Master Class: Advanced Volatile Memory Analysis for Fun and Profit (Online Training)

Malware continues to advance in sophistication and prevalence. Well-engineered malware can obfuscate itself from the user, the network, and even the operating system running host-based security applications. But one place malware cannot easily hide is volatile computer memory (RAM). Many problems and inefficiencies exist with the current approach to memory analysis: it takes too much time, it is very labor intensive, and artifact extraction produces a deluge of raw data that is not practical to analyze on real-world computer systems compromised with malware. These inefficiencies ultimately mean more time and resources spent on the analysis while impairing the accuracy of the results, since it is too easy to miss a key artifact in the overload of data. I have seen many people struggle with capture-the-flag memory challenges because of these same issues. I have addressed this problem by engineering a new construct for memory analysis, together with a new tool release that provides an automated process for advanced memory analysis, correlation, and user interaction, increasing investigation accuracy, reducing analysis workload, and better detecting obfuscated malware.

This workshop is especially well suited to you if you have conducted memory analysis before and understand the pain and difficulty of completing this type of investigation. During this session, I will present many new features that optimize memory analysis, including a new, revolutionary interactive construct that provides a visual representation of the artifacts and indicators extracted from memory. During the many hands-on exercises in this workshop, we will also cover a new data cross-reference (data xref) capability I built into the open-source tool (Xavier Memory Analysis Framework). It creates a new index and memory-context feature that shows how your keyword data is coupled with the processes, modules, and events captured in memory. The data xref feature also allows you to immediately pivot to targeted process-memory dumps and file extraction directly from each keyword entered by the user. Finally, this research delivers a new concept called the System Manifest. The System Manifest is a single file detailing the significant artifacts (and their relationships) distilled from a memory image. It allows Xavier to reload the full memory image context in seconds, versus hours without the tool. The most beneficial feature of the manifest file is the new ability to create and analyze memory snapshots. This provides a lightweight yet very powerful and precise memory analysis capability that automatically detects the system changes captured in memory after malware execution, which is especially useful for exploit development, malware analysis, and software reverse engineering!

This workshop is full of hands-on practicums: we will take real-world capture-the-flag memory analysis engagements and demonstrate how the Xavier Construct optimizes memory analysis. Additionally, we will cover advanced concepts including code injection and rootkit hooking, and finally conclude with real-world capstone memory analysis engagements.

This training is in 2 parts:

Part I:

  1. Intro / Background / Research Motivation
  2. Setting the Stage: a real-world memory analysis capture-the-flag challenge problem and exercise that highlights the difficulties and inefficiencies of the current memory analysis approach and the need for a new construct to analyze memory
  3. Next, we jump deeper into the new analysis framework, learning how to initiate automated analysis and interact with the output report constructs created by the tool.
  4. Then we pivot into additional hands-on practicums showing exactly how the Data XREF (cross-reference) feature works and how to execute it in the tool.
  5. After Data XREF, we explore how the System Manifest makes memory analysis snapshots a lightweight and highly impactful feature that produces automated reports of precise malware indicators of compromise, generated automatically from the tool's memory analysis.
  6. After this, we move into Practical Windows Internals, Virtual Address Descriptors, and Page Mapping Protections
  7. Then we cover Process Hiding and Code Injection techniques and their detection methods via memory analysis
  8. We conclude the day with a capstone exercise

Part II: a deep dive into the code injection and rootkit techniques discovered in memory

  1. Windows Internals: Process Security and Access Rights
  2. Code Injection Deep Dive
     - DLL Injection
     - Process Hollowing
     - Shellcode Injection
  3. Rootkits & Hooking (User-Space & Kernel-Space)
     - Drivers & IRP Hooking
     - SSDT Hooking
     - IDT
     - Direct Kernel Object Manipulation
  4. Day 2 Capstone

Day 2 is rich with hands-on exercises to gain an in-depth understanding of the concepts of advanced memory analysis using the new tool, the Xavier Memory Analysis Framework.

About the Speaker