For the 2014 Volatility Plugin contest, I put together a few plugins that all use ssdeep in some way.
- ssdeepscan – locating similar memory pages
- malfinddeep and apihooksdeep – whitelisting injected and hooking code with ssdeep
Note: To get these plugins to work, you must install ssdeep and pydeep. Both are very standard installations.
- ssdeep – http://ssdeep.sourceforge.net/ – This was tested with the 2.11.1 version of ssdeep. A standard ./configure; make; sudo make install is all that’s needed.
- pydeep – https://github.com/kbandla/pydeep – Also a standard python setup.py build; sudo python setup.py install is all that’s necessary.
ssdeepscan – locating similar memory pages
This plugin is like yarascan (the yarascan.py code was actually used as the starting point), but instead of YARA rules it scans with the ssdeep hash of a memory page, looking for other pages that are similar to it.
I was originally trying to use ssdeep (via pydeep) to attempt to find the source EXE or DLL that created the injected code found in malfind output or hooking code in apihooks. The idea was to be able to find injected code or hooks that Volatility might normally not be able to trace back to a specific DLL (lists the hooking module as <unknown>), and see what other EXE or DLL may have copied it into that memory allocation. This likely isn’t always going to work because the hook code won’t be copied directly from one memory location to another, and might be moved via multiple instructions or some other method.
However, it does appear to find some similar code sections. An example follows. I am using the memory image linked to in this post: http://malware.dontneedcoffee.com/2014/08/angler-ek-now-capable-of-fileless.html
A normal scan of malfind finds the following:
$ vol.py -f D5XLBY3J-bf977e52_lookIE_pid_860.vmss --profile=WinXPSP2x86 malfind | grep Process
Volatility Foundation Volatility Framework 2.4
Process: csrss.exe Pid: 652 Address: 0x7f6f0000
Process: explorer.exe Pid: 1776 Address: 0x29d0000
Process: Fiddler.exe Pid: 4048 Address: 0x3c0000
Process: Fiddler.exe Pid: 4048 Address: 0x360000
Process: iexplore.exe Pid: 3224 Address: 0x1390000
Process: iexplore.exe Pid: 3224 Address: 0x1e40000
Process: iexplore.exe Pid: 3224 Address: 0x5fff0000
Process: iexplore.exe Pid: 860 Address: 0x6a50000
Process: iexplore.exe Pid: 860 Address: 0x1b00000
Process: iexplore.exe Pid: 860 Address: 0x2b70000
Process: iexplore.exe Pid: 860 Address: 0x6480000
Process: iexplore.exe Pid: 860 Address: 0x6440000
Process: iexplore.exe Pid: 860 Address: 0x6410000
Process: iexplore.exe Pid: 860 Address: 0x6400000
Process: iexplore.exe Pid: 860 Address: 0x6430000
Process: iexplore.exe Pid: 860 Address: 0x6420000
Process: iexplore.exe Pid: 860 Address: 0x6460000
Process: iexplore.exe Pid: 860 Address: 0x6450000
Process: iexplore.exe Pid: 860 Address: 0x6470000
Process: iexplore.exe Pid: 860 Address: 0x64b0000
Process: iexplore.exe Pid: 860 Address: 0x64a0000
Process: iexplore.exe Pid: 860 Address: 0x6490000
Process: iexplore.exe Pid: 860 Address: 0x64d0000
Process: iexplore.exe Pid: 860 Address: 0x64c0000
Process: iexplore.exe Pid: 860 Address: 0x64f0000
Process: iexplore.exe Pid: 860 Address: 0x64e0000
Process: iexplore.exe Pid: 860 Address: 0x6520000
Process: iexplore.exe Pid: 860 Address: 0x6500000
Process: iexplore.exe Pid: 860 Address: 0x6540000
Process: iexplore.exe Pid: 860 Address: 0x6560000
Process: iexplore.exe Pid: 860 Address: 0x6580000
Process: iexplore.exe Pid: 860 Address: 0x65a0000
Process: iexplore.exe Pid: 860 Address: 0x65c0000
Process: iexplore.exe Pid: 860 Address: 0x6a10000
Process: iexplore.exe Pid: 860 Address: 0x6a30000
Process: iexplore.exe Pid: 860 Address: 0x6ad0000
Process: iexplore.exe Pid: 860 Address: 0x6a90000
Process: iexplore.exe Pid: 860 Address: 0x6a70000
Process: iexplore.exe Pid: 860 Address: 0x6ab0000
Process: iexplore.exe Pid: 860 Address: 0x6b30000
Process: iexplore.exe Pid: 860 Address: 0x6b10000
Process: iexplore.exe Pid: 860 Address: 0x6af0000
Process: iexplore.exe Pid: 860 Address: 0x6b90000
Process: iexplore.exe Pid: 860 Address: 0x6b60000
Process: iexplore.exe Pid: 860 Address: 0x6bf0000
Process: iexplore.exe Pid: 860 Address: 0x6bc0000
Process: iexplore.exe Pid: 860 Address: 0x6c50000
Process: iexplore.exe Pid: 860 Address: 0x6c20000
Process: iexplore.exe Pid: 860 Address: 0x6c80000
Process: iexplore.exe Pid: 860 Address: 0x6cb0000
Process: iexplore.exe Pid: 860 Address: 0x6ce0000
Process: iexplore.exe Pid: 860 Address: 0x5fff0000
The details of one of these sections (virtual address 0x6c80000) in iexplore.exe (PID 860) are as follows:
Process: iexplore.exe Pid: 860 Address: 0x6c80000
Vad Tag: VadS Protection: PAGE_EXECUTE_READWRITE
Flags: CommitCharge: 40, MemCommit: 1, PrivateMemory: 1, Protection: 6

0x06c80000  e7 c4 a6 c1 9d 79 53 59 77 bc 21 52 74 79 de d1   .....ySYw.!Rty..
0x06c80010  5b 53 76 51 f1 b0 27 5c 9f 40 35 51 74 91 50 5a   [SvQ..'\.@5Qt.PZ
0x06c80020  77 54 33 35 73 39 53 e0 3a 0e 36 51 ff 69 d0 99   wT35s9S.:.6Q.i..
0x06c80030  73 32 0f 59 01 40 d8 11 4b d7 cf 11 06 48 68 93   s2.Y.@..K....Hh.

0x6c80000 e7c4             OUT 0xc4, EAX
0x6c80002 a6               CMPSB
0x6c80003 c19d79535977bc   RCR DWORD [EBP+0x77595379], 0xbc
0x6c8000a 215274           AND [EDX+0x74], EDX
0x6c8000d 79de             JNS 0x6c7ffed
0x6c8000f d15b53           RCR DWORD [EBX+0x53], 0x1
0x6c80012 7651             JBE 0x6c80065
0x6c80014 f1               INT1
If you dump the whole VAD section, you can see that this segment is XORed with a repeating 8-byte key, wT6QtySY, which explains why the disassembly looks abnormal. If we take this PID and virtual address and run ssdeepscan, we can find other locations where this code exists beyond what malfind found, specifically some instances in lsass.exe (100% ssdeep match). The plugin takes a -T option whose value is a colon-separated PID and base virtual offset (PID:offset). It runs ssdeep on the 4096-byte page at that offset and then scans every other page to measure similarity. For each hit, the output gives the ssdeep hash of the page, the ssdeep comparison score, the page offset, the VAD region containing that offset, and the owning process information when available.
$ vol.py -f D5XLBY3J-bf977e52_lookIE_pid_860.vmss --profile=WinXPSP2x86 ssdeepscan -T 860:0x6c80000
Volatility Foundation Volatility Framework 2.4
ssdeep hash: 48:XLr0t2LGht7aCyI/nGwH7+nWWZEFRD+QI+KNj8GnKeg:BGh1ZnpSWHi80j8Gn3g  ssdeep score: 100  offset: 0x4b2000L  VAD region: 0x420000L-0x522fffL  Owner: Process lsass.exe Pid 732
ssdeep hash: 48:XLr0t2LGht7aCyI/nGwH7+nWWZEFRD+QI+KNj8GnKeg:BGh1ZnpSWHi80j8Gn3g  ssdeep score: 100  offset: 0xcb2000L  VAD region: 0xcb0000L-0xceffffL  Owner: Process lsass.exe Pid 732
ssdeep hash: 48:XLr0t2LGht7aCyI/nGwH7+nWWZEFRD+QI+KNj8GnKeg:BGh1ZnpSWHi80j8Gn3g  ssdeep score: 100  offset: 0x5b8b4000L  VAD region: 0x5b860000L-0x5b8b4fffL  Owner: Process lsass.exe Pid 732
ssdeep hash: 48:XLr0t2LGht7aCyI/nGwH7+nWWZEFRD+QI+KNj8GnKeg:BGh1ZnpSWHi80j8Gn3g  ssdeep score: 100  offset: 0x5d0b2000L  VAD region: 0x5d090000L-0x5d129fffL  Owner: Process lsass.exe Pid 732
ssdeep hash: 96:8sJkHbXrUY6Ng00o029c/pIdHDGh1ZnpSWHi80jz:rIrn6r022pIdHDYnpSS0n  ssdeep score: 46  offset: 0x2342000L  VAD region: 0x12e0000L-0x32dffffL  Owner: Process Fiddler.exe Pid 4048
ssdeep hash: 48:2GhcoEikcq0lIuHqB7wkEHSSMQAko2kj2/ENENJMiB4H1w0DbKdsM6ItLr0t2LGI:2Gzjq+HqBc1VOx9jVyN+DH1wndHDGhO  ssdeep score: 19  offset: 0x2362000L  VAD region: 0x12e0000L-0x32dffffL  Owner: Process Fiddler.exe Pid 4048
ssdeep hash: 48:U7aCyI/nGwH7+nWWZEFRD+QI+KNj8GnKeL:KZnpSWHi80j8Gn3L  ssdeep score: 85  offset: 0x2363000L  VAD region: 0x12e0000L-0x32dffffL  Owner: Process Fiddler.exe Pid 4048
ssdeep hash: 48:2Lr0t2LGht7aCyI/nGwH7+nWWZEFRD+QI+KNj8GnKet:eGh1ZnpSWHi80j8Gn3t  ssdeep score: 97  offset: 0x23a3000L  VAD region: 0x12e0000L-0x32dffffL  Owner: Process Fiddler.exe Pid 4048
ssdeep hash: 48:XLr0t2LGht7aCyI/nGwH7+nWWZEFRD+QI+KNj8GnKeg:BGh1ZnpSWHi80j8Gn3g  ssdeep score: 100  offset: 0x6a50000L  VAD region: 0x6a50000L-0x6a69fffL  Owner: Process iexplore.exe Pid 860
ssdeep hash: 48:XLr0t2LGht7aCyI/nGwH7+nWWZEFRD+QI+KNj8GnKeg:BGh1ZnpSWHi80j8Gn3g  ssdeep score: 100  offset: 0x6480000L  VAD region: 0x6480000L-0x6488fffL  Owner: Process iexplore.exe Pid 860
ssdeep hash: 48:XLr0t2LGht7aCyI/nGwH7+nWWZEFRD+QI+KNj8GnKeg:BGh1ZnpSWHi80j8Gn3g  ssdeep score: 100  offset: 0x6440000L  VAD region: 0x6440000L-0x6444fffL  Owner: Process iexplore.exe Pid 860
ssdeep hash: 48:XLr0t2LGht7aCyI/nGwH7+nWWZEFRD+QI+KNj8GnKeg:BGh1ZnpSWHi80j8Gn3g  ssdeep score: 100  offset: 0x6410000L  VAD region: 0x6410000L-0x6411fffL  Owner: Process iexplore.exe Pid 860
ssdeep hash: 48:XLr0t2LGht7aCyI/nGwH7+nWWZEFRD+QI+KNj8GnKeg:BGh1ZnpSWHi80j8Gn3g  ssdeep score: 100  offset: 0x6430000L  VAD region: 0x6430000L-0x6433fffL  Owner: Process iexplore.exe Pid 860
ssdeep hash: 48:XLr0t2LGht7aCyI/nGwH7+nWWZEFRD+QI+KNj8GnKeg:BGh1ZnpSWHi80j8Gn3g  ssdeep score: 100  offset: 0x6420000L  VAD region: 0x6420000L-0x6422fffL  Owner: Process iexplore.exe Pid 860
ssdeep hash: 48:XLr0t2LGht7aCyI/nGwH7+nWWZEFRD+QI+KNj8GnKeg:BGh1ZnpSWHi80j8Gn3g  ssdeep score: 100  offset: 0x6460000L  VAD region: 0x6460000L-0x6466fffL  Owner: Process iexplore.exe Pid 860
ssdeep hash: 48:XLr0t2LGht7aCyI/nGwH7+nWWZEFRD+QI+KNj8GnKeg:BGh1ZnpSWHi80j8Gn3g  ssdeep score: 100  offset: 0x6450000L  VAD region: 0x6450000L-0x6455fffL  Owner: Process iexplore.exe Pid 860
ssdeep hash: 48:XLr0t2LGht7aCyI/nGwH7+nWWZEFRD+QI+KNj8GnKeg:BGh1ZnpSWHi80j8Gn3g  ssdeep score: 100  offset: 0x6470000L  VAD region: 0x6470000L-0x6477fffL  Owner: Process iexplore.exe Pid 860
ssdeep hash: 48:XLr0t2LGht7aCyI/nGwH7+nWWZEFRD+QI+KNj8GnKeg:BGh1ZnpSWHi80j8Gn3g  ssdeep score: 100  offset: 0x64b0000L  VAD region: 0x64b0000L-0x64bbfffL  Owner: Process iexplore.exe Pid 860
ssdeep hash: 48:XLr0t2LGht7aCyI/nGwH7+nWWZEFRD+QI+KNj8GnKeg:BGh1ZnpSWHi80j8Gn3g  ssdeep score: 100  offset: 0x64a0000L  VAD region: 0x64a0000L-0x64aafffL  Owner: Process iexplore.exe Pid 860
ssdeep hash: 48:XLr0t2LGht7aCyI/nGwH7+nWWZEFRD+QI+KNj8GnKeg:BGh1ZnpSWHi80j8Gn3g  ssdeep score: 100  offset: 0x6490000L  VAD region: 0x6490000L-0x6499fffL  Owner: Process iexplore.exe Pid 860
ssdeep hash: 48:XLr0t2LGht7aCyI/nGwH7+nWWZEFRD+QI+KNj8GnKeg:BGh1ZnpSWHi80j8Gn3g  ssdeep score: 100  offset: 0x64d0000L  VAD region: 0x64d0000L-0x64ddfffL  Owner: Process iexplore.exe Pid 860
ssdeep hash: 48:XLr0t2LGht7aCyI/nGwH7+nWWZEFRD+QI+KNj8GnKeg:BGh1ZnpSWHi80j8Gn3g  ssdeep score: 100  offset: 0x64c0000L  VAD region: 0x64c0000L-0x64ccfffL  Owner: Process iexplore.exe Pid 860
ssdeep hash: 48:XLr0t2LGht7aCyI/nGwH7+nWWZEFRD+QI+KNj8GnKeg:BGh1ZnpSWHi80j8Gn3g  ssdeep score: 100  offset: 0x64f0000L  VAD region: 0x64f0000L-0x64fffffL  Owner: Process iexplore.exe Pid 860
ssdeep hash: 48:XLr0t2LGht7aCyI/nGwH7+nWWZEFRD+QI+KNj8GnKeg:BGh1ZnpSWHi80j8Gn3g  ssdeep score: 100  offset: 0x64e0000L  VAD region: 0x64e0000L-0x64eefffL  Owner: Process iexplore.exe Pid 860
ssdeep hash: 48:XLr0t2LGht7aCyI/nGwH7+nWWZEFRD+QI+KNj8GnKeg:BGh1ZnpSWHi80j8Gn3g  ssdeep score: 100  offset: 0x6520000L  VAD region: 0x6520000L-0x6531fffL  Owner: Process iexplore.exe Pid 860
ssdeep hash: 48:XLr0t2LGht7aCyI/nGwH7+nWWZEFRD+QI+KNj8GnKeg:BGh1ZnpSWHi80j8Gn3g  ssdeep score: 100  offset: 0x6500000L  VAD region: 0x6500000L-0x6510fffL  Owner: Process iexplore.exe Pid 860
ssdeep hash: 48:XLr0t2LGht7aCyI/nGwH7+nWWZEFRD+QI+KNj8GnKeg:BGh1ZnpSWHi80j8Gn3g  ssdeep score: 100  offset: 0x6540000L  VAD region: 0x6540000L-0x6552fffL  Owner: Process iexplore.exe Pid 860
ssdeep hash: 48:XLr0t2LGht7aCyI/nGwH7+nWWZEFRD+QI+KNj8GnKeg:BGh1ZnpSWHi80j8Gn3g  ssdeep score: 100  offset: 0x6560000L  VAD region: 0x6560000L-0x6573fffL  Owner: Process iexplore.exe Pid 860
ssdeep hash: 48:XLr0t2LGht7aCyI/nGwH7+nWWZEFRD+QI+KNj8GnKeg:BGh1ZnpSWHi80j8Gn3g  ssdeep score: 100  offset: 0x6580000L  VAD region: 0x6580000L-0x6594fffL  Owner: Process iexplore.exe Pid 860
ssdeep hash: 48:XLr0t2LGht7aCyI/nGwH7+nWWZEFRD+QI+KNj8GnKeg:BGh1ZnpSWHi80j8Gn3g  ssdeep score: 100  offset: 0x65a0000L  VAD region: 0x65a0000L-0x65b5fffL  Owner: Process iexplore.exe Pid 860
ssdeep hash: 48:XLr0t2LGht7aCyI/nGwH7+nWWZEFRD+QI+KNj8GnKeg:BGh1ZnpSWHi80j8Gn3g  ssdeep score: 100  offset: 0x65c0000L  VAD region: 0x65c0000L-0x65d6fffL  Owner: Process iexplore.exe Pid 860
ssdeep hash: 48:XLr0t2LGht7aCyI/nGwH7+nWWZEFRD+QI+KNj8GnKeg:BGh1ZnpSWHi80j8Gn3g  ssdeep score: 100  offset: 0x6a10000L  VAD region: 0x6a10000L-0x6a27fffL  Owner: Process iexplore.exe Pid 860
ssdeep hash: 48:XLr0t2LGht7aCyI/nGwH7+nWWZEFRD+QI+KNj8GnKeg:BGh1ZnpSWHi80j8Gn3g  ssdeep score: 100  offset: 0x6a30000L  VAD region: 0x6a30000L-0x6a48fffL  Owner: Process iexplore.exe Pid 860
ssdeep hash: 48:XLr0t2LGht7aCyI/nGwH7+nWWZEFRD+QI+KNj8GnKeg:BGh1ZnpSWHi80j8Gn3g  ssdeep score: 100  offset: 0x6ad0000L  VAD region: 0x6ad0000L-0x6aedfffL  Owner: Process iexplore.exe Pid 860
ssdeep hash: 48:XLr0t2LGht7aCyI/nGwH7+nWWZEFRD+QI+KNj8GnKeg:BGh1ZnpSWHi80j8Gn3g  ssdeep score: 100  offset: 0x6a90000L  VAD region: 0x6a90000L-0x6aabfffL  Owner: Process iexplore.exe Pid 860
ssdeep hash: 48:XLr0t2LGht7aCyI/nGwH7+nWWZEFRD+QI+KNj8GnKeg:BGh1ZnpSWHi80j8Gn3g  ssdeep score: 100  offset: 0x6a70000L  VAD region: 0x6a70000L-0x6a8afffL  Owner: Process iexplore.exe Pid 860
ssdeep hash: 48:XLr0t2LGht7aCyI/nGwH7+nWWZEFRD+QI+KNj8GnKeg:BGh1ZnpSWHi80j8Gn3g  ssdeep score: 100  offset: 0x6ab0000L  VAD region: 0x6ab0000L-0x6accfffL  Owner: Process iexplore.exe Pid 860
ssdeep hash: 48:XLr0t2LGht7aCyI/nGwH7+nWWZEFRD+QI+KNj8GnKeg:BGh1ZnpSWHi80j8Gn3g  ssdeep score: 100  offset: 0x6b30000L  VAD region: 0x6b30000L-0x6b50fffL  Owner: Process iexplore.exe Pid 860
ssdeep hash: 48:XLr0t2LGht7aCyI/nGwH7+nWWZEFRD+QI+KNj8GnKeg:BGh1ZnpSWHi80j8Gn3g  ssdeep score: 100  offset: 0x6b10000L  VAD region: 0x6b10000L-0x6b2ffffL  Owner: Process iexplore.exe Pid 860
ssdeep hash: 48:XLr0t2LGht7aCyI/nGwH7+nWWZEFRD+QI+KNj8GnKeg:BGh1ZnpSWHi80j8Gn3g  ssdeep score: 100  offset: 0x6af0000L  VAD region: 0x6af0000L-0x6b0efffL  Owner: Process iexplore.exe Pid 860
ssdeep hash: 48:XLr0t2LGht7aCyI/nGwH7+nWWZEFRD+QI+KNj8GnKeg:BGh1ZnpSWHi80j8Gn3g  ssdeep score: 100  offset: 0x6b90000L  VAD region: 0x6b90000L-0x6bb2fffL  Owner: Process iexplore.exe Pid 860
ssdeep hash: 48:XLr0t2LGht7aCyI/nGwH7+nWWZEFRD+QI+KNj8GnKeg:BGh1ZnpSWHi80j8Gn3g  ssdeep score: 100  offset: 0x6b60000L  VAD region: 0x6b60000L-0x6b81fffL  Owner: Process iexplore.exe Pid 860
ssdeep hash: 48:XLr0t2LGht7aCyI/nGwH7+nWWZEFRD+QI+KNj8GnKeg:BGh1ZnpSWHi80j8Gn3g  ssdeep score: 100  offset: 0x6bf0000L  VAD region: 0x6bf0000L-0x6c14fffL  Owner: Process iexplore.exe Pid 860
ssdeep hash: 48:XLr0t2LGht7aCyI/nGwH7+nWWZEFRD+QI+KNj8GnKeg:BGh1ZnpSWHi80j8Gn3g  ssdeep score: 100  offset: 0x6bc0000L  VAD region: 0x6bc0000L-0x6be3fffL  Owner: Process iexplore.exe Pid 860
ssdeep hash: 48:XLr0t2LGht7aCyI/nGwH7+nWWZEFRD+QI+KNj8GnKeg:BGh1ZnpSWHi80j8Gn3g  ssdeep score: 100  offset: 0x6c50000L  VAD region: 0x6c50000L-0x6c76fffL  Owner: Process iexplore.exe Pid 860
ssdeep hash: 48:XLr0t2LGht7aCyI/nGwH7+nWWZEFRD+QI+KNj8GnKeg:BGh1ZnpSWHi80j8Gn3g  ssdeep score: 100  offset: 0x6c20000L  VAD region: 0x6c20000L-0x6c45fffL  Owner: Process iexplore.exe Pid 860
ssdeep hash: 48:XLr0t2LGht7aCyI/nGwH7+nWWZEFRD+QI+KNj8GnKeg:BGh1ZnpSWHi80j8Gn3g  ssdeep score: 100  offset: 0x6c80000L  VAD region: 0x6c80000L-0x6ca7fffL  Owner: Process iexplore.exe Pid 860
The ssdeep score was 100, but to verify, we can use volshell to disassemble one of the sections found in lsass.exe and see that it matches the code injected in iexplore.exe.
$ vol.py -f D5XLBY3J-bf977e52_lookIE_pid_860.vmss --profile=WinXPSP2x86 volshell
Volatility Foundation Volatility Framework 2.4
Current context: System @ 0x825c69c8, pid=4, ppid=0 DTB=0x2a20020
Welcome to volshell! Current memory image is:
file:///Users/dave/D5XLBY3J-bf977e52_lookIE_pid_860.vmss
To get help, type 'hh()'
>>> cc(pid=732)
Current context: lsass.exe @ 0x824d7bc0, pid=732, ppid=676 DTB=0x2a200c0
>>> db(0x4b2000L)
0x004b2000  e7 c4 a6 c1 9d 79 53 59 77 bc 21 52 74 79 de d1   .....ySYw.!Rty..
0x004b2010  5b 53 76 51 f1 b0 27 5c 9f 40 35 51 74 91 50 5a   [SvQ..'\.@5Qt.PZ
0x004b2020  77 54 33 35 73 39 53 e0 3a 0e 36 51 ff 69 d0 99   wT35s9S.:.6Q.i..
0x004b2030  73 32 0f 59 01 40 d8 11 4b d7 cf 11 06 48 68 93   s2.Y.@..K....Hh.
0x004b2040  00 79 b7 6d 75 29 16 59 77 21 12 07 ca 79 73 59   .y.mu).Yw!...ysY
0x004b2050  77 32 b3 25 75 6f 0d 2d 67 93 72 50 14 3c 25 61   w2.%uo.-g.rP.<%a
0x004b2060  65 dd 72 50 10 f0 07 58 1f 04 de 2f 76 79 53 6a   e.rP...X.../vySj
0x004b2070  b7 97 63 da 98 28 05 0e 9f fc 34 51 74 f2 a3 d8   ..c..(....4Qt...
>>> dis(0x4b2000L)
0x4b2000 e7c4             OUT 0xc4, EAX
0x4b2002 a6               CMPSB
0x4b2003 c19d79535977bc   RCR DWORD [EBP+0x77595379], 0xbc
0x4b200a 215274           AND [EDX+0x74], EDX
0x4b200d 79de             JNS 0x4b1fed
0x4b200f d15b53           RCR DWORD [EBX+0x53], 0x1
0x4b2012 7651             JBE 0x4b2065
0x4b2014 f1               INT1
malfinddeep and apihooksdeep – whitelisting injected and hooking code with ssdeep
I wasn’t getting the exact results I hoped for with ssdeepscan, but I realized using ssdeep on pages like this could provide an additional method of whitelisting in malfind and apihooks. I’ve come across several security tools such as AV, DLP, EMET, etc., that have sections of code that are found with malfind and apihooks. Sometimes these are in sections mapped to DLLs and the plugin output provides that information. Other times, they are memory allocated without any reference to a file. In the former case, apihooks provides a whitelisting method to omit those hooks; however, this is more difficult when Volatility can’t identify the corresponding file.
The plugins malfinddeep and apihooksdeep extend the malfind and apihooks classes. They both work in similar ways and add a global whitelist_ssdeep list of tuples in the format (name, ssdeep_hash). For example:
whitelist_ssdeep = [
    ('Sample', '96:gd5l0eLAUpzGA73fBSu5yg7407l4WpE2eSHhhixk0EU0A:opLdpzL34u5dvZrp9/hwCA'),
    ('Badstuff', '48:XLr0t2LGht7aCyI/nGwH7+nWWZEFRD+QI+KNj8GnKeg:BGh1ZnpSWHi80j8Gn3g'),
]
Then, for any injected code or hooks, each 4096-byte page is hashed with ssdeep and compared to the hashes in that whitelist. If the comparison score is greater than the specified threshold (-T option, default 25), a message indicating the match is displayed instead of the normal output. After writing the plugin, I was able to whitelist some malfind and apihooks output I typically see at work. I don’t have a memory sample I can share for that, but I can show how it works using the same memory sample as above.
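To make the per-page hashing and the threshold comparison concrete, here is a small self-contained Python illustration added for this write-up (it is not code from the plugins, from hash_by_page.py, or from the ssdeep project): it re-implements a toy version of ssdeep's context-triggered piecewise hashing, turns a constructed 3-page region into (name, hash) tuples the way the whitelist expects, and checks an exact copy, a lightly patched copy and an unrelated page against that whitelist with the default threshold of 25. The hashes it produces are not byte-compatible with real ssdeep output (the plugins call pydeep for that), and the region contents and the AcLayers.DLL label are constructed sample data.

```python
"""Toy context-triggered piecewise hashing (CTPH) over 4096-byte memory pages.
Mirrors the shape of ssdeep (rolling-hash triggers, per-piece hash, a
'blocksize:sig1:sig2' string, weighted edit distance) but is NOT
byte-compatible with real ssdeep; the plugins themselves call pydeep."""
import random

PAGE_SIZE, MIN_BLOCKSIZE, SPAMSUM_LENGTH, ROLLING_WINDOW = 4096, 3, 64, 7
HASH_INIT, HASH_PRIME = 0x28021967, 0x01000193
B64 = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"

def _rolling_hashes(data):
    """Yield the 7-byte-window rolling hash after each byte, ssdeep style."""
    h1, h2, h3, window = 0, 0, 0, [0] * ROLLING_WINDOW
    for i, c in enumerate(data):
        h2 = (h2 - h1 + ROLLING_WINDOW * c) & 0xFFFFFFFF
        h1 = (h1 + c - window[i % ROLLING_WINDOW]) & 0xFFFFFFFF
        window[i % ROLLING_WINDOW] = c
        h3 = ((h3 << 5) ^ c) & 0xFFFFFFFF
        yield (h1 + h2 + h3) & 0xFFFFFFFF

def _signature(data, block_size):
    """One signature: a base64 char of the piece hash at each trigger point."""
    sig, h = [], HASH_INIT
    for c, rh in zip(data, _rolling_hashes(data)):
        h = ((h * HASH_PRIME) & 0xFFFFFFFF) ^ c
        if rh % block_size == block_size - 1:     # context-triggered boundary
            sig.append(B64[h & 63])
            h = HASH_INIT
    if h != HASH_INIT:                            # flush the trailing piece
        sig.append(B64[h & 63])
    return "".join(sig)

def fuzzy_hash(data):
    """Return 'blocksize:sig1:sig2'; sig2 is computed at twice the block size."""
    bs = MIN_BLOCKSIZE
    while bs * SPAMSUM_LENGTH < len(data):        # aim for roughly 64 chars
        bs *= 2
    sig1 = _signature(data, bs)
    while len(sig1) < SPAMSUM_LENGTH // 2 and bs > MIN_BLOCKSIZE:
        bs //= 2                                  # too few triggers: refine
        sig1 = _signature(data, bs)
    return "%d:%s:%s" % (bs, sig1, _signature(data, bs * 2))

def _edit_distance(a, b):
    """Levenshtein distance with insert/delete cost 1 and substitution cost 2."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[-1] + 1, prev[j - 1] + 2 * (ca != cb)))
        prev = cur
    return prev[-1]

def _score_strings(s1, s2, block_size):
    """0..100 similarity of two signatures taken at the same block size."""
    if not any(s1[i:i + ROLLING_WINDOW] in s2 for i in range(len(s1) - ROLLING_WINDOW + 1)):
        return 0                                  # no common 7-gram: unrelated
    score = 100 - 100 * _edit_distance(s1, s2) // (len(s1) + len(s2))
    # like ssdeep, keep very short signatures from exaggerating a match
    return min(score, block_size // MIN_BLOCKSIZE * min(len(s1), len(s2)))

def compare(h1, h2):
    """Score two hashes; only equal or adjacent block sizes are comparable."""
    (bs1, a1, a2), (bs2, b1, b2) = h1.split(":"), h2.split(":")
    bs1, bs2 = int(bs1), int(bs2)
    if bs1 == bs2:
        return max(_score_strings(a1, b1, bs1), _score_strings(a2, b2, 2 * bs1))
    if bs1 == 2 * bs2:
        return _score_strings(a1, b2, bs1)
    return _score_strings(a2, b1, bs2) if bs2 == 2 * bs1 else 0

def hash_pages(name, buf):
    """Split a dumped region into pages and emit (name, hash) whitelist tuples."""
    return [(name, fuzzy_hash(buf[off:off + PAGE_SIZE]))
            for off in range(0, len(buf), PAGE_SIZE)]

def best_whitelist_match(page, whitelist, threshold=25):
    """Best (name, score) above the -T style threshold (default 25), else None."""
    page_hash = fuzzy_hash(page)
    score, name = max(((compare(page_hash, h), n) for n, h in whitelist), default=(0, None))
    return (name, score) if score > threshold else None

def demo():
    """Constructed data: a 3-page pseudo-random region labelled AcLayers.DLL."""
    rng = random.Random(1)
    region = bytes(rng.randrange(256) for _ in range(3 * PAGE_SIZE))
    whitelist = hash_pages("AcLayers.DLL", region)
    exact = region[PAGE_SIZE:2 * PAGE_SIZE]
    patched = exact[:100] + b"\x90" * 8 + exact[108:]  # small in-page modification
    unrelated = bytes(rng.randrange(256) for _ in range(PAGE_SIZE))
    return tuple(best_whitelist_match(p, whitelist) for p in (exact, patched, unrelated))
```

The exact page scores 100 against its own whitelist entry, the patched page still clears the threshold because only the pieces around the modified bytes change, and the unrelated page shares no 7-character run with any entry and is reported as no match.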
Running apihooks on PID 860 in the sample finds several hooks in AcLayers.DLL:
************************************************************************
Hook mode: Usermode
Hook type: Import Address Table (IAT)
Process: 860 (iexplore.exe)
Victim module: iexplore.exe (0x400000 - 0x49c000)
Function: kernel32.dll!LoadLibraryExW
Hook address: 0x715ba16b
Hooking module: AcLayers.DLL

Disassembly(0):
0x715ba16b b8d52a5e71       MOV EAX, 0x715e2ad5
0x715ba170 e88b360100       CALL 0x715cd800
0x715ba175 83ec14           SUB ESP, 0x14
0x715ba178 53               PUSH EBX
0x715ba179 56               PUSH ESI
0x715ba17a 57               PUSH EDI
0x715ba17b 8965f0           MOV [EBP-0x10], ESP
0x715ba17e ff7508           PUSH DWORD [EBP+0x8]
0x715ba181 33db             XOR EBX, EBX
Again, these hooks could be suppressed by adding a rule to the existing whitelists in apihooks:
whitelist_rules = {
    HOOK_MODE_USER | HOOKTYPE_IAT : [
        # Ignore hooks that point inside AcLayers.DLL
        (".*", ".*", "AcLayers\.DLL", ".*"),
    ]
}
But if this was a hook where “Hooking module” was
$ vol.py -f D5XLBY3J-bf977e52_lookIE_pid_860.vmss --profile=WinXPSP2x86 dlllist -p 860 | grep AcLayers.DLL
Volatility Foundation Volatility Framework 2.4
0x71590000    0x79000     0x1 C:\WINDOWS\AppPatch\AcLayers.DLL
$ vol.py -f D5XLBY3J-bf977e52_lookIE_pid_860.vmss --profile=WinXPSP2x86 vaddump -p 860 -b 0x71590000 -D dumps
Volatility Foundation Volatility Framework 2.4
Pid        Process              Start      End        Result
---------- -------------------- ---------- ---------- ------
       860 iexplore.exe         0x71590000 0x71608fff dumps/iexplore.exe.24296b8.0x71590000-0x71608fff.dmp
Then, using another tool called hash_by_page.py in my DFIR repo on GitHub, we can generate the tuples for the whitelist. This script divides the file specified with -f into 4096-byte chunks, runs ssdeep on each chunk, and emits a tuple of the hash together with the name given by the -n option. That name is what malfinddeep/apihooksdeep display when a page matches.
$ python hash_by_page.py -n AcLayers.DLL -f dumps/iexplore.exe.24296b8.0x71590000-0x71608fff.dmp
[output: one ('AcLayers.DLL', '<ssdeep hash>') tuple per 4096-byte page of the dump]
Next, add the generated tuples to the whitelist_ssdeep variable in apihooksdeep.py shown above. Now when the plugin runs, these hooks are reported as whitelist matches rather than fully displayed:
$ vol.py -f D5XLBY3J-bf977e52_lookIE_pid_860.vmss --profile=WinXPSP2x86 apihooksdeep -p 860
Volatility Foundation Volatility Framework 2.4
Process: 860 (iexplore.exe) Hook at 0x715b9e59 in page 0x715b9000 is 100% similar to whitelist hook AcLayers.DLL
Process: 860 (iexplore.exe) Hook at 0x715ba067 in page 0x715ba000 is 100% similar to whitelist hook AcLayers.DLL
Process: 860 (iexplore.exe) Hook at 0x715ba16b in page 0x715ba000 is 100% similar to whitelist hook AcLayers.DLL
************************************************************************
Hook mode: Usermode
Hook type: Inline/Trampoline
Process: 860 (iexplore.exe)
Victim module: ntdll.dll (0x7c900000 - 0x7c9b2000)
Function: ntdll.dll!NtTerminateProcess at 0x7c90de6e
Hook address: 0x6cebb88
Hooking module:

Disassembly(0):
0x7c90de6e e915dd3d8a       JMP 0x6cebb88
0x7c90de73 ba0003fe7f       MOV EDX, 0x7ffe0300
0x7c90de78 ff12             CALL DWORD [EDX]
0x7c90de7a c20800           RET 0x8
0x7c90de7d 90               NOP
0x7c90de7e b802010000       MOV EAX, 0x102
0x7c90de83 ba               DB 0xba
0x7c90de84 0003             ADD [EBX], AL

Disassembly(1):
0x6cebb88 55               PUSH EBP
0x6cebb89 8bec             MOV EBP, ESP
0x6cebb8b 837d08ff         CMP DWORD [EBP+0x8], -0x1
0x6cebb8f 751c             JNZ 0x6cebbad
0x6cebb91 817d0c050000c0   CMP DWORD [EBP+0xc], 0xc0000005
0x6cebb98 7413             JZ 0x6cebbad
0x6cebb9a 81               DB 0x81
0x6cebb9b 7d0c             JGE 0x6cebba9
0x6cebb9d 06               PUSH ES
0x6cebb9e 0000             ADD [EAX], AL
************************************************************************
Hook mode: Usermode
Hook type: Inline/Trampoline
Process: 860 (iexplore.exe)
Victim module: ntdll.dll (0x7c900000 - 0x7c9b2000)
Function: ntdll.dll!ZwTerminateProcess at 0x7c90de6e
Hook address: 0x6cebb88
Hooking module:

Disassembly(0):
0x7c90de6e e915dd3d8a       JMP 0x6cebb88
0x7c90de73 ba0003fe7f       MOV EDX, 0x7ffe0300
0x7c90de78 ff12             CALL DWORD [EDX]
0x7c90de7a c20800           RET 0x8
0x7c90de7d 90               NOP
0x7c90de7e b802010000       MOV EAX, 0x102
0x7c90de83 ba               DB 0xba
0x7c90de84 0003             ADD [EBX], AL

Disassembly(1):
0x6cebb88 55               PUSH EBP
0x6cebb89 8bec             MOV EBP, ESP
0x6cebb8b 837d08ff         CMP DWORD [EBP+0x8], -0x1
0x6cebb8f 751c             JNZ 0x6cebbad
0x6cebb91 817d0c050000c0   CMP DWORD [EBP+0xc], 0xc0000005
0x6cebb98 7413             JZ 0x6cebbad
0x6cebb9a 81               DB 0x81
0x6cebb9b 7d0c             JGE 0x6cebba9
0x6cebb9d 06               PUSH ES
0x6cebb9e 0000             ADD [EAX], AL
************************************************************************
Hook mode: Usermode
Hook type: Inline/Trampoline
Process: 860 (iexplore.exe)
Victim module: kernel32.dll (0x7c800000 - 0x7c8f6000)
Function: kernel32.dll!ExitProcess at 0x7c81d20a
Hook address: 0x6cebb78
Hooking module:

Disassembly(0):
0x7c81d20a e969e94c8a       JMP 0x6cebb78
0x7c81d20f 6aff             PUSH -0x1
0x7c81d211 68b0f3e877       PUSH DWORD 0x77e8f3b0
0x7c81d216 ff7508           PUSH DWORD [EBP+0x8]
0x7c81d219 e846ffffff       CALL 0x7c81d164
0x7c81d21e e9               DB 0xe9
0x7c81d21f 7ac8             JP 0x7c81d1e9
0x7c81d221 01               DB 0x1

Disassembly(1):
0x6cebb78 e8dd060000       CALL 0x6cec25a
0x6cebb7d 68010000c0       PUSH DWORD 0xc0000001
0x6cebb82 e8b8b7ffff       CALL 0x6ce733f
0x6cebb87 cc               INT 3
0x6cebb88 55               PUSH EBP
0x6cebb89 8bec             MOV EBP, ESP
0x6cebb8b 837d08ff         CMP DWORD [EBP+0x8], -0x1
0x6cebb8f 75               DB 0x75
Process: 860 (iexplore.exe) Hook at 0x715ba16b in page 0x715ba000 is 100% similar to whitelist hook AcLayers.DLL
Process: 860 (iexplore.exe) Hook at 0x715ba067 in page 0x715ba000 is 100% similar to whitelist hook AcLayers.DLL
Process: 860 (iexplore.exe) Hook at 0x715b9e59 in page 0x715b9000 is 100% similar to whitelist hook AcLayers.DLL
Process: 860 (iexplore.exe) Hook at 0x715b9e59 in page 0x715b9000 is 100% similar to whitelist hook AcLayers.DLL
Process: 860 (iexplore.exe) Hook at 0x715ba067 in page 0x715ba000 is 100% similar to whitelist hook AcLayers.DLL
Process: 860 (iexplore.exe) Hook at 0x715b9e59 in page 0x715b9000 is 100% similar to whitelist hook AcLayers.DLL
Process: 860 (iexplore.exe) Hook at 0x715ba067 in page 0x715ba000 is 100% similar to whitelist hook AcLayers.DLL
Process: 860 (iexplore.exe) Hook at 0x715ba16b in page 0x715ba000 is 100% similar to whitelist hook AcLayers.DLL
Process: 860 (iexplore.exe) Hook at 0x715b9e59 in page 0x715b9000 is 100% similar to whitelist hook AcLayers.DLL
Process: 860 (iexplore.exe) Hook at 0x715ba067 in page 0x715ba000 is 100% similar to whitelist hook AcLayers.DLL
************************************************************************
Hook mode: Usermode
Hook type: Inline/Trampoline
Process: 860 (iexplore.exe)
Victim module: USER32.dll (0x7e410000 - 0x7e4a1000)
Function: USER32.dll!CallNextHookEx at 0x7e42b3c6
Hook address: 0x3e2dd1c5
Hooking module: IEFRAME.dll

Disassembly(0):
0x7e42b3c6 e9fa1debbf       JMP 0x3e2dd1c5
0x7e42b3cb 64a118000000     MOV EAX, [FS:0x18]
0x7e42b3d1 83784000         CMP DWORD [EAX+0x40], 0x0
0x7e42b3d5 0f84d06c0100     JZ 0x7e4420ab
0x7e42b3db 53               PUSH EBX
0x7e42b3dc 56               PUSH ESI
0x7e42b3dd 57               PUSH EDI

Disassembly(1):
0x3e2dd1c5 8bff             MOV EDI, EDI
0x3e2dd1c7 55               PUSH EBP
0x3e2dd1c8 8bec             MOV EBP, ESP
0x3e2dd1ca 56               PUSH ESI
0x3e2dd1cb 33f6             XOR ESI, ESI
0x3e2dd1cd e824000000       CALL 0x3e2dd1f6
0x3e2dd1d2 85c0             TEST EAX, EAX
0x3e2dd1d4 7514             JNZ 0x3e2dd1ea
0x3e2dd1d6 ff7514           PUSH DWORD [EBP+0x14]
0x3e2dd1d9 ff7510           PUSH DWORD [EBP+0x10]
0x3e2dd1dc ff               DB 0xff
Implementing the whitelist in malfinddeep works the same way and uses the same options.