Memfini - A systemwide memory monitor interface for linux

Presented at DEF CON 30 (2022), Aug. 13, 2022, 10 a.m. (115 minutes)

Surprisingly, memory related events logging has been ignored by monitoring tool’s authors since a long time. There are multiple event loggers present for Linux that are capable of monitoring processes, i/o operations, function calls or whole systemwide events. But something which lacks in most is global monitoring of memory related events like allocation, attachment to a shared memory, memory allocation in foreign process etc. This has many applications in security domain or even software engineering in general. The main area of focus or use case for Memfini is to assist Security professionals for carrying out memory specific Dynamic Malware Analysis, in order to help them in finding indicators for malicious activities without reversing the behavior. Below listed are few of the use cases (which we will also be demonstrating in the talk). • Process Injection • Fileless malware execution • Shellcode Execution • Malicious shared memory usage On the other hand, it can also be helpful for Software developers, who wish to have an eagle eye on the memory allocations • Finding Memory Leaks • Error detection for debugging purposes. The is possible as Memfini is capable of monitoring memory allocations on User space, Kernel space as well as some under looked allocations like PCI device mapping, DMA allocations etc. It provides a command line interface with multiple filters, allowing a user to interact with the logs generated & get the required data. Currently, the user will be able to filter the events by individual process, type of access etc. Audience: Defensive security(Malware researcher, IR/Forensics) and Offensive security(memory based vulnerability discovery)

Presenters:

• Rishal Dwivedi
  Rishal is a Security Researcher at Microsoft where he works for Microsoft's defender product. His expertise lies in Offensive security which includes vulnerability discovery and exploitation, owning multiple CVE's. Prior to joining Microsoft, Rishal was a Sr. Security researcher at company where he contributed to their Web Application Security product. Rishal gained fame in bug bounty at an early age of 13 years. After contributing to Application Security for multiple years, he went on to explore other domains of security including IOT security and Malware Analysis.
• Shubham Dubey
  Shubham is a Security Researcher 2 at Microsoft where he works for Microsoft’s defender product. His expertise lies in low level security and internals which includes reverse engineering, exploitation and firmware security. Prior to joining Microsoft, Shubham was Security researcher at Antivirus company working in exploit prevention team where he contributed to protect customers from 0days and vulnerabilities in the wild. Shubham has worked on multiple independent project on kernel level and firmware security. He own a security blog nixhacker.com where you will find lots of content on low level security and internals.

Similar Presentations:

• REcon 2016 / Monitoring & controlling kernel-mode events by HyperPlatform
• Black Hat USA 2020 Virtual / Hiding Process Memory via Anti-Forensic Techniques
• DEF CON 30 (2022) / Master Class: Delivering a New Construct in Advanced Volatile Memory Analysis for Fun and Profit Workshop