Notespaceos
spaceos 时间:2021-03-28 阅读:(
)
One-byteModificationforBreakingMemoryForensicAnalysisTakahiroHaruyama/HiroshiSuzukiInternetInitiativeJapanInc.
forsubmissionMemoryForensicsOverview–MemoryAcquisition–MemoryAnalysisPreviousWorks:AntiMemoryForensicsProposedAntiAnalysisMethodImprovementPlansWrap-upSummary2MEMORYFORENSICSOVERVIEW3Analyzingvolatiledataisimportanttodetectthreatsquickly–increasingamountsofdiskdata–antidiskforensicmethodsusedbymalwaresMemoryforensicsbecamepopularoverthelastfewyears2stepsformemoryforensics–memoryacquisitionandmemoryanalysis4What'sMemoryForensicsTargetMachineInvestigator'sMachineMemoryImageFile1.
AcquireRAMdataasanimagefile2.
ParseandanalyzetheimageofflineOfflineparsingamemoryimagedoesn'tusesystemAPIsMemoryforensicscanget–unallocateddata(e.
g.
,terminatedprocess)–datahiddenbymalware(e.
g.
,hiddenprocess)5WhyMemoryForensicsLiveResponseToolMemoryForensicAnalysisToolRunningProcessHiddenProcessTerminatedProcessAllocatedUnallocatedWindowsAPIParsebinaryimageandextractinformationfromitGetinformationthroughsystemAPIRawImageAcquisition–HBGaryFastDumpPro[1]–GuidanceWinEn[2]–MoonSolsWindd[3]CrashDumpImageAcquisition–MoonSolsWinddMemoryImageConversion–MoonSolsWindowsMemoryToolkit[3]6SomeFormats/AcquisitonToolsMemoryImageFileCPURegisterIncludedCrashDumpHibernationNotIncludedRawDifferencebetweenRawImageandCrashDumpCrashdumpfiledoesn'tinclude–1stPage–PagesreservedbydevicesRun[0]BasePage=0x1,PageCount=0x9eRun[1]BasePage=0x100,PageCount=0xeffRun[2]BasePage=0x1000,PageCount=0xeef0Run[3]BasePage=0xff00,PageCount=0x1001stPage(BIOSReserved)AddressSpaceReservedbyDevices(NotIncludedincrashdump)PhysicalMemoryAddressSpace(e.
g.
,256MBRAM)7EvaluationofMemoryAcquisitionToolsCanrawimageacquisitiontoolsget1stpageanddevice-reservedpages[4]–WinEn–Win32dd/c0MemoryContent(/c)option–Caution:/c0optionmaycauseBSODonx64machineWinEnFDProWin32dd/c0Win32dd/c1Win32dd/c21stPageDevicereservedpages8AnalysisExample:MakingObjectCreationTimeline9VolatilityFramework[5]–timelinerplugin[6]usedkernelobjects(process/thread/socket)eventlogsSpyEyebot(deadprocess)TCPconnectionestablishedbyexplorer.
exeCodeinjectionactivityAnalysisExample:DetectingCodeInjection10Detectingcodeinjection–VolatilityFrameworkmalfind–EnCaseEnScript[7]VadDump–MandiantRedline[8](GUIfront-endforMemoryze[9])ThetoolscheckprotectionflagofVirtualAddressDescriptorMandiantRedline(Memoryze)HBGaryResponderVolatilityFramework2.
0EnCaseEnScirptSupportedWindowsOSAllAllXP/Vista/7/2003/2008XP/7/2003/2008SupportedImageFormatRawRawRawCrashdumpHibernationRawCrashdumpSupportedCPUArchitectureIntelx86AMDx64Intelx86AMDx64Intelx86Intelx86AMDx64Extractingdeadprocess/closedconnectionNoNoYesYesNoteMalwareRiskIndex,MemD5DigitalDNA,codegraphingOpensource,richpluginsMultilingualsearch,EntropyComparisonofMemoryAnalysisTools11PREVIOUSWORKS:ANTIMEMORYFORENSICS12ShadowWalkerisproposedbySherriSparksandJamieButlertohidemaliciousmemoryregions–Installedpagefaulthandlermakesde-synchronizedDTLB/ITLBdataaccess->randomgarbagedataexecuteaccess->rootkitcodeMemoryacquisitiontoolscannotpreventShadowWalkerfromhidingmemorypages–ButAnalysistoolscandetecttheIDThooking13AntiAcquisitionMethods:ShadowWalker[10]Proofofconceptscript–killingspecifiedprocessesorpreventingdriverloadingswiththeaimofmemoryacquisitionfailureVeryeasytoimplement–Theevasionisalsoeasy(e.
g.
,randomname)–Preventingdriverloadingshasanimpactontherunningsystem14AntiAcquisitionMethods:MeterpreterAntiMemoryForensicsScript[11]Objectcarvingisonetechniquetoextractkernelobjectinformation–e.
g.
,processobject(_EPROCESS)PTFinder:Type/Sizein_DISPATCHER_HEADERVolatilityFramework:PoolTagin_POOL_HEADERBrendanDolan-Gavittetal.
warnedanattackercouldchangethevaluestohideaspecifiedobject[12]–Instead,theyproposedrobustsignaturescausingBSODorfunctionalityfailuresifthevaluesarechanged15AntiAnalysisMethod:AntiObjectCarvingmodifyingheadervaluesofcmd.
exeClosed-sourceanalysistoolscanfindthehiddenprocess–HowdotheyfinditOtherthanobjectcarving,thereareseveralkeyoperationsforanalyzingmemoryimage–TheoperationsarerobustLet'scheckit!
16AntiAnalysisMethod:AntiObjectCarving(Cont.
)MemoryzeHBGaryResponderPROPOSEDANTIANALYSISMETHOD17Researchedimplementationsofthreemajortools–VolatilityFramework2.
0–MandiantMemoryze2.
0–HBGaryResponderCommunityEdition2.
0Foundthreeoperationsexecutedinmemoryanalysisincludeafewunconsideredassumptions–Proposedmethodmodifiesone-byteofdatarelatedtotheoperationsThedataisdefinedas"AbortFactor"–Itcan'thidespecificobjects,butcanabortanalyses–NoimpactontherunningsystemNoBSOD,noerrorsforafewdaysto2weeks18AbstractofProposedMethodVirtualaddresstranslationinkernelspaceGuessingOSversionandArchitectureGettingkernelobjects–traversinglinkedlistsorbinarytrees–objectcarving19SensitiveThreeOperationsinMemoryAnalysisVirtualaddresstranslationinkernelspaceGuessingOSversionandArchitectureGettingkernelobjects–traversinglinkedlistsorbinarytrees–objectcarving20SensitiveThreeOperationsinMemoryAnalysisOSswitchesitscontextbyloadingDirectoryTableBase(DTB)ofeachprocess–DTBisstoredineachprocessobject(_EPROCESS)Initially,analysistoolsmustgetDTBvalueforkernelspaceTwoprocesseshavethekernelDTB–PsInitialSystemProcess(Systemprocess)–PsIdleProcess(Idleprocess)21VirtualAddressTranslationinKernelSpaceOSloadsDirectoryTableBase(Startphysicaladdressforaddresstranslation)intoControlRegister(CR3)x86AddressTranslation-HowPAEX86Workshttp://technet.
microsoft.
com/en-us/library/cc736309(WS.
10).
aspx22VirtualAddressTranslationinKernelSpace:ProcessObjectStructure_POOL_HEADER_OBJECT_HEADER_EPROCESS_KPROCESS_DISPATCHER_HEADERPoolTag:"Pro"TypeandSizeDTBImageFileName:"System"or"Idle"FlagsSearch_DISPATCHER_HEADERtoget_EPROCESSCheckwhethertheImageFileNameis"Idle"–IftheprocessisIdle,getDTBvaluein_KPROCESS23VirtualAddressTranslationinKernelSpace:VolatilityFramework_DISPATCHER_HEADER(e.
g.
,"x03x00x1bx00")ImageFileNameSearch"System"tofindImageFileNamein_EPROCESSofPsInitialSystemProcessValidatebyusing_DISPATCHER_HEADERinthe_KPROCESS–All_DISPATCHER_HEADERpatternsarechecked24VirtualAddressTranslationinKernelSpace:MandiantMemoryzeOSversion_DISPATCHER_HEADERByteSequenceXP32bit03001B00200332bit03001E00200364bit03002E00Vista32bit03002000Vista64bit03003000732bit03002600764bit03005800Validatebyusingthefollowingvalues–Flagsin_OBJECT_HEADERThedistancebetweenPoolTagand_EPROCESSiscalculatedaccordingtothevalue–PoolTagin_POOL_HEADERSearchPoolTagfrom_EPROCESSpositionandcheckwhetherthesearchhitoffsetisequaltothecalculateddistanceIfalldataisvalid,gettheDTBvalue25VirtualAddressTranslationinKernelSpace:MandiantMemoryze(Cont.
)Search_DISPATCHER_HEADERstoget_EPROCESSGetDTBvaluefromtheresultandvalidateitResponderseemstobeequippedwiththealgorithmguessingkernelDTB–IfDTBsofPsInitialSystemProcessandPsIdleProcessarenotfound,aguessedDTBvalueisused26VirtualAddressTranslationinKernelSpace:HBGaryResponder27VirtualAddressTranslationinKernelSpace:RelatedDataToolRelatedDataAbortFactorRemarksVolatilityFramework_DISPATCHER_HEADERXPsIdleProcessImageFileNamein_EPROCESSXMandiantMemoryze_DISPATCHER_HEADERXPsInitialSystemProcessPoolTagin_POOL_HEADERXFlagsin_OBJECT_HEADERXImageFileNamein_EPROCESSXHBGaryResponder_DISPATCHER_HEADERoriginalguessingalgorithmVirtualaddresstranslationinkernelspaceGuessingOSversionandArchitectureGettingKernelObjects–traversinglinkedlistsorbinarytrees–objectcarving28SensitiveThreeOperationsinMemoryAnalysisSizeanddefinitionofkerneldatastructuresdifferaccordingto–OSversion(e.
g.
,XPSP2/SP3,7SP0/SP1)–architecture(x86andx64)Allanalysistoolsguesstheversionusingdebugstructures29GuessingOSversionandArchitectureOSversion_EPROCESSsize(bytes)WindowsXPSP332bit0x260Windows7SP032bit0x2C0Windows7SP064bit0x4D0WindowsVistaSP232bit0x270WindowsVistaSP264bit0x3E830GuessingOSversionandArchitecture:DebugStructuresandKeyValues_KPCR_DBGKD_GET_VERSION64_KDDEBUGGER_DATA64KdVersionBlockDebuggerDataListHeaderCmNtCSDVersion_DBGKD_DEBUG_DATA_HEADER64OwnerTag:"KDBG"SizeKernBaseKernBasePrcbDataPsActiveProcessHeadPsLoadedModuleList_KPRCBCurrentThreadUsersmustspecifyOSversionandArchitecture–e.
g.
,--profile=WinXPSP2x86Iftheversionisunknown,imageinfocommandcanguessit–scan_DBGKD_DEBUG_DATA_HEADER64[13]31GuessingOSversionandArchitecture:VolatilityFrameworkOwnerTag:"KDBG"SizeSupposedlydetermineOSandarchitecturebasedon_DISPATCHER_HEADERValidatethembyusinganoffsetvalueofImageFileNamein_EPROCESS32GuessingOSversionandArchitecture:MandiantMemoryzeOSversionoffsetvalueofImageFileNameXP32bit0x174200332bitSP00x154200332bitSP1/SP20x164XP/200364bit0x268Vista32bit0x14CVista64bit0x238732bit0x16C7/200864bit0x2E0TrytotranslateavirtualaddressofThreadListHeadin_KPROCESS–Ifpossible,theOSversionandarchitecturearecorrectGetSPversionfromCmNtCSDVersionin_KDDEBUGGER_DATA6433GuessingOSversionandArchitecture:MandiantMemoryze(Cont.
)GetKernBasevalue–_DBGKD_GET_VERSION64or_KDDEBUGGER_DATA64ValidatethePEheadersignatures–DOSheader"MZ"andNTheader"PE"GetOSversion–OperatingSystemVersionsinOptionalHeadere.
g.
,Windows7–MajorOperatingSystemVersion=6–MinorOperatingSystemVersion=1Getmorespecificversion–TimeDataStampinFileheader34GuessingOSversionandArchitecture:HBGaryResponder35GuessingOSversionandArchitecture:RelatedDataToolRelatedDataAbortFactorRemarksVolatilityFramework_DBGKD_DEBUG_DATA_HEADER64XMandiantMemoryze_DISPATCHER_HEADERXPsInitialSystemProcessoffsetvalueofImageFileNameXThreadListHeadin_KPROCESSCmNtCSDVersionin_KDDEBUGGER_DATA64HBGaryResponderKernBasein_DBGKD_GET_VERSION64or_KDDEBUGGER_DATA64PEHeaderofWindowskernelPEheadersignatures"MZ"/"PE"OperatingSystemVersioninOptionalHeaderXTimeDataStampinFileHeaderVirtualaddresstranslationinkernelspaceGuessingOSversionandArchitectureGettingKernelObjects–traversinglinkedlistsorbinarytrees–objectcarving36SensitiveThreeOperationsinMemoryAnalysisTraversinglinkedlistsorbinarytrees–Generally,usespeciallead/rootaddressesPsActiveProcessHeadforprocesslistPsLoadedModuleListforkernelmodulelistVadRootforVirtualAddressDescriptortreeObjectcarving–Generally,usefixedvaluesinheaders_POOL_HEADER_DISPATCHER_HEADERMyresearchfocusedongetting_EPROCESS37GettingKernelObjectsProcesslististwo-waylink–Each_EPROCESSincludesActiveProcessLinks_LIST_ENTRY(FlinkandBlink)–PsActiveProcessHeadandPsInitialSystemProcessarebounduptogether38GettingKernelObjects:ProcessLinkedListPsActiveProcessHead_EPROCESS"System"_EPROCESS"smss.
exe"_EPROCESS"win32dd.
exe"FLINKBLINKFLINKBLINKFLINKBLINKFLINKBLINK.
.
.
.
.
.
.
.
.
Traversinglinkedlistsorbinarytrees–Search_DBGKD_DEBUG_DATA_HEADER64–getPsActiveProcessHeadin_KDDEBUGGER_DATA64Objectcarving–usePoolTagin_POOL_HEADER39GettingKernelObjects:VolatilityFrameworkExecutingKDBGScannerGetting_DBGKD_DEBUG_DATA_HEADER64(=_KDDEBUGGER_DATA64)addressObjectcarving–find_EPROCESSusingaddressvaluese.
g.
,–DTBis0x20-bytesaligned–(Peb&0x7ffd0000)==0x7ffd0000–(ActiveProcessLinks.
Flink&0x80000000)==0x80000000–similartorobustsignaturesproposedbyBrendanDolan-Gavittetal.
[12]40GettingKernelObjects:MandiantMemoryzeTraversinglinkedlistsorbinarytrees–getCurrentThreadin_KPRCB–get_EPROCESSfromthethreade.
g.
,ApcState.
Processin_KTHREAD(XP)–starttotraverseprocesslistfromthe_EPROCESS"System"stringiscomparedwithImageFileNameof_EPROCESS–foridentifyingPsActiveProcessHead–fordetectinghiddenprocess41GettingKernelObjects:HBGaryResponder42GettingKernelObjects:RelatedDataToolRelatedDataAbortFactorRemarksVolatilityFramework_DBGKD_DEBUG_DATA_HEADER64XPsActiveProcessHeadin_KDDEBUGGER_DATA64XPoolTagin_POOL_HEADERMandiantMemoryzeaddressvaluesin_EPROCESS(DTB,Peb,etc.
)HBGaryResponderCurrentThreadin_KPRCBPsInitialSystemProcess_EPROCESSpointerin_KTHREADImageFileNamein_EPROCESSX43AbortFactorsToolVirtualAddressTranslationinKernelSpaceGuessingOSversionandArchitectureGettingKernelObjectsVolatilityFramework2factors:_DISPATCHER_HEADERandImageFileName(PsIdleProcess)1factor:_DBGKD_DEBUG_DATA_HEADER642factors:_DBGKD_DEBUG_DATA_HEADER64andPsActiveProcessHeadMandiantMemoryze4factors:_DISPATCHER_HEADER,PoolTag,FlagsandImageFileName(PsInitialSystemProcess)2factors:_DISPATCHER_HEADERandoffsetvalueofImageFileName(PsInitialSystemProcess)NoneHBGaryResponderNone1factor:OperatingSystemVersionofkernelheader1factor:ImageFileName(PsInitialSystemProcess)Loadakerneldriverintox86XPVM–Thedrivermodifies1byteofthefollowingdataSizein_DISPATCHER_HEADERofPsIdleProcessPoolTagin_POOL_HEADERofPsInitialSystemProcessMajorOperatingSystemVersioninPEheaderofWindowskernelCheckthemodificationusingWinDbgAcquirethememoryimageusingLiveCloudKd[14]Analysisusingthreetools44DemousingPoCDriver(Video)IMPROVEMENTPLANS45GuessingbasedonaddressvaluesMinimumguessingSeparatingimplementationstogetkernelobjects46ImprovementPlansThemodificationofaddressvaluesoftencausesBSODorfunctionfailures–_EPROCESSobjectcarvingbyMemoryze–_KPCRobjectcarvingbyVolatilityFramework[15]47GuessingBasedonAddressValues_KPCRaddress==SelfPcrand_KPRCBaddress==PrcbSupportcrashdumpformat–Registervaluescannotbemodified48Minimumguessing(1)DataincrashdumpheaderExtractedfrom(Win32ddimplementation)AbortFactorDTBCR3registerOSversionnt!
NtBuildNumberXPAEenabledCR4registerPsActiveProcessHead_KDDEBUGGER_DATA64XPsLoadedModuleList_KDDEBUGGER_DATA64XSupportargumentpassingoptionsaboutDTBandOSversion–VolatilityFrameworksupportsthemspecifyOSversionbyusing"--profile"optionspecifyDTBvaluebyusing"--dtb"option49Minimumguessing(2)IfDTBvaluecannotbeacquired,displaytheresultminimally-extractedbyobjectcarving50SeparatingimplementationstogetkernelobjectsGettingtheseinformationdoesn'tneedDTBvalueWRAP-UP51Proposedantianalysismethodcanabortmemoryanalysistoolsbymodifyingonlyone-byte–ThemethodiseffectiveformemoryimagesofallOSversionsandarchitectures–Abouttheimpactontherunningsystem,longtermevaluationsmaybeneededIhope–Developersimprovetheimplementations–Usersfigureoutinternalsofmemoryanalysisanddealwithanalysiserrors52Wrap-up53Questions(twitter:@cci_forensics)PleasecompletetheSpeakerFeedbackSurveys!
[1]HBGaryFastDumpPro[2]EnCaseWinEn(build-intoolofEnCase)[3]MoonSolsWindowsMemoryToolkit[4]ReservedAddressSpaceinWindowsPhysicalMemory[5]VolatilityFramework[6]timelinerplugin[7]Update:MemoryForensicEnScript[8]MandiantRedline[9]MandiantMemoryze[10]"SHADOWWALKER"RaisingTheBarForRootkit[11]MeterpreterAntiMemoryForensics(Memoryze)Script[12]RobustSignaturesforKernelDataStructures[13]IdentifyingMemoryImages[14]YOURCLOUDISINMYPOCKET[15]FindingObjectRootsinVista(KPCR)54References
老鹰主机HawkHost是个人比较喜欢的海外主机商,如果没有记错的话,大约2012年左右的时候算是比较早提供支付宝付款的主机商。当然这个主机商成立时间更早一些的,由于早期提供支付宝付款后,所以受众用户比较青睐,要知道我们早期购买海外主机是比较麻烦的,信用卡和PAYPAL还没有普及,大家可能只有银联和支付宝,很多人选择海外主机还需要代购。虽然如今很多人建站少了,而且大部分人都用云服务器。但是老鹰主机...
ucloud6.18推出全球大促活动,针对新老用户(个人/企业)提供云服务器促销产品,其中最低配快杰云服务器月付5元起,中国香港快杰型云服务器月付13元起,最高可购3年,有AMD/Intel系列。当然这都是针对新用户的优惠。注意,UCloud全球有31个数据中心,29条专线,覆盖五大洲,基本上你想要的都能找到。注意:以上ucloud 618优惠都是新用户专享,老用户就随便看看!点击进入:uclou...
Webhosting24是一家始于2001年的意大利商家,提供的产品包括虚拟主机、VPS、独立服务器等,可选数机房包括美国洛杉矶、迈阿密、纽约、德国慕尼黑、日本、新加坡、澳大利亚悉尼等。商家VPS主机采用AMD Ryzen 9 5950X CPU,NVMe磁盘,基于KVM架构,德国机房不限制流量,网站采用欧元计费,最低年付15欧元起。这里以美国机房为例,分享几款套餐配置信息。CPU:1core内存...
spaceos为你推荐
8080端口路由器如何开8080端口站酷zcool谁能介绍几个矢量图的网站?嘀动网在炫动网买鞋怎么样,是真的吗丑福晋大福晋比正福晋大么www.55125.cnwww95599cn余额查询avtt4.comwww.51kao4.com为什么进不去啊?www.se222se.comhttp://www.qqvip222.com/555sss.com不能在线播放了??555干支论坛天干地支常识?酒仙琐事酒鬼变酒仙诗词
虚拟主机软件 免费网站域名注册 域名商 国外bt 浙江独立 卡巴斯基免费试用版 raid10 视频服务器是什么 php服务器 宿迁服务器 广东服务器托管 锐速 xshell5注册码 新网dns accountsuspended cx域名 zencart安装 easypanel blaze 以下 更多