What am I talking about? I am talking about RAM!
Here are some of the things we can get from RAM: processes, network connections, open files, and encryption keys (for example BitLocker keys).
The last one, BitLocker encryption keys, is covered in an awesome presentation by Jesse Kornblum on how to recover the keys for BitLocker; check it out: http://jessekornblum.com/presentations/omfw08.pdf
There are some great tools for acquiring memory. You can use win32dd.exe; this tool will create a raw image file and also write an MD5 hash of the output file it creates.
My personal favorite, though, is Memoryze from Mandiant. You can find it as a free download at http://www.mandiant.com The cool thing about Memoryze is that you can run enumeration tools that give you process information, the registry keys in use by each process, the DLLs loaded, the drivers loaded in memory, etc. The great thing about this is that it can enumerate either from a memory image or from a live machine.
Here is how it works:
Open a command shell (cmd.exe) and change directories to where you installed Memoryze.
Type "MemoryDD.bat". It will create a directory called audits where it will put your memory image, or,
to write the image to a specific directory, type "MemoryDD.bat -output <directory_name>".
To identify all open ports with their processes and process IDs, type "Process.bat -ports true".
The output is in XML format:
Notice above that the process forcefield.exe, process ID 900, is making an outbound connection to IP address 22.214.171.124 on port 80. This is simply a great way to tell what process is doing what (i.e. malware outbound connections).
Now suppose you wanted to look for rootkits in memory. You can use Mandiant's HookDetection.bat file. This executes RootkitAudit.Batch.xml, which identifies hooks in kernel memory that are often used to subvert the integrity of the system. So you can see below the different processes and how they relate to the kernel, drivers, etc.
Notice above you can see the module that has hooks into the kernel, i.e. 1394BUS.sys, where it is located (\windows\system32\drivers\), and a description of it ("Driver").
If you had an unknown process with hooks into the kernel you could find it here.
Now these are all great tools, but what do you do with a memory image once you have it? There are some basic techniques you can use for analysis. I would start with the "strings" command: run strings memory.img > memory.str. Then you can begin to parse the file for emails, websites surfed to (or connected to by malware), passwords, blogged text, and unknown executables.
Once you have your image, you might choose to use a tool called Volatility. This tool simply ROCKS!
Here is how it works using Linux:
python volatility <command> -f /path_to_windows_memory_image
The keyword <command> refers to one of a series of commands that you can choose from. Here is a list:
So what can we do with this? Let me show you. First let’s see what processes are running in memory.
First I type the command:
python volatility pslist -f /path_to_image/imagefile.img
and I will see output like this:
Now you can see the executables running. You can also see from the second column what the PID (Process ID) is. So let's say we did not know what jusched.exe (PID 2228) was, we thought it might be malware, and we would like to send it to VirusTotal. Well then, let's grab it right out of memory:
python volatility procdump -p 2228 -f /path_to_image/imagefile.img
Now we have carved that process out. However, to be sure we did this correctly, let's take a look at it using khexedit. Since this is supposed to be an .exe file, it should start off in hex with MZ.
So in Linux: khexedit executable.2228.exe
We can see that it is in fact what we are looking for, so we could now send this up to VirusTotal, or look deeper into the file to see what it does.
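The same sanity check can be scripted instead of eyeballed in khexedit. The following is an added example (not code from the original post, Volatility or Mandiant): it verifies the MZ signature, follows e_lfanew to the "PE\0\0" signature, reads the machine type and section count, and hashes the carved file so it can be looked up on VirusTotal before uploading anything. The sample bytes it is tested against are a constructed header stub, not a real executable.

```python
import hashlib
import struct
import sys

MACHINES = {0x14C: "i386", 0x8664: "x86-64"}

def build_sample_pe() -> bytes:
    """Constructed test input: a minimal DOS stub plus COFF header (not a real .exe)."""
    dos = bytearray(0x80)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x80)          # e_lfanew -> offset 0x80
    # COFF header: Machine=i386, NumberOfSections=3, timestamps/symbols zeroed,
    # SizeOfOptionalHeader=0, Characteristics=EXECUTABLE_IMAGE|32BIT_MACHINE
    coff = struct.pack("<HHIIIHH", 0x14C, 3, 0, 0, 0, 0, 0x0102)
    return bytes(dos) + b"PE\0\0" + coff

def check_carved_pe(data: bytes) -> dict:
    """Validate MZ/PE signatures of a carved process image and return its SHA-256."""
    result = {
        "mz": data[:2] == b"MZ",
        "pe": False,
        "machine": None,
        "sections": None,
        "sha256": hashlib.sha256(data).hexdigest(),
    }
    if not result["mz"] or len(data) < 0x40:
        return result                                   # no room for e_lfanew
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return result                                   # MZ present but no PE header
    machine, nsect = struct.unpack_from("<HH", data, e_lfanew + 4)
    result["pe"] = True
    result["machine"] = MACHINES.get(machine, hex(machine))
    result["sections"] = nsect
    return result

if __name__ == "__main__":
    # Usage: python check_pe.py executable.2228.exe  (file name is an assumption)
    with open(sys.argv[1], "rb") as fh:
        print(check_carved_pe(fh.read()))
```

A file that reports mz=True but pe=False was probably carved from the wrong base address or is truncated, so re-run procdump rather than trusting the dump.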
Well, that is it for memory on this post. As always: be good, be safe, hack legally and responsibly, and share the knowledge. I'm out.