Recent Advances in Memory Forensics · ZISC 2010, September 13, 2010, Andreas Schuster
TRANSCRIPT
Page 1
Recent Advances in
Memory Forensics
ZISC 2010
September 13, 2010
Andreas Schuster
Page 2
The Most Important Advancement...
Page 3
Memory Analysis has made its way into well-known digital forensic tools!
The Most Important Advancement ...
Page 4
Takahiro Haruyama has ported Volatility to EnCase
The Most Important Advancement ...
Page 5
Takahiro Haruyama, Blog post "PsEntropyPEB Matching Mode", August 5, 2010
http://cci.cocolog-nifty.com/blog/files/MemoryForensicToolkit_Ver1.83.zip
The Most Important Advancement ... References
Page 6
Apple Mac OS X
Page 7
Retrieval of symbols from binaries
Translation between virtual and physical addresses:
assume KPA = KVA
retrieve IdlePDPT, IdlePDPT64, IdlePML4, and IdlePTD at known address to reconstruct kernel address space
Apple Mac OS X: Getting started
Page 8
Apple Mac OS X: Refresher: VA to PA translation
[Figure (Intel): "System-Level Registers and Data Structures in IA-32e Mode": segment selectors and descriptor tables (GDTR/LDTR/TR), TSS, call and interrupt gates, control registers (CR0-CR4, CR8, XCR0), and the paging chain CR3 -> PML4 -> page directory pointer table -> page directory -> page table -> page. Figure note: "This page mapping example is for 4-KByte pages and 40-bit physical address size." The figure itself is not recoverable from this transcript.]
Image: Intel
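The refresher above is the four-level walk that a memory-forensics tool has to perform once it has reconstructed the kernel address space (the deck's IdlePML4 case for a 64-bit kernel). The following is an added example, not code from the deck or from any of the tools it mentions: a standalone IA-32e translator run against a constructed 16 MiB physical image with hand-built page tables. The physical table locations, the mapped virtual addresses and the planted values are all assumptions made for the example; the entry layout (9/9/9/9/12 split, present bit 0, page-size bit 7, physical address bits 51:12) is Intel's. Beyond the 4 KByte case the figure notes, the walk also handles 2 MByte and 1 GByte large pages.

```python
import struct

ENTRY_PRESENT = 1 << 0
ENTRY_PS      = 1 << 7                  # page-size bit: 1 GByte page in a PDPTE, 2 MByte page in a PDE
ADDR_MASK_4K  = 0x000FFFFFFFFFF000      # physical address bits 51:12 (next table or 4 KByte page)
ADDR_MASK_2M  = 0x000FFFFFFFE00000
ADDR_MASK_1G  = 0x000FFFFFC0000000


class PhysicalImage:
    """A raw physical memory dump; here a constructed bytearray, not a real capture."""

    def __init__(self, size):
        self.buf = bytearray(size)

    def read_u64(self, pa):
        if pa < 0 or pa + 8 > len(self.buf):
            raise ValueError("read outside the image: 0x%x" % pa)
        return struct.unpack_from("<Q", self.buf, pa)[0]

    def write_u64(self, pa, value):
        struct.pack_into("<Q", self.buf, pa, value)


def va_to_pa(mem, cr3, va):
    """Four-level IA-32e translation: PML4 -> PDPT -> PD -> PT, 9 bits per level, 12-bit offset.

    Returns the physical address, or None if any level is not present.
    """
    pml4e = mem.read_u64((cr3 & ADDR_MASK_4K) + ((va >> 39) & 0x1FF) * 8)
    if not pml4e & ENTRY_PRESENT:
        return None
    pdpte = mem.read_u64((pml4e & ADDR_MASK_4K) + ((va >> 30) & 0x1FF) * 8)
    if not pdpte & ENTRY_PRESENT:
        return None
    if pdpte & ENTRY_PS:                                   # 1 GByte page
        return (pdpte & ADDR_MASK_1G) | (va & 0x3FFFFFFF)
    pde = mem.read_u64((pdpte & ADDR_MASK_4K) + ((va >> 21) & 0x1FF) * 8)
    if not pde & ENTRY_PRESENT:
        return None
    if pde & ENTRY_PS:                                     # 2 MByte page
        return (pde & ADDR_MASK_2M) | (va & 0x1FFFFF)
    pte = mem.read_u64((pde & ADDR_MASK_4K) + ((va >> 12) & 0x1FF) * 8)
    if not pte & ENTRY_PRESENT:
        return None
    return (pte & ADDR_MASK_4K) | (va & 0xFFF)             # 4 KByte page


def read_kernel_u64(mem, cr3, va):
    """Read a qword through the reconstructed address space; None when va is unmapped."""
    pa = va_to_pa(mem, cr3, va)
    return None if pa is None else mem.read_u64(pa)


def build_sample_image():
    """Constructed image: PML4 at physical 0x39000 (the value CR3 would hold)."""
    mem = PhysicalImage(16 * 1024 * 1024)
    cr3 = 0x39000
    pdpt_hi, pd_hi, pt_hi = 0x3A000, 0x3B000, 0x3C000      # tables for the kernel half (assumed)
    pdpt_lo, pd_lo = 0x3D000, 0x3E000                       # tables for an identity-mapped low region
    # kernel 4 KByte page: VA 0xffffff8000201000 -> PA 0x40000
    mem.write_u64(cr3 + 0x1FF * 8, pdpt_hi | 0x3)           # PML4 index 0x1ff
    mem.write_u64(pdpt_hi + 0 * 8, pd_hi | 0x3)             # PDPT index 0
    mem.write_u64(pd_hi + 1 * 8, pt_hi | 0x3)               # PD index 1
    mem.write_u64(pt_hi + 1 * 8, 0x40000 | 0x3)             # PT index 1
    # kernel 2 MByte page: VA 0xffffff8000400000.. -> PA 0x200000..
    mem.write_u64(pd_hi + 2 * 8, 0x200000 | ENTRY_PS | 0x3)
    # identity map of the first 2 MByte (covers the page tables themselves)
    mem.write_u64(cr3 + 0 * 8, pdpt_lo | 0x3)
    mem.write_u64(pdpt_lo + 0 * 8, pd_lo | 0x3)
    mem.write_u64(pd_lo + 0 * 8, 0x0 | ENTRY_PS | 0x3)
    return mem, cr3


if __name__ == "__main__":
    mem, cr3 = build_sample_image()
    mem.write_u64(0x40010, 0x4142434445464748)              # planted marker in the mapped page
    for va in (0xFFFFFF8000201010, 0xFFFFFF8000412345, 0x39000, 0xFFFFFF8000800000):
        pa = va_to_pa(mem, cr3, va)
        print("VA 0x%016x -> %s" % (va, "unmapped" if pa is None else "PA 0x%x" % pa))
    print(hex(read_kernel_u64(mem, cr3, 0xFFFFFF8000201010)))
```

The translator reads tables straight from the physical image, which is exactly the bootstrap problem the Mac OS X slide describes: the address of the top-level table (CR3, or IdlePML4 in the kernel) must be known as a physical address before any virtual kernel address can be resolved.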
Page 9
Machine information: CPUs, memory, kernel version
Kernel modules: unexpected/suspicious extensions?
System calls: hooks, redirection
BSD processes: parent-child relation, ownership, timestamp
Mounted file systems: type, mount point, media
Apple Mac OS X: In-depth analysis
Page 10
Matthieu Suiche / NFI. Advanced Mac OS X Physical Memory Analysis. Black Hat Briefings DC, 2010
http://www.blackhat.com/presentations/bh-dc-10/Suiche_Matthieu/Blackhat-DC-2010-Advanced-Mac-OS-X-Physical-Memory-Analysis-wp.pdf (Paper)
http://www.blackhat.com/presentations/bh-dc-10/Suiche_Matthieu/Blackhat-DC-2010-Advanced-Mac-OS-X-Physical-Memory-Analysis-slides.pdf (Slides)
Apple Mac OS X: References
Page 11
Linux kmem_cache
Page 12
Cache facility to support system memory allocator
Provides quick access to data structures of the same size
Example:
task_struct_cachep = kmem_cache_create("task_struct", sizeof(struct task_struct), ARCH_MIN_TASKALIGN, SLAB_PANIC, NULL);
Linux kmem_cache: Usage
Page 13
Uniform access to in-memory data of terminated objects
Processes
File handles (meta-data)
Memory mappings (shared memory, file contents)
Filesystem inode cache
Sockets (meta-data)
Socket buffers (contents)
Netfilter NAT table
Linux kmem_cache: Forensic value
Page 14
Andrew Case, Lodovico Marziale, Cris Neckar, Golden G. Richard III, Treasure and tragedy in kmem_cache mining for live forensics investigation, Digital Investigation, Volume 7, Supplement 1, The Proceedings of the Tenth Annual DFRWS Conference, August 2010, pp. S41-S47, ISSN 1742-2876, DOI:10.1016/j.diin.2010.05.006
http://www.dfrws.org/2010/proceedings/2010-305.pdf (Paper)
http://www.dfrws.org/2010/proceedings/richard2.pdf (Presentation)
Linux kmem_cache: References
Page 15
Robust Signatures
Page 16
Robust Signatures: List walking
[Figure: the doubly linked process list. PsActiveProcessHead and the objects smrss, rk and explorer are chained through their flink/blink pointers.]
Page 17
Robust Signatures: List walking
[Figure: the same list with rk unlinked: the flink/blink chain now runs PsActiveProcessHead -> smrss -> explorer, so rk is no longer reached by walking the list, although rk's own flink/blink still point into it.]
Page 18
Describe an object by a set of constraints: constants, range/set of values, complex conditions
Scan whole memory image: finds active and „visible“ objects, finds active and hidden objects, finds terminated objects
Is the signature based on essential data?
kd> dt 812927c0 nt!_DISPATCHER_HEADER
+0x000 Type : 0x3 // „process“
+0x001 Absolute : 0
+0x002 Size : 0x1b
+0x003 Inserted : 0
Robust Signatures: Power and weakness of scanners
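The two preceding slides contrast list walking (which follows flink from PsActiveProcessHead and therefore misses an unlinked object) with scanning the whole image for objects that satisfy a set of constraints. The following is an added example, not code from the deck: a flat, constructed image holding three XP-style process objects, one of which is then unlinked from the list the way a DKOM rootkit would do it. The field offsets are those of the 32-bit Windows XP nt!_EPROCESS (dispatcher header at 0, ActiveProcessLinks at 0x88, ImageFileName at 0x174); the addresses, the process names and the choice of constraints are assumptions for the example, and the image is addressed directly (no virtual-to-physical translation). The signature mixes the three constraint kinds named on the slide: constants from the dispatcher header shown above, a range test on the image name, and a pointer-sanity condition.

```python
import struct

# Offsets from the 32-bit Windows XP nt!_EPROCESS layout
HEADER_OFF    = 0x000   # _DISPATCHER_HEADER: Type, Absolute, Size, Inserted (one byte each)
LINKS_OFF     = 0x088   # ActiveProcessLinks: Flink, Blink (two 32-bit pointers)
NAME_OFF      = 0x174   # ImageFileName[16]
EPROCESS_SIZE = 0x25c
POOL_ALIGN    = 8       # pool allocations are 8-byte aligned on 32-bit Windows


def u32(img, off):
    return struct.unpack_from("<I", img, off)[0]


def image_name(img, base):
    raw = bytes(img[base + NAME_OFF:base + NAME_OFF + 16])
    return raw.split(b"\0", 1)[0].decode("ascii", "replace")


def name_is_printable(img, base):
    """Range/set constraint: a non-empty, NUL-terminated, printable ASCII image name."""
    raw = bytes(img[base + NAME_OFF:base + NAME_OFF + 16]).split(b"\0", 1)[0]
    return len(raw) > 0 and all(0x20 <= c < 0x7F for c in raw)


def links_inside_image(img, base):
    """Complex condition: Flink and Blink are non-NULL and lie inside the image."""
    return all(0 < u32(img, base + LINKS_OFF + i) < len(img) for i in (0, 4))


# The signature as a list of (description, predicate) pairs
SIGNATURE = [
    ("Type == 0x03 (process)",    lambda img, b: img[b + HEADER_OFF + 0] == 0x03),  # constant
    ("Absolute == 0",             lambda img, b: img[b + HEADER_OFF + 1] == 0x00),  # constant
    ("Size == 0x1b",              lambda img, b: img[b + HEADER_OFF + 2] == 0x1b),  # constant
    ("Inserted == 0",             lambda img, b: img[b + HEADER_OFF + 3] == 0x00),  # constant
    ("ImageFileName printable",   name_is_printable),
    ("Flink/Blink inside image",  links_inside_image),
]


def walk_process_list(img, head):
    """pslist-style: follow Flink from the list head until the list wraps around."""
    names, seen = [], set()
    link = u32(img, head)                      # head.Flink
    while link != head and link not in seen:   # the seen-set guards against a corrupted cycle
        seen.add(link)
        names.append(image_name(img, link - LINKS_OFF))
        link = u32(img, link)
    return names


def scan_for_processes(img):
    """psscan-style: test every pool-aligned offset against all constraints."""
    hits = []
    for base in range(0, len(img) - EPROCESS_SIZE, POOL_ALIGN):
        if all(check(img, base) for _, check in SIGNATURE):
            hits.append((base, image_name(img, base)))
    return hits


def hidden_processes(img, head):
    """Cross-view: everything the scanner finds that the list walk does not report."""
    listed = set(walk_process_list(img, head))
    return sorted(name for _, name in scan_for_processes(img) if name not in listed)


def build_sample_image():
    """Constructed image: three processes, then 'rk' unlinked from the active-process list."""
    img = bytearray(0x8000)
    head = 0x1000                              # stands in for PsActiveProcessHead
    procs = [(0x2000, b"smss"), (0x3000, b"rk"), (0x4000, b"explorer")]
    for base, name in procs:
        img[base:base + 4] = bytes([0x03, 0x00, 0x1b, 0x00])     # header as in the kd output above
        img[base + NAME_OFF:base + NAME_OFF + len(name)] = name
    # circular doubly linked list: head -> smss -> rk -> explorer -> head
    entries = [head] + [b + LINKS_OFF for b, _ in procs]
    for i, e in enumerate(entries):
        struct.pack_into("<II", img, e, entries[(i + 1) % len(entries)], entries[i - 1])
    # unlink rk: its neighbours bypass it, while its own pointers and body stay intact
    struct.pack_into("<I", img, 0x2000 + LINKS_OFF, 0x4000 + LINKS_OFF)      # smss.Flink
    struct.pack_into("<I", img, 0x4000 + LINKS_OFF + 4, 0x2000 + LINKS_OFF)  # explorer.Blink
    return img, head


if __name__ == "__main__":
    img, head = build_sample_image()
    print("list walk:", walk_process_list(img, head))
    print("scan:     ", [n for _, n in scan_for_processes(img)])
    print("hidden:   ", hidden_processes(img, head))
```

The scanner also answers the slide's last question in practice: every constraint here reads a field the kernel itself depends on (the dispatcher header and the list links), so an attacker who wants to evade the scan has to corrupt data that the scheduler or the process manager will later use.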
Page 19
Dolan-Gavitt (2009): Fuzzing of EPROCESS
221 member fields in structure nt!_EPROCESS32 were never accessed (bad candidates)
72 were accessed for every examined application (good candidates)
fuzzing: manipulating a field, waiting for the process to crash
the more crashes there are, the harder it is to tamper with the field
Robust Signatures: Fuzzing
Image: Dolan-Gavitt et al. (2009)
Page 20
Dolan-Gavitt, B., Srivastava, A., Traynor, P., and Giffin, J. 2009. Robust signatures for kernel data structures. In Proceedings of the 16th ACM Conference on Computer and Communications Security (Chicago, Illinois, USA, November 09 - 13, 2009). CCS '09. ACM, New York, NY, 566-577. DOI:10.1145/1653662.1653730
Robust Signatures: References
Page 21
The List of Lists
Page 22
nt!_KPCR
+0x000 NtTib : _NT_TIB
+0x01c SelfPcr : Ptr32 _KPCR
+0x020 Prcb : Ptr32 _KPRCB
+0x024 Irql : UChar
+0x028 IRR : Uint4B
+0x02c IrrActive : Uint4B
+0x030 IDR : Uint4B
+0x034 KdVersionBlock : Ptr32 Void
+0x038 IDT : Ptr32 _KIDTENTRY
+0x03c GDT : Ptr32 _KGDTENTRY
+0x040 TSS : Ptr32 _KTSS
+0x044 MajorVersion : Uint2B
+0x046 MinorVersion : Uint2B
+0x048 SetMember : Uint4B
+0x04c StallScaleFactor : Uint4B
+0x050 DebugActive : UChar
+0x051 Number : UChar
+0x052 Spare0 : UChar
+0x053 SecondLevelCacheAssociativity : UChar
+0x054 VdmAlert : Uint4B
+0x058 KernelReserved : [14] Uint4B
+0x090 SecondLevelCacheSize : Uint4B
+0x094 HalReserved : [16] Uint4B
+0x0d4 InterruptMode : Uint4B
+0x0d8 Spare1 : UChar
+0x0dc KernelReserved2 : [17] Uint4B
+0x120 PrcbData : _KPRCB
The List of Lists: Kernel Processor Control Region
Page 23
nt!_KPRCB
+0x000 MinorVersion : Uint2B
+0x002 MajorVersion : Uint2B
+0x004 CurrentThread : Ptr32 _KTHREAD
+0x008 NextThread : Ptr32 _KTHREAD
+0x00c IdleThread : Ptr32 _KTHREAD
+0x010 Number : Char
+0x011 Reserved : Char
+0x012 BuildType : Uint2B
+0x014 SetMember : Uint4B
+0x018 CpuType : Char
+0x019 CpuID : Char
+0x01a CpuStep : Uint2B
+0x01c ProcessorState : _KPROCESSOR_STATE
...
+0x8c0 CallDpc : _KDPC
+0x8e0 ChainedInterruptList : Ptr32 Void
+0x8e4 LookasideIrpFloat : Int4B
+0x8e8 SpareFields0 : [6] Uint4B
+0x900 VendorString : [13] UChar
+0x90d InitialApicId : UChar
+0x90e LogicalProcessorsPerPhysicalProcessor : UChar
+0x910 MHz : Uint4B
+0x914 FeatureBits : Uint4B
+0x918 UpdateSignature : _LARGE_INTEGER
+0x920 NpxSaveArea : _FX_SAVE_AREA
+0xb30 PowerState : _PROCESSOR_POWER_STATE
The List of Lists: Kernel Processor Control Block
Page 24
Windows XP (and earlier versions): KPCR is at a fixed kernel virtual address (0xffdff000)
Vista (and later versions): Address space layout randomization (ASLR)
Damien Aumaitre (2009): KPCR is self-referencing
kd> dt ffdff000 _KPCR
nt!_KPCR
+0x000 NtTib : _NT_TIB
+0x01c SelfPcr : 0xffdff000 _KPCR
+0x020 Prcb : 0xffdff120 _KPRCB
...
The List of Lists: How to locate the KPCR?
Page 25
Zhang et al. (2010)
proposed a KPCR signature
• [x + 0x1c] == x
• [x + 0x20] == x + 0x120
proposed combination of scanning for KPCR, followed by walking of thread/process lists
Schatz (2010) wrote a plug-in for Volatility to scan for KPCR structures and adapted other plug-ins to use values from the KPCR.
The List of Lists: Combination of scanning and list-walking
Page 26
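The KPCR signature above is written on the virtual address x, but a scanner works on physical offsets where x is not known in advance. The following is an added example, not code from the deck, from Zhang et al. or from Schatz's plug-in: it takes x from the SelfPcr field at each candidate offset and then checks the second constraint against it, so a hit yields both the KPCR's physical offset and its own kernel virtual address, which is what makes the structure usable as a root under ASLR. The image is a constructed 64 KiB buffer holding one genuine KPCR and one decoy that only satisfies the first constraint; the offsets are those of the 32-bit nt!_KPCR and nt!_KPRCB listed on the previous slides, while the version numbers, the CurrentThread value and the extra "kernel half" range check are assumptions for the example.

```python
import struct

# 32-bit nt!_KPCR / nt!_KPRCB offsets from the preceding slides
SELFPCR_OFF   = 0x01c   # KPCR.SelfPcr      : Ptr32 _KPCR   (points at the KPCR itself)
PRCB_OFF      = 0x020   # KPCR.Prcb         : Ptr32 _KPRCB  (points at KPCR + 0x120)
MAJOR_OFF     = 0x044   # KPCR.MajorVersion : Uint2B
MINOR_OFF     = 0x046   # KPCR.MinorVersion : Uint2B
PRCBDATA_OFF  = 0x120   # KPCR.PrcbData     : _KPRCB (embedded)
CURTHREAD_OFF = 0x004   # KPRCB.CurrentThread : Ptr32 _KTHREAD
KERNEL_BASE   = 0x80000000  # assumption: default 2 GB/2 GB split, kernel VAs are >= 0x80000000


def u32(img, off):
    return struct.unpack_from("<I", img, off)[0]


def u16(img, off):
    return struct.unpack_from("<H", img, off)[0]


def kpcr_signature(img, p):
    """Evaluate [x+0x1c] == x and [x+0x20] == x + 0x120 at physical offset p.

    x is read from the SelfPcr slot; returns x (the KPCR's kernel VA) on a match, else None.
    """
    x = u32(img, p + SELFPCR_OFF)
    if x < KERNEL_BASE:                                  # extra range constraint (assumption)
        return None
    if u32(img, p + PRCB_OFF) != (x + PRCBDATA_OFF) & 0xFFFFFFFF:
        return None
    return x


def find_kpcr(img):
    """Scan the whole image at pointer alignment; one record per self-referencing KPCR."""
    hits = []
    for p in range(0, len(img) - (PRCBDATA_OFF + CURTHREAD_OFF + 4), 4):
        x = kpcr_signature(img, p)
        if x is None:
            continue
        hits.append({
            "physical": p,
            "virtual": x,                                          # the KPCR's own kernel VA
            "version": (u16(img, p + MAJOR_OFF), u16(img, p + MINOR_OFF)),
            "prcb_virtual": x + PRCBDATA_OFF,
            # root for the subsequent thread/process list walk
            "current_thread": u32(img, p + PRCBDATA_OFF + CURTHREAD_OFF),
        })
    return hits


def build_sample_image():
    """Constructed 64 KiB physical image: one genuine KPCR and one decoy."""
    img = bytearray(0x10000)
    kpcr_pa, kpcr_va = 0x7000, 0xFFDFF000                  # XP places the KPCR at this VA
    struct.pack_into("<I", img, kpcr_pa + SELFPCR_OFF, kpcr_va)
    struct.pack_into("<I", img, kpcr_pa + PRCB_OFF, kpcr_va + PRCBDATA_OFF)
    struct.pack_into("<HH", img, kpcr_pa + MAJOR_OFF, 1, 1)          # constructed version numbers
    struct.pack_into("<I", img, kpcr_pa + PRCBDATA_OFF + CURTHREAD_OFF, 0x81FB3020)  # constructed KTHREAD pointer
    # decoy: a kernel pointer that equals itself but without the matching Prcb pointer
    decoy = 0x9000
    struct.pack_into("<I", img, decoy + SELFPCR_OFF, 0x81234000)
    struct.pack_into("<I", img, decoy + PRCB_OFF, 0x81234000)
    return img


if __name__ == "__main__":
    for hit in find_kpcr(build_sample_image()):
        print("KPCR at PA 0x%x, VA 0x%x, version %d.%d, CurrentThread 0x%x" % (
            hit["physical"], hit["virtual"], hit["version"][0], hit["version"][1], hit["current_thread"]))
```

The difference between the physical offset and the recovered virtual address of the hit is what Schatz's approach feeds to the other plug-ins: once one kernel structure is located both physically and virtually, its pointers (Prcb, CurrentThread and from there the thread and process lists) can be followed with ordinary list walking.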
Damien Aumaitre, "A little journey inside Windows memory", Journal in Computer Virology, pp. 105-117, 2009
http://archive.hack.lu/2008/2008-hack.lu-aumaitre.pdf
Ruichao Zhang, Lianhai Wang, Shuhui Zhang, "Windows Memory Analysis Based on KPCR", International Symposium on Information Assurance and Security, pp. 677-680, 2009 Fifth International Conference on Information Assurance and Security, 2009
Bradley Schatz, Blog post "Finding Object Roots in Vista (KPCR)", July 7, 2010
http://blog.schatzforensic.com.au/2010/07/finding-object-roots-in-vista-kpcr/
The List of Lists: References
Page 27
Questions and Answers