2. #RSAC
Purpose of the Talk
Show how real rootkits affect system security and stability
Demonstrate how rootkits can be found with memory forensics
Utilize the open source Volatility framework for deep analysis of
system state
3. Agenda
Why memory forensics?
Introduction to Volatility
Showcase Mac memory analysis capabilities
Detect Mac kernel rootkit techniques with memory forensics
4. Why Memory Forensics?
Memory forensics analyzes the entire operating system state
Running processes
Network data
Loaded kernel modules
Much more
Nearly all of this information in memory is *never* written to disk
5. Why Memory Forensics? (cont.)
Advanced malware operates only in memory
Meterpreter / CANVAS / Core Impact
Custom tools written by real attackers
"Pull the plug" and your best evidence disappears!
6. Volatility
Open source memory analysis framework written in Python
Provides an architecture and plugins for deep analysis of data structures in memory
Contains many features not available in any other memory forensics tool
One of the most widely used tools in forensics
7. Supported OSes
Windows
XP through 7, including server operating systems
32 & 64 bit
Linux / Android
2.6.11 through 3.x
Mac
8. Supported Memory Capture Formats
All
raw (dd), EnCase (EWF), VMware, VirtualBox
Windows
crash dumps, hibernation files, Hpak
Linux
LiME
10. Acquisition
Mac Memory Reader (ATC-NY)
Saves captures in Mach-O format
Works from 10.5.x to 10.8.x, broken on 10.9
OSXPmem (Michael Cohen)
Works on 10.9
Mac Memoryze (Mandiant)
VMware Fusion
10.7+ guests, fully supported by Apple
11. Previous Efforts before Volatility Support
Matthieu Suiche - Mac OS X Physical Memory Analysis [1]
Finding page tables, processes, mounted file systems, and system call
table
Volafox
First real plugin based OS X analysis
Around 7 plugins for analysis
Brittle support for new versions and difficult to add
12. Volatility & Mac Memory Forensics
2.3 is the first official release with Mac support
Mac support had been in SVN for quite some time before that
10.7.x support since summer 2012
Full support since early 2013
Many more OS versions supported
New plugins
Bug fixes
13. Supported Operating System Versions
32-bit 10.5.x Leopard (no 64 bit version)
32-bit & 64-bit 10.6.x Snow Leopard
32-bit & 64-bit 10.7.x Lion
64-bit 10.8.x Mountain Lion (no 32-bit version)
64-bit 10.9.x Mavericks (no 32-bit version)
14. Process Enumeration
mac_pslist
Walks the kernel's allproc list. Acquisition problems often leave the list looping back on itself; the plugin checks for that condition and bails instead of running forever
mac_tasks
Walks the kernel task list, so it also shows processes that have been unlinked from allproc
mac_psaux
Command line arguments read from userland memory
mac_pstree
Parent/child relationships
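As an added illustration of the two process views above (example code, not Volatility's own plugins), the following Python walks a constructed allproc list and a constructed task list, stops on a cyclic list the way mac_pslist bails out, and cross-references the two views so that a process unlinked from allproc still appears. The record layouts, addresses and process names are made up for the example; a real plugin takes its struct offsets from the profile.

```python
import struct

# Constructed, simplified record layouts for this example (NOT XNU's real struct proc /
# struct task; Volatility reads the real offsets from the profile):
#   proc: p_list.le_next (u64) | p_pid (i32) | pad (u32) | p_comm (16 bytes) = 32 bytes
#   task: tasks.next (u64)     | bsd_info (u64, points at the proc)         = 16 bytes
PROC_FMT, TASK_FMT = "<QiI16s", "<QQ"
PROC_SIZE, TASK_SIZE = struct.calcsize(PROC_FMT), struct.calcsize(TASK_FMT)
BASE = 0xFFFFFF8010000000  # hypothetical kernel virtual address of the sample


class Memory:
    """Flat byte view over a constructed memory sample, indexed by virtual address."""

    def __init__(self, base, data):
        self.base, self.data = base, bytes(data)

    def read(self, addr, size):
        off = addr - self.base
        if off < 0 or off + size > len(self.data):
            raise ValueError("0x%x not in sample" % addr)
        return self.data[off:off + size]


def walk_list(mem, head, next_off, limit=4096):
    """Follow a singly linked kernel list; stop on a cycle, on a pointer that leaves
    the image, or at the entry limit instead of spinning forever."""
    seen, out, addr = set(), [], head
    while addr and addr not in seen and len(out) < limit:
        seen.add(addr)
        out.append(addr)
        try:
            addr = struct.unpack("<Q", mem.read(addr + next_off, 8))[0]
        except ValueError:
            break  # truncated capture: the next pointer leaves the sample
    return out


def read_proc(mem, addr):
    _, pid, _, comm = struct.unpack(PROC_FMT, mem.read(addr, PROC_SIZE))
    return pid, comm.split(b"\0", 1)[0].decode()


def pslist(mem, allproc):
    """mac_pslist-style view: walk the allproc list."""
    return dict(read_proc(mem, a) for a in walk_list(mem, allproc, 0))


def tasks(mem, task_head):
    """mac_tasks-style view: walk the task list and follow each task's bsd_info."""
    procs = {}
    for a in walk_list(mem, task_head, 0):
        _, bsd_info = struct.unpack(TASK_FMT, mem.read(a, TASK_SIZE))
        if bsd_info:
            pid, comm = read_proc(mem, bsd_info)
            procs[pid] = comm
    return procs


def hidden_processes(mem, allproc, task_head):
    """Cross-view: processes reachable from the task list but unlinked from allproc."""
    visible = pslist(mem, allproc)
    return {pid: n for pid, n in tasks(mem, task_head).items() if pid not in visible}


def build_sample(hide_pid_300=True, cycle=False):
    """Constructed sample with three processes. Optionally unlink the third from
    allproc (DKOM hiding) or bend the list into a cycle (a damaged acquisition)."""
    P1, P2, P3 = BASE, BASE + 32, BASE + 64
    T1, T2, T3 = BASE + 96, BASE + 112, BASE + 128
    p2_next = P1 if cycle else (0 if hide_pid_300 else P3)
    data = b"".join([
        struct.pack(PROC_FMT, P2, 1, 0, b"launchd"),
        struct.pack(PROC_FMT, p2_next, 200, 0, b"bash"),
        struct.pack(PROC_FMT, 0, 300, 0, b"hidden"),
        struct.pack(TASK_FMT, T2, P1),
        struct.pack(TASK_FMT, T3, P2),
        struct.pack(TASK_FMT, 0, P3),
    ])
    return Memory(BASE, data), P1, T1


if __name__ == "__main__":
    mem, allproc, task_head = build_sample()
    print("pslist:", pslist(mem, allproc))
    print("tasks: ", tasks(mem, task_head))
    print("hidden:", hidden_processes(mem, allproc, task_head))
```

With the default sample, pslist reports pids 1 and 200 only, the task walk also finds pid 300, and the cyclic variant terminates after two entries instead of hanging.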
26. Mounted Filesystems
$ python vol.py --profile=MacMountainLion_10_8_3_AMDx64 -f 10.8.3.mmr.macho mac_mount
Volatile Systems Volatility Framework 2.3
Mount Point Device Type
--------------------- ------------------------------------- ------
/ /dev/disk3 hfs
/dev devfs devfs
/net map -hosts autofs
/home map auto_home autofs
/Volumes/LaCie /dev/disk2s2 hfs
27. Kernel Debug Buffer
$ python vol.py --profile=MacMountainLion_10_8_3_AMDx64 -f 10.8.3.mmr.macho mac_dmesg
Volatile Systems Volatility Framework 2.3
deny mach-lookup com.apple.coresymbolicationd
MacAuthEvent en1 Auth result for: 00:26:bb:77:d2:a7 MAC AUTH succeeded
wlEvent: en1 en1 Link UP virtIf = 0
AirPort: RSN handshake complete on en1
wl0: Roamed or switched channel, reason #8, bssid 00:26:bb:77:d2:a7
en1: BSSID changed to 00:26:bb:77:d2:a7
en1::IO80211Interface::postMessage bssid changed
MacAuthEvent en1 Auth result for: 00:26:bb:77:d2:a7 MAC AUTH succeeded
wlEvent: en1 en1 Link UP virtIf = 0
AirPort: RSN handshake complete on en1
[snip]
28. Allocator Zones
Important kernel data structures are allocated from the zone allocator
The allocator keeps track of both active and previously freed objects
The free lists can be used to recover historical objects in a structured manner, rather than by carving
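An added example (not Volatility's code) of walking a zone free list in Python over a constructed zone: each freed element's first word is the link to the next free element, and the bytes after it are what is left of the old object. Element size, addresses and the object layout are hypothetical. Later XNU releases obfuscate the free-list link with a secret cookie, which the walk below does not undo.

```python
import struct

ELEM_SIZE = 32                          # hypothetical element size for this zone
ZONE_BASE = 0xFFFFFF8020000000          # hypothetical address of the zone's pages
ZONE_END = ZONE_BASE + 6 * ELEM_SIZE    # the constructed zone holds six elements
OBJ_FMT = "<QiI16s"                     # hypothetical object: word0 | pid | pad | name
                                        # (word0 becomes the free-list link once freed)


def walk_free_list(data, head):
    """Follow the zone free list through a flat copy of the zone's memory.
    Stop on NULL, on a link that leaves the zone or is not element-aligned
    (corruption or a truncated capture), and on a cycle."""
    seen, out, addr = set(), [], head
    while addr:
        aligned = (addr - ZONE_BASE) % ELEM_SIZE == 0
        if not (ZONE_BASE <= addr < ZONE_END and aligned) or addr in seen:
            break
        seen.add(addr)
        out.append(addr)
        off = addr - ZONE_BASE
        addr = struct.unpack("<Q", data[off:off + 8])[0]
    return out


def recover_freed_objects(data, head):
    """Parse the bytes the allocator left untouched in each freed element
    (everything after the link word): historical objects in free-list order."""
    objs = []
    for addr in walk_free_list(data, head):
        off = addr - ZONE_BASE
        _, pid, _, name = struct.unpack(OBJ_FMT, data[off:off + ELEM_SIZE])
        objs.append((addr, pid, name.split(b"\0", 1)[0].decode()))
    return objs


def build_sample():
    """Constructed zone: elements 0, 2 and 5 are live; 1, 3 and 4 were freed in the
    order 1, 3, 4, so the LIFO free list runs 4 -> 3 -> 1 -> NULL. Returns the flat
    zone bytes and the free-list head."""
    E = [ZONE_BASE + i * ELEM_SIZE for i in range(6)]
    LIVE = 0x1122334455667788  # stand-in for whatever word0 holds in a live object
    elems = [
        struct.pack(OBJ_FMT, LIVE, 1, 0, b"launchd"),
        struct.pack(OBJ_FMT, 0, 4411, 0, b"curl"),       # freed first: end of list
        struct.pack(OBJ_FMT, LIVE, 80, 0, b"sshd"),
        struct.pack(OBJ_FMT, E[1], 5120, 0, b"python"),  # freed second: links to E1
        struct.pack(OBJ_FMT, E[3], 5300, 0, b"nc"),      # freed last: head, links to E3
        struct.pack(OBJ_FMT, LIVE, 90, 0, b"bash"),
    ]
    return b"".join(elems), E[4]


if __name__ == "__main__":
    zone, free_head = build_sample()
    for addr, pid, name in recover_freed_objects(zone, free_head):
        print("freed element 0x%x: pid %d name %s" % (addr, pid, name))
```

The alignment and bounds checks matter on real images: a stale or corrupted head pointing into a live element yields one element and then a link that leaves the zone, so the walk stops instead of wandering through unrelated memory.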
31. Kernel Rootkit Detection
Volatility provides the most comprehensive kernel-rootkit detection available
We will now walk through analyzing a memory sample infected with the Rubilyn rootkit
Other kernel rootkits employ the same or similar techniques as Rubilyn, so the same checks apply
34. mac_check_syscalls / mac_check_trap_table
$ python vol.py -f rubilyn.vmem --profile=MacLion_10_7_5_AMDx64 mac_check_syscalls | grep HOOK
Volatile Systems Volatility Framework 2.3
SyscallTable 222 0xffffff7f807ff41d HOOKED
SyscallTable 344 0xffffff7f807ff2ee HOOKED
SyscallTable 397 0xffffff7f807ffa7e HOOKED
------
The hooked entries point into the rootkit's kext instead of the kernel's own text, which is why they are flagged; they let the rootkit hide files and file contents from user space
35. mac_ip_filters
$ python vol.py -f rubilyn.vmem --profile=MacLion_10_7_5_AMDx64 mac_ip_filters
Volatile Systems Volatility Framework 2.3
Context Filter Pointer Status
---------- -------------- ------------------ ------
INPUT rubilyn 0xffffff7f807ff577 OK
OUTPUT rubilyn 0xffffff7f807ff5ff OK
DETACH rubilyn 0xffffff7f807ff607 OK
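The check behind both outputs above, as an added example in Python (not the plugins' own code): on 64-bit OS X the kernel's own text sits in the 0xffffff80... range while kexts load at 0xffffff7f..., so a syscall-table entry or an IP filter handler whose address resolves into a kext rather than into the kernel is suspect. The kernel and kext ranges below are constructed; the hooked sy_call and filter addresses are the ones printed above, and the Rubilyn kext range is chosen so that they fall inside it. The struct sysent layout is modelled on XNU's 64-bit definition, and the names for the three hooked slots are taken from XNU's syscalls.master. Slot 5 is added to show what a handler living in a kext hidden from the kext list looks like (no owner found).

```python
import struct

# Hypothetical address map. A real analysis takes the kernel text bounds from the
# profile and the kext ranges from the loaded-module list (mac_lsmod).
KERNEL_TEXT = (0xFFFFFF8000200000, 0xFFFFFF8000900000)
KEXTS = {  # name: (start, end), constructed
    "com.apple.driver.AppleHDA": (0xFFFFFF7F80A00000, 0xFFFFFF7F80A80000),
    "rubilyn": (0xFFFFFF7F807FF000, 0xFFFFFF7F80800000),
}

# struct sysent, modelled on XNU's 64-bit layout (40 bytes):
# sy_narg, sy_resv, sy_flags, pad, sy_call, sy_arg_munge32, sy_arg_munge64,
# sy_return_type, sy_arg_bytes, pad. Only sy_call matters for the check.
SYSENT_FMT = "<hbbxxxxQQQiHxx"
SYSENT_SIZE = struct.calcsize(SYSENT_FMT)
SYSCALL_NAMES = {222: "getdirentriesattr", 344: "getdirentries64", 397: "write_nocancel"}


def owner(addr):
    """Which code region a kernel pointer resolves into: the kernel itself, a
    listed kext, or nothing we know about."""
    lo, hi = KERNEL_TEXT
    if lo <= addr < hi:
        return "kernel"
    for name, (start, end) in KEXTS.items():
        if start <= addr < end:
            return name
    return "UNKNOWN"


def check_syscalls(table):
    """mac_check_syscalls-style pass over a raw sysent array: any sy_call that does
    not resolve into the kernel's own text is reported as hooked, with its owner."""
    results = []
    for idx, fields in enumerate(struct.iter_unpack(SYSENT_FMT, table)):
        sy_call = fields[3]
        who = owner(sy_call)
        status = "OK" if who == "kernel" else "HOOKED (%s)" % who
        results.append((idx, sy_call, status))
    return results


def check_ip_filters(filters):
    """The same ownership check for registered IP filter handlers: returns
    (context, filter name, handler address, owning module) per entry."""
    return [(ctx, name, addr, owner(addr)) for ctx, name, addr in filters]


def build_sample_table(entries=400):
    """Constructed sysent array: every slot points into kernel text except the three
    slots Rubilyn hooks (addresses as printed above) and slot 5, which points at an
    address no listed kext claims."""
    hooks = {222: 0xFFFFFF7F807FF41D, 344: 0xFFFFFF7F807FF2EE,
             397: 0xFFFFFF7F807FFA7E, 5: 0xFFFFFF7F90000000}
    table = b""
    for idx in range(entries):
        sy_call = hooks.get(idx, KERNEL_TEXT[0] + 0x100 * idx)
        table += struct.pack(SYSENT_FMT, 3, 0, 0, sy_call, 0, 0, 0, 24)
    return table


# Constructed filter list mirroring the mac_ip_filters output above.
SAMPLE_FILTERS = [
    ("INPUT", "rubilyn", 0xFFFFFF7F807FF577),
    ("OUTPUT", "rubilyn", 0xFFFFFF7F807FF5FF),
    ("DETACH", "rubilyn", 0xFFFFFF7F807FF607),
]


if __name__ == "__main__":
    for idx, addr, status in check_syscalls(build_sample_table()):
        if status != "OK":
            name = SYSCALL_NAMES.get(idx, "?")
            print("SyscallTable %3d %-18s 0x%x %s" % (idx, name, addr, status))
    for ctx, name, addr, who in check_ip_filters(SAMPLE_FILTERS):
        print("%-6s %-8s 0x%x %s" % (ctx, name, addr, who))
```

The UNKNOWN case is the one to watch for on real images: a rootkit that also unlinks its kext from the loaded-module list still leaves its hooks pointing outside the kernel, so the entry is flagged even though no name can be attached to it.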
36. mac_notifiers
$ python vol.py --profile=MacMountainLion_10_8_3_AMDx64 -f ~/10.8.3.mmr.macho mac_notifiers
Volatile Systems Volatility Framework 2.3_alpha
Status Key Handler Matches
---------- ------------------------ --------------- -------
OK IOServicePublish 0xffffff7f8fa878e8 IODisplayConnect
OK IOServicePublish 0xffffff7f91206ab6 IOResources,AppleClamshellState
OK IOServicePublish 0xffffff7f8fa94188 IOResources,AppleClamshellState
OK IOServicePublish 0xffffff800f872d50 IODisplayWrangler
OK IOServicePublish 0xffffff7f902ff732 IOHIDevice
OK IOServicePublish 0xffffff7f902ff732 IOHIDEventService
OK IOServicePublish 0xffffff7f902ff732 IODisplayWrangler
OK IOServicePublish 0xffffff7f902ffe74 AppleKeyswitch
[snip]
37. Work from @osxreverser & Friends
Their initial rootkit releases led to the mac_trustedbsd plugin
Their second round of rootkit techniques led to Cem Gurkok's submission to the Volatility plugin contest [4]
38. mac_volshell & mac_yarascan
MHL ported Volatility's yarascan infrastructure and volshell plugin to work with both Linux & Mac
yarascan:
Searches YARA rules or simple strings across process or kernel memory
volshell:
Fully interactive Python shell inside the Volatility environment
39. Mac Analysis
Mac memory forensics has come a long way in the last year
Still some work to do to reach the level of Windows & Linux support, but that gap will be closed soon
10.9.x opens some interesting new research areas
Particularly the compressed free pages introduced in 10.9
Dr. Golden Richard of the University of New Orleans has implemented compressed page support in Volatility
40. Want to Learn Memory Forensics?
Community Documentation [5]
Links to all memory forensics research published by entire forensics
community
Blog [6]
“Solving the GrrCon Network Forensics Challenge with Volatility ” [7]