Cross-view Analysis with Volatility

A cross-view analysis compares sets of objects that were enumerated at different API layers or by different techniques. Differences warrant a closer look, though they do not necessarily indicate malicious activity. The Volatility memory analysis framework has offered different enumeration methods, such as list walking and scanning, for quite a while. Comparing their results by hand, however, can be tedious. It is easy, though, to copy and paste some code into a new plugin and let the computer do all the hard work for you.

Let's assume we want to detect active but "hidden" processes. A common technique for hiding a process is to unlink its process object from the kernel's linked list of active processes. Higher layers of the Windows API rely on this list, e.g. the Windows Task Manager. Volatility's pslist function also walks this list and displays its members.

The psscan and the faster psscan2 functions don't depend on that list; instead they scan the whole memory image for signatures of process objects. In a first step we filter out all scanned process objects that are active and not hidden, i.e. those that also appear in the pslist output. From the remaining objects we then filter out all that have been terminated but still exist somewhere in memory (typically recognizable by a recorded exit time).

What remains are process objects that are active but do not appear on the list of active processes, which is suspicious. The filtering could be done by hand, but it's much easier to let the computer do the work. I merged the sources of pslist and psscan2 into one file and edited them a little to do the filtering. Here's an example of how the new plugin reports a suspicious process:

$ volatility psxview -f futo.dd 
KVA        PID    PPID   CR3        File
0xffaf6850 408    388    0x00cba000 nc.exe 

For this example I hid an instance of netcat by means of the FUto rootkit. Do you want to reveal the rootkit's kernel module as well?

The same technique (list walking vs. scanning) can be applied to kernel modules. For this, I combined the modules and modscan2 functions:

$ volatility modxview -f futo.dd 
KVA        Base       Size     Module               File
0x81174688 0xfc3b6000 0x010000 msdirectx.sys        \??\C:\FUto\msdirectx.sys
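The filtering behind psxview and modxview, as an added example that is not code from the original post or from Volatility: it re-implements the "scanned minus list-walked minus terminated" logic in plain Python over constructed records and does not call the Volatility API. Only the addresses of nc.exe and msdirectx.sys are taken from the output above; every other value, and the exit_time field that stands in for the exit time a pool scanner can read from a process object, is an assumption made for the example.

```python
"""Cross-view comparison of list-walked vs. scanned kernel objects.

Added example, not code from the original post or from Volatility: it
re-implements the filtering the post describes in plain Python over
constructed records and does not call the Volatility API. Field names
mirror the psxview/modxview columns; exit_time stands in for the
"time exited" value a pool scanner can read from a process object
(an assumption about the record layout, not a Volatility structure).
"""
from collections import namedtuple

Proc = namedtuple("Proc", "kva pid ppid cr3 name exit_time")
Mod = namedtuple("Mod", "kva base size name path")

# Constructed sample data modelled on the futo.dd output in the post.
# Only nc.exe and msdirectx.sys carry the addresses printed there; every
# other value is made up for the example.

# View 1: list walk (pslist / modules). Unlinked objects never show up here.
PSLIST = [
    Proc(0xff9b3020, 4, 0, 0x00039000, "System", None),
    Proc(0xffb0e5a0, 388, 4, 0x03fd4000, "cmd.exe", None),
    Proc(0xff9c7da0, 1024, 388, 0x08a2c000, "notepad.exe", None),
]
MODULES = [
    Mod(0x8055ab20, 0x804d7000, 0x1f8580, "ntoskrnl.exe", r"\WINDOWS\system32\ntoskrnl.exe"),
    Mod(0x8055aa08, 0x806d0000, 0x020300, "hal.dll", r"\WINDOWS\system32\hal.dll"),
]

# View 2: pool scan (psscan2 / modscan2). Finds every block that still
# looks like the object, including unlinked and already terminated ones.
PSSCAN2 = PSLIST + [
    Proc(0xffaf6850, 408, 388, 0x00cba000, "nc.exe", None),                     # unlinked by FUto
    Proc(0xff8e1020, 1204, 388, 0x0a1f3000, "calc.exe", "2008-06-14 11:02:17"),  # exited, block not yet reused
]
MODSCAN2 = MODULES + [
    Mod(0x81174688, 0xfc3b6000, 0x010000, "msdirectx.sys", r"\??\C:\FUto\msdirectx.sys"),
]


def cross_view(walked, scanned, key=lambda o: o.kva, stale=lambda o: False):
    """Return scanned objects the list walk missed, minus stale ones.

    Step 1: drop every scanned object that the walk also reached (matched
            by object address, so PID reuse cannot cause a false match).
    Step 2: drop objects flagged as stale, e.g. terminated processes
            whose object still lingers in freed pool memory.
    Whatever is left is live but unreachable through the list: suspicious.
    """
    seen = {key(o) for o in walked}
    return [o for o in scanned if key(o) not in seen and not stale(o)]


def hidden_processes():
    """psxview: active processes that pslist cannot see."""
    return cross_view(PSLIST, PSSCAN2, stale=lambda p: p.exit_time is not None)


def hidden_modules():
    """modxview: loaded modules that the module list does not reach.

    The post describes no second filter for modules, so none is applied.
    """
    return cross_view(MODULES, MODSCAN2)


if __name__ == "__main__":
    print("KVA        PID    PPID   CR3        File")
    for p in hidden_processes():
        print(f"0x{p.kva:08x} {p.pid:<6} {p.ppid:<6} 0x{p.cr3:08x} {p.name}")
    print("KVA        Base       Size     Module               File")
    for m in hidden_modules():
        print(f"0x{m.kva:08x} 0x{m.base:08x} 0x{m.size:06x} {m.name:<20} {m.path}")
```

Keying on the object's kernel address rather than on the PID matters: PIDs are reused, and a terminated process whose EPROCESS block still sits in freed pool can share a PID with a live one, which would otherwise mask a hidden process. The stale predicate is deliberately a parameter, because what counts as "no longer live" differs per object type.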

Please note that there are many more ways to hide objects. Also, there are complex interrelationships between kernel objects which provide many different views for cross-view analysis. These plugins are just a small and limited demonstration of the concept. For real-world use I suggest enumerating all kinds of objects, analyzing their object headers and interrelationships, and storing this information in a relational database. Jamie Levy recently posted a great article that may help you get started. The whole process can be automated and may then run unattended overnight. You may also build a data warehouse of clean reference images or monitor how a certain system changes over time.

Finally, use the power of a query language, e.g. the set operators in SQL, to unveil unexpected differences. You may also employ specialized software for visualizing and exploring large data sets.
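The relational approach sketched above, as an added example that is not code from the original post: the enumeration rows are constructed in place of real Volatility output, and the table layout (one row per object, per enumeration method, per memory image) as well as the imaginary reference image "clean.dd" are assumptions. SQL EXCEPT then does the comparison that psxview and modxview do procedurally, and the same store supports a second kind of cross view, suspect image against reference image.

```python
"""Cross-view analysis with SQL set operators over a store of enumerated objects.

Added example, not code from the original post: the rows below are
constructed in place of real Volatility output, and the table layout is
an assumption. Each row records one object as reached by one enumeration
method ("view") in one memory image, so EXCEPT does the comparison work
that psxview/modxview do procedurally, and the same store can hold a
clean reference image for a second kind of comparison.
"""
import sqlite3

SCHEMA = """
CREATE TABLE objects (
    image  TEXT    NOT NULL,  -- memory image the row was taken from
    kind   TEXT    NOT NULL,  -- 'process', 'module', ...
    view   TEXT    NOT NULL,  -- 'walk' (linked list) or 'scan' (pool scan)
    kva    INTEGER NOT NULL,  -- object address: identity within one image
    name   TEXT    NOT NULL,
    exited INTEGER NOT NULL   -- 1 if the scanner saw an exit time (terminated)
);
"""


def _both_views(image, kind, kva, name):
    """An object that both the list walk and the scan reached, i.e. not hidden."""
    return [(image, kind, v, kva, name, 0) for v in ("walk", "scan")]


# Constructed rows. Only the addresses of nc.exe and msdirectx.sys come
# from the post; "clean.dd" is an imaginary reference image.
ROWS = (
    _both_views("futo.dd", "process", 0xff9b3020, "System")
    + _both_views("futo.dd", "process", 0xffb0e5a0, "cmd.exe")
    + _both_views("futo.dd", "process", 0xff9c7da0, "notepad.exe")
    + _both_views("futo.dd", "module", 0x8055ab20, "ntoskrnl.exe")
    + _both_views("futo.dd", "module", 0x8055aa08, "hal.dll")
    + [
        ("futo.dd", "process", "scan", 0xffaf6850, "nc.exe", 0),        # unlinked, live
        ("futo.dd", "process", "scan", 0xff8e1020, "calc.exe", 1),      # terminated leftover
        ("futo.dd", "module", "scan", 0x81174688, "msdirectx.sys", 0),  # unlinked driver
    ]
    + _both_views("clean.dd", "process", 0xff9b3020, "System")
    + _both_views("clean.dd", "process", 0xffb1c020, "cmd.exe")
    + _both_views("clean.dd", "process", 0xff9a0da0, "notepad.exe")
    + _both_views("clean.dd", "process", 0xff8f2020, "calc.exe")
    + _both_views("clean.dd", "module", 0x8055ab20, "ntoskrnl.exe")
    + _both_views("clean.dd", "module", 0x8055aa08, "hal.dll")
)


def build_db():
    """Load the constructed enumeration results into an in-memory SQLite database."""
    con = sqlite3.connect(":memory:")
    con.executescript(SCHEMA)
    con.executemany("INSERT INTO objects VALUES (?, ?, ?, ?, ?, ?)", ROWS)
    return con


# Scanned, live objects minus list-walked ones: the psxview/modxview logic,
# applied to every object kind in the store at once.
HIDDEN_SQL = """
SELECT kind, kva, name FROM objects WHERE image = ? AND view = 'scan' AND exited = 0
EXCEPT
SELECT kind, kva, name FROM objects WHERE image = ? AND view = 'walk'
ORDER BY kind, name
"""

# Objects present in the suspect image under any view but never seen in the
# reference image (compared by name, since addresses differ between images).
NOT_IN_REFERENCE_SQL = """
SELECT DISTINCT kind, name FROM objects WHERE image = ?
EXCEPT
SELECT DISTINCT kind, name FROM objects WHERE image = ?
ORDER BY kind, name
"""


def hidden_objects(con, image):
    """Live objects the scan found that the list walk did not reach."""
    return con.execute(HIDDEN_SQL, (image, image)).fetchall()


def not_in_reference(con, suspect, reference):
    """Objects (by kind and name) seen in the suspect image but not in the reference."""
    return con.execute(NOT_IN_REFERENCE_SQL, (suspect, reference)).fetchall()


if __name__ == "__main__":
    con = build_db()
    for kind, kva, name in hidden_objects(con, "futo.dd"):
        print(f"hidden {kind:8} 0x{kva:08x} {name}")
    for kind, name in not_in_reference(con, "futo.dd", "clean.dd"):
        print(f"not in reference: {kind} {name}")
```

Once every enumeration method writes into the same table, adding a new view (threads, handles, VADs) is a matter of inserting rows with another view name; the EXCEPT query does not change. The reference comparison is intentionally looser than the per-image one, because object addresses are only stable within a single image.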

Imprint

This blog is a project of:
Andreas Schuster
Im Äuelchen 45
D-53177 Bonn
impressum@forensikblog.de

Copyright © 2005-2012 by
Andreas Schuster
All rights reserved.