be an expert! Hiding Processes 76 static inline int fuckit_proc_filldir(void *__buf, const char *name, int namelen, loff_t offset, u64 ino, unsigned d_type){ //our hidden PID :) 2 if(!strcmp(name,HIDDEN_PID) || !strcmp(name,KEY)){ return 0; } return original_filldir(__buf,name,namelen,offset,ino,d_type); } static inline int fuckit_proc_readdir(struct file *filp, void *dirent, filldir_t filldir){ //save this, we will need to return it later original_filldir = filldir; return original_proc_readdir(filp,dirent,fuckit_proc_filldir); }
  • 77. SECURITY BOOTCAMP 2012 | Make yourself to be an expert! Hiding Processes Detection 77 linux_check_fop  Là module để detect hiding process 2  Hoạt động dựa trên cơ chế là enumerate /proc filesystem và rất các opened file, verify từng member của từng file ops structure là hợp lệ
  • 78. SECURITY BOOTCAMP 2012 | Make yourself to be an expert! 78 2 Anything else ?
  • 79. SECURITY BOOTCAMP 2012 | Make yourself to be an expert! Scan for Registry Artifacts 79  volatility hivescan -f dumped.vmem  volatility hivelist -f dumped.vmem -o 0x212cb60 2
  • 80. SECURITY BOOTCAMP 2012 | Make yourself to be an expert! Data80 Carving Using Foremost  Foremost foremost -c foremost.conf -t exe –i <PID>.dmp -o 2 output3
  • 81. SECURITY BOOTCAMP 2012 | Make yourself to be an expert! [3] Real-world Malwares 81 Mixed many concepts : VirTool:WinNT/Exforel.A 2 TDSS Rookit Zeus Stunex / Duqu Flame
  • 82. SECURITY BOOTCAMP 2012 | Make yourself to be an expert! VirTool:WinNT/Exforel.A 82 Là malware implement lại toàn bộ TCP/IP Stack 2
  • 83. SECURITY BOOTCAMP 2012 | Make yourself to be an expert! 83 TDSS Rootkit Gồm 4 biến thể : TDL-1 TDL-2 2 TDL-3 TDL-4
  • 84. SECURITY BOOTCAMP 2012 | Make yourself to be an expert! 84 Zeus Là 1 dạng trojan chuyên ăn cắp thông tin trong các công ty/tập đoàn tài chính 2 Có 1 số tính năng như 1 rootkit
  • 85. SECURITY BOOTCAMP 2012 | Make yourself to be an expert! 85 Stunex / Duqu Là 1 dạng worm, gồm 2 phiên bản : Stunex : focus vào việc phá hủy hạ tầng lò phản ứng hạt nhân (PLC) của Iran 2 Duqu : forcus vào việc ăn cắp thông tin
  • 86. SECURITY BOOTCAMP 2012 | Make yourself to be an expert! 86 Flame Còn có tên là sKyWiper Là malware nổi tiếng nhất gần đây, phức tạp hơn nhiều 2 so với Duqu. Vừa là 1 backdoor, vừa là trojan, và cũng có những tính năng như 1 worm
  • 87. SECURITY BOOTCAMP 2012 | Make yourself to be an expert! 87 Comparison 2
  • 88. SECURITY BOOTCAMP 2012 | Make yourself to be an expert! 88 2 Other cases
  • 89. SECURITY BOOTCAMP 2012 | Make yourself to be an expert! Password Keeper 89 Password Keeper is a small utility useful for storing our frequently used passwords. Password information can be stored, edited and printed with this easy to use 2 program. No mention of protection against memory analysis
  • 90. SECURITY BOOTCAMP 2012 | Make yourself to be an expert! Password Keeper 90 With volatilty we dump the PasswordKeeper processes 2 And strings our password on it
  • 91. SECURITY BOOTCAMP 2012 | Make yourself to be an expert! 91 Conclusion Volatility is a great tool for memory forensic Want to learn more ? 2 SANS FOR526: Windows Memory Forensics In-Depth Windows Memory Forensics Training for Analysts by Volatility Developers
  • 92. SECURITY BOOTCAMP 2012 | Make yourself to be an expert! Any Questions ? 92 2
  • 93. SECURITY BOOTCAMP 2012 | Make yourself to be an expert! 93 Thank you very much ! 2