Rootkits & Memory Forensics: Can They Hide?

TL;DR

Yes, rootkits can hide processes from memory forensics tools like Volatility, but it’s not a guaranteed success. Modern rootkits employ various techniques to evade detection, but skilled analysts can often uncover them using advanced analysis methods and plugins within these tools.

How Rootkits Hide Processes

Rootkits aim to conceal malicious activity by modifying the operating system’s core components or hooking into system calls. Here’s how they attempt to hide processes from memory forensics:

1. Unlinking from Process Lists: The rootkit removes the process entry from kernel data structures that Volatility uses to enumerate running processes (e.g., ActiveProcessLinks).
2. Modifying System Call Tables: Rootkits can alter system call tables to intercept calls related to process enumeration and filter out unwanted entries.
3. Direct Kernel Object Manipulation (DKOM): This involves directly changing kernel data structures in memory, making it harder for forensics tools to accurately reconstruct the process list.
4. Hooking System Calls: Intercepting system calls like NtQuerySystemInformation and filtering results before they reach user-space applications or forensics tools.
5. Using Hidden Drivers: Rootkits can load drivers that aren’t visible through standard methods, running malicious code in the kernel without being easily detected.

Detecting Hidden Processes with Volatility

Volatility offers several plugins and techniques to combat rootkit hiding:

1. Basic Process Enumeration: Start with standard plugins like pslist, pstree, and psscan. Compare the results from different plugins; discrepancies can indicate hidden processes.

   volatility -f <memory_image> pslist

2. Scanning for Hidden Drivers: Use the driverscan plugin to identify potentially malicious or unsigned drivers. Look for drivers with unusual names or characteristics.

   volatility -f <memory_image> driverscan

3. The vadinfo Plugin: This plugin displays Virtual Address Descriptor (VAD) information, which can reveal hidden regions of memory not associated with known processes.

   volatility -f <memory_image> vadinfo

4. The netscan Plugin: Rootkits often establish network connections. Use netscan to identify suspicious connections that don’t correspond to known processes.

   volatility -f <memory_image> netscan

5. The malfind Plugin: This plugin scans memory for potentially malicious code signatures. It can detect injected code used by rootkits.

   volatility -f <memory_image> malfind

6. The yarascan Plugin: Use YARA rules to scan memory for specific patterns associated with known rootkits. You’ll need a suitable YARA rule set.

   volatility -f <memory_image> yarascan --rules-path <path_to_yara_rules>

7. The filescan Plugin: Scan for hidden files on disk that may be associated with the rootkit.

   volatility -f <memory_image> filescan

8. Advanced Kernel Object Analysis: Use plugins like objlist and manually examine kernel object lists for inconsistencies. This requires a deep understanding of the operating system’s internals.
9. Timeline Analysis: Create a timeline of events using timeline to identify suspicious activity patterns that might indicate rootkit behavior.

   volatility -f <memory_image> timeline

Beyond Volatility

Other tools and techniques can supplement Volatility:

• Memory Dump Analysis with WinDbg: Use a debugger like WinDbg to directly examine kernel data structures and system call tables.
• System Call Monitoring: Tools that monitor system calls in real-time can help identify suspicious activity.
• Rootkit Scanners: Dedicated rootkit scanners (e.g., from antivirus vendors) can sometimes detect hidden processes, but they are not always reliable.

Important Considerations

• Image Integrity: Ensure the memory image is untampered with before analysis.
• Kernel Version: Use the correct Volatility profile for the kernel version of the system being analyzed.
• Rootkit Sophistication: More advanced rootkits are harder to detect and require more sophisticated analysis techniques.