Thursday, 9 February 2012

Meterpreter Anti Memory Forensics (Memoryze) Script

This is more of a proof of concept, meant to demonstrate the weaknesses of contemporary memory acquisition tools. I talked about this at BackTrack Day 2011, and in my opinion the memory acquisition process, as well as the tools, are only useful in situations where an attacker has not taken any precautions. Let's face it: these tools have to deal with systems which might be under the full control of an attacker.

As I like Metasploit, I would like to support my claim using a presentation given in 2009 by Mandiant called "Metasploit Autopsy: Reconstructing the scene of the crime".

The presentation really shows how to extract a meterpreter session from memory using Mandiant's Memoryze. This is really amazing, as long as you are able to obtain a memory dump. Let me repeat the sentence above: "these tools have to deal with systems which might be under the full control of an attacker."

What if an attacker is simply watching for a process called "memoryze.exe" to appear and kills it? Or what if the attacker prevents any additional drivers from being loaded? To obtain a full memory dump, all contemporary tools load their own driver. If you prevent additional drivers from being loaded, they will fail (see below).
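Both interference techniques described above leave traces that a responder can check for before trusting a dump: the acquisition process dying almost immediately, or the tool's driver never being loaded while the process was alive. The following script is an added example (not code from the original post) that audits constructed Sysmon-style process-create, process-terminate and driver-load records for exactly those two conditions; the paths, PIDs, timestamps and the 5-second threshold are assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample records shaped like Sysmon Event IDs 1 (process create),
# 5 (process terminate) and 6 (driver load); paths, PIDs and times are made up.
EVENTS = [
    {"EventID": 1, "UtcTime": "2012-02-09 10:00:00.000", "Image": r"C:\ir\memoryze.exe", "ProcessId": 1234},
    {"EventID": 5, "UtcTime": "2012-02-09 10:00:00.400", "Image": r"C:\ir\memoryze.exe", "ProcessId": 1234},
    {"EventID": 1, "UtcTime": "2012-02-09 10:05:00.000", "Image": r"C:\ir\memoryze.exe", "ProcessId": 1300},
    {"EventID": 6, "UtcTime": "2012-02-09 10:05:01.000", "ImageLoaded": r"C:\ir\mktools.sys"},
    {"EventID": 5, "UtcTime": "2012-02-09 10:09:30.000", "Image": r"C:\ir\memoryze.exe", "ProcessId": 1300},
]

def _ts(event):
    return datetime.strptime(event["UtcTime"], "%Y-%m-%d %H:%M:%S.%f")

def _basename(path):
    return path.rsplit("\\", 1)[-1].lower()

def audit_acquisition(events, tool="memoryze.exe", driver="mktools.sys",
                      min_runtime=timedelta(seconds=5)):
    """Map each run of the acquisition tool (keyed by PID) to a list of anomalies.

    'terminated_early'  : the process died before min_runtime elapsed, which a
                          real acquisition of a whole RAM image never does.
    'driver_not_loaded' : no load event for the tool's driver occurred while the
                          process was alive, so no physical memory was read.
    """
    events = sorted(events, key=_ts)
    findings = {}
    for e in events:
        if e["EventID"] != 1 or _basename(e["Image"]) != tool:
            continue
        start, pid = _ts(e), e["ProcessId"]
        # Lifetime ends at the first matching terminate event; None means still running.
        end = next((_ts(x) for x in events
                    if x["EventID"] == 5 and x["ProcessId"] == pid and _ts(x) >= start), None)
        problems = []
        if end is not None and end - start < min_runtime:
            problems.append("terminated_early")
        loaded = any(x["EventID"] == 6 and _basename(x["ImageLoaded"]) == driver
                     and start <= _ts(x) <= (end or datetime.max) for x in events)
        if not loaded:
            problems.append("driver_not_loaded")
        findings[pid] = problems
    return findings

if __name__ == "__main__":
    for pid, problems in audit_acquisition(EVENTS).items():
        print(pid, problems or "ok")
```

Renaming the executable only changes the `tool` argument; the driver name check is the one an attacker cannot dodge by renaming, which is the point the post makes about mktools.sys.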




Now think about it: you are working on very critical systems and you are only allowed to do live response, because shutting down the system would cost the system owner a hundred thousand dollars per hour. You decide to obtain a memory dump, and an attacker is monitoring for a process called memoryze.exe and will shut down the system as soon as the process appears. Guess who is fucked now?

I am not saying that this is the overall solution (it's actually ridiculous), and you can still change the name of the executable, but the name of the driver (mktools.sys) doesn't change along with it. This makes it very easy for attackers to use malware analysis strategies against the vendors of these tools: create a signature for the tools and defeat them, for instance with yara: http://averagesecurityguy.info/2012/01/30/hunting-for-artifacts-with-metasploit/

If you want to prevent other drivers from loading, the script will currently only work under Windows XP (not virtualised), as it uses the preservation.sys driver from the Malware Analyst's Cookbook to prevent other drivers from loading as a proof of concept.

I am aware of the fact that this approach writes to disk, but it is only for demonstration purposes, and I am quite sure that there are guys out there who will be able to modify this script so that it won't write to disk anymore and will even change your underwear without you noticing.

The code is not available anymore; drop me a comment if you are interested.