Memory Analysis Part 2

Video Activity
Join over 3 million cybersecurity professionals advancing their career
Sign up with
Required fields are marked with an *

Already have an account? Sign In »

3 hours 41 minutes
Video Transcription
Hello, everyone. And welcome to memory analysis, Part two. In this session, we're going to continue learning about the different ways we can perform memory analysis. Using volatility
during the memory analysis process, you should focus on any suspicious processes that are running on the system.
In a live incident situation. You may not really know what the process is you're looking for, so you'll have to do a little bit of hunting. Of course, if you've been analyzing a piece of that where you probably know the process, you want to investigate because you've analyzed it previously in your lab,
volatility offers a few plug ins that allow you to enumerate a process list. The first is P s list. We've seen this in action already, but we also have PS scan and P S X view.
Now you might be asking yourself. Okay, well, why do we have several options to look for processes? Well, the answer is that PS scan this scans the physical memory for the signature of a process object.
Using this technique, volatility can detect terminated processes and hidden processes. Now, typically, I skip P s list altogether and use PS can.
However, in Mawr Advanced Situations Attackers can install a colonel driver to run in the kernel space and modify different memory tax.
By modifying the memory tags, an attacker can prevent the plug ins from working properly. In a sense, it's just another hiding technique
to defeat malware. In these types of situations, we can use PSX view
as you can see in our output. We've used the PSX View Command to enumerate the processes.
Each process is displayed as a single row, and the plug ins that volatility used are displayed as columns containing a value of true or false. A false value in a column means that the process wasn't found using that plug in
the process. We're interested in the second one. That's the mall where Iran was detected by all of the modules.
Once we find a process where interested in weaken, start investigating it, further using the other plug ins that volatility offers.
Now that we've identified our process that we want to know more about, the next thing that we should do is investigate which objects like registry keys, files, etcetera. The processes accessing thes objects will give us an idea of the Knauer components and their function.
For example, a piece of malware may access another process, like power shell, to profile the system and then access a network, a p I to exfiltrate information.
Now, anytime a piece of malware wants to access an object, the malware process first needs to open a handle to that object. For instance, if malware wants to create a file, then malware will open handle to an object and use that handle to performance operations.
The reasons handles are open is because objects like the CPU and other hardware reside in kernel space
process is executed in user space. Don't have access to colonel space? Typically. So to use an object the process needs and user space, the processes presented a handle to that object. By running volatility with handles, plug in, you can get a list of all the handle objects the processes are using.
But to further refine the list, you can use the dash piece, which, with the number of the process I D. You're interested in, you can obtain the process I d using any one of the process in new Marais shin commands we've just reviewed
while reviewing your list. If you're interested in a specific handle type. You can specify it by passing it as a sub option to the handles. Plug in by using a Dashti, followed by the handle type,
for instance. Dashti Mutant to look for mu Texas Dashti file to look for files and dash T key to look for registry keys.
Malicious processes Use deals to implement different malicious functionality. Therefore, another artifact you can analyze and memory are loaded. Libraries
To list loaded modules, execute a bles or DLL so you can use volatilities. DLL list. Plug in the plug in displays the full path associated with the process as well as any loaded DLL.
The way the DLL list plug in works is that it gets information about the modules from the process environment block or the pep.
This is a structure that resides in the process memory.
The PEB resigns in user space, and the structure contains information about where the process is loaded. It's full path on disk and any loaded execute a bles and ordeals.
Another plug in that we can use to look for loaded dll is the L. D. R. Modules. Plugging
this plug in takes information from the PEB in three separate lists and compares it to the information from a data structure residing in kernel space known as the virtual address Descriptors, or VAT.
Virtual address descriptors are way to track which virtual address in the process. Memory is reserved or free by the memory manager.
For each process. The memory manager maintains a set of descriptors for a specific memory region.
If the process memory region contains a map file like a DLL or ah execute herbal, then this descriptor stores information about the loaded files, base address, file path and memory protection.
So, in essence, the plug in works by comparing the virtual address descriptors to the PEB lists. And then any discrepancies are identified and listed by volatility. As you can see in our screenshot, a DLL is listed with E L. D R modules plug in that was not listed with our DLL list. Blufgan
in full disclosure, I missed this deal well when I analyzed this piece of malware using traditional techniques,
but found it when I was performing memory forensics.
One of the cool features I wanted to show you in our lab is how to dump dll as you saw in our previous screenshot. We had a DLL that wasn't listed when we used the DLL list. Blufgan.
But when we run the L. D. R modules plug in, we can see that we have a DLL. That's interesting, and we want to know more about it.
To inspect the DLL, we can use the DLL dumb plug in this dumps the module to the disks so that we can inspect it.
It's fairly simple, and all we need to do is specify a base address by using the Dash B target.
The base address is located here in the base column,
and then we can dump it to a specific location using the Dash Capital D Target. We can just dump it to this directory using period.
Now we can inspect this just like we would any other file.
And if we run strings on this, we can see we've got some a novice skated strings. We've got a P ice, and there are some strings that indicate some key logging functionality.
A malicious process will typically involve the network in some way. This could be to download a second stage, execute herbal exfiltrate data, receive commands from the sea to server or communicate with a back door on the target system.
By looking at work activity, you can determine in what way the malware is using a connection
to look at what type of network connections the malware used you can use. The nets can plug in.
The nets can plug in displays both the network connections and the sockets.
In our example. Here, you can see that are malicious. Process was utilizing Port 80 an attempt to communicate outside the network
while you're hunting for malware. The registry can provide a lot of information, especially when you're looking for persistence methods. Many times, malware programs want to add entries in the registry so that they can survive a reboot.
Now we're also uses the registry to store configuration, data, encryption keys and many other types of information
to inspect the registry. With volatility, we can use the print key plug in by providing the desired registry path using the Dash Capital K argument.
As you can see in our example, we printed the run keys, and we've got a few services that will run at startup.
There's a few other registry keys that store binary information that could be useful when you're performing an investigation.
The volatility plug ins, such as user assist, shell banks and Shim Cash, parse thes register keys and display information in a readable format.
The user assist key contains programs that have been executed and the plug ins Shim cash and shell bags give information about file, folder access, network storage devices and other resource is
all right. So I hope you enjoyed this session on memory Forensics. As you can see, volatility is a pretty powerful tool, and we've Onley really explored several of the many options and features volatility has to offer.
I definitely encourage you to explore the various plug ins on your own and see what kind of artifacts you can extract from the different malware that you play with.
Up Next