Memory forensics is the skill of recovering all the artefacts present in the memory of a running computer. It is an
interesting method for finding out the running processes, open network connections, registry handles, kernel
modules and so on. The feature list of memory forensics sounds rosy, but a strong knowledge of Windows internals is a
prerequisite for this technique.
Memory forensics is very useful to a security analyst carrying out an investigation whenever there is a computer security
incident. It is also used by malware researchers to characterise malware behaviour. To start analysing memory we first
need to obtain a dump of the computer's memory from the machine. There is a range of tools to achieve this, from free
ones to paid.
Memory Analyser
I would like to showcase how we can do memory forensics. Here I am running a malware sample that I got from kernelinfo.com
(free malware samples are available for download from kernelinfo after user registration).
Out of these tools I recommend Volatility and Memoryze (Mandiant) for analysing the collected dump.
Volatility is an open source memory forensics tool written in Python. Unlike other tools that only run on Windows
and require a .NET installation, Volatility is free to run on Windows, Linux and Mac to carry out analysis. Volatility also
gives you the power to go beyond the normal functionality by building a customised web interface. Volatility has an efficient
algorithm for analysing RAW dumps from large systems where normal tools would crash. It also helps in
analysing different file formats such as crash dumps, hibernation files, VMware saved state and suspended state files
(.vmss/.vmsn) and many more. You can download Volatility from https://code.google.com/p/volatility/downloads/list
http://resources.infosecinstitute.com/the-hunt-for-memory-malwares/?utm_source=Newsle... 11/7/2013
Even though Memoryze does not support Linux, it is one of the tools commonly used by malware researchers as it
supports all flavours of Windows. The preferred way to launch Memoryze is through the user interface built for it,
called Redline.
It is recommended to use third party tools to take memory dumps of the whole system. Windows has features to take
a memory dump of a single process; if you need a memory dump of the whole system, it is better to rely on third party
tools.
imageinfo: Before we go ahead, Volatility needs to know what type of system your memory dump came from, so that it knows
which data structures, algorithms and symbols to use.
kdbgscan: Designed to positively identify the correct profile and the correct KDBG address. If you already know the
correct profile (or if you have a profile suggestion from imageinfo), then make sure you use it.
Command:
volatility-2.1.standalone.exe -f C:\Users\ADMIN\Desktop\forensics\ADMIN-PC-20130625-061209.raw --profile=Win7SP1x64 kdbgscan
https://code.google.com/p/volatility/source/browse/branches/scudette/docs/blogg_posts/scudette/kdbg.txt?r=2805
Command:
volatility-2.1.standalone.exe -f C:\Users\ADMIN\Desktop\forensics\ADMIN-PC-20130625-061209.raw --profile=Win7SP1x64 --kdbg=0xf800027f0070 pslist
After running the pslist command I opened the Windows Task Manager to check whether the PID of cmd.exe is 184 in
both.
To see processes that are inactive, or that have been hidden or unlinked by a rootkit, run the psscan command.
Command:
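As an added example (not from the original article), the following Python script shows the pslist/psscan cross-check described above in working form: rows present in psscan but absent from pslist, and carrying no exit time, are the candidates for processes unlinked by a rootkit, while psscan-only rows with an exit time are ordinary terminated processes. The sample output is constructed to mimic the Volatility 2 column layout and is not taken from the author's image; the svhosts.exe / PID 2576 row reuses the page's scenario as a label only.

```python
import re
from typing import Dict, List, NamedTuple, Tuple

class Proc(NamedTuple):
    name: str
    pid: int
    ppid: int
    exited: bool  # True when the row carries a second (exit) timestamp

# Constructed sample output laid out like Volatility 2 pslist / psscan tables.
PSLIST_OUTPUT = """\
Offset(V)          Name           PID   PPID   Thds  Hnds  Sess  Wow64 Start                          Exit
------------------ ------------ ------ ------ ------ ----- ------ ------ ------------------------------ ------
0xfffffa8000c9e040 System            4      0     84   531 ------      0 2013-06-25 06:00:01 UTC+0000
0xfffffa8001a3b060 explorer.exe   1234    900     20   700      1      0 2013-06-25 06:01:10 UTC+0000
0xfffffa8001b7c8a0 cmd.exe         184   1234      1    20      1      0 2013-06-25 06:05:00 UTC+0000
"""

PSSCAN_OUTPUT = """\
Offset(P)          Name           PID   PPID PDB                Time created                   Time exited
------------------ ------------ ------ ------ ------------------ ------------------------------ ------------------------------
0x000000003fc9e040 System            4      0 0x0000000000187000 2013-06-25 06:00:01 UTC+0000
0x000000003ea3b060 explorer.exe   1234    900 0x000000001f2b8000 2013-06-25 06:01:10 UTC+0000
0x000000003eb7c8a0 cmd.exe         184   1234 0x000000001e1c4000 2013-06-25 06:05:00 UTC+0000
0x000000003e1f2b30 svhosts.exe    2576   1234 0x000000001d9a7000 2013-06-25 06:07:42 UTC+0000
0x000000003d0a1120 notepad.exe    3012   1234 0x000000001c551000 2013-06-25 06:02:00 UTC+0000 2013-06-25 06:03:30 UTC+0000
"""

# Every data row starts with an offset, then name, PID and PPID; headers do not.
ROW_RE = re.compile(r"^0x[0-9a-fA-F]+\s+(\S+)\s+(\d+)\s+(\d+)")

def parse_procs(text: str) -> Dict[int, Proc]:
    """Parse a pslist or psscan table into a PID-keyed map, skipping header lines."""
    procs: Dict[int, Proc] = {}
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if not m:
            continue
        exited = line.count("UTC+") >= 2   # a second timestamp is the exit time
        procs[int(m.group(2))] = Proc(m.group(1), int(m.group(2)), int(m.group(3)), exited)
    return procs

def triage(pslist_text: str, psscan_text: str) -> Tuple[List[Proc], List[Proc]]:
    """Return (hidden, terminated): psscan-only rows split by whether they have exited."""
    listed = parse_procs(pslist_text)
    scanned = parse_procs(psscan_text)
    only_scanned = [p for pid, p in scanned.items() if pid not in listed]
    hidden = sorted(p for p in only_scanned if not p.exited)   # unlinked from the active list
    terminated = sorted(p for p in only_scanned if p.exited)   # normal dead processes
    return hidden, terminated
```

Feed the real pslist and psscan text output into triage() and review the hidden list first; a live process that only psscan can see is the classic DKOM rootkit indicator.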
To see all the DLLs that an executable loads, use the dlllist command.
Command:
Command:
In the result pane you can see whether the extraction of each DLL dump into the dll folder succeeded. There is also a
chance that an extraction fails because the relevant pages were paged out. Now you can compute the MD5 value of each DLL and
classify whether it is malicious or not. Another way is to upload it to virustotal.com to check for known malicious behaviour.
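As an added example (not part of the original article), here is a Python script for the triage step described above: it first checks that each dumped DLL is a complete PE image (an MZ header whose e_lfanew points at a PE signature), so dumps that failed because of paging are reported instead of being hashed, then computes the MD5 of the rest and compares it against a blocklist. The dump files and the "known bad" hash are constructed inside the script; the module.2576.* filenames only borrow the page's PID as a label.

```python
import hashlib
import os
import struct
import tempfile
from typing import Dict, Set

def is_valid_pe(data: bytes) -> bool:
    """True only if the dump has an MZ header and the PE signature it points to."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]   # offset of "PE\0\0"
    return len(data) >= e_lfanew + 4 and data[e_lfanew:e_lfanew + 4] == b"PE\0\0"

def triage_dumps(folder: str, known_bad: Set[str]) -> Dict[str, str]:
    """Hash every dump in the folder; flag ones that failed (paged out) before hashing."""
    verdicts: Dict[str, str] = {}
    for name in sorted(os.listdir(folder)):
        with open(os.path.join(folder, name), "rb") as fh:
            data = fh.read()
        if not is_valid_pe(data):
            verdicts[name] = "incomplete dump (paged out or not a PE)"
            continue
        digest = hashlib.md5(data).hexdigest()
        label = "known bad" if digest in known_bad else "unknown"
        verdicts[name] = f"{label} md5={digest}"
    return verdicts

def make_pe(payload: bytes) -> bytes:
    """Constructed test data: a minimal MZ/PE-shaped blob, not a real DLL."""
    header = bytearray(b"MZ" + b"\0" * 0x3E)      # 0x40-byte DOS header
    struct.pack_into("<I", header, 0x3C, 0x40)    # e_lfanew -> signature at 0x40
    return bytes(header) + b"PE\0\0" + payload

BAD_SAMPLE = make_pe(b"constructed sample standing in for a malicious module")
OK_SAMPLE = make_pe(b"constructed sample standing in for a benign module")
KNOWN_BAD: Set[str] = {hashlib.md5(BAD_SAMPLE).hexdigest()}   # stand-in blocklist, not a real IoC

def build_sample_folder() -> str:
    """Write three fake dlldump outputs: known bad, benign, and truncated by paging."""
    folder = tempfile.mkdtemp(prefix="dlldump_")
    for name, blob in (("module.2576.bad.dll", BAD_SAMPLE),
                       ("module.2576.ok.dll", OK_SAMPLE),
                       ("module.2576.paged.dll", b"MZ" + b"\0" * 8)):
        with open(os.path.join(folder, name), "wb") as fh:
            fh.write(blob)
    return folder

if __name__ == "__main__":
    for name, verdict in triage_dumps(build_sample_folder(), KNOWN_BAD).items():
        print(f"{name:28} {verdict}")
```

Point triage_dumps() at the real dll folder and load known_bad from your own hash intelligence; a hash that matches nothing still needs manual review or a VirusTotal lookup.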
Viewing handles
Command:
volatility-2.1.standalone.exe -f C:\Users\ADMIN\Desktop\forensics\ADMIN-PC-20130625-061209.raw --profile=Win7SP1x64 handles -p 2576
Albert Fruz
It shows that no attached process exists.
If you want to see the environment variables:
Command:
We can dump all the executables from the image to a folder with the procmemdump command.
Command:
Now we can see the svhosts.exe process dumped as executable.2576 in the target folder.
Commands like connections, connscan, sockets and sockscan are also useful for viewing network connections, but they only
apply to Windows XP and Windows Server 2003.
Command:
Command:
Command:
malfind is used to find hidden DLLs. Below, I have run pslist to see all the processes. For each process I am
checking for the presence of hidden DLLs by issuing the malfind command.
Command:
You can see the Windows services in RAM by issuing svcscan. In my scenario I don't have anything suspicious running
here.
Cracking passwords
Now let's see how we can crack passwords using the memory forensics tool Volatility. I don't think Volatility can be
used to crack passwords of the Windows 7 operating system, but for Windows XP we can.
hivelist: Used to find the virtual addresses of the registry hives in memory. To crack passwords we need the
virtual addresses of the SAM and SYSTEM hives.
Once we have located the virtual address of the registry hives, we need to dump the hashes to a text file for further
analysis.
Here -y 0xe1035b60 and -s 0xe147bb60 are the virtual addresses of the SYSTEM and SAM hives.
Once the dump is created, we can use other third party tools like Cain and Abel or rainbow tables to brute-force the dump
file. It may take days to months depending on the complexity and length of the password.
Albert has five years of experience in the information security field, encompassing SIEM, malware
analysis, investigating security incidents, ISO 27001 audits and hardening of various devices. He has
also carried out rule-based auditing for firewall forensics as well as PCI DSS audits.
One Comment
awesome post :)
Beginners can learn how and where to start.