Praise for The Art of Memory Forensics

"The best, most complete technical book I have read in years."
—Jack Crook, Incident Handler

"The authoritative guide to memory forensics."
—Bruce Dang, Microsoft

"An in-depth guide to memory forensics from the pioneers of the field."
—Brian Carrier, Basis Technology

The Art of Memory Forensics
Detecting Malware and Threats in Windows, Linux, and Mac Memory

Michael Hale Ligh
Andrew Case
Jamie Levy
AAron Walters

The Art of Memory Forensics: Detecting Malware and Threats in Windows, Linux, and Mac Memory

Published by John Wiley & Sons, Inc., 10475 Crosspoint Boulevard, Indianapolis, IN 46256, www.wiley.com

Copyright © 2014 by John Wiley & Sons, Inc., Indianapolis, Indiana. Published simultaneously in Canada.

ISBN: 978-1-118-82509-9
ISBN: 978-1-118-82504-4 (ebk)
ISBN: 978-1-118-82499-3 (ebk)

Manufactured in the United States of America.

No part of this publication may be reproduced, stored in a retrieval system or transmitted in any form or by any means, electronic, mechanical, photocopying, recording, scanning or otherwise, except as permitted under Sections 107 or 108 of the 1976 United States Copyright Act, without either the prior written permission of the Publisher, or authorization through payment of the appropriate per-copy fee to the Copyright Clearance Center, 222 Rosewood Drive, Danvers, MA 01923, (978) 750-8400, fax (978) 646-8600. Requests to the Publisher for permission should be addressed to the Permissions Department, John Wiley & Sons, Inc., 111 River Street, Hoboken, NJ 07030, (201) 748-6011, fax (201) 748-6008, or online at http://www.wiley.com/go/permissions.

Limit of Liability/Disclaimer of Warranty: The publisher and the author make no representations or warranties with respect to the accuracy or completeness of the contents of this work and specifically disclaim all warranties, including without limitation warranties of fitness for a particular purpose. No warranty may be created or extended by sales or promotional materials. The advice and strategies contained herein may not be suitable for every situation. This work is sold with the understanding that the publisher is not engaged in rendering legal, accounting, or other professional services. If professional assistance is required, the services of a competent professional person should be sought. Neither the publisher nor the author shall be liable for damages arising herefrom. The fact that an organization or Web site is referred to in this work as a citation and/or a potential source of further information does not mean that the author or the publisher endorses the information the organization or website may provide or recommendations it may make. Further, readers should be aware that Internet websites listed in this work may have changed or disappeared between when this work was written and when it is read.

For general information on our other products and services please contact our Customer Care Department within the United States at (877) 762-2974, outside the United States at (317) 572-3993 or fax (317) 572-4002.

Wiley publishes in a variety of print and electronic formats and by print-on-demand. Some material included with standard print versions of this book may not be included in e-books or in print-on-demand. If this book refers to media such as a CD or DVD that is not included in the version you purchased, you may download this material at http://booksupport.wiley.com. For more information about Wiley products, visit www.wiley.com.

Library of Congress Control Number: 2014935751

Trademarks: Wiley and the Wiley logo are trademarks or registered trademarks of John Wiley & Sons, Inc. and/or its affiliates, in the United States and other countries, and may not be used without written permission. All other trademarks are the property of their respective owners. John Wiley & Sons, Inc. is not associated with any product or vendor mentioned in this book.

To my three best friends: Suzanne, Ellis, and Miki. If I could take back the time it took to write this book, I'd spend every minute with you. Looking forward to our new house!
—Michael Hale Ligh

I would like to thank my wife, Jennifer, for her patience during my many sleepless nights and long road trips. I would also like to thank my friends and family, both in the physical and digital world, who have helped me get to where I am today.
—Andrew Case

To my family, who made me the person I am today, and especially to my husband, Tomer, the love of my life, without whose support I wouldn't be here.
—Jamie Levy

To my family for their unconditional support; to my wife, Robyn, for her love and understanding; and to Addisyn and Declan for reminding me what is truly important and creating the only memories that matter.
—AAron Walters

Credits

Executive Editor: Carol Long
Project Editor: T-Squared Document Services
Technical Editors: Golden G. Richard III, Nick L. Petroni, Jr.
Production Editor: Christine Mugnolo
Copy Editor: Nancy Sixsmith
Manager of Content Development and Assembly: Mary Beth Wakefield
Director of Community Marketing: David Mayhew
Marketing Manager: Dave Allen
Business Manager: Amy Knies
Vice President and Executive Group Publisher: Richard Swadley
Associate Publisher: Jim Minatel
Project Coordinator, Cover: Patrick Redmond
Compositor: Maureen Forys, Happenstance Type-O-Rama
Proofreaders: Jennifer Bennett, Josh Chase
Indexer: Johnna VanHoose Dinse
Cover Designer: Wiley
Cover Image: © iStock.com/Raycat

About the Authors

Michael Hale Ligh (@iMHLv2) is author of Malware Analyst's Cookbook and secretary/treasurer of the Volatility Foundation. As both a developer and reverse engineer, his focus is malware cryptography, memory forensics, and automated analysis. He has taught advanced malware and memory forensics courses to students around the world.

Andrew Case (@attrc) is digital forensics researcher for the Volatility Project responsible for projects related to memory, disk, and network forensics. He is the co-developer of Registry Decoder (a National Institute of Justice–funded forensics application) and was voted Digital Forensics Examiner of the Year in 2013. He has presented original memory forensics research at Black Hat, RSA, and many others.

Jamie Levy (@gleeda) is senior researcher and developer with the Volatility Project. Jamie has taught classes in computer forensics at Queens College and John Jay College. She is an avid contributor to the open-source computer forensics community, and has authored peer-reviewed conference publications and presented at numerous conferences on the topics of memory, network, and malware forensics analysis.

AAron Walters (@4tphi) is founder and lead developer of the Volatility Project, president of the Volatility Foundation, and chair of the Open Memory Forensics Workshop. AAron's research led to groundbreaking developments that helped shape how digital investigators analyze RAM. He has published peer-reviewed papers in IEEE and Digital Investigation journals, and presented at Black Hat, DoD Cyber Crime Conference, and American Academy of Forensic Sciences.

About the Technical Editors

Golden G. Richard III (@nolaforensix) is currently Professor of Computer Science and Director of the Greater New Orleans Center for Information Assurance at the University of New Orleans. He also owns Arcane Alloy, LLC, a private digital forensics and computer security company.

Nick L. Petroni, Jr., Ph.D., is a computer security researcher in the Washington, DC metro area. He has more than a decade of experience working on problems related to low-level systems security and memory forensics.

Acknowledgments

We would like to thank the memory forensics community at large: those who spend their weekends, nights, and holidays conducting research and creating free, open-source code for practitioners. This includes developers and users, both past and present, that have contributed unique ideas, plugins, and bug fixes to the Volatility Framework. Specifically, for their help on this book, we want to recognize the following:

• Dr. Nick L. Petroni for his invaluable comments during the book review process and whose innovative research inspired the creation of Volatility
• Dr. Golden G. Richard III for his expertise and commitment as technical editor
• Mike Auty for his endless hours helping to maintain and shepherd the Volatility source code repository
• Bruce Dang and Brian Carrier for taking time out of their busy schedules to review our book
• Brendan Dolan-Gavitt for his numerous contributions to Volatility and the memory forensics field that were highlighted in the book
• George M. Garner, Jr. (GMG Systems, Inc.) for his insight and guidance in the memory acquisition realm
• Matthieu Suiche (MoonSols) for reviewing the Windows Memory Toolkit section and for his advancements in Mac OS X and Windows Hibernation analysis
• Matt Shannon (Agile Risk Management) for his review of the F-Response section of the book
• Jack Crook for reviewing our book and for providing realistic forensics challenges that involve memory samples and allowing people to use them to become better analysts
• Wyatt Roersma for providing memory samples from a range of diverse systems and for helping us test and debug issues
• Andreas Schuster for discussions and ideas that helped shape many of the memory forensics topics and techniques
• Robert Ghilduta, Lodovico Marziale, Joe Sylve, and Cris Neckar for their review of the Linux chapters and research discussions of the Linux kernel
• Cem Gurkok for his Volatility plugins and research into Mac OS X
• Dionysus Blazakis, Andrew F. Hay, Alex Radocea, and Pedro Vilaça for their help with the Mac OS X chapters, including providing memory captures, malware samples, research notes, and chapter reviews

We also want to thank Maureen Tullis (T-Squared Document Services), Carol Long, and the various teams at Wiley that helped us through the authoring and publishing process.

Index

NextID, 267
Nirsoft, kernel modules, 372
NKEs (Network Kernel Extensions), 836
  IP filters, 837
  socket filters, 837–838
noatime mount option, 679
nodev mount option, 679
nodiratime mount option, 679
noexec mount option, 679
norelatime mount option, 679
nosuid mount option, 679
Notepad, heap, 223–226
notepad.exe, text in, 224–225
notification routines. See kernel callbacks
notifier_block, 736–739
notify function, 737–738
NSCreateObjectFileImageFromFile, 824
NSCreateObjectFileImageFromMemory, 824
NSCreateObjectFileImageFromMemory API, 825
NSLinkModule, 824
NtAllocateVirtualMemory, 192
NtEnumerateValueKey, 394
NTFS (New Technology File System), 477
  metadata, TrueCrypt and, 506–507
NtLoadDriver, 346, 354
  kernel modules, 370
NtQueryDirectoryFile, 394
NtQuerySystemInformation, 394
NtSetSystemInformation, kernel modules, 370–371
NtUnloadDriver function, 391
NumberOfBytes argument, 127
NumberOfHistoryBuffers, 529
NumStrings, 267

O
ObCreateObject function, 127
object headers, 119–121
  optional, 121
object type objects, 122–124
_OBJECT_HEADER, 119
_OBJECT_HEADER_CREATOR_INFO, 121
_OBJECT_HEADER_HANDLE_INFO, 121
_OBJECT_HEADER_NAME_INFO, 121
_OBJECT_HEADER_PROCESS_INFO, 121
_OBJECT_HEADER_QUOTA_INFO, 121
objects
  driver objects, scanning for, 382
  shared, virtual shared objects, 598
  Volatility, 54–55
_OBJECT_SYMBOLIC_LINK, 118
_OBJECT_TYPE, 119
one-dimensional arrays, 30
open file handles, 626–630
OpenClipboard, 419
openfiles variable, 639
OpenProcessToken API, 167
OpenPyxl, 50
operating systems, 3–4
  privileges, separation, 17–18
  protection rings, 17–18
  system calls, 18
optional headers, 121
orphan threads, 379–380
  rootkits, 380
osession.evt log, 269
OSXPmem, 780–781, 783–784
OTR (Off-the-Record) instant messages, 845
overlays, 53–54
overwriting code, 699–700

P
packed binaries, 245–246
  64-bit DLLs, 248–251
  ELF, 595
  malware, 246–248
  unpacking issues, 248
packets
  capture data, timelines and, 545–546
  queued, 643–646
PAE (Physical Address Extension), 8, 13–14
  memory allocation, 700
page directory pointer table, 13
page files, 21–22
  analysis, 110–113
  recovering, 109–110
page swaps, 21–22
page tables, 193
  memdump plugin, 194–197
  memmap plugin, 194–197
paged address spaces, Volatility, 56
PAGE_EXECUTE_WRITECOPY, 237–238
page_is_ram function, 657
paging, 9–11
  bit flags, 12
  demand paging, 21–22
PagingFiles, 109–110
parent windows, 438–439
parent/child relationships, 615
parsing, PE headers, 240–242
_PARTITION, 330–331
partition tables, Next Generation TCP/IP Stack, 330–332
PartitionTable module, 330–331
passwords
  browser memory, 209–210
  caching, 504–505
  hashes, 304–305
Patchguard, 395
PATH environment variable, 227–228
PATHEXT environment variable, 227–228
PaX kernel-hardening patches, 700
PC architecture
  CPU
    address translation, 11–13
    address spaces, 7–8
    IA-32 architecture, 8, 13–14
    IDT, 16–17
    Intel 64 architecture, 14–16
    paging, 9–11
    registers, segmentation, 8–9
  physical organization
    CPU, 4–5
    DMA (direct memory access)
    MMU
    northbridge
    RAM, 6–7
    southbridge
    TLB
PE files, 238–239
  caveats, 244–245
  global variables, 239
  headers, parsing, 240–242
  IAT patching, 238
  inaccessible sections, 239
  plugins, extraction, 242–244
  self-modifying code, 239
  slack space, 239–240
  workarounds, 244–245
Peb, 153
_PEB
  BeingDebugged, 221
  ImageBaseAddress, 221
  Ldr, 221
  NumberOfHeaps, 222
  ProcessHeap, 222
  ProcessHeaps, 222
  ProcessParameters, 221
PEB (Process Environment Block), 190–191, 219–223
  data structures, 220–221
_PEB_LDR_DATA, 222–223
_PEB.ProcessParameters.Environment, 226–227
permissions, memory allocation, 192–193
persistence, registry, 183–184
PFN database, process memory enumeration, 194
Phalanx2, 755–756
  analysis setup, 756
  installation, 756–757
  memory baseline analysis, 759–760
    binary path, 761
    kernel tampering, 757–758
    socket files, 761–762
    Xnest process, 760–762
  reverse engineering
    infection detection, 766–767
    kernel module, 763–766
    symlink, 770–772
  strace, 767–770
phishing, email artifacts, 547–548
physical addresses, 7–8
  Volatility, 56–57
physical memory
  linked lists, 39
  maps, 657–661
    data structures, 658
    hardware resources, 658–660
physical organization of PC architecture
  CPU, 4–5
  DMA (direct memory access)
  MMU
  northbridge
  RAM, 6–7
  southbridge
  TLB
PID hash table, 616
PIL (Python Imaging Library), 50
ping.exe, 140
PLT (procedure linkage table), 601–603
  GOT/PLT overwrites and, 716–717
  GOTs, 599–600
plugins
  apihooks, 501
  atoms, 410
  atomscan, 410, 431–432
  auditpol, 269–270
  bigpools, 144–145
  callbacks, 396
  clipboard, 460
  CmdScan, 531–532
  connections, 315–318
  Consoles, 532–535
  crashinfo, 96
  deskscan, 130, 410, 424–425
  dlldump, 242
  dlllist, 235–236
  driverirp, 383
  driverscan, 130, 402–403
  dumpfiles, 497–503, 540
  envars, 229–230
  ethscan, 324–325
  eventhooks, 410, 460
  evtlogs, 268–269
  exportfile, 497
  filescan, 130
  gahti, 410
  gditimers, 410
  hashdump, 304–305
  hibinfo, 96
  hivelist, 285–286
  hpakinfo, 96
  iehistory, 336–339, 522
  imagecopy, 79, 106, 513
  ldrmodules, 237–238
  limeinfo, 661
  linpktscan, 323–324
  linux_apihooks, 719
  linux_arp, 652–654
  linux_bash, 631–633
  linux_bash_hash, 633–635
  linux_check_afinfo, 744–745, 757–758
  linux_check_fop, 733, 749–752
  linux_check_inline_kernel, 752–754
  linux_check_kernel_inline, 734–735
  linux_check_syscall, 663, 734–735, 757–758
  linux_check_tty, 735–736, 741
  linux_dentry_cache, 689–690
  linux_dmesg, 665, 759–760
  linux_dump_maps, 621
  linux_enumerate_files, 683–684
  linux_env, 634–635
  linux_find_file, 693–695
  linux_hidden_modules, 725–726, 738
  linux_hollow_process, 701–703
  linux_ifconfig, 648–649
  linux_info_regs, 630
  linux_iomem, 658–661
  linux_kernel_opened_files, 727
  linux_keyboard_notifier, 737–739
  linux_keyboard_notifiers, 735–736
  linux_ldrmodules, 708–709
  linux_librarydump, 710–712
  linux_library_list, 708
  linux_list_raw, 649
  linux_lsmod, 604–605, 669
  linux_lsof, 638
  linux_malfind, 701–703, 710
  linux_moddump, 670–672, 723–724
  linux_mount, 677–679
  linux_netfilter, 748
  linux_netstat, 638
  linux_pidhashtable, 729
  linux_pkt_queues, 644–646
  linux_plthook, 718
  linux_procdump, 710–712
  linux_process_hollow, 704
  linux_process_stack, 630
  linux_process_syscall, 630
  linux_proc_maps, 619
  linux_psaux, 621–622
  linux_pslist, 614
  linux_pstree plugin, 760–761
  linux_psxview, 728–729
  linux_recover_filesystem, 686–690, 811
  linux_route_cache, 652
  linux_strings, 516
  linux_threads, 630
  mac_apihooks, 827
  mac_arp, 819
  mac_bash, 819
  mac_bash_env, 819
  mac_bash_hash, 819
  mac_check_syscalls, 831–832
  mac_check_trap_table, 831–832
  mac_dead_procs, 810–811
  mac_dead_sockets, 811
  mac_dead_vnodes, 811
  mac_dmesg, 819
  mac_dump_file, 813–814
  mac_dump_maps, 802
  mac_dyld_maps, 803–804
  mac_find_aslr_shift, 778
  machoinfo, 96, 791
  mac_ifconfig, 819
  Macintosh, 793
  mac_ip_filters, 837
  mac_keychaindump, 847
  mac_list_files, 813–814, 843–844
  mac_list_sessions, 819
  mac_list_zones, 809–811
  mac_lsof, 818
  mac_mount, 814, 819
  mac_netstat, 806–808
  mac_notifiers, 833
  mac_proc_maps, 801–802
  mac_psaux, 818
  mac_pstree, 798
  mac_psxview, 796–797, 829–830
  mac_recover_filesystem, 814
  mac_route, 819
  mac_strings, 516
  mac_trustedbsd, 834–835
  mac_volshell, 850–852
  malfind, 253–258
  messagehooks, 410, 456–459
  mftparser, 479–482, 544
  moddump, 242, 372
  modscan, 368, 372
  modules, 372, 373
  mutantscan, 130
  netscan, 328–329
  PE file extraction, 242–244
  printkey, 289, 292, 548–551
  procdump, 242
  psscan, 130
  screenshot, 410, 439–441
  sessions, 410
  shellbags, 299–300
  sockets, 315–318
  strings, 518–519
  svcscan, 352–353
  symlinkscan, 130
  thrdscan, 130
  threads, 379–380
  timeliner, 539–541
  timers, 400–401
  truecryptsummary, 505–506
  unloadedmodules, 374–375
  userhandles, 410, 465–466
  VAD, 204–207
  vadtree, 198
  vboxinfo, 96
  vmwareinfo, 96
  Volatility, 58–59
    output control, 66
  volshell, 354, 385–386
  windows, 410
  wintree, 410, 438–439
  wndscan, 130, 410
  yarascan, 210–213
pointer data type, 28
pointer type, 28
PointerCount, 120
pointers, SSDT attack, 393–394
Poison Ivy, 262–263
PO_MEMORY_IMAGE header, 98–99
pool scanning, 129
  alternatives, 146–148
  building a pool scanner, 136–140
  limitations, 140–142
  pool tag sources, 130–131
  PoolMon utility, 132–134
  pooltag file, 131–132
  pool tracker tables, 134–135
_POOL_HEADER, 125, 142–143
PoolScanner class, 136
PoolTag, 126
pooltag.txt file, 131
_POOL_TRACKER_BIG_PAGES, 143–144
_POOL_TRACKER_TABLE, 134–135, 143–144
PoolTrackTable, 134
PoolType, 126
port pools, Next Generation TCP/IP Stack, 332–333
_PORT_ASSIGNMENT, 332–333
ports, hidden, 313
POSIX (Portable Operating System Interface), 793
postgres config file, 622
PostMessage API, 442
postprocessing dumped code, 262–263
Prefetch files, 487–488, 517
preload variables, LD_PRELOAD, 714–715
printing, keys (Windows registry), 288–289
printkey plugin, 289, 292, 548–551
printtest application, 601–603
PrivilegeCount integer, 167
privileges, 170–171
  Average Coder rootkit, 732–733
  credential hijack, 732–733
  enabling, 171–172
  explicit, 171–172
  explicit, 172–173
  inheritance and, 171
  kernel mode rootkits, 730–733
  separation, 17–18
  tokens, Volshell attack simulation and, 173–175
Privileges integer, 167
proc, 795
proc file system, 678
procdump plugin, 242
procedure calls, deferred, 400
process, 51
Process Explorer, 234
  kernel modules, 371
process file descriptors, 806–807
Process Hacker, 234
process handles
  enumeration, Zeus and, 181–183
  kernel handles, 177–178
  lifetime, 176–177
  reference counts, 177–178
  tables, 178–180
process heaps, 191, 223
  Notepad, 223–226
process hollowing, detection, 703–705
process memory
  address space, layout, 190–191
  address spaces
    application data, 191
    DLLs (dynamic linked libraries), 190
    environment variables, 190
    executables, 191
    files, mapped, 191
    heaps, 191
    mapped files, 191
    PEB (Process Environment Block), 190–191
    process heaps, 191
    thread stacks, 191
    variables, environment variables, 190
  enumeration
    page tables, 193, 194–197
    PFN database, 194
    VADs, 193–194, 197–217
    working set list, 194
  scanning, 351–352
Process object, 118
process tokens, 164–165
  accessing, 167–168
  data structures, 165–166
  lateral movement, detecting, 169–170
  Volshell attack simulation and, 173–175
processes, 149, 611–612
  activity analysis, 156–158
  address space, 616–624
  alternate process listings, 156–157, 162–163
  analysis, Macintosh, 794–798
  command-line arguments
    analyzing, 621–622
    manipulating, 623–624
  context switching, 19
  CPU scheduling, 19
  data structures, 151–152
  DKOM, 151
    detection, 160–164
  DLLs
    enumeration on live systems, 234
    hiding, 234
    listing, 235–236
    loading, 233
  enumerating, 613–614
    active process list, 614–616
    Macintosh analysis, 796–797
    PID hash table, 616
  environment variables, 226–227, 625–626
    attacks, 227–228
    Coreflood, 228–230
    scopes, 227
    sources, 227
  foreign, 701
  hidden
    kernel mode rootkits, 728–730
    kernel rootkits, 829–830
  hollow process injection, 252, 258–261
  internals, 150
  linking to users, 614–615
  listing, 728–729
  mappings, 618–621
  memory and, 154
  multiprogramming, 18
  organization, 153–154
  parent/child relationships, 615
  postprocessing dumped code, 262–263
  process address space, 18–19
  ptrace, 699
  recovering sections of memory, 621
  registry persistence, 183–184
  relationships, Macintosh analysis, 798
  resources, 150
  shellcode, 701
  standard handles, 230–232
  system processes, 154–156
  system resources, 19–20
  threads, 19
  tree visualizations, 158–160
  validity checks, 435
  visualizations, 150–151
ProcessList, 412
process_vm_readv, 701
process_vm_writev, 701
procfs, 609
  /proc/kcore, 583
proc_pid_cmdline function, 623–624
profiles, Volatility Framework, 55, 61–63
  selecting, 63–65
program headers, ELF, 595–597
Prolaco, DKOM attack detection, 160–162
protection rings, 17–18
PsCreateSystemThread, 378–380
PServiceRecordListHead, 351–352
pslist command, 156
  example, 156–157
PsLoadedModuleList, 367, 372
psscan command, 156
  graph output, 159
psscan plugin, 130
PsService utility (Sysinternals), 349
PsSetCreateProcessNotifyRoutine API, 396
PsSetCreateThreadNotifyRoutine API, 396
PsSetLoadImageNotifyRoutine API, 396
pstree command, 156
psxview, DKOM attack detection, 163–164
psxview command, 156
ptrace, 578, 699
PyCrypto, 50
Python, 46
  VADs and, 208–209

Q
QEMU, 104
queued network packets, 643–646

R
radix trees, 605
RAM (random access memory), 6–7
  Macintosh memory acquisition, 780–781
random access, 30
raw memory dump, 96
raw sockets, 325–327, 649
RDP, remote user detection, 413–416
rdpclip.exe, 413
RDPDD.dll driver, 413
readelf command, 591, 717
  displaying sections, 593–594
  output, 594
reconstructing attacker activity, 551–553
RecordLength, 267
RecordNumber, 267
records, arrays, 32–34
recovering file systems, 811–814
Recycle Bin, MFT, 485–486
red-black trees, 606
reference counts, process handles, 177–178
reflective DLL injection, 252, 257
  detection, 257
RegCreateKey command, 346
RegDecoder, 349
register_keyboard_notifier function, 736–738
registers
  GDTR
  LDTR
RegisterWindowMessage, 430
RegisterWindowMessage API, 433
registry, 281–282
  addresses, translations, 286–288
  auto-start programs, 283
  BaseBlock, 283
  data contained, 283–284
  FileFullPath, 283
  FileUserName, 283
  hardware, 284
  Hive, 283
  HiveList, 283
  HiveRootPath, 283
  hives, 285–286
  keys
    printing, 288–289
    Shellbags, 298–304
    Shimcache, 297–298
  LSA secrets, 305–307
  malware persistence detection, 289–292
    Shimcache keys, 297–298
  malware configurations, 284
  password hashes, 304–305
  persistence, 183–184
  profiles, querying, 108–109
  Signature, 283
  stable data, 284–285
  Storage, 283
  system information, 284
  timelines, scripting, 545
  timestamps, 539
  timestomping, 303–304
  TrueCrypt volumes, 300–303
  user account information, 284
  values, printing, 288–289
  volatile data, 284–285
Registry API, 292–295
registry-based service hijacks, 356–357
RegRipper, 290, 349
RegSetValue command, 346
ReInfectSystem, 451
relatime mount option, 679
relationships
  parent/child, 615
  processes, Macintosh analysis, 798
remote acquisition, 78
remote code injection, 252, 253
remote connections, suspicious, 313
remote DLL injection, 251, 252
remote file shares, mapping, 554–555
remote mapped drives, 184–186
remote users, detecting, over RDP, 413–416
remotemem.py, 91
resident attributes, 478
resource, 658
resources
  processes, 150
  system resources, 19–20
ring buffers, 268
ro mount option, 679
robust signature scans, 147–148
rogue listeners, 313
Rootkits, network, 323
rootkits
  hook detection, 382–386
  hooking, 382–384
  inline hooks, 718–719
  kernel
    hidden extensions, 828–829
    hidden processes, 829–830
    IOKit notifiers, 832–834
    IPC handlers, 835–836
    LogKext, 833–834
    NKEs (Network Kernel Extensions), 836–838
    shadow system call tables, 832
    sysctl, 830–831
    TrustedBSD subsystem, 834–835
  kernel mode, 721
    Average Coder, 732–733
    file operations, 748–752
    hidden kernel modules, 722–728
    hidden processes, 728–730
    inline hooking, 752–754
    keyboard notifiers, 735–739
    Netfilter hooks, 745–748
    network protocol structures, 742–745
    privilege elevation, 730–733
    suterusu, 723
    system call handler hooks, 734–735
    TTY handlers, 739–742
  LD_PRELOAD
    detecting, 713–715
    GOT/PLT, 715
    hooking functions, 712–713
  orphan threads and, 380
  shellcode injection, 698–703
    detection, 701–703
    foreign process execution, 701
    memory allocation, 699–700
    processes, 701
    shared libraries, 705–712
  userland
    API hooks, 826–828
    code injection, 823–826
    executable extraction, 826
    hooking, 826–828
route cache, 650–652
RPC servers, 835–836
RTDL (run-time dynamic linking), 233
rt_hash_mask global variable, 651
rt_hash_table global variable, 651
_RTL_ATOM_TABLE, 430
_RTL_DYNAMIC_HASH_TABLE, 330–331
_RTL_PROCESS_PARAMETERS, 222
runtime interrogation, 79
  F-Response, 89–91
Runtime Process Infection, 706
Rustock, kernel callbacks and, 397–399
RW (read, write) files, 239
rw mount option, 679
RX (read, execute) files, 239

S
sampling, 69
saved state, 630
sc create command, 345
sc start command, 345
Scalpel, 494
scanning
  process memory, 351–352
  Yara, 210–213
scheduled jobs, timelines and, 555–558
SCM (Service Control Manager), 344–345
  kernel modules, loading, 370
screen shots, from memory dumps, 439–441
_SCREEN_INFORMATION, 525, 528
screenshot plugin, 410, 439–441
scripting, registry timelines, 545
search_process_memory( ) API, 223
search_process_memory( ) function, 209–210
SeBackupPrivilege, 171
SeChangeNotifyPrivilege, 172
section objects, 495
SectionObjectPointer, 495
SecurityDescriptor, 120
SeDebugPrivilege, 171
segmentation, 8–9
segment_command, 788–789
segment_command_64, 788–789
self-balancing binary tree, 42
SeLoadDriverPrivilege, 172
SendMessage API, 442
server sockets, 309
_SERVICE_HEADER, 351
_SERVICE_RECORD, 350
services.exe, 155
  event logs and, 267–268
ServiceTable, 393
SeShutdownPrivilege, 172
Session, 152
session space, GUI subsystem, 411–416
SessionId, 412
SessionProcessLinks, 152
sessions plugin, 410
SetClipboardData, 419
SetClipboardViewer, 419–420
SetMACE, 492
SetWindowsHookEx function, 454–455
SetWinEventHook, 467
shadow SSDT, 391
shadow system call tables, 832
shared libraries
  ELF, loading, 598
  shellcode injection, 705–706
    from disk, 706–709
shared memory, 22–23
shared objects, virtual, 598
shared pages, detecting, 519–523
SharedCacheMap, 496–497
Shellbags (registry), 298–304
shellbags plugin, 299–300
shellcode, injection, 698–703
  detection, 701–703
  foreign processes, 701
  memory allocation, 699–700
  processes, 701
  shared libraries, 705–712
Shimcache registry keys, 297–298
short type, 28
SIDs
  extracting, 168–169
  mapping string to username, 168
  translating, 168–169
  User SIDs, 168
signature scans, 147–148
signed char type, 28
singly linked lists, 37–38
SLAB allocator, 729
  Macintosh, 808–811
slack space, PE files, 239–240
Sleep, 400
SMB (Server Message Block), 78
smss.exe, 154
SMTP (Simple Mail Transfer Protocol), 851–852
sniffers, 325–327
sock_common, 641
socket, 310–314
socket filters, 837–838
socket_alloc, 606, 639
socketcall, 758–759
sockets, 309
  active, 315–318
  client, 309
  creating, 309
  inactive, 321–322
  raw, 325–327, 649
  server sockets, 309
  Winsock, 310–314
sockets plugin, 315–318
SOCK_RAW, 649
sockscan command, 321–322
source device object, 387
SrvAddConsoleAlias, 525
SrvAllocConsole, 525
SSDT (System Service Dispatch Table), 369, 390–391
  APIs, undocumented, 395
  attacking
    inline hooking, 394
    pointer replacement, 393–394
    table duplication, 394–395
  duplicate entries, 395
  enumerating, 391–393
  hooking disadvantages, 395
  multiple cores, 395
  Patchguard and, 395
  shadow SSDT, 391
stack frames, 23
stacked architecture, 386–387
stacks, 23–24
standard handles, processes, 230–232
StartService command, 345
state, saved, 630
strace, 767–770
strings, 35–37
  C-style, 35–36
  event reconstruction, 511–512
    extracting, 512–515
    string-based analysis, 516–523
    translating strings, 515–516
  extracting, 512–515
  free memory, 518–519
  Gh0st, 562
  grep command, 517–518
  IOCs proximity, 517–518
strings command, 513–514
strings plugin, 518–519
strings.exe, 513
Stuxnet
  kernel callbacks and, 397–399
  malicious devices, 389–390
subclassing, malicious, 450–452
SubsectionBase, 496
suid mount option, 679
suterusu rootkit, 723
svchost.exe, 155
svcscan plugin, 352–353
swapper_pg_dir, 608
swapping, compressed swaps, 610
SymbolicLink object, 118
symlink, Phalanx2, 770–772
symlinkscan plugin, 130
sysctl, 830–831
sysfs, 609
  hidden kernel modules, 723
sysfs file system, 678
sys_symlink, 770–772
system call tables, 831–832
system calls, 18
  handler hooks, 734–735
System process, 154
system processes, 154–156
system resources, 19–20
system6.bat script, 560

T
tables
  hash tables, 39–40
  MajorFunction, 31
  shadow system call tables, 832
  system call tables, 831–832
  trap tables, 831–832
tagCLIP, 469
tagCLIPDATA, 469
tagDESKTOP, 118, 423
tagHOOK structure, 456–459
tagSHAREDINFO structure, 462–464
tagWINDOWSTATION, 118, 416–417
target device object, 387
task, 795
task_struct, 611–613, 710–712
task_struct_cachep, 611
_TCBTable, 327–333
TCP connections, 641–643
_TCP_ENDPOINT, 330–331
TCP/IP, Next Generation TCP/IP Stack, 327–333
Tcpip driver, 383–384
TcpStartPartitionModule function, 330–331
_TCPT_OBJECT, 314
TDL3, kernel callbacks and, 397–399
temporal reconstruction. See timelining
temporary file systems, mounted, 680–681
TerminateProcess, 347
text, clipboard recovery, 471
TEXT segment, 788–789
The Sleuth Kit, 518–519
this_module, 722
thrdscan plugin, 130
Thread object, 118
thread stacks, 191
ThreadListHead, 152
threads, 19
  kernel mode, 378–380
  orphan threads, 379–380
threads plugin, 379–380
Tigger, kernel callbacks and, 397–399
time, TrayClockWClass, 438
TimeGenerated, 267
timeline, traffic, 567–572
timeline.py, 540–541, 545
timeliner plugin, 539–541
  output, 541
timelines, 537–538
  6to4 service, 548–551
  activity reconstruction, 551–553
  attack artifacts, 558–561
  initial infection vector
    phishing email artifacts, 547–548
    tracking executed programs, 546–547
  log2timeline, 540
  mactime and, 541–542
  metadata extraction and, 689–690
  network data, 561–567
  packet capture data, 545–546
  Prefetch files, 543
  registry, scripting, 545
  remote file shares, mapping, 554–555
  scheduled jobs, 555–558
  timeliner plugin, 539–541
timer objects, 400
timers, kernel. See kernel timers
timers plugin, 400–401
timestamps
  DosDate, 538
  FILETIME, 538
  formats, 538
  registry, 539
  sources, 538–539
  timestomping, 303–304
timestomping, 303–304
  MFT (Master File Table), 492
TimeWritten, 267
TLB (translation lookaside buffer)
tmpfs file system, 678, 680
_TOKEN, 118, 165
Token object, 118
TotalNumberOfHandles, 122
TotalNumberOfObjects, 122
tpos, 605
tracking
  executed programs, 546–547
  users, keychain recovery, 845–848
traffic, timeline, 567–572
translating strings, 515–516
translation, addresses, 11–13
trap tables, 831–832
TrayClockWClass class, 438
trees, 605–606
  analyzing in memory, 41–42
  hierarchical, 41
  red-black, 606
  self-balancing binary tree, 42
TrueCrypt disk encryption, 503
  AES, master key extraction, 507–508
  cache manager and, 506–507
  encrypted volume identification, 505–506
  non-default algorithms, 508–510
  NTFS metadata, 506–507
  password caching, 504–505
TrueCrypt volumes (registry), 300–303
truecryptsummary plugin, 505–506
truecrypt.sys, 505
TrustedBSD subsystem, 834–835
TSK (The Sleuth Kit), 108
TTY input handlers, 739–742
tty_struct, 740–742
Type object, 119
TYPE_CLIPDATA objects, 462
TypeIndex, 120 TypeInfo, 122–123 TYPE_TIMER objects, 462 TYPE_WINDOW objects, 462 U UDP connections, 641–643 _UNICODE_STRING, 36–37 UniqueProcessID, 152 Unix, sockets, recovering, 643 Unix/Linux, F-Response, 90–91 UnixTimeStamp, 538 unlinked DLLs, 236–238 unloadedmodules, 372, 374–375 unsigned char type, 28 unsigned int type, 28 unsigned long long type, 28 unsigned long type, 28 unsigned short type, 28 UPX, program headers, ELF, 597 URLs (Uniform Resource Locator), brute force scans, 338–339 usbuhci service, 353 USER handles, 459 data structures, 460 object types, 461–462 sessions, 465–466 table entries, 464–465 tagSHAREDINFO structure, 462–464 user tracking, keychain recovery, 845–846 breaking keychains, 846–848 chainbreaker, 846 volafox, 846 UserAndGroupCount integer, 166 884 Index UserAndGroups integer, 166 Userassist keys (registry), 295–296 userhandles plugin, 410, 465–466 userland address space split, 777 Macintosh design, 775–776 memory acquisition and, 780–784 rootkits API hooks, 826–828 code injection, 823–826 executable extraction, 826 hooking, 826–828 users, logged-in, hiding, 751–752 utilities kntencrypt.exe, 86–87 mactime, 541–542, 547 vmss2core.exe, 106 V VAD (virtual address descriptor), 42 data structures, 198–201 flags, 202 CommitChange field, 203 PrivateMemory field, 204 Protection field, 203–204 memory-mapped files, 198 OS versions, 199 process memory enumeration, 193–194 processes, 150 Python and, 208–209 tags, 201–202 vadtree plugin, 198 Volatility, plugins, 204–207 vaddump plugin, 205–207, 223 vadinfo plugin, 204 VadRoot, 153 vadtree plugin, 198, 204 vboxinfo plugin, 96 VFS (Virtual File System), 681–683 vfsmount, 676–677 virtual shared objects, 598 VirtualAlloc API, 192–193 VirtualAllocEx API, 193 VirtualBox, 103–104 visualizations, processes, 158–160 VM (virtual machine), 70–71 vm_area_struct, 618–619 vmss2core.exe utility, 106 VMware, 101–103 _VMWARE_GROUP, 102 _VMWARE_HEADER, 102 vmwareinfo plugin, 96 volatile memory crash dumps, files, 
113 disks, hibernation files, 107–108 page file recovery, 109–110 registry profiles, 108–109 Volatility Framework AS (address space), 56–57 stacking, 57 benefits, 45–46 classes, 54–55 commands, 59–60 alternatives to command-line, 65–66 help, 60–61 filenames, 65 installation code repository, 49–50 dependencies, 50 development branch, 49–50 Github, 49–50 gzip/tarball source package, 48–49 Python Module Installer, 48 Windows executable, 47–48 zip source package, 48–49 Linux profiles, 583–589 locations, 65 naming conventions, 65 objects, 54–55 overlays, 53–54 persistence, 66 plugins, 58–59 core, 59 file format metadata, 96 output control, 66 profiles, 55, 61–63 selecting, 63–65 Registry API, 292–295 VAD plugins, 204–207 VTypes, 51–52 volatility/plugins directory, 58 volatilityrc file, 66 volshell, 240–242 Volshell, attack simulation and, 173–175 volshell plugin, 354, 385–386 VTypes, 51–52 generating, 52–53 Vtypes, Linux profiles, 584–585
W
WerSvc (Windows Error Reporting Service), 347 WinDefend (Windows Defender Service), 347 Windows 7, event logs, 270–272 2000, event logs, 267–270 2003, event logs, 267–270 2008, event logs, 270–272 APIs, 345–346 command architecture, 524–525 console functions, 525 console modules, 525 data structures, 525–529 default settings, 529–530 Configuration Manager, address translations, 286–288 data types, 29 executive objects, 117 allocation APIs, 126–129 headers, 119–121 kernel pool allocations, 125–126 object type, 122–124 hibernation files, 98–99 strings, extracting, 513 Vista, event logs, 270–272 XP, event logs, 267–270 windows anti-monitoring software, 435–436 attacks dismissing alerts/prompts, 443–444 KAV, 442–443 keystroke simulation, 444–447 mouse movement simulation, 444–447 Shatter Attacks, 441–442 chm files, 438–439 hh.exe viewer, 438 classes, name detection, 429, 432 data structures, 436 IEFrame class, 437 KAV and, 442–443 local time, 438 message hooks, 453–454 DLL injection, 456–459 installation, 454–456 messages,
registered, 433 metadata, 436 parent, 438–439 procedure callbacks, 447–449 process validity, 435 subclassing, 450–452 Windows cache manager, 494–497 Windows crash dump, 96–98 Windows GUI, subsystem See GUI subsystem windows plugin, 410 Windows registry, 281–282 addresses, translations, 286–288 auto-start programs, 283 BaseBlock, 283 data stable, 284–285 volatile, 284–285 data contained, 283–284 FileFullPath, 283 FileUserName, 283 hardware, 284 Hive, 283 HiveList, 283 HiveRootPath, 283 hives, 285–286 keys printing, 288–289 Shellbags, 298–304 Shimcache, 297–298 Userassist, 295–296 LSA secrets, 305–307 malware persistence detection, 289–292 Shimcache keys, 297–298 malware configurations, 284 password hashes, 304–305 Signature, 283 Storage, 283 system information, 284 timestomping, 303–304 TrueCrypt volumes, 300–303 user account information, 284 values, printing, 288–289 Windows Security Center, 364 Windows services, 343 AFD, 353 architecture, 343–345 data structures, 350 Get-Service command, 348 hidden, 362–366 hijacked disk-based, 357–362 registry-based, 356–357 installation, 345–346 investigating activity, 347–349 MMC and, 347–348 MRxCls, 355 MRxNet, 355 recently created, 353–356 RegCreateKey command, 346 RegDecoder, 349 RegRipper, 349 RegSetValue command, 346 usbuhci, 353 WSearch, 353 Windows Sockets API See Winsock Windows Stations AddClipboardFormatListener, 419–420 clipboard listeners, 419–420 viewers, 419–420 clipboard snooping, 416 clipboardic.exe and, 419, 420–421 detecting, 419–422 clipboard usage, 416 frequency analysis, 418–419 data structures, 416–417 InsideClipboard, 419 listeners, 419–420 SetClipboardViewer, 419–420 snooping detection, 419–422 usage frequency, 418–419 viewers, 419–420 WM_DRAWCLIPBOARD, 419 WindowStation object, 118 WinINet API, 334–339 Winlogon desktop, 425 winlogon.exe, 155 Winpmem, 83 WinRAR, 571–572 Winsock, 310–314 Ethernet frames, 323–325 IP packets, 323–325 WinTimeStamp, 538 wintree plugin, 410, 438–439
WM_DRAWCLIPBOARD, 419 WM_HTML_GETOBJECT, 433 WMI (Windows Management Instrumentation), kernel modules and, 371–372 WM_KEYDOWN, 442, 453–454 wndscan plugin, 130, 410 working directories, environment variables, 626 working sets, process memory enumeration, 194 WriteKernelMemory, 161 WriteProcessMemory, 253 Wscsvc (Windows Security Center Service), 347 WSearch service, 353 Wuauserv (Windows Automatic Update Service), 347
X
Xen/KVM, 105 Xnest, 760–762
Y
Yara, 50, 210–213 yarascan plugin, 210–213
Z
ZeroAccess, kernel callbacks and, 397–399 Zeus, process handle enumeration, 181–183 Zeus Encryption Keys, 213–217 ZwSystemDebugControl, 161