Y R O. Memory Forensics: A Volatility Primer M E M. Mariano Graziano. Security Day - Lille1 University January Lille, France

Transcription

1 emory Forensics: A Volatility Primer ariano Graziano Security Day - Lille1 University January Lille, France

2 whoami Ph.D student at urecom (France) sc from Politecnico di Torino (Italy) ain topics: alware analysis, emory forensics Wasted the best years on IC Interests: xploitation techniques, *Nix Kernel hacking, CTFs

3 utline emory forensics Volatility Windows Linux Virtualization Support Hypervisor Structures Virtual achines Analysis Future Work

4 emory Forensics Process of capturing a copy of the system memory (A) to extract a number of evidences that are useful for an investigation Steps: Take the memory dump Locate raw data structures xtract information (encryption keys, passwords, etc) New field (~2005) and very active research area

5 Pros emory is smaller than hard-drives very attack has a memory footprint Advanced samples reside only in memory

6 Cons S diversity: Data structures Semantic Gap emory changes: Content authenticity Acquisition paradox

7 utline emory forensics Volatility Windows Linux Virtualization Support Hypervisor Structures Virtual achines Analysis Future Work

8 emory Analysis etrieve specific information (processes, IP addresses, etc) Fill the Semantic Gap equire S internals knowledge (the more, the better)

9 xisting Frameworks Don't reinvent the wheel! Volatility (Volatility Foundation) emoryze (andiant) ekall (Google)

10 Framework Internals They all share the same concepts Step 1: Locating structures Fixed offsets Data structures walking Linear scanning emember the S diversity

11 Interesting Structures Depend on the S Define your interest Processes? PCSS, KPCSS, PB, etc task_struct, mm_struct, etc

12 _PCSS _PCSS: 'Pcb': 0x0, '_KPCSS', 'ProcessLock' : 0x98, '_X_PUSH_LCK', 'ActiveProcessLinks' : 0xb8,... 'Peb' : 0x1a8, '_PB', 'PrefetchTrace' : 0x1ac, '_X_FAST_F',... Flink && Blink '_KPCSS' 'Header' : 0x0, '_DISPATCH_HAD',... 'DirectoryTableBase' : 0x18, 'LdtDescriptor' : 0x1c, '_KGDTNT',...

13 Interesting Process Information PCSS: PB: Creation and xit Time PID && PPID Pointer to the handler table VAD etc Pointer to the Image Base Address Pointer to the DLLs loaded Heap Size etc

14 Volatility pen Source emory analysis framework born in 2007 Python Current version 2.4 (August 2014) FATKit volution (by Petroni and Walters, DFI Journal 2006)

15 Volatility 2.4 Windows (XP, Vista, 7, 2003, 2008, 8, 8.1) Linux 32 and 64 bit acsx 10.5 to Android It works with crash dumps, hibernation files, V snapshots, Lime format and plain raw dumps.

16 Volatility Plugins Volatility is highly modular asy to add new features/supports ~160 plugins for ~25 profiles Several plugins for malware analysis python vol.py --info

17 Bootstrap the Analysis Linux: /boot/system.map-$(uname -r) Windows: ekall: Volatility: Scan the memory to find SDS signature xtract GUID and PDB filename Query the icrosoft public symbols server From the PDB file extracts of many symbols Scan the memory to find the KDBG to locate PsActiveProcessHead (Prone to Anti-forensics) Drawback: Locate KDBG: XP/Vista via KPC Win8 encoded

18 Processes Pslist: Walk the PCSS objects list Pstree: Like pslist but it prints out the tree Psscan: Scan the memory for the PCSS signature (find hidden and terminated processes as well)

19 Address Translation Do you remember the Semantic Gap? All the pointers we have found are Virtual Addresses and we have a physical memory dump We need to emulate the U work Volatility solution: Address Spaces (IA-32, IA-32 PA, IA-32e, A, etc)

20 Address Translation IA-32

21 utline emory forensics Volatility Windows Linux Virtualization Support Hypervisor Structures Virtual achines Analysis Future Work

22 The problem Virtualization is everywhere No support to analyze: Virtual achines Hypervisors Nested configurations

23 The solution Actaeon core: VCS layout extractor Hyperls Virtual achine Introspection patch

24 Warning Actaeon IS NT: A tool to dump the physical memory A real time detector for malicious hypervisors A malware detector

25 VCS Virtual achine Control Structure Intel VX structure to handle VX transistions emory structure containing information for keeping the state of the system Fields listed in the Intel anual but the layout is implementation specific

26 VCS Simple reverse algorithm based on an pen Source hypervisor (HyperDbg): VCS fields are associated with a 32 bits value (encoding) that is used by VAD/VWIT instructions The position is derived from the encoding in the processor microcode so we filled the VCS region with 16 bit incremental numbers We rebuilt the position of every field in the VCS by associating the encoding value to the generated value

27 Hypervisor Discovery Four heuristics on VCS fields: VISIN_ID: Determine the VCS memory layout. ust match the value of S 0x480 (IA32 VX_BASIC_S) VX_ABT_INDICAT: ust be zero. It is the second entry of the VCS area. VCS_LINK_PINT: Two consecutive words. They must be 0xFFFFFFFF HST_C4: The 13th bit indicates if VX support is enabled or not.

28 PT xtended Page Tables Provide memory isolation among virtual machines arked in a field in the VCS (Secondary Based xecution Control) Provide an additional layer of translation (remember U?) transparent and in hardware Translation from a GPA to an HPA Translation has four stages (PL4, PDPT, PD, PT)

29 VI Virtual achine Introspection via PT Locate VCS and extract the PT pointer Simulate PT translation Patch the Volatility core to add the PT support

30 utline emory forensics Volatility Windows Linux Virtualization Support Hypervisor Structures Virtual achines Analysis Future Work

31 Actaeon Integration in Volatility x86-64 support Full Hyper-V support ore testing for nested environments VCS Shadowing support Find reliable solution to dump type-1 hypervisors

32 emory Forensics ore research effort to enhance/ease malware analysis ore communication among researchers Leverage memory forensics Lack of support for: Net/pen/Free/BSD Solaris/SPAC mulators (Qemu/Bochs/etc) Containers (LXC/penVZ/Docker/etc)

33 Contact ail: graziano <at> eurecom <dot> fr IC: emdel/emd3l (Freenode/fnet/W3challs) We are looking for motivated and skilled Ph.D students. Feel free to contact me.