
BSides Rochester 2017: int0x80: Anti Forensics AF

BSidesROC, 43:45, 94 views, published 2018-01

Hey right thank you so much for having me I'm very excited to be here oh and then friends and stuff your research we mess around basically was August so the top you can see is Anti Forensics AF and when I would see that meeting like on the Internet like that's too video that's silly a I would always read it is that's stupid in pipe forensics something different so I'm not ready to go work this mark said you guys play Watch Dogs 2 our song and all the things in Watch Dogs 2 you can hire it on my team so Mac computers I reckon average does a lot of mess around this stuff and just have a good time in general so

we're talking about anti-forensics today and I'm gonna pick up kind of where I left off on my last hit that critics pocket which is doing some stuff to tamper with memory forensics all of this is coming from the viewpoint of an operator red team you are somebody that own the system you have a shell you have access you drop in the implant and you want to maintain access onto that system without getting detected if you do get a detective you want to inhibit the forensic investigation process so that the blue team can't derive good IOCs to find you I was fairly environment right we all spend a lot of time like attack toolchains writing

around malware but when it's all burned and then you have like Brad will need to obtain in the well-covered doing this with like oh those and winning stuff so it will see that we tamper our executable in memory we can like cause a lot of problems for forensic tools and win as a red team that's good previous versions of this talk to us and he enjoyed some now and all kind of touched on it but I actually selling the stock just for you guys so company Tammuz at that point not like kind of go off the record a little bit and then I'll show you some fun stuff here with SD cards we'll play that

little mini CTF all together it'll be really cool okay so all these systems all the way I don't do forensics professionally like I said we're gonna write to you so all this was just me messing around stuff I love to mess with everybody so like I love to give our blue team a hard time get like rs232 those hard times everybody I'm not an expert at all I literally just like cinema s and my role my head around on the keyboard after every play it doesn't buckle and I'm pretty sure everything that I have learned to do that taught myself it's like people are gonna buy buying some lots of do illegal things and we

learn right from doing my own attacker we're kidding about that we're in terms of software protection right link we spent all this time writing malware we have this cool implant would get like cool shells they have good functionality like you know TTY limitation whatever and we don't want the blue team to find that rehearse it and then like mine are C2 infrastructure in bonus so if front of us and we see like somebody sitting around we wanted like persist in like for detection and if the blue team is on our trail you know like it could be like they're investigating like over your blog entry or whatever for any reason they're like closing in on our founder we want to prevent them from

either acquiring or analyzing the matter would be to spend time great so you don't think about this and they are all these myth on the news in previous talks like I'm actually like trove in like the actual memory forensics tools when they like get on the system which works really well like I had whatever Mandiant's tool was at the time I liked her to that and had it right out in memory like troll instead of like actual so this is this is cool right that memory stuff is like the no - like oh this friends is like holding busted so you have a stuff one on a memory and what happened what happens is like your

program first like it is on disk just as a bottle right and you know this section or something like code or data or resources or whatever and then we move from disk that's when you're in memory and start having fun so with all these session is once you're in memory in your codes executing and you're running if you don't need a section anymore there's no reason for that section to be in memory or there's no reason for its data to maintain its integrity meaning we can either remove it, overwrite it with zeros or write it like something completely different so we do something like that we tamper or sections we no longer need

memory that analysis tools they still need that data right so they like that really part time and piecing together what actually happened if you give them that data so busy attacker lots of fun to be had it's great okay so this is my first demo its program zeros in this we're going to Rekall, which is an open-source memory forensics analysis toolkit and we swim team em to a fire fire do it and see how it goes

I'm just gonna mirror the displays and I think it'll make it easier on all of us

yes all right now of course I'm going to steam zero

oh I forgot to mention in my bio slide I also moving fan of Mulan Szechuan teri Okita more seasons 97 or all right cool so here's this thing we noticed VM right in and estar get whatever a starter starter malware so the VM catch help me guess oh my god this is terrible I'm so sorry I feel like I want a 56k modem or something I'm gonna like reboot this VM cuz I'm like hating my life right now


I'll tell you guys a really cool thing I learned recently so like my friends like to debate the like the stupid naming of gift versus just right and so they're like this one continued her friend said just adamant that it's like it's gif link and the rest of my friends like it's definitely give like a heart to you and actually and it's a research and do expect tired but with stupid flame around my RC and what I found out was it's pronounced like the Jeep in gigantic

this is this is making my life force I hate this all right here we go should I don't like it snapped out or something

all right

rather notice my password is extremely short it's one two three four seeing the combination is my luggage just in case not all you have 3d printed pSATS tonio workers clothes BM ever just meet

you cool car now where's rain there we go and I don't think this one prints anything I'd seen it just runs so

okay cool can you guess the other thing is that like big enough all right cool all right so now we're running meet Windows not refreshing fine so let's let's inspire memory so could you now I'm going to use winpmem and we're just gonna write a tune out book file we'll just call it L well the AFF4 is like its own thing so here we go we're acquiring memory I guess one that does have us let's like do something else because that might take a minute let's watch the video


amazing putting on the show these guys are awesome Posse in their fantastic that was episode 204 alright in our memory acquisition business great all right so let's let's run Rekall and we'll take a look at what we got and remember our motto story so we should be able to get to Mount way that's our old anomaly

I'd write all this down something my brains okay Rekall; Rekall basically gives you this like IPython interface really nice calculation and I think it's not like you know Python stuff in it as well so when UPS is we get a listing of like processes that we see from the memory don't write this to us looking at this like a log on a metaphor and seeing like what's going on so there's our like on a view so there's a Google update running in the background the keys are like right next to each other so now we're still running cool let's try to grab it so we use this to Michael Klump Rocco and can actually

just like specify right types like he has of these Volatility before you have to find the PID first and process ID and tell it you know like don't this pit but in this case of Volatility or Rekall we just say like oh the process that I want it's got like this in the name and it's like no problem there you go so and then let's dump it out to move it is top

No well it's doing that actually I'll just show you guys real quick like in Exeter Exeter and like IDA like what what this program looks like normally

this you know standard stuff right you see like got the MS-DOS stub up front here's a PE header sections like we're good everything's totally legit let's toss it in IDA then we should see like a nice call graph again this is the original binary right it's like currently running so yeah easy peasy call graph it like subroutines to find this is normal right if you're doing our analysis is what you want to see so

and okay there's our output executable dot so here it is so let's take a look at this in the hex editor oh man it's all zeros okay that's pretty denied up I think there's like were cartridge like further down but you know it definitely doesn't look doesn't I didn't think since now the MMS tasks on file so let's see what those none of that doesn't work either huh but how are still running so we win attackers win red team wins that's awesome actually when I did is instead of tampering the forensics tools I had the binary brain itself so shade is first good

okay it's over here you guys can you see that okay is that big enough all right so over here is this is this a source code for PSE first off just find the MS-DOS header in memory with the 0x5A4D magic bytes and find a PE header come down get the size of the header so that we know that how much data we need to overwrite we call VirtualProtect which changes the permissions of the page in memory so that will be a right to it so now it's like cranky get into it when it's originally mapped it's like read/execute only so if we try to write into it we get an access violation after

we have changed its permissions we use RtlZeroMemory which is essentially just like a wrapper for memset to just write zeros into that section of memory and then we'll restore the initial protections with VirtualProtect and at the bottom here I'm just like looping infinitely so the malware executes okay so that's sale I can just rewrite zeros for the head and it's it's awesome because it meets the forensics tools you can do like other things that if you get into city your right leg random or like interesting values if you like certain fields in the header and when analysis tools like IDA or like a little bit some other tools we when they

go to parse those values get like weird behaviors because they're expecting like a large number of ice thinking to like read or write and there's like or a small number of bytes then they read a large number of something like that so you can estimate you've seen behavior so that was the keys are like right next to each other for Windows okay so this is kind of recapping what we did right we don't need the PE header out we've loaded so you can just do whatever we want in this case we zeroed out process is still running so our malware is still active we still get our shells like keep kicking butt but the analysis tools fail

and so we're I love talking to my previous talk was like doing this on Windows XP which was before it was end-of-life and as you saw he works in the distance so it's still a valid attack for completeness and you guys like I mean I guess I'm on YouTube or whatever so if you're playing along at home and you want to just like possibility on the side there it is that's okay let's hurry for the next event instead of using Rekall and winpmem with LiME and Volatility

and unfortunately LiME is like a lot faster so there won't be time for God

all right cool so let's actually all right so now we ready ready to see the bottom down here I'll head over sighs this is like bugging out put doing evil stuff you'll see this evil stuff so one of the things that's interesting Volatility on Linux specifically is like or with Volatility specifically is it doesn't ship with a profile for doing memory forensics automatic system so you have to build a profile yourself so I'm just gonna kind of like when you guys go quick through building LiME and building the Volatility profile and then that way like if you wanna do this at home hopefully it'll be easier all right so here's LiME just get it from github so I

can kick on nice and easy so let's see I think I have a copy so I'll just like me clean it cool okay so all you need is I think it's just me so a simple name will make the files for you then you can spawn it so you're inserting the Linux kernel module and took like matches kernel version that's kind of you this shorthand like every as copy and paste it when you mean batch ourselves and you can see I mean this is like the that's the module that got built right and path= and then this is where our memory opportunity so call it lol I'm in tenth and we'll tell it the

format is lime which possible universe so inserting the kernel module will start memory acquisition for us meanwhile not we're still rank doing evil stuff okay cool alright so now the memory acquisition is done shared up a file outline nice alright let's do some Volatility this work it's all too neat so I'll start you guys hot will will make the the profile curve for a bit you okay so we go in some subdirectory all of tools and then Linux it's underneath your public so if you check out and you do a make versus in case all right dwarfdump produces a module.dwarf file and should have eight you should see this like .debug string so there is a debug info now

let's emailing the file build okay all right now you need to create a zip file in these certain directory so you put in this volatility/volatility/plugins/overlays/linux and then I'm just going to call it the big juice you know for that's it then we give it our new files then we just make tools and it is work and we give it the System.map for the current kernel again using that uname -r shorthand to get the current version so we do that looks like it created everything cool alright so now we can get our profile name so here's our vol.py and if we do that touching vote we can

grep for Linux show us thinking profiles that we have that start with the name Linux alright cool so this is the one that I just built great the 16.04 so let's use that to process our memory dump that we grabbed with LiME that's in that tmp directory so there's a lot of high def file this is like our memory acquisition file a lot outline the profile is this Linux one that we just build and let's do a PS list so we can get the process listing and find the process ID of the malware and then we'll try to dump it up or extract it from the memory gnome alright so there's a process listing of everything that was

running when the acquisition is taken here's the keys are like right next to each other 2383 cool so let's do Linux and track them and put it into tmp it was 2383 I think great alright so here we go fingers crossed alright cool looks like the like what the warnings are just like missing these four modules there that's fine it's not an issue but nobody thinks about like dumping the executable so we're gonna all right think right single guy let's run stat okay there's definitely a file there but one thing that looks weird to me is that the file size is zero let's like see oh no it's empty but the malware's still running so good job the attackers win again

so let's talk about what happened there and I'll show you guys so this is like almost the same thing as the Windows version except I kind of do something lazy programming here right so to find myself in memory reading /proc/self/maps which has like all kinds of stuff about this point on the process there's not a reliable way to do this I've been on systems where like you won't have access to /proc it's just like they've totally restricted it so this is bad and I shouldn't feel bad but it works in this case so I so if I'm serving at risk for the better memory I've gotta be bugging out it was you guys talking about

malware started running and then here instead of VirtualProtect I'm calling mprotect, it's essentially the same thing changing page permissions adding the write so that we can write into the page and memset writing zeroes into the header that same memory and restoring the original permissions with mprotect yes the rest is new product prevention this whole it wouldn't with this product from with getting the base from the question is would if there was another root kit that messed with proc on the system or like the wrister didn't progress thinking like that I didn't mess with this particularly cooling and women this case because of the way the lazy way that I did find myself in memory you can

totally do it like in the normal way but I was just lazy so in this case yes I would - the file size here instead of file people as yours and I'm not actually sure my guess is that because I haven't like like debug bits until I can be 100% definitive answer but my suspicion is that when it tries to read into the process structure like in the header it reads like a size of like the file or something like that and it's a C 0 so it's like oh that's zero and it doesn't even try to like read anymore so you could technically like you could like de from the memory image and just

be like okay like I have this blank hair but I don't like a bunch of code here you can put it Knight up and like start getting C to like get it to represent code but like you might not be getting C in the right place between my colleague and I disassembly stuff in there as well or like all kinds of other things can go wrong then from my lips I've made my experience and I only know like one forensic analyst that how doesn't know how to do that everybody else that method does forensics maybe like promised sand mp5 well I mean it's the zero in binary sure to totally trying to attach GDB to it you

know which do it space like the counter for that from like the right to decide would be to like mess with the ptrace stuff right and like prevent like do like anti attach stuff and like anti debugging stuff yes

they see things like zero papery you're gonna know that somebody's doing something once then why not just like copy you know pages from a random process into it so the least was like gives you some semblance of yeah and that's a great point the point is like why why write zeros which is like an anomaly when you could like raise something that looks normal and like another thing we can do is like you seem like tiny ELF or tiny PE what you're like they're like minuscule like executables and what you do is like break that in your head right and then like if somebody don't set out that it's like Oh which is still like weird tiny tiny PE or tiny ELF

running on system but like your eyesight looks like a complete red flag like all zeroes so yeah this is to point yes it's it's fine like you know if you've got like tax on the box or whatever like the SDU the question is like how does the system code with the right X or execute it permission and setup and it's it's the same way this is the reason we're calling like mprotect or we're calling VirtualProtect and it doesn't modify the page permissions right so then the executable maps into memory by default that page permission where the header is only read and execute which so it's executing and not right and so we're making that extra

protect call or protect cause late add write permissions and then we write and then we remove the write permission to restore the original all right let's uh
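A triage check from the defender's side, added here as an example (not code from the talk): given the first page of a module as it sits in a memory image and the same bytes from the file on disk, it flags the all-zero header the demo produces, the random-field variant discussed above, and any byte that differs from the on-disk copy. The sample header is constructed, and the assumption that the loader leaves the header page byte-identical to the file is stated in the code.

```python
import struct

DOS_SIG = b"MZ"
NT_SIG = b"PE\0\0"
PAGE = 0x1000


def build_sample_header(num_sections=3, size_of_headers=0x400, e_lfanew=0x80):
    """Constructed minimal PE32+ header page used as sample input (not a real binary)."""
    buf = bytearray(PAGE)
    buf[0:2] = DOS_SIG
    struct.pack_into("<I", buf, 0x3C, e_lfanew)            # e_lfanew -> NT headers
    buf[e_lfanew:e_lfanew + 4] = NT_SIG
    # COFF file header: Machine, NumberOfSections, TimeDateStamp,
    # PointerToSymbolTable, NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    struct.pack_into("<HHIIIHH", buf, e_lfanew + 4,
                     0x8664, num_sections, 0x5A000000, 0, 0, 0xF0, 0x22)
    opt = e_lfanew + 24                                     # optional header start
    struct.pack_into("<H", buf, opt, 0x20B)                 # PE32+ magic
    struct.pack_into("<I", buf, opt + 60, size_of_headers)  # SizeOfHeaders field
    return bytes(buf)


def inspect_header(page):
    """Sanity-check the first page of a mapped image. Returns a list of anomalies."""
    findings = []
    if not any(page):
        # The talk's demo: whole header overwritten with zeros.
        return ["header page is entirely zero"]
    if page[:2] != DOS_SIG:
        findings.append("missing MZ signature")
    if len(page) < 0x40:
        return findings + ["page too short for a DOS header"]
    e_lfanew = struct.unpack_from("<I", page, 0x3C)[0]
    # Need the whole COFF header plus SizeOfHeaders inside the page.
    if not 0x40 <= e_lfanew <= len(page) - 88:
        return findings + ["e_lfanew %#x outside the header page" % e_lfanew]
    if page[e_lfanew:e_lfanew + 4] != NT_SIG:
        findings.append("missing PE signature at e_lfanew")
    num_sections = struct.unpack_from("<H", page, e_lfanew + 6)[0]
    if not 1 <= num_sections <= 96:
        findings.append("NumberOfSections %d out of range" % num_sections)
    magic = struct.unpack_from("<H", page, e_lfanew + 24)[0]
    if magic not in (0x10B, 0x20B):
        findings.append("unknown optional header magic %#x" % magic)
    size_of_headers = struct.unpack_from("<I", page, e_lfanew + 84)[0]
    if size_of_headers == 0 or size_of_headers > 0x10000:
        findings.append("SizeOfHeaders %#x is implausible" % size_of_headers)
    return findings


def compare_with_disk(mem_page, disk_page):
    """Byte-compare the in-memory header page with the file's first page.
    Assumption: the loader does not rewrite the header page, so any difference
    (zeros, random fields, or a header copied from another process) is suspect.
    Returns (number_of_differing_bytes, offset_of_first_difference_or_None)."""
    n = min(len(mem_page), len(disk_page))
    diffs = [i for i in range(n) if mem_page[i] != disk_page[i]]
    return (len(diffs), diffs[0] if diffs else None)


if __name__ == "__main__":
    disk = build_sample_header()
    for label, mem in (("intact", disk),
                       ("zeroed", bytes(PAGE)),
                       ("foreign header", build_sample_header(num_sections=5))):
        print(label, inspect_header(mem), compare_with_disk(mem, disk))
```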

because the forensics blue team already know your people trust plenty they they know which process you are running in every kill it will what are you protecting I'm protecting the time that I have spent like developing my malware, my implant, my framework like my whole community right what's that's burn yeah right and some like you in this case is a PFC that would stay on the disk but like ourself like remove it software disk yes Yeah right now is fine but also like time intensity there's some like the windows one right we know the new valve head over there after loading in this case and we're having meeting like all the stage unpacking your and stuff like

that so we consider the header a loop in set or right random values to it or whatever and our process continues to run so like we're still operating successfully but the analysis comes faces pretty great for completeness this is like the entire process doing git clone building the kernel module and installing it pre inserting it building the volatility profile

you know just doing possibly stuff with my Volatility friends okay Android somebody's gonna like the pipeline basically just like use encryption and all that does is turn your phone off under certain circumstances I always like the deceased or you stay home so I'm playing at Thanksgiving dinner he's trying to signal my wife up you took my dog and his total students preparing the old recipe para for milk my $60 multi-story signal I want you to kind of Cherry Garcia ice cream you change the bowler or not used for you signal something Social Security numbers for Bitcoin he's my manager

so my atoms pumped up the police and I'm sorry that you had read on their device and misuse of sensors I wanted to use magnets as well but I don't know how they work I have a friend that takes blocks and he's like look we started $125 to remove a boot from retired 75

okay tween 300 videos

okay so I have and this SD card regular SD card the physical lock has not said if we were ideally able to play this this game might have handed each of you economy of this SD card and we'd all play together individually but there's one of me and there's like way more of you so just kind of feel like play along with me as a crowd all right so for the SD card and we see there's a file

cool the rules of the CTF challenger's he add the name to the end of the file once you've done that ensure the files say sing it and you'll see most revive you definitely remounted success must be validated enter your name below alright pretty easy right files already mounted let's just edit it add our name there it is great cool let's unmount it take it out put it back in

her name is not there but we didn't get any ears boss good thought but I mounted it so he mounted us the sync so all the buffers have been flushed everything's been saved to disk that's a good question it won't they won't eject it employed sync are you I can use a sync also but it's a stinker good luck yes I'm sorry okay good night it's not too bad that's good if you've already seen this by the way you're not yes and your guinea on that said no FS have is completely normal but that's that's good we can check like mount flags right if it was mounted like read only when we would have gone to

save sure yeah good that's so like environment variables and stuff like that would be like an element relive like loading a library messing with like mountains all the user people are all the same like ideally you guys could all have a copy of this and be doing this as well so there's nothing I haven't touched any like my operating environment doesn't have anything special going on good diet regular text file up we can like hexanol bit take a look at it

that's the whole content so there's always good yeah

no but that's a good guy so the lots which like for example it's set the unlock position if it were sensible acquisition we would have gotten like an error saying like you know this is like an read all be state good not good that I have something that automatically runs when mounting on mounting no like that's everything is like the operating environments like normally it would be like you're an operating environment as well I might give this SD card to you yet John yeah you totally PD the argument it would take a bit cuz it's like yeah like media but I'll tell you like even if we need that on to it it's still going to be the yeah they oh how

about like if we run strings against it

it's not gonna be back yeah maybe this mountain no but yeah we could literally like we could try like eating the entire part like I'm gonna be late like the disk image like right back onto it it's a moment like extended for causes in there yes yes yeah so what we're doing is we're tampering the SD card firmware from use early on so nice work here have some Swedish Fish that's why i computer instead of sports all right so there's this this tool that uses call sdtool open source

and we run status we see that write protection state is temporarily enabled so we can unlock it now the write protection is off take it out put it in

mount it pull it out put it back in

and we did it so you might mean like BFD pooja or Jia Jia like what is Louis's matter Rises before he appears I think it's kinda cool for a couple different reasons so so the reason this is cool is because you're already and totally normally your OS is not thinking about anything but you're not allowing anything either so you're not creating any forensics evidence just pretty rad so a couple of caveats a lot of USB hubs a show up it's like a different device so I will be able necessarily you see us becoming this case you might need like a directed mm stroke so I have a two laptops but the things that I like about

this right I think we've done some like Android implant work but we like make these Android devices like we have like radius that work for Wi-Fi limitation there's times like 80 so we like put these enduring places and like the bathroom people sit down and go to the bathroom and then they like to the Wi-Fi but it's actually our Wi-Fi on our Android device and then like we get their credit okay but if the Android device gets collected by the blue team then like I don't want them to get any evidence where we get selected by something random get anything off the phone right so if your if all your this is going out like

a microSD card that like I can't save anything and you tie that it with like the anti-forensics app that turns the phone off and photos encrypted everything's protected was good if you render a back platform off of SD card right you can totally operate all the time do the legal things and then there's like no evidence is no problem so it's good portable high when they grow up like a modified is it's all a little bit for a few more things but it's basically like you take like a Raspberry Pi and you just like browse while you're talking through tor and then how like any weeks of like the NS a-- or with our partly see stuff or need

stuff like that like by past few years because so clearly and everything is run through tor so put that on SD card where you've got like the right protection

yeah I need to do that so that you won't have tell us is like having multiple VMs right at the middle bottom this is basically a physical box for me I think I'm done with these anyways so the suggestion tool if you want to grab it that was louder if you guys haven't seen that videos it's like nine hit video this guy's laughing in this hysterical manner this is how you use it I used to build it's a DCCC didn't work for I'm good I'm good that's mine
