Memory Forensics Using the Volatility Framework

Professor K
17 Nov 202018:24

Summary

TLDR本视频展示了如何使用易变性框架对感染了Crydex恶意软件的Windows XP机器的内存转储进行分析。教授K通过创建文件夹、下载恶意软件样本、使用不同插件(如ps list、ps tree、conscan、netscan和sockets)来识别运行中的进程、隐藏的进程、活动套接字和开放的连接。通过分析,发现了一个可疑的进程reader_underscoresl.exe,它与explorer.exe有关联,并且通过POST请求与特定IP地址通信。通过VirusTotal网站的在线检查确认了该可执行文件为恶意软件。进一步的注册表分析揭示了恶意软件通过修改启动注册表项来实现每次启动时自动运行。

Takeaways

  • 🔍 使用Volatility框架进行内存分析,可以帮助识别和分析恶意软件。
  • 💻 实验室演示使用了Windows XP机器的内存转储,感染了名为Crydex的恶意软件。
  • 📂 创建一个文件夹用于存放和分析内存转储文件,例如在桌面创建名为'memdump'的文件夹。
  • 🔗 通过开源位置下载Crydex恶意软件样本,以便进行分析。
  • 🖥️ 使用CSI或Linying等工具来分析内存样本。
  • 🛠️ 利用Volatility框架的'pslist'和'pstree'插件来查看运行中的进程。
  • 🔎 识别可疑进程,如'reader_underscoresl.exe',它可能与恶意软件有关。
  • 🌐 使用'conscan', 'netscan'和'sockets'插件来检查运行中的套接字和开放的连接。
  • 📊 通过命令行插件查看在内存转储期间执行的命令,以追踪可疑活动。
  • 🔒 使用'strings'命令来检查内存中特定进程的数据,寻找潜在的恶意行为证据。
  • 📋 通过在线服务如VirusTotal来验证可疑文件是否为恶意软件。
  • 🔄 分析注册表,确定恶意软件如何被启动,以及如何通过修改启动项来持续存在。

Q & A

  • 本次视频中使用的记忆分析工具是什么?

    -本次视频中使用的记忆分析工具是Volatility框架。

  • 教授K在视频中分析的恶意软件样本名称是什么?

    -教授K在视频中分析的恶意软件样本名称是CryDex。

  • 在进行记忆分析之前,教授K首先创建了一个名为什么的文件夹?

    -在进行记忆分析之前,教授K首先创建了一个名为'memdump'的文件夹。

  • 教授K是如何获取到CryDex恶意软件样本的?

    -教授K通过访问开源位置的网站,从该网站下载了CryDex恶意软件样本。

  • 在Volatility框架中,教授K使用了哪个插件来获取关于内存转储的详细信息?

    -在Volatility框架中,教授K使用了'imageinfo'插件来获取关于内存转储的详细信息。

  • 在分析过程中,教授K发现了哪个可疑进程?

    -在分析过程中,教授K发现了一个名为'reader_underscoresl.exe'的可疑进程。

  • 教授K使用了哪些Volatility插件来检查运行中的套接字和开放的连接?

    -教授K使用了'conscan'、'netscan'和'sockets'三个Volatility插件来检查运行中的套接字和开放的连接。

  • 在检查注册表时,教授K发现了哪个启动项可能是恶意的?

    -在检查注册表时,教授K发现'kb0020787.exe'可能是恶意的启动项。

  • 教授K如何确认reader_underscoresl.exe是恶意软件?

    -教授K通过使用在线网站VirusTotal来检查reader_underscoresl.exe,并确认它是恶意软件。

  • 教授K在视频中提到,如果不及时清除恶意软件的启动项,会有什么后果?

    -如果不及时清除恶意软件的启动项,每次系统启动时,恶意软件都会被重新生成或替换,导致病毒扫描器无法彻底清除。

  • 教授K在视频中建议如何彻底删除CryDex恶意软件?

    -教授K建议除了删除恶意执行文件外,还需要清除启动注册表项,以防止恶意软件在每次启动时重新生成。

Outlines

00:00

🔍 实验室准备与Volatility框架介绍

本段介绍了实验室的准备工作,包括创建工作文件夹、使用CSI工具(或类似的工具)进行内存分析。教授K将使用Volatility框架来分析一个感染了CryDex恶意软件的Windows XP机器的内存转储。首先,教授K指导如何在桌面创建一个名为'memdump'的文件夹,并展示了如何下载恶意软件样本和提取到指定文件夹。接着,通过终端启动Volatility框架,并使用'volatility -f'命令结合'imageinfo'插件来获取内存转储的详细信息,确定其来源。

05:01

📋 分析进程列表与识别可疑进程

在这一段中,教授K继续操作Volatility框架,使用'pslist'和'pstree'插件来查看Windows XP机器上运行的进程。他指出,虽然有些进程是正常的Windows操作系统功能,但有些如'explorer.exe'和未知的'reader_sl.exe'等进程需要特别注意。通过'psxview'插件,教授K检查是否有进程试图隐藏。虽然没有发现隐藏进程,但他通过'conscan'、'netscan'和'sockets'插件检查了运行中的套接字和开放的连接,发现了两个使用PID 1484的连接。

10:02

🔎 深入分析可疑进程与恶意软件确认

在这一部分,教授K通过命令行插件'cmdline'和内存转储插件'dump'来分析与'sreader_sl.exe'进程相关联的命令。他发现'explorer.exe'与'reader_sl.exe'有关联,并通过'strings'命令进一步分析了该进程的内存内容,揭示了该进程试图通过POST请求将信息发送到IP地址41.168.5.140。为了确认'sreader_sl.exe'是否为恶意软件,教授K建议使用在线服务如VirusTotal进行检测。结果显示,32个病毒扫描器中的72个将其识别为恶意软件。

15:03

🛠️ 恶意软件启动机制分析与解决方案

最后一段中,教授K探讨了如何通过分析注册表来确定恶意软件的启动机制。他使用'hivelist'插件列出了目标机器上的注册表蜂巢,并通过'-k'参数查看了启动时运行的键值。他发现了'kb0020787.exe'在启动时被注册表指定运行,这可能是恶意软件重新加载的原因。通过进一步分析,教授K确认了'kb0020787.exe'与PID 1640的进程有关联,揭示了恶意软件如何每次启动时重新加载。他总结了如何从受感染的机器上删除此恶意软件,并结束了这段关于使用Volatility框架进行内存分析的视频演示。

Mindmap

Keywords

💡挥发性框架(Volatility Framework)

挥发性框架是一个开源的内存分析工具,用于从操作系统内存转储中提取信息。在视频中,教授使用该框架来分析感染了Crydex恶意软件的Windows XP机器的内存转储。这个工具可以帮助确定内存转储的来源,并提取有关进程、网络连接等的信息,对于数字取证和恶意软件分析至关重要。

💡内存转储(Memory Dump)

内存转储是指操作系统内存的快照,包含了某一时刻所有进程和系统状态的信息。在视频中,教授分析了一个从感染了Crydex恶意软件的Windows XP机器上捕获的内存转储。内存转储对于理解系统在特定时间点的状态非常有用,尤其是在安全事件响应和恶意软件分析中。

💡Crydex恶意软件

Crydex是一种恶意软件,它通过感染计算机系统并执行恶意活动来危害用户。在视频中,教授分析了一个感染了Crydex的系统内存转储,目的是识别和理解这种恶意软件的行为。

💡进程列表(Process List)

进程列表显示了在操作系统中当前运行的所有进程。在视频中,教授使用挥发性框架的ps list插件来查看Windows XP机器在内存转储捕获时所有运行的进程。这有助于识别可能的恶意进程或异常行为。

💡注册表(Registry)

注册表是Windows操作系统中一个关键的数据库,用于存储系统设置和配置信息。在视频中,教授探讨了如何检查注册表以确定恶意软件如何设置自身在系统启动时自动运行。

💡恶意软件分析(Malware Analysis)

恶意软件分析是指对恶意软件的行为、特征和影响进行研究的过程。在视频中,教授通过分析内存转储来识别和理解Crydex恶意软件的行为,这是恶意软件分析的一个实际应用。

💡数字取证(Digital Forensics)

数字取证是使用科学的方法和技术来收集、分析电子数据以用于法律诉讼或其他调查目的的过程。在视频中,教授进行的内存分析是数字取证的一个组成部分,旨在从内存转储中提取有关安全事件的信息。

💡网络扫描(Netscan)

网络扫描是一种安全技术,用于评估网络的安全性,通过扫描网络中的设备和服务来发现潜在的安全漏洞。在视频中,教授尝试使用挥发性框架的netscan插件来分析内存转储中的网络连接,但由于配置文件不支持,未能成功执行。

💡字符串命令(Strings Command)

字符串命令是一种在二进制文件中提取可打印字符串的工具,常用于逆向工程和恶意软件分析。在视频中,教授使用strings命令来查看从内存转储中提取的可疑可执行文件的内容,以寻找可能的线索。

💡病毒总计(VirusTotal)

病毒总计是一个在线服务,允许用户上传文件以检测是否包含恶意软件。在视频中,教授使用病毒总计来确认从内存转储中提取的可执行文件是否为恶意软件。

💡启动项(Startup Entries)

启动项是指在操作系统启动时自动运行的程序或服务。在视频中,教授通过分析注册表中的启动项来确定Crydex恶意软件是如何在系统每次启动时重新加载的。

Highlights

使用易挥发性框架(Volatility Framework)进行内存分析

分析从感染了Crydex恶意软件的Windows XP机器上捕获的内存转储

使用CSI Lining或其他内存分析工具进行实验室演示

创建工作文件夹并下载恶意软件样本

使用Volatility框架提取内存转储文件

确定内存转储的配置文件,这里是Windows XP SP2

使用ps list插件查看运行中的进程列表

识别可疑进程,如reader_underscoresl.exe

使用ps tree插件进一步分析进程树

检查隐藏进程,但没有发现任何试图隐藏的进程

使用conscan、netscan和sockets插件检查运行中的套接字和开放的连接

发现使用PID 1484的两个连接和套接字

使用命令行插件查看CLI上运行的命令

揭示explorer.exe与reader_underscoresl.exe之间的关联

使用strings命令检查可疑可执行文件的内存内容

发现可疑可执行文件与特定IP地址的POST请求通信

通过VirusTotal确认reader_underscoresl.exe是恶意软件

探索注册表以确定恶意软件如何在启动时被加载

发现kb0020787.exe在启动时被加载,与PID 1640相关联

总结了如何使用Volatility Framework进行内存分析的步骤

Transcripts

00:00

greetings i'm professor k and in this

00:03

short video presentation

00:04

we'll be doing a memory analysis using

00:07

the

00:07

volatility framework and in this lab we

00:11

will use the volatility framework to

00:13

analyze a memory dump captured

00:15

from a windows xp machine infected with

00:17

malware known as crydex

00:19

for this lab demonstration i will be

00:21

using csi lining so cali linings could

00:24

also be used

00:25

the steps in the lab are the same

00:27

regardless

00:29

so the first thing we want to do is just

00:30

go ahead and make a folder that we can

00:32

work in

00:33

to do this i'm just going to right click

00:35

on my desktop here i'm going to select

00:36

create folder and i'm going to call this

00:39

memdump

00:40

just like that go ahead and create leave

00:43

that there

00:44

and let's go on up to our linings quick

00:46

launch

00:47

and from here we're going to launch our

00:49

web browser in the address bar

00:51

i'm going to input the address for the

00:54

open source location for different

00:56

memory samples go ahead and hit enter

01:00

now once you're on the site just scroll

01:02

on down until you come to

01:04

the option to download the malware

01:07

cridex

01:08

sample let's go ahead and double click

01:10

it

01:11

and it downloads very quickly the next

01:14

thing you want to do is just go on over

01:15

here to your preferences

01:16

open that up and from your preferences

01:19

select

01:20

to view your downloads and from your

01:23

downloads

01:24

you're going to see that you have

01:25

downloaded the memory dump

01:28

but we need to go ahead and keep it so

01:31

go ahead and select that option to keep

01:33

then it's going to ask you one more time

01:35

you're going to say keep anyway

01:37

and now you can show in folder now once

01:40

you have

01:41

the memory dump in the download folder

01:44

available to you just right click on it

01:46

and from the context menu you're going

01:48

to select the option to

01:50

extract to from here you're going to

01:52

select the location for your desktop

01:55

and then from there you're going to

01:56

select the location for that new

01:58

directory we've created

02:00

called memdump just go ahead and double

02:01

click that or open it up

02:04

and then scroll on down over here to the

02:06

bottom right and click on the button

02:07

that says extract

02:09

once you've done that you can close out

02:11

everything return to your desktop

02:13

now what you can do is right click on

02:16

that directory we created

02:17

earlier called memdumps just right click

02:20

on it and you're going to select open

02:22

terminal here let's go ahead and make

02:25

that full screen

02:26

to launch our volatility framework at

02:29

the prompt i'm just going to type in

02:31

the letters v o l

02:34

and then i'm going to hit my tab key one

02:36

time

02:37

and that's going to give me the options

02:40

that i can choose from

02:42

that are available to me to complete the

02:45

spelling of the tool that i need to

02:47

access

02:47

in this case is volatility so now i'm

02:50

just going to add an

02:50

a and now i'm going to press tab one

02:53

more time

02:54

and the command is completed once i have

02:58

the name for

02:58

volatility at the prompt i'm just going

03:01

to

03:02

finish off the command by pasting the

03:04

following

03:05

dash f which stands for use the

03:07

following file

03:08

and the file i want to use is critex.vm

03:13

and space image info so we want to get

03:16

as much information about this memory

03:18

dump that we're going to analyze as we

03:20

possibly can

03:22

in this case i want to establish where

03:24

the memory dump came from

03:25

and any other information i can have

03:28

that will help fill out

03:29

the profile i'm going to go ahead and

03:31

hit enter

03:33

and in just a moment it comes back with

03:35

the

03:36

determination of the profile from which

03:39

our memory dump came from now in this

03:42

case

03:42

we're looking at a windows xp machine

03:45

with service pack

03:46

2. so for most of the remainder of the

03:49

lab

03:50

i will be just bringing up the previous

03:53

command

03:54

with my up arrow and i will be putting

03:57

in another plug-in

03:58

image info for example is a plug-in that

04:01

is used with

04:03

the volatility framework and that's what

04:06

we're going to be replacing as we go

04:08

through this lab

04:08

is the plugin so i've got my command

04:12

all established here and i've typed in a

04:14

volatility

04:15

again dash f for use the following file

04:18

but i've also added the profile and so i

04:21

want the profile

04:23

that is going to be used against this

04:25

memory dump

04:26

so that it can find the information that

04:28

we're looking for

04:30

so i've typed in dash dash profile

04:32

equals

04:33

that's just the name of the profile that

04:36

volatility believes belongs to our

04:39

memory dump

04:40

give it a space and the first thing we

04:42

want to look at is the process list

04:44

so i've typed in ps list go ahead and

04:47

hit enter

04:49

and so you can see at the time that this

04:50

memory dump was captured

04:52

all the processes that were running on

04:54

this windows xp machine

04:56

and as you scroll through this list of

04:58

processes you have to be aware

05:00

of any that catch your attention some of

05:03

these are just going to be normal

05:05

processes that are going to run

05:07

and that's just the way windows

05:10

operating system

05:11

functions but when we see processes that

05:14

are running such as explorer

05:16

and an unknown processor called

05:19

readerunderscoresl.exe

05:21

these are the processes that you need to

05:25

give your attention to i've cleared my

05:28

screen

05:29

and another plug-in that we can use to

05:32

view the processes running on our

05:33

windows xp

05:34

machine is ps tree

05:38

go ahead and run that real quick now

05:41

you'll notice

05:41

there's something peculiar here and you

05:44

gotta take a look at it

05:45

is it's that this root process

05:48

right here for explorer has another

05:51

process

05:52

running just beneath it called the

05:54

reader underscore sl.exe

05:57

let's go ahead and clear our screen one

06:00

way we can determine if something may be

06:02

malicious on our computer when we're

06:04

doing this memory scan

06:06

is to see if there's any processes that

06:08

are

06:09

currently trying to hide so to do this

06:11

i've typed in

06:12

p s x view and this will show us any

06:16

processes

06:17

that are trying to hide and not be

06:19

discovered

06:21

now we have to look at the first two

06:23

columns the ps list

06:25

and the ps scan if any of those register

06:28

as false then that process is attempting

06:32

to hide

06:33

in our case we don't see anything that

06:36

tells us

06:37

that any process is currently trying to

06:39

hide from our view

06:41

i'm going to go ahead and clear my

06:42

screen now that we have identified our

06:44

running processes

06:46

we can next check for any running

06:47

sockets and open connections

06:50

to do this we will call upon three

06:52

different volatility plug-ins

06:54

conscan netscan and sockets now the

06:57

first plugin we're going to run

06:59

is the con scan go ahead and hit enter

07:01

with that

07:02

give it a moment and it comes up and it

07:05

tells us

07:05

that during this processing of capturing

07:08

this memory dump

07:10

there were two connections that were

07:12

currently running

07:13

using the pid of 1484.

07:16

we next want to look at any running

07:18

sockets that are currently available

07:20

during the capture of this memory dump

07:22

so i've just replaced the

07:24

plug-in con scan with the plug-in

07:27

sockets i'm going to go ahead and hit

07:29

enter

07:30

and it comes back and it shows us all of

07:33

the sockets that are currently running

07:35

and what process id is currently

07:38

involved

07:39

and so what draws our attention here to

07:41

the sockets is

07:42

the one that is using process id of 1484

07:47

running on port 1038 using tcp

07:51

we can attempt to run the netscan module

07:54

against this memory dump but the problem

07:57

we're going to run into

07:58

is that this profile is too new

08:02

and the memory dump is probably too old

08:04

and therefore it probably won't work

08:08

and it comes back that this command does

08:10

not support the profile

08:12

of a windows xp machine running service

08:14

pack 2.

08:16

let's go ahead and clear our screen and

08:19

now we're going to switch on over to

08:20

three other plug-ins

08:22

that we need to run across this memory

08:24

dump and the first one is going to be

08:26

command line we want to see what

08:28

commands were ran from the cli

08:30

on this particular memory dump so let's

08:33

take a look at that real quick

08:35

so far we know that the explorer.exe

08:38

with a process id of

08:40

1484 we see that right here in the

08:42

command line

08:44

is directly associated with the

08:47

process id 1640 which is running the

08:51

reader underscore sl.exe program

08:54

and we see that here so now that we have

08:58

identified a link between explorer.exe

09:01

and the readerunderscoresl.exe

09:04

and how they are associated with each

09:05

other and now that we have

09:08

the complete path for how these two

09:11

programs are

09:12

actually being brand we're starting to

09:15

look at this readerunderscoreasl.exe

09:17

with a little bit more scrutiny

09:20

so let's go ahead and clear our screen

09:22

using the following command i'm able to

09:25

dump out the memory area that runs this

09:28

executable

09:30

up inside of this memory dump and we can

09:32

take a closer look at

09:34

exactly what's going on behind this

09:37

process

09:38

of 1640 running the reader underscore

09:41

sl exe executable now what i'm telling

09:45

it here to do is to dump out that part

09:47

of the process

09:48

from the memory dump and put it into the

09:51

root directory that's what the period

09:53

does

09:54

and so this first command we created a

09:56

dump of the executable

09:59

called 1640 for lack of a better term

10:02

and we now have that up inside of our

10:04

root folder

10:06

we next need to look at the addressable

10:07

memory that was being utilized

10:10

by the executable so in this example

10:13

what we're doing is we're pulling out

10:15

all the available information we can

10:18

about the process id 1640 that is

10:21

running

10:22

and is associated with that executable

10:26

readerunderscoresl.exe

10:29

go ahead and hit enter and so now we're

10:32

hoping that we'll be able to look

10:34

closer at what was going on inside of

10:38

the

10:38

memory where this reader underscore

10:41

asl.exe

10:43

was running now to do this we're going

10:45

to use a strings command

10:47

that is pretty common inside of linings

10:51

so i've typed in the following command

10:53

strings

10:54

space the name of the file 1640.dmp

10:59

and that's the dump file that we just

11:00

created

11:02

whoops i gotta take out that dollar sign

11:04

let me use my up arrow

11:05

and let's get rid of that all right

11:08

let's get back up here to the front

11:10

and we're gonna hit enter we use the

11:13

correct command combined with the dash

11:16

capital c followed by the number to get

11:19

the previous and next lines

11:21

thus giving us more context for the

11:23

information that was found

11:25

here we can clearly see that the

11:27

executable readerunderscoresl.exe

11:30

is communicating towards the destination

11:32

ip address

11:34

of 41.168.5.140

11:38

using post request potentially

11:40

exfiltrating

11:42

information from the victim's computer

11:44

now this memory dump that we created for

11:46

process id 1640

11:48

has a lot of information going on inside

11:50

of it so

11:51

we're going to have to go through it one

11:53

page at a time

11:54

now to do this we can also use the

11:57

strings command

11:58

and we're going to tell it what dump or

12:00

what file we want to look at and we're

12:02

going to give it a space a pipe

12:04

and then we're going to use the less

12:05

command when we use the less command

12:07

we're saying

12:08

show me the information one page at a

12:11

time

12:12

so we're going to go ahead and hit enter

12:14

and we can scroll through this

12:15

information one page at a time just by

12:17

using our space bar

12:19

on our keyboard so there's another page

12:21

there's another page

12:22

and we come down to this long list of

12:24

banking urls

12:26

so we've got a lot of suspicions going

12:28

on here about this reader underscore

12:30

asl.exe

12:31

but we need to confirm our suspicions by

12:34

seeing if this is actually a piece of

12:36

malware

12:37

now to do this we could either reverse

12:39

engineer

12:40

the executable which none of us have the

12:43

expertise to do

12:44

or we can just use an online website

12:47

such as virustotal

12:48

to examine it for us and give us back

12:50

the information we're

12:52

seeking so let's just go ahead and

12:54

minimize our terminal

12:55

and now we're going to go over here to

12:57

our lining quick launch and we're going

12:59

to launch a web browser

13:01

in the address bar of our browser we're

13:03

just going to tell it to go to

13:04

virustotal.com

13:06

and we're going to hit enter and once

13:08

we're out here at the virustotal.com

13:10

site we're just going to make sure that

13:11

we've got files selected

13:13

and then we're going to use the upload

13:15

option so go ahead and

13:16

click on the upload option click on your

13:19

desktop

13:21

make sure you go into your working

13:23

folder which is memdumps

13:25

and find that executable that we created

13:28

from our memory dump and that was

13:31

executable.1640.exe

13:33

just go ahead and double click it and in

13:35

just a moment it comes back and it tells

13:37

you

13:38

that 32 out of 72 virus scanners

13:42

found this to be malicious so we have

13:44

determined that the executable

13:46

reader underscore sl.exe is a piece of

13:49

malware

13:50

but what's launching it that's the trick

13:53

so now we're going to delve into the

13:55

registry and see if we can find out

13:57

how this is being launched at startup

14:00

let's go ahead and close out our browser

14:02

let's stream back up our terminal now to

14:05

get out of here all i have to do is just

14:08

press q for quit and i'm back to my

14:10

prompt

14:12

so most malware will look to see if the

14:14

infected files are still present

14:16

at every system startup sophisticated

14:19

malware will also communicate

14:21

with the executable every few minutes to

14:23

ensure that it is still present

14:24

and it has not been removed if it has

14:27

been removed they will

14:28

rebuild the executable but this time

14:31

often they'll use a different name

14:33

if you remove the executable without