trietptm / volatility

Automatically exported from code.google.com/p/volatility
GNU General Public License v2.0
1 stars 2 forks source link

Yarascan and rootkit #364

Closed GoogleCodeExporter closed 9 years ago

GoogleCodeExporter commented 9 years ago
Hey Guys,

I found a problem with yarascan behavior.

Volatility only scans VAD from the processes he can see in the EPROCESS list. 

If a malware with have rootkit capability, volatility failed to detect yara 
signature.

Here's a suggestion to improve yarascan:

http://code.google.com/p/volatility/source/browse/trunk/volatility/plugins/malwa
re/malfind.py#408

replace that line by:

for proc in filescan.PSScan(self._config).calculate():

http://code.google.com/p/volatility/source/browse/trunk/volatility/plugins/malwa
re/malfind.py#427

replace that line by:

for task in filescan.PSScan(self._config).calculate():

Also, results are not the same if you scan with or without the -K option, so we 
need to execute volatility twice to have all the results for kernel and user 
memory. 

Maybe an option to scan kernel and user address space at the same time would be 
good thing to add?

Thanks in advance for your help!

Sebastien

Original issue reported on code.google.com by sebastie...@gmail.com on 6 Dec 2012 at 2:41

GoogleCodeExporter commented 9 years ago

Original comment by jamie.l...@gmail.com on 10 Dec 2012 at 2:13

GoogleCodeExporter commented 9 years ago
Hi Sebastien, 

Regarding the first problem "Volatility only scans VAD from the processes he 
can see in the EPROCESS list" - that's actually OK. Its the same default 
behavior as dlllist, handles, getsids, malfind, and various other plugins. With 
no parameters, they work on all processes in the active list. If you want to 
only analyze one or more processes in the active list, you can use -p/--pid. 
More importantly for your situation is they all also accept the -o/--offset 
parameter:

$ python vol.py yarascan -h
  -o OFFSET, --offset=OFFSET
                        EPROCESS offset (in hex) in the physical address space
  -p PID, --pid=PID     Operate on these Process IDs (comma-separated)
  -K, --kernel          Scan kernel modules
.......

So if you wanted to scan a hidden process, and you've identified it with 
psscan, just pass the physical offset using that parameter above and yarascan 
will work with it. 

Regarding the userspace vs kernel scan, I see what you mean, though I'm not 
100% convinced its a required change at this time. It would be a very minor 
change to enable scanning both spaces at the same time though. In fact, here's 
a patch which I think would achieve your goal. Let me know if its what you're 
thinking? 

Original comment by michael.hale@gmail.com on 3 Jan 2013 at 10:35

Attachments:

GoogleCodeExporter commented 9 years ago
Hey Sebastien, I'm going to mark this as wont-fix for now, unless a majority of 
users want the change. You have the patch now and can enable it for your own 
usage if desired. Hope that is ok? 

Original comment by michael.hale@gmail.com on 11 Jan 2013 at 3:21

GoogleCodeExporter commented 9 years ago
Hi Michael,

Sorry I didn't replied earlier, I just came back from holidays and was on 
training all week.

>Regarding the userspace vs kernel scan, I see what you mean, though I'm not 
100% convinced its a required change at this time. It would 
>be a very minor change to enable scanning both spaces at the same time though. 
In fact, here's a patch which I think would achieve your 
>goal. Let me know if its what you're thinking? 

Thanks for the patch! Yes that's what I was looking for. I agree that it's an 
enhancement to speed up analysis and not an issue per se. I was just lazy to 
run 2 times volatility instead of one time ;-)

>More importantly for your situation is they all also accept the -o/--offset 
parameter

Hadn't thought of the --offset option, thanks for leading me to that solution 
:-)

However, I wasn't able to test it because yarascan doesn't seem to work with 
the --offset parameter. Am I missing something? Sorry I had a long week! The 
-p/--pid parameter works has expected. 

>Regarding the first problem "Volatility only scans VAD from the processes he 
can see in the EPROCESS list" 
>- that's actually OK. Its the same default behavior as dlllist, handles, 
getsids, malfind, and various 
>other plugins.

I understand that it is the default behavior but I don't think it should be for 
yarascan. 

When yara is used as a triage tool against a memory dump, analysts (or 
automated sanboxes) needs to perform more steps to identify/classify the memory 
dump:

1) Run yarascan against a set of rules, no need to run this step twice with 
your patch ;-)
2) Run psxview to identify possible rootkit processes
3) Run psscan to find if processes found in step 2) are terminated (if analysts 
only wants active rootkit)
4) Run yarascan against processes found in step 2 and/or 3 (sometimes can be 
useful to run yara on terminated processes to detect lateral movement)

Regards,

Sebastien

Original comment by sebastie...@gmail.com on 11 Jan 2013 at 4:28