Notespaceos

spaceos  时间:2021-03-28  阅读:()
One-byteModificationforBreakingMemoryForensicAnalysisTakahiroHaruyama/HiroshiSuzukiInternetInitiativeJapanInc.
forsubmissionMemoryForensicsOverview–MemoryAcquisition–MemoryAnalysisPreviousWorks:AntiMemoryForensicsProposedAntiAnalysisMethodImprovementPlansWrap-upSummary2MEMORYFORENSICSOVERVIEW3Analyzingvolatiledataisimportanttodetectthreatsquickly–increasingamountsofdiskdata–antidiskforensicmethodsusedbymalwaresMemoryforensicsbecamepopularoverthelastfewyears2stepsformemoryforensics–memoryacquisitionandmemoryanalysis4What'sMemoryForensicsTargetMachineInvestigator'sMachineMemoryImageFile1.
AcquireRAMdataasanimagefile2.
ParseandanalyzetheimageofflineOfflineparsingamemoryimagedoesn'tusesystemAPIsMemoryforensicscanget–unallocateddata(e.
g.
,terminatedprocess)–datahiddenbymalware(e.
g.
,hiddenprocess)5WhyMemoryForensicsLiveResponseToolMemoryForensicAnalysisToolRunningProcessHiddenProcessTerminatedProcessAllocatedUnallocatedWindowsAPIParsebinaryimageandextractinformationfromitGetinformationthroughsystemAPIRawImageAcquisition–HBGaryFastDumpPro[1]–GuidanceWinEn[2]–MoonSolsWindd[3]CrashDumpImageAcquisition–MoonSolsWinddMemoryImageConversion–MoonSolsWindowsMemoryToolkit[3]6SomeFormats/AcquisitonToolsMemoryImageFileCPURegisterIncludedCrashDumpHibernationNotIncludedRawDifferencebetweenRawImageandCrashDumpCrashdumpfiledoesn'tinclude–1stPage–PagesreservedbydevicesRun[0]BasePage=0x1,PageCount=0x9eRun[1]BasePage=0x100,PageCount=0xeffRun[2]BasePage=0x1000,PageCount=0xeef0Run[3]BasePage=0xff00,PageCount=0x1001stPage(BIOSReserved)AddressSpaceReservedbyDevices(NotIncludedincrashdump)PhysicalMemoryAddressSpace(e.
g.
,256MBRAM)7EvaluationofMemoryAcquisitionToolsCanrawimageacquisitiontoolsget1stpageanddevice-reservedpages[4]–WinEn–Win32dd/c0MemoryContent(/c)option–Caution:/c0optionmaycauseBSODonx64machineWinEnFDProWin32dd/c0Win32dd/c1Win32dd/c21stPageDevicereservedpages8AnalysisExample:MakingObjectCreationTimeline9VolatilityFramework[5]–timelinerplugin[6]usedkernelobjects(process/thread/socket)eventlogsSpyEyebot(deadprocess)TCPconnectionestablishedbyexplorer.
exeCodeinjectionactivityAnalysisExample:DetectingCodeInjection10Detectingcodeinjection–VolatilityFrameworkmalfind–EnCaseEnScript[7]VadDump–MandiantRedline[8](GUIfront-endforMemoryze[9])ThetoolscheckprotectionflagofVirtualAddressDescriptorMandiantRedline(Memoryze)HBGaryResponderVolatilityFramework2.
0EnCaseEnScirptSupportedWindowsOSAllAllXP/Vista/7/2003/2008XP/7/2003/2008SupportedImageFormatRawRawRawCrashdumpHibernationRawCrashdumpSupportedCPUArchitectureIntelx86AMDx64Intelx86AMDx64Intelx86Intelx86AMDx64Extractingdeadprocess/closedconnectionNoNoYesYesNoteMalwareRiskIndex,MemD5DigitalDNA,codegraphingOpensource,richpluginsMultilingualsearch,EntropyComparisonofMemoryAnalysisTools11PREVIOUSWORKS:ANTIMEMORYFORENSICS12ShadowWalkerisproposedbySherriSparksandJamieButlertohidemaliciousmemoryregions–Installedpagefaulthandlermakesde-synchronizedDTLB/ITLBdataaccess->randomgarbagedataexecuteaccess->rootkitcodeMemoryacquisitiontoolscannotpreventShadowWalkerfromhidingmemorypages–ButAnalysistoolscandetecttheIDThooking13AntiAcquisitionMethods:ShadowWalker[10]Proofofconceptscript–killingspecifiedprocessesorpreventingdriverloadingswiththeaimofmemoryacquisitionfailureVeryeasytoimplement–Theevasionisalsoeasy(e.
g.
,randomname)–Preventingdriverloadingshasanimpactontherunningsystem14AntiAcquisitionMethods:MeterpreterAntiMemoryForensicsScript[11]Objectcarvingisonetechniquetoextractkernelobjectinformation–e.
g.
,processobject(_EPROCESS)PTFinder:Type/Sizein_DISPATCHER_HEADERVolatilityFramework:PoolTagin_POOL_HEADERBrendanDolan-Gavittetal.
warnedanattackercouldchangethevaluestohideaspecifiedobject[12]–Instead,theyproposedrobustsignaturescausingBSODorfunctionalityfailuresifthevaluesarechanged15AntiAnalysisMethod:AntiObjectCarvingmodifyingheadervaluesofcmd.
exeClosed-sourceanalysistoolscanfindthehiddenprocess–HowdotheyfinditOtherthanobjectcarving,thereareseveralkeyoperationsforanalyzingmemoryimage–TheoperationsarerobustLet'scheckit!
16AntiAnalysisMethod:AntiObjectCarving(Cont.
)MemoryzeHBGaryResponderPROPOSEDANTIANALYSISMETHOD17Researchedimplementationsofthreemajortools–VolatilityFramework2.
0–MandiantMemoryze2.
0–HBGaryResponderCommunityEdition2.
0Foundthreeoperationsexecutedinmemoryanalysisincludeafewunconsideredassumptions–Proposedmethodmodifiesone-byteofdatarelatedtotheoperationsThedataisdefinedas"AbortFactor"–Itcan'thidespecificobjects,butcanabortanalyses–NoimpactontherunningsystemNoBSOD,noerrorsforafewdaysto2weeks18AbstractofProposedMethodVirtualaddresstranslationinkernelspaceGuessingOSversionandArchitectureGettingkernelobjects–traversinglinkedlistsorbinarytrees–objectcarving19SensitiveThreeOperationsinMemoryAnalysisVirtualaddresstranslationinkernelspaceGuessingOSversionandArchitectureGettingkernelobjects–traversinglinkedlistsorbinarytrees–objectcarving20SensitiveThreeOperationsinMemoryAnalysisOSswitchesitscontextbyloadingDirectoryTableBase(DTB)ofeachprocess–DTBisstoredineachprocessobject(_EPROCESS)Initially,analysistoolsmustgetDTBvalueforkernelspaceTwoprocesseshavethekernelDTB–PsInitialSystemProcess(Systemprocess)–PsIdleProcess(Idleprocess)21VirtualAddressTranslationinKernelSpaceOSloadsDirectoryTableBase(Startphysicaladdressforaddresstranslation)intoControlRegister(CR3)x86AddressTranslation-HowPAEX86Workshttp://technet.
microsoft.
com/en-us/library/cc736309(WS.
10).
aspx22VirtualAddressTranslationinKernelSpace:ProcessObjectStructure_POOL_HEADER_OBJECT_HEADER_EPROCESS_KPROCESS_DISPATCHER_HEADERPoolTag:"Pro"TypeandSizeDTBImageFileName:"System"or"Idle"FlagsSearch_DISPATCHER_HEADERtoget_EPROCESSCheckwhethertheImageFileNameis"Idle"–IftheprocessisIdle,getDTBvaluein_KPROCESS23VirtualAddressTranslationinKernelSpace:VolatilityFramework_DISPATCHER_HEADER(e.
g.
,"x03x00x1bx00")ImageFileNameSearch"System"tofindImageFileNamein_EPROCESSofPsInitialSystemProcessValidatebyusing_DISPATCHER_HEADERinthe_KPROCESS–All_DISPATCHER_HEADERpatternsarechecked24VirtualAddressTranslationinKernelSpace:MandiantMemoryzeOSversion_DISPATCHER_HEADERByteSequenceXP32bit03001B00200332bit03001E00200364bit03002E00Vista32bit03002000Vista64bit03003000732bit03002600764bit03005800Validatebyusingthefollowingvalues–Flagsin_OBJECT_HEADERThedistancebetweenPoolTagand_EPROCESSiscalculatedaccordingtothevalue–PoolTagin_POOL_HEADERSearchPoolTagfrom_EPROCESSpositionandcheckwhetherthesearchhitoffsetisequaltothecalculateddistanceIfalldataisvalid,gettheDTBvalue25VirtualAddressTranslationinKernelSpace:MandiantMemoryze(Cont.
)Search_DISPATCHER_HEADERstoget_EPROCESSGetDTBvaluefromtheresultandvalidateitResponderseemstobeequippedwiththealgorithmguessingkernelDTB–IfDTBsofPsInitialSystemProcessandPsIdleProcessarenotfound,aguessedDTBvalueisused26VirtualAddressTranslationinKernelSpace:HBGaryResponder27VirtualAddressTranslationinKernelSpace:RelatedDataToolRelatedDataAbortFactorRemarksVolatilityFramework_DISPATCHER_HEADERXPsIdleProcessImageFileNamein_EPROCESSXMandiantMemoryze_DISPATCHER_HEADERXPsInitialSystemProcessPoolTagin_POOL_HEADERXFlagsin_OBJECT_HEADERXImageFileNamein_EPROCESSXHBGaryResponder_DISPATCHER_HEADERoriginalguessingalgorithmVirtualaddresstranslationinkernelspaceGuessingOSversionandArchitectureGettingKernelObjects–traversinglinkedlistsorbinarytrees–objectcarving28SensitiveThreeOperationsinMemoryAnalysisSizeanddefinitionofkerneldatastructuresdifferaccordingto–OSversion(e.
g.
,XPSP2/SP3,7SP0/SP1)–architecture(x86andx64)Allanalysistoolsguesstheversionusingdebugstructures29GuessingOSversionandArchitectureOSversion_EPROCESSsize(bytes)WindowsXPSP332bit0x260Windows7SP032bit0x2C0Windows7SP064bit0x4D0WindowsVistaSP232bit0x270WindowsVistaSP264bit0x3E830GuessingOSversionandArchitecture:DebugStructuresandKeyValues_KPCR_DBGKD_GET_VERSION64_KDDEBUGGER_DATA64KdVersionBlockDebuggerDataListHeaderCmNtCSDVersion_DBGKD_DEBUG_DATA_HEADER64OwnerTag:"KDBG"SizeKernBaseKernBasePrcbDataPsActiveProcessHeadPsLoadedModuleList_KPRCBCurrentThreadUsersmustspecifyOSversionandArchitecture–e.
g.
,--profile=WinXPSP2x86Iftheversionisunknown,imageinfocommandcanguessit–scan_DBGKD_DEBUG_DATA_HEADER64[13]31GuessingOSversionandArchitecture:VolatilityFrameworkOwnerTag:"KDBG"SizeSupposedlydetermineOSandarchitecturebasedon_DISPATCHER_HEADERValidatethembyusinganoffsetvalueofImageFileNamein_EPROCESS32GuessingOSversionandArchitecture:MandiantMemoryzeOSversionoffsetvalueofImageFileNameXP32bit0x174200332bitSP00x154200332bitSP1/SP20x164XP/200364bit0x268Vista32bit0x14CVista64bit0x238732bit0x16C7/200864bit0x2E0TrytotranslateavirtualaddressofThreadListHeadin_KPROCESS–Ifpossible,theOSversionandarchitecturearecorrectGetSPversionfromCmNtCSDVersionin_KDDEBUGGER_DATA6433GuessingOSversionandArchitecture:MandiantMemoryze(Cont.
)GetKernBasevalue–_DBGKD_GET_VERSION64or_KDDEBUGGER_DATA64ValidatethePEheadersignatures–DOSheader"MZ"andNTheader"PE"GetOSversion–OperatingSystemVersionsinOptionalHeadere.
g.
,Windows7–MajorOperatingSystemVersion=6–MinorOperatingSystemVersion=1Getmorespecificversion–TimeDataStampinFileheader34GuessingOSversionandArchitecture:HBGaryResponder35GuessingOSversionandArchitecture:RelatedDataToolRelatedDataAbortFactorRemarksVolatilityFramework_DBGKD_DEBUG_DATA_HEADER64XMandiantMemoryze_DISPATCHER_HEADERXPsInitialSystemProcessoffsetvalueofImageFileNameXThreadListHeadin_KPROCESSCmNtCSDVersionin_KDDEBUGGER_DATA64HBGaryResponderKernBasein_DBGKD_GET_VERSION64or_KDDEBUGGER_DATA64PEHeaderofWindowskernelPEheadersignatures"MZ"/"PE"OperatingSystemVersioninOptionalHeaderXTimeDataStampinFileHeaderVirtualaddresstranslationinkernelspaceGuessingOSversionandArchitectureGettingKernelObjects–traversinglinkedlistsorbinarytrees–objectcarving36SensitiveThreeOperationsinMemoryAnalysisTraversinglinkedlistsorbinarytrees–Generally,usespeciallead/rootaddressesPsActiveProcessHeadforprocesslistPsLoadedModuleListforkernelmodulelistVadRootforVirtualAddressDescriptortreeObjectcarving–Generally,usefixedvaluesinheaders_POOL_HEADER_DISPATCHER_HEADERMyresearchfocusedongetting_EPROCESS37GettingKernelObjectsProcesslististwo-waylink–Each_EPROCESSincludesActiveProcessLinks_LIST_ENTRY(FlinkandBlink)–PsActiveProcessHeadandPsInitialSystemProcessarebounduptogether38GettingKernelObjects:ProcessLinkedListPsActiveProcessHead_EPROCESS"System"_EPROCESS"smss.
exe"_EPROCESS"win32dd.
exe"FLINKBLINKFLINKBLINKFLINKBLINKFLINKBLINK.
.
.
.
.
.
.
.
.
Traversinglinkedlistsorbinarytrees–Search_DBGKD_DEBUG_DATA_HEADER64–getPsActiveProcessHeadin_KDDEBUGGER_DATA64Objectcarving–usePoolTagin_POOL_HEADER39GettingKernelObjects:VolatilityFrameworkExecutingKDBGScannerGetting_DBGKD_DEBUG_DATA_HEADER64(=_KDDEBUGGER_DATA64)addressObjectcarving–find_EPROCESSusingaddressvaluese.
g.
,–DTBis0x20-bytesaligned–(Peb&0x7ffd0000)==0x7ffd0000–(ActiveProcessLinks.
Flink&0x80000000)==0x80000000–similartorobustsignaturesproposedbyBrendanDolan-Gavittetal.
[12]40GettingKernelObjects:MandiantMemoryzeTraversinglinkedlistsorbinarytrees–getCurrentThreadin_KPRCB–get_EPROCESSfromthethreade.
g.
,ApcState.
Processin_KTHREAD(XP)–starttotraverseprocesslistfromthe_EPROCESS"System"stringiscomparedwithImageFileNameof_EPROCESS–foridentifyingPsActiveProcessHead–fordetectinghiddenprocess41GettingKernelObjects:HBGaryResponder42GettingKernelObjects:RelatedDataToolRelatedDataAbortFactorRemarksVolatilityFramework_DBGKD_DEBUG_DATA_HEADER64XPsActiveProcessHeadin_KDDEBUGGER_DATA64XPoolTagin_POOL_HEADERMandiantMemoryzeaddressvaluesin_EPROCESS(DTB,Peb,etc.
)HBGaryResponderCurrentThreadin_KPRCBPsInitialSystemProcess_EPROCESSpointerin_KTHREADImageFileNamein_EPROCESSX43AbortFactorsToolVirtualAddressTranslationinKernelSpaceGuessingOSversionandArchitectureGettingKernelObjectsVolatilityFramework2factors:_DISPATCHER_HEADERandImageFileName(PsIdleProcess)1factor:_DBGKD_DEBUG_DATA_HEADER642factors:_DBGKD_DEBUG_DATA_HEADER64andPsActiveProcessHeadMandiantMemoryze4factors:_DISPATCHER_HEADER,PoolTag,FlagsandImageFileName(PsInitialSystemProcess)2factors:_DISPATCHER_HEADERandoffsetvalueofImageFileName(PsInitialSystemProcess)NoneHBGaryResponderNone1factor:OperatingSystemVersionofkernelheader1factor:ImageFileName(PsInitialSystemProcess)Loadakerneldriverintox86XPVM–Thedrivermodifies1byteofthefollowingdataSizein_DISPATCHER_HEADERofPsIdleProcessPoolTagin_POOL_HEADERofPsInitialSystemProcessMajorOperatingSystemVersioninPEheaderofWindowskernelCheckthemodificationusingWinDbgAcquirethememoryimageusingLiveCloudKd[14]Analysisusingthreetools44DemousingPoCDriver(Video)IMPROVEMENTPLANS45GuessingbasedonaddressvaluesMinimumguessingSeparatingimplementationstogetkernelobjects46ImprovementPlansThemodificationofaddressvaluesoftencausesBSODorfunctionfailures–_EPROCESSobjectcarvingbyMemoryze–_KPCRobjectcarvingbyVolatilityFramework[15]47GuessingBasedonAddressValues_KPCRaddress==SelfPcrand_KPRCBaddress==PrcbSupportcrashdumpformat–Registervaluescannotbemodified48Minimumguessing(1)DataincrashdumpheaderExtractedfrom(Win32ddimplementation)AbortFactorDTBCR3registerOSversionnt!
NtBuildNumberXPAEenabledCR4registerPsActiveProcessHead_KDDEBUGGER_DATA64XPsLoadedModuleList_KDDEBUGGER_DATA64XSupportargumentpassingoptionsaboutDTBandOSversion–VolatilityFrameworksupportsthemspecifyOSversionbyusing"--profile"optionspecifyDTBvaluebyusing"--dtb"option49Minimumguessing(2)IfDTBvaluecannotbeacquired,displaytheresultminimally-extractedbyobjectcarving50SeparatingimplementationstogetkernelobjectsGettingtheseinformationdoesn'tneedDTBvalueWRAP-UP51Proposedantianalysismethodcanabortmemoryanalysistoolsbymodifyingonlyone-byte–ThemethodiseffectiveformemoryimagesofallOSversionsandarchitectures–Abouttheimpactontherunningsystem,longtermevaluationsmaybeneededIhope–Developersimprovetheimplementations–Usersfigureoutinternalsofmemoryanalysisanddealwithanalysiserrors52Wrap-up53Questions(twitter:@cci_forensics)PleasecompletetheSpeakerFeedbackSurveys!
[1]HBGaryFastDumpPro[2]EnCaseWinEn(build-intoolofEnCase)[3]MoonSolsWindowsMemoryToolkit[4]ReservedAddressSpaceinWindowsPhysicalMemory[5]VolatilityFramework[6]timelinerplugin[7]Update:MemoryForensicEnScript[8]MandiantRedline[9]MandiantMemoryze[10]"SHADOWWALKER"RaisingTheBarForRootkit[11]MeterpreterAntiMemoryForensics(Memoryze)Script[12]RobustSignaturesforKernelDataStructures[13]IdentifyingMemoryImages[14]YOURCLOUDISINMYPOCKET[15]FindingObjectRootsinVista(KPCR)54References
展开全文

欧路云:美国CUVIP线路10G防御,8折优惠,19元/月起

欧路云新上了美国洛杉矶cera机房的云服务器,具备弹性云特征(可自定义需要的资源配置:E5-2660 V3、内存、硬盘、流量、带宽),直连网络(联通CUVIP线路),KVM虚拟,自带一个IP,支持购买多个IP,10G的DDoS防御。付款方式:PayPal、支付宝、微信、数字货币(BTC USDT LTC ETH)测试IP:23.224.49.126云服务器 全场8折 优惠码:zhujiceping...

快快云:香港沙田CN2/美国Cera大宽带/日本CN2,三网直连CN2 GIA云服务器和独立服务器

快快云怎么样?快快云是一家成立于2021年的主机服务商,致力于为用户提供高性价比稳定快速的主机托管服务,快快云目前提供有香港云服务器、美国云服务器、日本云服务器、香港独立服务器、美国独立服务器,日本独立服务器。快快云专注为个人开发者用户,中小型,大型企业用户提供一站式核心网络云端服务部署,促使用户云端部署化简为零,轻松快捷运用云计算!多年云计算领域服务经验,遍布亚太地区的海量节点为业务推进提供强大...

digital-vm$80/月,最高10GDigital-VM1Gbps带宽带宽

digital-vm在日本东京机房当前提供1Gbps带宽、2Gbps带宽、10Gbps带宽接入的独立服务器,每个月自带10T免费流量,一个独立IPv4。支持额外购买流量:20T-$30/月、50T-$150/月、100T-$270美元/月;也支持额外购买IPv4,/29-$5/月、/28-$13/月。独立从下单开始一般24小时内可以上架。官方网站:https://digital-vm.com/de...

spaceos为你推荐
美国互联网瘫痪如果全球网络瘫痪3分钟会造成多少损失比肩工场比肩是什么意思,行比肩大运的主要意象百度关键词价格查询百度推广里怎么查指定的关键字参与竞价的价位呢百花百游迎得春来非自足,百花千卉共芬芳什么意思seo优化工具seo优化软件有哪些?777k7.comwww.777tk.com.怎么打不 开www.e12.com.cn有什么好的高中学习网?www.7788dy.com回家的诱惑 哪个网站更新的最快啊javbibitreebibi是什么牌子的www.kaspersky.com.cn卡巴斯基杀毒软件有免费的吗?稳定版的怎么找?
云南虚拟主机 虚拟主机提供商 域名中介 欧洲欧洲vps vps推荐 北京vps主机 狗爹 isatap 网站被封 最好看的qq空间 免费smtp服务器 丹弗 韩国网名大全 天互数据 gspeed 电信网络测速器 万网服务器 聚惠网 godaddy退款 hosts文件修改 更多
赞助商
保加利亚 免费版 直达 全球 旧金山 面板 内存 备案 安装 台湾 双核 计费 页面 镜像 测试 虚拟主机 华纳 域名 东京 菲律宾 带宽 德克萨斯州 摩尔多瓦 套餐 日本 莫斯科 深圳 香港 隐私保护 公网 西伯利亚 网络 德阳 抢购 达拉斯 节点 青果 新加坡 路由器 荷兰 安徽 德国 数据 机房 防御 邦联 美国洛杉矶 宝塔 越南 联通