Memory Analysis for Process Injection

Hey Squad,

Today, I am going to write a blog about something interesting: “Memory Forensics”.

Memory forensics (sometimes referred to as memory analysis) refers to the study of volatile data in a computer’s memory dump. Information security professionals conduct memory forensics to investigate and identify attacks or malicious behaviors that do not leave easily detectable tracks on drive data. [1]

Process injection is a technique of running malicious code in the address space of separate processes. After the malicious code is injected into a legitimate process, attackers can access legitimate processes’ resources such as process memory, system/network resources, and elevated privileges. [2]

We are going to execute malware and then see whether we can find it in the memory dump using Volatility.

Tools:

  • Volatility
  • Strings
  • Base64

To begin with, we can run Volatility’s imageinfo plugin to find information about the system.

Suggested Profile(s) : Win10x64_17134, Win10x64_14393, Win10x64_10586, Win10x64_16299, Win2016x64_14393, Win10x64_15063 (Instantiated with Win10x64_15063)

After trying the available profiles, we can go ahead with Win10x64_10586.

Hidden Process

Let’s search for hidden processes now.

A False in a column indicates that the process was not found in that process listing. This allows the analyst to review the list and determine whether there is a legitimate reason for the process to be missing there, or whether it indicates an attempt to hide the process.

In our case, we do not have any hidden processes. The last few False entries are false positives, probably due to data persisting from the previous reboot.

Network Connections

We can see that powershell.exe established a connection to port 80 on a remote host. Port 80 is worth looking at specifically because many firewalls allow outbound connections on it.

Hunt for process injection

We use the malfind plugin to find injected code regions in memory.

After removing false positives, we have the following observations:

  • Powershell.exe (PID 3720) — 5 injected regions
  • Powershell.exe (PID 4740) — 4 injected regions
  • Powershell.exe (PID 3004) — 5 injected regions

PowerShell should not exhibit any injection-related symptoms during typical operations. An “MZ” header at the start of an injected memory section would point to the injection of a Windows executable file; none of these sections has one. There are a number of possible causes for that, such as the injection of raw shellcode rather than a whole executable, or a tool that overwrites the injected memory regions after execution as an anti-forensic approach, to prevent analysts from recovering the injected code.

The PowerShell processes have made suspicious internet connections and exhibit signs of injection. PowerShell scripts are often still resident in the machine’s memory, so using the “strings” utility we can attempt to find characteristic patterns.

We can see the Mimikatz function in the PowerShell script that was executed.

It can be concluded that a compromise has occurred, given the presence of the string “Invoke-Mimikatz”.
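As an added example (not from the original post), the two checks applied by hand above in Python: whether a region reported by malfind begins with an MZ/PE header, and a strings-style hunt for “Invoke-Mimikatz” in both ASCII and UTF-16LE, since PowerShell keeps script text as UTF-16 in memory and `strings` misses it unless run with `-el`. The sample buffers are constructed stand-ins, not real dump data.

```python
import re
import struct

# Indicator list for this example (constructed; extend with your own patterns).
INDICATORS = [b"Invoke-Mimikatz"]

def classify_region(region: bytes) -> str:
    """Check a dumped malfind region the way the post does by eye: an 'MZ'
    DOS header plus a 'PE\\0\\0' signature at e_lfanew means a whole Windows
    executable was injected; no MZ means raw shellcode, a wiped header, or a
    false positive, so it does not clear the process."""
    if len(region) < 0x40 or region[:2] != b"MZ":
        return "no MZ header"
    e_lfanew = struct.unpack_from("<I", region, 0x3C)[0]
    if region[e_lfanew:e_lfanew + 4] == b"PE\x00\x00":
        return "PE image"
    return "MZ header without PE signature"

def find_indicators(memory: bytes, indicators=INDICATORS) -> list:
    """Strings-style hunt over a memory buffer for each indicator encoded as
    ASCII and as UTF-16LE (PowerShell keeps script text as UTF-16 in memory,
    so `strings` without `-el` misses it). Returns (offset, encoding, text)."""
    hits = []
    for ind in indicators:
        wide = ind.decode("ascii").encode("utf-16-le")
        for enc, needle in (("ascii", ind), ("utf-16le", wide)):
            for m in re.finditer(re.escape(needle), memory):
                hits.append((m.start(), enc, ind.decode("ascii")))
    return sorted(hits)

# Constructed sample buffers standing in for dumped regions; not real memory.
SAMPLE_SHELLCODE_REGION = b"\x90" * 64                  # no header at all
SAMPLE_PE_REGION = bytearray(0x44)
SAMPLE_PE_REGION[:2] = b"MZ"
struct.pack_into("<I", SAMPLE_PE_REGION, 0x3C, 0x40)    # e_lfanew -> 0x40
SAMPLE_PE_REGION[0x40:0x44] = b"PE\x00\x00"
SAMPLE_PE_REGION = bytes(SAMPLE_PE_REGION)
SAMPLE_MEMORY = (b"\x00" * 16 + b"Invoke-Mimikatz" + b"\x00" * 9
                 + "Invoke-Mimikatz".encode("utf-16-le") + b"\x00" * 8)

if __name__ == "__main__":
    for name, reg in (("shellcode", SAMPLE_SHELLCODE_REGION), ("pe", SAMPLE_PE_REGION)):
        print(f"{name}: {classify_region(reg)}")
    for off, enc, text in find_indicators(SAMPLE_MEMORY):
        print(f"0x{off:x} {enc:8} {text}")
```

Against a real case, feed `find_indicators` the bytes of a region dumped with malfind’s dump option; a hit only in the utf-16le column is exactly what plain `strings` would have missed.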

Please give me a clap if you found it to be useful and follow me to get more hacking knowledge.

You can buy me a coffee if you would like to -> https://www.buymeacoffee.com/gowthamaraj


References

  1. https://digitalguardian.com/blog/what-are-memory-forensics-definition-memory-forensics
  2. https://www.picussecurity.com/resource/t1055-process-injection-of-the-mitre-attck-framework
  3. https://medium.com/@zemelusa/first-steps-to-volatile-memory-analysis-dcbd4d2d56a1