Windows 7 SP1 Application Dataset Results.

Source publication
Article
We present a novel approach for the construction and application of cryptographic hashes to user space memory for the purposes of verifying the provenance of code in memory images. Several key aspects of Windows behaviour which influence this process are examined in-depth. Our approach is implemented and evaluated on a selection of malware samples...

Context in source publication

Context 1
... Windows 7, the results in Fig. 6 show that the number of applications that were verified was the same. The overall results between Windows XP and Windows 7 are similar, except that the results from Windows 7 have far fewer unverifiable allocations. One interesting trend, however, is that some applications that under Windows XP have no executable data pages have ...

Similar publications

Article
In order to thwart dynamic analysis and bypass protection mechanisms, malware has been using several file formats and evasive techniques. While publicly available dynamic malware analysis systems are one of the main sources of information for researchers, security analysts and incident response professionals, they are unable to cope with all types...
Article
As cyber attacks grow more complex and sophisticated, new types of malware become more dangerous and challenging to detect. In particular, fileless malware injects malicious code into the physical memory directly without leaving attack traces on disk files. This type of attack is well concealed, and it is difficult to find the malicious code in the...
Conference Paper
In this study we focus on malware in general and cross-platform malware analysis in particular, with respect to its ability to transfer among platforms. We cover the basic features and protection mechanisms malware uses to hide its identity and protect its existence. Recent studies focus on examining malware by comparing signatures and features (stati...
Article
Nowadays thousands of malware samples are received by anti-malware companies on a daily basis, and these large numbers are sent for analysis to a number of automated analysis tools. These tools automatically execute a program in a controlled environment and generate a report describing the program's behaviour. This research paper is a contribution t...
Article
Day by day, cyber crimes and attacks are growing exponentially; every year companies worldwide lose billions of dollars due to cyber attacks. It has become essential to investigate and identify the root of a cyber attack. One of the popular investigation techniques is Memory Forensics, which refers to the analysis of volatile data in a computer's me...

Citations

... • Use a forensic framework (Rekall) to analyze the extracted data. [59] Memory-Analysis DLL Injection Comparing Executables and DLLs between memory and disk. [6] Memory-Analysis DLL Injection, Process Hollowing • Identify anomalies. ...
Preprint
This paper introduces a new approach for examining and analyzing fileless malware artifacts in computer memory. The proposed approach offers the distinct advantage of conducting a comprehensive live analysis of memory without the need for periodic memory dumping. Once a new process arrives, log files are collected by monitoring the Event Tracing for Windows facility as well as listing the executables of the active process for violation detection. The proposed approach significantly reduces detection time and minimizes resource consumption by adopting parallel computing (programming), where the main software (Master) divides the work, organizes the process of searching for artifacts, and distributes tasks to several agents (Slaves). A dataset of 17411 malware samples is used in the assessment of the new approach. It provided satisfactory and reliable results in dealing with at least six different process injection techniques including classic DLL injection, reflective DLL injection, process hollowing, hook injection, registry modifications, and .NET DLL injection. The detection accuracy rate has reached 99.93% with a false-positive rate of 0.068%. Moreover, the accuracy was monitored in the case of launching several malwares using different process injection techniques simultaneously, and the detector was able to detect them efficiently. Also, it achieved a detection time with an average of 0.052 msec per detected malware.
... As a consequence, the attackers then need to resort to other forms of attacks (such as code injection, code reuse that manipulates the existing code within the kernel, and in-memory data manipulation-based attacks) in order to achieve their malicious objectives. To trace such attack vectors, a significant number of contributions have been made in the field of memory forensics [6,23,38,48,49,61,65]. At the same time, contributions focusing on the design of different memory analysis tools for user space memory have also been made [5,10,52]. ...
... In [65], the authors presented an approach (implemented as a Volatility plugin named hashtest) to detect injected malicious code by checking the executable status of memory regions in Windows systems. The authors in [48,49] proposed their approach (implemented as the Volatility plugins Psinfo and hollowfind) to detect suspicious processes and process hollowing attacks (a code injection attack that tricks live forensics tools). ...
Article
The state-of-the-art contributions in the area of memory forensics are centered around uncovering potentially hidden processes, control flow and code pointer integrity manipulations, and detecting malicious code injections done by attackers. At the same time, deployment of memory protection mechanisms like control flow integrity, data execution prevention/no-execute, address space layout randomization and kernel address space layout randomization has obviated the use of such attack vectors for sensitive information disclosure. Thus, attackers are now adopting various techniques to elude memory protection using memory corruption or memory disclosure attacks inside the operating system (OS). The heavy dependence of all such advanced prevention and defense mechanisms on memory protection/memory safety attributes is luring attackers to conduct sophisticated data attacks against the OS that leave no traces in the file system. In this paper, while assessing the security implications of such attack vectors, we propose a mechanism to capture such memory-protection-manipulation-based attack footprints at run time in the form of a utility called PageDumper. While parsing the system virtual address space and page table entries (for the process and kernel address space), it collects the in-memory data attack footprints at run time. Thus, PageDumper can supplement information for the postmortem analysis of the run time process and kernel address space environment, when used in conjunction with memory snapshots taken through memory acquisition tools, for a more practical and in-depth memory analysis.
... In order to retrieve the actual executable state of a page and to differentiate not-yet-allocated memory from currently inaccessible memory, we examine the Page Table Entries, which we enumerate via the paging structures instead of the VADs, as it is faster and more reliable (White et al., 2012). While this work also covers mapped files, our focus is on anonymous memory, as mapped files are already mostly covered by White et al. (2013). ...
... This paper can be seen as a supplement of the great work done by White et al. (2013). They presented an approach to automatically compare loaded executables and DLLs in memory with the actual files on disk in order to detect any modifications. ...
... Because our plugin reports all executable pages (with the mentioned exclusions), no matter if they are part of a code injection or benign, it can produce a huge amount of data that would need to be investigated. The main problem is modified pages of mapped image files, as described in the work by White et al. (2013). As the plugin supports omitting those, it can be used as an improved malfind plugin (but would then miss code injections in mapped image files). ...
Article
Malware utilizes code injection techniques to either manipulate other processes (e.g. done by banking trojans) or hide its existence. With some exceptions, such as ROP gadgets, the injected code needs to be executable by the CPU (at least at some point in time). In this work, we cover and evaluate hiding techniques that prevent executable pages (containing injected code) from being reported by current detection tools. These techniques can either be implemented by malware in order to hide its injected code (as already observed) or can, in one case, unintentionally be taken care of by the operating system through its paging mechanism. In a second step, we present an approach to reveal such pages despite the mentioned hiding techniques by examining Page Table Entries. We implement our approach in a plugin for the memory forensic framework Rekall, which automatically reports any memory region containing executable pages, and evaluate it against own implementations of different hiding techniques, as well as against real-world malware samples.
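The plugin described above examines Page Table Entries rather than VAD protections to decide whether a page is executable. The following is an added example (not the authors' Rekall plugin) that decodes constructed x64 PTE values and reports every executable page, cross-referencing the VAD protection to show what a VAD-only check would miss. The bit layouts are assumptions taken from the classic x64 formats: for a valid hardware PTE, bit 0 Present, bit 1 Write, bit 2 User, bit 63 NX and the PFN in bits 12-51; for a Windows software PTE, Transition in bit 11, Prototype in bit 10 and the MM_* protection in bits 5-9. Newer Windows builds change details, and the sample PTEs and VAD list below are constructed, not taken from a real dump. The example also assumes (as the VAD-versus-PTE discrepancy in the text implies) that a VAD records the protection at allocation time while later VirtualProtect calls change only the PTEs.

```python
"""Decode x64 PTEs and list executable pages independently of the VAD tree.
Added example with constructed data; the bit layouts are assumptions (classic
x64 hardware PTE and Windows software/transition PTE formats)."""

PAGE_SHIFT = 12
PFN_MASK_HW = (1 << 40) - 1          # PFN field of a valid hardware PTE (bits 12-51)
PFN_MASK_SW = (1 << 36) - 1          # PFN field of a transition PTE (bits 12-47)

# Windows MM_* protection encodings (assumed classic values) and their names.
PROT_NAMES = {0: "NOACCESS", 1: "READONLY", 2: "EXECUTE", 3: "EXECUTE_READ",
              4: "READWRITE", 5: "WRITECOPY", 6: "EXECUTE_READWRITE",
              7: "EXECUTE_WRITECOPY"}
EXEC_PROTS = {2, 3, 6, 7}
EXEC_PROT_NAMES = {PROT_NAMES[p] for p in EXEC_PROTS}


def make_hw_pte(pfn, nx, write, user=True):
    """Build a valid (present) hardware PTE."""
    return 1 | (int(write) << 1) | (int(user) << 2) | (pfn << PAGE_SHIFT) | (int(nx) << 63)


def make_sw_pte(prot, transition=False, prototype=False, pfn=0, pagefile_low=0):
    """Build a non-present software PTE (transition, prototype or pagefile)."""
    return ((pagefile_low & 0xF) << 1) | ((prot & 0x1F) << 5) | (int(prototype) << 10) \
        | (int(transition) << 11) | (pfn << PAGE_SHIFT)


def decode_pte(pte):
    """Classify a PTE and decide whether it grants execute, or None if unresolved."""
    if pte == 0:
        return {"state": "unallocated", "exec": False}
    if pte & 1:                                  # hardware-valid: NX bit decides
        return {"state": "valid", "exec": not (pte >> 63) & 1,
                "write": bool((pte >> 1) & 1), "pfn": (pte >> PAGE_SHIFT) & PFN_MASK_HW}
    prot = (pte >> 5) & 0x1F
    if (pte >> 10) & 1:                          # prototype PTE: would need the prototype itself
        return {"state": "prototype", "exec": None}
    if (pte >> 11) & 1:                          # transition: page still physically present
        return {"state": "transition", "exec": prot in EXEC_PROTS,
                "protection": PROT_NAMES.get(prot), "pfn": (pte >> PAGE_SHIFT) & PFN_MASK_SW}
    return {"state": "pagedout", "exec": prot in EXEC_PROTS,   # pagefile PTE: protection kept
            "protection": PROT_NAMES.get(prot)}


def find_vad(vads, vaddr):
    """Return the protection name of the VAD covering vaddr, or None."""
    for start, end, prot in vads:
        if start <= vaddr <= end:
            return prot
    return None


def executable_pages(ptes, vads):
    """Report every page whose PTE grants execute and how that compares to its VAD."""
    report = []
    for vaddr in sorted(ptes):
        info = decode_pte(ptes[vaddr])
        if not info["exec"]:                      # False (no exec) or None (unresolved) are skipped
            continue
        vad_prot = find_vad(vads, vaddr)
        if vad_prot is None:
            flag = "no_vad"                       # executable page with no VAD at all
        elif vad_prot not in EXEC_PROT_NAMES:
            flag = "vad_not_exec"                 # VAD-based tools would not report this page
        else:
            flag = "consistent"
        report.append({"vaddr": vaddr, "state": info["state"], "vad": vad_prot, "flag": flag})
    return report


# Constructed sample: one process, a handful of PTEs and its VAD list.
SAMPLE_PTES = {
    0x7FF10000: make_hw_pte(0x1A2B, nx=False, write=True),          # valid RWX
    0x7FF11000: make_sw_pte(6, transition=True, pfn=0x1A2C),         # transition, EXECUTE_READWRITE
    0x7FF12000: make_hw_pte(0x1A2D, nx=True, write=True),           # valid RW, NX set
    0x7FF13000: make_sw_pte(3, pagefile_low=1),                      # paged out, EXECUTE_READ
    0x7FF14000: 0,                                                    # never touched
    0x7FF15000: make_hw_pte(0x1A2F, nx=False, write=False),         # valid RX, no VAD covers it
    0x7FF16000: make_sw_pte(0, prototype=True),                       # prototype PTE, unresolved
    0x7FF20000: make_hw_pte(0x2B00, nx=False, write=True),          # valid RWX inside an RWX VAD
}
SAMPLE_VADS = [
    (0x7FF10000, 0x7FF13FFF, "READWRITE"),          # allocated RW, protection later changed via PTEs
    (0x7FF20000, 0x7FF20FFF, "EXECUTE_READWRITE"),
]

if __name__ == "__main__":
    for entry in executable_pages(SAMPLE_PTES, SAMPLE_VADS):
        print(f"{entry['vaddr']:#x} {entry['state']:<11} vad={entry['vad']} {entry['flag']}")
```

A real implementation walks the paging structures (PML4, PDPT, PD, PT), handles large pages, and resolves prototype PTEs for mapped files; this example starts from already-enumerated PTEs so that the decision logic per page is visible on its own.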
... In addition, those tasks can achieve a high IO throughput, parallelize well and offer fast access to valuable insights. With the increasing size of memory, methods of data reduction (similar to those for hard drive forensics) are needed [31]. ...
... The research underlines the idiosyncrasies, pitfalls and needed adaptations to apply signatures to this domain. On the other hand, Walters et al. [30] and White et al. [31] proposed the utilization of cryptographic hash functions to perform code integrity checks, tamper detection, and white- or blacklisting. The authors discuss the process of whitelisting normalized executables on a page level with the help of a golden image baseline. ...
... Thus, our approach does not depend on critical system related structures, the manual adaptation of signatures or the specification of any alignment properties. Using approximate matching for memory forensics is not new and was already discussed where most researchers questioned the applicability and runtime efficiency of those algorithms [9,31,23]. We discuss the application of approximate matching in the scope of memory carving and release a prototype implementation which shows good computational performance. ...
... Process implanting [47] proposed hijacking a process running within the guest from the hypervisor. To provide stealth, the hypervisor does not create a new process within the guest, but rather substitutes the image of an existing process with the image of the program that is injected, a technique also known as process hollowing used by rootkits [126]. As a consequence, whenever the victim process is scheduled, the guest system will actually execute the injected program instead of the original process. ...
Article
Malware is one of the biggest security threats today, and deploying effective defensive solutions requires the collection and rapid analysis of a continuously increasing number of samples. The collection and analysis are greatly complicated by the proliferation of metamorphic malware, as the efficacy of signature-based static analysis systems is greatly reduced. While honeypots and dynamic malware analysis have been effectively deployed to combat the problem, significant challenges remain. The rapidly increasing number of malware samples poses a particular challenge, as it greatly inflates the cost of the hardware required to process the influx. As modern malware also deploys anti-debugging and obfuscation techniques, the time it takes to formulate effective solutions is further extended. There is a clear need for effective scalability in automated malware collection and analysis. At the same time, modern malware can both detect the monitoring environment and hide in unmonitored corners of the system. It has also been observed that malware modifies its run-time behavior to lead the analysis system astray when it detects a monitoring environment. Consequently, it is critical to create a stealthy environment that hides the presence of the data collection from the external attacker. Such systems also need to isolate critical system components from the executing malware sample while keeping the concurrent collection and analysis sessions separate. Furthermore, the fidelity of the collected data is essential for effective dynamic analysis. As rootkits now employ a variety of techniques to hide their presence on a system, the broader the scope of data collection, the more likely the analysis will reveal useful features. Over the last decade hardware virtualization has been proposed to develop such tools, with promising results.
In this dissertation we present a systematic evaluation of hardware virtualization as an underlying technology to construct effective malware collection and analysis systems. The evaluation is realized via the combination of four distinct objectives such systems need to fulfill: scalability, stealth, fidelity and isolation.
Article
This paper introduces a new approach for examining and analyzing fileless malware artifacts in computer memory. The proposed approach offers the distinct advantage of conducting a comprehensive live analysis of memory without the need for periodic memory dumping. Once a new process arrives, log files are collected by monitoring the Event Tracing for Windows facility as well as listing the executables of the active process for violation detection. The proposed approach significantly reduces detection time and minimizes resource consumption by adopting parallel computing (programming), where the main software (Master) divides the work, organizes the process of searching for artifacts, and distributes tasks to several agents. A dataset of 17411 malware samples is used in the assessment of the new approach. It provided satisfactory and reliable results in dealing with at least six different process injection techniques including classic DLL injection, reflective DLL injection, process hollowing, hook injection, registry modifications, and .NET DLL injection. The detection accuracy rate has reached 99.93% with a false-positive rate of 0.068%. Moreover, the accuracy was monitored in the case of launching several malwares using different process injection techniques simultaneously, and the detector was able to detect them efficiently. Also, it achieved a detection time with an average of 0.052 msec per detected malware.
Article
Memory forensics is useful to provide a fast triage on running processes at the time of memory acquisition in order to avoid unnecessary forensic analysis. However, due to the effects of the execution of the process itself, traditional cryptographic hashes, normally used in disk forensics to identify files, are unsuitable in memory forensics. Similarity digest algorithms allow an analyst to compute a similarity score of inputs that can be slightly different. In this paper, we focus on the issues caused by relocation of Windows processes and system libraries when computing similarities between them. To overcome these issues, we introduce two methods (Guided De-relocation and Linear Sweep De-relocation) to pre-process a memory dump. The goal of both methods is to identify and undo the effect of relocation in every module contained in the dump, providing sanitized inputs to similarity digest algorithms that improve similarity scores between modules. Guided De-relocation relies on specific structures of the Windows PE format, while Linear Sweep De-relocation relies on a disassembling process to identify assembly instructions having memory operands that address the memory range of the module. We have integrated both methods in a Volatility plugin and evaluated them in different scenarios. Our results demonstrate that pre-processing memory dumps with these methods significantly improves similarity scores between memory modules.
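Both the source publication (page-level hashing of normalized executables against a golden image, as the citing text describes for White et al.) and the de-relocation paper above hinge on the same step: undoing what the loader did to a module before comparing it with its on-disk copy. The following added example (not the code of either paper) shows that step on a constructed toy image. The image format, the preferred base 0x00400000, the load base 0x00510000, the relocation offsets and both attacker modifications are assumptions made for the example; the image carries 32-bit absolute pointers at the offsets listed in a toy relocation table, in the spirit of HIGHLOW entries in a PE .reloc section. Three comparison modes are run: raw hashes, zeroing of every relocation slot (base-independent, the normalization idea), and guided de-relocation by subtracting the load delta. The last mode is the one that keeps an overwritten pointer visible, which zeroing cannot.

```python
"""Page-level SHA-256 comparison of an in-memory module against its on-disk copy,
with relocation normalization. Added example on a constructed toy image; the
layout, bases and relocation offsets below are assumptions, not PE parsing."""
import hashlib
import struct

PAGE_SIZE = 0x1000
IMAGE_PAGES = 3
PREFERRED_BASE = 0x00400000                      # assumed ImageBase of the toy module
RELOCS = [0x0010, 0x0FF8, 0x2004, 0x2100]        # assumed HIGHLOW slots (pages 0 and 2 only)


def build_disk_image():
    """Constructed on-disk image: deterministic filler plus absolute pointers
    at every relocation slot, all pointing inside the module."""
    img = bytearray((i * 7 + 3) & 0xFF for i in range(IMAGE_PAGES * PAGE_SIZE))
    for n, off in enumerate(RELOCS):
        struct.pack_into("<I", img, off, PREFERRED_BASE + 0x800 + n * 0x40)
    return bytes(img)


def load_image(disk, actual_base):
    """Emulate the loader: add the load delta to every relocation slot."""
    delta = (actual_base - PREFERRED_BASE) & 0xFFFFFFFF
    img = bytearray(disk)
    for off in RELOCS:
        (val,) = struct.unpack_from("<I", img, off)
        struct.pack_into("<I", img, off, (val + delta) & 0xFFFFFFFF)
    return bytes(img)


def normalize(image, mode, delta=0):
    """Undo loader effects before hashing.
    raw        : no change (hashes depend on the load base)
    zero       : blank every relocation slot (base-independent, needs no delta)
    derelocate : subtract the load delta from every slot (guided de-relocation)"""
    img = bytearray(image)
    for off in RELOCS:
        if mode == "zero":
            struct.pack_into("<I", img, off, 0)
        elif mode == "derelocate":
            (val,) = struct.unpack_from("<I", img, off)
            struct.pack_into("<I", img, off, (val - delta) & 0xFFFFFFFF)
    return bytes(img)


def page_hashes(image):
    """One SHA-256 per page, the granularity at which verification is reported."""
    return [hashlib.sha256(image[i:i + PAGE_SIZE]).hexdigest()
            for i in range(0, len(image), PAGE_SIZE)]


def mismatched_pages(disk, mem, mode, delta=0):
    """Indices of pages whose normalized hashes differ between disk and memory."""
    d = page_hashes(normalize(disk, mode, 0))     # the disk copy was never relocated
    m = page_hashes(normalize(mem, mode, delta))
    return [i for i, (a, b) in enumerate(zip(d, m)) if a != b]


def verify_scenarios():
    """Run the three modes over a clean load and two constructed tamperings."""
    disk = build_disk_image()
    base = 0x00510000                             # assumed actual load address
    delta = base - PREFERRED_BASE
    clean = load_image(disk, base)

    hooked = bytearray(clean)                     # inline hook: 5-byte jmp patched into page 1
    hooked[0x1200:0x1205] = b"\xE9\x00\x10\x00\x00"

    hijacked = bytearray(clean)                   # pointer in a relocation slot redirected elsewhere
    struct.pack_into("<I", hijacked, 0x2100, 0x7FFE0000)

    results = {}
    for name, img in (("clean", clean), ("hooked", bytes(hooked)), ("hijacked", bytes(hijacked))):
        results[name] = {mode: mismatched_pages(disk, img, mode, delta)
                         for mode in ("raw", "zero", "derelocate")}
    return results


if __name__ == "__main__":
    for name, modes in verify_scenarios().items():
        print(name, modes)
```

The raw mode flags every page that merely contains a relocated pointer, which is the noise the normalization in the source publication removes. Zeroing the slots removes it but also blinds the check to the hijacked pointer in page 2; subtracting the delta restores the original values for untouched slots while an overwritten slot still fails to match. Imports and other loader-patched fields need the same treatment in a real module, and mapped image pages that the OS itself modifies (the caveat raised in the citing text above) remain a source of benign mismatches.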