
OpenRCE Article Comments: Memoryze Memory Forensics Tool

Article Abstract

The goal of this article is to demonstrate how simple malware analysis can be using Memoryze and some good old-fashioned common sense. Readers should have some knowledge of how malware works and be somewhat familiar with Memoryze. A good place to familiarize yourself with Memoryze is the user guide included in the installer.

Memoryze is designed to aid memory analysis in incident response scenarios. However, it has many useful features that can be applied to malware analysis. Memoryze is special in that it does not rely on API calls. Instead, Memoryze parses the operating system's internal structures to determine for itself what the operating system and its running processes and drivers are doing.
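The following is an added illustration of the principle just described; it is not Memoryze code and does not come from the article. Rather than trusting what the running OS reports, it parses a raw memory image directly: it walks a kernel-style doubly-linked process list (the view that API-based enumeration ultimately reflects), separately carves the whole image for process-object signatures, and diffs the two views to expose an object that a rootkit unlinked from the list. The object layout, addresses, image contents and process names are all constructed for the example; the layout is not the Windows EPROCESS layout, and the "Proc" marker stands in for a pool-tag style signature.

```python
import struct

# Constructed toy "process object" layout (little-endian, 32-bit fields).
# NOT the Windows EPROCESS layout; it exists only for this illustration.
#   +0x00 magic  4 bytes  b"Proc", stand-in for a pool-tag style signature
#   +0x04 flink  4 bytes  VA of the next object's list entry (its +0x04)
#   +0x08 blink  4 bytes  VA of the previous object's list entry
#   +0x0C pid    4 bytes
#   +0x10 name  16 bytes  NUL-padded ASCII
OBJ_SIZE = 0x20
LIST_OFF = 0x04               # where the LIST_ENTRY sits inside an object
MAGIC = b"Proc"
IMAGE_BASE = 0x80000000       # virtual address that image offset 0 maps to
IMAGE_SIZE = 0x1000
HEAD_VA = IMAGE_BASE + 0x100  # a bare LIST_ENTRY acting as the list head

def in_image(va):
    return IMAGE_BASE <= va < IMAGE_BASE + IMAGE_SIZE

def va_to_off(va):
    if not in_image(va):
        raise ValueError("address 0x%08x is outside the image" % va)
    return va - IMAGE_BASE

def read_u32(img, va):
    return struct.unpack_from("<I", img, va_to_off(va))[0]

def write_u32(img, va, value):
    struct.pack_into("<I", img, va_to_off(va), value)

def link(img, prev_entry, next_entry):
    # prev.flink = next and next.blink = prev (both are LIST_ENTRY VAs)
    write_u32(img, prev_entry, next_entry)
    write_u32(img, next_entry + 4, prev_entry)

def write_object(img, va, pid, name):
    off = va_to_off(va)
    img[off:off + 4] = MAGIC
    struct.pack_into("<I", img, off + 0x0C, pid)
    img[off + 0x10:off + OBJ_SIZE] = name.encode("ascii").ljust(16, b"\0")

def build_image():
    """Constructed sample image: four processes, then one unlinked DKOM-style."""
    img = bytearray(IMAGE_SIZE)
    objs = [(0x200, 4, "System"), (0x300, 100, "explorer.exe"),
            (0x400, 666, "rootkit.exe"), (0x500, 200, "notepad.exe")]
    for off, pid, name in objs:
        write_object(img, IMAGE_BASE + off, pid, name)
    entries = [HEAD_VA] + [IMAGE_BASE + off + LIST_OFF for off, _, _ in objs]
    for prev_entry, next_entry in zip(entries, entries[1:] + entries[:1]):
        link(img, prev_entry, next_entry)
    # Unlink pid 666 the way a rootkit does: its neighbours now skip it, but
    # the object itself (with its own, now stale, pointers) stays in memory.
    link(img, IMAGE_BASE + 0x300 + LIST_OFF, IMAGE_BASE + 0x500 + LIST_OFF)
    img[0x700:0x704] = MAGIC  # stray signature bytes inside unrelated data
    return img

def parse_object(img, va):
    off = va_to_off(va)
    if img[off:off + 4] != MAGIC:
        return None
    flink, blink, pid = struct.unpack_from("<III", img, off + 4)
    raw_name = img[off + 0x10:off + OBJ_SIZE].split(b"\0", 1)[0]
    return {"va": va, "flink": flink, "blink": blink, "pid": pid,
            "name": raw_name.decode("ascii", "replace")}

def walk_list(img, head_va=HEAD_VA):
    """List view: follow flink from the head, as the OS's own enumeration does."""
    procs, seen = [], set()
    entry = read_u32(img, head_va)  # head.flink
    while entry != head_va:
        if entry in seen:           # guard: a corrupted list must not loop forever
            raise RuntimeError("cycle in list at 0x%08x" % entry)
        seen.add(entry)
        obj = parse_object(img, entry - LIST_OFF)
        if obj is None:
            raise RuntimeError("entry 0x%08x is not inside an object" % entry)
        procs.append(obj)
        entry = obj["flink"]
    return procs

def scan_objects(img):
    """Carving view: every object signature in the image, linked or not."""
    found = []
    for off in range(0, IMAGE_SIZE - OBJ_SIZE + 1, 4):
        obj = parse_object(img, IMAGE_BASE + off)
        # Plausibility check: both list pointers must land inside the image,
        # which discards signature bytes that merely occur in unrelated data.
        if obj and in_image(obj["flink"]) and in_image(obj["blink"]):
            found.append(obj)
    return found

def hidden_processes(img, head_va=HEAD_VA):
    """Objects present in memory but missing from the linked list."""
    linked = {p["pid"] for p in walk_list(img, head_va)}
    return [p for p in scan_objects(img) if p["pid"] not in linked]

if __name__ == "__main__":
    image = build_image()
    for p in hidden_processes(image):
        print("hidden process: pid %d name %s at 0x%08x" % (p["pid"], p["name"], p["va"]))
```

Two checks in the block are the ones that matter on a real image: the walk keeps a set of visited entries so a list that a rootkit or a bad acquisition has corrupted cannot spin forever, and the scanner only accepts a signature hit whose list pointers point back into the image, since signature bytes also turn up in file caches and data buffers. The diff of the two views is the result; a process that only the scan finds is the thing to look at next.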


Article Comments
k05tya Posted: Thursday, November 27 2008 18:11.59 CST
Peter, thank you for Memoryze, AuditViewer and the article! Nice tools and article. All is cool except the AllAudits file. ;)

peter Posted: Thursday, November 27 2008 18:51.41 CST
Thanks for pointing that out. I've fixed it.

naggingmachine Posted: Wednesday, December 10 2008 20:20.59 CST
Thanks for your cool article.

echephron Posted: Friday, December 12 2008 18:00.09 CST
Peter, excellent work. I am having one issue, though. Using the AllAudits or even the standard RootkitAudit batch, I cannot load the audit. Python fails, giving an error in the hooking module. If I delete the rootkit XML audits, it opens fine. It seems it's possible for malware to corrupt these audits somehow? Currently, the machine is infected (purposely) with Koobface, the TDSS rootkit, W32.bagle.gm and an unknown variant of the "UPS" virus.

peter Posted: Saturday, December 13 2008 10:02.13 CST
echephron,
Thanks for the bug report. I assume when you say "Python fails giving an error in the hooking module" you mean Python reported no "HookingModule" key? If the error is different, please e-mail it to me at peter.silberman _insert at_ mandiant dot com. A new audit viewer with the HookingModule, and some other fixes, will be released in the coming week. Please check the blog (http://blog.mandiant.com) for an announcement of when the new audit viewer is released.
Thanks,
Peter Silberman

echephron Posted: Monday, December 15 2008 09:12.59 CST
Peter - email en route. The error is different. The audit cannot be parsed... Python hangs. Screenshot included in the email.

thanks.

step1515 Posted: Friday, January 16 2009 11:52.26 CST
I was excited to try your tools and techniques on some real rootkit malware myself. For no good reason, I ended up bringing down Rustock.B from OffensiveComputing.net. The md5 is eaa4a3ae6f0512fa4ee9169a86684dda if anyone else would like to try it too. Either I'm an idiot, or it just happens that the very rootkit I decided to use for a first test case is not detectable with Memoryze/Audit Viewer.

I executed the malware on VMware Workstation (Windows XP SP3). All the network signatures of this particular malware came up right away in Wireshark. But when I ran your tools, no unusual processes were noted, nothing in SSDT, and nothing of interest in IRP. IDT shows the SysEnter function being hooked. The hooked module is ntoskrnl.exe, but the hooking module is also \Windows\system32\ntoskrnl.exe. That confuses me, but I am new at this stuff, so maybe it makes sense to someone. So there is no newly introduced file like in your example with burito24b1-1710.sys. That would have been easy for me, a dead giveaway. Now I'm trying to figure out if this SysEnter detection is evil or explainable.

I also booted the VMware image into Ubuntu Linux. Then, and only then, could I see all the registry entries that this malware creates. The malware supposedly hides lzx32.sys using an ADS behind the C:\Windows\System32 folder. I inspected this in Ubuntu Linux and also using the LADS ADS detection tool, and mysteriously, I never did find the ADS-hidden file!

Just posting in case someone else wants to try the same challenge I chose, and also in case someone with more experience than I have can give a pointer or two on where I could have gone wrong, if I did.

The malware is explained here:  http://www.threatexpert.com/report.aspx?md5=eaa4a3ae6f0512fa4ee9169a86684dda

Thanks,
step1515

g6123 Posted: Monday, March 2 2009 00:59.51 CST
How informative!

Genius Posted: Monday, March 23 2009 15:54.52 CDT
Perfect! We'll wait for your future articles about malware analysis ;)

gemoroy Posted: Sunday, June 14 2009 06:14.28 CDT
Very informative, thanks a lot!
Enjoyed reading.

Silkut Posted: Tuesday, November 17 2009 10:13.55 CST
Nice, thx.

laramies Posted: Thursday, November 19 2009 03:09.51 CST
Nice article, and great tools, keep sharing memoryze examples :)

Silkut Posted: Friday, September 24 2010 02:22.10 CDT
The tool has been updated; it now works with Win7/Win2k8 x64!

http://www.mandiant.com/products/free_software/memoryze/

cyberpsych0z Posted: Sunday, September 26 2010 07:14.56 CDT
nice thing :)

slolurner Posted: Monday, October 25 2010 10:40.36 CDT
For folks coming late to the party like me, I was having some issues with AuditViewer complaining "An auditor that supports this module could not be found." I contacted Peter and he said the fix is to use AuditViewer to configure Memoryze via the GUI. That works and gives a better view into what Memoryze is capable of. If you want to do it from the command line, modify the AllAudits xml file and change "w32kernel-rootkitdetection" to "w32kernel-hookdetection".

eaescob Posted: Monday, June 27 2011 19:28.08 CDT
Very nice work, thanks!

zezo010 Posted: Sunday, August 14 2011 04:26.00 CDT
I'm waiting for the next lessons.
Nice work, thanks!

cirix Posted: Wednesday, August 8 2012 21:33.24 CDT
good job, thx

firebits Posted: Sunday, December 7 2014 07:41.08 CST
good job, thx

