Tuesday, July 6, 2010

Plugin Post: Robust Process Scanner

It's pretty well known, in memory forensics circles, that there are two common ways of finding processes in memory images: list-walking, which traverses the kernel's linked list of process data structures (on Windows, the EPROCESS structures chained together through ActiveProcessLinks), and scanning, which does a sweep over memory looking for byte patterns that match the data found in a process data structure.

Having two different ways of finding processes can be very handy, especially when we suspect that someone may be trying to hide processes. One common way of hiding processes in Windows is called DKOM (Direct Kernel Object Manipulation); this technique works by just unlinking the process you want to hide from the kernel's list, splicing its neighbours' forward and backward pointers around it so that a walk of the list never reaches it.

This makes it invisible to programs such as the task manager, as well as to memory forensic tools that use list-walking (including Volatility's pslist). However, such hidden processes can still be found by scanning memory using a signature for the process data structure; this is what psscan2 does.

Unfortunately, it's been known since at least 2007 (as mentioned in AAron Walters and Nick Petroni's Black Hat DC talk, and more recently in a presentation by Jesse Kornblum) that even signature scans can be evaded by crafty attackers. Signatures typically rely on "magic" values found in the process data structure. For example, in Windows XP, process data structures always begin with "\x03\x00\x1b\x00" (the DISPATCHER_HEADER at the start of the EPROCESS: Type 3, Size 0x1b), which makes it pretty easy to find them in memory images.

But is that magic value really essential to the correct functioning of a process in Windows? What if an attacker just overwrites those four bytes with zeroes? As it turns out, Windows will be perfectly happy to keep running the process! At the same time, it will be completely hidden from existing forensic tools. What's more, as I demonstrated in my paper for CCS 2009 (Robust Signatures for Kernel Data Structures), around 51 fields in the process data structure can be manipulated by attackers in this way – including nearly all of the fields currently used to find processes.

So what's a forensic analyst to do? Luckily, there are some parts of the process data structure that are hard for an attacker to mess with without causing one of these:

So if we can build a signature based on these fields, we can find processes that existing signature scanners might miss.

And that's just what I've done. Here, for your consideration and consumption, is the creatively-named psscan3 (just drop it into the memory_plugins directory of Volatility 1.3.2). It uses only fields that have been identified as "robust" to locate processes in Windows memory. It's a bit slower than the existing scanners right now, because it's checking for more things.
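
To make the difference between list-walking, magic-value scanning and robust scanning concrete, here is an added example in Python (my own toy code, not psscan3 and not Volatility code). It builds a constructed 64 KB "memory image" containing a normal process, a DKOM-hidden process whose DISPATCHER_HEADER has also been zeroed, an exited process, and a stray copy of the XP magic bytes. All field offsets (OFF_DTB, OFF_LINKS, OFF_OBJTABLE, OFF_NAME, OFF_THREADS, THREAD_ENTRY) are assumptions for this example, a simplified subset loosely modelled on XP SP2 x86 without PAE, and the image is mapped flat at an assumed kernel address KVA_BASE. The robust constraints used here (a non-zero, page-aligned DirectoryTableBase, a self-consistent ThreadListHead, and a kernel-space ObjectTable) are my illustration of the idea, not the exact constraint set of the real plugin. The pslist-style walk never reaches the unlinked process, the magic-value scan loses it once its header is wiped (and bites on the stray magic bytes), while the robust scan still finds it; dropping the ObjectTable constraint additionally surfaces the exited process, whose handle table the kernel cleared.

```python
"""Toy list-walk vs. magic-value scan vs. robust-constraint scan over a fake memory image.
Added example, not psscan3 or Volatility code.  All field offsets are ASSUMED (a constructed
subset loosely modelled on XP SP2 x86, non-PAE); the image is a flat bytearray at KVA_BASE."""
import struct

OFF_DTB      = 0x018   # Pcb.DirectoryTableBase    (assumed offset)
OFF_LINKS    = 0x088   # ActiveProcessLinks        (assumed offset)
OFF_OBJTABLE = 0x0C4   # ObjectTable               (assumed offset)
OFF_NAME     = 0x174   # ImageFileName[16]         (assumed offset)
OFF_THREADS  = 0x190   # ThreadListHead LIST_ENTRY (assumed offset)
EPROCESS_SIZE = 0x258
THREAD_ENTRY = 0x22C   # ETHREAD.ThreadListEntry   (assumed offset)
KVA_BASE = 0x80000000  # physical offset 0 of the fake image is this kernel VA (assumed)
HEAD_PHYS = 0x800      # where the fake PsActiveProcessHead lives in the image (assumed)
XP_MAGIC = b"\x03\x00\x1b\x00"   # DISPATCHER_HEADER bytes a magic-value signature keys on

def u32(buf, off): return struct.unpack_from("<I", buf, off)[0]
def w32(buf, off, val): struct.pack_into("<I", buf, off, val)

def link(img, a_phys, b_phys):
    w32(img, a_phys, KVA_BASE + b_phys)        # a.Flink -> b
    w32(img, b_phys + 4, KVA_BASE + a_phys)    # b.Blink -> a

def write_process(img, phys, name, dtb, thread_phys, objtable_phys, header=XP_MAGIC):
    img[phys:phys + 4] = header
    w32(img, phys + OFF_DTB, dtb)
    w32(img, phys + OFF_OBJTABLE, KVA_BASE + objtable_phys if objtable_phys else 0)
    img[phys + OFF_NAME:phys + OFF_NAME + 16] = name.ljust(16, b"\0")
    head, entry = phys + OFF_THREADS, thread_phys + THREAD_ENTRY   # one thread per process
    link(img, head, entry)
    link(img, entry, head)

def build_image():
    """Constructed sample: a normal, a DKOM-hidden and an exited process, plus stray magic."""
    img = bytearray(0x10000)
    write_process(img, 0x1000, b"smss.exe", 0x00319000, 0x2000, 0x1400)
    # hidden.exe: unlinked from ActiveProcessLinks AND its DISPATCHER_HEADER overwritten with zeroes
    write_process(img, 0x3000, b"hidden.exe", 0x0A4C1000, 0x4000, 0x3400, header=b"\0\0\0\0")
    # exited.exe: still in memory, but the kernel cleared ObjectTable when it exited
    write_process(img, 0x5000, b"exited.exe", 0x0B2F3000, 0x6000, 0)
    img[0x7000:0x7004] = XP_MAGIC                      # magic bytes with no process behind them
    link(img, HEAD_PHYS, 0x1000 + OFF_LINKS)           # head -> smss
    link(img, 0x1000 + OFF_LINKS, 0x5000 + OFF_LINKS)  # smss -> exited
    link(img, 0x5000 + OFF_LINKS, HEAD_PHYS)           # exited -> head
    link(img, 0x3000 + OFF_LINKS, 0x3000 + OFF_LINKS)  # hidden.exe points only at itself
    return img

def walk_active_process_list(img):
    """pslist-style: follow ActiveProcessLinks from the head; an unlinked process is never seen."""
    head_va, found, cur = KVA_BASE + HEAD_PHYS, [], u32(img, HEAD_PHYS)
    while cur != head_va and len(found) < 4096:
        found.append(cur - KVA_BASE - OFF_LINKS)
        cur = u32(img, found[-1] + OFF_LINKS)
    return found

def in_image(img, va, need=4):
    off = va - KVA_BASE
    return off >= 0 and off + need <= len(img)

def check_magic(img, off):
    return img[off:off + 4] == XP_MAGIC

def check_dtb(img, off):
    # Page directory base must be non-zero and page aligned; altering it breaks translation.
    dtb = u32(img, off + OFF_DTB)
    return dtb != 0 and (dtb & 0xFFF) == 0

def check_thread_list(img, off):
    # The scheduler walks ThreadListHead, so it must be a consistent doubly linked list.
    head_va = KVA_BASE + off + OFF_THREADS
    flink, blink = u32(img, off + OFF_THREADS), u32(img, off + OFF_THREADS + 4)
    if not (in_image(img, flink, 8) and in_image(img, blink, 8)):
        return False
    return u32(img, flink - KVA_BASE + 4) == head_va and u32(img, blink - KVA_BASE) == head_va

def check_object_table(img, off):
    # A live process needs a handle table; it is cleared on exit, so drop this to find exited ones.
    return in_image(img, u32(img, off + OFF_OBJTABLE))

def scan(img, constraints, align=8):
    """Sweep the image at pool alignment, keeping offsets that satisfy every constraint."""
    return [off for off in range(0, len(img) - EPROCESS_SIZE + 1, align)
            if all(c(img, off) for c in constraints)]

def image_name(img, off):
    return bytes(img[off + OFF_NAME:off + OFF_NAME + 16]).split(b"\0", 1)[0].decode()

MAGIC_SIG = [check_magic]                                        # what a magic-value scan relies on
ROBUST_SIG = [check_dtb, check_thread_list, check_object_table]  # fields a live process cannot do without
ROBUST_SIG_WITH_EXITED = [check_dtb, check_thread_list]          # same, minus the handle-table check

if __name__ == "__main__":
    img = build_image()
    print("pslist-style walk:", [image_name(img, o) for o in walk_active_process_list(img)])
    print("magic-value scan: ", [(hex(o), image_name(img, o)) for o in scan(img, MAGIC_SIG)])
    print("robust scan:      ", [image_name(img, o) for o in scan(img, ROBUST_SIG)])
    print("robust + exited:  ", [image_name(img, o) for o in scan(img, ROBUST_SIG_WITH_EXITED)])
```

Running it prints smss.exe and exited.exe for the list walk, three magic hits (including the empty one at 0x7000), smss.exe and hidden.exe for the robust scan, and all three real processes once the ObjectTable constraint is dropped. The point to take from the constraints is that each one is something the kernel itself depends on: a bad DirectoryTableBase breaks address translation, and a corrupted ThreadListHead breaks the scheduler's walk, so an attacker cannot cheaply zero them the way they can the header bytes.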

If you want to try it out, you might also want to download this sample memory image, which has a hidden process at offset 0x01a4bc20. In Volatility, pslist, psscan, and psscan2 all miss the process, but psscan3 detects it, as shown in this exciting screenshot (the windows show, from left to right, psscan, psscan2, and psscan3):

If you'd like a copy of the rootkit that hid this process (which is based on the FU Rootkit), send me an e-mail (but be warned that I probably won't be able to dig up the source until this fall).

So that's it! If you want to find out more about what went into this plugin, you're encouraged to check out my paper, or browse the slides from the talk at CCS 2009.

8 comments:

Network Forensics said...

I can run psscan2 successfully against your image but I get the following error when I run psscan3:

$ python volatility psscan3 -f /g/ds_fuzz_hidden_proc.img
YARA is not installed, see http://code.google.com/p/yara-project/
c:\Python26\lib\site-packages\Crypto\Hash\MD5.py:6: DeprecationWarning: the md5 module is deprecated; use hashlib instead
  from md5 import *
PID    PPID   Time created             Time exited              Offset     PDB        Remarks
------ ------ ------------------------ ------------------------ ---------- ---------- ----------------
Scanner () on Offset 0 Error: pop from empty list
Traceback (most recent call last):
  File "volatility", line 219, in
    main()
  File "volatility", line 215, in main
    command.execute()
  File "c:\Volatility\Volatility\memory_plugins/psscan3.py", line 169, in execute
    scan_addr_space(search_space,scanners)
  File "c:\Volatility\Volatility\forensics\win32\scan2.py", line 218, in scan_addr_space
    o.process(chunk,as_offset+poffset, metadata=metadata)
  File "c:\Volatility\Volatility\forensics\win32\scan2.py", line 148, in process
    self.process_buffer(buf,self.offset,metadata)
  File "c:\Volatility\Volatility\memory_plugins/psscan3.py", line 53, in process_buffer
    match_count = self.check_addr(buf, i)
  File "c:\Volatility\Volatility\memory_plugins/psscan3.py", line 39, in check_addr
    val = func(buff,found)
  File "c:\Volatility\Volatility\memory_plugins/psscan3.py", line 99, in check_vadroot
    val = read_obj_from_buf(buf, types, field, found)
  File "c:\Volatility\Volatility\forensics\object.py", line 250, in read_obj_from_buf
    (offset, current_type) = get_obj_offset(data_types,member_list)
  File "c:\Volatility\Volatility\forensics\object.py", line 204, in get_obj_offset
    current_type = member_list.pop()
IndexError: pop from empty list

any ideas??

Brendan Dolan-Gavitt said...

Hi,

What version of Volatility are you using? I've tested the plugin with the most recent stable version of Volatility (1.3.2), which you can get by doing:

svn checkout http://volatility.googlecode.com/svn/tags/Volatility-1.3.2

Network Forensics said...

I am using Volatility 1.2.3 and I updated to version 309 using svn. I have tried it on my Windows machines as well as my Ubuntu machine. I just don't know if I did not update it correctly or what.

Network Forensics said...

That should say 1.3.2 for cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 version of volatility.

Jamie Butler said...

Great blog post. Memoryze has always used some extra, secondary sanity checks other than DISPATCHER_HEADER, but we obviously rely on that one too much.

I am curious if by adding these new checks for process discovery you no longer identify some processes that have exited, which may violate some of the assumptions or rules because the OS has freed or zeroed out those parts of the EPROCESS?

Brendan Dolan-Gavitt said...

Network Forensics,

Can you try using this with a clean copy of Volatility 1.3.2 (i.e., check out the source to a new directory, and then drop psscan3 in memory_plugins), and let me know if the problem persists?

Thanks,
Brendan

Brendan Dolan-Gavitt said...

Jamie,

Great point! This is one of the things we mention in the paper. The signature used in the scanner I posted was trained on live processes. When a process exits, one of the things that gets zeroed out is the ObjectTable member, which is used in this signature. You can actually just comment out the check:

self.add_constraint(self.check_object_table)

This doesn't introduce any false positives, but it does allow exited processes to be found. And the whole thing remains as robust as before :)

Unknown said...

I just did an svn checkout on 1.3.2 and dropped in psscan3 and I get the following errors

spaz:memory_plugins larry$ ls
example1.py example2.py example3.py example4.py
example1.pyc example2.pyc example3.pyc example4.pyc
spaz:memory_plugins larry$ cp ../../Volatility-1.3_Beta/memory_plugins/psscan3.py .
spaz:memory_plugins larry$ cd ..
spaz:Volatility-1.3.2 larry$ python volatility psscan3
Traceback (most recent call last):
  File "volatility", line 219, in
    main()
  File "volatility", line 215, in main
    command.execute()
  File "/Volumes/Shared/vola/Volatility-1.3.2/memory_plugins/psscan3.py", line 164, in execute
    space = FileAddressSpace(self.opts.filename)
  File "/Volumes/Shared/vola/Volatility-1.3.2/forensics/addrspace.py", line 44, in __init__
    self.fhandle = open(fname, mode)
TypeError: coercing to Unicode: need string or buffer, NoneType found