
Malware Analysis Using Volatility - Part 2

THE ARCHITECTURE OF THE GUI WINDOWS SYSTEM FROM THE FORENSICS POINT OF VIEW 

In this module:

    ➡ The use of the Volatility plugins for forensic analysis of the Windows system.

    ➡ How to extract evidence from a Windows GUI subsystem.

    ➡ Try to identify hidden processes.

    ➡ Identifying kernel drivers.

    ➡ Exploring the plugins to collect evidence.

To cover the topics of Module 2 we will explore a classic example of malware
forensics. First we find out the profile of the memory sample. From that point we
use some Volatility commands to understand the flow the malware infection
causes on the victim machine.

We start from the assumption that we have no information about the image that we
received to analyze. So we use imageinfo (the kdbgscan command can also be used)
to determine the profile of the operating system associated with this image.

Next we use the pslist command to extract evidence from the processes listed in memory, looking for priority processes or any evidence of infection.

Run pslist

    ➡ In Windows:
         vol.exe pslist --profile=WinXPSP3x86 -f stuxnet.vmem

    ➡ In Kali Linux 2016.1:
         volatility pslist --profile=WinXPSP3x86 -f /root/forensics/stuxnet.vmem

    ➡ If you want, set an environment variable (Linux):
         export VOLATILITY_LOCATION=file:///root/forensics/stuxnet.vmem
         export VOLATILITY_PROFILE=WinXPSP3x86

The _EPROCESS and PEB in Windows Memory (see [2], p. 219)

Pslist output

The output of the pslist plugin shows us some important information. The winlogon.exe process (PID 624) is the parent process (PPID) of lsass.exe (PID 680). But there are two more lsass.exe processes (PID 868 and 1928) whose parent process is services.exe (PPID 668). In a normal situation, Windows initializes only one instance of lsass.exe, created by winlogon.exe. In this case, we have two further instances of lsass.exe created by services.exe [1].

Psscan plugin: searching for hidden processes

vol.exe psscan --profile=WinXPSP2x86 -f xplaptop.img

The offset address must be used to search for hidden processes.

Time exited shows whether a process has terminated.
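The two checks described above (an lsass.exe whose parent is not winlogon.exe, and psscan entries that pslist does not show), as an added example that is not part of the original post. It assumes pslist was run with -P so both listings carry physical offsets; the sample rows are constructed, and only the PID/PPID values of winlogon.exe, services.exe and lsass.exe are taken from the text.

```python
import re

# Constructed sample rows in Volatility 2 column order. Only the PID/PPID values of
# winlogon.exe, services.exe and lsass.exe come from the text; the rest is invented.
PSLIST = """\
Offset(P)  Name          PID  PPID Thds Hnds Sess Wow64 Start
0x02000030 winlogon.exe  624   376   19  570    0     0 2010-01-01 00:00:02 UTC+0000
0x02000040 services.exe  668   624   21  431    0     0 2010-01-01 00:00:03 UTC+0000
0x02000050 lsass.exe     680   624   19  342    0     0 2010-01-01 00:00:03 UTC+0000
0x02000060 lsass.exe     868   668    2   23    0     0 2010-01-01 00:09:10 UTC+0000
0x02000070 lsass.exe    1928   668    4   65    0     0 2010-01-01 00:09:12 UTC+0000
"""
PSSCAN = """\
Offset(P)  Name          PID  PPID PDB        Time created                 Time exited
0x02000030 winlogon.exe  624   376 0x0a940060 2010-01-01 00:00:02 UTC+0000
0x02000040 services.exe  668   624 0x0a940080 2010-01-01 00:00:03 UTC+0000
0x02000050 lsass.exe     680   624 0x0a9400a0 2010-01-01 00:00:03 UTC+0000
0x02000060 lsass.exe     868   668 0x0a9400c0 2010-01-01 00:09:10 UTC+0000
0x02000070 lsass.exe    1928   668 0x0a9400e0 2010-01-01 00:09:12 UTC+0000
0x02000080 ipconfig.exe  304   968 0x0a940100 2010-01-01 00:10:00 UTC+0000 2010-01-01 00:10:01 UTC+0000
0x02000090 unlisted.exe 1412   668 0x0a940120 2010-01-01 00:11:00 UTC+0000
"""
ROW = re.compile(r"^(0x[0-9a-fA-F]+)\s+(\S+)\s+(\d+)\s+(\d+)\s*(.*)$")
STAMP = re.compile(r"\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}")

def parse(text):
    """Turn pslist/psscan rows into dicts; header lines do not match ROW."""
    procs = []
    for m in filter(None, (ROW.match(l.strip()) for l in text.splitlines())):
        off, name, pid, ppid, rest = m.groups()
        procs.append({"offset": int(off, 16), "name": name, "pid": int(pid),
                      "ppid": int(ppid), "exited": len(STAMP.findall(rest)) == 2})
    return procs

def bad_parents(procs, child="lsass.exe", parent="winlogon.exe"):
    """PIDs of `child` processes whose parent process is not `parent`."""
    names = {p["pid"]: p["name"].lower() for p in procs}
    return [p["pid"] for p in procs
            if p["name"].lower() == child and names.get(p["ppid"]) != parent]

def scan_only(pslist, psscan):
    """psscan entries whose _EPROCESS offset is absent from the pslist output."""
    listed = {p["offset"] for p in pslist}
    return [(p["pid"], p["name"], "exited" if p["exited"] else "no exit time")
            for p in psscan if p["offset"] not in listed]

if __name__ == "__main__":
    print(bad_parents(parse(PSLIST)), scan_only(parse(PSLIST), parse(PSSCAN)))
```

A scan-only entry with an exit time is a terminated process still resident in memory; one without an exit time is a candidate for closer inspection, not proof of hiding.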

Windows XP PID and PPID

Malware behavior: stuxnet variation

The output of dlllist for lsass.exe PID 1928:










