MEMORY ANALYSIS TOOLS


I have been teaching myself how to analyze memory dumps from various window machines.  Memory analysis has come a long way in a very short period of time and there are tools out there that do a very good job of parsing through these memory dumps.  So I thought I would provide a little information to the community on what tools are out there and some basic uses of these tools. 

 

Acquistion of Memory

 

win32dd-This is the easiest of the command line tools and probably one of the most used “open source” tools out there.  The basic syntax is as follows:

 

win32dd (output file)

 

That’s it, all you need to do is provide the name of the output file and where you want it saved.

 

There are also some “commercial” products out there like (Encase and FTK) but I will only be discussing “open source” tools in this blog.

 

Analysis of Memory

The following tools are the ones that I have used in the past and I realize there are probably more out there.

 

Memparser-This is a python script and can be found in the SANS Sift Workstation and is only used against Windows 2000 machines.

Memoryze-This tool was created by Kevin Mandia’s company “Mandiant” and is a free dowload.  This tool will only work on Windows XP SP2 and SP3, Windows Vista and Windows 2003 SP2.  There is a very good paper out there on how to use this tool at http://www.issa.org/Library/Journals/2009/February/McRee-toolsmith.pdf.

Volatility 1.3-This is a command line tool and is open source and contains “plugins” written by the community to parse through Windows XP SP2 and SP3 memory dump only.  This tool can be downloaded using SVN and the url is http://volatiltiy.googlecode.com.

Volatility 1.4_RC1-This is the latest version of volatility and has not been officially released yet but it can still be downloaded and used against Window 7 memory dumps only.  There is no documentation as of yet but should be available this summer.

 

Basic Use of Volatility

 

Once you have it downloaded the tool you will need to also download all the 3rd party plugins.  A bash script is available that will download all the plugins and place them in the appropriate folder.  It will also download the most current released version of volatility and install all perl modules needed to ensure the tool works properly.  This script can be dowloaded HERE.  Once all that is done then you can execute the following syntax to get a listing of available plugins:

 

python volatility –help

 

Plugin Description Primary Maintainer Core Vote
apihooks Find API hooks MHL .
bioskbd Reads the keyboard buffer from Real Mode memory MA Yes
connections Print list of open connections . Yes
connscan2 Scan Physical memory for TCPT_OBJECT objects (tcp connections) . Yes
crashdump Dumps the crashdump file to a raw file . Yes
crashinfo Dump crash-dump information . Yes
csrpslist Find hidden processes with csrss handles and CsrRootProcess MHL .
datetime Get date/time information for image MA Yes
dlllist Print list of loaded dlls for each process . Yes
dlldump Dump a DLL from a process address space MHL Yes (in contrib folder)
driverirp Driver IRP hook detection MHL .
driverscan Scan for driver objects DRIVER_OBJECT . .
files Print list of open files for each process . Yes
filescan Scan Physical memory for FILE_OBJECT pool allocations . .
getsids Print the SIDs owning each process moyix Yes
hashdump Dumps passwords hashes (LM/NTLM) from memory moyix Yes
hibdump Dumps the hibernation file to a raw file . Yes
hibinfo Dump hibernation file information . Yes
hivedump Prints out a hive moyix Yes
hivelist Print list of registry hives. moyix Yes
hivescan Scan Physical memory for CMHIVE objects (registry hives) moyix Yes
idt Display Interrupt Descriptor Table MHL .
imageinfo Identify information for the image MA Yes
impscan Scan a module for imports (API calls) MHL .
ldrmodules Detect unlinked DLLs MHL .
kpcrscan Search for and dump potential KPCR values scudette Yes
lsadump Dump (decrypted) LSA secrets from the registry moyix Yes
malfind Find hidden and injected code MHL .
memdump Dump the addressable memory for a process . Yes
memmap Print the memory map . Yes
moddump Dump out a kernel module (aka driver) . Yes (in contrib folder)
modscan2 Scan Physical memory for LDR_DATA_TABLE_ENTRY objects . Yes
modules Print list of loaded modules MA .
mutantscan Scan for mutant objects KMUTANT . .
mutantscandb mutantscan extension for highlighting suspicious mutexes MHL .
notifyroutines Print system-wide notification routines MHL .
orphanthread Locate hidden threads MHL .
patcher Patches memory based on page scans MA Yes
printkey Print a registry key, and its subkeys and values moyix Yes
procexedump Dump a process to an executable file sample . Yes
procmemdump Dump a process to an executable memory sample . Yes
pslist print all running processes by following the EPROCESS lists . Yes
psscan Scan Physical memory for EPROCESS objects . Yes
pstree Print process list as a tree scudette Yes
regobjkeys Print list of open regkeys for each process MA .
sockets Print list of open sockets . Yes
sockscan Scan Physical memory for ADDRESS_OBJECT objects (tcp sockets) . Yes
ssdt Display SSDT entries moyix Yes
ssdt_by_threads SSDT hooks by thread MHL .
ssdt_ex SSDT Hook Explorer for IDA Pro (and SSDT by thread) MHL .
strings Match physical offsets to virtual addresses (may take a while, VERY verbose) . .
svcscan Scan for Windows services MHL .
thrdscan Scan Physical memory for ETHREAD objects . Yes
thrdscan2 Scan physical memory for ETHREAD objects . Yes
vaddump Dumps out the vad sections to a file . .
vadinfo Dump the VAD info . .
vadtree Walk the VAD tree and display in tree format . .
vadwalk Walk the VAD tree . .

 

The above table shows all the current plugins for Volatility 1.4.

 


Plugin Author URL Description Status Supported OSes Core Vote
bioskbd AB & MA url Reads the keyboard buffer from Real Mode memory . . Yes
cryptoscan JesseK url Finds Truecrypt passphrases . . No
DriverIRP MHL url Prints driver IRP function addresses . . Yes
driverscan Andreas Schuster url Scan for kernel _DRIVER_OBJECTs. (Note: If running the SVN version of Volatility, just install the plugin file from this archive.) . . Yes
dmp2raw . . Convert a crash dump to a raw dump . . .
fileobjscan AKA filescan (1.4 branch) Andreas Schuster url File object -> process linkage, including hidden files. (Note: If running the SVN version of Volatility, just install the plugin file from this archive.) . . Yes
getsids Moyix url Get information about what user (SID) started a process. . . Yes
IDT MHL url Prints the Interrupt Descriptor Table (IDT) addresses for one processor . . Yes
kernel_hooks MHL url Detects IAT, EAT, and in-line hooks in kernel drivers instead of usermode modules . . Yes
keyboardbuffer Andreas Schuster url Extracts keyboard buffer used by the BIOS, which may contain BIOS or disk encryption passwords. . . (Above)
kpcrscan Bradley Schatz url Finds potential KPCR addresses . . .
malfind2 MHL url Automates the process of finding and extracting (usually malicious) code injected into another process . . Yes
moddump Moyix url Dump out a kernel module (aka driver) . . Yes
mutantscan Andreas Schuster url Extracts mutexes from the Windows kernel.(Note: If running the SVN version of Volatility, just install the plugin file from this archive.) . . No
objtypescan Andreas Schuster url Enumerates Windows kernel object types. (Note: If running the SVN version of Volatility, just install the plugin file from this archive) . . Yes
orphan_threads MHL url Detects hidden system/kernel threads . . No
patcher MA url Patches memory based on page scans . . Yes
psscan3 Moyix url Scans the physical address space looking for memory resident data structures associated with processes. . . Yes
pstree Scudette url Produces a tree-style listing of processes . . Yes
raw2dmp . . Convert a raw dump to a crash dump . . .
Registry Tools Moyix url A suite of plugins for accessing data from the registry, including password hashes, LSA secrets, and arbitrary registry keys . . Yes
Modified Regripper & Glue Code Moyix url Code to run a modified RegRipper against the registry hives embedded in a memory dump. Note that due to a dependency on Inline::Python, this only works on Linux. . . No
sqlite3 Gleeda url Allows one to place Volatility output into a SQLite3 Database . . As example
ssdt Moyix url List entries in the system call table. Can be used to detect certain rootkits that hook system calls by replacing entries in this table . . Yes
suspicious JesseK url Identify suspicious processes. This version counts any command line running Truecrypt or any command line that starts with a lower case drive letter as suspicious . . No
symlinkobjscan Andreas Schuster url Extracts symbolic link objects from the Windows kernel.(Note: If running the SVN version of Volatility, just install the plugin file from this archive.) . . Yes
threadqueues Moyix url Enumerates window messages pending for each thread on the system. Window messages are the mechanism used to send things like button presses, mouse clicks, and other events to GUI programs. . . No
usermode_hooks MHL url Detect IAT/EAT/Inline rootkit hooks . . Yes
verinfo MA url Prints out the version information from PE images . . NO
Volatility Analyst Pack 0.1 MHL url A pack which contains updates to many of the listed modules . . (included above)
volshell Moyix url Creates a python shell can be used with the framework . . No

 

The above table shows all the plugins available for Volatiltiy 1.3.  There are also plenty of documentation on how to use this product, in fact, I wrote the manual on the use of this product which is located in the document library on this forum.  To view this manual click HERE.

 

One of the questions I always get from someone that is just starting out using this tool is “Which plugins do I use first and in what order.”  There is no right and wrong answer here but here is a list of some basic plugins I use just to see what is going on.

 

Date/TIme-This will give you the date and time of when the memory image was taken.

Ident-This will tell you about what operating system it came from.

Connscan-This will list the connections.

pstree and pslist-This will list all the processes in use at the time of the memory dump.  This is where you need to pay attention to the PID numbers and what service spawned what.  Once you find a suspected file or malware being spawned by for example “services.exe” then you would move on to the next plugin.

procdump-This will dump the process (exe) of the PID that you provide, so you need to make sure you give it the right PID number.

 

As with anything this tool requires the user to practice and become familiar with the plugins and what they can do.  Please take a look at some of the external links on the Training wiki to forensic challenges.

 

The last thing I want to discuss is the hiberfil.sys file.  This file will be found on a laptop computer that has gone into “hibernation mode” at some point.  The contents of the memory is dumped into the file in a compressed state.  So you need a tool to uncompress the memory so you can run these tools against it.  And it so happens that Volatility has a plugin that will do that for you.  That plugin is Hibinfo and the syntax is as follows: 

 

Python volatility hibinfo -f (path to image) -d (path and name of the output file ie memory.dd)

 

Once that is done then you can use volatility or whatever tool you like against the dump file.

Rebuilding Executable Images From Memory


One of the questions I initially had when I started analyzing memory images with Volatility was how do I extract the malicious executable from memory that the RE guys will be able to analyze. I kept running into the problem of not getting all the API functions with the executable and the RE guys kept telling me they could not do a complete analysis since they did not have all the functions.

So I picked up the book “Malware Analyst’s Cookbook and DVD” because there are 4 chapters dedicated to Volatility and one of those chapters (Chapter 16, Recipe 16-7) specifically deals with extracting the executable along with the API functions. So the following is a summarized excerpt of that recipe for those of you who do not have the above referenced book. This discussion will assume the reader has installed the latest version of Volatility from http://volatility.googlecode.com and installed all the available plugins and dependencies required. There are excellent walk-thru’s on the volatility website for that.

In general, to rebuild an executable from memory, you need to parse the PE section headers to learn the addresses and sizes of the PE sections. Then, you can carve out the appropriate amount of data from memory and re-combine the sections into a file on disk according to their original positions. There are references that provide a much deeper understanding of this process and are listed as follows:

http://computer.forensikblog.de/en/2006/04/reconstructing_a_binary.html (Andreas Schuster)

http://windowsir.blogspot.com/2006/07/automatic-binary-reassembly-from-ram.html (Harlan Carvey)

http://jessekornblum.com/presentation/dodcc07.html (Jesse Kornblum)

The methods described in the above publications rely on information in the PE header and do not attempt to reconstruct the Import Address Table (IAT). Malware samples that erase the entire PE header, relocate the IAT, or that use run-time dynamic linking cause significant problems. You still will be able to dump the binary using the base address and size information from the PE header (if it exists) or the base address and size information from the VAD; however, you will not be able to tell which API functions the malware calls. The following excerpt will explain methods to work around these anti-analysis techniques based on scanning the process address space for API calls, without relying on data in the IAT.

The first step is to use pslist or psscan to generate list of processes. Once you know the PID or _EPROCESS offset for the process that you want to dump, then you can pass it to procexedump or simply the leave off the -p parameter to dump all the processes. The syntax would be as follows:

python volatility.py pslist -f laqma.vmem (whatever the name of your memory image is) -p PID number

I would suggest at this point you download your favorite PE viewer and if you do not have one then I would suggest downloading CFF Explorer. Once you have dumped your process out then open it up using CFF Explorer and see if the IAT contains the right information. If it is a legitimate file it probably will but if not it will probably be missing the imported function names. At this point, you cold load the dumped file in IDA Pro and try your best to determine its capabilities without IAT information. Or you could scan the file with multiple anti-virus engines to see if they detect anything in the unpacked process image. However, what you typically want to do is perform a more thorough reverse-engineering tasks, which requires information about the imported functions.

Scanning For Imported Functions with IMPSCAN

The reason you should be concerned with an incomplete IAT is that it will hinder your ability to perform a thorough code analysis. If you try to examine the instructions in the dumped file using IDA Pro, then you will see placeholders instead of API calls. Since IDA does not have access to the entire process’s memory, it cannot determine what APIs exist at those addresses in order to label them. The impscan plug-in for Volatility aims to solve the problem of incomplete import tables. It is very unlikely that the dumped program will match the original or even execute on another machine. That is fine because all you really need to complete a thorough analysis of the malware’s capabilities is to be able to see which API functions it is calling in the disassembly. Therefore, impscan does not attempt to produce a patched version of the dumped file as Import REConstructor does for live systems. Instead, it simply provides labels that you can import into IDA Pro. Below is the syntax for impscan to scan a process for imported functions:

python volatility.py impscan -p 920 -f laqma.vmem –dump-dir=outdir

impscan works by determining the base address and size of all DLLs in a process. Using pefile, it parses the Export Address Table (EAT) of the DLLs to determine the offsets and names of exported functions. Then, using pydasm, it scans the process executable (or any memory range in the process address space as specified with the -a and -s flags) looking for call or jmp instructions. If the destination of one of the call or jmp instructions leads to an API, them impscan records the address of the instruction and the corresponding API function name. Impscan produces MakeName statements, which you can transfer into IDA Pro. These statements contain the missing information that IDA needs to link the placeholders presented earlier with the name of the API function stored at that address.

To apply the labels, click File → IDC Command, paste in the MakeName statements, and click OK. Once you have clicked OK, you will immediately see changes applied throughout the program. You can get even more information out of IDA by choosing to re-analyze the program. Now that IDA can tell which API functions the program is calling, IDA can label arguments accordingly. To do this, Click Options → General → Analysis → Reanalyze Program. Once this is complete then you can save your work through IDA Pro and then give that file to your RE guys for a detailed analysis. This will make their life a little easier and they will be much more receptive in handling executables from memory.

This process will create two files (bin file and a bin.idc) so if you are not an RE guy then you can take these two files along with the executable and give those to your RE guys who will know how to import them into IDA.

The impscan is not part of the volatility install but is a python script found on the DVD of the above referenced book.  I have uploaded this script to the library for everyone’s use.  The file is called “malware.py” and contains numerous scripts in one and the impscan script is part of that.