Hunting Rootkit From the Dark Corners Of Memory
- 2. Monnappa KA
Info Security Investigator @ Cisco
Member of SecurityXploded
Reverse Engineering, Malware Analysis, Memory Forensics
Email: monnappa22@gmail.com
Twitter: @monnappa22
Blog: http://malware-unplugged.blogspot.in
Linkedin: http://in.linkedin.com/pub/monnappa-ka-grem-ceh/42/45a/1b8
- 3. What is a Rootkit
User Mode Rootkits
Kernel Mode Rootkits
Why Memory Forensics
Steps in Memory Forensics
Memory Acquisition Tools
Volatility
Volatility commands
Video Demo (TDSS Rootkit Analysis)
- 4. Program that performs system hooking or modifies the functionality of the OS
Hide files, processes, other objects to conceal its presence
Intercepts and alters the normal execution flow
Can contain both user mode and kernel mode components
Some rootkits can install as device drivers
Types: User Mode and Kernel Mode Rootkits
- 5. Runs in Ring 3
Hooking in user space or application space
Some common user mode Rootkit techniques:
- IAT (Import Address Table) hooking
- Inline API hooking
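As an added example that is not part of the original slides: the check a memory forensics tool applies to spot an inline API hook, decoding the first instruction of a function as read from a memory image and flagging it when it transfers control to an address outside the module that owns the function. Module range, function address and byte sequences are constructed, hypothetical values.

```python
import struct

# Constructed sample values (hypothetical, for illustration only): the
# address range of the module that owns the function and the function's VA.
MODULE_BASE = 0x7C800000   # hypothetical base of the DLL being inspected
MODULE_END = 0x7C8F6000    # hypothetical end of that DLL's mapping
FUNC_VA = 0x7C801D7B       # hypothetical VA of the exported function


def decode_prologue(code, va):
    """Decode the first instruction of a 32-bit x86 function.

    Returns (kind, target) when it is an unconditional control transfer of a
    form commonly used to redirect an API, otherwise (None, None).
    """
    if len(code) >= 5 and code[0] == 0xE9:                        # jmp rel32
        rel = struct.unpack_from('<i', code, 1)[0]
        return 'jmp rel32', (va + 5 + rel) & 0xFFFFFFFF
    if len(code) >= 6 and code[0] == 0x68 and code[5] == 0xC3:    # push imm32; ret
        return 'push/ret', struct.unpack_from('<I', code, 1)[0]
    if len(code) >= 7 and code[0] == 0xB8 and code[5:7] == b'\xFF\xE0':  # mov eax, imm32; jmp eax
        return 'mov eax/jmp eax', struct.unpack_from('<I', code, 1)[0]
    return None, None


def check_inline_hook(code, va, mod_base, mod_end):
    """Flag the function as inline-hooked if its first instruction jumps to
    an address outside the owning module. A jump that stays inside the module
    is left alone, since hot-patch stubs and forwarders do this legitimately."""
    kind, target = decode_prologue(code, va)
    if kind is None or mod_base <= target < mod_end:
        return None
    return {'kind': kind, 'target': target}


# Constructed prologues as they might be read out of a memory image.
CLEAN = bytes.fromhex('8BFF558BEC')            # mov edi,edi; push ebp; mov ebp,esp
INTRA_MODULE = b'\xE9' + struct.pack('<i', 0x7C850000 - (FUNC_VA + 5))
HOOK_JMP = b'\xE9' + struct.pack('<i', 0x10001000 - (FUNC_VA + 5))
HOOK_PUSH_RET = b'\x68' + struct.pack('<I', 0x10002000) + b'\xC3'

if __name__ == '__main__':
    for name, code in [('clean', CLEAN), ('intra-module jmp', INTRA_MODULE),
                       ('jmp to foreign module', HOOK_JMP), ('push/ret', HOOK_PUSH_RET)]:
        print(name, '->', check_inline_hook(code, FUNC_VA, MODULE_BASE, MODULE_END))
```

A real tool also resolves indirect forms such as `jmp [addr]` by dereferencing the pointer in the image, and reports which loaded module (if any) owns the target.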
- 6. Runs in Ring 0
System hooking or modification in kernel space
Some Kernel mode Rootkit techniques:
- SSDT (System Service Descriptor Table) hooking
- DKOM (Direct Kernel Object Manipulation)
- IDT (Interrupt Descriptor Table) hooking
- Installing as Device Drivers
- Driver IRP hooking
- 7. Finding and extracting forensic artifacts
Helps in malware analysis
Determining process, network, registry activities
Reconstructing original state of the system
Assists with unpacking, rootkit detection and reverse engineering
Sophisticated actors
Critical data exists in memory
- 8. Memory acquisition - Dumping the memory of a target machine
Memory analysis - Analyzing the memory dump for forensic artifacts
- 9. Process of acquiring volatile memory to non-volatile storage
On Physical Machines (Tools):
KnTTools
F-Response
Mandiant Memoryze
HBGary FastDump
MoonSols Windows Memory Toolkit (DumpIt)
On Virtual Machines:
Suspend the VM (.vmem)
- 10. Advanced memory forensics framework written in Python
Runs on multiple platforms
Open source
Extensible API
Coverage of multiple file formats
Powerful community
Used in incident response and forensics
- 12. Determining profile
===================
python vol.py -f <mem image> imageinfo
python vol.py -f <mem image> kdbgscan
Displaying help
===============
python vol.py -h --> gives help for the default profile WinXPSP2x86
python vol.py --profile=<profile name> -h --> gives the help for specific profile