Abstract

Nowadays, security practitioners typically use memory acquisition or live forensics to detect and analyze sophisticated malware samples. Subsequently, malware authors began to incorporate anti-forensic techniques that subvert the analysis process by hiding malicious memory areas. Those techniques typically modify characteristics, such as access permissions, or place malicious data near legitimate data, in order to prevent the memory from being identified by analysis tools while still remaining accessible. With this paper, we present three novel methods that prevent malicious user space memory from appearing in analysis tools and additionally make the memory inaccessible from a security analyst's perspective. Two of these techniques manipulate kernel structures, namely Page Table Entries and the structures responsible for managing user space memory regions, while the third one utilizes shared memory and hence does not require elevated privileges. As a proof of concept, we implemented all techniques for the Windows and Linux operating systems, and subsequently evaluated them with both memory forensics and live analysis techniques. Furthermore, we discuss and evaluate several approaches to detect our subversion techniques and introduce two Rekall plugins that automate the detection of hidden memory for the shared memory scenario.
