National Congress of Criminalistics 2017
By Alexandre Borges
http://www.blackstormsecurity.com
MEMORY ANALYSIS: UNDERSTANDING MALWARES AND INCIDENTS THROUGH THE MEMORY
ALEXANDRE BORGES – IT IS NOT ALLOWED TO COPY OR REPRODUCE THIS SLIDE.
PROFILE AND TOC
TOC:
• Introduction
• Memory Acquisition
• Memory Analysis
• Example 1
• Example 2
• Thank you.
• Malware and Security Researcher.
• Consultant, Instructor and Speaker on Malware
Analysis, Memory Analysis, Digital Forensics,
Rootkits and Software Exploitation.
• Instructor at Oracle, (ISC)2 and EC-Council. Ex-
instructor at Symantec.
• Member of Digital Law and Compliance Committee
(CDDC / SP)
• Member of the CHFI Advisory Board in EC-Council.
• Reviewer for The Journal of Digital Forensics, Security and Law
• Referee for Digital Investigation: The International Journal of Digital Forensics & Incident Response
• Author of the book “Oracle Solaris Advanced Administration”
INTRODUCTION
• When handling an infection case, we can follow this approach:
• Interview and photos of the physical environment
• Memory acquisition
• Incident response commands (live triage)
• Disk image acquisition
• Network packet capture
• Analysis
• Report
INTRODUCTION
• Malware analysis stages:
• Basic static analysis
• Basic dynamic analysis
• Memory analysis
• Advanced static and dynamic analysis (IDA Pro / radare2 + debugging in ring 3 and ring 0)
INTRODUCTION
• Unfortunately, several anti-analysis techniques (often grouped under the label “anti-forensics”) make our analysis more complicated, such as:
• Anti-VM
• Anti-disassembly
• Packers
• Instruction virtualization
• Anti-debugging
• Obfuscation
INTRODUCTION
• Nevertheless, when working on real incidents, the main question is still:
Where is the malware?
INTRODUCTION
• What memory analysis can reveal:
• Hidden and terminated processes
• Hidden services
• Hidden DLLs
• Hidden sockets
• Kernel modules
• Internet history
• Registry keys that exist only in memory (volatile keys such as HKLM\HARDWARE)
• Passwords
• Shell history
INTRODUCTION
Diagram (slide 9): a doubly linked list of three entries, 101, 102 and 103, each carrying a flink (forward) and blink (backward) pointer, drawn in both directions (101 → 102 → 103 and 103 → 102 → 101). Process enumeration walks a list of exactly this shape, so an entry that has been unlinked from it is hidden from the walk while the object itself remains in memory.
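The diagram above is the whole story behind hidden processes: unlinking an entry from the flink/blink chain hides it from anything that walks the list, but the object is still in physical memory and can be found by scanning for it. The following added example (written for this page, not code from the talk or from Volatility) builds a constructed memory image containing three list entries with the same 101/102/103 numbers, unlinks one of them the way a DKOM rootkit does, and then compares a list walk (the pslist approach) with a pool-tag scan (the psscan approach). The object layout, the "Proc" tag and all offsets are assumptions made for the demo, not the real _EPROCESS layout.

```python
import struct

# Toy layout of one process object inside a constructed "physical memory" image.
# These offsets are an assumption for the demo, not the real _EPROCESS layout:
#   +0  pool tag (4 bytes)  +4 pid (u32)  +8 Flink (u32)  +12 Blink (u32)  +16 name (16 bytes)
POOL_TAG = b"Proc"
HEAD_TAG = b"HEAD"
OBJ_SIZE = 32


def build_image(procs, base=0x1000):
    """Lay out `procs` (list of (pid, name)) as a circular doubly linked list whose
    list head sits at `base`. Returns (memory, head_offset)."""
    mem = bytearray(base + OBJ_SIZE * (len(procs) + 1))
    slots = [base + OBJ_SIZE * i for i in range(len(procs) + 1)]   # slot 0 is the head
    for i, off in enumerate(slots):
        flink = slots[(i + 1) % len(slots)]
        blink = slots[(i - 1) % len(slots)]
        if i == 0:
            mem[off:off + 4] = HEAD_TAG
        else:
            pid, name = procs[i - 1]
            mem[off:off + 4] = POOL_TAG
            struct.pack_into("<I", mem, off + 4, pid)
            mem[off + 16:off + 32] = name.encode()[:16].ljust(16, b"\0")
        struct.pack_into("<II", mem, off + 8, flink, blink)
    return mem, base


def links(mem, off):
    return struct.unpack_from("<II", mem, off + 8)


def pid_at(mem, off):
    return struct.unpack_from("<I", mem, off + 4)[0]


def unlink(mem, off):
    """DKOM-style hiding: make the neighbours point at each other. The object is
    untouched and stays in memory; it is merely no longer reachable from the head."""
    flink, blink = links(mem, off)
    struct.pack_into("<I", mem, blink + 8, flink)    # prev.Flink = next
    struct.pack_into("<I", mem, flink + 12, blink)   # next.Blink = prev
    struct.pack_into("<II", mem, off + 8, off, off)  # self-loop so a later unlink does not crash


def pslist(mem, head):
    """Walk Flink from the list head: the view the OS and list-walking tools give."""
    pids, seen, off = [], set(), links(mem, head)[0]
    while off != head and off not in seen:     # `seen` guards against a corrupted loop
        seen.add(off)
        pids.append(pid_at(mem, off))
        off = links(mem, off)[0]
    return pids


def psscan(mem, align=4):
    """Scan the whole image for the pool tag, ignoring the links entirely."""
    return [pid_at(mem, off) for off in range(0, len(mem) - OBJ_SIZE + 1, align)
            if mem[off:off + 4] == POOL_TAG]


def hidden_processes(mem, head):
    """Cross-view check: anything the scan finds that the walk does not is hidden."""
    return sorted(set(psscan(mem)) - set(pslist(mem, head)))


if __name__ == "__main__":
    # Constructed scenario matching the diagram: 101 <-> 102 <-> 103, then hide 102.
    mem, head = build_image([(101, "explorer.exe"), (102, "svchost.exe"), (103, "notepad.exe")])
    unlink(mem, head + 2 * OBJ_SIZE)
    print("pslist :", pslist(mem, head))             # [101, 103]
    print("psscan :", psscan(mem))                   # [101, 102, 103]
    print("hidden :", hidden_processes(mem, head))   # [102]
```

The same cross-view idea (walk a list, scan for the objects, diff the two) is what Volatility's psxview does across several process views at once; the scan side is the reason unlinking alone does not defeat memory forensics.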
INTRODUCTION
• Listening sockets and established connections.
Diagram (slide 10): a linked list of socket/connection entries, with one entry being inserted and another being deleted.
INTRODUCTION
• Why should we use memory forensic analysis?
• Most of the time, we do not know where the malware is.
• Much of the information that can be recovered from memory exists neither on disk nor on the network.
• In memory, malware has few protections: to run, it must already be unpacked and decrypted.
• Modern malware can operate only in memory (Duqu 2).
MEMORY ACQUISITION
• Interesting sources of memory evidence include:
• RAM
• Hibernation files
• Crash dumps (complete)
• Page files
HTTP://ALEXANDREBORGES.ORG
MEMORY ACQUISITION
• Page files
• Do you know how to list all page files of a Windows system? They are recorded in the PagingFiles value under HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management (remember: Windows supports up to 16 page files).
• Hibernation files
• Compressed: we need to decompress it to obtain raw memory (no headers and no CPU registers/state)
• Hibernation is usually enabled
• Sometimes the file is not zeroed out after a laptop resumes.
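To answer the question on the slide concretely: the page files are enumerated by the PagingFiles value (a REG_MULTI_SZ) under the Memory Management key. The following added example, written for this page and not part of the talk, parses that value into structured entries and, on a live Windows host, reads it with winreg; on a memory image the same key can be read with Volatility's printkey plugin. The sample value is constructed, and the interpretation of "0 0" as system-managed size and of a "?:" drive letter as system-chosen volume is stated as an assumption in the comments.

```python
import re

# PagingFiles is a REG_MULTI_SZ under
# HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management.
# Each string is "<path> [<initial MB> <maximum MB>]".
# Assumptions for this demo: "0 0" means the size is system-managed, and a "?:"
# drive letter means Windows also chooses the volume (automatic management).
PAGING_FILES_KEY = r"SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management"
MAX_PAGE_FILES = 16   # the limit the slide mentions

# Constructed sample value; not read from any real machine.
SAMPLE_PAGING_FILES = [r"C:\pagefile.sys 4096 8192", r"D:\pagefile.sys 0 0", r"?:\pagefile.sys"]

ENTRY = re.compile(r"^(?P<path>\S+)(?:\s+(?P<initial>\d+)\s+(?P<maximum>\d+))?\s*$")


def parse_paging_files(values):
    """Turn the PagingFiles strings into dicts an examiner can act on
    (which files to collect, and which may be sized by the system)."""
    entries = []
    for raw in values:
        raw = raw.strip()
        if not raw:
            continue
        m = ENTRY.match(raw)
        if not m:
            raise ValueError("unrecognised PagingFiles entry: %r" % raw)
        initial, maximum = m.group("initial"), m.group("maximum")
        entries.append({
            "path": m.group("path"),
            "drive_chosen_by_system": m.group("path").startswith("?:"),
            "initial_mb": int(initial) if initial else 0,
            "maximum_mb": int(maximum) if maximum else 0,
            "system_managed_size": not initial or (int(initial) == 0 and int(maximum) == 0),
        })
    if len(entries) > MAX_PAGE_FILES:
        raise ValueError("Windows supports at most %d page files" % MAX_PAGE_FILES)
    return entries


def read_paging_files_live():
    """On a live Windows host read the value with winreg; elsewhere return None."""
    try:
        import winreg
    except ImportError:
        return None
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, PAGING_FILES_KEY) as key:
        values, _ = winreg.QueryValueEx(key, "PagingFiles")
    return parse_paging_files(values)


if __name__ == "__main__":
    for entry in read_paging_files_live() or parse_paging_files(SAMPLE_PAGING_FILES):
        print(entry)
```

A page file sized "0 0" still exists on disk and may hold swapped-out malware pages; that is why the acquisition command later in this deck passes --force_pagefiles, which collects page files even when they report zero usage.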
MEMORY ACQUISITION
• Crash dump
• It should be a complete memory dump (not a kernel memory dump or a small dump).
• Usually it does not include device memory regions.
• Usually it does not include the first physical page (page 0, which holds the real-mode interrupt vector table and BIOS data area).
• It may be subverted by malware that has registered a bug check callback (KeRegisterBugCheckCallback), since such callbacks run at crash time.
MEMORY ACQUISITION
• Excellent tools for memory acquisition are:
• Surge Collect Pro from Volexity (mainly Windows 10 and Windows Server 2016)
• F-Response
• KnTDD from the KnTTools package (unfortunately, its author George M. Garner Jr. passed away last July, at 61)
MEMORY ACQUISITION
• Memoryze
• FTK Imager
• Belkasoft Live RAM Capturer
• MoonSols
• LiME – Linux Memory Extractor
• Hardware devices
MEMORY ACQUISITION
Acquire memory and other important files by running the following command:
E:\dumps> kntdd.exe -v -o win7mem.bin --log --cryptsum sha_512 --pagefiles --force_pagefiles --4gplus --cert alexandre.borges.cer --comp gzip --case alex001
MEMORY ACQUISITION
• Where:
• -v verbose mode.
• -o output file.
• --log sends the log output to a file.
• --cryptsum generates checksums of the image with the specified algorithm (here sha_512).
• --pagefiles acquires the system page files.
MEMORY ACQUISITION
• --force_pagefiles acquires all system page files, including those that report zero current and peak usage.
• --4gplus acquires “unmanaged” memory above 4 GB.
• --comp compresses the output (possible values: zlib, gzip, bzip2, lznt1, zlib+, gzip+, lznt1+).
• --cert digital certificate used to encrypt the output files.
• --case case number.
MEMORY ACQUISITION
E:\Dumps\{40D335F2-A504-4A68-97AB-49A8F72F8DA5}\> dir
09/30/2017 06:37 PM 934 win7mem.bin.dumpheader.gz.kpg
09/30/2017 06:37 PM 1,112,025,286 win7mem.bin.gz.kpg
09/30/2017 06:37 PM 7,734 win7mem.log.kpg
09/30/2017 06:37 PM 1,021,030 win7mem.user_system_state.xml.kpg
09/30/2017 06:37 PM 7,558 win7mem.xml.kpg
09/30/2017 06:37 PM <DIR> WINDOWS
MEMORY ACQUISITION
• KnTDD has acquired the physical memory dump, the page files, a log, the user/system state and the hashes.
• A few critical OS files such as ntoskrnl.exe, ndis.sys and tcpip.sys are usually collected as well (the WINDOWS directory above).
• On the forensic workstation, decrypt the files with the following command:
C:\> kntencrypt.exe -v -d --cert alexandre.borges.cer "E:\Dumps\{40D335F2-A504-4A68-97AB-49A8F72F8DA5}\*"
MEMORY ACQUISITION
• Decompress the evidence files by running the following command:
C:\> dd.exe -v if="E:\Dumps\{40D335F2-A504-4A68-97AB-49A8F72F8DA5}\*" of=decompressed\ --decomp gzip --sparse --localwrt
Where:
if files to be decompressed
of directory in which to save the decompressed files
--decomp algorithm used to decompress the files
--sparse output files are recompressed using NTFS file compression
--localwrt enables writing output to a local fixed drive.
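Once the image is decrypted and decompressed, the examiner should confirm that what is about to be analysed is what was acquired, using the checksum that --cryptsum recorded. The following added example is written for this page (it is not KnTDD's or dd.exe's code) and assumes that the recorded SHA-512 is the digest of the raw, decompressed image; it streams a gzip member through SHA-512 in fixed-size chunks, so a multi-gigabyte dump never has to be held in memory, and compares the result with the recorded digest. The image bytes are a constructed stand-in, not a real dump.

```python
import gzip
import hashlib
import io

# Constructed stand-in for an acquired image: a marker followed by 64 KiB of
# filler. The real win7mem.bin.gz is about 1 GB; only the size differs.
RAW_IMAGE = b"KNTDEMO\0" + b"\x00" * (64 * 1024 - 8)


def sha512_of_stream(fileobj, chunk_size=1 << 20):
    """Hash a file object of any size in fixed-size chunks."""
    digest = hashlib.sha512()
    for block in iter(lambda: fileobj.read(chunk_size), b""):
        digest.update(block)
    return digest.hexdigest()


def sha512_of_gzip(gz_bytes):
    """Stream-decompress a gzip member and hash the raw content it contains."""
    with gzip.GzipFile(fileobj=io.BytesIO(gz_bytes)) as raw:
        return sha512_of_stream(raw)


def verify_image(gz_bytes, expected_sha512):
    """Compare the digest of the decompressed image with the one recorded at
    acquisition time (assumed here to be the --cryptsum sha_512 value).
    Returns (ok, actual_digest) so the actual value can go into the report."""
    actual = sha512_of_gzip(gz_bytes)
    return actual.lower() == expected_sha512.lower(), actual


def make_sample():
    """Produce the compressed sample and the digest the acquisition would record."""
    return gzip.compress(RAW_IMAGE), hashlib.sha512(RAW_IMAGE).hexdigest()


if __name__ == "__main__":
    gz, recorded = make_sample()
    ok, actual = verify_image(gz, recorded)
    print("image verified" if ok else "MISMATCH", actual)
```

Record both the expected and the actual digest in the case notes; a mismatch after --decomp most often means a truncated copy, but it is also exactly what tampering in transit would look like, so the image should not be analysed until the discrepancy is explained.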
MEMORY ACQUISITION
Using RamCapture by Belkasoft:
C:\RamCapturer> dir
09/29/2017 05:29 AM 148,192 RamCapture64.exe
09/29/2017 05:29 AM 13,344 RamCaptureDriver64.sys
MEMORY ANALYSIS
• Volatility (https://github.com/volatilityfoundation/volatility) was developed by Michael Ligh, Jamie Levy, Andrew Case and Aaron Walters.
• Supports Windows, Linux and Mac memory images (32-bit and 64-bit).
• Four ways to install it:
• standalone executable
• Python package
• source code
• git clone https://github.com/volatilityfoundation/volatility.git
• The examples that follow use Volatility 2.6 (vol.py), installed under /root/volatility26 on a Kali box.
MEMORY ANALYSIS – EXAMPLE 1
root@kali:~# /root/volatility26/vol.py -f /mnt/hgfs/VMs/MALWARE1.vmem apihooks
MEMORY ANALYSIS – EXAMPLE 1
• When a driver has finished all processing for a given IRP, it calls IoCompleteRequest. The I/O manager checks the IRP to determine whether any higher-level drivers have set up an IoCompletion routine for it; if so, each IoCompletion routine is called in turn until every layered driver in the chain has completed the IRP. A hook on this function therefore sees every completed I/O request, which is why an unexpected hook on it deserves investigation.
VOID IoCompleteRequest(
_In_ PIRP Irp,
_In_ CCHAR PriorityBoost
);
MEMORY ANALYSIS – EXAMPLE 1
root@kali:/tmp# strings -el driver.8643b000.sys
\Driver
svchost.exe
\DosDevices\%s
\Device\%s
{9DD6AFA1-8646-4720-836B-EDCB1085864A}
RulesData
(driver.8643b000.sys is the kernel module dumped from the image at base address 0x8643b000; -el extracts 16-bit little-endian, i.e. UTF-16, strings, which is how Windows drivers store device and symbolic-link names.)
MEMORY ANALYSIS – EXAMPLE 1
root@kali:~# /root/volatility26/vol.py -f /mnt/hgfs/VMs/MALWARE1.vmem rootkitscanner
MEMORY ANALYSIS – EXAMPLE 1
root@kali:~# /root/volatility26/vol.py -f /mnt/hgfs/VMs/MALWARE1.vmem svcscan -v | grep -B5 -A4 -i hqyigk
Offset: 0x38bb98
Order: 280
Start: SERVICE_AUTO_START
Process ID: -
Service Name: hqyigk
Display Name: hqyigk
Service Type: SERVICE_KERNEL_DRIVER
Service State: SERVICE_STOPPED
Binary Path: -
ServiceDll:
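The record above is the kind of thing worth a rule rather than a grep: a kernel-driver service that is set to auto-start yet has no binary path cannot be tied to any file on disk. The following added example (written for this page, not part of the talk or of Volatility) parses svcscan -v records into dicts and applies that check, plus the user-mode equivalent. The input is a constructed sample: the hqyigk record from the slide, followed by a made-up benign tcpip.sys record for contrast.

```python
import re

# Constructed sample in the format of `vol.py svcscan -v`: the hqyigk record from
# the slide plus a benign driver record invented for contrast.
SVCSCAN_SAMPLE = r"""Offset: 0x38bb98
Order: 280
Start: SERVICE_AUTO_START
Process ID: -
Service Name: hqyigk
Display Name: hqyigk
Service Type: SERVICE_KERNEL_DRIVER
Service State: SERVICE_STOPPED
Binary Path: -
ServiceDll:

Offset: 0x38c2a0
Order: 281
Start: SERVICE_BOOT_START
Process ID: -
Service Name: Tcpip
Display Name: TCP/IP Protocol Driver
Service Type: SERVICE_KERNEL_DRIVER
Service State: SERVICE_RUNNING
Binary Path: \SystemRoot\System32\drivers\tcpip.sys
ServiceDll:
"""

FIELD = re.compile(r"^([A-Za-z ]+):\s*(.*)$")


def parse_svcscan(text):
    """Split `svcscan -v` output into one dict per service record. A record starts
    at every 'Offset:' line, so the parser does not depend on blank separators
    (grep -A/-B output, as on the slide, has none)."""
    records, current = [], None
    for line in text.splitlines():
        m = FIELD.match(line.strip())
        if not m:
            continue
        key, value = m.group(1).strip(), m.group(2).strip()
        if key == "Offset":
            current = {}
            records.append(current)
        if current is not None:
            current[key] = value
    return records


def suspicious_services(records):
    """Return (service name, offset, reasons) for records that deserve a closer look.
    Two deliberately simple rules: a kernel driver with no binary path cannot be
    matched to a file on disk, and a Win32 service must name a binary or a ServiceDll."""
    findings = []
    for r in records:
        reasons = []
        path = r.get("Binary Path", "-") or "-"
        dll = r.get("ServiceDll", "")
        kind = r.get("Service Type", "")
        if kind == "SERVICE_KERNEL_DRIVER" and path == "-":
            reasons.append("kernel driver with no binary path")
        if kind.startswith("SERVICE_WIN32") and path == "-" and not dll:
            reasons.append("win32 service with neither binary path nor ServiceDll")
        if reasons:
            findings.append((r.get("Service Name", "?"), r.get("Offset", "?"), reasons))
    return findings


if __name__ == "__main__":
    for name, offset, reasons in suspicious_services(parse_svcscan(SVCSCAN_SAMPLE)):
        print("%s @ %s: %s" % (name, offset, "; ".join(reasons)))
```

Run it over the full svcscan -v output rather than a grep of one name; the point of the rule is to surface services you did not already know to look for.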
MEMORY ANALYSIS – EXAMPLE 1
We now have the driver module dumped from memory, ready for further analysis in IDA Pro...
MEMORY ANALYSIS – EXAMPLE 1
• Callbacks are a kind of “modern hook”: the kernel keeps a list of the modules to be called when a specified event occurs, so a callbacks listing tells us which kernel module will run on that event. Unlike patched code or tables, they are safe on multicore systems.
• For example, PsSetCreateThreadNotifyRoutine registers a routine that is called every time a thread is created or deleted.
MEMORY ANALYSIS – EXAMPLE 1
root@kali:/tmp/vaddump# ls | grep f80000
svchost.exe.661e6e8.0x00f80000-0x00f88fff.dmp
root@kali:/tmp/vaddump# strings -a svchost.exe.661e6e8.0x00f80000-0x00f88fff.dmp > /tmp/strings.txt
root@kali:/tmp/vaddump# strings -el svchost.exe.661e6e8.0x00f80000-0x00f88fff.dmp >> /tmp/strings.txt
(The file is the vaddump output for the svchost.exe region 0x00f80000–0x00f88fff; -a scans the whole file rather than only loadable sections, and -el adds the 16-bit little-endian, i.e. UTF-16, strings.)
MEMORY ANALYSIS – EXAMPLE 1
root@kali:/tmp# cat strings.txt
cmd.exe /C
\drivers\
main.dll
.bdata
POST
Content-Type: application/x-www-form-urlencoded
rexec
lexec
http
xWINXP_380EED8C
C:\WINDOWS\system32\drivers\str.sys
MEMORY ANALYSIS – EXAMPLE 1
SSDT (System Service Descriptor Table) picture (slide 56). The diagram shows the system-call path: a user-mode INT 2E or SYSENTER lands in KiSystemService() in kernel mode, which indexes the service descriptor tables. There are four descriptor slots: SSDT #1 is the Native SSDT (ntoskrnl.exe), SSDT #2 is the GUI SSDT (win32k.sys), and SSDT #3 and SSDT #4 are not used. Each descriptor holds a Service Table, a Counter Table, a Service Limit and an Arguments Table; the Service Table is the Native Functions Table (Function 1 … Function n, implemented in ntoskrnl.exe) or the GUI Functions Table (Function 1 … Function n, implemented in win32k.sys).
MEMORY ANALYSIS – EXAMPLE 1
• Remember that since Windows 8.1 x64 there is no _ETHREAD.Tcb.ServiceTable member anymore (as there was on 32-bit Windows XP).
• Therefore, to enumerate the SSDT it is necessary to disassemble the nt!KeAddSystemServiceTable function and extract the RVAs (relative virtual addresses) of the KeServiceDescriptorTable and KeServiceDescriptorTableShadow symbols.
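However the tables are located, the check that follows is the same for SSDT entries and for the callback routines discussed earlier: resolve each pointer to the loaded module that contains it. A native SSDT entry should point into ntoskrnl.exe and a GUI SSDT entry into win32k.sys; a callback routine that lies in no loaded module at all points at code from a hidden or unlinked driver. The following added example (written for this page; not Volatility's ssdt or callbacks plugin) implements that resolution over a constructed 32-bit module map with made-up addresses, and serves both the callbacks passage and the SSDT passage above.

```python
from collections import namedtuple

Module = namedtuple("Module", "name base size")

# Constructed 32-bit module map; the base addresses and sizes are made up for the demo.
MODULES = [
    Module("ntoskrnl.exe", 0x804D7000, 0x1F8000),
    Module("win32k.sys",   0xBF800000, 0x1C0000),
    Module("tcpip.sys",    0xB2A00000, 0x0A0000),
]

# Which module legitimately owns each descriptor table (see the SSDT picture):
# table 0 is the native SSDT in ntoskrnl.exe, table 1 the GUI SSDT in win32k.sys.
TABLE_OWNER = {0: "ntoskrnl.exe", 1: "win32k.sys"}


def module_for_address(addr, modules=MODULES):
    """Name of the loaded module containing `addr`, or None if no module does."""
    for m in modules:
        if m.base <= addr < m.base + m.size:
            return m.name
    return None


def check_ssdt(table_index, entries, modules=MODULES):
    """Return (index, address, owner) for every service-table entry that does not
    point into the module owning that table. `entries` is the Service Table in
    index order; a replaced pointer is the classic SSDT hook."""
    expected = TABLE_OWNER[table_index]
    findings = []
    for i, addr in enumerate(entries):
        owner = module_for_address(addr, modules)
        if owner != expected:
            findings.append((i, addr, owner or "UNKNOWN"))
    return findings


def check_callbacks(callbacks, modules=MODULES):
    """`callbacks`: (callback type, routine address) pairs as a callbacks listing
    gives them. Returns (type, address, "UNKNOWN") for routines that live outside
    every known module, which is where an unlinked or hidden driver's code shows up."""
    return [(kind, addr, "UNKNOWN") for kind, addr in callbacks
            if module_for_address(addr, modules) is None]


# Constructed samples: five native entries, one redirected into tcpip.sys and one
# into unmapped memory; three callbacks, one of them in no known module.
SAMPLE_SSDT = [0x805B2E1C, 0x805C3F40, 0x805D1A10, 0xB2A01234, 0x80601000, 0xF8A00000]
SAMPLE_CALLBACKS = [
    ("PsSetCreateThreadNotifyRoutine", 0x804E1000),
    ("PsSetCreateProcessNotifyRoutine", 0xF8A02000),
    ("IoRegisterShutdownNotification", 0xB2A05000),
]


if __name__ == "__main__":
    for index, addr, owner in check_ssdt(0, SAMPLE_SSDT):
        print("SSDT[%d] -> 0x%08x owned by %s" % (index, addr, owner))
    for kind, addr, owner in check_callbacks(SAMPLE_CALLBACKS):
        print("%s -> 0x%08x owned by %s" % (kind, addr, owner))
```

An entry resolved to a legitimate third-party driver (the tcpip.sys case here) is not automatically malicious, security products hook the same tables, but it is still the analyst's job to name the module and explain why it is there; the UNKNOWN case has no such explanation and goes to the top of the list.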
MEMORY ANALYSIS – EXAMPLE 1
(slide 59: disassembly of nt!KeAddSystemServiceTable with the RVAs for KeServiceDescriptorTable and KeServiceDescriptorTableShadow highlighted)
MEMORY ANALYSIS – EXAMPLE 2
(slides 61–94 are screenshots of the second walkthrough; no text from them survives in this transcript)
REMEMBER
We are always in CONTROL...
ALMOST FINISHING...
THANK YOU FOR ATTENDING MY LECTURE!
LinkedIn: http://www.linkedin.com/in/aleborges
Twitter: @ale_sp_brazil
Site: http://www.blackstormsecurity.com
E-mail: [email protected]