Hunting Rootkit From the Dark Corners Of Memory
Monnappa KA
- Info Security Investigator @ Cisco
- Member of SecurityXploded
- Reverse Engineering, Malware Analysis, Memory Forensics
- Email: monnappa22@gmail.com
- Twitter: @monnappa22
- Blog: http://malware-unplugged.blogspot.in
- LinkedIn: http://in.linkedin.com/pub/monnappa-ka-grem-ceh/42/45a/1b8
Agenda
======
- What is a Rootkit
- User Mode Rootkits
- Kernel Mode Rootkits
- Why Memory Forensics
- Steps in Memory Forensics
- Memory Acquisition Tools
- Volatility
- Volatility commands
- Video Demo (TDSS Rootkit Analysis)
What is a Rootkit
=================
- Program that performs system hooking or modifies the functionality of the OS
- Hides files, processes and other objects to conceal its presence
- Intercepts and alters the normal execution flow
- Can contain both user mode and kernel mode components
- Some rootkits install as device drivers
- Types: User Mode and Kernel Mode Rootkits
User Mode Rootkits
==================
- Runs in Ring 3
- Hooking in user space (application space)
- Some common user mode rootkit techniques:
  - IAT (Import Address Table) hooking
  - Inline API hooking
Kernel Mode Rootkits
====================
- Runs in Ring 0
- System hooking or modification in kernel space
- Some kernel mode rootkit techniques:
  - SSDT (System Service Descriptor Table) hooking
  - DKOM (Direct Kernel Object Manipulation)
  - IDT (Interrupt Descriptor Table) hooking
  - Installing as device drivers
  - Driver IRP hooking
Why Memory Forensics
====================
- Finding and extracting forensic artifacts
- Helps in malware analysis
- Determining process, network and registry activity
- Reconstructing the original state of the system
- Assists with unpacking, rootkit detection and reverse engineering
- Sophisticated actors
- Critical data exists in memory
Steps in Memory Forensics
=========================
- Memory acquisition: dumping the memory of a target machine
- Memory analysis: analyzing the memory dump for forensic artifacts
Memory Acquisition Tools
========================
Process of acquiring volatile memory to non-volatile storage
On physical machines (tools):
- KnTTools
- F-Response
- Mandiant Memoryze
- HBGary FastDump
- MoonSols Windows Memory Toolkit (DumpIt)
On virtual machines:
- Suspend the VM (.vmem)
Volatility
==========
- Advanced memory forensics framework written in Python
- Runs on multiple platforms
- Open source
- Extensible API
- Coverage of multiple file formats
- Powerful community
- Used in incident response and forensics
Installation details:
http://www.volatilityfoundation.org/
Volatility commands
===================
Basic commands
==============
- python vol.py -h
- python vol.py -f <mem image> --profile=<profile name> plugin [args]
Determining profile
===================
- python vol.py -f <mem image> imageinfo
- python vol.py -f <mem image> kdbgscan
Displaying help
===============
- python vol.py -h --> gives help for the default profile WinXPSP2x86
- python vol.py --profile=<profile name> -h --> gives the help for a specific profile
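Added example (not from the slides or the Volatility project): a small Python helper that ties the SSDT-hooking technique listed under kernel mode rootkits to the Volatility workflow above. It assembles the vol.py invocation in the form the slides show, picks the profile from imageinfo output, and flags SSDT entries whose owning module is not ntoskrnl.exe or win32k.sys. The plugin names (imageinfo, ssdt) are real Volatility 2 plugins; the sample plugin output and the driver name rogue_driver.sys are constructed for illustration.

```python
import re
import shlex

# Modules that legitimately own SSDT entries on a clean 32-bit XP/7 system
# (assumption); any other owner is worth a closer look with driverscan/modscan.
KNOWN_SSDT_OWNERS = {"ntoskrnl.exe", "win32k.sys"}

# Line layout of the Volatility 2 'ssdt' plugin, e.g.
#   Entry 0x0000: 0x805872a8 (NtAcceptConnectPort) owned by ntoskrnl.exe
SSDT_LINE = re.compile(
    r"Entry 0x(?P<index>[0-9a-fA-F]+): 0x(?P<addr>[0-9a-fA-F]+) "
    r"\((?P<func>\w+)\) owned by (?P<owner>\S+)"
)

def build_command(image, profile, plugin, args=()):
    """Assemble: python vol.py -f <mem image> --profile=<profile> plugin [args]."""
    return ["python", "vol.py", "-f", image, "--profile=%s" % profile, plugin, *args]

def suggested_profile(imageinfo_output):
    """Return the first profile named on imageinfo's 'Suggested Profile(s)' line."""
    m = re.search(r"Suggested Profile\(s\)\s*:\s*([^,\n(]+)", imageinfo_output)
    return m.group(1).strip() if m else None

def suspicious_ssdt_entries(ssdt_output, known_owners=KNOWN_SSDT_OWNERS):
    """Return (index, function, owner) for SSDT entries owned by an unexpected module."""
    hits = []
    for line in ssdt_output.splitlines():
        m = SSDT_LINE.search(line)
        if m and m.group("owner").lower() not in known_owners:
            hits.append((int(m.group("index"), 16), m.group("func"), m.group("owner")))
    return hits

# Constructed sample output (not from a real dump) in the plugins' line format.
SAMPLE_IMAGEINFO = "Suggested Profile(s) : WinXPSP2x86, WinXPSP3x86 (Instantiated with WinXPSP2x86)\n"
SAMPLE_SSDT = """\
  Entry 0x0000: 0x805872a8 (NtAcceptConnectPort) owned by ntoskrnl.exe
  Entry 0x0025: 0xf8a3e1c0 (NtCreateFile) owned by rogue_driver.sys
  Entry 0x0041: 0x80573b62 (NtEnumerateKey) owned by ntoskrnl.exe
  Entry 0x0091: 0xf8a3e2a0 (NtQueryDirectoryFile) owned by rogue_driver.sys
"""

if __name__ == "__main__":
    # On a real image, feed subprocess.run(build_command(...)).stdout in place of the samples.
    profile = suggested_profile(SAMPLE_IMAGEINFO)
    print(shlex.join(build_command("mem.raw", profile, "ssdt")))
    for idx, func, owner in suspicious_ssdt_entries(SAMPLE_SSDT):
        print("SSDT[%#06x] %s -> hooked by %s" % (idx, func, owner))
```

Hooked services that hide files (NtQueryDirectoryFile) or redirect file creation (NtCreateFile) are exactly the kind of entries a TDSS-style rootkit would point at its own driver; the flagged owner name is the lead to follow with the driver and module plugins.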