Windows Memory Analysis

Analyzing Stuxnet

vol.py -f stuxnet.vmem imageinfo

  • imageinfo only suggests candidate profiles. If the correct profile is not listed, pull the latest Volatility 2 release from GitHub; newer profiles ship with it

vol.py -f stuxnet.vmem --profile=WinXPSP2x86 pstree

  • svchost.exe should live only in %SystemRoot%\system32 and its parent should be services.exe (verify the full path with the cmdline plugin if in doubt)

  • lsass.exe : Local Security Authority Subsystem Service

    • Handles authentication and password-related functions on a Windows box

    • There should be exactly one lsass.exe

    • On Windows XP and older its parent is winlogon.exe; on Vista and newer it is wininit.exe

vol.py -f stuxnet.vmem --profile=WinXPSP2x86 pstree | egrep 'lsass|winlogon|services'

  • Two of the lsass.exe processes have services.exe as their parent, so take note of their PIDs (they are used below)

pslist

  • The equivalent of opening Task Manager on a live computer: it lists what the kernel reports as running

  • It walks the kernel's doubly linked list of EPROCESS structures (ActiveProcessLinks): each entry points to the process before it and the one after it, forming a chain

  • A rootkit can unlink its own entry from this chain (Direct Kernel Object Manipulation, DKOM) and the process disappears from pslist and Task Manager even though its threads keep running

psscan

  • Scans memory for EPROCESS structures (the kernel object backing every Windows process) by their pool tag, instead of trusting the doubly linked list

  • This finds hidden/unlinked processes. It also turns up recently exited processes whose EPROCESS has not been overwritten yet, so check the Time exited column before calling something hidden

  • Diff the results of psscan (exhaustive scan) and pslist (list walk): a PID that psscan reports but pslist does not is either hidden or terminated
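The parent/child rules and the psscan-versus-pslist diff above are the kind of check worth scripting rather than eyeballing. The following is an added example, not code from this page or from Volatility: it parses the text tables that Volatility 2 pslist and psscan print (the first four columns of both are Offset, Name, PID, PPID) and applies the rules. The sample tables are constructed; process names and the lsass.exe PIDs follow this page, while offsets, thread and handle counts, the hidden.exe entry and the trailing columns are placeholders or trimmed.

```python
"""Triage Volatility 2 process listings: apply the parent/child rules above and
diff psscan against pslist to surface unlinked (or terminated) processes."""
from collections import namedtuple

Proc = namedtuple("Proc", "name pid ppid")

# Constructed sample approximating the vol2 pslist table layout (trailing
# columns trimmed; offsets and counts are placeholders).
PSLIST = """\
Offset(V)  Name                    PID   PPID   Thds     Hnds   Sess  Wow64
---------- -------------------- ------ ------ ------ -------- ------ ------
0x82000000 System                    4      0     59      403 ------      0
0x82000100 smss.exe                376      4      3       19 ------      0
0x82000200 csrss.exe               600    376     11      395      0      0
0x82000300 winlogon.exe            624    376     19      570      0      0
0x82000400 services.exe            668    624     21      431      0      0
0x82000500 lsass.exe               680    624     19      342      0      0
0x82000600 svchost.exe             856    668     17      193      0      0
0x82000700 lsass.exe               868    668      2       23      0      0
0x82000800 lsass.exe              1928    668      4       65      0      0
"""

# Constructed psscan sample: everything pslist sees plus one unlinked entry
# (hidden.exe is invented to show the diff; it is not claimed to be in the image).
PSSCAN = """\
Offset(P)          Name                PID   PPID PDB
------------------ ---------------- ------ ------ ----------
0x0000000002000000 System                4      0 0x00319000
0x0000000002000100 smss.exe            376      4 0x0a1a0020
0x0000000002000200 csrss.exe           600    376 0x0a1a0040
0x0000000002000300 winlogon.exe        624    376 0x0a1a0060
0x0000000002000400 services.exe        668    624 0x0a1a0080
0x0000000002000500 lsass.exe           680    624 0x0a1a00a0
0x0000000002000600 svchost.exe         856    668 0x0a1a00c0
0x0000000002000700 lsass.exe           868    668 0x0a1a00e0
0x0000000002000800 lsass.exe          1928    668 0x0a1a0100
0x0000000002000900 hidden.exe         1620    668 0x0a1a0120
"""


def parse_proclist(text):
    """Parse a pslist or psscan table. Header and separator lines do not start
    with 0x, so only real rows are kept."""
    procs = []
    for line in text.splitlines():
        tok = line.split()
        if len(tok) < 4 or not tok[0].startswith("0x"):
            continue
        procs.append(Proc(tok[1].lower(), int(tok[2]), int(tok[3])))
    return procs


def hidden_pids(pslist_text, psscan_text):
    """PIDs the pool scan found but the linked-list walk did not. A recently
    terminated process shows up here too, so check psscan's exit time."""
    listed = {p.pid for p in parse_proclist(pslist_text)}
    scanned = {p.pid for p in parse_proclist(psscan_text)}
    return sorted(scanned - listed)


# Expected parent of the core processes discussed above; lsass.exe and
# services.exe depend on the OS generation (winlogon.exe on XP/2003,
# wininit.exe on Vista and newer).
CORE_PARENT = {
    "xp":     {"svchost.exe": "services.exe", "lsass.exe": "winlogon.exe", "services.exe": "winlogon.exe"},
    "vista+": {"svchost.exe": "services.exe", "lsass.exe": "wininit.exe", "services.exe": "wininit.exe"},
}


def parent_anomalies(procs, os_family="xp"):
    """Findings: more than one lsass.exe, or a core process with the wrong parent."""
    rules = CORE_PARENT[os_family]
    by_pid = {p.pid: p for p in procs}
    findings = []
    lsass = [p.pid for p in procs if p.name == "lsass.exe"]
    if len(lsass) != 1:
        findings.append(f"{len(lsass)} lsass.exe instances, expected 1: pids {lsass}")
    for p in procs:
        expected = rules.get(p.name)
        if expected is None:
            continue
        parent = by_pid.get(p.ppid)
        actual = parent.name if parent else "<no such pid>"
        if actual != expected:
            findings.append(f"{p.name} pid {p.pid}: parent is {actual} (pid {p.ppid}), expected {expected}")
    return findings


if __name__ == "__main__":
    for f in parent_anomalies(parse_proclist(PSLIST), "xp"):
        print("[parent]", f)
    print("[hidden] pids in psscan but not pslist:", hidden_pids(PSLIST, PSSCAN))
```

Run it with real output by piping `vol.py ... pslist` and `vol.py ... psscan` into files and reading them in place of the two constants; pass "vista+" for images newer than XP/2003 so the lsass.exe and services.exe parent rules switch to wininit.exe.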

malfind -p 1928,868 | more

  • malfind looks for hidden or injected code/DLLs in user-mode memory: private, executable regions that are not backed by a file on disk

  • Without -p, malfind scans every process; on this image that lists the two identified malicious processes along with some other processes that are likely also compromised

  • The result shows Protection as PAGE_EXECUTE_READWRITE (the region is readable, writable and executable at once). Legitimately loaded code is mapped from a file and is not writable and executable at the same time; the hexdump of such a region often begins with the MZ magic of a PE header

  • That the region shows up in malfind at all, with those permissions, is a red flag

  • malfind on the legitimate lsass.exe PID returns nothing, as it found nothing suspicious in that process
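malfind output is noisy on a full scan, and the page's observation (RWX protection plus a PE header at the start of the region) is the signal worth ranking on. The following is an added example, not code from this page or from Volatility: it parses the text that Volatility 2 malfind prints for each region and scores it, so that a private RWX region starting with MZ sorts above an RWX region with no PE header (JIT engines and packers produce the latter). The sample output is constructed to approximate the vol2 format; the lsass.exe PID follows this page, while the addresses, bytes and the explorer.exe record are placeholders.

```python
"""Triage Volatility 2 malfind output: parse each flagged region and rank it."""
import re

# Constructed sample approximating the vol2 malfind text format (placeholders,
# not real output from the image).
MALFIND_OUTPUT = """\
Process: lsass.exe Pid: 868 Address: 0x80000
Vad Tag: Vad Protection: PAGE_EXECUTE_READWRITE
Flags: CommitCharge: 2, Protection: 6

0x00080000  4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00   MZ..............
0x00080010  b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00   ........@.......

0x00080000 4d               DEC EBP
0x00080001 5a               POP EDX

Process: explorer.exe Pid: 1196 Address: 0x1460000
Vad Tag: VadS Protection: PAGE_EXECUTE_READWRITE
Flags: CommitCharge: 1, MemCommit: 1, PrivateMemory: 1, Protection: 6

0x01460000  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
0x01460010  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................

0x01460000 0000             ADD [EAX], AL
"""

HEADER = re.compile(r"^Process: (\S+) Pid: (\d+) Address: (0x[0-9a-fA-F]+)")
VADLINE = re.compile(r"^Vad Tag: (\S+)\s+Protection: (\S+)")
# A hexdump row is an address followed by exactly 16 space-separated byte pairs;
# the disassembly rows that follow also start with an address but do not match.
HEXROW = re.compile(r"^0x[0-9a-fA-F]+\s+((?:[0-9a-f]{2} ){15}[0-9a-f]{2})")


def parse_malfind(text):
    """Return one dict per flagged region: process, pid, address, VAD tag,
    protection and the first 16 bytes of the region."""
    records, cur = [], None
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            cur = {"process": m.group(1), "pid": int(m.group(2)),
                   "address": int(m.group(3), 16), "tag": "", "protection": "", "first_bytes": b""}
            records.append(cur)
            continue
        if cur is None:
            continue
        m = VADLINE.match(line)
        if m:
            cur["tag"], cur["protection"] = m.group(1), m.group(2)
            continue
        m = HEXROW.match(line)
        if m and not cur["first_bytes"]:  # keep only the first row of the hexdump
            cur["first_bytes"] = bytes.fromhex(m.group(1).replace(" ", ""))
    return records


def rank_regions(records):
    """Score 3: RWX region starting with an MZ header; 2: RWX without one; 1: anything else."""
    ranked = []
    for r in records:
        rwx = r["protection"] == "PAGE_EXECUTE_READWRITE"
        has_mz = r["first_bytes"].startswith(b"MZ")
        if rwx and has_mz:
            score, why = 3, "PE header in writable+executable private memory (injected image)"
        elif rwx:
            score, why = 2, "writable+executable memory without a PE header (shellcode, JIT or packer stub)"
        else:
            score, why = 1, "flagged by malfind but not RWX"
        ranked.append({**r, "score": score, "why": why})
    return sorted(ranked, key=lambda r: (-r["score"], r["pid"]))


if __name__ == "__main__":
    for r in rank_regions(parse_malfind(MALFIND_OUTPUT)):
        print(f"[{r['score']}] {r['process']} pid {r['pid']} @ {r['address']:#x} "
              f"{r['protection']} first bytes {r['first_bytes'][:4].hex()}: {r['why']}")
```

Feed it a real scan with `vol.py -f stuxnet.vmem --profile=WinXPSP2x86 malfind > malfind.txt` and read that file in place of the constant; regions scored 3 are the ones to dump first.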

hollowfind

  • Process Hollowing (Hollow Process Injection) starts a legitimate executable in a suspended state, unmaps or overwrites its in-memory image with malicious code, points the main thread at the new entry point and resumes it, so the process keeps its original name, path and other characteristics. Plain Process Injection instead writes code into a process that is already running and makes that process execute it

    • hollowfind is a community plugin, not part of the core Volatility 2 distribution; point Volatility at it with --plugins=<path to the community plugins directory>

  • VAD - Virtual Address Descriptor - a kernel-mode tree describing each region of the process address space, including which file (if any) is mapped there

  • PEB - Process Environment Block - lives in user-mode process memory and records, among other things, the image base and image path the process believes it was started from

  • The plugin compares what the VAD says about the image region with what the PEB claims and reports discrepancies that indicate hollowing

  • In the result, the process path is empty under VAD but present under PEB, and the region is PAGE_EXECUTE_READWRITE: an executable area of memory with no mapped file on disk behind it

  • It reports Invalid EXE Memory Protection (PAGE_EXECUTE_READWRITE where an image mapping would be expected) and Process Path Discrepancy (the VAD path is blank)

  • So the two identified processes are malicious
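The two findings hollowfind reports come from a simple comparison, and seeing it as code makes clear why a hollowed process trips both while a legitimate one trips neither. The following is an added example, not code from this page or from the hollowfind plugin: it models the VAD entry covering the image base and the PEB's view of the image as plain dictionaries (the real plugin reads them out of the memory image) and applies the two checks. The addresses and paths in the three constructed cases are illustrative; the expectation that a loader-mapped image section is PAGE_EXECUTE_WRITECOPY with a file object behind it is what the checks rest on.

```python
"""Model of the two hollowfind checks, run on hand-built VAD/PEB data."""


def _norm(path):
    """Loose path comparison: the VAD file object carries an NT-style path
    without a drive letter, the PEB a Win32 path with one."""
    p = path.lower().replace("/", "\\")
    if len(p) > 1 and p[1] == ":":
        p = p[2:]
    return p


def hollow_indicators(vad_entries, peb_image_base, peb_image_path):
    """vad_entries: list of dicts {start, end, protection, file} as a VAD walk
    would yield (file is the mapped file's path, or None for private memory).
    peb_image_base / peb_image_path: ImageBaseAddress and ImagePathName from the PEB."""
    vad = next((v for v in vad_entries if v["start"] <= peb_image_base < v["end"]), None)
    if vad is None:
        return ["No VAD covers the PEB ImageBaseAddress"]
    findings = []
    # A section the loader mapped from the image file is PAGE_EXECUTE_WRITECOPY;
    # any other protection at the image base is reported.
    if vad["protection"] != "PAGE_EXECUTE_WRITECOPY":
        findings.append(f"Invalid EXE Memory Protection: {vad['protection']}")
    # The loader-mapped image has a file object; after hollowing it is gone
    # (or names a different file than the PEB claims).
    if not vad["file"]:
        findings.append(f"Process Path Discrepancy: VAD has no mapped file, PEB says {peb_image_path}")
    elif _norm(vad["file"]) != _norm(peb_image_path):
        findings.append(f"Process Path Discrepancy: VAD {vad['file']} vs PEB {peb_image_path}")
    return findings


# Constructed cases (addresses and paths are illustrative, not read from the image)
PEB_BASE, PEB_PATH = 0x1000000, r"C:\WINDOWS\system32\lsass.exe"
LEGIT = [{"start": 0x1000000, "end": 0x1006000, "protection": "PAGE_EXECUTE_WRITECOPY",
          "file": r"\WINDOWS\system32\lsass.exe"}]
HOLLOWED = [{"start": 0x1000000, "end": 0x1006000, "protection": "PAGE_EXECUTE_READWRITE",
             "file": None}]
SWAPPED = [{"start": 0x1000000, "end": 0x1006000, "protection": "PAGE_EXECUTE_WRITECOPY",
            "file": r"\DOCUME~1\user\payload.exe"}]

if __name__ == "__main__":
    for label, vads in (("legit", LEGIT), ("hollowed", HOLLOWED), ("swapped image", SWAPPED)):
        print(label, "->", hollow_indicators(vads, PEB_BASE, PEB_PATH) or ["clean"])
```

The swapped-image case is the variant where the attacker maps a different file over the original image rather than private memory: the protection check passes but the path comparison still fires, which is why the plugin reports both checks separately.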

procdump -p 1928,868 --dump-dir=./

  • Dumps the process executable out of memory onto disk for further analysis (the PE is rebuilt from memory, so it will not be byte-identical to the file that was originally on disk)

  • Run file against the dumped files to confirm they are executables

sha256sum *.exe

  • Generates a SHA256 hash for each dumped file

  • Look the hashes up on VirusTotal. A hash of a memory-dumped executable rarely matches the original sample on disk, so no match is not evidence that the file is clean

Volatility 3 equivalents (no --profile is needed; Volatility 3 selects the symbol table automatically)

imageinfo : vol.py -f {mem file} windows.info

pstree | pslist | psscan : vol.py -f {mem file} windows.pstree, windows.pslist or windows.psscan

malfind : vol.py -f {mem file} windows.malfind

procdump : vol.py -f {mem file} windows.pslist --pid {pid} --dump
