Memory Forensics – Process Analysis Part 1 of 2
In a previous blog (Memory Forensics 101) I talked high level about memory forensics in general and the use of Volatility. In this blog I would like to walk through the various plugins you can use to analyze a memory image acquired from a machine infected with Kovter a fileless malware. There are too many plugins to go through all of them, but I would like to cover ones that will help us identify malicious processes and their various components such as DLLs and handles, network connections past and present, code injection, rootkits and process dumping.
Before we walk through the plugins there are some questions you should start to ask yourself as your analyzing potentially malicious processes. Below is a few sample questions and it not a complete list.
Was the process spawned from the right parent process? Most processes start from specific processes and that usually never changes especially system processes. It’s something you will learn over time, but just remember if a process is started from a different parent process it’s something you should look into a bit deep.
Is the process name accurate? If you go into task manager, you will see many of the same system process names running on all workstations. The bad guys like to run their malicious process in plain site by just changing the name ever so slightly. An example would be svchost (valid name) process running as (bad guy name) scvhost.
What time was the process started? Many system processes start at specific times. Knowing the time a process started will help determine if you need to look deeper into it. If a process like smss.exe which starts seconds after boot time is seen starting an hour after boot time that would be suspicious.
Are the processes arguments right? Some processes use arguments when loading such as svchost.exe. This service usually starts with the arguments -k followed by a parameter for grouping services such as BTsvc among others. Knowing which parameters are valid can help identify a malicious process.
Does the process path look normal? Most if not all processes will start from a specific directory such as %SystemRoot%\system32. If you see a service starting from the temp directory its highly likely its malicious.
Like I said these are just a few questions to ask and there are many more. You may be asking yourself “How am I going to remember all this information?” Well, hold that thought for a bit and we will come back to it. Let’s get into the analysis and reviewing various plugins.
PSLIST - volatility pslist -f memory-image.vmem --profile=Win7SP0x86
First plugin we will look at is PLIST. This is a simple plugin that will display the processes that were running at the time of memory acquisition. These are the same processes you will see if you view them on task manager. They are all linked in the EPROCCESS (PEB). If you remember I talked a bit about this in the Memory Forensics 101 blog. As you can see below the pslist plugin will provide you the offset, service name, process ID, parent process ID and various other tidbits. Below (figure 1) is an example of the output.
You’re not going to see any hidden processes here, but you will be able to look for misspelled services, odd services, start times and making sure the right parent process spawn the process among other things. Nothing looks too out of whack but what is interesting are the two regsvr32.exe processes. One was spawned by parent process ID 428 which I can’t seem to find and the other one is spawned by the other regsvr32.exe. This process is a command-line utility to register and unregister OLE controls, such as DLLs and ActiveX controls in the Windows Registry. (binaries as well) Unless someone is troubleshooting I don’t think we should be seeing this process let alone two of them. Something to dive deeper into.
PSSCAN - volatility psscan -f memory-image.vmem --profile=Win7SP0x86
Now that we looked at the processes running on the system let’s see if there are any hidden ones as well. It’s worth noting the steps or the plugin order you do is really up to the individual. I like to go through a specific routine noting all the interesting observations to investigate. Psscan will enumerate processes by scanning physical memory and not the EPROCCESS block so it’s possible to see unlinked or hidden processes. To determine if any processes are hidden you would need to compare the pslist and psscan output. If something is listed in psscan that is not in pslist it’s possible that process is hidden. Keep in mind there could be false positives such as processes that have exited properly but were still resident in memory. Below (figure 2) is an example of the output.
From figure 2 above you can see the plugin will display the offset, process name, process and parent process ID, location of the process data block, creation and exit time. When using the two plugins you would typically have to put results into a spreadsheet or something and manually compare. It’s a bit humbug, but don’t worry there are other plugins such as pstotal that will do the comparison for you through visualization and psxview.
MALPROCFIND - volatility malprocfind -f memory-image.vmem --profile=Win7SP0x86
This is such a cool plugin. It checks to see if any system processes are masquerading as legitimate ones. It has 13 checks it looks for including many of the questions I had listed in the beginning of this blog. The output below (figure 3) will provide you a true or false for each check. If the check is false it means it failed the check and you might need to look into this a bit further. Again, there can still be false positives.
The plugin will check for the following:
PID = The right parent process ID
Name = Process name is correct (not misspelled)
Path = Process path is correct
Priority = Right priority
Cmdline = Command line parameters are correct
User = Right user (SID)
Session/Time = Correct Session and time started (Most system processes run in session 0)
CMD = Was process spawned from the command line?
Phollow = Does the process show signs of process hollowing? (Will discuss more later)
SPath = Looks for suspicious paths like temp directory
In addition, it will show a count of unusual processes as well as processes with no parent process. An output is shown below in figure 4.
In this output you can see that there are seven processes without parents. No process should ever grow up without a parent except in some cases such as the system service which does not have a parent process or processes that are spawned from an instance of the smss service or userinit that may have existed and it no longer present. Wininit, csrss, winlogon and explorer are good examples of that. This leaves that same parentless process we saw earlier on. Regsrv32 (PID 1316). This just adds more evidence we really need to look into that process. You can see there are others that have failed various checks such as svchost that have failed some parameter checks and other processes that may be hollowed out. These processes should be checked out as well, but in an effort not to make this blog longer than it already is we will focus on the regsvr processes. I will let you now know if you don’t already know that this registry because it can register dlls and such the bad guys will sometimes use it to load their malicious code in an effort to by-pass security monitoring tools such as anti-malware. This can happen as some tools may not be monitoring for code that is loaded by regsrv.exe since it’s a trusted process. With that we will stop for now and continue in our next blog (Part 2) coming soon.