Research on Forensics Technology of Malicious Code Based on Deleted PE File Header

doi:10.3969/j.issn.1671-1122.2021.12.006

Abstract

Abstract:

In particular, malware removes the headers of executable file and copy them to the memory pages which have the execute protection to prevent code exposure during the memory forensic analysis. This paper proposed a method to detect executable files without headers by searching the Section table in the memory dump. Therefore, this paper explore the Section header signatures and check whether the offset intervals among them are a multiple of the Section header size to detect Section tables. We select the non-private pages with execute protection in Virtual Address Descriptor (VAD) which are highly likely to be hidden by malicious code and scan the Section Tables. In addition, this paper verified the detection performance by implementing the proposal as a plug-in that can be executed in Volatility 3 Framework and analyzing the memory of the system infected with Ursnif.

Key words: memory forensics, virtual address descriptor, volatility3, malicious code

CLC Number:

TP309

LI Pengchao, LIU Yanfei. Research on Forensics Technology of Malicious Code Based on Deleted PE File Header[J]. Netinfo Security, 2021, 21(12): 38-43.

Figures/Tables 5

References 16

[1]	MICHAEL H L. The Art of Memory Forensics: Detecting Malware and Threats in Windows, Linux, and Mac Memory[M]. New Jersey: John Wiley, 2014.
[2]	HOGLUND G, BUTLER J. Rootkits: Subverting the Windows Kernel[J]. Pearson Schweiz Ag, 2005, 7(2):169-212.
[3]	AFIANIAN A, NIKSEFAT S, SADEGHIYAN B, et al. Malware Dynamic Analysis Evasion Techniques: A Survey[J]. ACMComputingSurveys(CSUR), 2018, 52(6):1-28.
[4]	ANDREW C, GOLDEN G. Memory Forensics: The Path Forward[J]. Digital Investigation: The Internatnional Journal of Digital Forensics & Incident Response, 2017, 20(3):23-33.
[5]	TRENDMICRO. URSNIF Malware Still Making New Waves[EB/OL]. https://success.trendmicro.com/solution/000283513, 2020-12-18.
[6]	DTM. Anti-forensic and File-less Malwares[EB/OL]. https://0x00sec.org/t/anti-forensic-and-file-less-malware/10008, 2018-12-06.
[7]	PALUTKE R, BLOCK F, REICHENBERGER P, et al. Hiding Process Memory Via Anti-forensic Techniques[J]. Forensic Science International: Digital Investigation, 2020, 33(7):418-426.
[8]	HARUYAMA T. One-byte Modification for Breaking Memory Forensic Analysis[EB/OL]. https://www.blackhat.com/html/bh-eu-12/bh-eu-12-archives.html#haruyama, 2012-03-16.
[9]	STÜTTGEN J, COHEN M. Anti-forensic Resilient Memory Acquisition[J]. Digital Investigation, 2013, 10(2):105-115.
[10]	CARRIER B D, GRAND J. A Hardware-based Memory Acquisition Procedure for Digital Investigations[J]. Digital Investigation, 2004, 1(1):50-60. doi: 10.1016/j.diin.2003.12.001 URL
[11]	ZHANG Lei, WANG Lianhai. Live Memory Acquisition through FireWire[J]. China Communications, 2010, 7(6):78-85.
[12]	Rekall Forensics. Windows Plugin[EB/OL]. http://www.rekall-forensic.com/documentation-1/rekall-documentation/pluginsl, 2021-09-20.
[13]	Rekall Forensics. Plugin Reference[EB/OL]. https://rekall.readthedocs.io/en/latest/plugins.html, 2021-09-20.
[14]	Microsoft. PE Format[EB/OL]. https://docs.microsoft.com/en-us/windows/win32/debug/pe-format, 2021-09-20.
[15]	JUNG S, SEO S, KIM Y, et al. Memory Layout Extraction and Verification Method for Reliable Physical Memory Acquisition[J]. Electronics, 2021, 10(12):1380-1383. doi: 10.3390/electronics10121380 URL
[16]	BLOCK F, DEWALD A. Windows Memory Forensics: Detecting (Un)Intentionally Hidden Injected Code by Examining Page Table Entries[J]. Digital Investigation, 2019, 29(S):3-12.

Section名	内容	Section名	内容
.bss	未初始化数据	.drective	链接选项
.data	已初始化数据	.reloc	镜像重定位
.pdata	异常信息	.rsrc	资源目录
.text	执行代码	.idata	导入表