logo

Hiding Process Memory via Anti-Forensic Techniques

Conference:  BlackHat USA 2020

2020-08-05

Summary

The presentation introduces three novel subversion techniques that can hide memory from memory and live forensics on Windows and Linux. The speaker also discusses the evaluation of their detection approaches and the limitations and future work of their research.
  • Introduced three novel subversion techniques that can hide memory from memory and live forensics on Windows and Linux
  • Released proof of concept implementations for both operating systems that implement their subversion techniques and plugins
  • Evaluated their detection approaches and discussed limitations and future work
  • Encountered false positives in their test environment, especially for Linux
  • Plan to optimize their detection approaches and have a closer look at different ways for mapping shared memory
The speaker mentioned that they encountered quite a few false positives in their test environment, especially for Linux. For example, they had quite some false positives with the Firefox browser and the systemd journal process. They are planning to optimize their detection approaches in the future to improve the output.

Abstract

Nowadays, security practitioners typically use memory acquisition or live forensics to detect and analyze sophisticated malware samples. Subsequently, malware authors began to incorporate anti-forensic techniques that subvert the analysis process by hiding malicious memory areas. Those techniques typically modify characteristics, such as access permissions, or place malicious data near legitimate one, in order to prevent the memory from being identified by analysis tools while still remaining accessible.In this talk, we present three novel methods that prevent malicious user space memory from appearing in analysis tools and additionally making the memory inaccessible from a security analysts perspective. Two of these techniques manipulate kernel structures, namely Page Table Entries and the structures responsible for managing user space memory regions (vm_area_struct and VAD strucutes), while the third one utilizes shared memory and hence does not require elevated privileges. As a proof of concept, we implemented all techniques for the Windows and Linux operating systems, and subsequently evaluated these with both, memory forensics and live analysis techniques.Furthermore, we discuss and evaluate several approaches to detect our subversion techniques and present several Volatility and Rekall plugins that automate the detection of the hidden memory.

Materials:

Tags: