Memory Analysis

MEMORY ANALYSIS
Advanced malware detection in the enterprise

Contents

Abstract 3
Introduction 4
Concepts 5
• Code Injection 6
• Standard DLL Injection 7
• Reflective Loading DLL Injection 7
• Process Hollowing 7
• API Hooking 8
• IAT/EAT Hooking 9
• Inline Hooking 9
Using Volatility to Perform Memory Analysis 10
• APIhooks Plugin 11
• Malfind Plugin 13
Problems with Memory Analysis 15
Using Memory Analysis at Scale 16
• Time-Efficient Analysis 20
Conclusion 21

Abstract

Traditional malware detection and forensic investigation techniques typically focus on detecting malicious native executables on disk, and performing disk forensics to uncover evidence of historical actions on a system. In response, many threat actors have shifted their offensive techniques to avoid writing to disk, staying resident only in memory. In particular, Metasploit’s Meterpreter payload has adopted this philosophy for more than a decade. Consequently, the ability to effectively analyze live memory for evidence of compromise and to gather additional forensic evidence has become increasingly important.

In this paper, we will look at some of the memory resident techniques used by common malware families and how open-source memory analysis frameworks, such as Volatility, can be used to detect evidence of these techniques on compromised systems. Finally, we will look at how we have adopted similar ideas at Countercept, developing capabilities for performing targeted live memory analysis at scale. This enables us to detect unknown malware, making use of these techniques on isolated systems within large enterprise networks.

Introduction

The first question to ask is why memory analysis is important. To answer the question, first consider how much forensically interesting data is never written to disk. For example, on a default Microsoft Windows build you are unlikely to see much evidence of historical network connections on disk, aside from a few IP addresses associated with certain Windows event logs. You will also miss evidence of data contained in unsaved documents, any runtime code modifications, malware that has been dynamically loaded and much more besides. On a Microsoft Windows system, you will find that the operating system loads executables from disk into memory and, from that point on, most activity occurs purely in memory, unless explicit actions or logging functionality cause evidence to be written to disk. Put simply, disk forensics only tells you half the story and memory analysis will help to fill in the blanks.

Another reason is that many malware families have moved to using such techniques as code injection and API hooking in a stealthy attempt to avoid traditional security solutions and achieve certain end goals, such as spying on passwords before they are encrypted using TLS. The 2015 Verizon Data Breach Report found that “malware is part of the event chain in virtually every security incident”, that “70-90% of malware samples are unique to an organization” and that “organizations would need access to all threat intelligence indicators in order for the information to be helpful – a herculean task”. Given these findings, it is obvious that having an effective technique for discovering previously unseen malware on your network is extremely important – and memory analysis can be used to uncover some of the stealth techniques used by modern malware families.

Concepts

While there are many types of data recoverable through memory analysis that could prove useful in detecting compromises and performing a forensic investigation, it’s worth considering two specific techniques that are often used by malware: code injection and API hooking.
Code Injection

Code injection refers to the technique of placing executable code into the address space of another process and causing it to run. This can be done purely to use the other process as a hosting container, to modify the behavior of the process in ways the developers did not intend, or to gain access to sensitive data used by that process, such as passwords. There are both legitimate and malicious uses for these techniques.

In this instance, we are not considering exploitation-related code injection vulnerabilities, such as buffer overflows or SQL injection, but rather the post-exploitation activity of placing malicious executable code in the address space of a legitimate process on a compromised system. One reason for this is that it’s considered ‘stealthier’ to ensure no additional processes are running on a compromised system, plus it avoids writing code to disk in order to start a new process. For example, attackers that have compromised a Microsoft Windows system might choose to inject their code into the legitimate ‘c:\windows\explorer.exe’ process that is running a user’s login session, rather than write their code to an executable file on disk and start a new process running that executable file. While a new process is sometimes required to initiate the code injection, this is generally short-lived and can often be achieved using legitimate scripting technologies already installed, such as PowerShell or the Windows Script Host.

Technically, code injection can be implemented purely by the injection of shellcode into another process, which is often the case in traditional memory corruption exploits. However, in practice it is far more common to see a small shellcode stub used as a stager to load a more fully featured implant that has been implemented as a DLL. It is much easier to develop complicated code in a high-level language than to write or compile it entirely as position-independent shellcode. Hence this is a common solution we see used for both legitimate and malicious purposes.

Code injection on Microsoft Windows is often achieved using DLL injection techniques, which generally start by writing some executable code into the address space of another process. Although there are several methods employed that achieve the same end result, probably the most common is using the API function CreateRemoteThread() to start a new thread in the target process to run the malicious code. This code is often no more than a small execution stub that causes the loading of a full DLL with much richer functionality.

Standard DLL Injection

This technique uses functionality offered by the Windows LoadLibrary() API function to map an injected DLL into the target process memory space, and often uses thread injection via CreateRemoteThread() to force the DLL loading. Occasionally, other techniques are used to help hide the fact that the DLL has been loaded, such as unlinking its entry from the list of loaded modules in the process’s Process Environment Block (PEB).

Reflective Loading DLL Injection

More stealthy methods utilize reflective loading techniques that employ a custom DLL loader to avoid writing any code to disk, such as the technique used by Metasploit’s Meterpreter based on Stephen Fewer’s technique. This loader would have to replicate the functionality offered natively by Windows, such as loading any dependencies, resolving indirect function call addresses based on the relocation table, and other procedures necessary to allow correct operation of the DLL. This also helps bypass security products monitoring module loads, as the loader is custom and hence the Windows loader process is not invoked.

[Figure: DLL injection from Process A into Process B in four steps: (1) Process A targets Process B, (2) allocate memory in Process B, (3) copy the DLL into the allocated memory, (4) execute the DLL in a new thread.]

Process Hollowing

Another related form of code injection is known as process hollowing. Here, instead of injecting an additional DLL and thread into an existing process to run side-by-side with the legitimate code, a legitimate executable is launched in a suspended state, with the core code section for the process entirely replaced by malicious code before execution is resumed. This approach differs slightly in that it cannot be used to infect existing processes that need to continue operating normally to avoid instability. Consequently, it is not usually a suitable technique for implementing API hooking, which often requires the use of code injection as a first step. However, despite this, Countercept often sees process hollowing and reflective DLL injection used in combination by malware in the field.

API Hooking

API hooking is the process of intercepting function calls in order to monitor and/or change the information passing back and forth between them. There are many reasons – both legitimate and malicious – why this might be desirable. For example, in the case of data loss prevention (DLP) software, functions related to writing files and sending network traffic might be intercepted to monitor for protected information being written to external storage, or uploaded to personal webmail accounts. However, in the case of malware, this is commonly considered to be ‘rootkit’ functionality and the most likely reasons are to hide evidence of its presence on the system from other processes and to spy on sensitive data. Some common examples are listed below:

• Intercepting communications with the keyboard in order to log keystrokes, including passwords that are typed by a user;

There are several hooking techniques, broadly divided into userland and kernel methods. Of the two, kernel hooking is often considered the more stealthy and powerful, but it’s arguably more difficult to perform, requires system-level privileges, and can only be used to inspect API calls that result in system calls to the kernel, hence not all malicious use cases can be achieved with kernel hooking in isolation. Kernel hooking is usually implemented using a driver and will often either modify the System Service Descriptor Table (SSDT) to reroute specific system calls to malicious handling code or will use inline hooking to directly modify the kernel code responsible for implementing the system call itself.

Userland hooking is most commonly achieved using either import address table (IAT) hooking, export address table (EAT) hooking, or inline hooking.
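As an added example (not code from the paper or from Countercept’s tooling), the defender-side check implied by the DLL injection and process hollowing sections above: cross-referencing the PEB module lists against the process memory map, which is how an unlinked DLL, a reflectively loaded DLL with no file behind it, or a hollowed main image shows up. The snapshot, module bases and the injected DLL path are constructed, assumed values.

```python
from collections import namedtuple
from dataclasses import dataclass
from typing import List, Set, Tuple

# One memory region (what Volatility reads from the VAD tree); mapped_file None = private memory.
Region = namedtuple("Region", "base size executable mapped_file")

@dataclass
class Snapshot:
    """Loader bookkeeping from the PEB plus the memory map. Constructed, not a real dump."""
    image_base: int          # PEB.ImageBaseAddress
    image_path: str          # executable the process was started from
    load_order: Set[int]     # module bases in InLoadOrderModuleList
    memory_order: Set[int]   # module bases in InMemoryOrderModuleList
    init_order: Set[int]     # module bases in InInitializationOrderModuleList
    regions: List[Region]

def find_anomalies(snap: Snapshot) -> List[Tuple[int, str]]:
    """Return (base, reason) for executable regions the loader does not account for."""
    findings = []
    for r in snap.regions:
        if not r.executable:
            continue
        if r.base == snap.image_base:
            # Main image sits in InLoad/InMemory only; hollowing leaves it without its own file behind it.
            if r.mapped_file is None or r.mapped_file.lower() != snap.image_path.lower():
                findings.append((r.base, "main image not backed by its executable (possible hollowing)"))
        elif r.mapped_file is None:
            findings.append((r.base, "executable private memory with no backing file (possible reflective load or shellcode stub)"))
        else:
            lists = (("load", snap.load_order), ("memory", snap.memory_order), ("init", snap.init_order))
            missing = [name for name, bases in lists if r.base not in bases]
            if missing:  # a file-backed DLL the loader's lists no longer mention: PEB unlinking
                findings.append((r.base, f"{r.mapped_file} missing from PEB lists: {', '.join(missing)}"))
    return findings

def sample_snapshot() -> Snapshot:
    """Constructed explorer.exe snapshot: ntdll is clean, a placeholder injected DLL is unlinked from the init list, one unbacked executable region holds a stub."""
    return Snapshot(
        image_base=0x00400000, image_path=r"c:\windows\explorer.exe",
        load_order={0x00400000, 0x77000000, 0x10000000},
        memory_order={0x00400000, 0x77000000, 0x10000000},
        init_order={0x77000000},  # the injected DLL's entry was unlinked from this list
        regions=[Region(0x00400000, 0x200000, True, r"c:\windows\explorer.exe"),
                 Region(0x77000000, 0x180000, True, r"c:\windows\system32\ntdll.dll"),
                 Region(0x10000000, 0x20000, True, r"c:\users\public\injected_placeholder.dll"),
                 Region(0x00300000, 0x10000, True, None),
                 Region(0x00500000, 0x10000, False, None)])
```

On a real system some file-backed images are legitimately mapped without a loader entry, so each finding is a lead to inspect rather than a verdict.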
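A second added example, again not the paper’s code, for the userland hooks the API Hooking section describes: the IAT check (an import slot must resolve into the DLL that exports it) and the inline check (an exported function must not begin with a control transfer out of its own module), run over a constructed 32-bit snapshot. Module bases, function addresses and hook targets are assumed values, and the instruction encodings are 32-bit x86.

```python
import struct
from typing import Dict, List, Optional, Tuple

# Loaded modules of the inspected process: name -> (base, size). Constructed data throughout.
def owner(modules: Dict[str, Tuple[int, int]], addr: int) -> Optional[str]:
    """Module containing addr, or None if it is unbacked/private memory."""
    for name, (base, size) in modules.items():
        if base <= addr < base + size:
            return name
    return None

def check_iat(modules, imports: List[Tuple[str, str, int]]) -> List[str]:
    """imports: (exporting dll, function, value in the IAT slot). A slot that does not point
    into the exporting dll has been redirected. Forwarded exports (kernel32 -> ntdll, for
    example) legitimately resolve elsewhere; a real check follows the forwarder chain first."""
    return [f"IAT hook: {dll}!{func} -> {val:#010x} in {owner(modules, val) or 'private memory'}"
            for dll, func, val in imports if owner(modules, val) != dll]

def check_inline(modules, exports: List[Tuple[str, str, int]], read) -> List[str]:
    """exports: (dll, function, address); read(addr, n) returns n bytes of process memory.
    Flags a first instruction that transfers control out of the dll (32-bit encodings)."""
    hooks = []
    for dll, func, addr in exports:
        code, target = read(addr, 6), None
        if code[0] == 0xE9:                          # jmp rel32, relative to the next instruction
            target = (addr + 5 + struct.unpack("<i", code[1:5])[0]) & 0xFFFFFFFF
        elif code[:2] == b"\xff\x25":                # jmp dword ptr [abs]: dereference the pointer
            target = struct.unpack("<I", read(struct.unpack("<I", code[2:6])[0], 4))[0]
        elif code[0] == 0x68 and code[5] == 0xC3:    # push imm32; ret
            target = struct.unpack("<I", code[1:5])[0]
        if target is not None and owner(modules, target) != dll:
            hooks.append(f"inline hook: {dll}!{func} -> {target:#010x} in {owner(modules, target) or 'private memory'}")
    return hooks

def sample() -> Tuple[List[str], List[str]]:
    """Constructed snapshot: ws2_32!send redirected via its IAT slot, advapi32!CryptEncrypt
    patched with a jmp into private memory, kernel32!CreateFileA left with its normal prologue."""
    modules = {"ws2_32.dll": (0x71A00000, 0x40000), "advapi32.dll": (0x77DD0000, 0xA0000),
               "kernel32.dll": (0x7C800000, 0xF6000)}
    mem = {0x77DE1000: b"\xe9" + struct.pack("<i", 0x00200000 - (0x77DE1000 + 5)) + b"\x90",
           0x7C80ADA0: b"\x8b\xff\x55\x8b\xec\x83"}   # mov edi,edi; push ebp; mov ebp,esp; ...
    def read(addr, n):
        return mem[addr][:n]
    imports = [("ws2_32.dll", "send", 0x00201000), ("kernel32.dll", "CreateFileA", 0x7C80ADA0)]
    exports = [("advapi32.dll", "CryptEncrypt", 0x77DE1000), ("kernel32.dll", "CreateFileA", 0x7C80ADA0)]
    return check_iat(modules, imports), check_inline(modules, exports, read)
```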
