Sometime we have to check our own machine to see if there are any bad virus out there. This should be a step in preventing diseases in our own machine and possible to no infect others with the same problems we already have. I have used Volatility framework for a cold memory analysis and found a lot of interesting stuff that I will try to describe. This is a good test case for experimenting with this type of tool. Volatility is now forked into a new breed of framework, Rekall that I just discovered recently (it looked good, or even better and simpler to use) but it will not be the topic of this post.
I use debian so I can readly use apt-get to install it, but you should check the project repos in https://github.com/volatilityfoundation .
This is the information from volatility with all profiles, the first one was generated for this specific machine Linux Debian8 amd64 following guidelines from the wiki at https://github.com/volatilityfoundation/volatility/wiki/Linux .
Basically it is a 2 step procedure
For the analysis we have to get some memory dump from somewhere, I used LiME https://github.com/504ensicsLabs/LiME for a cold memory dump, you can use another tool or even do a live analysis with fmem for instance or if your kernel support it dd on direct memory access.
I use debian so I can readly use apt-get to install it, but you should check the project repos in https://github.com/volatilityfoundation .
This is the information from volatility with all profiles, the first one was generated for this specific machine Linux Debian8 amd64 following guidelines from the wiki at https://github.com/volatilityfoundation/volatility/wiki/Linux .
Basically it is a 2 step procedure
$ (cd volatility/tools/linux && make )
$ sudo zip volatility/volatility/plugins/overlays/linux/Ubuntu1204.zip volatility/tools/linux/module.dwarf /boot/System.map-3.2.0-23-generic
$ volatility --info
Volatility Foundation Volatility Framework 2.4
Profiles
--------
Linuxdebian8-3_18x64 - A Profile for Linux debian8-3.18 x64
VistaSP0x64 - A Profile for Windows Vista SP0 x64
VistaSP0x86 - A Profile for Windows Vista SP0 x86
VistaSP1x64 - A Profile for Windows Vista SP1 x64
VistaSP1x86 - A Profile for Windows Vista SP1 x86
VistaSP2x64 - A Profile for Windows Vista SP2 x64
VistaSP2x86 - A Profile for Windows Vista SP2 x86
Win2003SP0x86 - A Profile for Windows 2003 SP0 x86
Win2003SP1x64 - A Profile for Windows 2003 SP1 x64
Win2003SP1x86 - A Profile for Windows 2003 SP1 x86
Win2003SP2x64 - A Profile for Windows 2003 SP2 x64
Win2003SP2x86 - A Profile for Windows 2003 SP2 x86
Win2008R2SP0x64 - A Profile for Windows 2008 R2 SP0 x64
Win2008R2SP1x64 - A Profile for Windows 2008 R2 SP1 x64
Win2008SP1x64 - A Profile for Windows 2008 SP1 x64
Win2008SP1x86 - A Profile for Windows 2008 SP1 x86
Win2008SP2x64 - A Profile for Windows 2008 SP2 x64
Win2008SP2x86 - A Profile for Windows 2008 SP2 x86
Win2012R2x64 - A Profile for Windows Server 2012 R2 x64
Win2012x64 - A Profile for Windows Server 2012 x64
Win7SP0x64 - A Profile for Windows 7 SP0 x64
Win7SP0x86 - A Profile for Windows 7 SP0 x86
Win7SP1x64 - A Profile for Windows 7 SP1 x64
Win7SP1x86 - A Profile for Windows 7 SP1 x86
Win8SP0x64 - A Profile for Windows 8 SP0 x64
Win8SP0x86 - A Profile for Windows 8 SP0 x86
Win8SP1x64 - A Profile for Windows 8.1 x64
Win8SP1x86 - A Profile for Windows 8 SP1 x86
WinXPSP1x64 - A Profile for Windows XP SP1 x64
WinXPSP2x64 - A Profile for Windows XP SP2 x64
WinXPSP2x86 - A Profile for Windows XP SP2 x86
WinXPSP3x86 - A Profile for Windows XP SP3 x86
Plugins
-------
apihooks - Detect API hooks in process and kernel memory
atoms - Print session and window station atom tables
atomscan - Pool scanner for atom tables
auditpol - Prints out the Audit Policies from HKLM\SECURITY\Policy\PolAdtEv
bigpools - Dump the big page pools using BigPagePoolScanner
bioskbd - Reads the keyboard buffer from Real Mode memory
cachedump - Dumps cached domain hashes from memory
callbacks - Print system-wide notification routines
clipboard - Extract the contents of the windows clipboard
cmdline - Display process command-line arguments
cmdscan - Extract command history by scanning for _COMMAND_HISTORY
connections - Print list of open connections [Windows XP and 2003 Only]
connscan - Pool scanner for tcp connections
consoles - Extract command history by scanning for _CONSOLE_INFORMATION
crashinfo - Dump crash-dump information
deskscan - Poolscaner for tagDESKTOP (desktops)
devicetree - Show device tree
dlldump - Dump DLLs from a process address space
dlllist - Print list of loaded dlls for each process
driverirp - Driver IRP hook detection
driverscan - Pool scanner for driver objects
dumpcerts - Dump RSA private and public SSL keys
dumpfiles - Extract memory mapped and cached files
envars - Display process environment variables
eventhooks - Print details on windows event hooks
evtlogs - Extract Windows Event Logs (XP/2003 only)
filescan - Pool scanner for file objects
gahti - Dump the USER handle type information
gditimers - Print installed GDI timers and callbacks
gdt - Display Global Descriptor Table
getservicesids - Get the names of services in the Registry and return Calculated SID
getsids - Print the SIDs owning each process
handles - Print list of open handles for each process
hashdump - Dumps passwords hashes (LM/NTLM) from memory
hibinfo - Dump hibernation file information
hivedump - Prints out a hive
hivelist - Print list of registry hives.
hivescan - Pool scanner for registry hives
hpakextract - Extract physical memory from an HPAK file
hpakinfo - Info on an HPAK file
idt - Display Interrupt Descriptor Table
iehistory - Reconstruct Internet Explorer cache / history
imagecopy - Copies a physical address space out as a raw DD image
imageinfo - Identify information for the image
impscan - Scan for calls to imported functions
joblinks - Print process job link information
kdbgscan - Search for and dump potential KDBG values
kpcrscan - Search for and dump potential KPCR values
ldrmodules - Detect unlinked DLLs
limeinfo - Dump Lime file format information
linux_apihooks - Checks for userland apihooks
linux_arp - Print the ARP table
linux_banner - Prints the Linux banner information
linux_bash - Recover bash history from bash process memory
linux_bash_env - Recover bash's environment variables
linux_bash_hash - Recover bash hash table from bash process memory
linux_check_afinfo - Verifies the operation function pointers of network protocols
linux_check_creds - Checks if any processes are sharing credential structures
linux_check_evt_arm - Checks the Exception Vector Table to look for syscall table hooking
linux_check_fop - Check file operation structures for rootkit modifications
linux_check_idt - Checks if the IDT has been altered
linux_check_inline_kernel - Check for inline kernel hooks
linux_check_modules - Compares module list to sysfs info, if available
linux_check_syscall - Checks if the system call table has been altered
linux_check_syscall_arm - Checks if the system call table has been altered
linux_check_tty - Checks tty devices for hooks
linux_cpuinfo - Prints info about each active processor
linux_dentry_cache - Gather files from the dentry cache
linux_dmesg - Gather dmesg buffer
linux_dump_map - Writes selected memory mappings to disk
linux_elfs - Find ELF binaries in process mappings
linux_enumerate_files - Lists files referenced by the filesystem cache
linux_find_file - Lists and recovers files from memory
linux_hidden_modules - Carves memory to find hidden kernel modules
linux_ifconfig - Gathers active interfaces
linux_info_regs - It's like 'info registers' in GDB. It prints out all the
linux_iomem - Provides output similar to /proc/iomem
linux_kernel_opened_files - Lists files that are opened from within the kernel
linux_keyboard_notifiers - Parses the keyboard notifier call chain
linux_ldrmodules - Compares the output of proc maps with the list of libraries from libdl
linux_library_list - Lists libraries loaded into a process
linux_librarydump - Dumps shared libraries in process memory to disk
linux_list_raw - List applications with promiscuous sockets
linux_lsmod - Gather loaded kernel modules
linux_lsof - Lists open files
linux_malfind - Looks for suspicious process mappings
linux_memmap - Dumps the memory map for linux tasks
linux_moddump - Extract loaded kernel modules
linux_mount - Gather mounted fs/devices
linux_mount_cache - Gather mounted fs/devices from kmem_cache
linux_netfilter - Lists Netfilter hooks
linux_netstat - Lists open sockets
linux_pidhashtable - Enumerates processes through the PID hash table
linux_pkt_queues - Writes per-process packet queues out to disk
linux_plthook - Scan ELF binaries' PLT for hooks to non-NEEDED images
linux_proc_maps - Gathers process maps for linux
linux_proc_maps_rb - Gathers process maps for linux through the mappings red-black tree
linux_procdump - Dumps a process's executable image to disk
linux_process_hollow - Checks for signs of process hollowing
linux_psaux - Gathers processes along with full command line and start time
linux_psenv - Gathers processes along with their environment
linux_pslist - Gather active tasks by walking the task_struct->task list
linux_pslist_cache - Gather tasks from the kmem_cache
linux_pstree - Shows the parent/child relationship between processes
linux_psxview - Find hidden processes with various process listings
linux_recover_filesystem - Recovers the entire cached file system from memory
linux_route_cache - Recovers the routing cache from memory
linux_sk_buff_cache - Recovers packets from the sk_buff kmem_cache
linux_slabinfo - Mimics /proc/slabinfo on a running machine
linux_strings - Match physical offsets to virtual addresses (may take a while, VERY verbose)
linux_threads - Prints threads of processes
linux_tmpfs - Recovers tmpfs filesystems from memory
linux_truecrypt_passphrase - Recovers cached Truecrypt passphrases
linux_vma_cache - Gather VMAs from the vm_area_struct cache
linux_volshell - Shell in the memory image
linux_yarascan - A shell in the Linux memory image
lsadump - Dump (decrypted) LSA secrets from the registry
mac_adium - Lists Adium messages
mac_apihooks - Checks for API hooks in processes
mac_apihooks_kernel - Checks to see if system call and kernel functions are hooked
mac_arp - Prints the arp table
mac_bash - Recover bash history from bash process memory
mac_bash_env - Recover bash's environment variables
mac_bash_hash - Recover bash hash table from bash process memory
mac_calendar - Gets calendar events from Calendar.app
mac_check_mig_table - Lists entires in the kernel's MIG table
mac_check_syscall_shadow - Looks for shadow system call tables
mac_check_syscalls - Checks to see if system call table entries are hooked
mac_check_sysctl - Checks for unknown sysctl handlers
mac_check_trap_table - Checks to see if mach trap table entries are hooked
mac_contacts - Gets contact names from Contacts.app
mac_dead_procs - Prints terminated/de-allocated processes
mac_dead_sockets - Prints terminated/de-allocated network sockets
mac_dead_vnodes - Lists freed vnode structures
mac_dmesg - Prints the kernel debug buffer
mac_dump_file - Dumps a specified file
mac_dump_maps - Dumps memory ranges of processes
mac_dyld_maps - Gets memory maps of processes from dyld data structures
mac_find_aslr_shift - Find the ASLR shift value for 10.8+ images
mac_ifconfig - Lists network interface information for all devices
mac_ip_filters - Reports any hooked IP filters
mac_keychaindump - Recovers possbile keychain keys. Use chainbreaker to open related keychain files
mac_ldrmodules - Compares the output of proc maps with the list of libraries from libdl
mac_librarydump - Dumps the executable of a process
mac_list_files - Lists files in the file cache
mac_list_sessions - Enumerates sessions
mac_list_zones - Prints active zones
mac_lsmod - Lists loaded kernel modules
mac_lsmod_iokit - Lists loaded kernel modules through IOkit
mac_lsmod_kext_map - Lists loaded kernel modules
mac_lsof - Lists per-process opened files
mac_machine_info - Prints machine information about the sample
mac_malfind - Looks for suspicious process mappings
mac_memdump - Dump addressable memory pages to a file
mac_moddump - Writes the specified kernel extension to disk
mac_mount - Prints mounted device information
mac_netstat - Lists active per-process network connections
mac_network_conns - Lists network connections from kernel network structures
mac_notesapp - Finds contents of Notes messages
mac_notifiers - Detects rootkits that add hooks into I/O Kit (e.g. LogKext)
mac_pgrp_hash_table - Walks the process group hash table
mac_pid_hash_table - Walks the pid hash table
mac_print_boot_cmdline - Prints kernel boot arguments
mac_proc_maps - Gets memory maps of processes
mac_procdump - Dumps the executable of a process
mac_psaux - Prints processes with arguments in user land (**argv)
mac_pslist - List Running Processes
mac_pstree - Show parent/child relationship of processes
mac_psxview - Find hidden processes with various process listings
mac_recover_filesystem - Recover the cached filesystem
mac_route - Prints the routing table
mac_socket_filters - Reports socket filters
mac_strings - Match physical offsets to virtual addresses (may take a while, VERY verbose)
mac_tasks - List Active Tasks
mac_trustedbsd - Lists malicious trustedbsd policies
mac_version - Prints the Mac version
mac_volshell - Shell in the memory image
mac_yarascan - Scan memory for yara signatures
machoinfo - Dump Mach-O file format information
malfind - Find hidden and injected code
mbrparser - Scans for and parses potential Master Boot Records (MBRs)
memdump - Dump the addressable memory for a process
memmap - Print the memory map
messagehooks - List desktop and thread window message hooks
mftparser - Scans for and parses potential MFT entries
moddump - Dump a kernel driver to an executable file sample
modscan - Pool scanner for kernel modules
modules - Print list of loaded modules
multiscan - Scan for various objects at once
mutantscan - Pool scanner for mutex objects
netscan - Scan a Vista (or later) image for connections and sockets
notepad - List currently displayed notepad text
objtypescan - Scan for Windows object type objects
patcher - Patches memory based on page scans
poolpeek - Configurable pool scanner plugin
pooltracker - Show a summary of pool tag usage
printkey - Print a registry key, and its subkeys and values
privs - Display process privileges
procdump - Dump a process to an executable file sample
pslist - Print all running processes by following the EPROCESS lists
psscan - Pool scanner for process objects
pstree - Print process list as a tree
psxview - Find hidden processes with various process listings
raw2dmp - Converts a physical memory sample to a windbg crash dump
screenshot - Save a pseudo-screenshot based on GDI windows
sessions - List details on _MM_SESSION_SPACE (user logon sessions)
shellbags - Prints ShellBags info
shimcache - Parses the Application Compatibility Shim Cache registry key
sockets - Print list of open sockets
sockscan - Pool scanner for tcp socket objects
ssdt - Display SSDT entries
strings - Match physical offsets to virtual addresses (may take a while, VERY verbose)
svcscan - Scan for Windows services
symlinkscan - Pool scanner for symlink objects
thrdscan - Pool scanner for thread objects
threads - Investigate _ETHREAD and _KTHREADs
timeliner - Creates a timeline from various artifacts in memory
timers - Print kernel timers and associated module DPCs
truecryptmaster - Recover TrueCrypt 7.1a Master Keys
truecryptpassphrase - TrueCrypt Cached Passprhase Finder
truecryptsummary - TrueCrypt Summary
unloadedmodules - Print list of unloaded modules
userassist - Print userassist registry keys and information
userhandles - Dump the USER handle tables
vaddump - Dumps out the vad sections to a file
vadinfo - Dump the VAD info
vadtree - Walk the VAD tree and display in tree format
vadwalk - Walk the VAD tree
vboxinfo - Dump virtualbox information
verinfo - Prints out the version information from PE images
vmwareinfo - Dump VMware VMSS/VMSN information
volshell - Shell in the memory image
windows - Print Desktop Windows (verbose details)
wintree - Print Z-Order Desktop Windows Tree
wndscan - Pool scanner for window stations
yarascan - Scan process or kernel memory with Yara signatures
Scanner Checks
--------------
CheckPoolSize - Check pool block size
CheckPoolType - Check the pool type
KPCRScannerCheck - Checks the self referential pointers to find KPCRs
MultiPrefixFinderCheck - Checks for multiple strings per page, finishing at the offset
MultiStringFinderCheck - Checks for multiple strings per page
PoolTagCheck - This scanner checks for the occurance of a pool tag
Address Spaces
--------------
AMD64PagedMemory - Standard AMD 64-bit address space.
ArmAddressSpace - No docs
FileAddressSpace - This is a direct file AS.
HPAKAddressSpace - This AS supports the HPAK format
IA32PagedMemory - Standard IA-32 paging address space.
IA32PagedMemoryPae - This class implements the IA-32 PAE paging address space. It is responsible
LimeAddressSpace - Address space for Lime
MachOAddressSpace - Address space for mach-o files to support atc-ny memory reader
OSXPmemELF - This AS supports VirtualBox ELF64 coredump format
QemuCoreDumpElf - This AS supports Qemu ELF32 and ELF64 coredump format
VMWareAddressSpace - This AS supports VMware snapshot (VMSS) and saved state (VMSS) files
VMWareMetaAddressSpace - This AS supports the VMEM format with VMSN/VMSS metadata
VirtualBoxCoreDumpElf64 - This AS supports VirtualBox ELF64 coredump format
WindowsCrashDumpSpace32 - This AS supports windows Crash Dump format
WindowsCrashDumpSpace64 - This AS supports windows Crash Dump format
WindowsCrashDumpSpace64BitMap - This AS supports Windows BitMap Crash Dump format
WindowsHiberFileSpace32 - This is a hibernate address space for windows hibernation files.
For the analysis we have to get some memory dump from somewhere, I used LiME https://github.com/504ensicsLabs/LiME for a cold memory dump, you can use another tool or even do a live analysis with fmem for instance or if your kernel support it dd on direct memory access.
insmode lime.ko "path=my-memory-dump.lime format=lime"
Using a simple shell script I ran all plugins from volatility specific to linux. The script gives an output that we can latter check.
for p in linux_apihooks linux_arp linux_banner linux_bash linux_bash_env linux_bash_hash linux_check_afinfo linux_check_creds linux_check_evt_arm linux_check_fop linux_check_idt linux_check_inline_kernel linux_check_modules linux_check_syscall linux_check_syscall_arm linux_check_tty linux_cpuinfo linux_dentry_cache linux_dmesg linux_dump_map linux_elfs linux_enumerate_files linux_find_file linux_hidden_modules linux_ifconfig linux_info_regs linux_iomem linux_kernel_opened_files linux_keyboard_notifiers linux_ldrmodules linux_library_list linux_librarydump linux_list_raw linux_lsmod linux_lsof linux_malfind linux_memmap linux_moddump linux_mount linux_mount_cache linux_netfilter linux_netstat linux_pidhashtable linux_pkt_queues linux_plthook linux_proc_maps linux_proc_maps_rb linux_procdump linux_process_hollow linux_psaux linux_psenv linux_pslist linux_pslist_cache linux_pstree linux_psxview linux_recover_filesystem linux_route_cache linux_sk_buff_cache linux_slabinfo linux_strings linux_threads linux_tmpfs linux_truecrypt_passphrase linux_vma_cache ; do
echo -e "\n[$p]----------------------------------"
volatility --profile Linuxdebian8-3_18x64 -f my-memory-dump.lime $p;
done |tee volatility.memory.analysis.output.txt
While checking the output I observed some weird syscall hooking on my system for 32bit syscalls. You can check yours to see if the same is there.
[linux_check_syscall]----------------------------------
Table Name Index System Call Handler Address Symbol
---------- ----- ------------------------ ------------------ ------------------------------------------------------------
...
32bit 355 0xffffffff8134c760 SyS_getrandom
32bit 356 0xffffffff8110f500 SyS_memfd_create
32bit 357 0xffffffff810742c0 compat_sys_lookup_dcookie
32bit 358 0xffffffff818db1e0 HOOKED: UNKNOWN
32bit 359 0xffffffff818db1e0 HOOKED: UNKNOWN
32bit 360 0xffffffff818db1e0 HOOKED: UNKNOWN
...
As you can see there are something strange on that syscall table. If you have writable direct memory access you can try to do a 4 byte dd over those addresses and see what happens.
Another interesting thing was a hidden module found by volatility linux_hidden_modules plugin.
[linux_hidden_modules]----------------------------------
Offset (V) Name
------------------ ----
0xffffffffa0304800 snd
So we'll stay on this now... Volatility is a powerfull framework, I will try Rekall later as I already described is the new Volatility, and for what I saw it has more plugins, for instance a certificate finder, really usefull for decrypting SSL traffic on a sick machine.... later dudes.
Sem comentários:
Enviar um comentário