
Post on 22-Mar-2018


Recent Advances in Memory Forensics

ZISC 2010, September 13, 2010

Andreas Schuster

The Most Important Advancement...

The Most Important Advancement...

Memory analysis has made its way into well-known digital forensic tools!

The Most Important Advancement...

Takahiro Haruyama has ported Volatility to EnCase

The Most Important Advancement... References

Takahiro Haruyama, Blog post "PsEntropyPEB Matching Mode", August 5, 2010
http://cci.cocolog-nifty.com/blog/files/MemoryForensicToolkit_Ver1.83.zip

Apple Mac OS X: Getting started

Retrieval of symbols from binaries

Translation between virtual and physical addresses:

• assume KPA = KVA

• retrieve IdlePDPT, IdlePDPT64, IdlePML4, and IdlePTD at a known address to reconstruct the kernel address space

Apple Mac OS X: Refresher on VA to PA translation


Image: Intel
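The translation the Intel figure illustrates, as a worked example added here (Python, not from the slides): a four-level IA-32e page-table walk over a small constructed buffer that stands in for a raw physical memory image, including the 2 MiB / 1 GiB large-page case where the walk stops early. The caller supplies the top-level table base; on Mac OS X the slide above recovers it from the Idle* paging symbols under the KPA = KVA assumption. All addresses and table contents below are constructed for the example.

```python
import struct

PAGE = 0x1000
PRESENT = 1 << 0                     # bit 0 of every paging-structure entry
LARGE = 1 << 7                       # PS bit: 1 GiB page in a PDPT entry, 2 MiB page in a PD entry
ADDR_MASK = 0x000F_FFFF_FFFF_F000    # bits 51:12 hold the next table's (or frame's) physical base

class PhysMem:
    """Stand-in for a raw memory image: a byte buffer indexed by physical address."""
    def __init__(self, size):
        self.buf = bytearray(size)

    def read_qword(self, pa):
        return struct.unpack_from("<Q", self.buf, pa)[0]

    def write_qword(self, pa, value):
        struct.pack_into("<Q", self.buf, pa, value)

def va_to_pa(mem, pml4_pa, va):
    """Walk PML4 -> PDPT -> PD -> PT for one 48-bit linear address.
    Returns the physical address, or None if an entry on the path is not present."""
    indices = ((va >> 39) & 0x1FF, (va >> 30) & 0x1FF, (va >> 21) & 0x1FF, (va >> 12) & 0x1FF)
    table = pml4_pa
    for level, idx in enumerate(indices):
        entry = mem.read_qword(table + idx * 8)
        if not entry & PRESENT:
            return None
        if level in (1, 2) and entry & LARGE:      # large page: stop early, keep a wider offset
            shift = 30 if level == 1 else 21
            return (entry & ADDR_MASK & ~((1 << shift) - 1)) | (va & ((1 << shift) - 1))
        table = entry & ADDR_MASK
    return table | (va & (PAGE - 1))

def build_sample_image():
    """Constructed sample, not a real image: PML4 at PA 0x1000 mapping the made-up kernel
    address 0xffffff8000200000 to frame 0x5000, and the next 2 MiB as one large page."""
    mem = PhysMem(0x10000)
    pml4, pdpt, pd, pt = 0x1000, 0x2000, 0x3000, 0x4000
    va = 0xFFFFFF8000200000
    mem.write_qword(pml4 + ((va >> 39) & 0x1FF) * 8, pdpt | PRESENT)
    mem.write_qword(pdpt + ((va >> 30) & 0x1FF) * 8, pd | PRESENT)
    mem.write_qword(pd + ((va >> 21) & 0x1FF) * 8, pt | PRESENT)
    mem.write_qword(pt + ((va >> 12) & 0x1FF) * 8, 0x5000 | PRESENT)
    big_va = va + 0x200000                          # falls in the next PD slot
    mem.write_qword(pd + ((big_va >> 21) & 0x1FF) * 8, 0x200000 | LARGE | PRESENT)
    return mem, pml4
```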

Apple Mac OS X: In-depth analysis

Machine information: CPUs, memory, kernel version

Kernel modules: unexpected/suspicious extensions?

System calls: hooks, redirection

BSD processes: parent-child relation, ownership, timestamp

Mounted file systems: type, mount point, media

Linux kmem_cache

Linux kmem_cache: Usage

Cache facility to support the system memory allocator

Provides quick access to data structures of the same size

Example:

task_struct_cachep = kmem_cache_create("task_struct", sizeof(struct task_struct), ARCH_MIN_TASKALIGN, SLAB_PANIC, NULL);

Linux kmem_cache: Forensic value

Uniform access to in-memory data of terminated objects:

• Processes

• File handles (meta-data)

• Memory mappings (shared memory, file contents)

• Filesystem inode cache

• Sockets (meta-data)

• Socket buffers (contents)

• Netfilter NAT table

Linux kmem_cache: References

Andrew Case, Lodovico Marziale, Cris Neckar, Golden G. Richard III, "Treasure and tragedy in kmem_cache mining for live forensics investigation", Digital Investigation, Volume 7, Supplement 1, The Proceedings of the Tenth Annual DFRWS Conference, August 2010, pp. S41-S47, ISSN 1742-2876, DOI:10.1016/j.diin.2010.05.006

http://www.dfrws.org/2010/proceedings/2010-305.pdf (Paper)

http://www.dfrws.org/2010/proceedings/richard2.pdf (Presentation)

Robust Signatures

Robust Signatures: List walking

[Diagram: process list walked from PsActiveProcessHead via Flink/Blink pointers; nodes shown: smss, rk, explorer]

Robust Signatures: List walking

[Diagram: second view of the same Flink/Blink list from PsActiveProcessHead; nodes shown: smss, rk, explorer]

Robust Signatures: Power and weakness of scanners

Describe an object by a set of constraints:

• constants

• range/set of values

• complex conditions

Scan the whole memory image:

• finds active and "visible" objects

• finds active and hidden objects

• finds terminated objects

Is the signature based on essential data?

kd> dt 812927c0 nt!_DISPATCHER_HEADER
   +0x000 Type     : 0x3    // "process"
   +0x001 Absolute : 0
   +0x002 Size     : 0x1b
   +0x003 Inserted : 0

Robust Signatures: Fuzzing

Dolan-Gavitt (2009): Fuzzing of EPROCESS

• 221 member fields in structure nt!_EPROCESS

• 32 were never accessed (bad candidates)

• 72 were accessed for every examined application (good candidates)

• fuzzing: manipulating a field, waiting for the process to crash

• the more crashes there are, the harder it is to tamper with the field

Image: Dolan-Gavitt et al. (2009)

Robust Signatures: References

Dolan-Gavitt, B., Srivastava, A., Traynor, P., and Giffin, J. 2009. "Robust signatures for kernel data structures". In Proceedings of the 16th ACM Conference on Computer and Communications Security (Chicago, Illinois, USA, November 09 - 13, 2009). CCS '09. ACM, New York, NY, 566-577. DOI:10.1145/1653662.1653730

The List of Lists

The List of Lists: Kernel Processor Control Region

nt!_KPCR
   +0x000 NtTib            : _NT_TIB
   +0x01c SelfPcr          : Ptr32 _KPCR
   +0x020 Prcb             : Ptr32 _KPRCB
   +0x024 Irql             : UChar
   +0x028 IRR              : Uint4B
   +0x02c IrrActive        : Uint4B
   +0x030 IDR              : Uint4B
   +0x034 KdVersionBlock   : Ptr32 Void
   +0x038 IDT              : Ptr32 _KIDTENTRY
   +0x03c GDT              : Ptr32 _KGDTENTRY
   +0x040 TSS              : Ptr32 _KTSS
   +0x044 MajorVersion     : Uint2B
   +0x046 MinorVersion     : Uint2B
   +0x048 SetMember        : Uint4B
   +0x04c StallScaleFactor : Uint4B
   +0x050 DebugActive      : UChar
   +0x051 Number           : UChar
   +0x052 Spare0           : UChar
   +0x053 SecondLevelCacheAssociativity : UChar
   +0x054 VdmAlert         : Uint4B
   +0x058 KernelReserved   : [14] Uint4B
   +0x090 SecondLevelCacheSize : Uint4B
   +0x094 HalReserved      : [16] Uint4B
   +0x0d4 InterruptMode    : Uint4B
   +0x0d8 Spare1           : UChar
   +0x0dc KernelReserved2  : [17] Uint4B
   +0x120 PrcbData         : _KPRCB

The List of Lists: Kernel Processor Control Block

nt!_KPRCB
   +0x000 MinorVersion     : Uint2B
   +0x002 MajorVersion     : Uint2B
   +0x004 CurrentThread    : Ptr32 _KTHREAD
   +0x008 NextThread       : Ptr32 _KTHREAD
   +0x00c IdleThread       : Ptr32 _KTHREAD
   +0x010 Number           : Char
   +0x011 Reserved         : Char
   +0x012 BuildType        : Uint2B
   +0x014 SetMember        : Uint4B
   +0x018 CpuType          : Char
   +0x019 CpuID            : Char
   +0x01a CpuStep          : Uint2B
   +0x01c ProcessorState   : _KPROCESSOR_STATE
   ...
   +0x8c0 CallDpc          : _KDPC
   +0x8e0 ChainedInterruptList : Ptr32 Void
   +0x8e4 LookasideIrpFloat : Int4B
   +0x8e8 SpareFields0     : [6] Uint4B
   +0x900 VendorString     : [13] UChar
   +0x90d InitialApicId    : UChar
   +0x90e LogicalProcessorsPerPhysicalProcessor : UChar
   +0x910 MHz              : Uint4B
   +0x914 FeatureBits      : Uint4B
   +0x918 UpdateSignature  : _LARGE_INTEGER
   +0x920 NpxSaveArea      : _FX_SAVE_AREA
   +0xb30 PowerState       : _PROCESSOR_POWER_STATE

The List of Lists: How to locate the KPCR?

Windows XP (and earlier versions): KPCR is at a fixed kernel virtual address (0xffdff000)

Vista (and later versions): address space layout randomization (ASLR)

Damien Aumaitre (2009): KPCR is self-referencing

kd> dt ffdff000 _KPCR
nt!_KPCR
   +0x000 NtTib   : _NT_TIB
   +0x01c SelfPcr : 0xffdff000 _KPCR
   +0x020 Prcb    : 0xffdff120 _KPRCB
   ...

The List of Lists: Combination of scanning and list-walking

Zhang et al. (2010) proposed a KPCR signature:

• [x + 0x1c] == x

• [x + 0x20] == x + 0x120

and proposed a combination of scanning for the KPCR, followed by walking of the thread/process lists.

Schatz (2010) wrote a plug-in for Volatility to scan for KPCR structures and adapted other plug-ins to use values from the KPCR.
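A scanner for the KPCR signature just given, also illustrating the "describe an object by constraints, scan the whole image" approach of the Robust Signatures slides, as an added example (Python; not from the slides and not the Volatility plug-in mentioned). Zhang et al.'s rules are stated in terms of the KPCR's virtual address x, which a scanner over a raw image does not know, so the code applies them in a form that cancels x and adds the page-offset check that paging guarantees. The 64 KiB image, the decoy, and the 0x80000000 kernel-space boundary are constructed assumptions for the example; the offsets 0x1c, 0x20 and 0x120 are those of the _KPCR layout shown above.

```python
import struct

SELF_PCR_OFF = 0x1C         # nt!_KPCR.SelfPcr (32-bit layout shown on the KPCR slide)
PRCB_OFF = 0x20             # nt!_KPCR.Prcb
PRCB_DATA_OFF = 0x120       # nt!_KPCR.PrcbData, the embedded _KPRCB that Prcb points to
KERNEL_VA_MIN = 0x80000000  # assumption for this example: default 2 GiB user/kernel split

def scan_kpcr(image, stride=4):
    """Scan a raw 32-bit memory image for KPCR candidates.

    Zhang et al.'s rules are [x+0x1c] == x and [x+0x20] == x + 0x120, x being the KPCR's
    virtual address. A scanner knows physical offsets, not x, so the rules are applied
    in a VA-independent form:
      1. Prcb == SelfPcr + 0x120           (the same relation, x cancels out)
      2. SelfPcr lies in kernel space       (assumption above)
      3. SelfPcr and the physical offset agree in their low 12 bits, because paging
         preserves the offset within a page
    Returns a list of (physical_offset, kpcr_va); each hit also pins one VA->PA page pair.
    """
    hits = []
    for off in range(0, len(image) - PRCB_OFF - 3, stride):
        self_pcr, prcb = struct.unpack_from("<II", image, off + SELF_PCR_OFF)
        if prcb != (self_pcr + PRCB_DATA_OFF) & 0xFFFFFFFF:
            continue
        if self_pcr < KERNEL_VA_MIN:
            continue
        if (self_pcr & 0xFFF) != (off & 0xFFF):
            continue
        hits.append((off, self_pcr))
    return hits

def build_sample_image():
    """Constructed 64 KiB image, not a real dump: a KPCR fragment at physical offset 0x3000
    with the Windows XP fixed address 0xffdff000 as SelfPcr, and a decoy at 0x8010 whose
    two dwords satisfy rule 1 but sit at the wrong page offset (rule 3 rejects it)."""
    image = bytearray(0x10000)
    struct.pack_into("<II", image, 0x3000 + SELF_PCR_OFF, 0xFFDFF000, 0xFFDFF000 + PRCB_DATA_OFF)
    struct.pack_into("<II", image, 0x8010 + SELF_PCR_OFF, 0xFFDFF000, 0xFFDFF000 + PRCB_DATA_OFF)
    return image
```

On a hit, the SelfPcr value is the KPCR's virtual address and the offset is its physical address, so the pair also gives the page mapping needed to start walking the thread and process lists from the Prcb.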

The List of Lists: References

Damien Aumaitre, "A little journey inside Windows memory", Journal in Computer Virology, pp. 105-117, 2009
http://archive.hack.lu/2008/2008-hack.lu-aumaitre.pdf

Ruichao Zhang, Lianhai Wang, Shuhui Zhang, "Windows Memory Analysis Based on KPCR", International Symposium on Information Assurance and Security, pp. 677-680, 2009 Fifth International Conference on Information Assurance and Security, 2009

Bradley Schatz, Blog post "Finding Object Roots in Vista (KPCR)", July 7, 2010
http://blog.schatzforensic.com.au/2010/07/finding-object-roots-in-vista-kpcr/

Questions and Answers

Thank You for Your Attention!

Andreas Schuster

a.schuster@yendor.net
http://computer.forensikblog.de/
