Detecting (un)Intentionally Hidden Injected Code by Examining Page Table Entries

Conference:  BlackHat EU 2019



Malware utilizes code injection techniques to either manipulate other processes (e.g. done by banking trojans) or hide its existence. With some exceptions, such as ROP gadgets, the injected code needs to be executable by the CPU (at least at some point in time).In this talk, we will cover hiding techniques that prevent executable pages (containing injected code) from being reported by current memory forensic plugins. These techniques can either be implemented by malware in order to hide its injected code (as already observed) or can, in one case, unintentionally be taken care of by the operating system through its paging mechanism. In a second step, we present an approach to reveal such pages despite the mentioned hiding techniques by examining Page Table Entries. This approach has been implemented as a plugin for the memory forensic framework Rekall, which automatically reports any memory region containing executable pages.The talk will also contain several live demonstrations, showing the successful hiding from current memory forensic plugins and the detection with our plugin.