-
-
[原创]从内存取证角度检测shellcode
-
发表于: 2021-9-19 18:56
-
内存取证技术是计算机取证技术的分支,是指从计算机物理内存和页面交换文件中查找、提取、分析易失性证据,方法是通过硬件接口、软件获取、虚拟机快照等方式获取内存转储文件,将其保存到非易失性存储器中,使用专用软件(如Volatility Framework或Rekall等)进行分析。
内存镜像获取的方式有很多种,不同情况下应采取不同的方法,具体内存获取方式决策树如下图所示:
如果目标操作系统是虚拟机,可以使用虚拟机挂起功能将运行的虚拟机挂起。
然后在对应的目录中能够找到一个扩展名为.vmem的文件,这个文件中包含了虚拟机全部的物理内存数据和其他配置信息。
另外,也可以通过软件的方式获取,这里推荐使用DumpIt这个软件,在目标系统安装好后双击运行,按y + 回车,等待一会显示dump成功后,就能够在其所在的目录中找到一个扩展名为.raw的文件:
目前笔者常用的获取内存转储的方式是这两种,其他方式有兴趣可以去了解一下,详细参考《The Art of Memory Forensics》一书。
目前主流的分析内存镜像的方法是使用Volatility内存取证框架分析。
Volatility Framework是一款基于GNU协议开发的开源内存取证框架,使用python语言编写,支持32位或64位的Windows、Linux、Mac OS、Android的大多数版本操作系统,其最大的亮点在于框架的可扩展性,取证人员可通过框架提供的基础功能接口编写自己的插件,从不同的角度分析内存中的数据,以满足不同的取证需求。
目前volatility常用的插件有:
还有许多插件实现了不同的功能,这里不一一运行了,这里给出volatility中的全部插件列表及其功能:
shellcode注入是一种进程注入技术,其主要过程如下:
利用OpenProcess()附加到被害进程
使用VirtualAllocEx()在被害进程中分配内存,这里一定要以可执行权限分配,不然会由于DEP保护,使得注入的代码无法执行
使用WriteProcessMemory()函数在分配的内存中写入shellcode
使用CreateRemoteThread()将程序执行流控制到shellcode的起始地址(执行shellcode)
shellcode成功注入并执行后,受害进程中会存在具有可执行权限保护的页面,那么页面对应的pte的NX位应置为0。而正常进程中几乎不可能利用分配的内存去执行恶意代码,也就是说一般情况下分配的内存不会出现可执行权限,利用这一特点,能够检测进程地址空间是否有shellcode。
检测思路如下:
首先将进程的用户地址空间区分为映射文件区和非映射文件区,映射文件区主要包括进程的加载可执行文件和模块,如exe文件、dll文件、nls文件等;非映射文件区主要包括内存中的堆栈等缓冲区,这些内存区几乎不会分配可执行权限的页面。这样做的目的是由于内存中的映射文件本身具有可执行的页面,需要将这些排除在外,防止产生误报。
获取全部非映射文件区的页面的pte
检查这些pte的NX位
若存在NX为0的页面,说明这个页面可能是被注入的页面
输出被注入的页面地址及其内容
使用kali生成shellcode:
此处生成的是一个弹出对话框的shellcode。
编译运行这段代码:
运行后输入一个想要注入的进程ID,这里选择taskhostw.exe这个进程
输入任务管理器的PID后显示成功注入并执行了shellcode。
首先执行完shellcode后获取内存转储,这里使用DumpIt获取内存转储,然后使用自己编写的volatility插件检测恶意代码。
检测shellcode插件的源码放在了我的github中,插件中的关键代码如下:
此处函数用于提取全部具有可执行权限的页面
此处函数用于提取非映射文件区的可执行页面
运行后查看结果:
能够看到插件共检测出两个可疑页面,地址分别是:0x28f07b90000和0x7fffa2581000
使用volshell查看这地址的内容:
可以看到0x28f07b90000这部分正是shellcode的内容。至此成功检测出被注入shellcode的页面。
思路:由于插件的检测方式依赖于PTE的NX位,在执行完shellcode后可通过VirtualProtect()函数将其可执行权限设置为不可执行,此时插件是无法检测到的。
《The Art of Memory Forensics》
amcache Print AmCache information
apihooks Detect API hooks in process and kernel memory
atoms Print session and window station atom tables
atomscan Pool scanner for atom tables
auditpol Prints out the Audit Policies from HKLM\SECURITY\Policy\PolAdtEv
bigpools Dump the big page pools using BigPagePoolScannerbioskbd Reads the keyboard buffer from Real Mode memory
cachedump Dumps cached domain hashes from memory
callbacks Print system-wide notification routines
clipboard Extract the contents of the windows clipboardcmdline Display process command-line arguments
cmdscan Extract command history by scanning for _COMMAND_HISTORY
consoles Extract command history by scanning for _CONSOLE_INFORMATION
crashinfo Dump crash-dump information
deskscan Poolscaner for tagDESKTOP (desktops)
devicetree Show device treedlldump Dump DLLs from a process address space
dlllist Print list of loaded dlls for each process
driverirp Driver IRP hook detectiondrivermodule Associate driver objects to kernel modulesdriverscan Pool scanner for driver objects
dumpcerts Dump RSA private and public SSL keys
dumpfiles Extract memory mapped and cached files
dumpregistry Dumps registry files out to disk editbox Displays information about Edit controls. (Listbox experimental.)envars Display process environment variableseventhooks Print details on windows event hooks
filescan Pool scanner for file objects
gahti Dump the USER handle type information
getservicesids Get the names of services in the Registry and return Calculated SID
getsids Print the SIDs owning each process
handles Print list of open handles for each process
hashdump Dumps passwords hashes (LM/NTLM) from memory
hibinfo Dump hibernation file information
hivedump Prints out a hivehivelist Print list of registry hives.
hivescan Pool scanner for registry hives
hpakextract Extract physical memory from an HPAK file
hpakinfo Info on an HPAK file
iehistory Reconstruct Internet Explorer cache / history
imagecopy Copies a physical address space out as a raw DD imageimageinfo Identify information for the image
impscan Scan for calls to imported functions
joblinks Print process job link information
kdbgscan Search for and dump potential KDBG values
kpcrscan Search for and dump potential KPCR values
ldrmodules Detect unlinked DLLslsadump Dump (decrypted) LSA secrets from the registry
machoinfo Dump Mach-O file format information
malfind Find hidden and injected code
malfindplus Find the injected codembrparser Scans for and parses potential Master Boot Records (MBRs)
memdump Dump the addressable memory for a process
memmap Print the memory map
messagehooks List desktop and thread window message hooks
mftparser Scans for and parses potential MFT entries
moddump Dump a kernel driver to an executable file sample
modscan Pool scanner for kernel modules
modules Print list of loaded modules
multiscan Scan for various objects at once
mutantscan Pool scanner for mutex objects
netscan Scan a Vista (or later) image for connections and sockets
objtypescan Scan for Windows object type objects
patcher Patches memory based on page scanspoolpeek Configurable pool scanner pluginpooltracker Show a summary of pool tag usageprintkey Print a registry key, and its subkeys and values
privs Display process privilegesprocdump Dump a process to an executable file sample
pslist Print all running processes by following the EPROCESS lists
psscan Pool scanner for process objects
pstree Print process list as a tree
psxview Find hidden processes with various process listingsqemuinfo Dump Qemu informationraw2dmp Converts a physical memory sample to a windbg crash dumpscreenshot Save a pseudo-screenshot based on GDI windows
sessions List details on _MM_SESSION_SPACE (user logon sessions)
shellbags Prints ShellBags infoshimcache Parses the Application Compatibility Shim Cache registry keyshutdowntime Print ShutdownTime of machine from registry
ssdt Display SSDT entriesstrings Match physical offsets to virtual addresses (may take a while, VERY verbose)
svcscan Scan for Windows services
symlinkscan Pool scanner for symlink objects
thrdscan Pool scanner for thread objects
threads Investigate _ETHREAD and _KTHREADs
timeliner Creates a timeline from various artifacts in memory
timers Print kernel timers and associated module DPCs
truecryptmaster Recover TrueCrypt 7.1a Master Keys
truecryptpassphrase TrueCrypt Cached Passphrase Findertruecryptsummary TrueCrypt Summaryunloadedmodules Print list of unloaded modules
userassist Print userassist registry keys and information
userhandles Dump the USER handle tablesvaddump Dumps out the vad sections to a file
vadinfo Dump the VAD infovadtree Walk the VAD tree and display in tree format
vadwalk Walk the VAD treevboxinfo Dump virtualbox informationverinfo Prints out the version information from PE images
vmwareinfo Dump VMware VMSS/VMSN information
volshell Shell in the memory image
win10cookie Find the ObHeaderCookie value for Windows 10
windows Print Desktop Windows (verbose details)
wintree Print Z-Order Desktop Windows Tree
wndscan Pool scanner for window stations
yarascan Scan process or kernel memory with Yara signatures
amcache Print AmCache information
apihooks Detect API hooks in process and kernel memory
atoms Print session and window station atom tables
atomscan Pool scanner for atom tables
auditpol Prints out the Audit Policies from HKLM\SECURITY\Policy\PolAdtEv
bigpools Dump the big page pools using BigPagePoolScannerbioskbd Reads the keyboard buffer from Real Mode memory
cachedump Dumps cached domain hashes from memory
callbacks Print system-wide notification routines
clipboard Extract the contents of the windows clipboardcmdline Display process command-line arguments
cmdscan Extract command history by scanning for _COMMAND_HISTORY
consoles Extract command history by scanning for _CONSOLE_INFORMATION
crashinfo Dump crash-dump information
deskscan Poolscaner for tagDESKTOP (desktops)
devicetree Show device treedlldump Dump DLLs from a process address space
dlllist Print list of loaded dlls for each process
driverirp Driver IRP hook detectiondrivermodule Associate driver objects to kernel modulesdriverscan Pool scanner for driver objects
dumpcerts Dump RSA private and public SSL keys
dumpfiles Extract memory mapped and cached files
dumpregistry Dumps registry files out to disk editbox Displays information about Edit controls. (Listbox experimental.)envars Display process environment variableseventhooks Print details on windows event hooks
filescan Pool scanner for file objects
gahti Dump the USER handle type information
getservicesids Get the names of services in the Registry and return Calculated SID
getsids Print the SIDs owning each process
handles Print list of open handles for each process
hashdump Dumps passwords hashes (LM/NTLM) from memory
hibinfo Dump hibernation file information
hivedump Prints out a hivehivelist Print list of registry hives.
hivescan Pool scanner for registry hives
hpakextract Extract physical memory from an HPAK file
hpakinfo Info on an HPAK file
iehistory Reconstruct Internet Explorer cache / history
imagecopy Copies a physical address space out as a raw DD imageimageinfo Identify information for the image
impscan Scan for calls to imported functions
joblinks Print process job link information
kdbgscan Search for and dump potential KDBG values
kpcrscan Search for and dump potential KPCR values
ldrmodules Detect unlinked DLLslsadump Dump (decrypted) LSA secrets from the registry
machoinfo Dump Mach-O file format information
malfind Find hidden and injected code
malfindplus Find the injected codembrparser Scans for and parses potential Master Boot Records (MBRs)
memdump Dump the addressable memory for a process
memmap Print the memory map
messagehooks List desktop and thread window message hooks
mftparser Scans for and parses potential MFT entries
moddump Dump a kernel driver to an executable file sample
modscan Pool scanner for kernel modules
modules Print list of loaded modules
multiscan Scan for various objects at once
mutantscan Pool scanner for mutex objects
netscan Scan a Vista (or later) image for connections and sockets
objtypescan Scan for Windows object type objects
patcher Patches memory based on page scanspoolpeek Configurable pool scanner pluginpooltracker Show a summary of pool tag usageprintkey Print a registry key, and its subkeys and values
privs Display process privilegesprocdump Dump a process to an executable file sample
pslist Print all running processes by following the EPROCESS lists
psscan Pool scanner for process objects
pstree Print process list as a tree
psxview Find hidden processes with various process listingsqemuinfo Dump Qemu informationraw2dmp Converts a physical memory sample to a windbg crash dumpscreenshot Save a pseudo-screenshot based on GDI windows
sessions List details on _MM_SESSION_SPACE (user logon sessions)
shellbags Prints ShellBags infoshimcache Parses the Application Compatibility Shim Cache registry keyshutdowntime Print ShutdownTime of machine from registry
ssdt Display SSDT entriesstrings Match physical offsets to virtual addresses (may take a while, VERY verbose)
svcscan Scan for Windows services
symlinkscan Pool scanner for symlink objects
thrdscan Pool scanner for thread objects
threads Investigate _ETHREAD and _KTHREADs
[招生]科锐逆向工程师培训(2024年11月15日实地,远程教学同时开班, 第51期)
|
|
|---|---|
|
|
|
|
|
|
|
|
你说的方法确实是一种反取证方式,清除掉了shellcode,但是你做的这一系列清除痕迹的操作还是会留下记录,还会有反反取证的方式去检测这种操作,就像是法医学中的罗卡定律,任何犯罪必然会留下痕迹。取证与反取证就是在相互颠覆、此消彼长的过程,学习这个过程本身我觉得就是有意义的 |
|
|
|
|
|
|
|
|
|
|
|
|
