In his Open Memory Forensic Workshop 2012 presentation "The Analysis of Process Token Privileges", Cem Gurkok (@CGurkok) discussed a plugin for Volatility that shows which privileges are enabled in each process. This can be useful for a number of reasons, including detecting code-injecting malware (SeDebugPrivilege) and kernel rootkits (SeLoadDriverPrivilege) in addition to scanning for Token related DKOM (see Cesar Cerrudo's Easy Local Windows Kernel Exploitation).
As shown below, the privs plugin tells you which privileges are present in the process's token, which have been enabled, and which were enabled by default. If any privileges are enabled but not enabled by default, you know they were explicitly set (usually through the AdjustTokenPrivileges API). If any privileges are enabled but not present, that's a strong indicator of DKOM.
$ python vol.py -f mem.dmp privs -p 1096
[snip]
1096 explorer.exe 23 SeChangeNotifyPrivilege Present,Enabled,Default Receive notifications of changes to files or directories
1096 explorer.exe 19 SeShutdownPrivilege Present Shut down the system
1096 explorer.exe 25 SeUndockPrivilege Present,Enabled Remove computer from docking station
1096 explorer.exe 8 SeSecurityPrivilege Present Manage auditing and security log
1096 explorer.exe 17 SeBackupPrivilege Present Backup files and directories
1096 explorer.exe 18 SeRestorePrivilege Present Restore files and directories
1096 explorer.exe 12 SeSystemtimePrivilege Present Change the system time
1096 explorer.exe 24 SeRemoteShutdownPrivilege Present Force shutdown from a remote system
1096 explorer.exe 9 SeTakeOwnershipPrivilege Present Take ownership of files/objects
1096 explorer.exe 20 SeDebugPrivilege Present,Enabled Debug programs
1096 explorer.exe 22 SeSystemEnvironmentPrivilege Present Edit firmware environment values
1096 explorer.exe 11 SeSystemProfilePrivilege Present Profile system performance
1096 explorer.exe 13 SeProfileSingleProcessPrivilege Present Profile a single process
1096 explorer.exe 14 SeIncreaseBasePriorityPrivilege Present Increase scheduling priority
1096 explorer.exe 10 SeLoadDriverPrivilege Present,Enabled Load and unload device drivers
1096 explorer.exe 15 SeCreatePagefilePrivilege Present Create a pagefile
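To make the Present/Enabled/Default logic concrete, here is an added example (not code from the Volatility project or from Cem Gurkok's plugin) that decodes the three bitmasks of a token's privilege block and applies the two checks described above. It assumes the Vista-and-later _SEP_TOKEN_PRIVILEGES layout, three little-endian 64-bit masks in the order Present, Enabled, EnabledByDefault, with bit N standing for privilege LUID N; the sample blobs are constructed to mirror the explorer.exe token shown, plus a second blob with a Present bit cleared to simulate the DKOM case.

```python
import struct

# LUID values and names as they appear in the privs output above (Windows constants).
PRIVILEGE_NAMES = {
    8: "SeSecurityPrivilege", 9: "SeTakeOwnershipPrivilege", 10: "SeLoadDriverPrivilege",
    11: "SeSystemProfilePrivilege", 12: "SeSystemtimePrivilege",
    13: "SeProfileSingleProcessPrivilege", 14: "SeIncreaseBasePriorityPrivilege",
    15: "SeCreatePagefilePrivilege", 17: "SeBackupPrivilege", 18: "SeRestorePrivilege",
    19: "SeShutdownPrivilege", 20: "SeDebugPrivilege", 22: "SeSystemEnvironmentPrivilege",
    23: "SeChangeNotifyPrivilege", 24: "SeRemoteShutdownPrivilege", 25: "SeUndockPrivilege",
}


def decode_token_privileges(raw):
    """Decode a _SEP_TOKEN_PRIVILEGES blob (assumed Vista+ layout: three little-endian
    64-bit masks Present, Enabled, EnabledByDefault) into (luid, name, flags) rows."""
    present, enabled, default = struct.unpack("<QQQ", raw[:24])
    rows = []
    for luid in range(64):
        bit = 1 << luid
        flags = []
        if present & bit:
            flags.append("Present")
        if enabled & bit:
            flags.append("Enabled")
        if default & bit:
            flags.append("Default")
        if flags:
            rows.append((luid, PRIVILEGE_NAMES.get(luid, "Unknown(%d)" % luid), flags))
    return rows


def find_anomalies(rows):
    """Apply the two checks from the text: Enabled without Default means the process
    (or something acting on it) explicitly enabled the privilege; Enabled without
    Present cannot happen through the API and points at token DKOM."""
    explicitly_enabled = []
    dkom_suspect = []
    for luid, name, flags in rows:
        if "Enabled" in flags and "Default" not in flags:
            explicitly_enabled.append(name)
        if "Enabled" in flags and "Present" not in flags:
            dkom_suspect.append(name)
    return explicitly_enabled, dkom_suspect


def build_sample(dkom=False):
    """Constructed blob mirroring the explorer.exe token above: all sixteen privileges
    present; SeChangeNotify, SeUndock, SeDebug and SeLoadDriver enabled; only
    SeChangeNotify enabled by default. With dkom=True the Present bit for
    SeDebugPrivilege is cleared while its Enabled bit stays set."""
    present = 0
    for luid in PRIVILEGE_NAMES:
        present |= 1 << luid
    enabled = sum(1 << luid for luid in (23, 25, 20, 10))
    default = 1 << 23
    if dkom:
        present &= ~(1 << 20)
    return struct.pack("<QQQ", present, enabled, default)


if __name__ == "__main__":
    for blob in (build_sample(), build_sample(dkom=True)):
        rows = decode_token_privileges(blob)
        for luid, name, flags in rows:
            print("%2d %-32s %s" % (luid, name, ",".join(flags)))
        explicit, dkom = find_anomalies(rows)
        print("explicitly enabled:", explicit)
        print("enabled but not present (DKOM suspect):", dkom)
        print()
```

On the first blob the explicitly enabled list is SeLoadDriver, SeDebug and SeUndock, exactly the three the output above marks Present,Enabled without Default; on the second blob SeDebugPrivilege shows up as enabled-but-not-present, which is the DKOM signal the text describes.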
Internet Explorer History
The iehistory plugin was introduced on this blog a while back - see HowTo: Scan for Internet Cache/History and URLs. Since then, it has been used in various investigations and from what we hear - rather successfully. Although this plugin has been available in Volatility's development branch for a while, it makes its first major release debut in 2.3.
A Windows service of type SERVICE_WIN32_SHARE_PROCESS is essentially a DLL that runs inside a shared host process (svchost.exe). This is a commonly used persistence mechanism among malicious code (see How malware hides and is installed as a service).
Volatility's svcscan plugin scans for and reports on service record structures found in the memory of the service control manager (services.exe). In previous releases it only identified the driver name (i.e. \Driver\Tcpip) if the service was for a kernel driver, or it showed the path to an executable file if the service was a standalone or shared process. Starting with Volatility 2.3, you can also now query for the service DLL when you provide the --verbose argument to svcscan.
Here's an example of the output.
$ python vol.py -f mem.dmp svcscan -p 1096
[snip]
Offset: 0x383c90
Order: 55
Process ID: 1024
Service Name: ERSvc
Display Name: Error Reporting Service
Service Type: SERVICE_WIN32_SHARE_PROCESS
Service State: SERVICE_RUNNING
Binary Path: C:\WINDOWS\System32\svchost.exe -k netsvcs
As you can see, by supplying --verbose, you not only see svchost.exe, but the full path on disk to ersvc.dll is included. The full path to the DLL comes from the registry. Assuming malware overwrote the registry key's value and changed the path to ersvc.dll (pointing it at a malicious DLL), you would be better equipped to detect and respond to this behavior.
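As an added illustration (not the svcscan plugin's own code) of where the DLL path comes from and how an analyst might triage it, the following resolves the ServiceDll for shared-process services from a constructed snapshot of HKLM\SYSTEM\CurrentControlSet\Services\<name>. The ERSvc entry mirrors the record above; its ServiceDll default under System32 is assumed rather than taken from the page, the "ExampleSvc" entry and its placeholder DLL path are made up to show a repointed value, and the System32-only heuristic is a coarse first-pass check, not a rule that every legitimate service satisfies.

```python
import re

SYSTEM_ROOT = r"C:\WINDOWS"          # assumed; in a real case take it from the image's registry
SERVICE_WIN32_SHARE_PROCESS = 0x20   # Windows service type constant for svchost-hosted DLLs

# Constructed registry snapshot: Services\<name> values plus the Parameters subkey.
SERVICES = {
    "ERSvc": {                      # mirrors the svcscan record above
        "Type": 0x20,
        "ImagePath": r"%SystemRoot%\System32\svchost.exe -k netsvcs",
        "Parameters": {"ServiceDll": r"%SystemRoot%\System32\ersvc.dll"},  # assumed default
    },
    "ExampleSvc": {                 # made-up service whose ServiceDll was repointed
        "Type": 0x20,
        "ImagePath": r"%SystemRoot%\System32\svchost.exe -k netsvcs",
        "Parameters": {"ServiceDll": r"C:\PLACEHOLDER_DIR\examplesvc.dll"},
    },
    "Tcpip": {"Type": 0x1, "ImagePath": r"system32\DRIVERS\tcpip.sys"},  # kernel driver, skipped
}

HOST_RE = re.compile(r"svchost\.exe\s+-k\s+(\S+)", re.IGNORECASE)


def expand_path(path):
    """Expand %SystemRoot% the way the service control manager does before loading."""
    return re.sub(r"%systemroot%", lambda m: SYSTEM_ROOT, path, flags=re.IGNORECASE)


def describe_service(name, rec):
    """Return the host image, the svchost -k group and the resolved ServiceDll for one record."""
    info = {"name": name, "type": rec["Type"], "image": expand_path(rec["ImagePath"]),
            "group": None, "service_dll": None}
    m = HOST_RE.search(rec["ImagePath"])
    if m:
        info["group"] = m.group(1)
    dll = rec.get("Parameters", {}).get("ServiceDll")
    if dll:
        info["service_dll"] = expand_path(dll)
    return info


def triage_shared_services(services=SERVICES):
    """Return (name, reason) for shared-process services worth a second look."""
    findings = []
    expected_dir = (SYSTEM_ROOT + "\\system32\\").lower()
    for name, rec in services.items():
        if rec["Type"] != SERVICE_WIN32_SHARE_PROCESS:
            continue
        info = describe_service(name, rec)
        if info["group"] is None:
            findings.append((name, "share-process service not hosted by svchost.exe"))
        elif info["service_dll"] is None:
            findings.append((name, "no Parameters\\ServiceDll value"))
        elif not info["service_dll"].lower().startswith(expected_dir):
            findings.append((name, "ServiceDll outside System32: " + info["service_dll"]))
    return findings


if __name__ == "__main__":
    for name, rec in SERVICES.items():
        print(describe_service(name, rec))
    for name, reason in triage_shared_services():
        print("REVIEW", name, reason)
```

Against a real image you would feed this from the SYSTEM hive (Volatility's registry API or an offline hive parser) and compare the resolved path with what svcscan --verbose reports; a mismatch between the registry and the in-memory record is itself worth noting.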
The dumpfiles plugin that we introduced previously (see Cache Rules Everything Around Me(Mory)) will make its debut release in Volatility 2.3. This will be one of the more useful plugins you've ever experienced - with the ability to extract cached files from all Windows memory dumps, including raw registry hives, executables, and documents.
Duqu Style API Hooks
Volatility's apihooks plugin can detect IAT hooks, EAT hooks, Inline hooks, and various others. In the category of inline hooks (also referred to as detours or trampoline hooks), we look for changes to the function prologue - specifically instructions that CALL or JMP to another module or to an unknown code location. Since we don't emulate code, subtle changes in assembly instructions or uncommon sequences of instructions can evade the hook detection engine. Duqu, often referred to as a cousin of Stuxnet, used a simple technique of moving the hook address into a register and then jumping to the register. For example:
MOV EAX, ADDRESS
JMP EAX
It's nothing special per se, but previously we didn't check for this type of instruction combination. Starting with Volatility 2.3, we now include checks for this type of memory modification. Here's an example:
$ python vol.py -f duqu.dmp apihooks -p 1176 --quick
Hook mode: Usermode
Hook type: Inline/Trampoline
Process: 1176 (lsass.exe)
Victim module: ntdll.dll (0x7c900000 - 0x7c9af000)
Function: ntdll.dll!ZwQuerySection at 0x7c90d8b0
Hook address: 0x980a02
Hooking module:
Disassembly(0):
0x7c90d8b0 b8020a9800 MOV EAX, 0x980a02
0x7c90d8b5 ffe0 JMP EAX
0x7c90d8b7 03fe ADD EDI, ESI
0x7c90d8b9 7fff JG 0x7c90d8ba
0x7c90d8bb 12c2 ADC AL, DL
0x7c90d8bd 1400 ADC AL, 0x0
0x7c90d8bf 90 NOP
0x7c90d8c0 b8a8000000 MOV EAX, 0xa8
Although the main objective(s) for the 2.3 release were Mac OSX and Linux/Android, we didn't want to neglect Windows. Thus, this post summarizes a few of the interesting new and improved plugins for Windows systems.