Memory Forensics and Analysis of Networked Hosts
Huazhong University of Science and Technology (HUST), Li Weiming

1. Introduction to memory forensics
• Once a networked host has been compromised, malicious code and backdoor programs are routinely planted on it.
• How do we find that malicious code and those backdoors?
• How do we check for system state that has been tampered with?

1. Introduction to memory forensics
• Memory acquisition and analysis is a very powerful means of doing both.
• Memory forensics has two main steps: 1) acquire a memory image; 2) analyse it.

1. Introduction to memory forensics
Advantages of memory forensics and analysis:
• Compared with the disk, the volume of data is small, usually under 4 GB.
• Malicious code that has run necessarily leaves traces in memory.
• In memory, malicious code is frequently already unpacked.
• Both the kernel and the user address spaces are preserved, so the same image can be analysed from several angles.
• The image can be subjected to arbitrarily complex analysis after the fact.

1. Introduction to memory forensics
Example: the Windows process structure (figure).

1. Introduction to memory forensics
How a process list is normally obtained:
1. (Kernel mode only) Call PsGetCurrentProcess to get an _EPROCESS pointer for the current process, then walk its ActiveProcessLinks LIST_ENTRY to reach every running process.
2. In user mode, call the native API, for example NtQuerySystemInformation with the SystemProcessInformation class.
3. Use the Win32 API directly, for example CreateToolhelp32Snapshot or EnumProcesses, to get the process list.
These are only the most basic methods. If an _EPROCESS is unlinked from the LIST_ENTRY chain (direct kernel object manipulation, DKOM), all of them fail, because the user-mode APIs are ultimately answered from that same kernel list.

1. Introduction to memory forensics
Volatility's pslist uses exactly this doubly-linked-list walk, so its detection strength is limited. Volatility also provides psxview, which compares several independent views of the process set:
1. Walk the _EPROCESS LIST_ENTRY chain (the pslist column).
2. Walk the process list kept by the CSRSS process (csrss).
3. Enumerate the handles in PspCidTable, the table that holds pointers to every process and thread object (pspcid).
4. Brute-force scan memory for _EPROCESS objects, i.e. search for memory regions whose contents match the signature of an _EPROCESS (psscan).
The output in section 5 adds three more views: a scan for threads (thrdproc), the session process list (session) and the desktop thread list (deskthrd). A process that the scanner sees but the list walk does not is either hidden or has simply terminated, so the columns have to be read together.

2. Acquiring a memory image
• Linux
  – The dd command. On older Linux systems, the program dd can be used to read the contents of physical memory from the device file /dev/mem. (Modern kernels built with STRICT_DEVMEM restrict /dev/mem to the first megabyte and non-RAM ranges, so this rarely works today.)
  – LiME (formerly DMD) is a Loadable Kernel Module (LKM), which allows the acquisition of volatile memory from Linux and Linux-based devices, such as those powered by Android.

2. Acquiring a memory image
• Linux, LiME:
  – $ tar -xvzf lime-forensics-1.1-r14.tar.gz
  – $ cd lime-forensics-1.1-r14/src
  – $ make
  – ....
  –   CC [M] /home/mhl/Downloads/src/tcp.o
  –   CC [M] /home/mhl/Downloads/src/disk.o
  – ....
  – $ sudo insmod lime-3.2.0-23-generic.ko "path=/home/mhl/ubuntu.lime format=lime"
  – $ ls -alh /home/mhl/ubuntu.lime
  – -r--r--r-- 1 root root 2.0G Aug 17 19:37 /home/mhl/ubuntu.lime
The module is tied to the exact kernel build of the target (here 3.2.0-23-generic, as the .ko name shows), so it must be compiled against that kernel's headers. LiME also works on Android systems and is preferable to the pmem acquisition tools.

2. Acquiring a memory image
• Windows
  – Windows' built-in crash dump mechanism;
  – The Sysinternals tool LiveKd can be used to create an image of physical memory on a live machine in crash dump format.
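The following Python model is an added example, not code from the slides or from Volatility, of the point made in section 1 and visible in section 5's psxview output: a list walk (what pslist does) and a memory scan (what psscan does) answer different questions, and it is their disagreement that carries information. A 32-byte record with a b"Proc" tag stands in for _EPROCESS and its pool tag, a dict stands in for PspCidTable, and the process names and the stale "exited" record are constructed; all of these are simplifications of the real structures.

```python
"""
Added example (not Volatility code, not the real _EPROCESS layout): why psxview
cross-checks several views. A 32-byte record stands in for _EPROCESS; the "list walk"
is what pslist does, the "tag scan" is what psscan does, and a dict stands in for the
PspCidTable handle table.
"""
import struct

TAG = b"Proc"                      # stand-in for the pool tag that precedes a process object
REC = struct.Struct("<4sI16sII")   # tag, pid, ImageFileName, Flink, Blink (a LIST_ENTRY)
LINK_OFF = 4 + 4 + 16              # offset of the LIST_ENTRY inside the record
LIST_HEAD = 0x100                  # a bare LIST_ENTRY, like PsActiveProcessHead
IMAGE_SIZE = 0x8000                # size of the constructed "physical memory"


def _u32(mem, off):
    return struct.unpack_from("<I", mem, off)[0]


def _set_u32(mem, off, val):
    struct.pack_into("<I", mem, off, val)


def build_image(procs):
    """Lay the records out in a blank image and thread them on a circular doubly linked list."""
    mem = bytearray(IMAGE_SIZE)
    offsets = [0x1000 + i * 0x200 for i in range(len(procs))]
    links = [LIST_HEAD] + [o + LINK_OFF for o in offsets] + [LIST_HEAD]
    _set_u32(mem, LIST_HEAD, links[1])       # head.Flink -> first record's LIST_ENTRY
    _set_u32(mem, LIST_HEAD + 4, links[-2])  # head.Blink -> last record's LIST_ENTRY
    for i, (off, (pid, name)) in enumerate(zip(offsets, procs)):
        REC.pack_into(mem, off, TAG, pid, name.encode().ljust(16, b"\0"), links[i + 2], links[i])
    return mem, {pid: off for (pid, _), off in zip(procs, offsets)}


def _record(mem, off):
    tag, pid, name, flink, blink = REC.unpack_from(mem, off)
    return pid, name.rstrip(b"\0").decode(), flink, blink


def pslist(mem):
    """Walk ActiveProcessLinks from the head; CONTAINING_RECORD is the subtraction of LINK_OFF."""
    found, cur, seen = {}, _u32(mem, LIST_HEAD), set()
    while cur != LIST_HEAD and cur not in seen:   # 'seen' guards against a corrupted cycle
        seen.add(cur)
        pid, name, flink, _ = _record(mem, cur - LINK_OFF)
        found[pid] = name
        cur = flink
    return found


def psscan(mem):
    """Ignore the list entirely: find every chunk of memory that looks like a process object."""
    found, pos = {}, mem.find(TAG)
    while pos != -1 and pos + REC.size <= len(mem):
        pid, name, _, _ = _record(mem, pos)
        if pid and name:                    # cheap sanity constraints, as a real scanner applies
            found[pid] = name
        pos = mem.find(TAG, pos + 1)
    return found


def dkom_hide(mem, off):
    """Unlink one record the way a DKOM rootkit does; the object itself stays intact."""
    me = off + LINK_OFF
    flink, blink = _u32(mem, me), _u32(mem, me + 4)
    _set_u32(mem, blink, flink)        # prev.Flink = next
    _set_u32(mem, flink + 4, blink)    # next.Blink = prev
    _set_u32(mem, me, me)              # point the orphaned entry at itself so that
    _set_u32(mem, me + 4, me)          # unlinking it again on process exit does not fault


def psxview(mem, cid_table):
    """One row per PID, one boolean per view, like the psxview columns."""
    views = {"pslist": pslist(mem), "psscan": psscan(mem), "pspcid": cid_table}
    pids = set().union(*(v.keys() for v in views.values()))
    return {pid: {name: pid in view for name, view in views.items()} for pid in sorted(pids)}


def classify(row):
    if all(row.values()):
        return "normal"
    if row["psscan"] and not row["pslist"] and row["pspcid"]:
        return "hidden (unlinked from the list, still in the handle table)"
    if row["psscan"] and not row["pslist"] and not row["pspcid"]:
        return "terminated (object not yet overwritten)"
    return "inconsistent"


def demo():
    """Constructed scenario: one process hidden by DKOM, one that exited but whose bytes linger."""
    mem, offs = build_image([(4, "System"), (588, "csrss.exe"), (1928, "explorer.exe"), (1040, "ud32.exe")])
    cid_table = dict(offs)                 # every live process has a CID table entry
    dkom_hide(mem, offs[1040])             # the rootkit hides ud32.exe
    # An exited process: gone from the list and the CID table, but its bytes still sit in the pool.
    REC.pack_into(mem, 0x6000, TAG, 3000, b"old.exe".ljust(16, b"\0"), 0, 0)
    return psxview(mem, cid_table)


if __name__ == "__main__":
    for pid, row in demo().items():
        print(pid, row, classify(row))
```

demo() yields one row per PID: the unlinked ud32.exe shows pslist False with psscan and pspcid True (hidden), while the exited process shows psscan True with everything else False, the same shape a terminated process has in real psxview output. The same list-versus-scan distinction is why connscan in section 5 recovers a connection that the connections plugin does not.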
2. Acquiring a memory image
• Windows' built-in crash dump mechanism:
  – When Windows crashes it can produce three kinds of dump file:
  – a complete memory dump;
  – a kernel memory dump (windows\memory.dmp);
  – a small (mini) memory dump of 64-256 KB (the default, written to windows\minidump\).
  Only a complete memory dump contains user-mode process memory; a kernel dump is enough for kernel rootkit analysis but not for the user-mode work in sections 5 and 6. The dump type is configured under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\CrashControl.
• Forcing a crash dump from the keyboard: hold the right Ctrl key and press Scroll Lock twice.
  – Start the Registry Editor and locate the following subkey:
  – HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\i8042prt\Parameters
  – On the Edit menu, click Add Value and add the following entry:
  – Name: CrashOnCtrlScroll
  – Data type: REG_DWORD, Value: 1
  – Exit the Registry Editor and restart the computer.
  i8042prt is the PS/2 keyboard driver; for a USB keyboard the same value goes under Services\kbdhid\Parameters. This deliberately bluescreens the host, so it is an acquisition method for a machine you can afford to take down, not a live-response tool.

3. Analysing a memory image
Linux memory analysis tools:
• Volatility Framework is a collection of tools, implemented in Python;
• The Red Hat Crash Utility is an extensible Linux kernel core dump analysis program;
• Rekall Framework.

3. Analysing a memory image
Windows memory analysis tools:
• Volatility Framework;
• WinDbg, Microsoft's debugger;
• Rekall Framework.

5. Example: analysing a backdoor program with Volatility
VirusTotal detection results for the backdoor program (figure).

5. Example: analysing a backdoor program with Volatility
Detection results from the 文件B超 file scanner (figure).

5. Example: analysing a backdoor program with Volatility
C:\Python27\Scripts>python vol.py -f e:\exemplar13.vmem --profile WinXPSP3x86 psxview
Volatility Foundation Volatility Framework 2.3.1
Offset(P)  Name                    PID pslist psscan thrdproc pspcid csrss session deskthrd
---------- -------------------- ------ ------ ------ -------- ------ ----- ------- --------
0x016ee9a0 lsass.exe               668 True   True   True     True   True  True    True
0x016aa3c0 svchost.exe            1232 True   True   True     True   True  True    True
0x018bc988 wscntfy.exe            1048 True   True   True     True   True  True    True
0x01b0cd50 svchost.exe            1304 True   True   True     True   True  True    True
0x019db628 svchost.exe            1020 True   True   True     True   True  True    True
0x0183c388 svchost.exe             888 True   True   True     True   True  True    True
0x01a41860 wmiprvse.exe            224 True   True   True     True   True  True    True
0x016e3020 spoolsv.exe            1516 True   True   True     True   True  True    True
0x01690920 explorer.exe           1928 True   True   True     True   True  True    True
0x018068b0 svchost.exe             984 True   True   True     True   True  True    True
0x01859b38 services.exe            656 True   True   True     True   True  True    True
0x017df020 msiexec.exe             412 True   True   True     True   True  True    True
0x01b2d2d8 winlogon.exe            612 True   True   True     True   True  True    True
0x01a3d020 alg.exe                 408 True   True   True     True   True  True    True
0x016d38c8 ud32.exe                464 True   True   True     True   True  True    True
0x016fa390 ud32.exe               1040 True   True   False    True   False False   False
0x01b12170 csrss.exe               588 True   True   True     True   False True    True
0x0180f600 smss.exe                516 True   True   True     True   False False   False
0x01bcc7f8 System                    4 True   True   True     True   False False   False
Reading the table: the False entries for System, smss.exe and csrss.exe are expected (they start before CSRSS and own no session or desktop, and CSRSS does not list itself). ud32.exe PID 1040 is still on the active list, in the scanner's results and in the CID table, but has no threads and is unknown to CSRSS: the pstree output below shows 0 threads and no handle table, so this is a process whose threads have all exited while its object is still referenced (a zombie), not a hidden one. Nothing in this image is hidden; what stands out is that explorer.exe (1928) spawned ud32.exe twice.

5. Example: analysing a backdoor program with Volatility
C:\Python27\Scripts>python vol.py -f e:\exemplar13.vmem --profile WinXPSP3x86 pstree
Volatility Foundation Volatility Framework 2.3.1
Name                                      Pid   PPid   Thds   Hnds Time
---------------------------------------- ------ ------ ------ ------ ----
 0x817cc7f8:System                           4      0     53    251 1970-01-01 00:00:00 UTC+0000
. 0x8140f600:smss.exe                      516      4      3     21 2009-01-08 01:46:50 UTC+0000
.. 0x81712170:csrss.exe                    588    516      9    338 2009-01-08 01:46:56 UTC+0000
.. 0x8172d2d8:winlogon.exe                 612    516     22    604 2009-01-08 01:46:56 UTC+0000
... 0x81459b38:services.exe                656    612     16    256 2009-01-08 01:46:59 UTC+0000
.... 0x812aa3c0:svchost.exe               1232    656      6     83 2009-01-08 01:47:55 UTC+0000
.... 0x8163d020:alg.exe                    408    656      5     98 2009-01-08 01:48:23 UTC+0000
.... 0x815db628:svchost.exe               1020    656     18    197 2009-01-08 01:47:02 UTC+0000
..... 0x81641860:wmiprvse.exe              224   1020      4    141 2009-01-08 01:48:17 UTC+0000
.... 0x814068b0:svchost.exe                984    656     84   1544 2009-01-08 01:47:02 UTC+0000
..... 0x814bc988:wscntfy.exe              1048    984      1     27 2009-01-08 01:49:13 UTC+0000
.... 0x8143c388:svchost.exe                888    656      9    233 2009-01-08 01:47:02 UTC+0000
.... 0x813df020:msiexec.exe                412    656      5    104 2009-01-08 01:49:22 UTC+0000
.... 0x812e3020:spoolsv.exe               1516    656     14    115 2009-01-08 01:47:56 UTC+0000
.... 0x8170cd50:svchost.exe               1304    656     13    202 2009-01-08 01:47:56 UTC+0000
... 0x812ee9a0:lsass.exe                   668    612     19    326 2009-01-08 01:46:59 UTC+0000
 0x81290920:explorer.exe                  1928   2000     15    377 2009-01-08 01:49:12 UTC+0000
. 0x812d38c8:ud32.exe                      464   1928      5     66 2009-01-08 01:53:09 UTC+0000
. 0x812fa390:ud32.exe                     1040   1928      0 ------ 2009-01-08 01:53:09 UTC+0000
explorer.exe's parent (PID 2000) no longer exists, which is normal for the shell. Both ud32.exe instances were started by explorer.exe in the same second; PID 1040 has 0 threads and no handle table, i.e. it has already exited.

5. Example: analysing a backdoor program with Volatility
C:\Python27\Scripts>python vol.py -f e:\exemplar13.vmem --profile WinXPSP3x86 connscan
Volatility Foundation Volatility Framework 2.3.1
Offset(P)  Local Address             Remote Address            Pid
---------- ------------------------- ------------------------- ---
0x017fc4c0 192.168.30.128:1050       72.10.166.195:80          1928
0x017fc8e0 192.168.30.128:1049       72.10.166.195:80          1928
0x017fcd00 192.168.30.128:1039       204.160.105.126:80        1404
0x01889390 192.168.30.128:1048       67.215.11.138:7000        1928

C:\Python27\Scripts>python vol.py -f e:\exemplar13.vmem --profile WinXPSP3x86 connections
Volatility Foundation Volatility Framework 2.3.1
Offset(V)  Local Address             Remote Address            Pid
---------- ------------------------- ------------------------- ---
0x813fc8e0 192.168.30.128:1049       72.10.166.195:80          1928
0x813fc4c0 192.168.30.128:1050       72.10.166.195:80          1928
0x81489390 192.168.30.128:1048       67.215.11.138:7000        1928
connections walks the TCP driver's list of active connections; connscan scans physical memory for connection objects and therefore also recovers closed ones, here the connection owned by PID 1404, a process that no longer appears in the process list. The shell process explorer.exe holding three outbound connections, one of them to TCP port 7000 on an external host, is the behaviour to explain.

5. Example: analysing a backdoor program with Volatility
A string search across all memory regions turns up a sensitive string: "http://zonetech.info/skpz.exe"
C:\Python27\Scripts>python vol.py -f e:\exemplar13.vmem --profile WinXPSP3x86 -p 1928 vaddump --dump-dir e:\temp
Volatility Foundation Volatility Framework 2.3.1
Pid        Process              Start      End        Result
---------- -------------------- ---------- ---------- ------
1928       explorer.exe         0x01a50000 0x01a52fff e:\temp\explorer.exe.1690920.0x01a50000-0x01a52fff.dmp
1928       explorer.exe         0x019e0000 0x019e0fff e:\temp\explorer.exe.1690920.0x019e0000-0x019e0fff.dmp
1928       explorer.exe         0x01970000 0x01970fff e:\temp\explorer.exe.1690920.0x01970000-0x01970fff.dmp
1928       explorer.exe         0x01900000 0x01900fff e:\temp\explorer.exe.1690920.0x01900000-0x01900fff.dmp
............ (many more)

5. Example: analysing a backdoor program with Volatility
C:\Python27\Scripts>python vol.py -f e:\exemplar13.vmem --profile WinXPSP3x86 handles -p 1928 -t File
Volatility Foundation Volatility Framework 2.3.1
Offset(V)     Pid     Handle     Access Type             Details
---------- ------ ---------- ---------- ---------------- -------
0x81705028   1928        0xc   0x100020 File             \Device\HarddiskVolume1\Documents and Settings\foo
0x812768f0   1928      0x330   0x120116 File             \Device\Tcp
0x815c01c0   1928      0x338   0x100020 File             \Device\HarddiskVolume1\WINDOWS\WinSxS\x86_Microsoft.Windows.CommonControls_6595b64144ccf1df_6.0.2600.2180_x-ww_a84f1ff9
0x81276858   1928      0x340   0x1200a0 File             \Device\Ip
0x814b4500   1928      0x34c   0x1200a0 File             \Device\Tcp
0x81279df0   1928      0x350   0x100001 File             \Device\HarddiskVolume1\Documents and Settings\foo\Start Menu
0x813de228   1928      0x354   0x100001 File             \Device\HarddiskVolume1\Documents and Settings\All Users\Start Menu
0x812767c0   1928      0x36c   0x100003 File             \Device\Ip
0x81276728   1928      0x370   0x1200a0 File             \Device\Ip
0x814b2dc0   1928      0x39c   0x100001 File             \Device\HarddiskVolume1\Documents and Settings\foo\NetHood
0x814b1cd0   1928      0x3a4   0x100020 File             \Device\HarddiskVolume1\WINDOWS\WinSxS\x86_Microsoft.Windows.CommonControls_6595b64144ccf1df_6.0.2600.2180_x-ww_a84f1ff9
0x813ff750   1928      0x3b0   0x120089 File             \Device\HarddiskVolume1\RECYCLER\S-1-5-21-1482476501-1644491937-682003330-1013\sys32.exe
The last entry is the one to act on: explorer.exe holds an open handle to an executable dropped under RECYCLER in a per-user SID directory, a classic hiding place, alongside the \Device\Tcp and \Device\Ip handles that back the connections above. That path is the next artefact to collect from disk (or from the file cache with the dumpfiles plugin).

6. Example: Stuxnet's footprint in memory
Stuxnet is the malware that attacked Iran's nuclear facilities and is the textbook example of an APT attack.

6. Example: analysing the Stuxnet image with Volatility
• pstree shows an anomaly: several lsass.exe processes where there should be exactly one. Analysing the PPIDs, the real lsass.exe must be a child of winlogon.exe, so the other two are fakes.

6. Example: analysing the Stuxnet image with Volatility
• threads lists each process's threads: PID 680 has 19, PID 868 has 2, PID 1928 has 4.
• vol.py -f e:\stuxnet.vmem --profile WinXPSP3x86 threads -p 1928 --output-file e:\1928.txt
  The threads of 680 have BasePriority 0x9; the threads of 868 have BasePriority 0x8; the threads of 1928 have BasePriority 0x8.
• Windows gives every thread a scheduling priority from 0 to 31, and system service threads run somewhat higher, so this is another clue to which lsass.exe is real. On its own it is a weak signal; it is the agreement with the parent-process and DLL evidence that makes it convincing.

6. Example: analysing the Stuxnet image with Volatility
• vol.py -f e:\stuxnet.vmem --profile WinXPSP3x86 dlllist -p 680,868,1928 --output-file e:\dll.txt
• Comparing each process's DLLs, 868 and 1928 lack several authentication-related DLLs that the real one has loaded:
  0x71cf0000 0x4c000 0x2 C:\WINDOWS\system32\kerberos.dll
  0x77a80000 0x95000 0x9 C:\WINDOWS\system32\CRYPT32.dll
  0x743e0000 0x2f000 0x1 C:\WINDOWS\system32\ipsecsvc.dll
  0x776c0000 0x12000 0x1 C:\WINDOWS\system32\AUTHZ.dll
  0x75d90000 0xd0000 0x1 C:\WINDOWS\system32\oakley.DLL
• Yet all three processes were started from "C:\WINDOWS\system32\lsass.exe", so how did two of them become malicious?

6. Example: analysing the Stuxnet image with Volatility
• malfind
• vol.py -f e:\stuxnet.vmem --profile WinXPSP3x86 malfind -D e:\out
• "No non-Microsoft DLLs show up in the loaded-module lists for Services.exe, Lsass.exe or Explorer.exe, so they are probably hosting injected executable code. [....] Sure enough, the legitimate Lsass has no executable data regions."
• A non-Microsoft DLL inside the system processes Services.exe, Lsass.exe or explorer.exe would itself be abnormal; none shows here, and a legitimate Lsass.exe has no executable data regions, so executable regions that malfind reports in the fakes are injected code.
• The suspected malware regions are written to the e:\out directory.

6. Example: analysing the Stuxnet image with Volatility
Name         Pid  Start      End        Tag  Hits Protect
lsass.exe     868 0x00080000 0x000F9FFF Vad     0 6 (MM_EXECUTE_READWRITE)
Dumped to: out/lsass.exe.1e498c8.00080000-000f9fff.dmp
0x00080000  4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00   MZ..............
0x00080010  b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00   ........@.......
0x00080020  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
0x00080030  00 00 00 00 00 00 00 00 00 00 00 00 08 01 00 00   ................
0x00080040  0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68   ........!..L.!Th
0x00080050  69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f   is program canno
0x00080060  74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20   t be run in DOS 
0x00080070  6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00   mode....$.......
lsass.exe    1928 0x00080000 0x000F9FFF Vad     0 6 (MM_EXECUTE_READWRITE)
Dumped to: out/lsass.exe.1e47c00.00080000-000f9fff.dmp
0x00080000  4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00   MZ..............
0x00080010  b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00   ........@.......
0x00080020  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
0x00080030  00 00 00 00 00 00 00 00 00 00 00 00 08 01 00 00   ................
0x00080040  0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68   ........!..L.!Th
0x00080050  69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f   is program canno
0x00080060  74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20   t be run in DOS 
0x00080070  6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00   mode....$.......
The executable, writable region in both fake processes begins with the MZ header of a PE file (offset 0x3c holds e_lfanew = 0x108, where the PE header follows), so a complete executable image was written into the process: injected code. The region sits at the same address with the same size in both fakes.

6. Example: analysing the Stuxnet image with Volatility
Analysing the same region with the vadinfo plugin shows no line of the form
FileObject @823df198, Name: \WINDOWS\system32\ntdll.dll
which means the region was not loaded from a file with LoadLibrary; it was injected.
vol.py -f e:\stuxnet.vmem --profile WinXPSP3x86 vadinfo -p 868 --output-file=vadinfo.txt
VAD node @ 0x822e7e70 Start 0x00080000 End 0x000f9fff Tag Vad
Flags: Protection: 6
Protection: PAGE_EXECUTE_READWRITE
ControlArea @81de9890 Segment e2b7dbf0
Dereference list: Flink 00000000, Blink 00000000
NumberOfSectionReferences:          0 NumberOfPfnReferences:           0
NumberOfMappedViews:                1 NumberOfUserReferences:          1
WaitingForDeletion Event: 00000000
Control Flags: Commit: 1, HadUserReference: 1
First prototype PTE: e2b7dc30 Last contiguous PTE: e2b7dff8
Flags2: Inherit: 1
The node has a ControlArea but no FileObject, which is consistent with a pagefile-backed section mapped into the process rather than with memory from VirtualAlloc or with an image mapped from disk.

6. Example: analysing the Stuxnet image with Volatility
vol.py -f e:\stuxnet.vmem --profile WinXPSP3x86 ldrmodules
• Lists every module loaded in a process, the exe as well as DLLs, and uses the three lists in the PEB (InLoadOrderModuleList, InInitializationOrderModuleList, InMemoryOrderModuleList) to decide whether a DLL is hidden.
Pid  Process   Base       InLoad InInit InMem MappedPath
1928 lsass.exe 0x00080000 False  False  False
1928 lsass.exe 0x7c900000 True   True   True  \WINDOWS\system32\ntdll.dll
1928 lsass.exe 0x773d0000 True   True   True  \WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.5512_x-ww_35d4ce83\comctl32.dll
1928 lsass.exe 0x77f60000 True   True   True  \WINDOWS\system32\shlwapi.dll
1928 lsass.exe 0x771b0000 True   True   True  \WINDOWS\system32\wininet.dll
1928 lsass.exe 0x77a80000 True   True   True  \WINDOWS\system32\crypt32.dll
1928 lsass.exe 0x77fe0000 True   True   True  \WINDOWS\system32\secur32.dll
1928 lsass.exe 0x77c00000 True   True   True  \WINDOWS\system32\version.dll
1928 lsass.exe 0x01000000 True   False  True
1928 lsass.exe 0x5b860000 True   True   True  \WINDOWS\system32\netapi32.dll
1928 lsass.exe 0x77e70000 True   True   True  \WINDOWS\system32\rpcrt4.dll
1928 lsass.exe 0x71ab0000 True   True   True  \WINDOWS\system32\ws2_32.dll
1928 lsass.exe 0x71ad0000 True   True   True  \WINDOWS\system32\wsock32.dll
1928 lsass.exe 0x774e0000 True   True   True  \WINDOWS\system32\ole32.dll
1928 lsass.exe 0x7e410000 True   True   True  \WINDOWS\system32\user32.dll
1928 lsass.exe 0x77f10000 True   True   True  \WINDOWS\system32\gdi32.dll
1928 lsass.exe 0x77120000 True   True   True  \WINDOWS\system32\oleaut32.dll
1928 lsass.exe 0x76d60000 True   True   True  \WINDOWS\system32\iphlpapi.dll
1928 lsass.exe 0x769c0000 True   True   True  \WINDOWS\system32\userenv.dll
1928 lsass.exe 0x7c800000 True   True   True  \WINDOWS\system32\kernel32.dll
1928 lsass.exe 0x76bf0000 True   True   True  \WINDOWS\system32\psapi.dll
1928 lsass.exe 0x77c10000 True   True   True  \WINDOWS\system32\msvcrt.dll
1928 lsass.exe 0x77dd0000 True   True   True  \WINDOWS\system32\advapi32.dll
1928 lsass.exe 0x7c9c0000 True   True   True  \WINDOWS\system32\shell32.dll
1928 lsass.exe 0x00870000 True   True   True
1928 lsass.exe 0x76f20000 True   True   True  \WINDOWS\system32\dnsapi.dll
1928 lsass.exe 0x5d090000 True   True   True  \WINDOWS\system32\comctl32.dll
1928 lsass.exe 0x71aa0000 True   True   True  \WINDOWS\system32\ws2help.dll
1928 lsass.exe 0x77b20000 True   True   True  \WINDOWS\system32\msasn1.dll
Two rows deserve attention: 0x00080000 is in none of the three PEB lists (the injected region), and 0x00870000 is in all three lists yet has no mapped file behind it. The main executable at 0x01000000 being absent from InInit is normal.

6. Example: analysing the Stuxnet image with Volatility
With the -v option the plugin also prints the path each PEB list records for a module, which exposes the hidden image. Exporting lsass.exe with procexedump or procmemdump and comparing it with a known-good copy shows that the two do not match.
ldrmodules -p 1928 -v
Volatile Systems Volatility Framework 2.0
Pid  Process   Base       InLoad InInit InMem Path
1928 lsass.exe 0x00080000 0      0      0
1928 lsass.exe 0x01000000 1      0      1
  Load Path: C:\WINDOWS\system32\lsass.exe : lsass.exe
  Mem Path:  C:\WINDOWS\system32\lsass.exe : lsass.exe
1928 lsass.exe 0x00870000 1      1      1
  Load Path: C:\WINDOWS\system32\KERNEL32.DLL.ASLR.0360b7ab : KERNEL32.DLL.ASLR.0360b7ab
  Init Path: C:\WINDOWS\system32\KERNEL32.DLL.ASLR.0360b7ab : KERNEL32.DLL.ASLR.0360b7ab
  Mem Path:  C:\WINDOWS\system32\KERNEL32.DLL.ASLR.0360b7ab : KERNEL32.DLL.ASLR.0360b7ab
The module at 0x00870000 is registered in every PEB list under a name chosen to look like a system DLL, but no file of that name is mapped: it was loaded from memory, not from disk.

7. Research directions
1. Each memory image is a snapshot of memory; a sequence of snapshots forms a "movie" of a networked host's memory activity.
2. Extracting the key data structures from memory and applying big-data analysis techniques allows fine-grained observation of the behaviour of malicious code and backdoor programs.
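As an added example (not the slides' own code and not Volatility source), the two heuristics the Stuxnet walk-through in section 6 leans on, malfind and ldrmodules, written out over a constructed model of PID 1928. The VAD entries, PEB lists, region contents and protection values below are made up to mirror the malfind, vadinfo and ldrmodules output above; the protection-index table is the one vadinfo prints ("Protection: 6" is PAGE_EXECUTE_READWRITE), and the "Vad"/"VadS" tag distinction stands in for whether the node has a ControlArea.

```python
"""
Added example (not Volatility code): malfind- and ldrmodules-style heuristics over a
constructed model of the page's PID 1928. Data below is invented to mirror the slides.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional

# Windows VAD protection index as vadinfo prints it ("Protection: 6" -> PAGE_EXECUTE_READWRITE)
VAD_PROTECTION = {
    0: "PAGE_NOACCESS", 1: "PAGE_READONLY", 2: "PAGE_EXECUTE", 3: "PAGE_EXECUTE_READ",
    4: "PAGE_READWRITE", 5: "PAGE_WRITECOPY", 6: "PAGE_EXECUTE_READWRITE", 7: "PAGE_EXECUTE_WRITECOPY",
}


@dataclass
class Vad:
    start: int
    end: int
    protection: int             # index into VAD_PROTECTION
    tag: str                    # "Vad" = section-backed (has a ControlArea), "VadS" = private memory
    file_object: Optional[str]  # name of the mapped file, None when the node has no FileObject
    head: bytes                 # first bytes of the region, as malfind would hexdump them


@dataclass
class Process:
    pid: int
    name: str
    vads: List[Vad]
    in_load: List[int]   # PEB->Ldr->InLoadOrderModuleList, as image base addresses
    in_init: List[int]   # InInitializationOrderModuleList
    in_mem: List[int]    # InMemoryOrderModuleList


def malfind(proc: Process) -> List[dict]:
    """Flag regions that are executable AND writable AND not mapped from a file."""
    hits = []
    for v in proc.vads:
        prot = VAD_PROTECTION[v.protection]
        if "EXECUTE" in prot and "WRITE" in prot and v.file_object is None:
            hits.append({"start": v.start, "end": v.end, "protect": prot,
                         # an MZ header in memory that no file backs means a PE was written there
                         "pe_header": v.head.startswith(b"MZ")})
    return hits


def ldrmodules(proc: Process) -> List[dict]:
    """One row per module known to any PEB list or mapped as a section in the VAD tree."""
    bases = set(proc.in_load) | set(proc.in_init) | set(proc.in_mem)
    bases |= {v.start for v in proc.vads if v.tag == "Vad"}
    by_start = {v.start: v for v in proc.vads}
    rows = []
    for base in sorted(bases):
        vad = by_start.get(base)
        rows.append({"base": base,
                     "InLoad": base in proc.in_load,
                     "InInit": base in proc.in_init,
                     "InMem": base in proc.in_mem,
                     "mapped_path": vad.file_object if vad else None})
    return rows


INJECTED = "absent from all three PEB lists: injected or unlinked"
NO_FILE = "listed in the PEB but no file-backed VAD: image was not mapped from a file on disk"
PARTIAL = "present in some PEB lists only: partially unlinked"


def suspicious_modules(proc: Process) -> Dict[int, str]:
    """Read the ldrmodules rows the way an analyst does."""
    verdicts = {}
    for r in ldrmodules(proc):
        flags = (r["InLoad"], r["InInit"], r["InMem"])
        path = r["mapped_path"] or ""
        if not any(flags):
            verdicts[r["base"]] = INJECTED
        elif r["mapped_path"] is None:
            verdicts[r["base"]] = NO_FILE
        elif flags == (True, False, True) and path.lower().endswith(".exe"):
            continue   # the main executable is never on InInit; this is normal
        elif not all(flags):
            verdicts[r["base"]] = PARTIAL
    return verdicts


def lsass_1928() -> Process:
    """Constructed model of the page's PID 1928; addresses follow the ldrmodules output."""
    return Process(1928, "lsass.exe",
        vads=[
            Vad(0x00080000, 0x000F9FFF, 6, "Vad", None, b"MZ\x90\x00\x03\x00\x00\x00"),  # injected region
            Vad(0x01000000, 0x01005FFF, 7, "Vad", r"\WINDOWS\system32\lsass.exe", b"MZ"),
            Vad(0x7C900000, 0x7C9AFFFF, 7, "Vad", r"\WINDOWS\system32\ntdll.dll", b"MZ"),
            Vad(0x00870000, 0x0087FFFF, 3, "Vad", None, b"MZ"),        # KERNEL32.DLL.ASLR.*: no FileObject
            Vad(0x00100000, 0x0010FFFF, 4, "VadS", None, b"\x00\x00"),  # an ordinary private heap
        ],
        in_load=[0x01000000, 0x7C900000, 0x00870000],
        in_init=[0x7C900000, 0x00870000],
        in_mem=[0x01000000, 0x7C900000, 0x00870000])


if __name__ == "__main__":
    p = lsass_1928()
    for h in malfind(p):
        print("malfind:    0x%08x-0x%08x %s pe_header=%s" % (h["start"], h["end"], h["protect"], h["pe_header"]))
    for base, why in suspicious_modules(p).items():
        print("ldrmodules: 0x%08x %s" % (base, why))
```

The two views are complementary: malfind catches the RWX region at 0x00080000 because of its protection and missing file, while the module at 0x00870000 (which is not writable in this model, so malfind ignores it) is caught by the PEB-versus-VAD cross-check, because every loader list knows it but no file is mapped behind it. The private heap and the real DLLs produce no findings in either view.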