Hooktracer: Automatic Detection and Analysis of Keystroke Loggers Using Memory Forensics

Abstract Advances in malware development have led to the widespread use of attacker toolkits that leave no trace in the local filesystem. This undermines traditional investigative procedures that rely on filesystem analysis to reconstruct attacker activities, and memory forensics has replaced filesystem analysis in these scenarios. Unfortunately, existing memory forensics tools leave many capabilities inaccessible to all but the most experienced investigators, those well versed in operating system internals and reverse engineering. The goal of the research described in this paper is to make the investigation of one of the greatest threats that organizations face, userland keyloggers, less error-prone and less dependent on manual reverse engineering. To accomplish this, we have added significant new capabilities to HookTracer, an engine capable of emulating code discovered in physical memory captures and recording every action taken by the emulated code. Building on this work, we present new memory forensics capabilities, embodied in a new Volatility plugin, hooktracer_messagehooks, that uses HookTracer to automatically decide whether a hook found in memory belongs to a malicious keylogger or to benign software. We also include a detailed case study that illustrates our technique's ability to analyze very sophisticated keyloggers, such as Turla.
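The abstract describes the core idea at a high level: emulate a hook callback recovered from a memory image, record the API calls it makes, and decide from that record whether the hook behaves like a keylogger. The following Python is an added illustration of that triage step, written for this page; it is not the paper's HookTracer engine or the hooktracer_messagehooks plugin, and the trace line format, the API name lists and the "keystroke read followed by a data sink" heuristic are all assumptions made for the example. The sample traces are constructed.

```python
"""Triage of a message-hook callback from its emulated action trace.

Added illustration, NOT the HookTracer / hooktracer_messagehooks code from the
paper.  Assumes an emulator has run a hook callback found in a memory capture and
dumped one line per API call in this hypothetical format (constructed here):

    <callsite> call <module>!<api>(<key=value>, ...) -> <return>
"""
import re
from dataclasses import dataclass, field

_LINE_RE = re.compile(
    r"^(?P<site>0x[0-9a-fA-F]+)\s+call\s+(?P<module>\w+)!(?P<api>\w+)\((?P<args>.*?)\)"
    r"(?:\s*->\s*(?P<ret>\S+))?$"
)

# Assumed lists for the heuristic; a real plugin would carry a much richer model.
KEY_READ_APIS = {"GetKeyState", "GetAsyncKeyState", "GetKeyboardState", "ToUnicode", "ToAscii"}
DATA_SINK_APIS = {"WriteFile", "send", "WSASend", "HttpSendRequestW", "InternetWriteFile"}
PASSTHROUGH_API = "CallNextHookEx"   # a well-behaved hook forwards the event


@dataclass
class Call:
    site: int
    module: str
    api: str
    args: dict


@dataclass
class Verdict:
    label: str                              # "keylogger", "suspicious" or "benign"
    reasons: list = field(default_factory=list)


def parse_trace_line(line):
    """Parse one trace line into a Call, or return None for unparseable input."""
    m = _LINE_RE.match(line.strip())
    if not m:
        return None
    args = {}
    for kv in filter(None, (p.strip() for p in m.group("args").split(","))):
        key, _, value = kv.partition("=")
        args[key.strip()] = value.strip()
    return Call(int(m.group("site"), 16), m.group("module"), m.group("api"), args)


def parse_trace(text):
    return [c for c in (parse_trace_line(l) for l in text.splitlines()) if c is not None]


def classify_hook_trace(calls):
    """Order-sensitive heuristic over the recorded calls of one hook callback.

    keylogger : inspects keystroke state, then pushes data to disk/network
    suspicious: inspects keystroke state without a sink, or never forwards the event
    benign    : no keystroke inspection and the event is passed along
    """
    reasons, key_read_seen, passthrough_seen = [], False, False
    for c in calls:
        if c.api == PASSTHROUGH_API:
            passthrough_seen = True
        elif c.api in KEY_READ_APIS:
            key_read_seen = True
            reasons.append(f"{c.api} at {c.site:#x}: callback inspects keystroke state")
        elif c.api in DATA_SINK_APIS and key_read_seen:
            reasons.append(f"{c.api} at {c.site:#x}: keystroke data leaves the process")
            return Verdict("keylogger", reasons)
    if key_read_seen:
        return Verdict("suspicious", reasons)
    if not passthrough_seen:
        reasons.append("callback never calls CallNextHookEx; event is not forwarded")
        return Verdict("suspicious", reasons)
    return Verdict("benign", reasons)


# Constructed sample traces (not real tool output).
KEYLOGGER_TRACE = """\
0x00401010 call user32!GetKeyState(vk=0x10) -> 0x0
0x00401022 call user32!ToUnicode(vk=0x41, scan=0x1e, state=0x12f000, buf=0x12f100, len=2, flags=0) -> 1
0x00401040 call kernel32!WriteFile(h=0x1a4, buf=0x12f100, n=2, written=0x12f0f0, ov=0x0) -> 1
0x00401055 call user32!CallNextHookEx(hhk=0x0, code=0, wParam=0x100, lParam=0x12f3a0) -> 0
"""

BENIGN_TRACE = """\
0x10002000 call user32!GetWindowTextW(hwnd=0x30a12, buf=0x12f200, n=256) -> 12
0x10002018 call user32!CallNextHookEx(hhk=0x0, code=0, wParam=0x100, lParam=0x12f3a0) -> 0
"""

if __name__ == "__main__":
    for name, text in (("keylogger", KEYLOGGER_TRACE), ("benign", BENIGN_TRACE)):
        v = classify_hook_trace(parse_trace(text))
        print(f"{name} trace -> {v.label}")
        for r in v.reasons:
            print("   ", r)
```

The order dependence is the point: a benign accessibility or hotkey helper may legitimately read key state, so the example only escalates to "keylogger" when the callback also moves data out of the process after doing so. An investigator would feed each hook's emulated trace through this kind of classifier instead of reversing every callback by hand.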
