Malware Analysis with Volatility

1 Malware Analysis with Volatility
Module 2
Malware Analysis with Volatility - Module 2 29/06/2016

2 In this video we will see:
The use of the Volatility plugins for forensic analysis of a Windows system.
How to extract evidence from the Windows GUI subsystem.
How to identify hidden processes.
How to identify kernel drivers.
Exploring the plugins used to collect evidence.

3 A classic example
To deal with the topics of Module 2 we will explore a classic example of malware forensics. First we find out the profile of the memory sample; from that point we use some Volatility commands and try to understand the flow of the infection that the malware causes on the victim machine. We start by assuming that we have no information about the image we received for analysis. So we use imageinfo (kdbgscan can also be used) to determine the operating-system profile associated with this image. Then we use the pslist command to extract evidence from the processes listed in memory, and try to identify suspicious processes or any other evidence of infection.

4 Run pslist
In Windows:
  vol.exe pslist --profile=WinXPSP3x86 -f stuxnet.vmem
In Kali Linux:
  volatility pslist --profile=WinXPSP3x86 -f /root/forensics/stuxnet.vmem
(The profile name must include the architecture suffix; WinXPSP3 without x86 is not a valid Volatility 2 profile name.)
If you want, set environment variables (Linux) so that -f and --profile can be omitted from every command:
  export VOLATILITY_LOCATION=file:///root/forensics/stuxnet.vmem
  export VOLATILITY_PROFILE=WinXPSP3x86

5 The _EPROCESS and PEB in Windows Memory (see [2], p. 219)
The PEB (Process Environment Block) holds:
Full path to the process executable
Full command line that started the process
Current working directory
Pointers to the process heaps
Doubly linked lists of the loaded DLLs, with their full paths
Standard handles

6 Pslist output
The output of the pslist plugin shows us some important information. The winlogon.exe process (PID 624) is the parent (PPID) of lsass.exe (PID 680). But there are two more lsass.exe processes (PIDs 868 and 1928) whose parent is services.exe (PPID 668). On a clean Windows XP system there is exactly one instance of lsass.exe, and it is created by winlogon.exe. Here we have two extra instances of lsass.exe created by services.exe [1].

7 Psscan plugin: searching for hidden processes
psscan scans physical memory for _EPROCESS structures (pool-tag scanning) instead of walking the active process list, so it also finds processes that have been unlinked from that list (hidden) or that have already terminated. The Time exited column shows whether a process has terminated.
  vol.exe psscan --profile=WinXPSP2x86 -f xplaptop.img
  Volatility Foundation Volatility Framework 2.5
Because psscan reports physical offsets, compare them with the physical offsets from pslist (pslist -P): an _EPROCESS that psscan finds but pslist does not, and that has no exit time, is a candidate hidden process.

8 Windows XP PID and PPID
Normal instantiation on a clean XP:
  winlogon.exe (PID 624)
    services.exe (PID 668)
    lsass.exe (PID 680)
Not a normal instantiation of XP; evidence of infection:
  services.exe (PID 668)
    lsass.exe (PID 868)
    lsass.exe (PID 1928)
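The parent/child rule from slides 6 and 8 and the offset comparison from slide 7 can be scripted over the plugin output. The script below is an added example, not code from the presentation or from Volatility; it parses the Volatility 2 column layout of pslist -P and psscan, reports lsass.exe/services.exe instances whose count or parent is not what a clean XP shows, and lists the _EPROCESS blocks that psscan carved but pslist did not walk. The sample output is constructed: the PIDs and parent relationships follow the stuxnet.vmem discussion above, while the offsets, PDB values, timestamps and the process named unlinked.exe (a stand-in for a DKOM-hidden process) are made up.

```python
"""Cross-check Volatility 2 pslist and psscan output for mis-parented or extra lsass.exe
instances and for _EPROCESS blocks that psscan carves but pslist never walks."""
import re

# Constructed sample output in the Volatility 2 column layout (pslist run with -P so that
# both plugins report physical offsets). Offsets, PDBs and timestamps are made up.
PSLIST_OUTPUT = """\
Offset(P)  Name                    PID   PPID   Thds     Hnds   Sess  Wow64 Start                          Exit
---------- -------------------- ------ ------ ------ -------- ------ ------ ------------------------------ ------------------------------
0x01bcc830 System                    4      0     59      403 ------      0
0x01bc5020 smss.exe                376      4      3       19 ------      0 2010-10-29 17:08:53 UTC+0000
0x01b2e020 winlogon.exe            624    376     19      570      0      0 2010-10-29 17:08:54 UTC+0000
0x01b6d020 services.exe            668    624     21      431      0      0 2010-10-29 17:08:54 UTC+0000
0x01b8f020 lsass.exe               680    624     19      342      0      0 2010-10-29 17:08:54 UTC+0000
0x01c12020 lsass.exe               868    668      2       23      0      0 2011-06-03 04:26:55 UTC+0000
0x01c0c020 lsass.exe              1928    668      4       65      0      0 2011-06-03 04:26:55 UTC+0000
"""

# Constructed psscan output: cmd.exe has exited, unlinked.exe stands in for a hidden process.
PSSCAN_OUTPUT = """\
Offset(P)          Name                PID   PPID PDB        Time created                   Time exited
------------------ ---------------- ------ ------ ---------- ------------------------------ ------------------------------
0x0000000001bcc830 System                4      0 0x00319000
0x0000000001bc5020 smss.exe            376      4 0x0c6e0020 2010-10-29 17:08:53 UTC+0000
0x0000000001b2e020 winlogon.exe        624    376 0x0c6e0040 2010-10-29 17:08:54 UTC+0000
0x0000000001b6d020 services.exe        668    624 0x0c6e0060 2010-10-29 17:08:54 UTC+0000
0x0000000001b8f020 lsass.exe           680    624 0x0c6e0080 2010-10-29 17:08:54 UTC+0000
0x0000000001c12020 lsass.exe           868    668 0x0c6e00a0 2011-06-03 04:26:55 UTC+0000
0x0000000001c0c020 lsass.exe          1928    668 0x0c6e00c0 2011-06-03 04:26:55 UTC+0000
0x0000000001d1a020 cmd.exe            1448    868 0x0c6e00e0 2011-06-03 04:27:10 UTC+0000 2011-06-03 04:27:30 UTC+0000
0x0000000001c8e020 unlinked.exe       1604    868 0x0c6e0100 2011-06-03 04:27:12 UTC+0000
"""

TS = r"\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2} \S+"
# pslist columns: Offset Name PID PPID Thds Hnds Sess Wow64 [Start] [Exit]
PSLIST_RE = re.compile(
    rf"^(?P<off>0x[0-9a-fA-F]+)\s+(?P<name>\S+)\s+(?P<pid>\d+)\s+(?P<ppid>\d+)"
    rf"\s+\d+\s+\d+\s+\S+\s+\d+(?:\s+(?P<start>{TS}))?(?:\s+(?P<exit>{TS}))?\s*$")
# psscan columns: Offset Name PID PPID PDB [Time created] [Time exited]
PSSCAN_RE = re.compile(
    rf"^(?P<off>0x[0-9a-fA-F]+)\s+(?P<name>\S+)\s+(?P<pid>\d+)\s+(?P<ppid>\d+)"
    rf"\s+0x[0-9a-fA-F]+(?:\s+(?P<start>{TS}))?(?:\s+(?P<exit>{TS}))?\s*$")


def parse_processes(text, regex):
    """Map physical _EPROCESS offset -> process record; header/separator lines are skipped."""
    procs = {}
    for line in text.splitlines():
        m = regex.match(line)
        if m:
            # int() normalises 0x01bcc830 (pslist) and 0x0000000001bcc830 (psscan)
            procs[int(m["off"], 16)] = {
                "name": m["name"], "pid": int(m["pid"]), "ppid": int(m["ppid"]),
                "exit": m["exit"]}
    return procs


# Windows XP expectations: process name -> (expected parent name, expected instance count)
XP_PARENT_RULES = {
    "lsass.exe": ("winlogon.exe", 1),
    "services.exe": ("winlogon.exe", 1),
}


def parent_anomalies(procs, rules=XP_PARENT_RULES):
    """Flag extra instances and wrong parents for the processes covered by rules."""
    by_pid = {p["pid"]: p for p in procs.values()}
    findings = []
    for name, (expected_parent, expected_count) in rules.items():
        matches = [p for p in procs.values() if p["name"].lower() == name]
        if len(matches) != expected_count:
            findings.append(f"{len(matches)} instance(s) of {name}, expected {expected_count}")
        for p in matches:
            parent = by_pid.get(p["ppid"])
            parent_name = parent["name"] if parent else "<no such PID>"
            if parent_name.lower() != expected_parent:
                findings.append(
                    f"{name} PID {p['pid']} has parent {parent_name} (PPID {p['ppid']}), "
                    f"expected {expected_parent}")
    return findings


def unlisted_processes(pslist, psscan):
    """_EPROCESS blocks psscan carved that the active-process-list walk did not reach.
    An exit time explains the gap (terminated process); no exit time means the block was
    unlinked from the list and deserves a closer look (DKOM hiding)."""
    out = []
    for off, p in psscan.items():
        if off in pslist:
            continue
        status = "terminated" if p["exit"] else "not in pslist and still running: possibly hidden"
        out.append((p["pid"], p["name"], status))
    return sorted(out)


if __name__ == "__main__":
    listed = parse_processes(PSLIST_OUTPUT, PSLIST_RE)
    scanned = parse_processes(PSSCAN_OUTPUT, PSSCAN_RE)
    for finding in parent_anomalies(listed):
        print("parent check:", finding)
    for pid, name, status in unlisted_processes(listed, scanned):
        print(f"psscan only: PID {pid} {name}: {status}")
```

Feed it real output by redirecting `vol.py pslist -P` and `vol.py psscan` to files and reading them into the two strings; the offset comparison only works when both sides report physical offsets, which is why pslist is run with -P.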

9 Malware behavior: stuxnet variation
The output of dlllist for lsass.exe PID 1928:
0x7c xaf xffff C:\WINDOWS\system32\ntdll.dll
0x7c xf xffff C:\WINDOWS\system32\kernel32.dll
0x77dd x9b xffff C:\WINDOWS\system32\ADVAPI32.dll
0x77e x xffff C:\WINDOWS\system32\RPCRT4.dll
0x77fe x xffff C:\WINDOWS\system32\Secur32.dll
0x7e x xffff C:\WINDOWS\system32\USER32.dll
0x77f x xffff C:\WINDOWS\system32\GDI32.dll
0x x x1 C:\WINDOWS\system32\KERNEL32.DLL.ASLR.0360b7ab
The last entry is the evidence: a second kernel32 image loaded under the specially formatted name KERNEL32.DLL.ASLR.0360b7ab, with a load count of 0x1 where the system DLLs show 0xffff. Stuxnet hooks functions in ntdll.dll so that a module with this name is mapped from memory instead of from a file; no such file exists on disk [1].
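The dlllist check above (a module name that is not a real file name, a second copy of kernel32, a path with no file behind it) can be automated over the plugin output. The script below is an added example, not code from the presentation or from Volatility: it parses a Volatility 2 dlllist block into per-process module records, reports module stems loaded more than once, and flags entries whose file name has extra dotted components or that are absent from a file inventory of the disk image. The dlllist block is constructed in the Volatility 2 layout: the module paths are the ones on the slide, while the base, size and load-count values and the DISK_INVENTORY set (standing in for a directory listing of the mounted image) are made up.

```python
"""Triage Volatility 2 dlllist output: parse the per-process module table and flag modules
whose names do not look like on-disk DLLs, that duplicate an already loaded module, or
that have no counterpart in a file inventory taken from the disk image."""
import ntpath
import re
from collections import defaultdict

# Constructed dlllist block for lsass.exe PID 1928 in the Volatility 2 layout. Module paths
# follow the slide; base, size and load-count values are made up.
DLLLIST_OUTPUT = r"""
************************************************************************
lsass.exe pid:   1928
Command line : "C:\WINDOWS\system32\lsass.exe"
Service Pack 3

Base             Size  LoadCount Path
------------ ---------- ---------- ----
0x01000000     0x6000     0xffff C:\WINDOWS\system32\lsass.exe
0x7c900000    0xaf000     0xffff C:\WINDOWS\system32\ntdll.dll
0x7c800000    0xf6000     0xffff C:\WINDOWS\system32\kernel32.dll
0x77dd0000    0x9b000     0xffff C:\WINDOWS\system32\ADVAPI32.dll
0x77e70000    0x92000     0xffff C:\WINDOWS\system32\RPCRT4.dll
0x77fe0000    0x11000     0xffff C:\WINDOWS\system32\Secur32.dll
0x7e410000    0x91000     0xffff C:\WINDOWS\system32\USER32.dll
0x77f10000    0x49000     0xffff C:\WINDOWS\system32\GDI32.dll
0x00080000    0x1e000        0x1 C:\WINDOWS\system32\KERNEL32.DLL.ASLR.0360b7ab
"""

# Constructed stand-in for a file listing of the mounted disk image (for instance the
# output of "dir /s /b C:\WINDOWS\system32"), lower-cased for comparison.
DISK_INVENTORY = {p.lower() for p in (
    r"C:\WINDOWS\system32\lsass.exe", r"C:\WINDOWS\system32\ntdll.dll",
    r"C:\WINDOWS\system32\kernel32.dll", r"C:\WINDOWS\system32\ADVAPI32.dll",
    r"C:\WINDOWS\system32\RPCRT4.dll", r"C:\WINDOWS\system32\Secur32.dll",
    r"C:\WINDOWS\system32\USER32.dll", r"C:\WINDOWS\system32\GDI32.dll",
)}

PROCESS_RE = re.compile(r"^(?P<name>\S+)\s+pid:\s+(?P<pid>\d+)\s*$")
MODULE_RE = re.compile(
    r"^(?P<base>0x[0-9a-f]+)\s+(?P<size>0x[0-9a-f]+)\s+(?P<count>0x[0-9a-f]+)\s+(?P<path>\S.*?)\s*$",
    re.IGNORECASE)
# A legitimate module file name has one stem and one extension; KERNEL32.DLL.ASLR.0360b7ab fails.
NORMAL_MODULE_NAME = re.compile(r"^[\w\-+~ ]+\.(dll|exe|drv|ocx|cpl)$", re.IGNORECASE)


def parse_dlllist(text):
    """Map (process name, pid) -> list of module records in load order."""
    per_process = {}
    current = None
    for line in text.splitlines():
        m = PROCESS_RE.match(line)
        if m:
            current = (m["name"], int(m["pid"]))
            per_process[current] = []
            continue
        m = MODULE_RE.match(line)
        if m and current is not None:
            per_process[current].append({
                "base": int(m["base"], 16), "size": int(m["size"], 16),
                "load_count": int(m["count"], 16), "path": m["path"]})
    return per_process


def module_stem(path):
    """'C:\\WINDOWS\\system32\\KERNEL32.DLL.ASLR.0360b7ab' -> 'kernel32'."""
    return ntpath.basename(path).split(".")[0].lower()


def duplicate_stems(modules):
    """Stems loaded more than once, e.g. kernel32.dll next to KERNEL32.DLL.ASLR.xxxxxxxx."""
    by_stem = defaultdict(list)
    for mod in modules:
        by_stem[module_stem(mod["path"])].append(mod["path"])
    return {stem: paths for stem, paths in by_stem.items() if len(paths) > 1}


def suspicious_modules(modules, disk_inventory):
    """Per-module checks; returns [(path, [reasons])] for modules with at least one hit."""
    findings = []
    for mod in modules:
        reasons = []
        name = ntpath.basename(mod["path"])
        if not NORMAL_MODULE_NAME.match(name):
            reasons.append("file name has extra dotted components")
        if mod["path"].lower() not in disk_inventory:
            reasons.append("no such file in the disk inventory")
        if reasons:
            findings.append((mod["path"], reasons))
    return findings


if __name__ == "__main__":
    for (name, pid), modules in parse_dlllist(DLLLIST_OUTPUT).items():
        print(f"{name} pid {pid}: {len(modules)} modules")
        for stem, paths in duplicate_stems(modules).items():
            print(f"  duplicate stem {stem}: {paths}")
        for path, reasons in suspicious_modules(modules, DISK_INVENTORY):
            print(f"  {path}: {'; '.join(reasons)}")
```

The disk-inventory check is the decisive one for this sample: the name pattern alone would also trip on oddly named but legitimate modules, whereas a module path that appears in the loader lists and nowhere on the volume can only have been mapped from memory.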

10 References
[1]
[2] LIGH, M.; CASE, A.; LEVY, J.; WALTERS, A. The Art of Memory Forensics. Indianapolis: Wiley, 2014.
[3] memory.html
[4] Symantec. An Analysis of Address Space Layout Randomization on Windows Vista.
