Notespaceos
spaceos 时间:2021-03-28 阅读:()
One-byteModificationforBreakingMemoryForensicAnalysisTakahiroHaruyama/HiroshiSuzukiInternetInitiativeJapanInc.
forsubmissionMemoryForensicsOverview–MemoryAcquisition–MemoryAnalysisPreviousWorks:AntiMemoryForensicsProposedAntiAnalysisMethodImprovementPlansWrap-upSummary2MEMORYFORENSICSOVERVIEW3Analyzingvolatiledataisimportanttodetectthreatsquickly–increasingamountsofdiskdata–antidiskforensicmethodsusedbymalwaresMemoryforensicsbecamepopularoverthelastfewyears2stepsformemoryforensics–memoryacquisitionandmemoryanalysis4What'sMemoryForensicsTargetMachineInvestigator'sMachineMemoryImageFile1.
AcquireRAMdataasanimagefile2.
ParseandanalyzetheimageofflineOfflineparsingamemoryimagedoesn'tusesystemAPIsMemoryforensicscanget–unallocateddata(e.
g.
,terminatedprocess)–datahiddenbymalware(e.
g.
,hiddenprocess)5WhyMemoryForensicsLiveResponseToolMemoryForensicAnalysisToolRunningProcessHiddenProcessTerminatedProcessAllocatedUnallocatedWindowsAPIParsebinaryimageandextractinformationfromitGetinformationthroughsystemAPIRawImageAcquisition–HBGaryFastDumpPro[1]–GuidanceWinEn[2]–MoonSolsWindd[3]CrashDumpImageAcquisition–MoonSolsWinddMemoryImageConversion–MoonSolsWindowsMemoryToolkit[3]6SomeFormats/AcquisitonToolsMemoryImageFileCPURegisterIncludedCrashDumpHibernationNotIncludedRawDifferencebetweenRawImageandCrashDumpCrashdumpfiledoesn'tinclude–1stPage–PagesreservedbydevicesRun[0]BasePage=0x1,PageCount=0x9eRun[1]BasePage=0x100,PageCount=0xeffRun[2]BasePage=0x1000,PageCount=0xeef0Run[3]BasePage=0xff00,PageCount=0x1001stPage(BIOSReserved)AddressSpaceReservedbyDevices(NotIncludedincrashdump)PhysicalMemoryAddressSpace(e.
g.
,256MBRAM)7EvaluationofMemoryAcquisitionToolsCanrawimageacquisitiontoolsget1stpageanddevice-reservedpages[4]–WinEn–Win32dd/c0MemoryContent(/c)option–Caution:/c0optionmaycauseBSODonx64machineWinEnFDProWin32dd/c0Win32dd/c1Win32dd/c21stPageDevicereservedpages8AnalysisExample:MakingObjectCreationTimeline9VolatilityFramework[5]–timelinerplugin[6]usedkernelobjects(process/thread/socket)eventlogsSpyEyebot(deadprocess)TCPconnectionestablishedbyexplorer.
exeCodeinjectionactivityAnalysisExample:DetectingCodeInjection10Detectingcodeinjection–VolatilityFrameworkmalfind–EnCaseEnScript[7]VadDump–MandiantRedline[8](GUIfront-endforMemoryze[9])ThetoolscheckprotectionflagofVirtualAddressDescriptorMandiantRedline(Memoryze)HBGaryResponderVolatilityFramework2.
0EnCaseEnScirptSupportedWindowsOSAllAllXP/Vista/7/2003/2008XP/7/2003/2008SupportedImageFormatRawRawRawCrashdumpHibernationRawCrashdumpSupportedCPUArchitectureIntelx86AMDx64Intelx86AMDx64Intelx86Intelx86AMDx64Extractingdeadprocess/closedconnectionNoNoYesYesNoteMalwareRiskIndex,MemD5DigitalDNA,codegraphingOpensource,richpluginsMultilingualsearch,EntropyComparisonofMemoryAnalysisTools11PREVIOUSWORKS:ANTIMEMORYFORENSICS12ShadowWalkerisproposedbySherriSparksandJamieButlertohidemaliciousmemoryregions–Installedpagefaulthandlermakesde-synchronizedDTLB/ITLBdataaccess->randomgarbagedataexecuteaccess->rootkitcodeMemoryacquisitiontoolscannotpreventShadowWalkerfromhidingmemorypages–ButAnalysistoolscandetecttheIDThooking13AntiAcquisitionMethods:ShadowWalker[10]Proofofconceptscript–killingspecifiedprocessesorpreventingdriverloadingswiththeaimofmemoryacquisitionfailureVeryeasytoimplement–Theevasionisalsoeasy(e.
g.
,randomname)–Preventingdriverloadingshasanimpactontherunningsystem14AntiAcquisitionMethods:MeterpreterAntiMemoryForensicsScript[11]Objectcarvingisonetechniquetoextractkernelobjectinformation–e.
g.
,processobject(_EPROCESS)PTFinder:Type/Sizein_DISPATCHER_HEADERVolatilityFramework:PoolTagin_POOL_HEADERBrendanDolan-Gavittetal.
warnedanattackercouldchangethevaluestohideaspecifiedobject[12]–Instead,theyproposedrobustsignaturescausingBSODorfunctionalityfailuresifthevaluesarechanged15AntiAnalysisMethod:AntiObjectCarvingmodifyingheadervaluesofcmd.
exeClosed-sourceanalysistoolscanfindthehiddenprocess–HowdotheyfinditOtherthanobjectcarving,thereareseveralkeyoperationsforanalyzingmemoryimage–TheoperationsarerobustLet'scheckit!
16AntiAnalysisMethod:AntiObjectCarving(Cont.
)MemoryzeHBGaryResponderPROPOSEDANTIANALYSISMETHOD17Researchedimplementationsofthreemajortools–VolatilityFramework2.
0–MandiantMemoryze2.
0–HBGaryResponderCommunityEdition2.
0Foundthreeoperationsexecutedinmemoryanalysisincludeafewunconsideredassumptions–Proposedmethodmodifiesone-byteofdatarelatedtotheoperationsThedataisdefinedas"AbortFactor"–Itcan'thidespecificobjects,butcanabortanalyses–NoimpactontherunningsystemNoBSOD,noerrorsforafewdaysto2weeks18AbstractofProposedMethodVirtualaddresstranslationinkernelspaceGuessingOSversionandArchitectureGettingkernelobjects–traversinglinkedlistsorbinarytrees–objectcarving19SensitiveThreeOperationsinMemoryAnalysisVirtualaddresstranslationinkernelspaceGuessingOSversionandArchitectureGettingkernelobjects–traversinglinkedlistsorbinarytrees–objectcarving20SensitiveThreeOperationsinMemoryAnalysisOSswitchesitscontextbyloadingDirectoryTableBase(DTB)ofeachprocess–DTBisstoredineachprocessobject(_EPROCESS)Initially,analysistoolsmustgetDTBvalueforkernelspaceTwoprocesseshavethekernelDTB–PsInitialSystemProcess(Systemprocess)–PsIdleProcess(Idleprocess)21VirtualAddressTranslationinKernelSpaceOSloadsDirectoryTableBase(Startphysicaladdressforaddresstranslation)intoControlRegister(CR3)x86AddressTranslation-HowPAEX86Workshttp://technet.
microsoft.
com/en-us/library/cc736309(WS.
10).
aspx22VirtualAddressTranslationinKernelSpace:ProcessObjectStructure_POOL_HEADER_OBJECT_HEADER_EPROCESS_KPROCESS_DISPATCHER_HEADERPoolTag:"Pro"TypeandSizeDTBImageFileName:"System"or"Idle"FlagsSearch_DISPATCHER_HEADERtoget_EPROCESSCheckwhethertheImageFileNameis"Idle"–IftheprocessisIdle,getDTBvaluein_KPROCESS23VirtualAddressTranslationinKernelSpace:VolatilityFramework_DISPATCHER_HEADER(e.
g.
,"x03x00x1bx00")ImageFileNameSearch"System"tofindImageFileNamein_EPROCESSofPsInitialSystemProcessValidatebyusing_DISPATCHER_HEADERinthe_KPROCESS–All_DISPATCHER_HEADERpatternsarechecked24VirtualAddressTranslationinKernelSpace:MandiantMemoryzeOSversion_DISPATCHER_HEADERByteSequenceXP32bit03001B00200332bit03001E00200364bit03002E00Vista32bit03002000Vista64bit03003000732bit03002600764bit03005800Validatebyusingthefollowingvalues–Flagsin_OBJECT_HEADERThedistancebetweenPoolTagand_EPROCESSiscalculatedaccordingtothevalue–PoolTagin_POOL_HEADERSearchPoolTagfrom_EPROCESSpositionandcheckwhetherthesearchhitoffsetisequaltothecalculateddistanceIfalldataisvalid,gettheDTBvalue25VirtualAddressTranslationinKernelSpace:MandiantMemoryze(Cont.
)Search_DISPATCHER_HEADERstoget_EPROCESSGetDTBvaluefromtheresultandvalidateitResponderseemstobeequippedwiththealgorithmguessingkernelDTB–IfDTBsofPsInitialSystemProcessandPsIdleProcessarenotfound,aguessedDTBvalueisused26VirtualAddressTranslationinKernelSpace:HBGaryResponder27VirtualAddressTranslationinKernelSpace:RelatedDataToolRelatedDataAbortFactorRemarksVolatilityFramework_DISPATCHER_HEADERXPsIdleProcessImageFileNamein_EPROCESSXMandiantMemoryze_DISPATCHER_HEADERXPsInitialSystemProcessPoolTagin_POOL_HEADERXFlagsin_OBJECT_HEADERXImageFileNamein_EPROCESSXHBGaryResponder_DISPATCHER_HEADERoriginalguessingalgorithmVirtualaddresstranslationinkernelspaceGuessingOSversionandArchitectureGettingKernelObjects–traversinglinkedlistsorbinarytrees–objectcarving28SensitiveThreeOperationsinMemoryAnalysisSizeanddefinitionofkerneldatastructuresdifferaccordingto–OSversion(e.
g.
,XPSP2/SP3,7SP0/SP1)–architecture(x86andx64)Allanalysistoolsguesstheversionusingdebugstructures29GuessingOSversionandArchitectureOSversion_EPROCESSsize(bytes)WindowsXPSP332bit0x260Windows7SP032bit0x2C0Windows7SP064bit0x4D0WindowsVistaSP232bit0x270WindowsVistaSP264bit0x3E830GuessingOSversionandArchitecture:DebugStructuresandKeyValues_KPCR_DBGKD_GET_VERSION64_KDDEBUGGER_DATA64KdVersionBlockDebuggerDataListHeaderCmNtCSDVersion_DBGKD_DEBUG_DATA_HEADER64OwnerTag:"KDBG"SizeKernBaseKernBasePrcbDataPsActiveProcessHeadPsLoadedModuleList_KPRCBCurrentThreadUsersmustspecifyOSversionandArchitecture–e.
g.
,--profile=WinXPSP2x86Iftheversionisunknown,imageinfocommandcanguessit–scan_DBGKD_DEBUG_DATA_HEADER64[13]31GuessingOSversionandArchitecture:VolatilityFrameworkOwnerTag:"KDBG"SizeSupposedlydetermineOSandarchitecturebasedon_DISPATCHER_HEADERValidatethembyusinganoffsetvalueofImageFileNamein_EPROCESS32GuessingOSversionandArchitecture:MandiantMemoryzeOSversionoffsetvalueofImageFileNameXP32bit0x174200332bitSP00x154200332bitSP1/SP20x164XP/200364bit0x268Vista32bit0x14CVista64bit0x238732bit0x16C7/200864bit0x2E0TrytotranslateavirtualaddressofThreadListHeadin_KPROCESS–Ifpossible,theOSversionandarchitecturearecorrectGetSPversionfromCmNtCSDVersionin_KDDEBUGGER_DATA6433GuessingOSversionandArchitecture:MandiantMemoryze(Cont.
)GetKernBasevalue–_DBGKD_GET_VERSION64or_KDDEBUGGER_DATA64ValidatethePEheadersignatures–DOSheader"MZ"andNTheader"PE"GetOSversion–OperatingSystemVersionsinOptionalHeadere.
g.
,Windows7–MajorOperatingSystemVersion=6–MinorOperatingSystemVersion=1Getmorespecificversion–TimeDataStampinFileheader34GuessingOSversionandArchitecture:HBGaryResponder35GuessingOSversionandArchitecture:RelatedDataToolRelatedDataAbortFactorRemarksVolatilityFramework_DBGKD_DEBUG_DATA_HEADER64XMandiantMemoryze_DISPATCHER_HEADERXPsInitialSystemProcessoffsetvalueofImageFileNameXThreadListHeadin_KPROCESSCmNtCSDVersionin_KDDEBUGGER_DATA64HBGaryResponderKernBasein_DBGKD_GET_VERSION64or_KDDEBUGGER_DATA64PEHeaderofWindowskernelPEheadersignatures"MZ"/"PE"OperatingSystemVersioninOptionalHeaderXTimeDataStampinFileHeaderVirtualaddresstranslationinkernelspaceGuessingOSversionandArchitectureGettingKernelObjects–traversinglinkedlistsorbinarytrees–objectcarving36SensitiveThreeOperationsinMemoryAnalysisTraversinglinkedlistsorbinarytrees–Generally,usespeciallead/rootaddressesPsActiveProcessHeadforprocesslistPsLoadedModuleListforkernelmodulelistVadRootforVirtualAddressDescriptortreeObjectcarving–Generally,usefixedvaluesinheaders_POOL_HEADER_DISPATCHER_HEADERMyresearchfocusedongetting_EPROCESS37GettingKernelObjectsProcesslististwo-waylink–Each_EPROCESSincludesActiveProcessLinks_LIST_ENTRY(FlinkandBlink)–PsActiveProcessHeadandPsInitialSystemProcessarebounduptogether38GettingKernelObjects:ProcessLinkedListPsActiveProcessHead_EPROCESS"System"_EPROCESS"smss.
exe"_EPROCESS"win32dd.
exe"FLINKBLINKFLINKBLINKFLINKBLINKFLINKBLINK.
.
.
.
.
.
.
.
.
Traversinglinkedlistsorbinarytrees–Search_DBGKD_DEBUG_DATA_HEADER64–getPsActiveProcessHeadin_KDDEBUGGER_DATA64Objectcarving–usePoolTagin_POOL_HEADER39GettingKernelObjects:VolatilityFrameworkExecutingKDBGScannerGetting_DBGKD_DEBUG_DATA_HEADER64(=_KDDEBUGGER_DATA64)addressObjectcarving–find_EPROCESSusingaddressvaluese.
g.
,–DTBis0x20-bytesaligned–(Peb&0x7ffd0000)==0x7ffd0000–(ActiveProcessLinks.
Flink&0x80000000)==0x80000000–similartorobustsignaturesproposedbyBrendanDolan-Gavittetal.
[12]40GettingKernelObjects:MandiantMemoryzeTraversinglinkedlistsorbinarytrees–getCurrentThreadin_KPRCB–get_EPROCESSfromthethreade.
g.
,ApcState.
Processin_KTHREAD(XP)–starttotraverseprocesslistfromthe_EPROCESS"System"stringiscomparedwithImageFileNameof_EPROCESS–foridentifyingPsActiveProcessHead–fordetectinghiddenprocess41GettingKernelObjects:HBGaryResponder42GettingKernelObjects:RelatedDataToolRelatedDataAbortFactorRemarksVolatilityFramework_DBGKD_DEBUG_DATA_HEADER64XPsActiveProcessHeadin_KDDEBUGGER_DATA64XPoolTagin_POOL_HEADERMandiantMemoryzeaddressvaluesin_EPROCESS(DTB,Peb,etc.
)HBGaryResponderCurrentThreadin_KPRCBPsInitialSystemProcess_EPROCESSpointerin_KTHREADImageFileNamein_EPROCESSX43AbortFactorsToolVirtualAddressTranslationinKernelSpaceGuessingOSversionandArchitectureGettingKernelObjectsVolatilityFramework2factors:_DISPATCHER_HEADERandImageFileName(PsIdleProcess)1factor:_DBGKD_DEBUG_DATA_HEADER642factors:_DBGKD_DEBUG_DATA_HEADER64andPsActiveProcessHeadMandiantMemoryze4factors:_DISPATCHER_HEADER,PoolTag,FlagsandImageFileName(PsInitialSystemProcess)2factors:_DISPATCHER_HEADERandoffsetvalueofImageFileName(PsInitialSystemProcess)NoneHBGaryResponderNone1factor:OperatingSystemVersionofkernelheader1factor:ImageFileName(PsInitialSystemProcess)Loadakerneldriverintox86XPVM–Thedrivermodifies1byteofthefollowingdataSizein_DISPATCHER_HEADERofPsIdleProcessPoolTagin_POOL_HEADERofPsInitialSystemProcessMajorOperatingSystemVersioninPEheaderofWindowskernelCheckthemodificationusingWinDbgAcquirethememoryimageusingLiveCloudKd[14]Analysisusingthreetools44DemousingPoCDriver(Video)IMPROVEMENTPLANS45GuessingbasedonaddressvaluesMinimumguessingSeparatingimplementationstogetkernelobjects46ImprovementPlansThemodificationofaddressvaluesoftencausesBSODorfunctionfailures–_EPROCESSobjectcarvingbyMemoryze–_KPCRobjectcarvingbyVolatilityFramework[15]47GuessingBasedonAddressValues_KPCRaddress==SelfPcrand_KPRCBaddress==PrcbSupportcrashdumpformat–Registervaluescannotbemodified48Minimumguessing(1)DataincrashdumpheaderExtractedfrom(Win32ddimplementation)AbortFactorDTBCR3registerOSversionnt!
NtBuildNumberXPAEenabledCR4registerPsActiveProcessHead_KDDEBUGGER_DATA64XPsLoadedModuleList_KDDEBUGGER_DATA64XSupportargumentpassingoptionsaboutDTBandOSversion–VolatilityFrameworksupportsthemspecifyOSversionbyusing"--profile"optionspecifyDTBvaluebyusing"--dtb"option49Minimumguessing(2)IfDTBvaluecannotbeacquired,displaytheresultminimally-extractedbyobjectcarving50SeparatingimplementationstogetkernelobjectsGettingtheseinformationdoesn'tneedDTBvalueWRAP-UP51Proposedantianalysismethodcanabortmemoryanalysistoolsbymodifyingonlyone-byte–ThemethodiseffectiveformemoryimagesofallOSversionsandarchitectures–Abouttheimpactontherunningsystem,longtermevaluationsmaybeneededIhope–Developersimprovetheimplementations–Usersfigureoutinternalsofmemoryanalysisanddealwithanalysiserrors52Wrap-up53Questions(twitter:@cci_forensics)PleasecompletetheSpeakerFeedbackSurveys!
[1]HBGaryFastDumpPro[2]EnCaseWinEn(build-intoolofEnCase)[3]MoonSolsWindowsMemoryToolkit[4]ReservedAddressSpaceinWindowsPhysicalMemory[5]VolatilityFramework[6]timelinerplugin[7]Update:MemoryForensicEnScript[8]MandiantRedline[9]MandiantMemoryze[10]"SHADOWWALKER"RaisingTheBarForRootkit[11]MeterpreterAntiMemoryForensics(Memoryze)Script[12]RobustSignaturesforKernelDataStructures[13]IdentifyingMemoryImages[14]YOURCLOUDISINMYPOCKET[15]FindingObjectRootsinVista(KPCR)54References
forsubmissionMemoryForensicsOverview–MemoryAcquisition–MemoryAnalysisPreviousWorks:AntiMemoryForensicsProposedAntiAnalysisMethodImprovementPlansWrap-upSummary2MEMORYFORENSICSOVERVIEW3Analyzingvolatiledataisimportanttodetectthreatsquickly–increasingamountsofdiskdata–antidiskforensicmethodsusedbymalwaresMemoryforensicsbecamepopularoverthelastfewyears2stepsformemoryforensics–memoryacquisitionandmemoryanalysis4What'sMemoryForensicsTargetMachineInvestigator'sMachineMemoryImageFile1.
AcquireRAMdataasanimagefile2.
ParseandanalyzetheimageofflineOfflineparsingamemoryimagedoesn'tusesystemAPIsMemoryforensicscanget–unallocateddata(e.
g.
,terminatedprocess)–datahiddenbymalware(e.
g.
,hiddenprocess)5WhyMemoryForensicsLiveResponseToolMemoryForensicAnalysisToolRunningProcessHiddenProcessTerminatedProcessAllocatedUnallocatedWindowsAPIParsebinaryimageandextractinformationfromitGetinformationthroughsystemAPIRawImageAcquisition–HBGaryFastDumpPro[1]–GuidanceWinEn[2]–MoonSolsWindd[3]CrashDumpImageAcquisition–MoonSolsWinddMemoryImageConversion–MoonSolsWindowsMemoryToolkit[3]6SomeFormats/AcquisitonToolsMemoryImageFileCPURegisterIncludedCrashDumpHibernationNotIncludedRawDifferencebetweenRawImageandCrashDumpCrashdumpfiledoesn'tinclude–1stPage–PagesreservedbydevicesRun[0]BasePage=0x1,PageCount=0x9eRun[1]BasePage=0x100,PageCount=0xeffRun[2]BasePage=0x1000,PageCount=0xeef0Run[3]BasePage=0xff00,PageCount=0x1001stPage(BIOSReserved)AddressSpaceReservedbyDevices(NotIncludedincrashdump)PhysicalMemoryAddressSpace(e.
g.
,256MBRAM)7EvaluationofMemoryAcquisitionToolsCanrawimageacquisitiontoolsget1stpageanddevice-reservedpages[4]–WinEn–Win32dd/c0MemoryContent(/c)option–Caution:/c0optionmaycauseBSODonx64machineWinEnFDProWin32dd/c0Win32dd/c1Win32dd/c21stPageDevicereservedpages8AnalysisExample:MakingObjectCreationTimeline9VolatilityFramework[5]–timelinerplugin[6]usedkernelobjects(process/thread/socket)eventlogsSpyEyebot(deadprocess)TCPconnectionestablishedbyexplorer.
exeCodeinjectionactivityAnalysisExample:DetectingCodeInjection10Detectingcodeinjection–VolatilityFrameworkmalfind–EnCaseEnScript[7]VadDump–MandiantRedline[8](GUIfront-endforMemoryze[9])ThetoolscheckprotectionflagofVirtualAddressDescriptorMandiantRedline(Memoryze)HBGaryResponderVolatilityFramework2.
0EnCaseEnScirptSupportedWindowsOSAllAllXP/Vista/7/2003/2008XP/7/2003/2008SupportedImageFormatRawRawRawCrashdumpHibernationRawCrashdumpSupportedCPUArchitectureIntelx86AMDx64Intelx86AMDx64Intelx86Intelx86AMDx64Extractingdeadprocess/closedconnectionNoNoYesYesNoteMalwareRiskIndex,MemD5DigitalDNA,codegraphingOpensource,richpluginsMultilingualsearch,EntropyComparisonofMemoryAnalysisTools11PREVIOUSWORKS:ANTIMEMORYFORENSICS12ShadowWalkerisproposedbySherriSparksandJamieButlertohidemaliciousmemoryregions–Installedpagefaulthandlermakesde-synchronizedDTLB/ITLBdataaccess->randomgarbagedataexecuteaccess->rootkitcodeMemoryacquisitiontoolscannotpreventShadowWalkerfromhidingmemorypages–ButAnalysistoolscandetecttheIDThooking13AntiAcquisitionMethods:ShadowWalker[10]Proofofconceptscript–killingspecifiedprocessesorpreventingdriverloadingswiththeaimofmemoryacquisitionfailureVeryeasytoimplement–Theevasionisalsoeasy(e.
g.
,randomname)–Preventingdriverloadingshasanimpactontherunningsystem14AntiAcquisitionMethods:MeterpreterAntiMemoryForensicsScript[11]Objectcarvingisonetechniquetoextractkernelobjectinformation–e.
g.
,processobject(_EPROCESS)PTFinder:Type/Sizein_DISPATCHER_HEADERVolatilityFramework:PoolTagin_POOL_HEADERBrendanDolan-Gavittetal.
warnedanattackercouldchangethevaluestohideaspecifiedobject[12]–Instead,theyproposedrobustsignaturescausingBSODorfunctionalityfailuresifthevaluesarechanged15AntiAnalysisMethod:AntiObjectCarvingmodifyingheadervaluesofcmd.
exeClosed-sourceanalysistoolscanfindthehiddenprocess–HowdotheyfinditOtherthanobjectcarving,thereareseveralkeyoperationsforanalyzingmemoryimage–TheoperationsarerobustLet'scheckit!
16AntiAnalysisMethod:AntiObjectCarving(Cont.
)MemoryzeHBGaryResponderPROPOSEDANTIANALYSISMETHOD17Researchedimplementationsofthreemajortools–VolatilityFramework2.
0–MandiantMemoryze2.
0–HBGaryResponderCommunityEdition2.
0Foundthreeoperationsexecutedinmemoryanalysisincludeafewunconsideredassumptions–Proposedmethodmodifiesone-byteofdatarelatedtotheoperationsThedataisdefinedas"AbortFactor"–Itcan'thidespecificobjects,butcanabortanalyses–NoimpactontherunningsystemNoBSOD,noerrorsforafewdaysto2weeks18AbstractofProposedMethodVirtualaddresstranslationinkernelspaceGuessingOSversionandArchitectureGettingkernelobjects–traversinglinkedlistsorbinarytrees–objectcarving19SensitiveThreeOperationsinMemoryAnalysisVirtualaddresstranslationinkernelspaceGuessingOSversionandArchitectureGettingkernelobjects–traversinglinkedlistsorbinarytrees–objectcarving20SensitiveThreeOperationsinMemoryAnalysisOSswitchesitscontextbyloadingDirectoryTableBase(DTB)ofeachprocess–DTBisstoredineachprocessobject(_EPROCESS)Initially,analysistoolsmustgetDTBvalueforkernelspaceTwoprocesseshavethekernelDTB–PsInitialSystemProcess(Systemprocess)–PsIdleProcess(Idleprocess)21VirtualAddressTranslationinKernelSpaceOSloadsDirectoryTableBase(Startphysicaladdressforaddresstranslation)intoControlRegister(CR3)x86AddressTranslation-HowPAEX86Workshttp://technet.
microsoft.
com/en-us/library/cc736309(WS.
10).
aspx22VirtualAddressTranslationinKernelSpace:ProcessObjectStructure_POOL_HEADER_OBJECT_HEADER_EPROCESS_KPROCESS_DISPATCHER_HEADERPoolTag:"Pro"TypeandSizeDTBImageFileName:"System"or"Idle"FlagsSearch_DISPATCHER_HEADERtoget_EPROCESSCheckwhethertheImageFileNameis"Idle"–IftheprocessisIdle,getDTBvaluein_KPROCESS23VirtualAddressTranslationinKernelSpace:VolatilityFramework_DISPATCHER_HEADER(e.
g.
,"x03x00x1bx00")ImageFileNameSearch"System"tofindImageFileNamein_EPROCESSofPsInitialSystemProcessValidatebyusing_DISPATCHER_HEADERinthe_KPROCESS–All_DISPATCHER_HEADERpatternsarechecked24VirtualAddressTranslationinKernelSpace:MandiantMemoryzeOSversion_DISPATCHER_HEADERByteSequenceXP32bit03001B00200332bit03001E00200364bit03002E00Vista32bit03002000Vista64bit03003000732bit03002600764bit03005800Validatebyusingthefollowingvalues–Flagsin_OBJECT_HEADERThedistancebetweenPoolTagand_EPROCESSiscalculatedaccordingtothevalue–PoolTagin_POOL_HEADERSearchPoolTagfrom_EPROCESSpositionandcheckwhetherthesearchhitoffsetisequaltothecalculateddistanceIfalldataisvalid,gettheDTBvalue25VirtualAddressTranslationinKernelSpace:MandiantMemoryze(Cont.
)Search_DISPATCHER_HEADERstoget_EPROCESSGetDTBvaluefromtheresultandvalidateitResponderseemstobeequippedwiththealgorithmguessingkernelDTB–IfDTBsofPsInitialSystemProcessandPsIdleProcessarenotfound,aguessedDTBvalueisused26VirtualAddressTranslationinKernelSpace:HBGaryResponder27VirtualAddressTranslationinKernelSpace:RelatedDataToolRelatedDataAbortFactorRemarksVolatilityFramework_DISPATCHER_HEADERXPsIdleProcessImageFileNamein_EPROCESSXMandiantMemoryze_DISPATCHER_HEADERXPsInitialSystemProcessPoolTagin_POOL_HEADERXFlagsin_OBJECT_HEADERXImageFileNamein_EPROCESSXHBGaryResponder_DISPATCHER_HEADERoriginalguessingalgorithmVirtualaddresstranslationinkernelspaceGuessingOSversionandArchitectureGettingKernelObjects–traversinglinkedlistsorbinarytrees–objectcarving28SensitiveThreeOperationsinMemoryAnalysisSizeanddefinitionofkerneldatastructuresdifferaccordingto–OSversion(e.
g.
,XPSP2/SP3,7SP0/SP1)–architecture(x86andx64)Allanalysistoolsguesstheversionusingdebugstructures29GuessingOSversionandArchitectureOSversion_EPROCESSsize(bytes)WindowsXPSP332bit0x260Windows7SP032bit0x2C0Windows7SP064bit0x4D0WindowsVistaSP232bit0x270WindowsVistaSP264bit0x3E830GuessingOSversionandArchitecture:DebugStructuresandKeyValues_KPCR_DBGKD_GET_VERSION64_KDDEBUGGER_DATA64KdVersionBlockDebuggerDataListHeaderCmNtCSDVersion_DBGKD_DEBUG_DATA_HEADER64OwnerTag:"KDBG"SizeKernBaseKernBasePrcbDataPsActiveProcessHeadPsLoadedModuleList_KPRCBCurrentThreadUsersmustspecifyOSversionandArchitecture–e.
g.
,--profile=WinXPSP2x86Iftheversionisunknown,imageinfocommandcanguessit–scan_DBGKD_DEBUG_DATA_HEADER64[13]31GuessingOSversionandArchitecture:VolatilityFrameworkOwnerTag:"KDBG"SizeSupposedlydetermineOSandarchitecturebasedon_DISPATCHER_HEADERValidatethembyusinganoffsetvalueofImageFileNamein_EPROCESS32GuessingOSversionandArchitecture:MandiantMemoryzeOSversionoffsetvalueofImageFileNameXP32bit0x174200332bitSP00x154200332bitSP1/SP20x164XP/200364bit0x268Vista32bit0x14CVista64bit0x238732bit0x16C7/200864bit0x2E0TrytotranslateavirtualaddressofThreadListHeadin_KPROCESS–Ifpossible,theOSversionandarchitecturearecorrectGetSPversionfromCmNtCSDVersionin_KDDEBUGGER_DATA6433GuessingOSversionandArchitecture:MandiantMemoryze(Cont.
)GetKernBasevalue–_DBGKD_GET_VERSION64or_KDDEBUGGER_DATA64ValidatethePEheadersignatures–DOSheader"MZ"andNTheader"PE"GetOSversion–OperatingSystemVersionsinOptionalHeadere.
g.
,Windows7–MajorOperatingSystemVersion=6–MinorOperatingSystemVersion=1Getmorespecificversion–TimeDataStampinFileheader34GuessingOSversionandArchitecture:HBGaryResponder35GuessingOSversionandArchitecture:RelatedDataToolRelatedDataAbortFactorRemarksVolatilityFramework_DBGKD_DEBUG_DATA_HEADER64XMandiantMemoryze_DISPATCHER_HEADERXPsInitialSystemProcessoffsetvalueofImageFileNameXThreadListHeadin_KPROCESSCmNtCSDVersionin_KDDEBUGGER_DATA64HBGaryResponderKernBasein_DBGKD_GET_VERSION64or_KDDEBUGGER_DATA64PEHeaderofWindowskernelPEheadersignatures"MZ"/"PE"OperatingSystemVersioninOptionalHeaderXTimeDataStampinFileHeaderVirtualaddresstranslationinkernelspaceGuessingOSversionandArchitectureGettingKernelObjects–traversinglinkedlistsorbinarytrees–objectcarving36SensitiveThreeOperationsinMemoryAnalysisTraversinglinkedlistsorbinarytrees–Generally,usespeciallead/rootaddressesPsActiveProcessHeadforprocesslistPsLoadedModuleListforkernelmodulelistVadRootforVirtualAddressDescriptortreeObjectcarving–Generally,usefixedvaluesinheaders_POOL_HEADER_DISPATCHER_HEADERMyresearchfocusedongetting_EPROCESS37GettingKernelObjectsProcesslististwo-waylink–Each_EPROCESSincludesActiveProcessLinks_LIST_ENTRY(FlinkandBlink)–PsActiveProcessHeadandPsInitialSystemProcessarebounduptogether38GettingKernelObjects:ProcessLinkedListPsActiveProcessHead_EPROCESS"System"_EPROCESS"smss.
exe"_EPROCESS"win32dd.
exe"FLINKBLINKFLINKBLINKFLINKBLINKFLINKBLINK.
.
.
.
.
.
.
.
.
Traversinglinkedlistsorbinarytrees–Search_DBGKD_DEBUG_DATA_HEADER64–getPsActiveProcessHeadin_KDDEBUGGER_DATA64Objectcarving–usePoolTagin_POOL_HEADER39GettingKernelObjects:VolatilityFrameworkExecutingKDBGScannerGetting_DBGKD_DEBUG_DATA_HEADER64(=_KDDEBUGGER_DATA64)addressObjectcarving–find_EPROCESSusingaddressvaluese.
g.
,–DTBis0x20-bytesaligned–(Peb&0x7ffd0000)==0x7ffd0000–(ActiveProcessLinks.
Flink&0x80000000)==0x80000000–similartorobustsignaturesproposedbyBrendanDolan-Gavittetal.
[12]40GettingKernelObjects:MandiantMemoryzeTraversinglinkedlistsorbinarytrees–getCurrentThreadin_KPRCB–get_EPROCESSfromthethreade.
g.
,ApcState.
Processin_KTHREAD(XP)–starttotraverseprocesslistfromthe_EPROCESS"System"stringiscomparedwithImageFileNameof_EPROCESS–foridentifyingPsActiveProcessHead–fordetectinghiddenprocess41GettingKernelObjects:HBGaryResponder42GettingKernelObjects:RelatedDataToolRelatedDataAbortFactorRemarksVolatilityFramework_DBGKD_DEBUG_DATA_HEADER64XPsActiveProcessHeadin_KDDEBUGGER_DATA64XPoolTagin_POOL_HEADERMandiantMemoryzeaddressvaluesin_EPROCESS(DTB,Peb,etc.
)HBGaryResponderCurrentThreadin_KPRCBPsInitialSystemProcess_EPROCESSpointerin_KTHREADImageFileNamein_EPROCESSX43AbortFactorsToolVirtualAddressTranslationinKernelSpaceGuessingOSversionandArchitectureGettingKernelObjectsVolatilityFramework2factors:_DISPATCHER_HEADERandImageFileName(PsIdleProcess)1factor:_DBGKD_DEBUG_DATA_HEADER642factors:_DBGKD_DEBUG_DATA_HEADER64andPsActiveProcessHeadMandiantMemoryze4factors:_DISPATCHER_HEADER,PoolTag,FlagsandImageFileName(PsInitialSystemProcess)2factors:_DISPATCHER_HEADERandoffsetvalueofImageFileName(PsInitialSystemProcess)NoneHBGaryResponderNone1factor:OperatingSystemVersionofkernelheader1factor:ImageFileName(PsInitialSystemProcess)Loadakerneldriverintox86XPVM–Thedrivermodifies1byteofthefollowingdataSizein_DISPATCHER_HEADERofPsIdleProcessPoolTagin_POOL_HEADERofPsInitialSystemProcessMajorOperatingSystemVersioninPEheaderofWindowskernelCheckthemodificationusingWinDbgAcquirethememoryimageusingLiveCloudKd[14]Analysisusingthreetools44DemousingPoCDriver(Video)IMPROVEMENTPLANS45GuessingbasedonaddressvaluesMinimumguessingSeparatingimplementationstogetkernelobjects46ImprovementPlansThemodificationofaddressvaluesoftencausesBSODorfunctionfailures–_EPROCESSobjectcarvingbyMemoryze–_KPCRobjectcarvingbyVolatilityFramework[15]47GuessingBasedonAddressValues_KPCRaddress==SelfPcrand_KPRCBaddress==PrcbSupportcrashdumpformat–Registervaluescannotbemodified48Minimumguessing(1)DataincrashdumpheaderExtractedfrom(Win32ddimplementation)AbortFactorDTBCR3registerOSversionnt!
NtBuildNumberXPAEenabledCR4registerPsActiveProcessHead_KDDEBUGGER_DATA64XPsLoadedModuleList_KDDEBUGGER_DATA64XSupportargumentpassingoptionsaboutDTBandOSversion–VolatilityFrameworksupportsthemspecifyOSversionbyusing"--profile"optionspecifyDTBvaluebyusing"--dtb"option49Minimumguessing(2)IfDTBvaluecannotbeacquired,displaytheresultminimally-extractedbyobjectcarving50SeparatingimplementationstogetkernelobjectsGettingtheseinformationdoesn'tneedDTBvalueWRAP-UP51Proposedantianalysismethodcanabortmemoryanalysistoolsbymodifyingonlyone-byte–ThemethodiseffectiveformemoryimagesofallOSversionsandarchitectures–Abouttheimpactontherunningsystem,longtermevaluationsmaybeneededIhope–Developersimprovetheimplementations–Usersfigureoutinternalsofmemoryanalysisanddealwithanalysiserrors52Wrap-up53Questions(twitter:@cci_forensics)PleasecompletetheSpeakerFeedbackSurveys!
[1]HBGaryFastDumpPro[2]EnCaseWinEn(build-intoolofEnCase)[3]MoonSolsWindowsMemoryToolkit[4]ReservedAddressSpaceinWindowsPhysicalMemory[5]VolatilityFramework[6]timelinerplugin[7]Update:MemoryForensicEnScript[8]MandiantRedline[9]MandiantMemoryze[10]"SHADOWWALKER"RaisingTheBarForRootkit[11]MeterpreterAntiMemoryForensics(Memoryze)Script[12]RobustSignaturesforKernelDataStructures[13]IdentifyingMemoryImages[14]YOURCLOUDISINMYPOCKET[15]FindingObjectRootsinVista(KPCR)54References
JUSTG(5.99美元/月)最新5折优惠,KVM虚拟虚拟512Mkvm路线
Justg是一家俄罗斯VPS云服务器提供商,主要提供南非地区的VPS服务器产品,CN2高质量线路网络,100Mbps带宽,自带一个IPv4和8个IPv6,线路质量还不错,主要是用户较少,带宽使用率不高,比较空闲,不拥挤,比较适合面向非洲、欧美的用户业务需求,也适合追求速度快又需要冷门的朋友。justg的俄罗斯VPS云服务器位于莫斯科机房,到美国和中国速度都非常不错,到欧洲的平均延迟时间为40毫秒,...
Hostodo:4款便宜美国vps七折优惠低至$13/年;NVMe阵列1Gbps带宽,免费DirectAdmin授权
hostodo怎么样?快到了7月4日美国独立日,hostodo现在推出了VPS大促销活动,提供4款Hostodo美国独立日活动便宜VPS,相当于7折,低至$13/年,续费同价。Hostodo美国独立日活动结束时间不定,活动机售完即止。Hostodo商家支持加密数字货币、信用卡、PayPal、支付宝、银联等付款。Hostodo美国独立日活动VPS基于KVM虚拟,NVMe阵列,1Gbps带宽,自带一个...
蓝速数据(58/年)秒杀服务器独立1核2G 1M
蓝速数据金秋上云季2G58/年怎么样?蓝速数据物理机拼团0元购劲爆?蓝速数据服务器秒杀爆产品好不好?蓝速数据是广州五联科技信息有限公司旗下品牌云计算平台、采用国内首选Zkeys公有云建设多种开通方式、具有IDC、ISP从业资格证IDC运营商新老用户值得信赖的商家。我司主要从事内地的枣庄、宿迁、深圳、绍兴、成都(市、县)。待开放地区:北京、广州、十堰、西安、镇江(市、县)。等地区数据中心业务,均KV...
spaceos为你推荐
-
美国互联网瘫痪美国是否有能力关闭全球互联网以及中国互联网,还有美国有没能力关闭某个网站,比如淘宝,天涯,网易等www.228gg.comwww.a8tb.com这个网站该如何改善百度指数词为什么百度指数里有写词没有指数,还要购买www.kaspersky.com.cn现在网上又有病毒了?ww.66bobo.com谁知道11qqq com被换成哪个网站www.175qq.com求带名字的情侣网名!bk乐乐bk乐乐和CK是什么关系?www.jizzbo.comwww.toubai.com是什么网站dpscycleDPScycle插件为什么没有猎人模块 最好详细点本冈一郎本冈一郎到底有效果吗?有人用过吗?