Tuesday, May 28, 2013

MoVP II - 2.5 - New and Improved Windows Plugins

The Volatility 2.3 release will include several new and improved Windows plugins. This post will summarize their purpose, point you to additional information if they've been mentioned in previous blog posts, and show example usage scenarios for the plugins.

Process Privileges

In his Open Memory Forensic Workshop 2012 presentation "The Analysis of Process Token Privileges", Cem Gurkok (@CGurkok) discussed a plugin for Volatility that shows which privileges are enabled in each process. This can be useful for a number of reasons, including detecting code-injecting malware (SeDebugPrivilege) and kernel rootkits (SeLoadDriverPrivilege) in addition to scanning for Token related DKOM (see Cesar Cerrudo's Easy Local Windows Kernel Exploitation).

As shown below, the privs plugin tells you which privileges are present in the process's token, which have been enabled, and which were enabled by default. If any privileges are enabled by not enabled by default, you know they were explicitly set (usually through the AdjustPrivilegeToken API). If any privileges are enabled but not present, that's a strong indicator of DKOM.

$ python vol.py -f mem.dmp privs -p 1096 

[snip]

1096 explorer.exe         23 SeChangeNotifyPrivilege              Present,Enabled,Default  Receive notifications of changes to files or directories
1096 explorer.exe         19 SeShutdownPrivilege                  Present                  Shut down the system
1096 explorer.exe         25 SeUndockPrivilege                    Present,Enabled          Remove computer from docking station
1096 explorer.exe          8 SeSecurityPrivilege                  Present                  Manage auditing and security log
1096 explorer.exe         17 SeBackupPrivilege                    Present                  Backup files and directories
1096 explorer.exe         18 SeRestorePrivilege                   Present                  Restore files and directories
1096 explorer.exe         12 SeSystemtimePrivilege                Present                  Change the system time
1096 explorer.exe         24 SeRemoteShutdownPrivilege            Present                  Force shutdown from a remote system
1096 explorer.exe          9 SeTakeOwnershipPrivilege             Present                  Take ownership of files/objects
1096 explorer.exe         20 SeDebugPrivilege                     Present,Enabled          Debug programs
1096 explorer.exe         22 SeSystemEnvironmentPrivilege         Present                  Edit firmware environment values
1096 explorer.exe         11 SeSystemProfilePrivilege             Present                  Profile system performance
1096 explorer.exe         13 SeProfileSingleProcessPrivilege      Present                  Profile a single process
1096 explorer.exe         14 SeIncreaseBasePriorityPrivilege      Present                  Increase scheduling priority
1096 explorer.exe         10 SeLoadDriverPrivilege                Present,Enabled          Load and unload device drivers
1096 explorer.exe         15 SeCreatePagefilePrivilege            Present                  Create a pagefile

Internet Explorer History

The iehistory plugin was introduced on this blog a while back - see HowTo: Scan for Internet Cache/History and URLs. Since then, it has been used in various investigations and from what we hear - rather successfully. Although this plugin has been available in Volatility's development branch for a while, it makes its first major release debut in 2.3.

Service DLLs

A Windows service of type SERVICE_WIN32_SHARE_PROCESS is essentially a DLL that runs inside a shared host process (svchost.exe). This is a commonly used persistence mechanism among malicious code (see How malware hides and is installed as a service).

Volatility's svcscan plugin scans for and reports on service record structures found in the memory of the service control manager (services.exe). In previous releases it only identified the driver name (i.e. \Driver\Tcpip) if the service was for a kernel driver, or it showed the path to an executable file if the service was a standalone or shared process. Starting with Volatility 2.3, you can also now query for the service DLL when you provide the --verbose argument to svcscan.

Here's an example of the output.

$ python vol.py -f mem.dmp svcscan -p 1096

[snip]

Offset: 0x383c90
Order: 55
Process ID: 1024
Service Name: ERSvc
Display Name: Error Reporting Service
Service Type: SERVICE_WIN32_SHARE_PROCESS
Service State: SERVICE_RUNNING
Binary Path: C:\WINDOWS\System32\svchost.exe -k netsvcs
ServiceDll: %SystemRoot%\System32\ersvc.dll

As you can see, by supplying --verbose, you not only see svchost.exe, but the full path on disk to ersvc.dll is included. The full path to the DLL comes from the registry. Assuming malware overwrote the registry key's value and changed the path to ersvc.dll (pointing it at a malicious DLL), you would be better equipped to detect and respond to this behavior.

Cached Files

The dumpfiles plugin that we introduced previously (see Cache Rules Everything Around Me(Mory)) will make its debut release in Volatility 2.3. This will be one of the more useful plugins you've ever experienced - with the ability to extract cached files from all Windows memory dumps, including raw registry hives, executables, and documents.

Duqu Style API Hooks

Volatility's apihooks plugin can detect IAT hooks, EAT hooks, Inline hooks, and various others. In the category of inline hooks (also referred to as detours or trampoline hooks), we look for changes of the function prologue - specifically ones that CALL or JMP to another module or unknown code location. Since we don't emulate code, subtle changes in assembly instructions or uncommon sequences of instructions can evade the hook detection engine. Duqu, often referred to as a cousin of Stuxnet, used a simple technique of moving the hook address into a register and then jumping to the register. For example:

MOV EAX, ADDRESS
JMP EAX

It's nothing special per se, but previously we didn't check for this type of instruction combination. Starting with Volatility 2.3, we now include checks for this type of memory modification. Here's an example:

$ python vol.py -f duqu.dmp apihooks -p 1176 --quick

Hook mode: Usermode
Hook type: Inline/Trampoline
Process: 1176 (lsass.exe)
Victim module: ntdll.dll (0x7c900000 - 0x7c9af000)
Function: ntdll.dll!ZwQuerySection at 0x7c90d8b0
Hook address: 0x980a02
Hooking module: 

Disassembly(0):
0x7c90d8b0 b8020a9800       MOV EAX, 0x980a02
0x7c90d8b5 ffe0             JMP EAX
0x7c90d8b7 03fe             ADD EDI, ESI
0x7c90d8b9 7fff             JG 0x7c90d8ba
0x7c90d8bb 12c2             ADC AL, DL
0x7c90d8bd 1400             ADC AL, 0x0
0x7c90d8bf 90               NOP
0x7c90d8c0 b8a8000000       MOV EAX, 0xa8

Conclusion

Although the main objective(s) for the 2.3 release were Mac OSX and Linux/Android, we didn't want to neglect Windows. Thus, this post summarizes a few of the interesting new and improved plugins for Windows systems.

No comments:

Post a Comment