Windows Memory Analysis
Analyzing Stuxnet
vol.py -f stuxnet.vmem imageinfo
If the correct profile is not available, pull the latest release from GitHub
vol.py -f stuxnet.vmem --profile=WinXPSP2x86 pstree
svchost.exe should live only in the Windows system32 directory and should have services.exe as its parent
lsass.exe : Local Security Authority Subsystem Service
Handles authentication and password-related functions on a Windows host
There should be only one lsass.exe
On WinXP or older systems it should have a parent of winlogon.exe and on Vista and newer systems the parent should be wininit.exe
pstree | egrep 'lsass|winlogon|services'
Two lsass.exe processes have a parent of services.exe, so take note of those PIDs.
pslist
Equivalent of running windows task manager on a live computer
This walks a doubly linked list in which each process entry points to the entry before it and the entry after it, forming a chain of processes
Rootkits can unlink themselves from this chain and hide
psscan
Looks for the EPROCESS block (memory structure associated with Windows processes) within a memory image, instead of trusting the doubly linked list
This will find the hidden and unlinked processes
Diff the results of psscan (in-depth) and pslist (higher level) to find the differences.
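As an added example that is not part of these notes or of Volatility itself, the parent checks above and the pslist versus psscan diff as a small Python script over constructed pslist-style output; the offsets, the name hidden.exe and every PID other than the two suspect lsass.exe PIDs (1928, 868) from the notes are made up:

```python
# Constructed Volatility 2 pslist-style output. Offsets and all PIDs except the two
# suspect lsass.exe PIDs (1928, 868) from the notes above are made up.
PSLIST = """\
Offset(V)  Name                    PID   PPID   Thds     Hnds   Sess  Wow64 Start
---------- -------------------- ------ ------ ------ -------- ------ ------ ----------
0x8210b020 smss.exe                376      4      3       19 ------      0 2011-06-03 04:26:31
0x81f89020 winlogon.exe            624    376     19      570      0      0 2011-06-03 04:26:32
0x81fab020 services.exe            668    624     21      431      0      0 2011-06-03 04:26:33
0x81e7bda0 lsass.exe               680    624     19      342      0      0 2011-06-03 04:26:33
0x820e0020 svchost.exe             856    668     17      193      0      0 2011-06-03 04:26:34
0x81ff3020 lsass.exe               868    668      2       23      0      0 2011-06-03 04:26:55
0x82034da0 lsass.exe              1928    668      4       65      0      0 2011-06-03 04:26:55
"""
# Constructed psscan-style output: the same processes plus one unlinked from the list.
PSSCAN = PSLIST + "0x8203f020 hidden.exe             2044    668      1       12      0      0 2011-06-03 04:27:00\n"

def parse_procs(text):
    """Map PID -> (name, PPID) from every line that starts with a hex offset."""
    procs = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 4 and parts[0].startswith("0x"):
            procs[int(parts[2])] = (parts[1].lower(), int(parts[3]))
    return procs

# Expected lsass.exe parent per OS generation, as stated in the notes.
LSASS_PARENT = {"xp": "winlogon.exe", "vista+": "wininit.exe"}

def lineage_findings(text, os_family="xp"):
    """Flag duplicate lsass.exe and lsass.exe/svchost.exe entries with the wrong parent."""
    procs = parse_procs(text)
    name_of = lambda pid: procs.get(pid, ("<unknown>", None))[0]
    findings = []
    lsass = sorted(pid for pid, (name, _) in procs.items() if name == "lsass.exe")
    if len(lsass) > 1:
        findings.append((lsass, "more than one lsass.exe"))
    for pid, (name, ppid) in sorted(procs.items()):
        if name == "lsass.exe" and name_of(ppid) != LSASS_PARENT[os_family]:
            findings.append((pid, "lsass.exe parent is %s, expected %s"
                             % (name_of(ppid), LSASS_PARENT[os_family])))
        elif name == "svchost.exe" and name_of(ppid) != "services.exe":
            findings.append((pid, "svchost.exe parent is %s, expected services.exe"
                             % name_of(ppid)))
    return findings

def hidden_pids(pslist_text, psscan_text):
    """PIDs psscan carves from EPROCESS blocks that the pslist linked-list walk never reached."""
    return sorted(set(parse_procs(psscan_text)) - set(parse_procs(pslist_text)))
```

Feed it the saved output of the real pstree/pslist and psscan runs instead of the constructed strings to get the same checks on an actual image.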
malfind -p 1928,868 | more
Malfind shows hidden or injected code / DLLs in user mode memory
Without the -p filter, this will return the two identified malicious processes along with some other processes that are likely also compromised
The result shows Protection as PAGE_EXECUTE_READWRITE (process has execute, read, and write permissions. Typically, memory sections shouldn't be executable and writable simultaneously)
The fact that it showed up in malfind, and that those permissions are associated with it, is a red flag
Malfind on the legitimate lsass.exe PID returns nothing, as it finds nothing suspicious about that process
hollowfind
Process Hollowing / Hollow Process Injection takes a legitimate process, starts a copy of it in a suspended state, replaces the executable memory within that process with malicious code and then resumes it, so the process keeps its name, path and other characteristics. Process Injection, by contrast, injects malicious code into an already running process, which then executes that code
VAD - Virtual Address Descriptor - lives in kernel memory
PEB - Process Environment Block - lives in process memory
This plugin compares VAD and PEB and looks for discrepancies that may indicate process hollowing
In the result, the process path is missing under VAD but present under PEB, and it also shows PAGE_EXECUTE_READWRITE, an executable area of memory that has no associated mapped file on disk
It reports Invalid EXE Memory Protection (which is PAGE_EXECUTE_READWRITE) and Process Path Discrepancy (the VAD process path is blank)
So the two identified processes must be malicious
procdump -p 1928,868 --dump-dir=./
Dumps the process executable out of memory onto disk for further analysis
Run file against the dumped processes and you can see they are executables
sha256sum *.exe
This generates a SHA256 hash for each of the dumped files
Use the hash and look it up on VirusTotal.
Volatility 3 commands
imageinfo : vol.py -f {mem file} windows.info
pstree | pslist | psscan : vol.py -f {mem file} windows.pstree|pslist|psscan
malfind : vol.py -f {mem file} windows.malfind
procdump : vol.py -f {mem file} windows.pslist --pid {pid} --dump