Memory Forensics with Vshot and Remnux (rogue process identification, 2)

We pick up where the first post left off: the memory dump has been parsed with Volatility through the Vshot script included in Remnux, and we now move into the analysis phase.

The current script version, 4.01, runs 44 plugins against the memory dump. Let’s have a quick look at the plugin list before we move into the analysis phase and examine the output of some of these plugins.

You can have a quick look at the plugin list in this link:

https://github.com/volatilityfoundation/volatility/wiki/Command-Reference

Analysis:

1. Rogue process identification

There are multiple plugins we can use for this; let’s start with the two most common ones, pslist and psscan. After looking at those two we will move on to more advanced plugins such as psxview and malsysproc.

The pslist plugin is like running a task list on the system, so a process that is hiding in the system will not show up in it. Comparing its output with the psscan plugin, however, lets us detect rogue processes hiding in the system. When analysing the output of these two plugins it is very important to look for process names that are misspelled, and for processes that appear in the psscan output but not in the pslist output, as either would flag a rogue process.

Let’s have a quick look at the output of pslist first:

pslist

Of all the processes running on that system, the first thing that catches my attention is that there are 3 lsass.exe processes running. The lsass process is the Local Security Authority Subsystem Service and there can only be one running on a Windows system. Why do we have 3? Because the malware created them to impersonate a system process. Now it is time to introduce the foundation of memory analysis: know your critical system processes! You need to understand and baseline which processes should be running on your machine, and know the basic Windows processes and their attributes, to be able to spot the rogue ones.

What else can we infer from the image above? There are 3 lsass.exe processes running in the system (the columns are Offset(V), Name, PID, PPID, Thds, Hnds, Sess, Wow64 and Start):

  • 0x81e70020 lsass.exe               680    624     19      342      0      0 2010-10-29 17:08:54
  • 0x81c498c8 lsass.exe               868    668      2       23      0      0 2011-06-03 04:26:55
  • 0x81c47c00 lsass.exe              1928    668      4       65      0      0 2011-06-03 04:26:55

Which one is the legitimate windows process?

  • 0x81e70020 lsass.exe               680    624     19      342      0      0 2010-10-29 17:08:54

Why?

The other 2 were spawned at 2011-06-03 04:26:55, whereas the real system process is always started within seconds of boot time. Let’s compare the lsass start time with that of smss.exe, the Session Manager process, which is always started by the System process at boot time.

This system was booted at

  • 0x820df020 smss.exe                376      4      3       19 ------      0 2010-10-29 17:08:53

and 1 second later lsass.exe was started:

  • 0x81e70020 lsass.exe               680    624     19      342      0      0 2010-10-29 17:08:54

So we can conclude that the process with PID 680 is legitimate and the processes with PID 868 and PID 1928 are our rogue processes.

What other plugins can you use alongside pslist? pstree also helps to identify rogue processes: it displays the same information as pslist but shows the parent-child relationships among the processes.

pstree

We can clearly see that processes 868 and 1928 are rogue: they were started by services.exe (PID 668), which is abnormal. Lsass is always started by its parent process winlogon.exe, PID 624 in this case, and we can see PID 680 under PID 624, which is the legitimate lsass process.

Let’s look at the psscan plugin and how it helps to find processes that have been unlinked from the process list by malware with rootkit capabilities.

psscan_vs_pslist

If we compare the pslist and psscan output we can clearly see one process that stands out, 1_docRCDATA_61: it is running in memory but does not appear in the pslist output because it has been unlinked.
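As an added example (not code from the post, from Vshot or from Volatility itself), the Python script below performs the pslist-versus-psscan comparison described above together with the misspelled-name check mentioned earlier. It takes the two plugins' text output, reports processes that psscan carved from memory but pslist does not list, skips psscan rows that carry an exit time so that exited processes are not mistaken for hidden ones, and flags process names that sit within a small edit distance of a well-known system process name. The sample output is constructed: the smss.exe and lsass.exe rows are the post's, while the scvhost.exe row, the PID of 1_docRCDATA_61, the notepad.exe row and all physical offsets and PDB values are assumed.

```python
import difflib

# Constructed sample of Volatility 2 "pslist" output. The smss.exe row and the
# three lsass.exe rows are the ones quoted in the post; the scvhost.exe row is
# an assumed look-alike process added to exercise the misspelling check.
PSLIST_SAMPLE = """\
Offset(V)  Name                    PID   PPID   Thds     Hnds   Sess  Wow64 Start
---------- -------------------- ------ ------ ------ -------- ------ ------ -------------------
0x820df020 smss.exe                376      4      3       19 ------      0 2010-10-29 17:08:53
0x81e70020 lsass.exe               680    624     19      342      0      0 2010-10-29 17:08:54
0x81c498c8 lsass.exe               868    668      2       23      0      0 2011-06-03 04:26:55
0x81c47c00 lsass.exe              1928    668      4       65      0      0 2011-06-03 04:26:55
0x81d10020 scvhost.exe            1044    668      5       80      0      0 2011-06-03 04:26:57
"""

# Constructed sample of Volatility 2 "psscan" output (Offset(P) Name PID PPID PDB
# Time created [Time exited]). Physical offsets, PDB values and the PIDs of the
# hidden and exited processes are assumed.
PSSCAN_SAMPLE = """\
Offset(P)          Name                PID   PPID PDB        Time created                   Time exited
------------------ ---------------- ------ ------ ---------- ------------------------------ ------------------------------
0x0000000002013020 smss.exe            376      4 0x0a3c0020 2010-10-29 17:08:53 UTC+0000
0x0000000001e70020 lsass.exe           680    624 0x0a3c0080 2010-10-29 17:08:54 UTC+0000
0x0000000001c498c8 lsass.exe           868    668 0x0a3c0100 2011-06-03 04:26:55 UTC+0000
0x0000000001c47c00 lsass.exe          1928    668 0x0a3c0120 2011-06-03 04:26:55 UTC+0000
0x0000000001d10020 scvhost.exe        1044    668 0x0a3c0140 2011-06-03 04:26:57 UTC+0000
0x0000000001c52da0 1_docRCDATA_61     1372    668 0x0a3c0160 2011-06-03 04:26:56 UTC+0000
0x0000000001f11000 notepad.exe        1500   1620 0x0a3c0180 2011-06-03 04:20:00 UTC+0000 2011-06-03 04:22:10 UTC+0000
"""


def _rows(text):
    """Yield the whitespace-split fields of every data row (rows start with an offset)."""
    for line in text.splitlines():
        fields = line.split()
        if len(fields) >= 3 and fields[0].startswith("0x") and fields[2].isdigit():
            yield fields


def parse_pslist(text):
    """Set of (pid, name) from pslist output."""
    return {(int(f[2]), f[1]) for f in _rows(text)}


def parse_psscan(text, include_exited=False):
    """Set of (pid, name) from psscan output. A populated 'Time exited' column
    adds three more fields to the row; such processes are skipped unless
    include_exited is set, because exited-but-still-in-memory processes are
    noise when hunting for unlinked ones."""
    procs = set()
    for f in _rows(text):
        if len(f) > 8 and not include_exited:
            continue
        procs.add((int(f[2]), f[1]))
    return procs


def hidden_processes(pslist_text, psscan_text):
    """Processes psscan carved from memory that pslist does not list:
    candidates for a process unlinked from the active process list."""
    return sorted(parse_psscan(psscan_text) - parse_pslist(pslist_text))


# Assumed set of well-known Windows process image names used for the look-alike check.
KNOWN_SYSTEM_PROCESSES = sorted({
    "system", "smss.exe", "csrss.exe", "winlogon.exe", "services.exe",
    "lsass.exe", "svchost.exe", "explorer.exe", "spoolsv.exe",
})


def lookalike_names(text, cutoff=0.8):
    """(pid, name, closest known name) for names that are not a known system
    process but are within a small edit distance of one (e.g. scvhost.exe)."""
    suspects = []
    for pid, name in sorted(parse_pslist(text)):
        if name.lower() in KNOWN_SYSTEM_PROCESSES:
            continue
        close = difflib.get_close_matches(name.lower(), KNOWN_SYSTEM_PROCESSES, n=1, cutoff=cutoff)
        if close:
            suspects.append((pid, name, close[0]))
    return suspects


if __name__ == "__main__":
    for pid, name in hidden_processes(PSLIST_SAMPLE, PSSCAN_SAMPLE):
        print("hidden:     PID %d %s" % (pid, name))
    for pid, name, known in lookalike_names(PSLIST_SAMPLE):
        print("look-alike: PID %d %s resembles %s" % (pid, name, known))
```

On the constructed sample the script reports 1_docRCDATA_61 as hidden (present in psscan, absent from pslist) and scvhost.exe as a look-alike of svchost.exe, while notepad.exe is ignored because its row carries an exit time. Run it against real output by pasting the two plugins' text into the two sample strings or reading them from the files Vshot writes.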

It is possible that after running the initial plugins discussed you still do not see any anomalies; you may be having a bad day… I am just kidding. If this is the situation, and the threat you are dealing with has advanced stealth or rootkit capabilities, you still have other powerful plugins such as psxview that will help to pinpoint your rogue processes.

Psxview (the process cross-view plugin) is a powerful plugin that helps the analyst visually compare processes in memory across 7 different process lists in the operating system. As we saw before, process lists can be manipulated by malware; however, it is unlikely that one piece of malware manipulates all of them at the same time, since there are more effective ways to hide a process, such as code injection.

Let’s have a quick look at the output of this plugin:

psxview

We can see here that the only hidden process is 1_doc_RCData_61. It is listed as False in the pslist column but is present in the other lists, so it is hiding from the system task list. The other processes are not relevant, since they are exited processes that were still found in memory.

The next plugin is malsysproc. Unfortunately this plugin is not yet in Vshot, but it is worth mentioning; maybe a future update of the script will include it, or you can add it yourself. This plugin analyses memory looking for malware hiding in plain sight, and to do so it performs a sanity check of all processes:

  • Correct Image/executable name
  • Correct file location (path)
  • Correct parent process
  • Correct command line and parameters used
  • Start time information
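The reasoning applied to lsass earlier in the post (one instance only, parent winlogon.exe, started within seconds of smss.exe) is exactly the kind of sanity check the list above automates. As an added example, not code from the post, from Vshot or from the malsysproc plugin, the Python below audits pslist rows against a small assumed baseline of expected parent, expected instance count and start time relative to smss.exe. The smss.exe and lsass.exe rows are the post's; the winlogon.exe and services.exe rows are constructed so that the parent PIDs 624 and 668 shown in the post resolve to a name, and the baseline values and the 60-second boot window are assumptions.

```python
from datetime import datetime

# Constructed Volatility 2 "pslist" rows (Offset(V) Name PID PPID Thds Hnds Sess
# Wow64 Start). The smss.exe row and the three lsass.exe rows are quoted from the
# post; the winlogon.exe and services.exe rows are assumed so that parent PIDs
# 624 and 668 resolve to a process name.
PSLIST_SAMPLE = """\
0x820df020 smss.exe                376      4      3       19 ------      0 2010-10-29 17:08:53
0x81f2a020 winlogon.exe            624    376     18      510      0      0 2010-10-29 17:08:53
0x81f29560 services.exe            668    624     16      260      0      0 2010-10-29 17:08:53
0x81e70020 lsass.exe               680    624     19      342      0      0 2010-10-29 17:08:54
0x81c498c8 lsass.exe               868    668      2       23      0      0 2011-06-03 04:26:55
0x81c47c00 lsass.exe              1928    668      4       65      0      0 2011-06-03 04:26:55
"""

# Assumed baseline for core Windows XP-era processes, in the spirit of the
# malsysproc checks: expected parent image, whether only one instance may
# exist, and whether it must start at boot.
BASELINE = {
    "smss.exe":     {"parent": None,           "singleton": True, "boot_time": True},
    "winlogon.exe": {"parent": "smss.exe",     "singleton": True, "boot_time": True},
    "services.exe": {"parent": "winlogon.exe", "singleton": True, "boot_time": True},
    "lsass.exe":    {"parent": "winlogon.exe", "singleton": True, "boot_time": True},
}
BOOT_WINDOW_SECONDS = 60   # assumed: how long after smss.exe a boot-time process may start


def parse_pslist(text):
    """Map PID -> {name, ppid, start} from pslist rows (rows start with an offset)."""
    procs = {}
    for line in text.splitlines():
        f = line.split()
        if len(f) < 10 or not f[0].startswith("0x"):
            continue
        procs[int(f[2])] = {
            "name": f[1].lower(),
            "ppid": int(f[3]),
            "start": datetime.strptime(f[8] + " " + f[9], "%Y-%m-%d %H:%M:%S"),
        }
    return procs


def audit(procs):
    """Return (pid, category, message) findings. 'rogue' marks a parent or
    start-time violation; 'review' marks a duplicate of a singleton process,
    which on its own only says that one of the copies is fake."""
    findings = []
    # smss.exe is the boot reference, as in the post's comparison.
    boot = min(p["start"] for p in procs.values() if p["name"] == "smss.exe")
    counts = {}
    for p in procs.values():
        counts[p["name"]] = counts.get(p["name"], 0) + 1
    for pid, p in sorted(procs.items()):
        rule = BASELINE.get(p["name"])
        if rule is None:
            continue
        parent = procs.get(p["ppid"])
        parent_name = parent["name"] if parent else "<not in pslist>"
        if rule["parent"] and parent_name != rule["parent"]:
            findings.append((pid, "rogue", "parent is %s (PID %d), expected %s"
                             % (parent_name, p["ppid"], rule["parent"])))
        late_by = (p["start"] - boot).total_seconds()
        if rule["boot_time"] and late_by > BOOT_WINDOW_SECONDS:
            findings.append((pid, "rogue", "started %.0f s after smss.exe" % late_by))
        if rule["singleton"] and counts[p["name"]] > 1:
            findings.append((pid, "review", "%d instances of %s, expected 1"
                             % (counts[p["name"]], p["name"])))
    return findings


def rogue_pids(procs):
    """PIDs with at least one 'rogue' finding."""
    return sorted({pid for pid, cat, _ in audit(procs) if cat == "rogue"})


if __name__ == "__main__":
    for pid, cat, msg in audit(parse_pslist(PSLIST_SAMPLE)):
        print("%-6s PID %-5d %s" % (cat, pid, msg))
```

On the sample this reproduces the post's conclusion: PIDs 868 and 1928 are flagged as rogue for both the wrong parent (services.exe) and the start time months after smss.exe, while PID 680 only receives the informational "3 instances" note. One caveat when using this on real dumps: a PPID is resolved by looking the PID up in the same pslist snapshot, so if the real parent has exited and its PID was reused, the parent name shown can be misleading; cross-check such cases with pstree.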

http://www.invoke-ir.com/2013_10_01_archive.html

Let’s have a quick look at the output:

malsysproc

I am sure it is completely normal for an svchost.exe process to be running from \systems32\dllhost 😉

Right now you should have a fair idea of where to start with memory forensics and Vshot. Vshot is an excellent script, wisely included in another great Linux distro, Remnux. Vshot saves time when performing memory forensics and removes the complexity of typing command after command during analysis, especially for those of you who are new to the field.

If you are looking to get serious about memory forensics I recommend the following book:


This book was written by the developers of Volatility and it is certainly the best book I have come across on this subject. If you are looking to take training in this field, which I highly recommend because today’s threats are becoming more sophisticated, you have different options, but I believe the best one is this:

https://www.memoryanalysis.net/memory-forensics-training

No amount of blog articles or books will get you as close to understanding the subject as getting involved in the atmosphere of a practical course from the hands of the framework’s developers.

This course is taught by Andrew Case, who is one of the developers of the framework, an active researcher and a public speaker in the security community.

In the next post we will move forward in the process: we will start analysing the properties of the rogue processes found, and extract indicators of compromise from memory.

Additional references:

https://github.com/volatilityfoundation/volatility

https://github.com/volatilityfoundation/volatility/wiki/Memory-Samples
