Memory Dump Evasion

May 1, 2024

| Field | Value |
|---|---|
| ID | B0006 |
| Objective(s) | Anti-Behavioral Analysis |
| Related ATT&CK Techniques | None |
| Anti-Analysis Type | Evasion |
| Version | 2.1 |
| Created | 1 August 2019 |
| Last Modified | 29 April 2024 |

Memory dump evasion is an anti-forensic technique in which malware hinders retrieval and/or discovery of the contents of the physical memory of the system on which the malware instance is executing [1]. Tools that capture malware code from memory can be software-based or hardware-based. Malicious code thwarts software-based tools with methods such as resolving API addresses before each use (the on-the-fly APIs method) and erasing or corrupting specific file parts to prevent rebuilding (the tampering method) [2], [3].

Methods

| Name | ID | Description |
|---|---|---|
| Code Encryption in Memory | B0006.001 | Encrypt the executing malware instance code in memory. |
| Erase the PE header | B0006.002 | Erase PE header from memory. |
| Feed Misinformation | B0006.008 | API behavior can be altered to prevent memory dumps. For example, inaccurate data can be reported when the contents of the physical memory of the system on which the malware instance is executing is retrieved. See Hijack Execution Flow. |
| Flow Opcode Obstruction | B0006.009 | Flow opcodes (e.g., jumps, loops) are removed and emulated (or decrypted) by the packer during execution, resulting in incorrect dumps [6]. |
| Guard Pages | B0006.006 | Encrypt blocks of code individually and decrypt temporarily only upon execution. This method is related to Unprotect technique U0102. |
| Hide virtual memory | B0006.003 | Hide arbitrary segments of virtual memory. |
| On-the-Fly APIs | B0006.007 | Resolve API addresses before each use to prevent complete dumping. |
| SizeOfImage | B0006.004 | Set the SizeOfImage field of PEB.LoaderData to be huge. |
| Tampering | B0006.005 | Erase or corrupt specific file parts to prevent rebuilding (header, packer stub, etc.). |
| Hook memory mapping APIs | B0006.010 | Hooking prevents memory dumps by preventing mapping of memory into the kernel's virtual address space [1]. |
| Patch MmGetPhysicalMemoryRanges | B0006.011 | Patching this function to always return NULL prevents drivers from getting information about the physical address space layout, preventing memory dumps [1]. |
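
An analyst-side check for two of the methods above, Erase the PE header (B0006.002) and SizeOfImage (B0006.004), added here as an example and not code from the MBC project: it builds a constructed one-section PE32 image as it would sit at a module base, then classifies a dump as header-less or as carrying an implausibly inflated SizeOfImage. The loader-reported SizeOfImage is taken as a parameter (`loader_size_of_image`, an assumed name), since a dumper reads it from the PEB loader data rather than from the image header.

```python
import struct

# Constructed sample layout (not from the page): one .text section at RVA 0x1000.
SECTION_VA, SECTION_VSIZE = 0x1000, 0x200

def build_sample_pe(size_of_image, erase_header=False):
    """Build a minimal PE32 header as it would sit at a module base in memory."""
    dos = bytearray(0x40)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                 # e_lfanew -> PE signature
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0xE0, 0x102)  # i386, 1 section
    opt = bytearray(0xE0)
    struct.pack_into("<H", opt, 0, 0x10B)                   # PE32 magic
    struct.pack_into("<I", opt, 32, 0x1000)                 # SectionAlignment
    struct.pack_into("<I", opt, 56, size_of_image)          # SizeOfImage
    sect = struct.pack("<8sIIIIIIHHI", b".text", SECTION_VSIZE, SECTION_VA,
                       0x200, 0x400, 0, 0, 0, 0, 0x60000020)
    img = bytes(dos) + b"PE\0\0" + coff + bytes(opt) + sect
    if erase_header:   # B0006.002: the header page is zeroed, later pages survive
        img = b"\0" * len(img)
    return img + b"\xC3" * 0x10   # a few bytes standing in for code past the header

def analyze_dumped_image(buf, loader_size_of_image=None, inflation_factor=4):
    """Is the dumped header usable, and is the claimed SizeOfImage plausible?
    loader_size_of_image is the value a dumper read from the PEB loader entry
    (B0006.004 inflates it); when None, the header's own field is used."""
    res = {"header_intact": False, "size_of_image": loader_size_of_image,
           "sections_end": None, "size_of_image_inflated": False}
    if len(buf) < 0x40 or buf[:2] != b"MZ":
        return res                                          # header erased/tampered
    e_lfanew = struct.unpack_from("<I", buf, 0x3C)[0]
    if e_lfanew + 24 > len(buf) or buf[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return res
    coff = e_lfanew + 4
    nsect = struct.unpack_from("<H", buf, coff + 2)[0]
    opt_size = struct.unpack_from("<H", buf, coff + 16)[0]
    opt = coff + 20
    if res["size_of_image"] is None:
        res["size_of_image"] = struct.unpack_from("<I", buf, opt + 56)[0]
    sect = opt + opt_size
    end = 0
    for i in range(nsect):   # highest RVA any section reaches
        vsize, va = struct.unpack_from("<II", buf, sect + i * 40 + 8)
        end = max(end, va + vsize)
    res["header_intact"], res["sections_end"] = True, end
    res["size_of_image_inflated"] = end > 0 and res["size_of_image"] > inflation_factor * end
    return res
```

A dump flagged `header_intact: False` still contains the code pages; the header must be rebuilt from section layout before the module can be re-analyzed, which is the work the tampering and header-erasure methods aim to impose.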

Use in Malware

| Name | Date | Method | Description |
|---|---|---|---|
| Kraken | 2008 | -- | Dumping Kraken's c.dll module from the heap of its own process is tricky because its PE header is erased in memory. [4] |

Code Snippets

B0006.011 Snippet

Memory Dump::Code Encryption in Memory
SHA256: 304f533ce9ea4a9ee5c19bc81c49838857c63469e26023f330823c3240ee4e03

```asm
mov cl, 65h ; 'e'
mov al, 70h ; 'p'
mov [ebp+var_23], cl
mov [ebp+var_1F], cl
mov [ebp+String], bl
mov [ebp+var_12], bl
mov [ebp+var_2E], al
mov [ebp+var_2D], al
lea ecx, [ebp+String]
mov al, 74h ; 't'
mov bl, 2Eh ; '.'
push ecx
mov [ebp+var_13], 30h
mov [ebp+var_11], 30h
mov [ebp+var_10], 0
mov [ebp+cp]
mov [ebp+var_2F], 75h
mov [ebp+var_2C], 6Fh
mov [ebp+var_2B], 72h
mov [ebp+var_2A], al
mov [ebp+var_29], bl
mov [ebp+var_28], 62h
mov [ebp+var_27], 79h
mov [ebp+var_26], 69h
mov [ebp+var_25], dl
mov [ebp+var_24], al
mov [ebp+var_22], 72h
mov [ebp+var_21], bl
mov [ebp+var_20], dl
mov [ebp+var_1E], al
mov [ebp+var_1D], 0
call ds:atoi
add esp, 4
mov dword ptr [ebp+hostshort], eax
jmp short loc_401326
```

References

[1] J. Stüttgen and M. Cohen, "Anti-Forensic Resilient Memory Acquisition," in DFRWS USA 2013 Conference, 2013. [Online]. Available: https://dfrws.org/presentation/anti-forensic-resilient-memory-acquisition/.

[2] L. Maffia, D. Nisi, P. Kotzias, G. Lagorio, S. Aonzo, and D. Balzarotti, "Longitudinal Study of the Prevalence of Malware Evasive Techniques," arXiv:2112.11289, 21 Dec. 2021. [Online]. Available: https://arxiv.org/pdf/2112.11289.pdf.

[3] "PlugX: Memory Forensics Lifecycle with Volatility," Volatility Labs, blog, 6 Nov. 2015. [Online]. Available: https://volatility-labs.blogspot.com/2015/11/plugx-memory-forensics-lifecycle-with.html.

[4] "Kraken Changes Tactics," ThreatExpert, blog, Apr. 2008. [Online]. Available: http://blog.threatexpert.com/2008/04/kraken-changes-tactics.html.

[5] W. Assar, posts labelled "anti-dump," blog. [Online]. Available: https://waleedassar.blogspot.com/search/label/anti-dump.

[6] gironsec.com, packers.pdf. [Online]. Available: https://www.gironsec.com/code/packers.pdf.