Monnappa KA - Info Security, Cisco - Member of SecurityXploded - Reverse Engineering, Malware Analysis, Memory Forensics

Presentation transcript:

Monnappa KA
• Info Security, Cisco
• Member of SecurityXploded
• Reverse Engineering, Malware Analysis, Memory Forensics
• Blog:
• Linkedin:

Agenda
• What is a Rootkit
• User Mode Rootkits
• Kernel Mode Rootkits
• Why Memory Forensics
• Steps in Memory Forensics
• Memory Acquisition Tools
• Volatility
• Volatility commands
• Video Demo (TDSS Rootkit Analysis)

What is a Rootkit
• A program that performs system hooking or modifies the functionality of the OS
• Hides files, processes and other objects to conceal its presence
• Intercepts and alters the normal execution flow
• Can contain both user mode and kernel mode components
• Some rootkits install as device drivers
• Types: User Mode and Kernel Mode Rootkits

User Mode Rootkits
• Run in Ring 3
• Hooking in user space (application space)
• Some common user mode rootkit techniques:
  - IAT (Import Address Table) hooking
  - Inline API hooking
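Both user mode techniques leave the same forensic trace: an import table entry or a function prologue that transfers control outside the module that should own it. The following is an added example, not code from the slides or from Volatility, showing the two checks a memory-forensics tool applies to a process. The module map, IAT entries, function address and prologue bytes are hand-constructed stand-ins for what would be read out of a memory image, and every address is invented.

```python
"""Detect IAT and inline API hooks in a constructed user-mode snapshot.

Added example, not code from the slides or from Volatility. The module
map, IAT entries and function prologue bytes below are hand-built stand-ins
for what a memory-forensics tool reads out of a process, so the checks run
offline; every address is invented.
"""
import struct

# Constructed loaded-module map: name -> (base, size). Addresses are invented.
MODULES = {
    "kernel32.dll": (0x7C800000, 0xF6000),
    "ntdll.dll":    (0x7C900000, 0xB2000),
    "evil.dll":     (0x10000000, 0x10000),   # assumed injected module
}

# Constructed IAT of the inspected process: (exporting DLL, function, resolved address).
IAT = [
    ("kernel32.dll", "CreateFileW", 0x7C810CD9),
    ("kernel32.dll", "WriteFile",   0x10001000),   # resolves into evil.dll: IAT hook
    ("ntdll.dll",    "NtQuerySystemInformation", 0x7C90D8B0),
]

NTQUERYDIRECTORYFILE = 0x7C90D750   # invented address inside ntdll.dll
# Clean prologue shaped like an XP syscall stub: mov eax, 0x91; mov edx, 0x7FFE0300
CLEAN_PROLOGUE = bytes.fromhex("B891000000BA0003FE7F")
HOOK_TARGET = 0x10001234             # invented detour inside evil.dll
# E9 rel32 jump to HOOK_TARGET; rel32 is relative to the end of the 5-byte jmp
HOOKED_PROLOGUE = (b"\xE9" + struct.pack("<i", HOOK_TARGET - (NTQUERYDIRECTORYFILE + 5))
                   + b"\x00\x03\xFE\x7F")


def module_for(addr):
    """Return the name of the loaded module whose range contains addr, or None."""
    for name, (base, size) in MODULES.items():
        if base <= addr < base + size:
            return name
    return None


def check_iat(iat):
    """IAT hook check: an entry is suspicious when the address it resolves to
    does not lie inside the DLL that exports the function.
    Returns a list of (function, expected_dll, module_actually_pointed_to, address)."""
    findings = []
    for dll, func, addr in iat:
        owner = module_for(addr)
        if owner != dll.lower():
            findings.append((func, dll, owner, addr))
    return findings


def check_inline(func_addr, prologue):
    """Inline hook check on the first bytes of an x86 function.

    Recognises two common detour shapes, an E9 rel32 JMP and a PUSH imm32 / RET
    pair, and reports the detour target when it lies outside the module that
    owns the function. Returns the target address, or None if the prologue
    looks normal.
    """
    owner = module_for(func_addr)
    target = None
    if len(prologue) >= 5 and prologue[0] == 0xE9:                              # JMP rel32
        rel = struct.unpack("<i", prologue[1:5])[0]
        target = (func_addr + 5 + rel) & 0xFFFFFFFF
    elif len(prologue) >= 6 and prologue[0] == 0x68 and prologue[5] == 0xC3:   # PUSH imm32; RET
        target = struct.unpack("<I", prologue[1:5])[0]
    if target is not None and module_for(target) != owner:
        return target
    return None


def scan_snapshot():
    """Run both checks over the constructed snapshot and summarise the results."""
    return {
        "iat_hooks": check_iat(IAT),
        "inline_hook_target": check_inline(NTQUERYDIRECTORYFILE, HOOKED_PROLOGUE),
        "clean_prologue_target": check_inline(NTQUERYDIRECTORYFILE, CLEAN_PROLOGUE),
    }


if __name__ == "__main__":
    result = scan_snapshot()
    for func, dll, owner, addr in result["iat_hooks"]:
        print(f"IAT hook: {dll}!{func} -> {addr:#010x} ({owner or 'unmapped'})")
    tgt = result["inline_hook_target"]
    print(f"inline hook on NtQueryDirectoryFile -> {tgt:#010x}" if tgt else "no inline hook")
```

The same range check generalises to any pointer a rootkit can redirect (SSDT entries, IDT entries, IRP dispatch tables): resolve the pointer to the module that contains it and compare against the module that legitimately owns the slot. A jump whose target lands in an unmapped region is equally suspicious and is reported here as an owner of `None`.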

Kernel Mode Rootkits
• Run in Ring 0
• System hooking or modification in kernel space
• Some kernel mode rootkit techniques:
  - SSDT (System Service Descriptor Table) hooking
  - DKOM (Direct Kernel Object Manipulation)
  - IDT (Interrupt Descriptor Table) hooking
  - Installing as device drivers
  - Driver IRP hooking
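DKOM differs from the hooking techniques in that nothing is patched: the rootkit edits kernel data (for example, unlinking its own EPROCESS from the ActiveProcessLinks list) so that every API that walks the list misses it. Memory forensics counters this with a cross-view comparison, which is the idea behind Volatility's psxview plugin. The following is an added example, not code from the slides or from Volatility, run on a hand-built model of kernel memory; all addresses, PIDs and process names are invented.

```python
"""Cross-view detection of a DKOM-hidden process (added example).

Not code from the slides or from Volatility; it imitates the idea behind
Volatility's psxview on a hand-built model of kernel memory. A rootkit using
DKOM unlinks its EPROCESS from the ActiveProcessLinks list, so a list walk
misses it, but the structure is still in memory and a pool-tag scan still
finds it. Comparing the two views exposes the hidden entry.
All addresses, PIDs and names are invented.
"""

# Constructed kernel memory: EPROCESS address -> a few of its fields.
SYSTEM, SMSS, CSRSS, HIDDEN, EXPLORER = 0x823C89C8, 0x8240A020, 0x82230DA0, 0x81F0B230, 0x8222A8A8

EPROCESS = {
    SYSTEM:   {"pid": 4,    "name": "System",       "flink": SMSS,     "blink": EXPLORER},
    SMSS:     {"pid": 368,  "name": "smss.exe",     "flink": CSRSS,    "blink": SYSTEM},
    CSRSS:    {"pid": 584,  "name": "csrss.exe",    "flink": EXPLORER, "blink": SMSS},
    # Unlinked by DKOM: its neighbours no longer point to it, but its own
    # stale links still point at them, which is typical of a hidden process.
    HIDDEN:   {"pid": 1234, "name": "svch0st.exe",  "flink": EXPLORER, "blink": CSRSS},
    EXPLORER: {"pid": 1640, "name": "explorer.exe", "flink": SYSTEM,   "blink": CSRSS},
}


def walk_active_process_links(memory, head):
    """Follow ActiveProcessLinks.Flink from head, the way the kernel enumerates
    processes. Stops on a cycle (the list is circular) or a dangling pointer."""
    order, seen = [], set()
    cur = head
    while cur in memory and cur not in seen:
        seen.add(cur)
        order.append(cur)
        cur = memory[cur]["flink"]
    return order


def pool_scan(memory):
    """Stand-in for scanning physical memory for EPROCESS pool allocations:
    returns every structure present, linked or not."""
    return set(memory)


def find_hidden_processes(memory, head):
    """Cross-view comparison: EPROCESS blocks found by scanning but absent from
    the linked-list walk. Returns a sorted list of (pid, name)."""
    listed = set(walk_active_process_links(memory, head))
    return sorted((memory[a]["pid"], memory[a]["name"]) for a in pool_scan(memory) - listed)


def link_anomalies(memory):
    """Second signal: the entry an EPROCESS's Flink points to should point back
    with Blink, and vice versa. Entries whose neighbours do not reference them
    have been unlinked. Returns the pids of such entries."""
    bad = []
    for addr, ep in memory.items():
        nxt, prv = ep["flink"], ep["blink"]
        if nxt not in memory or prv not in memory:
            bad.append(ep["pid"])
        elif memory[nxt]["blink"] != addr or memory[prv]["flink"] != addr:
            bad.append(ep["pid"])
    return sorted(bad)


if __name__ == "__main__":
    print("listed  :", [EPROCESS[a]["pid"] for a in walk_active_process_links(EPROCESS, SYSTEM)])
    print("hidden  :", find_hidden_processes(EPROCESS, SYSTEM))
    print("unlinked:", link_anomalies(EPROCESS))
```

In a real image the scan side comes from carving EPROCESS blocks by pool tag and structure sanity checks (what psscan does), and the list side from walking from PsActiveProcessHead; the comparison logic is the same as above. The link-consistency check is a useful second signal because a scan can also surface legitimately terminated processes whose memory has not yet been reused.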

Why Memory Forensics
• Finding and extracting forensic artifacts
• Helps in malware analysis
• Determining process, network and registry activities
• Reconstructing the original state of the system
• Assists with unpacking, rootkit detection and reverse engineering
• Sophisticated actors
• Critical data exists in memory

Steps in Memory Forensics
• Memory acquisition - dumping the memory of a target machine
• Memory analysis - analyzing the memory dump for forensic artifacts

Memory Acquisition
The process of acquiring volatile memory to non-volatile storage.
On physical machines (tools):
• KnTTools
• F-Response
• Mandiant Memoryze
• HBGary FastDump
• MoonSols Windows Memory Toolkit (DumpIt)
On virtual machines:
• Suspend the VM (.vmem)

Volatility
• Advanced memory forensics framework written in Python
• Runs on multiple platforms
• Open source
• Extensible API
• Coverage of multiple file formats
• Powerful community
• Used in incident response and forensics

Volatility Commands
Installation details:

Basic commands
==============
• python vol.py -h
• python vol.py -f <image> --profile=<profile> plugin [args]

Determining profile
===================
• python vol.py -f <image> imageinfo
• python vol.py -f <image> kdbgscan

Displaying help
===============
• python vol.py -h --> gives help for the default profile WinXPSP2x86
• python vol.py --profile=<profile> -h --> gives the help for a specific profile
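The commands above form a fixed workflow: determine the profile with imageinfo (or kdbgscan), then run plugins against the image with that profile. The following is an added example, not code from the slides or part of Volatility, that scripts the workflow in Python: it parses the "Suggested Profile(s)" line imageinfo prints, builds the `python vol.py -f <image> --profile=<profile> plugin [args]` command line, and runs a set of Volatility 2 plugins that map onto the rootkit techniques listed earlier. The imageinfo excerpt is constructed in the shape Volatility 2.x prints; the image path and vol.py location are placeholders.

```python
"""Volatility 2 workflow helpers (added example, not part of the slides or of
Volatility itself): pick a profile from imageinfo output, build the command
lines described on the slides, and run a rootkit-oriented plugin set.

SAMPLE_IMAGEINFO is a constructed excerpt in the shape Volatility 2.x prints;
the image path and the vol.py location are placeholders.
"""
import os
import re
import subprocess
import sys

# Constructed excerpt of `python vol.py -f <image> imageinfo` output.
SAMPLE_IMAGEINFO = """\
Volatility Foundation Volatility Framework 2.6
INFO    : volatility.debug    : Determining profile based on KDBG search...
          Suggested Profile(s) : WinXPSP2x86, WinXPSP3x86 (Instantiated with WinXPSP2x86)
                     AS Layer1 : IA32PagedMemoryPae (Kernel AS)
"""

# Volatility 2 plugins covering the rootkit techniques listed on the slides.
ROOTKIT_PLUGINS = {
    "pslist":    "processes from the ActiveProcessLinks list",
    "psscan":    "processes by pool-tag scan (finds DKOM-hidden ones)",
    "psxview":   "cross-view comparison of process listings",
    "ssdt":      "SSDT entries and the module each one points into",
    "idt":       "IDT entries (IDT hooking)",
    "apihooks":  "IAT and inline API hooks in user and kernel space",
    "modscan":   "loaded and unloaded kernel modules by scanning",
    "driverirp": "driver IRP dispatch tables (IRP hooking)",
}


def suggested_profiles(imageinfo_output):
    """Return the profile names from imageinfo's 'Suggested Profile(s)' line,
    without the '(Instantiated with ...)' note. Empty list if not found."""
    m = re.search(r"Suggested Profile\(s\)\s*:\s*([^\n]*)", imageinfo_output)
    if not m:
        return []
    names = re.sub(r"\(.*?\)", "", m.group(1))
    return [n.strip() for n in names.split(",") if n.strip()]


def build_vol_cmd(image, profile, plugin, *args, vol_py="vol.py"):
    """argv for `python vol.py -f <image> --profile=<profile> plugin [args]`.
    A profile of None gives the form used for imageinfo and kdbgscan."""
    cmd = [sys.executable, vol_py, "-f", image]
    if profile:
        cmd.append(f"--profile={profile}")
    return cmd + [plugin, *args]


def run_plugin(image, profile, plugin, *args, vol_py="vol.py"):
    """Run one plugin and return its stdout (requires a local vol.py)."""
    cmd = build_vol_cmd(image, profile, plugin, *args, vol_py=vol_py)
    return subprocess.run(cmd, capture_output=True, text=True, check=True).stdout


def triage(image, vol_py="vol.py"):
    """imageinfo -> first suggested profile -> every plugin in ROOTKIT_PLUGINS."""
    profiles = suggested_profiles(run_plugin(image, None, "imageinfo", vol_py=vol_py))
    if not profiles:
        raise RuntimeError("imageinfo suggested no profile; try kdbgscan")
    return {p: run_plugin(image, profiles[0], p, vol_py=vol_py) for p in ROOTKIT_PLUGINS}


if __name__ == "__main__":
    if len(sys.argv) > 1 and os.path.exists("vol.py"):
        for plugin, out in triage(sys.argv[1]).items():
            print(f"== {plugin}: {ROOTKIT_PLUGINS[plugin]}\n{out}")
    else:
        print("profiles in sample:", suggested_profiles(SAMPLE_IMAGEINFO))
        print(" ".join(build_vol_cmd("<image>", "WinXPSP2x86", "psxview")))
```

Run it as `python triage.py <image>` from the directory that holds vol.py; without an image it only exercises the parser on the constructed sample. When imageinfo suggests several profiles, the first one is the framework's own instantiation choice; if plugin output looks wrong (empty process lists, garbage names), rerun with the next suggestion or use kdbgscan, which is the fallback the slides list.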