Memory Forensics and Analysis for Network Hosts

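Li Weiming, Huazhong University of Science and Technology

1. Introduction to Memory Forensics
• After a network host has been attacked, malicious code and backdoor programs are easily planted on it
• How can this malicious code and these backdoors be found?
• How can modified system information be checked?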
HUST

• Memory forensics and analysis is a very powerful technique
• Memory forensics consists of two main steps:
1) acquiring the memory image; 2) analyzing it
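
Advantages of memory forensics and analysis:
• Compared with a hard disk, the amount of data is small, generally less than 4 GB
• Malicious code activity inevitably leaves traces in memory
• Malicious code is often unpacked in memory
• Both kernel and application-layer memory spaces can be preserved, which allows analysis from several angles
• Convenient for complex after-the-fact analysis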

Example: Windows process structures:
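
1. (Kernel mode only) Call PsGetCurrentProcess to obtain a pointer to the current process's _EPROCESS. Walking its ActiveProcessLinks LIST_ENTRY member yields the currently running processes.
2. In user mode, native API functions can be called, for example NtQuerySystemInformation with the SystemProcessInformation class.
3. Use the Win32 API directly, for example CreateToolhelp32Snapshot or EnumProcesses, to get the process list.
These are only the most basic methods. If an _EPROCESS is unlinked from the LIST_ENTRY, all of the methods above fail.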
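
Volatility's pslist detects processes with exactly this method of walking the doubly linked list (its detection strength is insufficient).
Volatility also provides psxview:
1. Walks the LIST_ENTRY in _EPROCESS
2. Walks the process list kept in the CSRSS process
3. Detects processes through the handles in PspCidTable; the PspCidTable table holds pointers to all process and thread objects
4. Brute-force searches memory for _EPROCESS objects (scans memory for regions whose characteristics match _EPROCESS)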
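
The difference between the list walk used by pslist and the brute-force search used by psxview, as an added example that is not from the original slides. The 32-byte record layout, the `Proc` tag and the process table are constructed for illustration and are not the real _EPROCESS structure.

```python
import struct

# Toy record (an assumption for illustration, NOT the real _EPROCESS layout):
#   4-byte tag | u32 pid | u32 flink | u32 blink | 16-byte image name
REC = struct.Struct("<4sIII16s")
TAG = b"Proc"
# Constructed process table; "hidden.exe" stands in for the unlinked process.
SAMPLE = [(4, "System"), (516, "smss.exe"), (1337, "hidden.exe"), (668, "lsass.exe")]

def build_image(procs, base=0x100, stride=0x40):
    """Place the records in a flat 'memory image' and link them into a ring."""
    offs = [base + i * stride for i in range(len(procs))]
    mem = bytearray(base + stride * len(procs))
    for i, (pid, name) in enumerate(procs):
        flink, blink = offs[(i + 1) % len(offs)], offs[i - 1]
        REC.pack_into(mem, offs[i], TAG, pid, flink, blink, name.encode())
    return mem, offs

def unlink(mem, off):
    """Hide a record the DKOM way: point its neighbours past it."""
    _, _, flink, blink, _ = REC.unpack_from(mem, off)
    struct.pack_into("<I", mem, blink + 8, flink)    # prev.flink = next
    struct.pack_into("<I", mem, flink + 12, blink)   # next.blink = prev

def walk_list(mem, head):
    """pslist-style view: follow flink from a known head until it wraps."""
    pids, off = set(), head
    while True:
        _, pid, off, _, _ = REC.unpack_from(mem, off)
        pids.add(pid)
        if off == head:
            return pids

def scan_image(mem):
    """Brute-force view: find every record by its tag, linked or not."""
    pids, pos = set(), mem.find(TAG)
    while pos != -1 and pos + REC.size <= len(mem):
        pids.add(REC.unpack_from(mem, pos)[1])
        pos = mem.find(TAG, pos + 1)
    return pids

def hidden_pids(mem, head):
    """Cross-view difference: present in memory but absent from the list."""
    return scan_image(mem) - walk_list(mem, head)

if __name__ == "__main__":
    mem, offs = build_image(SAMPLE)
    unlink(mem, offs[2])
    print(sorted(hidden_pids(mem, offs[0])))
```
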

2. Acquiring the Memory Image
• Linux
– dd command: On older Linux systems, the program dd can be used to read the contents of physical memory from the device file /dev/mem.
– LiME (formerly DMD) is a Loadable Kernel Module (LKM), which allows the acquisition of volatile memory from Linux and Linux-based devices, such as those powered by Android.

• Linux LiME:
– $ tar -xvzf lime-forensics-1.1-r14.tar.gz
– $ cd lime-forensics-1.1-r14/src
– $ make
– ....
– CC [M] /home/mhl/Downloads/src/tcp.o
– CC [M] /home/mhl/Downloads/src/disk.o
– ....
– $ sudo insmod lime-3.2.0-23-generic.ko "path=/home/mhl/ubuntu.lime format=lime"
– $ ls -alh /home/mhl/ubuntu.lime
– -r--r--r-- 1 root root 2.0G Aug 17 19:37 /home/mhl/ubuntu.lime
LiME can be used on Android systems and is better than the pmem that ships with Volatility.

• Windows
– The crash dump mechanism built into Windows;
– The Sysinternals tool LiveKd can be used to create an image of physical memory on a live machine in crash dump format.
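
• The crash dump mechanism built into Windows
– When Windows crashes it can produce three different kinds of dump file:
– Complete memory dump
– Kernel memory dump (windows\memory.dmp)
– Small memory dump (64-256 KB) (the default, windows\minidump\)
• Forcing a crash dump: right Ctrl + ScrollLock + ScrollLock
– Start Registry Editor. Locate the following registry subkey:
– HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\i8042prt\Parameters
– On the Edit menu, click Add Value, and then add the following registry entry:
– Name: CrashOnCtrlScroll
– Data type: REG_DWORD, Value: 1
– Exit Registry Editor, and then restart the computer.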

3. Analyzing the Memory Image
Linux memory analysis tools:
• Volatility Framework is a collection of tools, implemented in Python;
• The Red Hat Crash Utility is an extensible Linux kernel core dump analysis program
• Rekall Framework

Windows memory analysis tools:
• Volatility Framework;
• WinDBG, which ships with Windows;
• Rekall Framework

5. Example: Analyzing a Backdoor Program with Volatility
VirusTotal detection results for this backdoor program
文件B超 detection results

C:\Python27\Scripts>python vol.py -f e:\exemplar13.vmem --profile WinXPSP3x86 psxview
Volatility Foundation Volatility Framework 2.3.1
Offset(P)  Name                    PID pslist psscan thrdproc pspcid csrss session deskthrd
---------- -------------------- ------ ------ ------ -------- ------ ----- ------- --------
0x016ee9a0 lsass.exe               668 True   True   True     True   True  True    True
0x016aa3c0 svchost.exe            1232 True   True   True     True   True  True    True
0x018bc988 wscntfy.exe            1048 True   True   True     True   True  True    True
0x01b0cd50 svchost.exe            1304 True   True   True     True   True  True    True
0x019db628 svchost.exe            1020 True   True   True     True   True  True    True
0x0183c388 svchost.exe             888 True   True   True     True   True  True    True
0x01a41860 wmiprvse.exe            224 True   True   True     True   True  True    True
0x016e3020 spoolsv.exe            1516 True   True   True     True   True  True    True
0x01690920 explorer.exe           1928 True   True   True     True   True  True    True
0x018068b0 svchost.exe             984 True   True   True     True   True  True    True
0x01859b38 services.exe            656 True   True   True     True   True  True    True
0x017df020 msiexec.exe             412 True   True   True     True   True  True    True
0x01b2d2d8 winlogon.exe            612 True   True   True     True   True  True    True
0x01a3d020 alg.exe                 408 True   True   True     True   True  True    True
0x016d38c8 ud32.exe                464 True   True   True     True   True  True    True
0x016fa390 ud32.exe               1040 True   True   False    True   False False   False
0x01b12170 csrss.exe               588 True   True   True     True   False True    True
0x0180f600 smss.exe                516 True   True   True     True   False False   False
0x01bcc7f8 System                    4 True   True   True     True   False False   False

C:\Python27\Scripts>python vol.py -f e:\exemplar13.vmem --profile WinXPSP3x86 pstree
Volatility Foundation Volatility Framework 2.3.1
Name                              Pid   PPid   Thds   Hnds Time
------------------------------ ------ ------ ------ ------ ----
0x817cc7f8:System                   4      0     53    251 1970-01-01 00:00:00 UTC+0000
. 0x8140f600:smss.exe             516      4      3     21 2009-01-08 01:46:50 UTC+0000
.. 0x81712170:csrss.exe           588    516      9    338 2009-01-08 01:46:56 UTC+0000
.. 0x8172d2d8:winlogon.exe        612    516     22    604 2009-01-08 01:46:56 UTC+0000
... 0x81459b38:services.exe       656    612     16    256 2009-01-08 01:46:59 UTC+0000
.... 0x812aa3c0:svchost.exe      1232    656      6     83 2009-01-08 01:47:55 UTC+0000
.... 0x8163d020:alg.exe           408    656      5     98 2009-01-08 01:48:23 UTC+0000
.... 0x815db628:svchost.exe      1020    656     18    197 2009-01-08 01:47:02 UTC+0000
..... 0x81641860:wmiprvse.exe     224   1020      4    141 2009-01-08 01:48:17 UTC+0000
.... 0x814068b0:svchost.exe       984    656     84   1544 2009-01-08 01:47:02 UTC+0000
..... 0x814bc988:wscntfy.exe     1048    984      1     27 2009-01-08 01:49:13 UTC+0000
.... 0x8143c388:svchost.exe       888    656      9    233 2009-01-08 01:47:02 UTC+0000
.... 0x813df020:msiexec.exe       412    656      5    104 2009-01-08 01:49:22 UTC+0000
.... 0x812e3020:spoolsv.exe      1516    656     14    115 2009-01-08 01:47:56 UTC+0000
.... 0x8170cd50:svchost.exe      1304    656     13    202 2009-01-08 01:47:56 UTC+0000
... 0x812ee9a0:lsass.exe          668    612     19    326 2009-01-08 01:46:59 UTC+0000
0x81290920:explorer.exe          1928   2000     15    377 2009-01-08 01:49:12 UTC+0000
. 0x812d38c8:ud32.exe             464   1928      5     66 2009-01-08 01:53:09 UTC+0000
. 0x812fa390:ud32.exe            1040   1928      0 ------ 2009-01-08 01:53:09 UTC+0000

C:\Python27\Scripts>python vol.py -f e:\exemplar13.vmem --profile WinXPSP3x86 connscan
Volatility Foundation Volatility Framework 2.3.1
Offset(P)  Local Address             Remote Address            Pid
---------- ------------------------- ------------------------- ---
0x017fc4c0 192.168.30.128:1050       72.10.166.195:80          1928
0x017fc8e0 192.168.30.128:1049       72.10.166.195:80          1928
0x017fcd00 192.168.30.128:1039       204.160.105.126:80        1404
0x01889390 192.168.30.128:1048       67.215.11.138:7000        1928

C:\Python27\Scripts>python vol.py -f e:\exemplar13.vmem --profile WinXPSP3x86 connections
Volatility Foundation Volatility Framework 2.3.1
Offset(V)  Local Address             Remote Address            Pid
---------- ------------------------- ------------------------- ---
0x813fc8e0 192.168.30.128:1049       72.10.166.195:80          1928
0x813fc4c0 192.168.30.128:1050       72.10.166.195:80          1928
0x81489390 192.168.30.128:1048       67.215.11.138:7000        1928

A string search across all memory regions turns up a sensitive string: "http://zonetech.info/skpz.exe"
C:\Python27\Scripts>python vol.py -f e:\exemplar13.vmem --profile WinXPSP3x86 -p 1928 vaddump --dump-dir e:\temp
Volatility Foundation Volatility Framework 2.3.1
Pid        Process              Start      End        Result
---------- -------------------- ---------- ---------- ------
      1928 explorer.exe         0x01a50000 0x01a52fff e:\temp\explorer.exe.1690920.0x01a50000-0x01a52fff.dmp
      1928 explorer.exe         0x019e0000 0x019e0fff e:\temp\explorer.exe.1690920.0x019e0000-0x019e0fff.dmp
      1928 explorer.exe         0x01970000 0x01970fff e:\temp\explorer.exe.1690920.0x01970000-0x01970fff.dmp
      1928 explorer.exe         0x01900000 0x01900fff e:\temp\explorer.exe.1690920.0x01900000-0x01900fff.dmp
... (many more)

C:\Python27\Scripts>python vol.py -f e:\exemplar13.vmem --profile WinXPSP3x86 handles -p 1928 -t File
Volatility Foundation Volatility Framework 2.3.1
Offset(V)     Pid     Handle     Access Type             Details
---------- ------ ---------- ---------- ---------------- -------
0x81705028   1928        0xc   0x100020 File             \Device\HarddiskVolume1\Documents and Settings\foo
0x812768f0   1928      0x330   0x120116 File             \Device\Tcp
0x815c01c0   1928      0x338   0x100020 File             \Device\HarddiskVolume1\WINDOWS\WinSxS\x86_Microsoft.Windows.CommonControls_6595b64144ccf1df_6.0.2600.2180_x-ww_a84f1ff9
0x81276858   1928      0x340   0x1200a0 File             \Device\Ip
0x814b4500   1928      0x34c   0x1200a0 File             \Device\Tcp
0x81279df0   1928      0x350   0x100001 File             \Device\HarddiskVolume1\Documents and Settings\foo\Start Menu
0x813de228   1928      0x354   0x100001 File             \Device\HarddiskVolume1\Documents and Settings\All Users\Start Menu
0x812767c0   1928      0x36c   0x100003 File             \Device\Ip
0x81276728   1928      0x370   0x1200a0 File             \Device\Ip
0x814b2dc0   1928      0x39c   0x100001 File             \Device\HarddiskVolume1\Documents and Settings\foo\NetHood
0x814b1cd0   1928      0x3a4   0x100020 File             \Device\HarddiskVolume1\WINDOWS\WinSxS\x86_Microsoft.Windows.CommonControls_6595b64144ccf1df_6.0.2600.2180_x-ww_a84f1ff9
0x813ff750   1928      0x3b0   0x120089 File             \Device\HarddiskVolume1\RECYCLER\S-1-5-211482476501-1644491937-682003330-1013\sys32.exe

6. Example: Stuxnet's Footprint in Memory
Stuxnet is the malicious code that attacked Iran's nuclear facilities and is a typical example of an APT attack
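
6. Example: Analyzing the Stuxnet Image with Volatility
• pstree
Anomaly: there are several lsass.exe processes, when there should be only one. PPID analysis: the real lsass.exe should be a child of winlogon, so the other two are fake.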
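
The PPID reasoning above written as a check over a process table, as an added example that is not from the original slides. The table is constructed: 680, 868 and 1928 are the lsass.exe PIDs the slides discuss, while every other PID and all PPIDs are made up for the demo.

```python
# Expected parent image for processes that run once per system on Windows XP.
# lsass.exe -> winlogon.exe is the rule stated above; services.exe shows the
# same lineage in the pstree output of section 5.
EXPECTED_PARENT = {"lsass.exe": "winlogon.exe", "services.exe": "winlogon.exe"}

# Constructed (pid, ppid, name) rows; see the lead-in for what is made up.
SAMPLE = [
    (4, 0, "System"), (500, 4, "smss.exe"), (600, 500, "winlogon.exe"),
    (650, 600, "services.exe"), (680, 600, "lsass.exe"),
    (868, 650, "lsass.exe"), (1928, 650, "lsass.exe"),
    (1500, 2000, "explorer.exe"),   # parent 2000 is not in the table
]

def audit_parents(procs):
    """Return {pid: reason} for processes whose parent breaks the lineage rule."""
    name_of = {pid: name.lower() for pid, _, name in procs}
    findings = {}
    for pid, ppid, name in procs:
        want = EXPECTED_PARENT.get(name.lower())
        if want is None:
            continue                    # no rule for this image name
        parent = name_of.get(ppid)      # None if the parent exited or is hidden
        if parent != want:
            findings[pid] = (f"{name} (pid {pid}): parent "
                             f"{parent or 'not found'}, expected {want}")
    return findings

def duplicated_singletons(procs):
    """Return {name: [pids]} for singleton images that appear more than once."""
    seen = {}
    for pid, _, name in procs:
        if name.lower() in EXPECTED_PARENT:
            seen.setdefault(name.lower(), []).append(pid)
    return {n: sorted(p) for n, p in seen.items() if len(p) > 1}

if __name__ == "__main__":
    print(duplicated_singletons(SAMPLE))
    for reason in audit_parents(SAMPLE).values():
        print(reason)
```
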
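
• threads lists the threads of each process: 680 has 19, 868 has 2, 1928 has 4
• vol.py -f e:\stuxnet.vmem --profile WinXPSP3x86 threads -p 1928 --output-file e:\1928.txt
The threads of 680 have BasePriority: 0x9
The threads of 868 have BasePriority: 0x8
The threads of 1928 have BasePriority: 0x8
• Windows gives every thread a scheduling priority from 0 to 31; system threads are somewhat higher, so this can also be used to judge which one is the real lsass.exe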

• vol.py -f e:\stuxnet.vmem --profile WinXPSP3x86 dlllist -p 680,868,1928 --output-file e:\dll.txt
• Looking at the DLLs of each process shows that 868 and 1928 are missing several authentication-related DLLs:
• 0x71cf0000 0x4c000 0x2 C:\WINDOWS\system32\kerberos.dll
• 0x77a80000 0x95000 0x9 C:\WINDOWS\system32\CRYPT32.dll
• 0x743e0000 0x2f000 0x1 C:\WINDOWS\system32\ipsecsvc.dll
• 0x776c0000 0x12000 0x1 C:\WINDOWS\system32\AUTHZ.dll
• 0x75d90000 0xd0000 0x1 C:\WINDOWS\system32\oakley.DLL
• But all three processes were started from "C:\WINDOWS\\system32\\lsass.exe", so why have some of them become malicious processes?

• malfind
• vol.py -f e:\stuxnet.vmem --profile WinXPSP3x86 malfind -D e:\out
• No non-Microsoft DLLs show up in the loaded-module lists for Services.exe, Lsass.exe or Explorer.exe, so they are probably hosting injected executable code. [....] Sure enough, the legitimate Lsass has no executable data regions
• If system service processes such as Services.exe, Lsass.exe or explorer.exe contain non-Microsoft DLLs, that is basically abnormal. In addition, Lsass.exe does not contain executable data regions
• The possible malware that is found is written to the e:\out directory

Name       Pid  Start      End        Tag  Hits Protect
lsass.exe  868  0x00080000 0x000F9FFF Vad  0    6 (MM_EXECUTE_READWRITE)
Dumped to: out/lsass.exe.1e498c8.00080000-000f9fff.dmp
0x00080000 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 ..............
0x00080010 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 ........@.......
0x00080020 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0x00080030 00 00 00 00 00 00 00 00 00 00 00 00 08 01 00 00 ................
0x00080040 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 ........!..L.!Th
0x00080050 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f is program canno
0x00080060 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 t be run in DOS
0x00080070 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 mode....$.......
lsass.exe  1928 0x00080000 0x000F9FFF Vad  0    6 (MM_EXECUTE_READWRITE)
Dumped to: out/lsass.exe.1e47c00.00080000-000f9fff.dmp
0x00080000 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 ..............
0x00080010 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 ........@.......
0x00080020 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0x00080030 00 00 00 00 00 00 00 00 00 00 00 00 08 01 00 00 ................
0x00080040 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 ........!..L.!Th
0x00080050 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f is program canno
0x00080060 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 t be run in DOS
0x00080070 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 mode....$.......
The MZ header of a PE file was also found in the executable memory region, so it is judged that executable code was injected

Analyzing this memory region with the vadinfo plugin shows that it has no description such as:
FileObject @823df198, Name: \WINDOWS\system32\ntdll.dll
which means the region was not loaded from a file with LoadLibrary but was injected
vol.py -f e:\stuxnet.vmem --profile WinXPSP3x86 vadinfo -p 868 --output-file=vadinfo.txt
VAD node @ 0x822e7e70 Start 0x00080000 End 0x000f9fff Tag Vad
Flags: Protection: 6
Protection: PAGE_EXECUTE_READWRITE
ControlArea @81de9890 Segment e2b7dbf0
Dereference list: Flink 00000000, Blink 00000000
NumberOfSectionReferences:          0 NumberOfPfnReferences:           0
NumberOfMappedViews:                1 NumberOfUserReferences:          1
WaitingForDeletion Event: 00000000
Control Flags: Commit: 1, HadUserReference: 1
First prototype PTE: e2b7dc30 Last contiguous PTE: e2b7dff8
Flags2: Inherit: 1

vol.py -f e:\stuxnet.vmem --profile WinXPSP3x86 ldrmodules
• Lists every module a process has loaded, both exe and dll, and uses the three lists in the PEB to judge whether there are hidden DLLs
1928 lsass.exe 0x00080000 False False False
1928 lsass.exe 0x7c900000 True  True  True  \WINDOWS\system32\ntdll.dll
1928 lsass.exe 0x773d0000 True  True  True  \WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.5512_xww_35d4ce83\comctl32.dll
1928 lsass.exe 0x77f60000 True  True  True  \WINDOWS\system32\shlwapi.dll
1928 lsass.exe 0x771b0000 True  True  True  \WINDOWS\system32\wininet.dll
1928 lsass.exe 0x77a80000 True  True  True  \WINDOWS\system32\crypt32.dll
1928 lsass.exe 0x77fe0000 True  True  True  \WINDOWS\system32\secur32.dll
1928 lsass.exe 0x77c00000 True  True  True  \WINDOWS\system32\version.dll
1928 lsass.exe 0x01000000 True  False True
1928 lsass.exe 0x5b860000 True  True  True  \WINDOWS\system32\netapi32.dll
1928 lsass.exe 0x77e70000 True  True  True  \WINDOWS\system32\rpcrt4.dll
1928 lsass.exe 0x71ab0000 True  True  True  \WINDOWS\system32\ws2_32.dll
1928 lsass.exe 0x71ad0000 True  True  True  \WINDOWS\system32\wsock32.dll
1928 lsass.exe 0x774e0000 True  True  True  \WINDOWS\system32\ole32.dll
1928 lsass.exe 0x7e410000 True  True  True  \WINDOWS\system32\user32.dll
1928 lsass.exe 0x77f10000 True  True  True  \WINDOWS\system32\gdi32.dll
1928 lsass.exe 0x77120000 True  True  True  \WINDOWS\system32\oleaut32.dll
1928 lsass.exe 0x76d60000 True  True  True  \WINDOWS\system32\iphlpapi.dll
1928 lsass.exe 0x769c0000 True  True  True  \WINDOWS\system32\userenv.dll
1928 lsass.exe 0x7c800000 True  True  True  \WINDOWS\system32\kernel32.dll
1928 lsass.exe 0x76bf0000 True  True  True  \WINDOWS\system32\psapi.dll
1928 lsass.exe 0x77c10000 True  True  True  \WINDOWS\system32\msvcrt.dll
1928 lsass.exe 0x77dd0000 True  True  True  \WINDOWS\system32\advapi32.dll
1928 lsass.exe 0x7c9c0000 True  True  True  \WINDOWS\system32\shell32.dll
1928 lsass.exe 0x00870000 True  True  True
1928 lsass.exe 0x76f20000 True  True  True  \WINDOWS\system32\dnsapi.dll
1928 lsass.exe 0x5d090000 True  True  True  \WINDOWS\system32\comctl32.dll
1928 lsass.exe 0x71aa0000 True  True  True  \WINDOWS\system32\ws2help.dll
1928 lsass.exe 0x77b20000 True  True  True  \WINDOWS\system32\msasn1.dll

The -v option searches memory further and finds hidden image files
The lsass.exe image can be exported with procexedump or procmemdump and compared with a known-good copy; the two turn out to differ
ldrmodules -p 1928 -v
Volatile Systems Volatility Framework 2.0
Pid  Process   Base       InLoad InInit InMem Path
1928 lsass.exe 0x00080000 0      0      0
1928 lsass.exe 0x01000000 1      0      1
Load Path: C:\WINDOWS\system32\lsass.exe : lsass.exe
Mem Path: C:\WINDOWS\system32\lsass.exe : lsass.exe
1928 lsass.exe 0x00870000 1      1      1
Load Path: C:\WINDOWS\system32\KERNEL32.DLL.ASLR.0360b7ab : KERNEL32.DLL.ASLR.0360b7ab
Init Path: C:\WINDOWS\system32\KERNEL32.DLL.ASLR.0360b7ab : KERNEL32.DLL.ASLR.0360b7ab
Mem Path: C:\WINDOWS\system32\KERNEL32.DLL.ASLR.0360b7ab : KERNEL32.DLL.ASLR.0360b7ab
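
The malfind, vadinfo and ldrmodules observations from the last slides combined into one check, as an added example that is not part of the original slides or of Volatility. The four ldrmodules rows are taken from the output above (columns: Pid, Process, Base, InLoad, InInit, InMem, mapped path); the malfind tuples, including their header bytes and the second region at 0x00a00000, are constructed.

```python
import re

# Rows in the layout of the ldrmodules output shown above.
LDRMODULES = r"""
1928 lsass.exe 0x00080000 False False False
1928 lsass.exe 0x7c900000 True True True \WINDOWS\system32\ntdll.dll
1928 lsass.exe 0x01000000 True False True
1928 lsass.exe 0x00870000 True True True
"""

# Constructed malfind-style hits: (pid, start, protection, first bytes).
MALFIND = [
    (1928, 0x00080000, "PAGE_EXECUTE_READWRITE", b"MZ\x90\x00"),
    (1928, 0x00a00000, "PAGE_EXECUTE_READWRITE", b"\x00\x00\x00\x00"),
]

ROW = re.compile(r"^(\d+)\s+(\S+)\s+(0x[0-9a-fA-F]+)"
                 r"\s+(True|False)\s+(True|False)\s+(True|False)\s*(.*)$")

def parse_ldrmodules(text):
    """Return {(pid, base): (in_load, in_init, in_mem, mapped_path)}."""
    rows = {}
    for line in text.strip().splitlines():
        m = ROW.match(line.strip())
        if m:
            pid, _, base, *flags, path = m.groups()
            rows[(int(pid), int(base, 16))] = (*[f == "True" for f in flags], path)
    return rows

def injected_pe_regions(ldr_text, malfind_hits):
    """Regions that are RWX, start with an MZ header, appear in none of the
    three PEB lists and have no backing file path."""
    rows = parse_ldrmodules(ldr_text)
    findings = []
    for pid, start, prot, head in malfind_hits:
        in_load, in_init, in_mem, path = rows.get((pid, start),
                                                  (False, False, False, ""))
        unlisted = not (in_load or in_init or in_mem)
        if (prot == "PAGE_EXECUTE_READWRITE" and head[:2] == b"MZ"
                and unlisted and not path):
            findings.append((pid, f"{start:#010x}"))
    return findings

if __name__ == "__main__":
    print(injected_pe_regions(LDRMODULES, MALFIND))
```
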
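
7. Research Directions
1. Each memory image can be seen as one photograph of memory; taking multiple snapshots then produces a "movie" of the network host's memory activity.
2. By extracting key data structures from memory and applying big-data analysis techniques, the various behaviors of malicious code or backdoor programs can be observed in fine detail.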