[Vol-users] Identifying HIPS process injection

Michael Hale Ligh michael.hale at gmail.com
Wed Nov 9 19:28:25 CST 2011


Hey Darren,

On Tue, Nov 8, 2011 at 8:48 PM, Darren Spruell <phatbuckett at gmail.com> wrote:
> I've got a suspect process running on a system.
>
> 0x0703fcb8 8880792.tmp        5940   1504 0x0b353000 2011-05-27 07:00:12
>  %Windir%\Temp\8880792.tmp
>
> It's 64K on disk and looks like it's packed with Armadillo:
>
> File Name:  8880792.tmp
> File Size:  65536
> File Type:  PE32 executable for MS Windows (GUI) Intel 80386 32-bit
> MD5 Hash:   fec737234a47ae90ee79af44d3081a4d
> SHA1 Hash:  4fb9abf6aba05ec1232b98ab39073c7635f7b9aa
> Cymru MHR:  Not listed
> Packer ID(s):
> => Armadillo v1.71
>
> Number of sections: 3
> --------------------
> ('.text\x00\x00\x00', '0x1000', '0xb446', 49152)
> ('.rdata\x00\x00', '0xd000', '0x15d2', 8192)
> ('.data\x00\x00\x00', '0xf000', '0x20c0', 4096)
>
> I dump process memory (procmemdump) and end up with strings not much
> different than what I get for the file on disk. The procmemdump output
> is about 10K larger.
>
> The memdump output is 245M and going through the addressable memory
> contents I get loads of suspicious data that looks like it's related
> to malware. Samples:
>
> are\EES\BIFROST
>
> //sharedfreehosting.c
>
> USER remote
> hello   keypublic
> WEBCAM  Ekran.png       Ekran.bmp
> 60.167.78.224
>
> www.proxyserverlist.biz
>
> proxy_checker/index.php
>
> ClientSocket
> www.66444.com
> open
> ww4.tmdqq.net/51lin
> www3.57185.com/is686_.h
> 1.hao591.net/is6
> exefile=cdb.exe
> dllfile=test.dll
> regedits=stubpath
> tp://bravor.net
> w.ya.ru
> whatismyip.co
>
> Welcom to BackDor serv  by emPyte
> Fan666` .
> tem\lsass.ex
> ion\Run
> *sniff*
>  sad
> yo,
> PRIVMSG
> Splinter        ddos v1.0
> INFECT
> Plus!
> terra.com.mx
> send.aspx?id=
>
>
> Windll22.exe
> !reboot
> !reconnect
> !join
> !pwl
> !connection
> !switch
> !chatslaves
>
> Connected to
> NetShadow v1.2
> Server ID:
> F:\Work\TEST    MyFunlove
> \calc.ex
> LAgPCfAGCxoRI
> CwgMCA8JERAO9x
> Chat-Fenster
> pcinfo
> Resolution:
>        tmdqq.net       57185.com
> szfocus.net
> cool-pic.com
> dcomScaner
> Vortex1 mazafaka
> GONNA BE AN IRCF
> HTTP://WWW.ASEXVIDEO
>        HACKTOOLZ
> ?ACTION=LOGIN&SEND=
> ICQBETA
>
> I suppose though that this is data from the HIPS application that has
> been injected into this executable's process space. The same strings
> are present in the memory space of all processes. I want to confirm
> this by finding an indicator in the process memory that attributes
> this data to the HIPS application. What is the best way to do this?

That's possible. I'd suggest using vaddump instead of memdump. You'll
get the same content, but it will be broken up into chunks named
according to the starting address. For example:

$ ls -alh vads/
-rw-r--r--    1 User  staff   128K Feb  8 15:29
System.a2d960.00120000-0013ffff.dmp
-rw-r--r--    1 User  staff   128K Feb  8 15:29
System.a2d960.00140000-0015ffff.dmp
-rw-r--r--    1 User  staff   128K Feb  8 15:29
System.a2d960.00160000-0017ffff.dmp
-rw-r--r--    1 User  staff   128K Feb  8 15:29
System.a2d960.00180000-0019ffff.dmp

Then you'd find out which one(s) contain the strings you see. If it's
the first one, then you know the starting memory address is 00120000.
Then you'd use vadinfo on that process and look for the vad entry
whose start address is 00120000. The entry will tell you if there's a
mapped file or DLL loaded there, if the memory is executable or just
RW, and some other things. Compare those characteristics to some known
instances of code injection (like zeus, stuxnet, whatever).

> My initial suspicion is that the VAD table could show me that. Is this
> right? How could this analysis proceed in Volatility? The 'modules'
> plugin shows me a couple of entries that I suspect relate to it.
>
> 0x8a3c01e8 mfehidk.sys
> 0x00f70a9000 0x052000 mfehidk.sys
> 0x89030a20 \SystemRoot\system32\drivers\mfetdik.sys
> 0x00f7697000 0x00e000 mfetdik.sys
> 0x89237e68 \Device\mfehidk01.sys
> 0x00b7f38000 0x053000 mfehidk01.sys

Well those are related in the sense that they're part of McAfee, but
"modules" shows the kernel drivers and you're asking about something
found in user mode. Also depending on which product of McAfee's is
installed, you may see DLLs with names like HIPIS*.dll, which you can
then look at the module base + size to figure out where it's loaded. Or
use the verinfo plugin which can sometimes print FileDescription =
"HIPSCore Injected Stub" etc.

Hope it helps!
MHL

> --
> Darren Spruell
> phatbuckett at gmail.com
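The procedure MHL outlines above (vaddump the process, find which chunk holds the strings, take the start address from the chunk's file name, look up that address in vadinfo, and check whether the region is a mapped file or private executable memory) can be automated. The script below is an added example written for this thread; it is not part of the original message or of Volatility. It assumes vaddump names its output files `<process>.<offset>.<start>-<end>.dmp` as in the listing above, and that the vadinfo text looks like Volatility 2.x output (`VAD node @ ... Start 0x... End 0x... Tag ...`, a `Protection:` line, and an optional `FileObject @..., Name: ...` line). The dump chunks and the vadinfo text in `demo()` are constructed sample data, and the DLL path `\EXAMPLE\HIPIS_stub.dll` is a placeholder, not a real McAfee file name.

```python
"""Correlate vaddump chunks that contain suspicious strings with the
matching vadinfo entries, so a region can be attributed either to a
mapped file (e.g. a HIPS stub DLL) or to private executable memory.

Assumptions (not from the original thread):
  - vaddump file names follow <process>.<offset>.<start>-<end>.dmp
  - vadinfo output resembles Volatility 2.x text output
"""
import os
import re
import tempfile

VADDUMP_NAME = re.compile(
    r"^(?P<proc>.+?)\.(?P<off>[0-9a-f]+)\.(?P<start>[0-9a-f]{8})-(?P<end>[0-9a-f]{8})\.dmp$",
    re.IGNORECASE)
VAD_NODE = re.compile(
    r"VAD node @ \S+ Start 0x(?P<start>[0-9a-f]+) End 0x(?P<end>[0-9a-f]+) Tag (?P<tag>\S+)",
    re.IGNORECASE)
PROTECTION = re.compile(r"^Protection:\s*(?P<prot>\S+)", re.IGNORECASE)
FILEOBJ = re.compile(r"FileObject @\S+, Name:\s*(?P<name>.+)$", re.IGNORECASE)


def parse_vaddump_name(name):
    """Return (start, end) as ints from a vaddump file name, or None."""
    m = VADDUMP_NAME.match(name)
    if not m:
        return None
    return int(m.group("start"), 16), int(m.group("end"), 16)


def find_chunks_with_strings(vad_dir, needles):
    """Map region start address -> list of needles found in that chunk."""
    hits = {}
    for name in sorted(os.listdir(vad_dir)):
        rng = parse_vaddump_name(name)
        if rng is None:
            continue
        with open(os.path.join(vad_dir, name), "rb") as fh:
            data = fh.read()
        found = [n for n in needles if n in data]
        if found:
            hits[rng[0]] = found
    return hits


def parse_vadinfo(text):
    """Parse vadinfo-style text into a dict: start address -> entry."""
    entries, cur = {}, None
    for line in text.splitlines():
        line = line.strip()
        m = VAD_NODE.search(line)
        if m:
            cur = {"start": int(m.group("start"), 16), "end": int(m.group("end"), 16),
                   "tag": m.group("tag"), "protection": None, "file": None}
            entries[cur["start"]] = cur
            continue
        if cur is None:
            continue
        m = PROTECTION.match(line)          # only the standalone Protection: line
        if m:
            cur["protection"] = m.group("prot")
            continue
        m = FILEOBJ.search(line)
        if m:
            cur["file"] = m.group("name").strip()
    return entries


def classify(hits, vads):
    """For every chunk that held a needle, say what backs that region."""
    report = {}
    for start, found in hits.items():
        vad = vads.get(start)
        if vad is None:
            verdict = "no VAD entry at this address (check address/PID)"
        elif vad["file"]:
            verdict = "mapped file: %s" % vad["file"]
        elif vad["protection"] and "EXECUTE" in vad["protection"].upper():
            verdict = ("private executable memory (%s); consistent with code injection"
                       % vad["protection"])
        else:
            verdict = "private non-executable memory (%s)" % vad["protection"]
        report[start] = {"strings": found, "verdict": verdict}
    return report


# Constructed vadinfo text in the assumed format; the DLL path is a placeholder.
SAMPLE_VADINFO = r"""
VAD node @ 0x81bc3e08 Start 0x00120000 End 0x0013ffff Tag Vad
Flags: CommitCharge: 3, Protection: 7
Protection: PAGE_EXECUTE_WRITECOPY
Vad Type: Vad
Control Flags: Accessed: 1, File: 1, HadUserReference: 1, Image: 1
FileObject @81f1ecc8, Name: \EXAMPLE\HIPIS_stub.dll
VAD node @ 0x81bc3f40 Start 0x00140000 End 0x0015ffff Tag VadS
Flags: CommitCharge: 32, PrivateMemory: 1, Protection: 6
Protection: PAGE_EXECUTE_READWRITE
Vad Type: VadNone
"""


def demo():
    """Write constructed vaddump chunks to a temp dir and run the correlation."""
    needles = [b"Welcom to BackDor serv", b"NetShadow v1.2", b"HACKTOOLZ"]
    tmp = tempfile.mkdtemp()
    chunks = {  # constructed sample chunks, not real dumps
        "8880792.tmp.703fcb8.00120000-0013ffff.dmp":
            b"MZ\x90\x00" + b"\x00" * 64 + b"Welcom to BackDor serv  by emPyte\x00NetShadow v1.2\x00",
        "8880792.tmp.703fcb8.00140000-0015ffff.dmp": b"\x00" * 128 + b"HACKTOOLZ\x00",
        "8880792.tmp.703fcb8.00160000-0017ffff.dmp": b"\x00" * 256,
    }
    for name, data in chunks.items():
        with open(os.path.join(tmp, name), "wb") as fh:
            fh.write(data)
    return classify(find_chunks_with_strings(tmp, needles), parse_vadinfo(SAMPLE_VADINFO))


if __name__ == "__main__":
    for start, info in sorted(demo().items()):
        print("0x%08x %-40s %s" % (start, b", ".join(info["strings"]).decode(), info["verdict"]))
```

Against a real case, point `find_chunks_with_strings` at the vaddump output directory and feed `parse_vadinfo` the saved vadinfo text for the same PID; a region that resolves to a mapped file with a HIPS-looking name is the attribution the question asks for, while a private `PAGE_EXECUTE_READWRITE` region with no backing file is the pattern worth comparing against known injection cases, as MHL suggests.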

