Presentation is loading. Please wait.

Presentation is loading. Please wait.

Monnappa KA  Info Security Cisco  Member of SecurityXploded  Reverse Engineering, Malware Analysis, Memory Forensics 

Published byKristin Sherman Modified over 9 years ago

Similar presentations

Presentation on theme: "Monnappa KA  Info Security Cisco  Member of SecurityXploded  Reverse Engineering, Malware Analysis, Memory Forensics "— Presentation transcript:

1

2 Monnappa KA  Info Security Investigator @ Cisco  Member of SecurityXploded  Reverse Engineering, Malware Analysis, Memory Forensics  Email: monnappa22@gmail.com  Twitter: @monnappa22  Blog: http://malware-unplugged.blogspot.inhttp://malware-unplugged.blogspot.in  Linkedin: http://in.linkedin.com/pub/monnappa-ka-grem-ceh/42/45a/1b8http://in.linkedin.com/pub/monnappa-ka-grem-ceh/42/45a/1b8

3  What is a Rootkit  User Mode Rootkits  Kernel Mode Rootkits  Why Memory Forensics  Steps in Memory Forensics  Memory Acquistion Tools  Volatility  Volatility commands  Video Demo (TDSS Rootkit Analysis)

4  Program that perform system hooking or modifies functionality of OS  Hide files, processes, other objects to conceal its presence  Intercepts and alters the normal execution flow  Can contain both user mode and kernel mode components  Some rootkits can install as device drivers  Types: User Mode and Kernel Mode Rootkits

5  Runs in Ring 3  Hooking in user space or application space  Some common user mode Rootkit techniques: - IAT (Import Address Table) hooking - Inline API hooking

6  Runs in Ring 0  System hooking or modification in kernel space  Some Kernel mode Rootkit techniques: - SSDT (System Service Descriptor Table) hooking - DKOM (Direct Kernel Object Manipulation) - IDT (Interrupt Descriptor Table) hooking - Installing as Device Drivers - Driver IRP hooking

7  Finding and extracting forensic artifacts  Helps in malware analysis  Determining process, network, registry activities  Reconstructing original state of the system  Assists with unpacking, rootkit detection and reverse engineering  Sophisticated actors  Critical data exists in memory

8  Memory acquisition - Dumping the memory of a target machine  Memory analysis - Analyzing the memory dump for forensic artifacts

9 Process of Acquiring Volatile memory to non volatile storage On Physical Machines(Tools):  KnTTools  F-Response  Mandiant Memoryze  HBGary FastDump  MoonSols Windows Memory Toolkit(DumpIt) On Virtual Machines:  Suspend the VM (.vmem)

10  Advanced memory Forensics Framework written in python  Runs on multiple platforms  Open source  Extensible API  Coverage of multiple file formats  Powerful community  Used in incident response and forensics

11 Installation details: http://www.volatilityfoundation.org/ Basic commands ==============  python vol.py -h  python vol.py -f --profile= plugin [args]

12 Determining profile ===================  python vol.py -f imageinfo  python vol.py -f kdbgscan Displaying help ===============  python vol.py -h --> gives help for the default profile WinXPSP2x86  python vol.py --profile= -h --> gives the help for specific profile

13

Download ppt "Monnappa KA  Info Security Cisco  Member of SecurityXploded  Reverse Engineering, Malware Analysis, Memory Forensics "

Similar presentations

Operating Systems Manage system resources –CPU scheduling –Process management –Memory management –Input/Output device management –Storage device management.

Operating Systems Manage system resources –CPU scheduling –Process management –Memory management –Input/Output device management –Storage device management.
Monnappa KA  Info Security Cisco  Core Member of SecurityXploded  Focus on Threat Intelligence  Reverse Engineering, Malware Analysis,

Monnappa KA  Info Security Cisco  Core Member of SecurityXploded  Focus on Threat Intelligence  Reverse Engineering, Malware Analysis,
VICE – Catch the hookers! (Plus new rootkit techniques)

VICE – Catch the hookers! (Plus new rootkit techniques)
Operating System Security : David Phillips A Study of Windows Rootkits.

Operating System Security : David Phillips A Study of Windows Rootkits.
Operating System Structure

Operating System Structure
How an attacker can maintain control over their victim’s system without being discovered.

How an attacker can maintain control over their victim’s system without being discovered.
Www.SecurityXploded.com. Disclaimer The Content, Demonstration, Source Code and Programs presented here is AS IS without any warranty or conditions.

Disclaimer The Content, Demonstration, Source Code and Programs presented here is "AS IS" without any warranty or conditions.
Windows Rootkits – Userland API Hooking Robert Vinson – IT Security Analyst – University of Iowa 09/06/06.

Windows Rootkits – Userland API Hooking Robert Vinson – IT Security Analyst – University of Iowa 09/06/06.
ROOTKIT VIRUS by Himanshu Mishra Points to be covered Introduction History Uses Classification Installation and Cloaking Detection Removal.

ROOTKIT VIRUS by Himanshu Mishra Points to be covered Introduction History Uses Classification Installation and Cloaking Detection Removal.
Students: Jacek Czeszewski and Marcos Verdini Rosa Professor: José Manuel Magalhães Cruz.

Students: Jacek Czeszewski and Marcos Verdini Rosa Professor: José Manuel Magalhães Cruz.
Memory Forensics During Incident Response

Memory Forensics During Incident Response
DEPARTMENT OF COMPUTER ENGINEERING

DEPARTMENT OF COMPUTER ENGINEERING
Windows Security and Rootkits Mike Willard January 2007.

Windows Security and Rootkits Mike Willard January 2007.
2: OS Structures 1 Jerry Breecher OPERATING SYSTEMS STRUCTURES.

2: OS Structures 1 Jerry Breecher OPERATING SYSTEMS STRUCTURES.
Mobile Application Development

Mobile Application Development
Cs238 Lecture 3 Operating System Structures Dr. Alan R. Davis.

Cs238 Lecture 3 Operating System Structures Dr. Alan R. Davis.
ROOT KITS. Overview History What is a rootkit? Rootkit capabilities Rootkits on windows OS Rootkit demo Detection methodologies Good tools for detection.

ROOT KITS. Overview History What is a rootkit? Rootkit capabilities Rootkits on windows OS Rootkit demo Detection methodologies Good tools for detection.
Copyright John “Four” Flynn 2005. This work is the intellectual property of the author. Permission is granted for this material to be shared for non-commercial,

Copyright John “Four” Flynn This work is the intellectual property of the author. Permission is granted for this material to be shared for non-commercial,
Asst.Prof.Dr.Ahmet Ünveren 2014-2015 SPRING Computer Engineering Department Asst.Prof.Dr.Ahmet Ünveren 2014-2015 SPRING Computer Engineering Department.

Asst.Prof.Dr.Ahmet Ünveren SPRING Computer Engineering Department Asst.Prof.Dr.Ahmet Ünveren SPRING Computer Engineering Department.
Forensic Artifacts From A Pass The Hash (PtH) Attack

Forensic Artifacts From A Pass The Hash (PtH) Attack

Similar presentations

Ads by Google