Process Privileges
In his Open Memory Forensic Workshop 2012 presentation "The Analysis of Process Token Privileges", Cem Gurkok (@CGurkok) discussed a plugin for Volatility that shows which privileges are enabled in each process. This can be useful for a number of reasons, including detecting code-injecting malware (SeDebugPrivilege) and kernel rootkits (SeLoadDriverPrivilege) in addition to scanning for Token related DKOM (see Cesar Cerrudo's Easy Local Windows Kernel Exploitation).
As shown below, the privs plugin tells you which privileges are present in the process's token, which have been enabled, and which were enabled by default. If any privileges are enabled by not enabled by default, you know they were explicitly set (usually through the AdjustPrivilegeToken API). If any privileges are enabled but not present, that's a strong indicator of DKOM.
$ python vol.py -f mem.dmp privs -p 1096
[snip]
1096 explorer.exe 23 SeChangeNotifyPrivilege Present,Enabled,Default Receive notifications of changes to files or directories
1096 explorer.exe 19 SeShutdownPrivilege Present Shut down the system
1096 explorer.exe 25 SeUndockPrivilege Present,Enabled Remove computer from docking station
1096 explorer.exe 8 SeSecurityPrivilege Present Manage auditing and security log
1096 explorer.exe 17 SeBackupPrivilege Present Backup files and directories
1096 explorer.exe 18 SeRestorePrivilege Present Restore files and directories
1096 explorer.exe 12 SeSystemtimePrivilege Present Change the system time
1096 explorer.exe 24 SeRemoteShutdownPrivilege Present Force shutdown from a remote system
1096 explorer.exe 9 SeTakeOwnershipPrivilege Present Take ownership of files/objects
1096 explorer.exe 20 SeDebugPrivilege Present,Enabled Debug programs
1096 explorer.exe 22 SeSystemEnvironmentPrivilege Present Edit firmware environment values
1096 explorer.exe 11 SeSystemProfilePrivilege Present Profile system performance
1096 explorer.exe 13 SeProfileSingleProcessPrivilege Present Profile a single process
1096 explorer.exe 14 SeIncreaseBasePriorityPrivilege Present Increase scheduling priority
1096 explorer.exe 10 SeLoadDriverPrivilege Present,Enabled Load and unload device drivers
1096 explorer.exe 15 SeCreatePagefilePrivilege Present Create a pagefileInternet Explorer History
The iehistory plugin was introduced on this blog a while back - see HowTo: Scan for Internet Cache/History and URLs. Since then, it has been used in various investigations and from what we hear - rather successfully. Although this plugin has been available in Volatility's development branch for a while, it makes its first major release debut in 2.3.
Service DLLs
A Windows service of type SERVICE_WIN32_SHARE_PROCESS is essentially a DLL that runs inside a shared host process (svchost.exe). This is a commonly used persistence mechanism among malicious code (see How malware hides and is installed as a service).
Volatility's svcscan plugin scans for and reports on service record structures found in the memory of the service control manager (services.exe). In previous releases it only identified the driver name (i.e. \Driver\Tcpip) if the service was for a kernel driver, or it showed the path to an executable file if the service was a standalone or shared process. Starting with Volatility 2.3, you can also now query for the service DLL when you provide the --verbose argument to svcscan.
Here's an example of the output.
$ python vol.py -f mem.dmp svcscan -p 1096 [snip] Offset: 0x383c90 Order: 55 Process ID: 1024 Service Name: ERSvc Display Name: Error Reporting Service Service Type: SERVICE_WIN32_SHARE_PROCESS Service State: SERVICE_RUNNING Binary Path: C:\WINDOWS\System32\svchost.exe -k netsvcsServiceDll: %SystemRoot%\System32\ersvc.dll
As you can see, by supplying --verbose, you not only see svchost.exe, but the full path on disk to ersvc.dll is included. The full path to the DLL comes from the registry. Assuming malware overwrote the registry key's value and changed the path to ersvc.dll (pointing it at a malicious DLL), you would be better equipped to detect and respond to this behavior.
Cached Files
The dumpfiles plugin that we introduced previously (see Cache Rules Everything Around Me(Mory)) will make its debut release in Volatility 2.3. This will be one of the more useful plugins you've ever experienced - with the ability to extract cached files from all Windows memory dumps, including raw registry hives, executables, and documents.
Duqu Style API Hooks
Volatility's apihooks plugin can detect IAT hooks, EAT hooks, Inline hooks, and various others. In the category of inline hooks (also referred to as detours or trampoline hooks), we look for changes of the function prologue - specifically ones that CALL or JMP to another module or unknown code location. Since we don't emulate code, subtle changes in assembly instructions or uncommon sequences of instructions can evade the hook detection engine. Duqu, often referred to as a cousin of Stuxnet, used a simple technique of moving the hook address into a register and then jumping to the register. For example:
MOV EAX, ADDRESS
JMP EAX
It's nothing special per se, but previously we didn't check for this type of instruction combination. Starting with Volatility 2.3, we now include checks for this type of memory modification. Here's an example:
$ python vol.py -f duqu.dmp apihooks -p 1176 --quick
Hook mode: Usermode
Hook type: Inline/Trampoline
Process: 1176 (lsass.exe)
Victim module: ntdll.dll (0x7c900000 - 0x7c9af000)
Function: ntdll.dll!ZwQuerySection at 0x7c90d8b0
Hook address: 0x980a02
Hooking module:
Disassembly(0):
0x7c90d8b0 b8020a9800 MOV EAX, 0x980a02
0x7c90d8b5 ffe0 JMP EAX
0x7c90d8b7 03fe ADD EDI, ESI
0x7c90d8b9 7fff JG 0x7c90d8ba
0x7c90d8bb 12c2 ADC AL, DL
0x7c90d8bd 1400 ADC AL, 0x0
0x7c90d8bf 90 NOP
0x7c90d8c0 b8a8000000 MOV EAX, 0xa8 Conclusion
Although the main objective(s) for the 2.3 release were Mac OSX and Linux/Android, we didn't want to neglect Windows. Thus, this post summarizes a few of the interesting new and improved plugins for Windows systems.
No comments:
Post a Comment