Abstract
Distributed code injection is a new type of malicious code injection technique. It makes existing forensics techniques for injected code detection infeasible by splitting a malicious code into several code snippets, injecting them into multiple running processes, and executing them in each process spaces. In spite of the impact of it on practical forensics fields, there was no discussion on countermeasures against this threat. In this paper, we present a memory forensics method for finding all code snippets distributively injected into multiple processes to defeat distributed code injection attacks. Our method is designed on the following observation for distributed code injection attacks. Even though malicious code is split and distributed in multiple processes, the split code snippets have to synchronize each other at runtime to maintain the order of the execution of the original malicious code. We exploit this characteristic of distributed code injection attacks with our method. The experimental results showed that our method successfully found all distributed code snippets and assisted to reconstruct the original code from them. We believe that we are the first to present a countermeasure against distributed code injection attacks. We also believe that our method is able to improve the efficiency of forensics especially for a host compromised with distributed code injection attacks.
This is a preview of subscription content, log in via an institution to check access.
Access this chapter
Tax calculation will be finalised at checkout
Purchases are for personal use only
Notes
- 1.
We modified the code of malWASH, which was downloaded from [9], for fixing bugs.
- 2.
Note that a TID is globally unique in the Windows environment while a thread with the TID is alive. We can use a TID to identify the thread uniquely.
References
Arasteh, A.R., Debbabi, M.: Forensic memory analysis: from stack and code to execution history. Digit. Invest. 4(Suppl.), 114–125 (2007)
Barabosch, T., Bergmann, N., Dombeck, A., Padilla, E.: Quincy: detecting host-based code injection attacks in memory dumps. In: Polychronakis, M., Meier, M. (eds.) DIMVA 2017. LNCS, vol. 10327, pp. 209–229. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-60876-1_10
CodeMachine Inc.: CodeMachine – Article – Catalog of key Windows kernel data structures. https://www.codemachine.com/article_kernelstruct.html. Accessed 02 Apr 2019
Cohen, M.: Scanning memory with Yara. Digit. Invest. 20, 34–43 (2017). https://doi.org/10.1016/j.diin.2017.02.005
FireEye, Inc.: M-trends (2019). https://content.fireeye.com/m-trends. Accessed 02 Apr 2019
Google Inc.: Rekall memory forensic framework. http://www.rekall-forensic.com/. Accessed 02 Apr 2019
Hammond, A.: Hunting for gargoyle memory scanning evasion. https://www.countercept.com/blog/hunting-for-gargoyle/. Accessed 02 Apr 2019
Hejazi, S.M., Talhi, C., Debbabi, M.: Extraction of forensically sensitive information from windows physical memory. Digit. Invest. 6(Suppl.), S121–S131 (2009)
HexHive: Github – hexhive/malwash. https://github.com/HexHive/malWASH. Accessed 02 Apr 2019
Ispoglou, K.K., Payer, M.: malWASH: washing malware to evade dynamic analysis. In: 10th USENIX Workshop on Offensive Technologies (WOOT 2016). USENIX Association (2016)
KSLGroup: Github – kslgroup/process-doppelganging-doppelfind: a volatility plugin to detect process doppelganging. https://github.com/kslgroup/Process-Doppelganging-Doppelfind. Accessed 02 Apr 2019
Leitch, J.: Process hollowing. https://www.autosectools.com/Process-Hollowing.html. Accessed 02 Apr 2019
Liberman, T., Kogan, E.: Lost in transaction: process doppelgänging. Black Hat Europe 2017 (2017)
Lospinoso, J.: Gargoyle, a memory scanning evasion technique. https://lospi.net/security/assembly/c/cpp/developing/software/2017/03/04/gargoyle-memory-analysis-evasion.html. Accessed 02 Apr 2019
Microsoft: Singly and doubly linked lists – Windows drivers—Microsoft docs. https://docs.microsoft.com/en-us/windows-hardware/drivers/kernel/singly-and-doubly-linked-lists. Accessed 02 Apr 2019
Microsoft: Transactional NTFS (TxF) – Windows applications—Microsoft docs. https://docs.microsoft.com/ja-jp/windows/desktop/FileIO/transactional-ntfs-portal. Accessed 02 Apr 2019
Monnappa, K.A.: Detecting deceptive process hollowing techniques using hollowfind volatility plugin - cysinfo. https://cysinfo.com/detecting-deceptive-hollowing-techniques/. Accessed 02 Apr 2019
Otsuki, Y., Kawakoya, Y., Iwamura, M., Miyoshi, J., Ohkubo, K.: Building stack traces from memory dump of windows x64. Digit. Invest. 24, S101–S110 (2018). https://doi.org/10.1016/j.diin.2018.01.013
Pék, G., Lázár, Z., Várnagy, Z., Félegyházi, M., Buttyán, L.: Membrane: a posteriori detection of malicious code loading by memory paging analysis. In: Askoxylakis, I., Ioannidis, S., Katsikas, S., Meadows, C. (eds.) ESORICS 2016. LNCS, vol. 9878, pp. 199–216. Springer, Cham (2016). https://doi.org/10.1007/978-3-319-45744-4_10
Pshoul, D.: Community/dimapshoul at master \(\cdot \) volatilityfoundation/community \(\cdot \) github. https://github.com/volatilityfoundation/community/tree/master/DimaPshoul. Accessed 02 Apr 2019
Pulley, C.: Github – carlpulley/volatility: a collection of volatility framework plugins. https://github.com/carlpulley/volatility. Accessed 02 Apr 2019
Roemer, R., Buchanan, E., Shacham, H., Savage, S.: Return-oriented programming: systems, languages, and applications. ACM Trans. Inf. Syst. Secur. 15(1), 2:1–2:34 (2012)
Smulders, E.: Github – dutchy-/volatility-plugins: container for assorted volatility plugins. https://github.com/Dutchy-/volatility-plugins. Accessed 02 Apr 2019
The Volatility Foundation: The volatility foundation – open source memory forensics. http://www.volatilityfoundation.org/. Accessed 02 Apr 2019
Author information
Authors and Affiliations
Corresponding author
Editor information
Editors and Affiliations
A Implementation Details
A Implementation Details
In this appendix, we explain how we implemented the component for building Thread to Thread links. To build them, we have two steps. First is how we extract the threads waiting for a synchronization object. Second is how we extract the thread holding a synchronization object. To simplify the explanation, we focus our scope into only semaphore from several synchronization objects.
Extraction of Threads Waiting for a Synchronization Object. We first explain the data structure for the extraction, i.e., KWAIT_BLOCK. Then, we explain how to extract threads using the data structure.
All threads waiting for a semaphore object are linked via KWAIT_BLOCKs. KWAIT_BLOCK structure represents a list entry of the wait list for a synchronization object. The wait list is a LIST_ENTRY-based doubly-linked list [15] linking with KWAIT_BLOCKs as many as threads waiting for the same synchronization object. A KWAIT_BLOCK also includes two pointers: Thread and Object. The Thread points to the thread object, i.e. KTHREAD object, corresponding a waiting thread. A KTHREAD object has the WaitBlockList pointing to an array of KWAIT_BLOCKs for synchronization objects waited by the thread [3]. The Object points to the synchronization object waited for by the thread pointed to by the Thread. A synchronization object has the WaitListHead that is the head LIST_ENTRY of the KWAIT_BLOCK list.
By walking each KWAIT_BLOCK list, we can retrieve all waiting threads and the waited semaphore object. After our plugin enumerates thread objects corresponding the threads executing suspicious code regions, it firstly extracts KWAIT_BLOCKs from WaitBlockList of each of the thread objects. Second, our plugin extracts the semaphore object and other waiting threads by traversing the list of each of the KWAIT_BLOCKs. Third, it distinguishes semaphore objects waited for by only threads executing suspicious code regions and defines the semaphore objects as ones for coordinating distributed code snippets. Our plugin finally extracts the threads waiting for the semaphore objects.
Extraction of Threads Holding a Synchronization Object. We first explain the problem on how to identify the thread holding a semaphore object. Then, we explain our approach to solve the problem extracting the thread via the handle for the object opened by a process.
The problem is that there is no explicit evidence to find the owners of a semaphore object in Windows environment. A KWAIT_BLOCK list for a semaphore object is defined to manage only waiting threads and does not include any information regarding the owners of the semaphore object. Semaphore object, i.e. KSEMAPHORE object, also has no direct pointer to the owners. Therefore, we need to find the owner threads of it from other data sources.
To solve this problem, we focus on processes opening the handles of a specific semaphore objects. All processes owning threads holding semaphore objects must hold handles for the semaphore objects. The semaphore objects for coordinating distributed code snippets must be unique and never acquired by threads executing benign code. Therefore, we can use processes as mediators to find out threads holding the semaphore objects.
Figure 7 illustrates how to find out the owner thread in our implementation. The detail of our approach is as follows.
Linked code snippets via threads sharing a semaphore object.
-
1.
Find semaphore objects based on the results of waiting threads extraction.
-
2.
Enumerate processes holding a handle for each of the objects.
-
3.
Extract processes owning threads, which are detected as executing suspicious code and are not waiting for the semaphore object, from the enumerated processes.
-
4.
Define the threads as the owners of the semaphore objects.
We explain each step of our plugin with Fig. 7. Our plugin first detects the thread A, B, and C executing the suspicious code (1), (2), and (3), like in the case of Fig. 3. The thread B and C are waiting for the semaphore object X and our plugin builds a link between the thread B and C from the KWAIT_BLOCK list for the semaphore object X. After that, our plugin starts extracting the owner threads of the semaphore objects. For the first step, it finds the semaphore object X via the thread B and C. For the second step, our plugin enumerates the process A’, B’, C’ as processes holding a handle for the semaphore X. For the third step, it distinguishes the process A’ owning the thread A, which is not waiting the semaphore object X, from the others. For the fourth step, our plugin defines the thread A as the current owner of the semaphore object X. Our plugin finally builds a Thread to Thread link throughout the thread A, B, and C.
Rights and permissions
Copyright information
© 2019 Springer Nature Switzerland AG
About this paper
Cite this paper
Otsuki, Y., Kawakoya, Y., Iwamura, M., Miyoshi, J., Faires, J., Lillard, T. (2019). Toward the Analysis of Distributed Code Injection in Post-mortem Forensics. In: Attrapadung, N., Yagi, T. (eds) Advances in Information and Computer Security. IWSEC 2019. Lecture Notes in Computer Science(), vol 11689. Springer, Cham. https://doi.org/10.1007/978-3-030-26834-3_23
Download citation
DOI: https://doi.org/10.1007/978-3-030-26834-3_23
Published:
Publisher Name: Springer, Cham
Print ISBN: 978-3-030-26833-6
Online ISBN: 978-3-030-26834-3
eBook Packages: Computer ScienceComputer Science (R0)