Hiding Process Memory via Anti-Forensic Techniques

Presented at Black Hat USA 2020 Virtual, Aug. 5, 2020, 10 a.m. (40 minutes).

<p>Nowadays, security practitioners typically use memory acquisition or live forensics to detect and analyze sophisticated malware samples. Subsequently, malware authors began to incorporate anti-forensic techniques that subvert the analysis process by hiding malicious memory areas. Those techniques typically modify characteristics, such as access permissions, or place malicious data near legitimate one, in order to prevent the memory from being identified by analysis tools while still remaining accessible.</p><p>In this talk, we present three novel methods that prevent malicious user space memory from appearing in analysis tools and additionally making the memory inaccessible from a security analysts perspective. Two of these techniques manipulate kernel structures, namely Page Table Entries and the structures responsible for managing user space memory regions (vm_area_struct and VAD strucutes), while the third one utilizes shared memory and hence does not require elevated privileges. As a proof of concept, we implemented all techniques for the Windows and Linux operating systems, and subsequently evaluated these with both, memory forensics and live analysis techniques.</p><p>Furthermore, we discuss and evaluate several approaches to detect our subversion techniques and present several Volatility and Rekall plugins that automate the detection of the hidden memory.</p>

Presenters:

  • Frank Block - Security Researcher, ERNW Research GmbH
    Frank Block is a security researcher working for ERNW Research GmbH with more than 10 years of experience, and an external PhD student at the University of Erlangen-Nuremberg (Department Informatik) with a focus on memory forensics. His main fields of interest are incident analysis and penetration testing. When not involved in customer projects, he enjoys doing research in all kinds of areas and usually presents the results at conferences such as DFRWS USA, Black Hat USA/EU, and Troopers.

Links:

Similar Presentations: