Memory Forensics : Tracking Process Injection


This post describes the process memory internals that let us track process injection.
The example used below is a recent Brazil malspam sample (hxxp://malware-traffic-analysis.net/2017/07/07/index.html) that injects a DLL named fltLib.dll into notepad.exe.

Attach a kernel debugger to the infected machine and get information about the notepad.exe process object.


A process object is represented by the EPROCESS structure. The VAD (Virtual Address Descriptor) tree is referenced from EPROCESS (its VadRoot member) and describes the layout of the process's memory regions. VADs record the names of memory-mapped files, the total number of pages in each region, the initial protection (read, write, execute), and several other flags that tell you a lot about what type of data the region contains.

The VAD tree is a self-balancing binary tree. Each node represents one range of the process's virtual memory and has at most two children, a left and a right node. A node is represented by the MMADDRESS_NODE structure.

Listing all VAD nodes of notepad.exe starting from the root (parent) node at 0x852fb2a8.

As highlighted above, the node at 0x8539de90 describes the region containing the injected fltLib.dll.
start and end - VPNs (Virtual Page Numbers) describing the range of virtual memory covered by the node.
commit - Number of pages committed.
Protection - EXECUTE_WRITECOPY. Enables execute, read-only, or copy-on-write access to a mapped view of a file. Mapped DLL images normally carry this protection.

Let's see how to derive the virtual memory address from a node's VPNs. We will also look at the structures that store the commit and Protection values for a node, and track down the object representing the mapped fltLib.dll.

As mentioned above, each node is represented by MMADDRESS_NODE. Let's look at the node (0x8539de90) containing the injected fltLib.dll.
The node has no child nodes. Its start and end virtual page numbers are 0x2a40 and 0x2e5c respectively.

To convert a page number to a virtual address, multiply the page number by the page size (0x1000 on x86).

As shown above, VPN*PageSize = 0x2a40*0x1000 = 0x2a40000. Dumping 2 bytes at 0x2a40000 gives 'MZ', the portable executable magic bytes, which means fltLib.dll is loaded at 0x2a40000. The end VPN is inclusive, so the region spans 0x2a40000 through 0x2e5cfff (0x41d pages).

We can confirm the above findings by switching to user mode and viewing the modules loaded in notepad.exe.

Below are the loaded modules in notepad.exe. The base address of fltLib.dll is 0x2a40000, as highlighted below.
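The steps above (VPN range to virtual address, probing the base for 'MZ', cross-checking against the user-mode module list) as an added Python example, not code from the original post. The VAD node addresses, VPNs, module list and memory contents are constructed test data modelled on the notepad.exe walk; only the fltLib.dll node carries the values quoted above, and the page size is assumed to be 0x1000 (x86).

```python
"""Locate mapped images from VAD node VPNs and cross-check them against the loader's module list."""

PAGE_SIZE = 0x1000  # x86 page size assumed throughout

# Constructed VAD node records: (node address, StartingVpn, EndingVpn, protection as WinDbg prints it).
# The 0x8539de90 entry reproduces the fltLib.dll node from the post; the others are made up.
VAD_NODES = [
    (0x852fb2a8, 0x10, 0x10, "READWRITE"),                # constructed: plain data region, skipped
    (0x8539de90, 0x2a40, 0x2e5c, "EXECUTE_WRITECOPY"),    # node holding fltLib.dll (values from the post)
    (0x853a0100, 0x7c800, 0x7c8f5, "EXECUTE_WRITECOPY"),  # constructed: stands in for a normally loaded DLL
    (0x853b0200, 0x3f0, 0x3f3, "EXECUTE_READWRITE"),      # constructed: PE in private RWX memory, not in lm
]

# Constructed user-mode module list (what the debugger shows after switching to the process).
MODULE_LIST = {
    0x2a40000: "fltLib.dll",
    0x7c800000: "kernel32.dll",
}

# Constructed memory image: only the first bytes at each candidate base are modelled.
MEMORY = {
    0x2a40000: b"MZ\x90\x00",
    0x7c800000: b"MZ\x90\x00",
    0x3f0000: b"MZ\x90\x00",
}


def vpn_range_to_va(start_vpn, end_vpn, page_size=PAGE_SIZE):
    """Return (base, last_byte, size_in_bytes) for an inclusive StartingVpn..EndingVpn range."""
    if end_vpn < start_vpn:
        raise ValueError("EndingVpn precedes StartingVpn")
    base = start_vpn * page_size
    size = (end_vpn - start_vpn + 1) * page_size
    return base, base + size - 1, size


def read(memory, address, length):
    """Read bytes from the constructed image; an unmapped address reads as empty."""
    return memory.get(address, b"")[:length]


def find_image_mappings(nodes, memory, modules):
    """Return one record per executable VAD region whose base starts with the 'MZ' PE signature.

    'module' is the name the loader knows for that base, or None when the PE is not in the
    module list (an unlinked or manually mapped image is worth a closer look).
    """
    hits = []
    for node, start_vpn, end_vpn, protection in nodes:
        if not protection.startswith("EXECUTE"):
            continue
        base, last, size = vpn_range_to_va(start_vpn, end_vpn)
        if read(memory, base, 2) != b"MZ":
            continue
        hits.append({
            "node": node,
            "base": base,
            "last": last,
            "pages": size // PAGE_SIZE,
            "protection": protection,
            "module": modules.get(base),
        })
    return hits


if __name__ == "__main__":
    for hit in find_image_mappings(VAD_NODES, MEMORY, MODULE_LIST):
        print(f"VAD {hit['node']:#x}: {hit['base']:#x}-{hit['last']:#x} ({hit['pages']:#x} pages) "
              f"{hit['protection']} module={hit['module']}")
```

Executable regions that carry a PE header but have no entry in the module list are the ones to dump next; a region that is in the list, like fltLib.dll here, still needs the file-object check later in the post to see which file actually backs it.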

From Windows Vista through Windows 7 the tree node is the MMADDRESS_NODE structure, and the MMVAD structure begins with the same fields, so the node address can be overlaid with MMVAD. On Windows XP the node is the MMVAD structure itself.

Overlaying the MMVAD structure on the node (0x8539de90) containing fltLib.dll: as the image below shows, MMVAD contains a union u with two members, LongFlags and VadFlags.
Below is the bit layout of VadFlags.
dt nt!_MMVAD_FLAGS
  +0x000 CommitCharge   : Pos 0, 19 Bits
  +0x000 NoChange       : Pos 19, 1 Bit
  +0x000 VadType        : Pos 20, 3 Bits
  +0x000 MemCommit      : Pos 23, 1 Bit
  +0x000 Protection     : Pos 24, 5 Bits
  +0x000 Spare          : Pos 29, 2 Bits
  +0x000 PrivateMemory  : Pos 31, 1 Bit

CommitCharge - the number of pages committed in the region described by the VAD node.

Protection - indicates what type of access is allowed to the memory region. The values below occupy the low 3 bits of the field.
// Protection bits:
#define MM_ZERO_ACCESS          0  // this value is not used.
#define MM_READONLY             1
#define MM_EXECUTE              2
#define MM_EXECUTE_READ         3
#define MM_READWRITE            4  // bit 2 is set if this is writable.
#define MM_WRITECOPY            5
#define MM_EXECUTE_READWRITE    6
#define MM_EXECUTE_WRITECOPY    7

Node structure by pool tag
Tag     Node Type
Vadl    _MMVAD_LONG
Vadm    _MMVAD_LONG
Vad     _MMVAD
VadS    _MMVAD_SHORT
VadF    _MMVAD_SHORT


The node's structure type (short, regular or long VAD) is identified by the PoolTag member of the POOL_HEADER structure that sits in memory directly before the node address. The VadType bit field above is a different value: it is an nt!_MI_VAD_TYPE enumeration describing the kind of mapping, and a mapped image such as fltLib.dll carries VadImageMap (2).
Subtract the size of POOL_HEADER (8 bytes on x86) from the address (0x8539de90) of the node containing fltLib.dll to get the address of its POOL_HEADER.


To track the object representing fltLib.dll, we need to look at the SUBSECTION structure, which the OS uses to track the file or DLL mapped into the region.

The Subsection pointer is a member of the MMVAD structure at offset 0x24. Below is the SUBSECTION structure for node address 0x8539de90.

SUBSECTION contains a pointer to a CONTROL_AREA structure (its ControlArea member). Below is the CONTROL_AREA structure.

The CONTROL_AREA member FilePointer is an _EX_FAST_REF structure, which holds the pointer to the object representing fltLib.dll.
The Object member of _EX_FAST_REF points to the file object (_FILE_OBJECT) structure representing fltLib.dll.

Objects are 8-byte aligned on x86, so the low 3 bits of the _EX_FAST_REF value hold a reference count rather than part of the address. To get the address of the _FILE_OBJECT we mask the value of the Object member with 0xfffffff8, as shown below. (On x64 the low 4 bits hold the count, so the mask is 0xfffffffffffffff0.)
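The two decoding steps described in this part of the post, splitting u.LongFlags into the _MMVAD_FLAGS bit fields listed above and stripping the reference count from an _EX_FAST_REF, as an added Python example that is not code from the original post. The bit positions and protection constants are the ones quoted above; the VadType names are the nt!_MI_VAD_TYPE enumeration; the LongFlags and _EX_FAST_REF values fed to it are constructed, since the post's own values are only in the screenshots.

```python
"""Decode _MMVAD_FLAGS bit fields and strip the _EX_FAST_REF reference count."""

# Protection values from the MM_* table (the low 3 bits of the 5-bit Protection field).
MM_PROTECTION = {
    0: "MM_ZERO_ACCESS",
    1: "MM_READONLY",
    2: "MM_EXECUTE",
    3: "MM_EXECUTE_READ",
    4: "MM_READWRITE",
    5: "MM_WRITECOPY",
    6: "MM_EXECUTE_READWRITE",
    7: "MM_EXECUTE_WRITECOPY",
}
EXECUTABLE = {2, 3, 6, 7}

# nt!_MI_VAD_TYPE values carried in the 3-bit VadType field; a mapped image is VadImageMap.
VAD_TYPE = {0: "VadNone", 1: "VadDevicePhysicalMemory", 2: "VadImageMap", 3: "VadAwe",
            4: "VadWriteWatch", 5: "VadLargePages", 6: "VadRotatePhysical", 7: "VadLargePageSection"}

# (name, position, width) exactly as dt nt!_MMVAD_FLAGS prints them above.
MMVAD_FLAGS_LAYOUT = [
    ("CommitCharge", 0, 19),
    ("NoChange", 19, 1),
    ("VadType", 20, 3),
    ("MemCommit", 23, 1),
    ("Protection", 24, 5),
    ("Spare", 29, 2),
    ("PrivateMemory", 31, 1),
]


def bits(value, pos, width):
    """Extract `width` bits starting at bit `pos` ('Pos N, M Bits' in dt output)."""
    return (value >> pos) & ((1 << width) - 1)


def decode_vad_flags(long_flags):
    """Split the 32-bit u.LongFlags value into the named _MMVAD_FLAGS fields."""
    return {name: bits(long_flags, pos, width) for name, pos, width in MMVAD_FLAGS_LAYOUT}


def protection_name(protection):
    """Name the low 3 bits of the Protection field; any higher modifier bits are reported raw."""
    name = MM_PROTECTION[protection & 7]
    extra = (protection & 0x1f) & ~7
    return name if not extra else f"{name}|0x{extra:x}"


def is_suspicious(long_flags):
    """Executable *private* memory is not backed by a file and is the usual home of injected
    code. A file-backed image mapping with EXECUTE_WRITECOPY is how a loaded DLL looks and is
    left for the module-list and file-object checks, as the post does for fltLib.dll."""
    flags = decode_vad_flags(long_flags)
    return flags["PrivateMemory"] == 1 and (flags["Protection"] & 7) in EXECUTABLE


def ex_fast_ref_to_object(value, pointer_size=4):
    """Split an _EX_FAST_REF into (object pointer, embedded reference count).

    Objects are 8-byte aligned on x86 (3 count bits, mask 0xfffffff8) and 16-byte aligned
    on x64 (4 count bits, mask 0xfffffffffffffff0).
    """
    low_bits = 3 if pointer_size == 4 else 4
    full = (1 << (pointer_size * 8)) - 1
    mask = full & ~((1 << low_bits) - 1)
    return value & mask, value & ((1 << low_bits) - 1)


if __name__ == "__main__":
    # Constructed LongFlags for an image mapping like the fltLib.dll node: 0x1c pages charged,
    # VadImageMap, EXECUTE_WRITECOPY, not private.
    for sample in (0x0720001c, 0x86800010):  # second: private, committed, EXECUTE_READWRITE
        f = decode_vad_flags(sample)
        print(f"{sample:#010x}: {VAD_TYPE[f['VadType']]} {protection_name(f['Protection'])} "
              f"commit={f['CommitCharge']:#x} private={f['PrivateMemory']} suspicious={is_suspicious(sample)}")
    obj, cnt = ex_fast_ref_to_object(0x85d6a5b3)  # constructed x86 FilePointer value
    print(f"_FILE_OBJECT at {obj:#x} (fast ref count {cnt})")
```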
