Malware Forensic Field Guides: Tool Box 

Chapter 2     Memory Forensics: Analyzing Physical and Process Memory Dumps for Malware Artifacts

In Chapter 2 we discussed approaches to interpreting data structures in memory. There are a number of memory analysis tools that you should be aware of and familiar with. In this section we explore these alternatives, often demonstrating their functionality. The section can also be used as a tool quick reference or cheat sheet: there will inevitably be times during an investigation when an additional tool that performs a particular function would be useful, and you will have little time to research it. It is important to perform your own testing and validation of these tools to ensure that they work as expected in your environment and for your specific needs.


Name:   Encase Enscripts
Page Reference:  113
Author/Distributor:  Guidance Software
Available From:  http://www.guidancesoftware.com/
Description:  Memory analysis capabilities have been developed for EnCase using EnScripts. These are currently maintained at http://cci.cocolog-nifty.com/blog/ and have some basic functions similar to Volatility. The output of the PsScan component of the Memory Forensic EnScript is shown in the following figure:
     





Name:  FTK
Page Reference:  100
Author/Distributor:  AccessData
Available From:  https://www.accessdata.com
Description: FTK has basic memory parsing capabilities, which can be utilized by importing a memory dump and reviewing the parsed information under the Volatile tab.




Name:  Memoryze/AuditViewer
Page Reference:  101
Author/Distributor:  Mandiant
Available From: http://www.mandiant.com/products/free_software/memoryze/
Description:  Memoryze and the associated AuditViewer are used to analyze physical memory acquired from many versions of Windows. Several batch scripts are provided with Memoryze to facilitate common analysis tasks.

Process.bat extracts details about processes, including malicious code injection.
DriverSearch.bat extracts details about drivers.
HookDetection.bat looks for common hooking methods.
DriverWalkList.bat provides a linked list of modules and drivers.

These batch scripts rely on XML configuration files, and each command-line option must be explicitly set to true or false to produce the desired results in XML format. An example of the command line for Process.bat is provided here.


C:\>Process.bat -input E:\FuTo-Rootkit.dmp -output E:Analysis -handles true -ports true -sections true -injected true

Customized scripts can be created to perform specific combinations of analysis. Audit Viewer
provides a graphical user interface for examining the XML output created by Memoryze as shown
in the following figure.



Helpful Switches:

Switch            Function
-input            Memory dump to analyze
-output           Directory in which the results will be written
-ports true       List ports associated with processes
-injected true    Look for memory injection (the switch used in the Process.bat command line above)




Name: PTFinder
Page Reference: 102
Author/Distributor:  Andreas Schuster
Available From:  http://computer.forensikblog.de/files/ptfinder/
Description: PTFinder is a set of Perl scripts developed by Andreas Schuster that methodically search a memory dump for the signatures of EPROCESS and ETHREAD data structures. Because it works purely on physical offsets, it performs no conversion between virtual and physical addresses (http://computer.forensikblog.de/en/2006/03/ptfinder_0_2_00.html). In the run below, --nothreads suppresses the ETHREAD entries so only process blocks are listed. Note that two entries other than Idle (skls.exe and skl.exe) are reported with PID 0 despite having creation times and page directory bases; a signature scan surfaces such blocks regardless of how the process has been hidden or its fields tampered with, which is why its output should be compared against a list-walking tool rather than taken on its own.

E:\PTFinder>ptfinder_xpsp2.pl --nothreads FUTo-memory-20070909.dd
No.  Type  PID   TID   Time created         Offset      PDB         Remarks
---- ----  ----  ----  -------------------  ----------  ----------  ------------
1    Proc  0                                0x00544640  0x00039000  Idle
2    Proc  664         2007-09-09 18:12:25  0x0104ab50  0x03f49000  csrss.exe
3    Proc  1852        2007-09-09 18:12:00  0x0104c818  0x0aa13000  logonui.exe
4    Proc  592         2007-09-09 18:12:23  0x0106f788  0x02f2b000  smss.exe
5    Proc  1204        2007-09-09 18:17:32  0x01168a18  0x0001b000  helix.exe
6    Proc  4                                0x01218020  0x00039000  System
7    Proc  736         2007-09-09 18:12:29  0x020cd7d8  0x05649000  services.exe
8    Proc  748         2007-09-09 18:12:29  0x02151668  0x05689000  savedump.exe
9    Proc  1808        2007-09-09 18:19:56  0x026c7420  0x0e906000  dd.exe
10   Proc  688         2007-09-09 18:12:27  0x03cf0850  0x04e5f000  winlogon.exe
11   Proc  756         2007-09-09 18:12:29  0x05683da8  0x0566f000  lsass.exe
12   Proc  928         2007-09-09 18:12:34  0x05cc9da8  0x06208000  ibmpmsvc.exe
13   Proc  956         2007-09-09 18:12:34  0x0626bd80  0x06299000  svchost.exe
14   Proc  1080        2007-09-09 18:12:34  0x063d46a0  0x06467000  svchost.exe
15   Proc  1228        2007-09-09 18:12:36  0x06b00020  0x06aec000  svchost.exe
16   Proc  1260        2007-09-09 18:12:36  0x06cb0728  0x06ce5000  svchost.exe
17   Proc  1452        2007-09-09 18:12:38  0x07509da8  0x075a6000  spoolsv.exe
18   Proc  1604        2007-09-09 18:12:44  0x07daec18  0x07d94000  QCONSVC.EXE
19   Proc  0           2007-09-09 18:12:45  0x07e26b50  0x07e8f000  skls.exe
20   Proc  412         2007-09-09 18:13:05  0x08df4da8  0x08ded000  explorer.exe
21   Proc  632         2007-09-09 18:13:07  0x09783c48  0x09897000  igfxtray.exe
22   Proc  280         2007-09-09 18:13:08  0x098b2960  0x098fb000  hkcmd.exe
23   Proc  656         2007-09-09 18:13:08  0x099da6a8  0x09a4a000  LTSMMSG.exe
24   Proc  828         2007-09-09 18:13:08  0x09afb288  0x09b82000  tp4serv.exe
25   Proc  404         2007-09-09 18:14:15  0x09afb508  0x0e27a000  wuauclt.exe
26   Proc  1024        2007-09-09 18:13:08  0x09c3fda8  0x09ba9000  rundll32.exe
27   Proc  1236        2007-09-09 18:13:09  0x09cec2c0  0x09fed000  Qctray.exe
28   Proc  1100        2007-09-09 18:13:09  0x09e4da28  0x09e6d000  TPHKMGR.exe
29   Proc  372         2007-09-09 18:19:56  0x09f05020  0x09774000  cmd.exe
30   Proc  1284        2007-09-09 18:13:09  0x09f6b6a8  0x0a093000  dirx9.exe
31   Proc  0           2007-09-09 18:13:10  0x0a10fbe8  0x0a039000  skl.exe
32   Proc  976         2007-09-09 18:13:16  0x0bc35898  0x0c03b000  msmsgs.exe
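To make concrete what a signature-based EPROCESS scan such as PTFinder's actually does, and why it reports blocks that a linked-list walk never reaches, here is an added Python example. It is not PTFinder's code and is not from the original page. It carves Windows XP SP2 _EPROCESS blocks out of a raw image by the same kind of rule PTFinder applies: the DISPATCHER_HEADER Type and Size bytes at the start of the block, plus plausibility checks on the page directory base and the ActiveProcessLinks pointers. The field offsets are the published XP SP2 layout. The image is a constructed 64 KiB buffer (an assumption of this example, with values loosely modelled on the listing above): two ordinary process blocks, one block hidden the way a rootkit would (PID zeroed, ActiveProcessLinks pointing at itself) and a decoy that has the right header bytes but an unaligned page directory base and must be rejected.

```python
# Added example: signature carving of XP SP2 _EPROCESS blocks from a raw image,
# in the spirit of PTFinder. No virtual-to-physical translation is performed.
import struct
from datetime import datetime, timedelta, timezone

# Windows XP SP2 (x86) _EPROCESS field offsets.
OFF_HDR_TYPE    = 0x000   # Pcb.Header.Type (UCHAR): 3 for a process object
OFF_HDR_SIZE    = 0x002   # Pcb.Header.Size (UCHAR): sizeof(_KPROCESS)/4 == 0x1b
OFF_DTB         = 0x018   # Pcb.DirectoryTableBase[0], PTFinder's "PDB" column
OFF_CREATE_TIME = 0x070   # LARGE_INTEGER FILETIME
OFF_PID         = 0x084   # UniqueProcessId
OFF_LINKS       = 0x088   # ActiveProcessLinks.Flink / .Blink
OFF_IMAGE_NAME  = 0x174   # ImageFileName[16]
EPROCESS_SIZE   = 0x25c

PROC_TYPE, PROC_SIZE = 0x03, 0x1b
KERNEL_BASE = 0x80000000                      # x86 kernel virtual address floor
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(ft):
    """100 ns intervals since 1601-01-01 UTC; 0 means never (Idle/System)."""
    return None if ft == 0 else FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def looks_like_eprocess(buf, off):
    """Header signature plus the kind of sanity checks PTFinder applies."""
    if off + EPROCESS_SIZE > len(buf):
        return False
    if buf[off + OFF_HDR_TYPE] != PROC_TYPE or buf[off + OFF_HDR_SIZE] != PROC_SIZE:
        return False
    dtb = struct.unpack_from("<I", buf, off + OFF_DTB)[0]
    if dtb == 0 or dtb & 0xFFF:               # page directory base is page aligned
        return False
    flink, blink = struct.unpack_from("<II", buf, off + OFF_LINKS)
    # Linked or unlinked, the entry carries kernel-space pointers here; an
    # unlinked entry simply points at itself or at a stale neighbour.
    return flink >= KERNEL_BASE and blink >= KERNEL_BASE


def carve_eprocess(buf, step=8):
    """Scan every 8-byte aligned physical offset; return hits in offset order."""
    hits = []
    for off in range(0, len(buf) - EPROCESS_SIZE + 1, step):
        if not looks_like_eprocess(buf, off):
            continue
        raw = buf[off + OFF_IMAGE_NAME:off + OFF_IMAGE_NAME + 16].split(b"\x00", 1)[0]
        hits.append({
            "offset": off,
            "pid": struct.unpack_from("<I", buf, off + OFF_PID)[0],
            "pdb": struct.unpack_from("<I", buf, off + OFF_DTB)[0],
            "created": filetime_to_datetime(
                struct.unpack_from("<Q", buf, off + OFF_CREATE_TIME)[0]),
            "name": raw.decode("ascii", "replace"),
        })
    return hits


def hidden_processes(hits):
    """PID 0 on a carved block other than Idle: the block exists (it was found
    by signature) but its PID field has been tampered with, so triage it."""
    return [h for h in hits if h["pid"] == 0 and h["name"] != "Idle"]


def build_eprocess(name, pid, dtb, created, flink, blink):
    """Constructed block: only the fields the carver inspects are populated."""
    blk = bytearray(EPROCESS_SIZE)
    blk[OFF_HDR_TYPE], blk[OFF_HDR_SIZE] = PROC_TYPE, PROC_SIZE
    struct.pack_into("<I", blk, OFF_DTB, dtb)
    delta = created - FILETIME_EPOCH
    struct.pack_into("<Q", blk, OFF_CREATE_TIME,
                     (delta.days * 86400 + delta.seconds) * 10_000_000)
    struct.pack_into("<I", blk, OFF_PID, pid)
    struct.pack_into("<II", blk, OFF_LINKS, flink, blink)
    blk[OFF_IMAGE_NAME:OFF_IMAGE_NAME + 16] = name.encode("ascii").ljust(16, b"\x00")
    return bytes(blk)


def make_sample_image():
    """Constructed 64 KiB image (assumption: not a real dump)."""
    img = bytearray(64 * 1024)
    t0 = datetime(2007, 9, 9, 18, 12, 23, tzinfo=timezone.utc)
    img[0x1000:0x1000 + EPROCESS_SIZE] = build_eprocess(
        "smss.exe", 592, 0x02f2b000, t0, 0x8104ab50, 0x81218020)
    img[0x3a40:0x3a40 + EPROCESS_SIZE] = build_eprocess(
        "csrss.exe", 664, 0x03f49000, t0 + timedelta(seconds=2), 0x8106f788, 0x81218020)
    # Hidden by a rootkit: PID zeroed and ActiveProcessLinks pointing at itself,
    # so a walk from PsActiveProcessHead never reaches it.
    img[0x7e20:0x7e20 + EPROCESS_SIZE] = build_eprocess(
        "skl.exe", 0, 0x0a039000, t0 + timedelta(seconds=47), 0x8a10fc70, 0x8a10fc70)
    # Decoy with the right header bytes but an unaligned DTB: must be rejected.
    img[0xc000:0xc000 + EPROCESS_SIZE] = build_eprocess(
        "decoy.exe", 1, 0x12345678, t0, 0x80000000, 0x80000000)
    return bytes(img)


if __name__ == "__main__":
    for h in carve_eprocess(make_sample_image()):
        print(f"{h['offset']:#010x}  PID {h['pid']:<5} PDB {h['pdb']:#010x}  "
              f"{h['created']}  {h['name']}")
```

Running the script prints the three surviving blocks in offset order, including skl.exe with PID 0, and drops the decoy. On a real dump the same rule set produces false positives from freed pool and from old process blocks still resident in memory, which is why PTFinder and Volatility's psscan both show creation times and page directory bases: an exited process usually has a non-zero ExitTime and a PDB that no longer makes sense, and those are the columns to check before treating a hit as a live hidden process.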





Name:    Responder
Page Reference:  103
Author/Distributor:  HBGary
Available From: http://hbgary.com/
Description:  Responder facilitates forensic analysis of physical memory acquired from many versions of Windows by automatically extracting various details. In addition to providing a list of processes and open handles, Responder extracts URLs, usernames, passwords, keys and other information from memory dumps. The graphical user interface enables a digital investigator to navigate memory dumps in various ways, and has a keyword search feature.

The professional version of Responder has more advanced features for malware analysis, including integrated disassembly of executables found in memory dumps. The Digital DNA (DDNA) feature attempts to identify malicious code automatically based on various characteristics and assigns associated weight values.
       


Helpful Input Options:

Two options available when loading a memory dump into HBGary Responder can provide additional insight from a forensic perspective:

- Word list: words relevant to an investigation to search for while parsing the memory dump
- Binary log:








Name:  Volatility
Page Reference: 99-101; 107-108; 110-111; 114-116; 123
Author/Distributor: Volatile Systems
Available From: https://www.volatilesystems.com/default/volatility
Description: Volatility grew out of the FATKit project and is written in Python, with development led by AAron Walters. Volatility can be used to extract information about processes, network connections, open handles and other system-related details. Volatility also supports plugins for customized operations such as detecting malware, extracting Registry information and recovering encryption keys. The psscan output below comes from the same FUTo image as the PTFinder listing; compare it with pslist, which walks the EPROCESS list, to spot processes that a rootkit has unlinked.

C:\>python volatility psscan -f E:\FuTo-Rootkit
Name          Pid   PPid  Thds  Hnds  Time
System        4     0     53    265   Thu Jan 01 00:00:00 1970
smss.exe      592   4     3     21    Sun Sep 09 18:12:23 2007
csrss.exe     664   592   11    385   Sun Sep 09 18:12:25 2007
winlogon.exe  688   592   20    502   Sun Sep 09 18:12:27 2007
services.exe  736   688   19    385   Sun Sep 09 18:12:29 2007
savedump.exe  748   688   0     -1    Sun Sep 09 18:12:29 2007
lsass.exe     756   688   19    310   Sun Sep 09 18:12:29 2007
ibmpmsvc.exe  928   736   3     29    Sun Sep 09 18:12:34 2007
svchost.exe   956   736   8     226   Sun Sep 09 18:12:34 2007
svchost.exe   1080  736   72    1025  Sun Sep 09 18:12:34 2007
<edited for length>


A list and description of Volatility plugins is available at http://code.google.com/p/volatility/wiki/Plugins

  Helpful Plugins:

Options:
  --info                Print information about all registered objects
  --tz=TZ               Sets the timezone for displaying timestamps
  -f FILENAME, --filename=FILENAME
                        Filename to use when opening an image
  --output-file=OUTPUT_FILE
                        write output in this file
  -v, --verbose         Verbose information

    Supported Plugin Commands:

        apihooks           [MALWARE] Find API hooks
        bioskbd            Reads the keyboard buffer from Real Mode memory
        connections        Print list of open connections
        connscan2          Scan Physical memory for _TCPT_OBJECT objects (tcp connections)
        crashdump          Dumps the crashdump file to a raw file
        crashinfo          Dump crash-dump information
        csrpslist          [MALWARE] Find hidden processes with csrss handles and CsrRootProcess
        datetime           Get date/time information for image
        dlldump            Dump a DLL from a process address space
        dlllist            Print list of loaded dlls for each process
        driverirp          [MALWARE] Driver IRP hook detection
        driverscan         Scan for driver objects _DRIVER_OBJECT
        files              Print list of open files for each process
        filescan           Scan Physical memory for _FILE_OBJECT pool allocations
        getsids            Print the SIDs owning each process
        hashdump           Dumps passwords hashes (LM/NTLM) from memory
        hibdump            Dumps the hibernation file to a raw file
        hibinfo            Dump hibernation file information
        hivedump           Prints out a hive
        hivelist           Print list of registry hives.
        hivescan           Scan Physical memory for _CMHIVE objects (registry hives)
        idt                [MALWARE] Display Interrupt Descriptor Table
        imageinfo          Identify information for the image
        impscan            [MALWARE] Scan a module for imports (API calls)
        inspectcache       Inspect the contents of a cache
        kpcrscan           Search for and dump potential KPCR values
        ldrmodules         [MALWARE] Detect unlinked DLLs
        lsadump            Dump (decrypted) LSA secrets from the registry
        malfind            [MALWARE] Find hidden and injected code
        memdump            Dump the addressable memory for a process
        memmap             Print the memory map
        moddump            Dump a kernel driver to an executable file sample
        modscan2           Scan Physical memory for _LDR_DATA_TABLE_ENTRY objects
        modules            Print list of loaded modules
        mutantscan         Scan for mutant objects _KMUTANT
        mutantscandb       [MALWARE] mutantscan extension for highlighting suspicious mutexes
        notifyroutines     [MALWARE] Print system-wide notification routines
        orphanthreads      [MALWARE] Locate hidden threads
        patcher            Patches memory based on page scans
        printkey           Print a registry key, and its subkeys and values
        procexedump        Dump a process to an executable file sample
        procmemdump        Dump a process to an executable memory sample
        psdiff             Produce a process diff
        pslist             print all running processes by following the EPROCESS lists
        psscan             Scan Physical memory for _EPROCESS objects
        pstree             Print process list as a tree
        regobjkeys         Print list of open regkeys for each process
        sockets            Print list of open sockets
        sockscan           Scan Physical memory for _ADDRESS_OBJECT objects (tcp sockets)
        ssdt               Display SSDT entries
        ssdt_by_threads    [MALWARE] SSDT hooks by thread
        ssdt_ex            [MALWARE] SSDT Hook Explorer for IDA Pro (and SSDT by thread)
        strings            Match physical offsets to virtual addresses (may take a while, VERY verbose)
        svcscan            [MALWARE] Scan for Windows services
        testsuite          Run unit test suite using the Cache
        thrdscan           Scan Physical memory for _ETHREAD objects
        thrdscan2          Scan physical memory for _ETHREAD objects
        vaddump            Dumps out the vad sections to a file
        vadinfo            Dump the VAD info
        vadtree            Walk the VAD tree and display in tree format
        vadwalk            Walk the VAD tree
        verinfo            Prints out the version information from PE images