Volatility provides two methods for listing processes in a memory dump, one that simulates what the operating system would have seen by following the linked list of processes, and the other that scans the entire memory dump for EPROCESS structures.
The pslist option of Volatility walks through the process list, in the same way that the operating system does, to produce the following output for the FUTo rootkit scenario.
E:\Volatility>E:\Python25\python volatility pslist -f FUTo-memory-20070909.dd
Name          Pid   PPid  Thds  Hnds  Time
System        4     0     53    265   Thu Jan 01 00:00:00 1970
smss.exe      592   4     3     21    Sun Sep 09 18:12:23 2007
csrss.exe     664   592   11    385   Sun Sep 09 18:12:25 2007
winlogon.exe  688   592   20    502   Sun Sep 09 18:12:27 2007
services.exe  736   688   19    385   Sun Sep 09 18:12:29 2007
savedump.exe  748   688   0     -1    Sun Sep 09 18:12:29 2007
lsass.exe     756   688   19    310   Sun Sep 09 18:12:29 2007
ibmpmsvc.exe  928   736   3     29    Sun Sep 09 18:12:34 2007
svchost.exe   956   736   8     226   Sun Sep 09 18:12:34 2007
svchost.exe   1080  736   72    1025  Sun Sep 09 18:12:34 2007
svchost.exe   1228  736   5     70    Sun Sep 09 18:12:36 2007
svchost.exe   1260  736   13    147   Sun Sep 09 18:12:36 2007
spoolsv.exe   1452  736   11    138   Sun Sep 09 18:12:38 2007
QCONSVC.EXE   1604  736   2     28    Sun Sep 09 18:12:44 2007
explorer.exe  412   388   16    394   Sun Sep 09 18:13:05 2007
igfxtray.exe  632   412   4     124   Sun Sep 09 18:13:07 2007
hkcmd.exe     280   412   6     140   Sun Sep 09 18:13:08 2007
LTSMMSG.exe   656   412   1     21    Sun Sep 09 18:13:08 2007
tp4serv.exe   828   412   3     33    Sun Sep 09 18:13:08 2007
rundll32.exe  1024  412   1     27    Sun Sep 09 18:13:08 2007
TPHKMGR.exe   1100  412   2     49    Sun Sep 09 18:13:09 2007
Qctray.exe    1236  412   3     79    Sun Sep 09 18:13:09 2007
dirx9.exe     1284  412   2     143   Sun Sep 09 18:13:09 2007
msmsgs.exe    976   412   4     120   Sun Sep 09 18:13:16 2007
wuauclt.exe   404   1080  6     140   Sun Sep 09 18:14:15 2007
helix.exe     1204  412   10    261   Sun Sep 09 18:17:32 2007

CFO: "I have rebooted a number of times. It is still sluggish."
Help Desk: "I don't know what to tell you. Maybe you are just imagining that your laptop is running slower."
The CFO was irritated with the help desk operator for suggesting he was just imagining the problem, and made a point of bringing the issue to the attention of the Director of Information Security. The fact that the CFO had manually installed software updates while traveling immediately concerned the Director of Information Security, because she had spent a significant portion of her budget on patch management so that users did not have to be involved in the process. She immediately had one of her staff acquire volatile data from the system and a forensic duplicate of the hard drive. A preliminary examination of the volatile data revealed that malware was running on the CFO's computer. In addition to observing several suspicious binaries running in memory, the digital investigator found the FUTo rootkit during an examination of the forensic duplicate. The process of examining a forensic duplicate is detailed in Chapter 4, and an example of a functional reconstruction leading to the discovery of the FUTo rootkit on this system is shown in Figure 4.3. This rootkit hides processes by modifying a structure in memory called PspCidTable (http://www.uninformed.org/?v=3&a=7&t=sumry).
Because the pslist option relies on information in the EPROCESS structures, detailed later in this chapter, to locate the next process in memory, this method can be fooled in the same way that the operating system is tricked by rootkits: a rootkit that unlinks a process's EPROCESS block from the active-process list hides it from both. To overcome such process hiding techniques, the psscan option methodically scans a memory dump for the signature of an EPROCESS data structure, carves EPROCESS structures out of the dump regardless of whether they are still linked, and produces the following output for the same FUTo rootkit scenario. The offset and PDB columns are excluded from this output for readability, but are explained later in this chapter.
E:\Volatility>E:\Python25\python volatility psscan -f FuTo-memory-20070909.dd
Fast
No.  PID   Time created              Time exited               Remarks
---- ----  ------------------------  ------------------------  ------------
1    0                                                         Idle
2    664   Sun Sep 09 18:12:25 2007                            csrss.exe
3    1852  Sun Sep 09 18:12:00 2007                            logonui.exe
4    592   Sun Sep 09 18:12:23 2007                            smss.exe
5    1204  Sun Sep 09 18:17:32 2007                            helix.exe
6    4                                                         System
7    0                                                         Idle
8    736   Sun Sep 09 18:12:29 2007                            services.exe
9    748   Sun Sep 09 18:12:29 2007  Sun Sep 09 18:17:50 2007  savedump.exe
10   1808  Sun Sep 09 18:19:56 2007                            dd.exe
11   688   Sun Sep 09 18:12:27 2007                            winlogon.exe
12   756   Sun Sep 09 18:12:29 2007                            lsass.exe
13   928   Sun Sep 09 18:12:34 2007                            ibmpmsvc.exe
14   956   Sun Sep 09 18:12:34 2007                            svchost.exe
15   1080  Sun Sep 09 18:12:34 2007                            svchost.exe
16   1228  Sun Sep 09 18:12:36 2007                            svchost.exe
17   1260  Sun Sep 09 18:12:36 2007                            svchost.exe
18   1452  Sun Sep 09 18:12:38 2007                            spoolsv.exe
19   1604  Sun Sep 09 18:12:44 2007                            QCONSVC.EXE
20   0     Sun Sep 09 18:12:45 2007                            skls.exe
21   412   Sun Sep 09 18:13:05 2007                            explorer.exe
22   632   Sun Sep 09 18:13:07 2007                            igfxtray.exe
23   280   Sun Sep 09 18:13:08 2007                            hkcmd.exe
24   656   Sun Sep 09 18:13:08 2007                            LTSMMSG.exe
25   828   Sun Sep 09 18:13:08 2007                            tp4serv.exe
26   404   Sun Sep 09 18:14:15 2007                            wuauclt.exe
27   1024  Sun Sep 09 18:13:08 2007                            rundll32.exe
28   1236  Sun Sep 09 18:13:09 2007                            Qctray.exe
29   1100  Sun Sep 09 18:13:09 2007                            TPHKMGR.exe
30   372   Sun Sep 09 18:19:56 2007                            cmd.exe
31   1284  Sun Sep 09 18:13:09 2007                            dirx9.exe
32   0     Sun Sep 09 18:13:10 2007                            skl.exe
33   976   Sun Sep 09 18:13:16 2007                            msmsgs.exe
Comparing the output of these two methods (pslist and psscan) can reveal discrepancies caused by malware, or anomalies that relate to the behavior of malware. For instance, two processes, "skls.exe" and "skl.exe," that do not appear in the pslist output are visible in the psscan output (rows 20 and 32 above), both with a process ID of zero, which is normally held only by the Windows system Idle process. Setting the process identifier (PID) to zero is an artifact of the FUTo rootkit (Silberman & C.H.A.O.S., 2006; http://www.uninformed.org/?v=3&a=7&t=sumry). Because the PID is forged, a process found by psscan should be matched against pslist by name and creation time rather than by PID.
The listing above also shows the "dd.exe" process, which was used to make the memory dump but is not visible in the pslist output. Such discrepancies between the processes displayed by pslist and psscan may also be due to a process exiting, or to the volatile nature of the data being preserved: if a process is in a state of flux while memory is being captured, memory forensics tools may have difficulty interpreting its state. A discrepancy is therefore a lead to be explained, not by itself proof of hiding.
Unlike the pslist option, the psscan output provides the time a process exited, when applicable. Another memory forensics tool called PTFinder, which was developed by Andreas Schuster, also provides both the start and exit time of each process. The following PTFinder output from the memory dump in the FUTo rootkit scenario has the exit time columns removed for readability.
E:\PTFinder>ptfinder_xpsp2.pl --nothreads FUTo-memory-20070909.dd
No.  Type  PID   TID  Time created         Offset      PDB         Remarks
---  ----  ----  ---  -------------------  ----------  ----------  ------------
1    Proc  0                               0x00544640  0x00039000  Idle
2    Proc  664        2007-09-09 18:12:25  0x0104ab50  0x03f49000  csrss.exe
3    Proc  1852       2007-09-09 18:12:00  0x0104c818  0x0aa13000  logonui.exe
4    Proc  592        2007-09-09 18:12:23  0x0106f788  0x02f2b000  smss.exe
5    Proc  1204       2007-09-09 18:17:32  0x01168a18  0x0001b000  helix.exe
6    Proc  4                               0x01218020  0x00039000  System
7    Proc  736        2007-09-09 18:12:29  0x020cd7d8  0x05649000  services.exe
8    Proc  748        2007-09-09 18:12:29  0x02151668  0x05689000  savedump.exe
9    Proc  1808       2007-09-09 18:19:56  0x026c7420  0x0e906000  dd.exe
10   Proc  688        2007-09-09 18:12:27  0x03cf0850  0x04e5f000  winlogon.exe
11   Proc  756        2007-09-09 18:12:29  0x05683da8  0x0566f000  lsass.exe
12   Proc  928        2007-09-09 18:12:34  0x05cc9da8  0x06208000  ibmpmsvc.exe
13   Proc  956        2007-09-09 18:12:34  0x0626bd80  0x06299000  svchost.exe
14   Proc  1080       2007-09-09 18:12:34  0x063d46a0  0x06467000  svchost.exe
15   Proc  1228       2007-09-09 18:12:36  0x06b00020  0x06aec000  svchost.exe
16   Proc  1260       2007-09-09 18:12:36  0x06cb0728  0x06ce5000  svchost.exe
17   Proc  1452       2007-09-09 18:12:38  0x07509da8  0x075a6000  spoolsv.exe
18   Proc  1604       2007-09-09 18:12:44  0x07daec18  0x07d94000  QCONSVC.EXE
19   Proc  0          2007-09-09 18:12:45  0x07e26b50  0x07e8f000  skls.exe
20   Proc  412        2007-09-09 18:13:05  0x08df4da8  0x08ded000  explorer.exe
21   Proc  632        2007-09-09 18:13:07  0x09783c48  0x09897000  igfxtray.exe
22   Proc  280        2007-09-09 18:13:08  0x098b2960  0x098fb000  hkcmd.exe
23   Proc  656        2007-09-09 18:13:08  0x099da6a8  0x09a4a000  LTSMMSG.exe
24   Proc  828        2007-09-09 18:13:08  0x09afb288  0x09b82000  tp4serv.exe
25   Proc  404        2007-09-09 18:14:15  0x09afb508  0x0e27a000  wuauclt.exe
26   Proc  1024       2007-09-09 18:13:08  0x09c3fda8  0x09ba9000  rundll32.exe
27   Proc  1236       2007-09-09 18:13:09  0x09cec2c0  0x09fed000  Qctray.exe
28   Proc  1100       2007-09-09 18:13:09  0x09e4da28  0x09e6d000  TPHKMGR.exe
29   Proc  372        2007-09-09 18:19:56  0x09f05020  0x09774000  cmd.exe
30   Proc  1284       2007-09-09 18:13:09  0x09f6b6a8  0x0a093000  dirx9.exe
31   Proc  0          2007-09-09 18:13:10  0x0a10fbe8  0x0a039000  skl.exe
32   Proc  976        2007-09-09 18:13:16  0x0bc35898  0x0c03b000  msmsgs.exe

Performing temporal analysis of the running processes can help digital investigators interpret events surrounding malware on a system, such as when it started running and which other unusual processes started around the same time. The success of this type of analysis is generally contingent upon the operating system not having been restarted since the malware was installed.
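The cross-view comparison and the temporal analysis described above, as an added example that is not code from the book or from the Volatility project. It parses Volatility 1.x pslist and psscan text (the two listings inside the script are constructed from a subset of the rows on this page), matches entries by name and creation time because FUTo forges the PID, classifies what psscan found that pslist did not, and lists the processes created within a chosen window of a suspect process:

```python
"""Cross-view comparison of Volatility 1.x pslist and psscan listings.

Added example, not code from the book or the Volatility project. PSLIST and
PSSCAN are constructed from a subset of the rows on this page, in the
Volatility 1.x column layout.
"""
import re
from datetime import datetime, timedelta

PSLIST = """\
Name          Pid   PPid  Thds  Hnds  Time
System        4     0     53    265   Thu Jan 01 00:00:00 1970
smss.exe      592   4     3     21    Sun Sep 09 18:12:23 2007
services.exe  736   688   19    385   Sun Sep 09 18:12:29 2007
savedump.exe  748   688   0     -1    Sun Sep 09 18:12:29 2007
QCONSVC.EXE   1604  736   2     28    Sun Sep 09 18:12:44 2007
explorer.exe  412   388   16    394   Sun Sep 09 18:13:05 2007
msmsgs.exe    976   412   4     120   Sun Sep 09 18:13:16 2007
"""

PSSCAN = """\
No.  PID   Time created              Time exited               Remarks
---- ----  ------------------------  ------------------------  ------------
1    0                                                         Idle
2    592   Sun Sep 09 18:12:23 2007                            smss.exe
3    4                                                         System
4    736   Sun Sep 09 18:12:29 2007                            services.exe
5    748   Sun Sep 09 18:12:29 2007  Sun Sep 09 18:17:50 2007  savedump.exe
6    1808  Sun Sep 09 18:19:56 2007                            dd.exe
7    1604  Sun Sep 09 18:12:44 2007                            QCONSVC.EXE
8    0     Sun Sep 09 18:12:45 2007                            skls.exe
9    412   Sun Sep 09 18:13:05 2007                            explorer.exe
10   0     Sun Sep 09 18:13:10 2007                            skl.exe
11   976   Sun Sep 09 18:13:16 2007                            msmsgs.exe
"""

TS = r"[A-Z][a-z]{2} [A-Z][a-z]{2} \d{2} \d{2}:\d{2}:\d{2} \d{4}"
TS_FMT = "%a %b %d %H:%M:%S %Y"
# A psscan row: No., PID, optional creation time, optional exit time, name.
PSSCAN_ROW = re.compile(
    r"^\s*\d+\s+(?P<pid>\d+)\s+(?:(?P<created>TS))?\s*(?:(?P<exited>TS))?\s+(?P<name>\S+)\s*$"
    .replace("TS", TS))


def parse_time(text):
    """Volatility prints the Unix epoch when a creation time is unknown; map it to None."""
    if not text:
        return None
    t = datetime.strptime(text, TS_FMT)
    return None if t.year == 1970 else t


def parse_pslist(text):
    """Rows of the linked-list walk: Name Pid PPid Thds Hnds Time."""
    procs = []
    for line in text.splitlines()[1:]:
        fields = line.split(None, 5)
        if len(fields) == 6:
            name, pid, ppid, _thds, _hnds, when = fields
            procs.append({"name": name, "pid": int(pid), "ppid": int(ppid),
                          "created": parse_time(when), "exited": None})
    return procs


def parse_psscan(text):
    """Rows carved from the dump; exited processes carry an exit time."""
    procs = []
    for m in filter(None, map(PSSCAN_ROW.match, text.splitlines())):
        procs.append({"name": m["name"], "pid": int(m["pid"]),
                      "created": parse_time(m["created"]),
                      "exited": parse_time(m["exited"])})
    return procs


def compare(pslist_text, psscan_text):
    """Classify psscan entries that pslist did not report.

    The join key is (name, creation time), not PID: FUTo zeroes the PID, so a
    PID join would silently lose the very processes we are looking for.
    """
    listed = {(p["name"].lower(), p["created"]) for p in parse_pslist(pslist_text)}
    found = {"hidden_pid_zero": [], "exited": [], "unlinked": []}
    for p in parse_psscan(psscan_text):
        if p["name"] == "Idle":
            continue  # PID 0 by design and never reported by this pslist
        if p["exited"]:
            found["exited"].append(p["name"])  # may still be linked, e.g. savedump.exe
        if (p["name"].lower(), p["created"]) in listed:
            continue
        # PID 0 on anything but Idle is the FUTo artifact; anything else unlinked
        # (dd.exe here) is a lead to explain, not proof of hiding.
        found["hidden_pid_zero" if p["pid"] == 0 else "unlinked"].append(p["name"])
    return found


def created_within(procs, anchor, seconds):
    """Names of processes created within +/- seconds of the anchor process, in time order."""
    t0 = next((p["created"] for p in procs if p["name"] == anchor and p["created"]), None)
    if t0 is None:
        return []
    near = [p for p in procs if p["created"] and p["name"] != anchor
            and abs(p["created"] - t0) <= timedelta(seconds=seconds)]
    return [p["name"] for p in sorted(near, key=lambda p: p["created"])]


if __name__ == "__main__":
    for kind, names in compare(PSLIST, PSSCAN).items():
        print(f"{kind}: {names}")
    print("within 30 s of skls.exe:", created_within(parse_psscan(PSSCAN), "skls.exe", 30))
```

On the constructed listings the script reports skls.exe and skl.exe as hidden with a forged PID, savedump.exe as exited, and dd.exe as unlinked; the 30-second window around skls.exe brings in QCONSVC.EXE, explorer.exe and skl.exe, which is the kind of cluster the temporal analysis paragraph describes.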
It can also be fruitful to perform a relational reconstruction, as detailed in the Introduction. The relationships between processes on a computer can be depicted graphically as shown in Figure 3.3. Examining the relationships between processes can reveal anomalies relating to malware. For instance, most user processes are launched by “explorer.exe,” and any deviation from this pattern deserves further investigation. The highlighted process in Figure 3.3 clearly shows that the hidden “skls.exe” process was spawned by “services.exe.”
[Figure 3.3: relational reconstruction of the running processes, drawn from the PTFinder output above. Each node shows the process name, PID, EPROCESS file offset, start time and state (running, or exited with time and exit code, as for savedump.exe 748, exited 18:17:50, code 0). The highlighted node is the hidden skls.exe (PID 0, offset 0x7e26b50, started 18:12:45), a child of services.exe (736) alongside ibmpmsvc.exe 928, svchost.exe 956, 1080, 1228 and 1260, spoolsv.exe 1452 and QCONSVC.EXE 1604; lsass.exe 756, logonui.exe 1852 and dd.exe 1808 also appear.]
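The relational reconstruction of Figure 3.3, as an added example that is not code from the book, PTFinder or Volatility. It builds the parent/child tree from (name, PID, PPid) rows and applies the rule from the text that user processes normally descend from explorer.exe, with a small allowance for core system parentage. The process table is constructed from the listings on this page; the PPid of skls.exe (736, services.exe) and of cmd.exe are assumptions for the example, and EXPECTED_PARENT encodes ordinary Windows XP ancestry as an assumption, not something the page states:

```python
"""Parent/child reconstruction of a process listing with the explorer.exe rule.

Added example, not code from the book, PTFinder or Volatility. PROCS is
constructed from rows on this page; the PPid values marked "assumed" and the
EXPECTED_PARENT map are assumptions made for this example.
"""
from collections import defaultdict

# (name, pid, ppid)
PROCS = [
    ("System", 4, 0),
    ("smss.exe", 592, 4),
    ("csrss.exe", 664, 592),
    ("winlogon.exe", 688, 592),
    ("services.exe", 736, 688),
    ("lsass.exe", 756, 688),
    ("svchost.exe", 956, 736),
    ("svchost.exe", 1080, 736),
    ("spoolsv.exe", 1452, 736),
    ("skls.exe", 0, 736),        # hidden by FUTo: PID zeroed; parent assumed from Figure 3.3
    ("explorer.exe", 412, 388),  # 388 (userinit.exe) has already exited, which is normal
    ("igfxtray.exe", 632, 412),
    ("msmsgs.exe", 976, 412),
    ("wuauclt.exe", 404, 1080),
    ("helix.exe", 1204, 412),
    ("cmd.exe", 372, 1204),      # parent assumed for the example
]

# Assumption: ordinary Windows XP parentage for core system processes.
# None means "no expectation" (the parent is legitimately absent or the root).
EXPECTED_PARENT = {
    "System": None, "smss.exe": "System", "csrss.exe": "smss.exe",
    "winlogon.exe": "smss.exe", "services.exe": "winlogon.exe",
    "lsass.exe": "winlogon.exe", "svchost.exe": "services.exe",
    "spoolsv.exe": "services.exe", "wuauclt.exe": "svchost.exe",
    "explorer.exe": None,
}


def build_tree(procs):
    """Return (nodes, children) keyed by row index, because forged PIDs can collide."""
    nodes = {i: {"name": n, "pid": pid, "ppid": ppid} for i, (n, pid, ppid) in enumerate(procs)}
    by_pid = {}
    for i, node in nodes.items():
        if node["pid"] != 0:                 # PID 0 is never a usable parent key
            by_pid.setdefault(node["pid"], i)
    children = defaultdict(list)
    for i, node in nodes.items():
        # A PPid of 0 means the Idle process (only System has it); treat it as a root.
        parent = by_pid.get(node["ppid"]) if node["ppid"] != 0 else None
        node["parent"] = parent if parent != i else None
        children[node["parent"]].append(i)
    return nodes, children


def ancestors(nodes, i):
    """Names of the ancestors of row i, nearest first; stops on a missing or cyclic parent."""
    chain, seen, p = [], set(), nodes[i]["parent"]
    while p is not None and p not in seen:
        seen.add(p)
        chain.append(nodes[p]["name"])
        p = nodes[p]["parent"]
    return chain


def render(procs):
    """Indented tree, one line per process, roots first in row order."""
    nodes, children = build_tree(procs)
    lines = []

    def walk(i, depth):
        lines.append(f"{'  ' * depth}{nodes[i]['name']} (pid {nodes[i]['pid']})")
        for c in children[i]:
            walk(c, depth + 1)

    for root in children[None]:
        walk(root, 0)
    return lines


def anomalies(procs):
    """(name, reason) pairs: forged PID 0, wrong system parent, or a user process not under explorer.exe."""
    nodes, _ = build_tree(procs)
    findings = []
    for i, node in nodes.items():
        name, parent = node["name"], node["parent"]
        parent_name = nodes[parent]["name"] if parent is not None else None
        if node["pid"] == 0 and name != "Idle":
            findings.append((name, "pid_zero"))
        if name in EXPECTED_PARENT:
            want = EXPECTED_PARENT[name]
            if want is not None and parent_name != want:
                findings.append((name, f"parent {parent_name} != expected {want}"))
        elif "explorer.exe" not in ancestors(nodes, i):
            findings.append((name, f"not under explorer.exe (parent {parent_name})"))
    return findings


if __name__ == "__main__":
    print("\n".join(render(PROCS)))
    for name, reason in anomalies(PROCS):
        print(f"ANOMALY {name}: {reason}")
```

Node identity is the row index rather than the PID, since under FUTo two rows can share PID 0; a PPid of 0 is treated as a root so that a forged PID cannot be mistaken for System's parent. On the table above the only flagged process is skls.exe, for both its zero PID and its services.exe ancestry, while wuauclt.exe under svchost.exe and cmd.exe under helix.exe (and thus under explorer.exe) pass.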