Task 1. Is the system infected by Diamorphine?

The linux_check_modules plugin looks for Loadable Kernel Modules (LKMs) that have been unlinked from the kernel's module list (the list /proc/modules is generated from) but still have a kobject under /sys/module, and reports each such discrepancy. A module that hides itself by removing its entry from the module list, as Diamorphine does, leaves exactly this inconsistency behind.

The linux_check_syscall plugin checks the sys_call_table for modified entries. Every syscall handler is a function pointer in that array; the plugin resolves each pointer against the kernel symbol table of the selected profile (System.map) and prints HOOKED for any entry whose address does not resolve to a known kernel symbol.
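The Python below is an example added here, not part of the lab and not Volatility's own code. It re-implements the two discrepancy checks in reduced form over constructed data: a /proc/modules listing, a view of /sys/module in which each entry carries its module_kobject->mod pointer (NULL for built-in code, which is what lets the real plugin skip built-ins instead of flagging every sysfs directory), a kallsyms excerpt and a sys_call_table excerpt. The sys_kill address, the Diamorphine module address and the three hooked entry indices are the ones this walkthrough reports; every other address is made up for the illustration.

```python
"""Added example: reduced re-implementation of the discrepancy checks made by
linux_check_modules and linux_check_syscall, over constructed data.
Not Volatility code; addresses other than those quoted from the lab are made up."""

# Constructed /proc/modules excerpt. A module that has unlinked itself from
# the kernel's module list (as Diamorphine does) is absent here.
PROC_MODULES = """\
ext4 374576 2 - Live 0xffffffffa0044000
jbd2 93427 1 ext4, Live 0xffffffffa0028000
e1000 137499 0 - Live 0xffffffffa0010000
"""

# Constructed view of /sys/module: name -> module_kobject->mod pointer.
# Built-in code such as printk has a sysfs directory but a NULL mod pointer;
# comparing directory names alone would therefore false-positive on it.
SYSFS_MODULES = {
    "ext4": 0xffffffffa0044000,
    "jbd2": 0xffffffffa0028000,
    "e1000": 0xffffffffa0010000,
    "printk": 0x0,
    "diamorphine": 0xffffffffa0523740,  # module address from the walkthrough
}

# Constructed kallsyms/System.map excerpt; sys_kill's address is the one
# disassembled in the walkthrough, the others are illustrative.
KALLSYMS = """\
ffffffff81081b40 T sys_getpid
ffffffff81098d20 T sys_kill
ffffffff8118a500 T sys_getdents
ffffffff8118a620 T sys_getdents64
ffffffff811bd650 T sys_read
ffffffff81c1a000 D per_cpu__irq_stack_union
"""

# Constructed sys_call_table excerpt (index -> handler pointer). Entries
# 62, 78 and 217 point into the module area, as reported for infection1.memory.
SYS_CALL_TABLE = {
    0: 0xffffffff811bd650,
    39: 0xffffffff81081b40,
    62: 0xffffffffa0523190,
    78: 0xffffffffa0523300,
    217: 0xffffffffa0523400,
}


def parse_proc_modules(text):
    """Return {name: load address} from /proc/modules text (field 6 is the base)."""
    modules = {}
    for line in text.splitlines():
        fields = line.split()
        if len(fields) >= 6:
            modules[fields[0]] = int(fields[5], 16)
    return modules


def check_modules(proc_modules_text, sysfs_modules):
    """Names that own a real struct module in sysfs but are missing from the
    module list: the discrepancy linux_check_modules reports."""
    listed = parse_proc_modules(proc_modules_text)
    return sorted(name for name, mod in sysfs_modules.items()
                  if mod != 0 and name not in listed)


def parse_kallsyms(text):
    """Return {address: symbol} for text (T/t) symbols only."""
    symbols = {}
    for line in text.splitlines():
        addr, kind, name = line.split()[:3]
        if kind in ("T", "t"):
            symbols[int(addr, 16)] = name
    return symbols


def check_syscall(table, kallsyms_text):
    """Resolve each table entry against the symbol table; an address that does
    not resolve to a kernel text symbol is reported as HOOKED, as the plugin does."""
    symbols = parse_kallsyms(kallsyms_text)
    return [(idx, table[idx], symbols.get(table[idx], "HOOKED"))
            for idx in sorted(table)]


def hooked_entries(table, kallsyms_text):
    """Indices whose handler is not a known kernel symbol."""
    return [idx for idx, _, sym in check_syscall(table, kallsyms_text)
            if sym == "HOOKED"]


if __name__ == "__main__":
    print("sysfs-only modules:", check_modules(PROC_MODULES, SYSFS_MODULES))
    for idx, addr, sym in check_syscall(SYS_CALL_TABLE, KALLSYMS):
        print("%4d 0x%016x %s" % (idx, addr, sym))
```

The two checks are deliberately independent: a rootkit that only hooks the syscall table without hiding its module shows up in the second check alone, and one that hides its module but hooks by patching code (as Reptile does) shows up only in the first.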

First, run the following (from /root/memory_dump) to list the available profiles.

vol.py --info

Select the Linux profile that matches the kernel version of the memory dump (here Linuxprofile-2_6_32-754_el6_x86_64x64, built for the 2.6.32-754.el6 x86_64 kernel).

Now, let’s start by executing the linux_check_modules plugin against infection1.memory.

vol.py --plugins=plugins --profile=Linuxprofile-2_6_32-754_el6_x86_64x64 linux_check_modules -f /root/memory_dump/infection1.memory

Diamorphine's module was identified: it had been removed from the module list but was still visible under /sys/module. Let's use VolShell to look at the first bytes of that module.

vol.py --plugins=plugins --profile=Linuxprofile-2_6_32-754_el6_x86_64x64 linux_volshell -f /root/memory_dump/infection1.memory

Then, we use the db command as follows.

>>> db(0xffffffffa0523740,128)

0xffffffffa0523740 is the module address we found with the help of linux_check_modules.

Let’s now use linux_check_syscall, as follows.

vol.py --plugins=plugins --profile=Linuxprofile-2_6_32-754_el6_x86_64x64 linux_check_syscall -f /root/memory_dump/infection1.memory --output-file=linux_check_syscall.txt
grep -i hooked linux_check_syscall.txt

linux_check_syscall identified three hooked syscalls: entries 62, 78 and 217, which on x86_64 are sys_kill, sys_getdents and sys_getdents64 (the three Diamorphine needs to hide processes and files and to grant root). The machine we are working on has been disinfected, so its /proc/kallsyms gives us the legitimate addresses of those handlers to compare against.

grep 'sys_getdents\|sys_kill' /proc/kallsyms

Let's look at what sys_kill looks like in the pristine system, as follows.

vol.py --plugins=plugins --profile=Linuxprofile-2_6_32-754_el6_x86_64x64 linux_volshell -f /root/memory_dump/vanilla.memory

Then, we use the dis command as follows.

dis(0xffffffff81098d20,length=45)

This is what sys_kill looks like in the pristine system.

Let's now look at what entry 62 points to in the infected system, as follows.

vol.py --plugins=plugins --profile=Linuxprofile-2_6_32-754_el6_x86_64x64 linux_volshell -f /root/memory_dump/infection1.memory

Then, we use the dis command as follows.

dis(0xffffffffa0523190,length=45)

0xffffffffa0523190 is the address that linux_check_syscall reported for the first hooked entry (62, sys_kill). Note that it lies in the 0xffffffffa0xxxxxx module area, next to the Diamorphine module found earlier, not in the kernel text where the real sys_kill (0xffffffff81098d20) lives.

This is what the hooked sys_kill entry resolves to in the infected system.

Comparing the two (the kernel's sys_kill in the pristine system versus the function that entry 62 now points to in the infected one) shows what a syscall-table hook looks like: the kernel function itself is untouched, but the table entry has been replaced with a pointer to the rootkit's own handler in module memory.

Task 2. Is the system infected by Reptile?

This time we will use the linux_hidden_modules plugin, which carves memory for struct module objects and reports those that are not present in the kernel's module list. linux_check_syscall cannot detect Reptile, because Reptile does not modify the sys_call_table entries at all; it patches the code of the target functions instead (inline hooking).

Among other things, Reptile hooks fillonedir(), filldir(), filldir64(), compat_fillonedir(), compat_filldir(), compat_filldir64() and __d_lookup() to hide files and directories. To hide processes, it hooks tgid_iter() and next_tgid(). To hide network connections, it hooks tcp4_seq_show() and udp4_seq_show().

vol.py --plugins=plugins --profile=Linuxprofile-2_6_32-754_el6_x86_64x64 linux_hidden_modules -f /root/memory_dump/infection2.memory

The Reptile rootkit hidden module was uncovered by the linux_hidden_modules plugin.

Now, let's also run the linux_check_inline_kernel plugin, which detects inline hooking. For a fixed set of kernel functions it examines the function prologue and warns the analyst when it starts with a control transfer such as a JMP, CALL or RET that leads away from the function, which is the signature of a patched function.

vol.py --plugins=plugins --profile=Linuxprofile-2_6_32-754_el6_x86_64x64 linux_check_inline_kernel -f /root/memory_dump/infection2.memory

The plugin detected several network-related functions that were patched by the Reptile rootkit.

Let's use VolShell again against both vanilla.memory and infection2.memory to see what a hooked function (tcp4_seq_show) looks like.

vol.py --plugins=plugins --profile=Linuxprofile-2_6_32-754_el6_x86_64x64 linux_volshell -f /root/memory_dump/vanilla.memory

Then, we use the dis command as follows.

dis(addrspace().profile.get_symbol("tcp4_seq_show"),length=11)

This is what tcp4_seq_show looks like in the pristine system.

vol.py --plugins=plugins --profile=Linuxprofile-2_6_32-754_el6_x86_64x64 linux_volshell -f /root/memory_dump/infection2.memory

Then, we use the dis command as follows.

dis(addrspace().profile.get_symbol("tcp4_seq_show"),length=11)

This is what tcp4_seq_show looks like in the infected system: its first instruction has been overwritten with a JMP into the Reptile code.

Note: in order to hide directories Reptile also patches the fillonedir function, but linux_check_inline_kernel did not report it. The plugin only examines a fixed list of functions, so any function outside that list (here the filldir family) has to be checked by hand, which is what we do next.

vol.py --plugins=plugins --profile=Linuxprofile-2_6_32-754_el6_x86_64x64 linux_volshell -f /root/memory_dump/vanilla.memory

Then, we use the dis command as follows.

dis(addrspace().profile.get_symbol("fillonedir"),length=11)

This is what fillonedir looks like in the pristine system.

vol.py --plugins=plugins --profile=Linuxprofile-2_6_32-754_el6_x86_64x64 linux_volshell -f /root/memory_dump/infection2.memory

Then, we use the dis command as follows.

dis(addrspace().profile.get_symbol("fillonedir"),length=11)

This is what fillonedir looks like in the infected system: like tcp4_seq_show, it has been patched to jump (JMP) into the Reptile code.
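For a function that linux_check_inline_kernel does not cover, the same prologue test can be applied by hand to the first bytes of the function, read in volshell with addrspace().read(addr, 12). The Python below is an example added here, not code from Volatility, Reptile or the lab. It decodes the common x86_64 control-transfer forms a hook stub installs at a function start (jmp/call rel32; mov $imm64,%rax followed by jmp *%rax; push $imm32 followed by ret), computes the target and flags the function when the target lies outside the kernel text range. The kernel text bounds, the function addresses, the stub address and the byte sequences are all constructed for the illustration; only the function names come from this page.

```python
"""Added example: prologue check in the spirit of linux_check_inline_kernel,
applied to constructed byte strings. Not Volatility or Reptile code."""

import struct

# Assumed kernel text bounds for the illustration; in practice take _stext
# and _etext from the profile's System.map.
KERNEL_TEXT = (0xffffffff81000000, 0xffffffff81600000)
MASK64 = 0xFFFFFFFFFFFFFFFF

# Constructed addresses: the function names are the ones this walkthrough
# examines, their locations and the hook stub's location are made up.
FUNCS = {"tcp4_seq_show": 0xffffffff8146a3c0,
         "udp4_seq_show": 0xffffffff81480f10,
         "fillonedir": 0xffffffff8118b2a0}
STUB = 0xffffffffa0601000   # somewhere in the module area

# Constructed "pristine" prologue: push %rbp; mov %rsp,%rbp; push %r15..%r12.
PRISTINE = b"\x55\x48\x89\xe5\x41\x57\x41\x56\x41\x55\x41\x54"


def make_jmp(addr, target):
    """Encode 'jmp rel32' placed at addr and landing on target."""
    return b"\xe9" + struct.pack("<i", target - (addr + 5))


def decode_prologue_jump(addr, code):
    """Target of a control transfer at the function start, or None.
    Recognised forms:
      E9/E8 rel32            jmp/call rel32
      48 B8 imm64 FF E0      mov $imm64,%rax ; jmp *%rax
      68 imm32 C3            push $imm32 ; ret (imm32 sign-extended)
    """
    if len(code) >= 5 and code[0] in (0xE9, 0xE8):
        rel = struct.unpack_from("<i", code, 1)[0]
        return (addr + 5 + rel) & MASK64
    if len(code) >= 12 and code[:2] == b"\x48\xb8" and code[10:12] == b"\xff\xe0":
        return struct.unpack_from("<Q", code, 2)[0]
    if len(code) >= 6 and code[0] == 0x68 and code[5] == 0xC3:
        return struct.unpack_from("<i", code, 1)[0] & MASK64
    return None


def check_inline(name, addr, code, text_range=KERNEL_TEXT):
    """Return (name, verdict, target). A transfer that leaves kernel text
    (for example into the module area) is HOOKED; one that stays inside
    kernel text is left for manual review, because the kernel itself
    occasionally begins a function with a jump."""
    target = decode_prologue_jump(addr, code)
    if target is None:
        return (name, "clean", None)
    lo, hi = text_range
    if lo <= target < hi:
        return (name, "jump-in-text", target)
    return (name, "HOOKED", target)


def scan_functions(samples):
    """samples: {name: (address, first bytes)} -> {name: verdict}."""
    return {name: check_inline(name, addr, code)[1]
            for name, (addr, code) in samples.items()}


# Constructed samples: the same prologues with their first five bytes
# overwritten by a jmp to the stub, the pattern the walkthrough's
# disassembly of the infected dump shows.
VANILLA = {name: (addr, PRISTINE) for name, addr in FUNCS.items()}
INFECTED = {name: (addr, make_jmp(addr, STUB) + PRISTINE[5:])
            for name, addr in FUNCS.items()}


if __name__ == "__main__":
    for label, samples in (("vanilla", VANILLA), ("infected", INFECTED)):
        print(label, scan_functions(samples))
```

The verdict is driven by where the jump lands, not merely by the presence of a jump: a transfer that stays within kernel text may be legitimate and deserves a look rather than an alarm, while a transfer from a kernel function into module address space has no benign explanation on a system that does not use live patching.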

References

  1. http://www.dfir.org/research/android-memory-analysis-DI.pdf
  2. https://www.youtube.com/watch?v=oWkOyphlmM8
  3. https://github.com/504ensicsLabs/LiME
  4. https://www.blackhat.com/presentations/bh-dc-07/Walters/Paper/bh-dc-07-Walters-WP.pdf
  5. http://4tphi.net/fatkit/papers/fatkit_journal.pdf
  6. http://volatilesystems.blogspot.com/2008/08/pyflagvolatility-team-wins-dfrws.html
  7. http://dfir.org/research/omfw.pdf
  8. https://github.com/halpomeranz/lmg
  9. https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-61r2.pdf
  10. https://github.com/volatilityfoundation/volatility/wiki/Linux-Command-Reference
  11. https://github.com/m0nad/Diamorphine
  12. https://github.com/f0rb1dd3n/Reptile/
  13. https://github.com/h2hconference/2018/
  14. https://countuponsecurity.com/2019/10/14/notes-on-linux-memory-analysis-lime-volatility-and-lkms/