
Memory Analysis

What am I talking about? I am talking about RAM!

Here are some of the things we can get from RAM: processes, network connections, open files, and encryption keys (for example BitLocker keys).

The last one, recovering BitLocker encryption keys, comes from an awesome presentation I read by Jesse Kornblum on how to get the keys for BitLocker. Check it out: http://jessekornblum.com/presentations/omfw08.pdf

There are some great tools for acquiring memory. You can use win32dd.exe, which creates a raw image file and also writes an MD5 hash of the output file it creates.

My personal favorite, though, is Memoryze from Mandiant. You can find it as a free download at http://www.mandiant.com. The cool thing about Memoryze is that you can run its enumeration tools to get process information, the registry keys a process is using, which DLLs are loaded, which drivers are loaded in memory, etc. The great thing is that it can do this either against an image it has acquired or on a live machine.

Here is how it works:

Open a command shell (cmd.exe) and change directories to where you installed Memoryze.

Type "MemoryDD.bat". It will create a directory called audits where it will put your memory image, or,

to write the image to a specific directory, type "MemoryDD.bat -output <directory_name>".

[Screenshot: MemoryDD.bat output]

To identify all open ports and their processes and process IDs, type "Process.bat -ports true".

The output is in XML format:

[Screenshot: Process.bat -ports true XML output]

Notice above that the process forcefield.exe, process ID 900, is making a connection out to IP address 68.142.101.68 on port 80. This is simply a great way to tell what process is doing what (e.g. malware making outbound connections).

Now suppose you wanted to look for rootkits in memory. You can use Mandiant's HookDetection.bat file. This executes RootkitAudit.Batch.xml, which identifies hooks in kernel memory that are often used to subvert the integrity of the system. So below you can see the different modules and how they relate to the kernel or drivers, etc.

[Screenshot: HookDetection.bat output]

Notice above you can see the module that has hooks into the kernel, i.e. 1394BUS.sys, where it is located (windows\system32\drivers) and a description of it: "Driver".

If you had an unknown process with hooks into the kernel, you could find it here.

Now these are all great tools, but what do you do with a memory image after you have it? There are some basic techniques that you can use for analysis. I would start with the "strings" command: run strings memory.img > memory.str. Then you can begin to parse the file for emails, websites surfed to or connected to by malware, passwords, blogged text, and unknown executables.

Once you have your image, you might choose to use a tool called Volatility. This tool simply ROCKS!

Here is how it works using Linux:

python volatility command -f /path_to_windows_memory_image

The keyword command stands for one of a series of commands that you can choose from. Here is the list:

[Screenshot: Volatility command list]

So what can we do with this? Let me show you. First, let's see what processes are running in memory.

First I type the command:

python volatility pslist -f /path_to_image/imagefile.img

and I will see output like this:

[Screenshot: pslist output]

Now you can see the executables running, and the second column shows each one's PID (process ID). So let's say we did not know what jusched.exe (PID 2228) was, thought it might be malware, and wanted to send it to VirusTotal. Well then, let's grab it right out of memory.

python volatility procdump -p 2228 -f /path_to_image/imagefile.img

[Screenshot: procdump output]

Now we have carved that process out. However, to be sure we did this correctly, let's take a look at it using KHexEdit. Since this is supposed to be an .exe file, it should start off in hex with MZ.

So in Linux: khexedit executable.2228.exe

[Screenshot: executable.2228.exe in KHexEdit]

We can see that it is in fact what we are looking for, so we could now send this up to VirusTotal or look deeper into the file to see what it does.
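Eyeballing MZ in a hex editor is the first check; the script below is an added example (mine, not code from the post or from Volatility) that carries the same check a few steps further on a carved file: it follows e_lfanew from the DOS header to the PE signature, reads the COFF header (machine type, section count, DLL flag) and lists the section names, and hashes the file so you have something to look up before uploading. The file name is an assumption, and the sample PE is a constructed minimal header, not a real executable.

```python
import hashlib
import struct
from typing import Any, Dict

DOS_MAGIC = b"MZ"
PE_SIGNATURE = b"PE\x00\x00"
MACHINE_NAMES = {0x014C: "x86", 0x8664: "x64", 0x01C4: "ARM", 0xAA64: "ARM64"}
COFF_HEADER_SIZE = 20
SECTION_HEADER_SIZE = 40
IMAGE_FILE_DLL = 0x2000


def inspect_carved_exe(data: bytes) -> Dict[str, Any]:
    """Walk DOS header -> e_lfanew -> PE signature -> COFF header -> section
    table, recording what validates; stops at the first missing piece so a
    truncated or bogus carve is reported rather than raising."""
    info: Dict[str, Any] = {
        "size": len(data),
        "sha256": hashlib.sha256(data).hexdigest(),
        "dos_magic": data[:2] == DOS_MAGIC,
        "pe_signature": False,
        "section_names": [],
    }
    if not info["dos_magic"] or len(data) < 0x40:
        return info
    # e_lfanew (offset 0x3C) is the file offset of the "PE\0\0" signature.
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    info["e_lfanew"] = e_lfanew
    coff_off = e_lfanew + 4
    if coff_off + COFF_HEADER_SIZE > len(data) or data[e_lfanew:coff_off] != PE_SIGNATURE:
        return info
    info["pe_signature"] = True
    machine, n_sections, timestamp, _symtab, _nsyms, opt_size, chars = struct.unpack_from(
        "<HHIIIHH", data, coff_off)
    info["machine"] = MACHINE_NAMES.get(machine, hex(machine))
    info["sections"] = n_sections
    info["timestamp"] = timestamp
    info["is_dll"] = bool(chars & IMAGE_FILE_DLL)
    # Section headers follow the optional header, whose size is in the COFF header.
    sec_off = coff_off + COFF_HEADER_SIZE + opt_size
    for i in range(n_sections):
        off = sec_off + i * SECTION_HEADER_SIZE
        if off + SECTION_HEADER_SIZE > len(data):
            info["truncated"] = True
            break
        name = data[off:off + 8].rstrip(b"\x00").decode("ascii", "replace")
        info["section_names"].append(name)
    return info


def _build_sample_pe() -> bytes:
    """Constructed minimal PE: MZ stub, e_lfanew=0x40, x86 COFF header with
    an empty optional header, and two section headers. Not a real binary."""
    dos = DOS_MAGIC + b"\x00" * (0x3C - 2) + struct.pack("<I", 0x40)
    coff = struct.pack("<HHIIIHH", 0x014C, 2, 0x4A3B1C2D, 0, 0, 0, 0x0102)
    sections = b""
    for name in (b".text", b".rdata"):
        sections += struct.pack("<8sIIIIIIHHI", name, 0x1000, 0x1000, 0x200, 0x400,
                                0, 0, 0, 0, 0x60000020)
    return dos + PE_SIGNATURE + coff + sections


SAMPLE_PE = _build_sample_pe()

if __name__ == "__main__":
    import sys
    # Assumed usage: python check_carve.py executable.2228.exe
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as fh:
            data = fh.read()
    else:
        data = SAMPLE_PE
    for key, value in inspect_carved_exe(data).items():
        print(f"{key}: {value}")
```

One caveat worth knowing before you look up the hash: a process dumped from memory is laid out as it was mapped (sections at their virtual addresses, imports resolved, possibly unpacked), so its SHA-256 will not match the on-disk file and a hash search on VirusTotal will usually come back empty even for well-known binaries. Upload the carved file itself, or use the hash only to correlate with other memory carves.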

Well, that is it for memory on this post. As always, be good, be safe, hack legally and responsibly, and share the knowledge. I'm out.

Paul Asadoorian

Paul Asadoorian is currently the Principal Security Evangelist for Eclypsium, focused on firmware and supply chain security awareness. Paul's passion for firmware security extends back many years to the WRT54G hacking days and reverse engineering firmware on IoT devices for fun. Paul and his long-time podcast co-host Larry Pesce co-authored the book "WRT54G Ultimate Hacking" in 2007, which fueled the firmware hacking fire even more.

Paul has worked in technology and information security for over 20 years, holding various security and engineering roles in a lottery company, university, ISP, independent penetration tester, and security product companies such as Tenable.
In 2005 Paul founded Security Weekly, a weekly podcast dedicated to hacking and information security. Paul grew Security Weekly into a network of security podcasts spanning multiple topics, such as application security and business. It has been estimated that Paul has conducted over 1,000 interviews with security professionals and hosted more than 1,000 podcast episodes in cybersecurity. In 2020 Security Weekly was acquired by the Cyberrisk Alliance.

Paul is still the host of one of the longest-running security podcasts, Paul's Security Weekly. He enjoys coding in Python, telling everyone he uses Linux as his daily driver, poking at the supply chain, and reading about UEFI and other firmware-related technical topics.
