Hiding Process Memory Via Anti-Forensic Techniques – Frank Block – BH20 #4
Malware authors constantly search for new ways of hiding their activity and content from the eyes of analysts. In order to help the malware authors in their constant struggle ;-), we introduce three novel methods that prevent malicious user space memory from appearing in analysis tools and additionally make that memory inaccessible from a security analyst's perspective, on both Windows and Linux. We are, however, also covering different approaches for detecting the hidden memory and releasing various Volatility 3 and Rekall plugins. The last piece of our release consists of PoC implementations of all subversion techniques for Windows and Linux, and an upgraded version of one of the subversion techniques, which is controllable via a C&C server.
Guest
Frank Block is a security researcher working for ERNW Research GmbH with more than 10 years of experience, and an external PhD student at the University of Erlangen-Nuremberg (Department Informatik) with a focus on memory forensics. His main fields of interest are incident analysis and penetration testing. When not involved in customer projects, he enjoys doing research in all kinds of areas and usually presents the results at conferences such as DFRWS USA, Black Hat USA/EU and Troopers.