Tuesday, March 17, 2009

A memory snapshot project

Some time ago, I got really tired of seeing lame attempts at proving the value of memory dumps by vendors showing that you could find "hxdef" strings in memory dumps. Today, I'd like to announce a fledgling personal project of mine. I don't yet have a name for it and it's in the very early stages but it goes something like this...

I see a lot of malware and I know there are a lot of people that don't. I also know that people want to do memory analysis but the only real source of samples is from DFRWS from 4 years ago. Here's what I'm doing...

I take 'in the wild' malware, load it up in a virtual machine, suspend the virtual machine and extract the .vmem file. I then upload the .vmem file and make it available to you, my faceless readers and the world at large. This isn't one of those "contests" where I challenge you to analyze a memory dump. Rather I am providing memory dumps of 'in the wild' malware being run in a controlled environment. Maybe this will help developers build better tools, maybe this will educate examiners, maybe this will build incident response IQ, maybe this will give students something to work with, or maybe I'll just waste some cycles providing this stuff. Time will tell.

This post is more or less a test to see if the public can access my skydrive to download the memory snapshots. Up until now, I've had issues sharing files with others. Hopefully skydrive helps with this issue.

My first snapshot is here. The file is a split .AD1 file created with FTK imager 2.5.5. You'll need to combine the segments and extract the contents. It's incredibly easy with FTK imager. The file contained within is a 7zip compressed memory image. Simply uncompress and have fun. All I ask at this point is that you let me know if you have issues, and maybe let me know if you find it valuable.

17 comments:

Keydet89 said...

I've logged into Windows Live...how do I retrieve the files? Tried double-clicking, right-clicking, even tried reading the page...

hogfly said...

Harlan,
When you get in to public\exemplar4 directory, above the files is a link to "download as a .zip file". This will download all files in a single .zip file. Let me know if that works for you.

Sebqc said...

Very good idea :-)

Thanks!

Richard Bejtlich said...

Sorry, I'm not familiar with the "ad" format. Any chance you could acquire and/or post in something less product-specific? Thank you.

hogfly said...

Richard,
Yes I'm sure I can. My inclination last night was just to use ftk imager, but I'll try a few things to see what works best. Likely I'll end up using split.

Robert said...

What a great idea.

I didn't have any problems downloading the files, I tried both methods, the single zip file and then the individual files.

Any thoughts about posting the base VMware image that it was created from so we can reload it in VMWare?

Maybe legal issues here.

I am trying to mount the vmem file as a device but so far have been unsuccessful.

Any thoughts?

moyix said...

This is an excellent idea! I know because I was talking about doing exactly this in #volatility a couple days ago :D And now you've done the work for me.

One possible addition that might make this even more valuable--possibly post the malware sample used as well? It can probably be extracted from memory in most cases, but having the original there (zipped/encrypted of course) would let people see exactly what in-memory effects a piece of malware has.

hogfly said...

Robert,
I did think about posting the base vmware image, but given the max file size of 50MB, that's an awful lot of segments and it wouldn't allow me to have that many available at a time.

Not to mention there probably would be a cease and desist issued at some point.

You're trying to mount it as a device in what tool?

Robert said...

I tried VMWare's diskmount, and the LE version of Liveview.

I also used Encase Enterprise. I can add it as an image but would love to see it in the VM environment

I see lots of malware and virus and would love to help.

hogfly said...

Moyix,
Absolutely I will post the malware, though probably to offensivecomputing for wider dissemination and contribution to that project.

Strangely enough I talked to AAron about this a month ago or more, and finally figured out a file hosting solution in skydrive.

I need to experiment with flypaper to see if I can fully freeze the malware in memory before suspending, that way the processes don't get a chance to exit.

hogfly said...

Robert,
Try examining it with Volatility or Memoryze. I've been working through some of the samples in Responder Pro. It's unlikely you'll get it to work in a VM environment. Your best bet in that regard is to try to extract the binary for memory, or wait for me to upload the sample to offensivecomputing.

Keydet89 said...

Robert,

I have to say, I'm intensely curious...why would you attempt to mount a memory dump/.vmem file in this manner?

I must have missed something...

Keydet89 said...

I grabbed the files, pulled out the .vmem, and ran it through Responder Field edition for a quick look. I exported the Internet History that it found to a .txt file, and found some really cool stuff really quickly.

These are a great means for looking at Volatility, Memoryze, and HBGary, as well as any other tools you may have or use.

Thanks for posting!!

Keydet89 said...

All,

I downloaded the MemoryzeSetup.msi file from Mandiant, and ran it...and nothing happened. I did get the dialog box, but nothing was ever installed. I tried to install Memoryze in D:\Memoryze, and even tried the default path...but nothing happened.

Has anyone else seen this?

hogfly said...

Harlan,
what did you find in the history?

Robert said...

Keydet89

Alot of the conversation involving this was not posted publicly. It basically was a discussion about using a base VMWare image file. By using this approach and sharing the VMWare image with everyone you could mount it if you were interested in doing so.

The main roadblock here would be the sharing of
the VMWare image. I'm sure legal issues would most likely end in a cease and desist letter.

Robert

echo6 said...

Oooh, thanks hogfly, will take a peek when I get chance, look forward to some from moyiz also :) Guess I should get some of my images of injected dlls up!