Automated Memory Analysis

[Category: Systems (Windows) | Publisher: 店小二03 | Date: 2016 | Author: 红领巾]
catalogue
1. Static analysis, dynamic analysis and memory-image analysis compared
2. Memory Analysis Approach
3. volatility: An advanced memory forensics framework
4. github-djteller-MemoryAnalysis
5. Awesome Malware Analysis Projects

1. Static analysis, dynamic analysis and memory-image analysis compared

0x1: Static Analysis Challenges

1. Time consuming
2. ~35% of malicious samples are packed*
3. ~90% of packed files are protected
4. Obfuscation, cryptors, encrypted resources

0x2: Dynamic Analysis Challenges

1. "What you see is what you get" (malware whose execution path changes with externally supplied parameters is the hardest case for a sandbox to cover)
2. Subverting API functions is easy. APIs lie.
3. Calling undocumented/native functions
4. Custom WinAPI function implementations
5. Reminder: evading dynamic analysis is out of scope

0x3: Memory Analysis Advantages

1. Discovers system inconsistencies that might indicate a rootkit
2. Collects hidden artifacts that cannot be retrieved using OS-provided APIs
3. Advanced malware operates solely in memory (deletes its file on disk after running)
4. Identifies system activity and overall machine state

0x4: Memory Analysis Disadvantages

1. Current solutions require manual inspection (not scalable)
2. Interpreting analysis tool output requires in-depth knowledge of OS internals
3. Anti-forensics tools exist* to:
   1) Prevent grabbing of memory dumps
   2) Plant fake artifacts in memory as decoys
4. Artifacts from a single memory dump lack context, since there is no baseline to compare them with
5. Taking memory dumps requires accurate timing, as memory is volatile

0x5: Current Automated Approach

1. Execute a sample in a sandbox
2. Terminate execution after X minutes
3. Grab a memory dump of the machine
4. Analyze the memory dump offline
5. Detect malicious/suspicious artifacts in memory
6. Revert, rinse, repeat
Relevant Link:
https://www.blackhat.com/docs/us-14/materials/arsenal/us-14-Teller-Automated-Memory-Analysis-Slides.pdf
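One way to script the six-step loop above with libvirt and Volatility 2, as an added example for this page (it is not code from the slides or from the Automated Memory Analysis project). It assumes, beyond what the page states: a libvirt/KVM guest `domain` with a clean snapshot `snapshot` in which the sample is already staged to run at boot; that `virsh dump --memory-only --format=elf` produces a core the installed `vol.py` can read with `profile`; and the plugin set in `DEFAULT_PLUGINS`. The `runner` argument exists so the loop can be exercised without a hypervisor.

```python
"""One cycle of: revert -> start sample -> wait X minutes -> dump memory
-> analyze offline -> flag artifacts. Added example; all guest/snapshot
names, the ELF core format and the plugin list are assumptions."""
import subprocess
import time

DEFAULT_PLUGINS = ("malfind", "psxview", "ldrmodules", "apihooks")


def cycle_commands(domain, snapshot, dump_path):
    """argv lists for steps 1, 3 and 6, in execution order. The X-minute
    wait (step 2) happens in run_cycle between 'start' and 'dump'."""
    return [
        ("revert", ["virsh", "snapshot-revert", domain, snapshot]),
        ("start", ["virsh", "start", domain]),
        ("dump", ["virsh", "dump", "--memory-only", "--format=elf", domain, dump_path]),
        ("destroy", ["virsh", "destroy", domain]),
    ]


def analysis_commands(dump_path, profile, plugins=DEFAULT_PLUGINS):
    """Step 4: one Volatility 2 invocation per plugin against the dump."""
    return [["vol.py", "-f", dump_path, "--profile=" + profile, p] for p in plugins]


def suspicious(plugin, output):
    """Step 5, kept deliberately simple: malfind prints nothing when it finds
    no injected/hidden executable regions, so any output is a finding. The
    other plugins always print a table, so their output is only collected."""
    return plugin == "malfind" and output.strip() != ""


def run_cycle(domain, snapshot, dump_path, profile, minutes=5, runner=subprocess.run):
    """Execute one full cycle and return {plugin: (flagged, raw_output)}."""
    steps = dict(cycle_commands(domain, snapshot, dump_path))
    runner(steps["revert"], check=True)       # step 6 of the previous round
    runner(steps["start"], check=True)        # step 1: sample runs at boot
    time.sleep(minutes * 60)                  # step 2: let it unpack/run
    runner(steps["dump"], check=True)         # step 3: guest must be running
    runner(steps["destroy"], check=False)     # guest state no longer needed
    findings = {}
    for argv in analysis_commands(dump_path, profile):
        plugin = argv[-1]
        res = runner(argv, capture_output=True, text=True, check=False)
        findings[plugin] = (suspicious(plugin, res.stdout), res.stdout)
    return findings


if __name__ == "__main__":
    import sys
    dom, snap, out, prof = sys.argv[1:5]
    for plugin, (flag, _) in run_cycle(dom, snap, out, prof).items():
        print(("SUSPICIOUS " if flag else "ok         ") + plugin)
```

Run it as `python cycle.py <domain> <snapshot> /tmp/run1.elf Win7SP1x64`; the dump file and the per-plugin output are what the next section's checks consume, and keeping the raw text lets two consecutive rounds be diffed, which is the baseline a single dump lacks.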

2. Memory Analysis Approach

1. Process Heap Entropy Checker
   1) Check for entropy changes over time
2. Anti Virus Strings
   1) Check for new unpacked strings
3. Hybrid Data Extractor
   1) Compare code in memory (dynamic) against the code on disk (static) to detect unpacked code/data
4. Modified PE Header
   1) Monitor PE header modification and reconstruct it on-the-fly

0x1: Taking a (memory) Dump

1. Live Memory Introspection (libVMI/pyVMI)
2. Offline Memory Dump (libvirt)

3. volatility: An advanced memory forensics framework

The Volatility Framework is a completely open collection of tools, implemented in Python under the GNU General Public License, for the extraction of digital artifacts from volatile memory (RAM) samples.

The extraction techniques are performed completely independently of the system being investigated but offer visibility into the runtime state of the system. The framework is intended to introduce people to the techniques and complexities associated with extracting digital artifacts from volatile memory samples and provide a platform for further work into this exciting area of research.

0x1: Plugins

amcache - Print AmCache information
apihooks - Detect API hooks in process and kernel memory
atoms - Print session and window station atom tables
atomscan - Pool scanner for atom tables
auditpol - Prints out the Audit Policies from HKLM\SECURITY\Policy\PolAdtEv
bigpools - Dump the big page pools using BigPagePoolScanner
bioskbd - Reads the keyboard buffer from Real Mode memory
cachedump - Dumps cached domain hashes from memory
callbacks - Print system-wide notification routines
clipboard - Extract the contents of the windows clipboard
cmdline - Display process command-line arguments
cmdscan - Extract command history by scanning for _COMMAND_HISTORY
connections - Print list of open connections [Windows XP and 2003 Only]
connscan - Pool scanner for tcp connections
consoles - Extract command history by scanning for _CONSOLE_INFORMATION
crashinfo - Dump crash-dump information
deskscan - Pool scanner for tagDESKTOP (desktops)
devicetree - Show device tree
dlldump - Dump DLLs from a process address space
dlllist - Print list of loaded dlls for each process
driverirp - Driver IRP hook detection
drivermodule - Associate driver objects to kernel modules
driverscan - Pool scanner for driver objects
dumpcerts - Dump RSA private and public SSL keys
dumpfiles - Extract memory mapped and cached files
dumpregistry - Dumps registry files out to disk
editbox - Displays information about Edit controls. (Listbox experimental.)
envars - Display process environment variables
eventhooks - Print details on windows event hooks
evtlogs - Extract Windows Event Logs (XP/2003 only)
filescan - Pool scanner for file objects
gahti - Dump the USER handle type information
gditimers - Print installed GDI timers and callbacks
gdt - Display Global Descriptor Table
getservicesids - Get the names of services in the Registry and return the calculated SID
getsids - Print the SIDs owning each process
handles - Print list of open handles for each process
hashdump - Dumps password hashes (LM/NTLM) from memory
hibinfo - Dump hibernation file information
hivedump - Prints out a hive
hivelist - Print list of registry hives.
hivescan - Pool scanner for registry hives
hpakextract - Extract physical memory from an HPAK file
hpakinfo - Info on an HPAK file
idt - Display Interrupt Descriptor Table
iehistory - Reconstruct Internet Explorer cache / history
imagecopy - Copies a physical address space out as a raw DD image
imageinfo - Identify information for the image
impscan - Scan for calls to imported functions
joblinks - Print process job link information
kdbgscan - Search for and dump potential KDBG values
kpcrscan - Search for and dump potential KPCR values
ldrmodules - Detect unlinked DLLs
limeinfo - Dump Lime file format information
linux_apihooks - Checks for userland apihooks
linux_arp - Print the ARP table
linux_banner - Prints the Linux banner information
linux_bash - Recover bash history from bash process memory
linux_bash_env - Recover a process' dynamic environment variables
linux_bash_hash - Recover bash hash table from bash process memory
linux_check_afinfo - Verifies the operation function pointers of network protocols
linux_check_creds - Checks if any processes are sharing credential structures
linux_check_evt_arm - Checks the Exception Vector Table to look for syscall table hooking
linux_check_fop - Check file operation structures for rootkit modifications
linux_check_idt - Checks if the IDT has been altered
linux_check_inline_kernel - Check for inline kernel hooks

Source link: http://www.codesec.net/view/481836.html