pv204 security technologies
play

PV204 Security technologies In-Memory Malware Analysis Vclav Lorenc - PowerPoint PPT Presentation

May 24, 2023 •262 likes •847 views

PV204 Security technologies In-Memory Malware Analysis Vclav Lorenc Senior Security Analyst, Oracle + NetSuite Agenda Basic intro No assembly required No malware (de)obfuscation magic How does the OS look inside?

  1. PV204 Security technologies In-Memory Malware Analysis Václav Lorenc Senior Security Analyst, Oracle + NetSuite

  2. Agenda • Basic intro – No assembly required – No malware (de)obfuscation magic • How does the OS look “inside”? – Processes and other data structures – How the memory is organized • Common tools used for analysis • Searching for system “oddities” – What are the important system indicators? • Real samples discussed and analyzed! (Labs) 2 | PV204 In-Memory Malware Analysis

  3. Why memory analysis? • It’s fun! • Acquiring evidence for legal investigations – It used to be different in the past • Incident response activities – Easy way how to learn more about the attackers – Malicious binary may only be present in memory • Technical simplification of reverse engineering – No binary obfuscation present – the code has to run 3 | PV204 In-Memory Malware Analysis

  4. 4 | PV204 In-Memory Malware Analysis

  5. Challenges in Reverse Engineering (RE) • Assembly language (for multiple platforms) – Plus undocumented instructions (or behavior) • Anti-debugging tricks – Exceptions, interrupts, PE manipulations, time checking, ... • Anti-VM tricks – Uncommon behavior of known instructions – Registry detections, HW detections • Code obfuscation/packing – The most challenging to overcome, mostly 5 | PV204 In-Memory Malware Analysis

  6. PE File Format 6 | PV204 In-Memory Malware Analysis

  7. PDF File Format 7 | PV204 In-Memory Malware Analysis

  8. MEMORY ANALYSIS… ‘cause reverse engineering ninjas are busy 8 | PV204 In-Memory Malware Analysis

  9. x86/x64 Memory organization • Physical memory – RAM; what we really have installed • Virtual memory – Separation of logical process memory from the physical – Logical address space > physical (e.g. swap) – Address space shared by several processes, yet separated • Paging vs. Segmentation – Possible memory organization approaches 9 | PV204 In-Memory Malware Analysis

  10. Paging Segmentation Physical Address 10 | PV204 In-Memory Malware Analysis

  11. Win32 Address Space 11 | PV204 In-Memory Malware Analysis

  12. Linux Address Space 12 | PV204 In-Memory Malware Analysis

  13. Operating System Data Structures • How the OS knows about processes, files, …? – A lot of ‘metadata’ for important data – Based on C/C++ data structures (see MSDN documentation) • (Double-)linked list – Another common data structure (not only in OS) – Method for implementing lists in computer memory • Direct Kernel Object Manipulation (DKOM) – Used for manipulating the structures to hide malicious stuff 13 | PV204 In-Memory Malware Analysis

  14. Double Linked Lists 14 | PV204 In-Memory Malware Analysis

  15. DKOM – Direct Kernel Object Manipulation • Dozens of various (double-)linked lists in Win32 – Maintained by kernel – Processes, threads, opened files, memory allocations, … • DKOM is used by rootkits – Hiding from the sight of the user • Rootkit paradox – Rootkits need to run on the system – … and need to remain hidden at the same time • Memory analysis can help to discover DKOM – Anti-analysis techniques are known as well 15 | PV204 In-Memory Malware Analysis

  16. Windows Process Structures 16 | PV204 In-Memory Malware Analysis

  17. Interesting OS Structures • Suspicious Memory Pages • Processes • Threads • Sockets (Connections) • Handles (Files) • Modules/Libraries • Mutexes • LSA (Local Security Authority) • Registry • … 17 | PV204 In-Memory Malware Analysis

  18. Memory Pages • Various ‘flags’ – Read/write/executable pages – Helping OS to organize memory efficiently • Executable + Writable pages – Why is it bad? • Process Injection technique – Allocating a memory that can be modified (unpacked, decoded, decrypted) and executed. – Used by legitimate processes too (Windows OLE) 18 | PV204 In-Memory Malware Analysis

  19. DLL/Process Injection So that Internet Explorer behaves like a malicious process… 19 | PV204 In-Memory Malware Analysis

  20. And now something completely… PRACTICAL 20 | PV204 In-Memory Malware Analysis

  21. Memory (re)sources • Live RAM – The most common source for analysis – Easier to obtain from virtualized hosts • Paging file/Swap – Used by operating systems to allocate more memory then available RAM • Hibernation file • Memory crash dumps – Very limited analysis options 21 | PV204 In-Memory Malware Analysis

  22. Memory Dump Yes Memory Acquisition VM? Snapshot Clone No Hibernation File No Running? Page File (Swap) Crash Dumps Yes Dumping locally Yes Remote access? Got root? Cost / Benefits Tool Footprint No FireWire PCI Probes 22 | PV204 In-Memory Malware Analysis

  23. Memory Acquisition • Virtual Machines – VMWare, VirtualBox, … – VirtualBox –dbg –startvm “MalwareVM” (and .pgmphystofile command) • Directly from the system! (if we have system rights to do that) – windd , fastdump , memoryze – Or we can hibernate the system (hiberfil.sys) • Remotely – Encase Enterprise, Mandiant Intelligent Response, Access Data FTK • Common issues – Unsupported OS (Linux, MacOS; 32bit/64bit) – Swap (portions of memory on drive) – Malware not running inside a virtual machine 23 | PV204 In-Memory Malware Analysis

  24. Memory Acquisition (2) • Local memory acquisition notes – Unless you have plenty of money, try to get root/admin access to the host – Better to acquire to external storage (USB, network) – The lower tool’s memory footprint, the better – If you run malware in VM, better have less RAM • Faster analysis • .. And configure no swap for the system too 24 | PV204 In-Memory Malware Analysis

  25. Memory Acquisition (3) • Remote memory acquisition – Very useful for fast Incident Response – Requires enterprise licenses for the commercial tools – Acquisition is done over network – Agents already in memory, no extra memory demands • Open source alternative? – GRR (Google Rapid Response) – Still in development, primarily Incident Response tool – Allows remote memory acquisition 25 | PV204 In-Memory Malware Analysis

  26. Memory Analysis Tools • Mandiant Redline – Free, available for Windows • HBGary Responder (CE/Pro) – Community Edition available against registration • Volatility Framework – Open source, no GUI • Rekall – Open source, ‘Volatility done right’, GUI – Google supported (part of GRR agent) 26 | PV204 In-Memory Malware Analysis

  27. Mandiant/FireEye Redline • Free tool for Incident Response – Not open-source, though – .NET executable (runs only under Windows) • Nice and simple user interface – Very nice analysis workflow – Perfect for searching for string information – Rates the level of suspiciousness over processes • Sad things – Memory analysis not reliable, process rating as well 27 | PV204 In-Memory Malware Analysis

  28. Redline: Start

  29. Redline: Timeline

  30. Redline: Time Wrinkles

  31. HBGary Responder (Pro/CE) • Professional Tool – Very expensive – Yet not very well maintained in the last few years • Windows only – .NET written, supports only Windows images • ‘Killer’ features – Digital DNA • automatic rating of suspicious processes – Visual ‘Canvas’ debugger • Supports the analysis of (unpacked) binaries 31 | PV204 In-Memory Malware Analysis

  32. HBGary Responder Pro -- DDNA • Examples of the ‘reasoning’ behind DDNA – Does the process communicate over TCP/IP? – Does it manipulate with registry? – Did the analysis reveal any known bad stuff (strings, IPs, mutexes?) – Does the process access any other process in the system? – Does it access some system-critical process? – Did the analysis find any evidence of obfuscation? – … 32 | PV204 In-Memory Malware Analysis

  33. Responder Pro: DDNA

  34. Responder Pro: DDNA

  35. Responder Pro: Canvas

  36. Volatility Framework • Open source tool – GPL licensed • Written in Python – Available for variety of platforms (Linux, Windows, Mac OS) – Can be automated; many contributed plugins • Supports analysis of memory dumps from various OSs – Windows, Linux, MacOS, Android – Both 32-bit and 64-bit versions • Command-line driven • Two (experimental) web GUIs

  37. Google Rekall • Another open source tool • Supported by Google – Included as a part of GRR (Google Rapid Response) agent • Originally based on the code of Volatility – Shared commands – Different architectural concepts • Proof-of-concept GUI – Better workflows 37 | PV204 In-Memory Malware Analysis

  38. Additional Important Tools • Strings – Both *nix and Windows – Extracts strings information from the file – Can be used in cooperation with Volatility/Rekall – Beware of text encoding! (ascii, utf-8, …) • Foremost – Forensic tool – Can extract various data files from an image (or process) • Images, executables, documents, … 38 | PV204 In-Memory Malware Analysis

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Security Technologies and Hierarchical Trust Security Technologies and Hierarchical Trust Today

Security Technologies and Hierarchical Trust Security Technologies and Hierarchical Trust Today

Security Technologies and Hierarchical Trust Security Technologies and Hierarchical Trust Today Today 1. Review/Summary of security technologies Crypto and certificates 2. Combination of techniques in SSL The basis for secure HTTP, ssh

564 views • 40 slides
1 Figure 7.3 Figure 7.3 Messages with both Authenticity and Secrecy Messages with both

1 Figure 7.3 Figure 7.3 Messages with both Authenticity and Secrecy Messages with both

Today Today 1. Review/Summary of security technologies Crypto and certificates 2. Combination of techniques in SSL Security Technologies and Hierarchical Trust Security Technologies and Hierarchical Trust The basis for secure HTTP, ssh

269 views • 7 slides
What, exactly, is different or new about MOBILE mobile security? SECURITY TECHNOLOGIES 2017

What, exactly, is different or new about MOBILE mobile security? SECURITY TECHNOLOGIES 2017

What, exactly, is different or new about MOBILE mobile security? SECURITY TECHNOLOGIES 2017 Dan S. Wallach , Rice University tl;dr The computers inside the computer Every chip has one or more CPUs inside; they have exploitable bugs

1.23k views • 87 slides
Advanced Research Issues In Security: Securing Key Internet Technologies CS 236 On-Line MS

Advanced Research Issues In Security: Securing Key Internet Technologies CS 236 On-Line MS

Advanced Research Issues In Security: Securing Key Internet Technologies CS 236 On-Line MS Program Networks and Systems Security Peter Reiher Lecture 18 Page 1 CS 236 Online Outline Routing security DNS security Lecture 18 Page 2

556 views • 31 slides
RISC V and Security: How, When and Why Helena Handschuh Rambus Security Technologies Fellow

RISC V and Security: How, When and Why Helena Handschuh Rambus Security Technologies Fellow

RISC V and Security: How, When and Why Helena Handschuh Rambus Security Technologies Fellow RISCV Security Standing Committee Chair CHES 2019 @ Atlanta 08/26/2019 Outline RISCV Foundation Security Standing Committee Creation and

350 views • 33 slides
Java Technologies Java EE Security Securing Applications Software Security - Protecting

Java Technologies Java EE Security Securing Applications Software Security - Protecting

Java Technologies Java EE Security Securing Applications Software Security - Protecting applications against malicious / unauthorized actions Desktop What kind of code is executed by the application, on the client machine? Where

702 views • 33 slides
Docker Security Workshop Goals of this Workshop Understand and get Understand and get

Docker Security Workshop Goals of this Workshop Understand and get Understand and get

Docker Security Workshop Goals of this Workshop Understand and get Understand and get comfortable with Docker comfortable with Linux security technologies security technologies Swarm Mode Security AppArmor Secrets Management seccomp

1.94k views • 147 slides
Importance of Open Discussion on Adversarial Analyses for Mobile Security Technologies --- A

Importance of Open Discussion on Adversarial Analyses for Mobile Security Technologies --- A

ITU-T Workshop on Security, Seoul Importance of Open Discussion on Adversarial Analyses for Mobile Security Technologies --- A Case Study for User Identification --- 14 May 2002 Tsutomu Matsumoto Graduate School of Environment and Information

619 views • 33 slides
The Cloud-y Future of Security Technologies Adam J. ODonnell, Ph.D. Director, Cloud

The Cloud-y Future of Security Technologies Adam J. ODonnell, Ph.D. Director, Cloud

The Cloud-y Future of Security Technologies Adam J. ODonnell, Ph.D. Director, Cloud Engineering Immunet, Inc. Monday, August 22, 2011 The Cloud-y Future of Security Technologies Adam J. ODonnell, Ph.D. Chief Architect, Cloud

848 views • 68 slides
Using Cloud Native Technologies to Solve Complex Application Security Challenges in Kubernetes

Using Cloud Native Technologies to Solve Complex Application Security Challenges in Kubernetes

Using Cloud Native Technologies to Solve Complex Application Security Challenges in Kubernetes Deployments Cequence Security: A Cloud Native Approach to Application Security Venture-backed start-up bringing much-needed innovation to

304 views • 17 slides
The Security State of Open Source PHP Applications Dr. Johannes Dahse, RIPS Technologies GmbH

The Security State of Open Source PHP Applications Dr. Johannes Dahse, RIPS Technologies GmbH

The Security State of Open Source PHP Applications Dr. Johannes Dahse, RIPS Technologies GmbH Introduction About Johannes Dahse Master IT Security at RUB, Germany (2006 - 2012) Capture The Flag (CTF) Contests Security Consultant

673 views • 64 slides
BBC Technologies: Our LATAM Experience Who are BBC Technologies? BBC Technologies Where we are

BBC Technologies: Our LATAM Experience Who are BBC Technologies? BBC Technologies Where we are

BBC Technologies: Our LATAM Experience Who are BBC Technologies? BBC Technologies Where we are today Technology World leaders in Advance Processing Technologies for small fruits and vegetables. R&D Strong focus on research

383 views • 17 slides
Food and Water Security Islamabad- Pakistan 11 - 15 March, 2013 Food Security Monitoring Using

Food and Water Security Islamabad- Pakistan 11 - 15 March, 2013 Food Security Monitoring Using

United Nations/Pakistan International Workshop on Integrated Use of Space Technologies for Food and Water Security Islamabad- Pakistan 11 - 15 March, 2013 Food Security Monitoring Using Space Technologies in Sudan Enaas Ismail Abdalla

291 views • 28 slides
Ellidiss Technologies w w w . e l l i d i s s . c o m Ellidiss Scope Technologies w w w . e l

Ellidiss Technologies w w w . e l l i d i s s . c o m Ellidiss Scope Technologies w w w . e l

Combined Real-Time, Safety and Security Model Analysis ERTS 2020 Toulouse, 29 Jan 2020 P. Dissaux 1 , F. Singhoff 2 , L. Lemarchand 2 , H.N. Tran 2 , I. Atchadam 2 1: Ellidiss Technologies, 24, quai de la douane, 29200 Brest, France 2:

632 views • 17 slides
Quantum Communications (and their implications for Information Security) The Quantum

Quantum Communications (and their implications for Information Security) The Quantum

Quantum Communications (and their implications for Information Security) The Quantum Communications Hub Director: Professor Tim Spiller New Quantum Technologies Quantum technologies form a whole new technology sector. These technologies

222 views • 11 slides
ARF WORK PLAN on Security of and in the Use of Information and Communications Technologies (ICT)

ARF WORK PLAN on Security of and in the Use of Information and Communications Technologies (ICT)

ASEAN Regional Forum (ARF) Seminar on Operationalizing Cyber Confidence Building Measures (CBMs) 21 22 October 2015 Singapore ARF WORK PLAN on Security of and in the Use of Information and Communications Technologies (ICT) ARF CYBER CBM

238 views • 6 slides
ASSURE Authentication Scheme for SecURE Energy Efficient Non-Volatile Memories Joydeep Rakshit

ASSURE Authentication Scheme for SecURE Energy Efficient Non-Volatile Memories Joydeep Rakshit

ASSURE Authentication Scheme for SecURE Energy Efficient Non-Volatile Memories Joydeep Rakshit Kartik Mohanram Non-Volatile Memories Workshop March 12, 2018 San Diego, CA Electrical and Computer Engineering University of Pittsburgh

971 views • 50 slides
Graph Analytics on Massively Parallel Processing Databases Frank McQuillan Feb 2017 MPP

Graph Analytics on Massively Parallel Processing Databases Frank McQuillan Feb 2017 MPP

Graph Analytics on Massively Parallel Processing Databases Frank McQuillan Feb 2017 MPP databases effective for graph analytics at scale in the enterprise 2 Database Engine Popularity http://db-engines.com/en/ranking 3 Graph Engine Trends

583 views • 46 slides
Hunting For Memory Resident Malware Memhunter tool Marcos Oviedo | McAfee Endpoint Software

Hunting For Memory Resident Malware Memhunter tool Marcos Oviedo | McAfee Endpoint Software

Hunting For Memory Resident Malware Memhunter tool Marcos Oviedo | McAfee Endpoint Software Architect 1 Agenda Problem Description Fileless Attacks Overview Common Injection Techniques Current Challenges with memory

870 views • 22 slides
WHY ATTACKER TOOLSETS DO WHAT THEY DO (or.. Reasons they just keep working) Matt McCormack

WHY ATTACKER TOOLSETS DO WHAT THEY DO (or.. Reasons they just keep working) Matt McCormack

WHY ATTACKER TOOLSETS DO WHAT THEY DO (or.. Reasons they just keep working) Matt McCormack OVER THE LAST YEAR 50+ engagements Good chunk of different verticals, industries, etc. Varying qualities and effectiveness of defenses Collective

725 views • 56 slides
Revisiting iOS Kernel (In)Security: Attacking the Early Random PRNG Tarjei Mandt CanSecWest 2014

Revisiting iOS Kernel (In)Security: Attacking the Early Random PRNG Tarjei Mandt CanSecWest 2014

Revisiting iOS Kernel (In)Security: Attacking the Early Random PRNG Tarjei Mandt CanSecWest 2014 tm@azimuthsecurity.com @kernelpool About Me Senior Security Researcher at Azimuth Security Masters degree in Information Security

1.24k views • 76 slides
A Sentence is a Sentence is a Sentence? Zarah Weiss Introduction Parallels and Differences

A Sentence is a Sentence is a Sentence? Zarah Weiss Introduction Parallels and Differences

Segmenting Oral and Historical Language Data A Sentence is a Sentence is a Sentence? Zarah Weiss Introduction Parallels and Differences between the Defining Sentences Written Language Bias Segmentation of Oral and Historical Defining

1.44k views • 110 slides
Yongdae Kim KAIST Admin q Student Information Survey https://goo.gl/forms/VnjAyN5N1bmswLNP2 q

Yongdae Kim KAIST Admin q Student Information Survey https://goo.gl/forms/VnjAyN5N1bmswLNP2 q

EE817/IS893 Blockchain and Cryptocurrency Peer-to-Peer Systems Yongdae Kim KAIST Admin q Student Information Survey https://goo.gl/forms/VnjAyN5N1bmswLNP2 q Paper Presentation Survey https://goo.gl/forms/pGhbDPJqBr4MNff92 q Paper

393 views • 24 slides
Attacking a Big Data Developer Dr. Olaf Flebbe of t oflebbe.de ApacheCon Bigdata Europe

Attacking a Big Data Developer Dr. Olaf Flebbe of t oflebbe.de ApacheCon Bigdata Europe

Attacking a Big Data Developer Dr. Olaf Flebbe of t oflebbe.de ApacheCon Bigdata Europe 16.Nov.2016 Seville About me PhD in computational physics Former projects: Minix68k (68k FP Emulation), Linux libm.so.5 (High Precision FP), perl and

1.12k views • 56 slides

More recommend