Virtual Memory Analysis: The overlooked part of Dynamic Analysis
When we talk about dynamic analysis of malware in windows environment, we see file modification, Registry modification, Network communication, Process creation but I feel people overlook the virtual memory of a process. Well most experienced researchers might be using it but an amateur researcher might miss as there is rare mention of it in any, blogs or tutorials. Please do not confuse this with memory forensics.
Before getting into details , I would recommend readers to have some basic idea on virtual memory of windows. I have explained some of windows internal concept including virtual memory in chapter 2 of my book Preventing Ransomware.
While Process Explorer limits itself to displaying memory strings of a specific area (only the main module or main function )of memory only but process hacker can show much more details like memory blocks,permission of memory blocks, page states, modules etc . Also process Hacker shows strings of the entire user space virtual memory unlike process explorer.
To inspect memory strings process explorer,double click a process and go to strings tab and click on "memory" radio button.
As I said process explorer limits itself to the strings. From strings you can derive a lot of stuff. We will see that in sometime.
To view memory with process hacker you can double click a process and go to memory tab.
The image displayed has a page whose state is commit and permission is RW(read write). Don't think that these properties are of no use. These can be used to find out injected code, memory allocated by API's like VirtualAlloc etc. In this article I will stress more what we can derive from strings available in memory.
You can view strings in process hacker by clicking on strings button shown in the above image.
Well you can see lot more strings in process hacker compared to process explorer ,even the address of the strings. You can use this data while reverse engineering too. If you are analyzing strings using process hacker you also need to find out which areas of memory you should omit and what to look into and some more filtering ,otherwise you will get millions of strings to analyse. Well I am keeping the string filtering stuff restricted to my training.
Here are some stuff you can derive by looking into the strings in memory:
1) Was the file malware file packed or not?
you can compare strings in file and virtual memory. If you get useful strings in memory and not in file then ,the malware file is packed and unpacks in memory. Well you need a bit of practice to find out if the strings are important or not. I have mentioned some important strings in the following points but there are lot more.
2) malware was armored or not?
Often malwares do not execute completely if they detect virtual machines or security tool or due to any other reasons but still you can see relevant data
This is screenshot strings of a malware memory which did not execute completely as it seems like it is looking for presence of virtual machines but at the same time I found other string like run entry and URL patterns which helped me to conclude that it is a malware even though nothing conclusive was visible in dynamic analysis other than a process being created.
3) Command and control patterns.URL's etc.
Even though the malware did not execute for me I could see the following pattern. This pattern is likely to be used by malware to send victim's system information to the hacker's server
4) Malware Classification,naming
Sometimes you can see see string like names of malwares, author names. You can google for certain patterns and find that similar malware has been analysed in some blogs or sandbox.
Here is one of my blogs on Kronos Ransomware.
If you see strings like "data_before,data_after,data_inject,data_end", it's more likely to be a banking malware.
Well it's important to mention that a lot of times you might not get an opportunity to view strings as the malware process might terminate quickly or memory pages may be overwritten but there is always workaround for such problems . you can try my process stopper tool even though it's not perfect. Other techniques can include efficiently using debuggers.
Well you can do lot more by analyzing the memory. Well I stress a lot on memory analysis in my training "Malware Analysis made Easy Training"(The site is still under construction) . Sometimes the techniques can eliminate the need to go through complex reverse engineering process.