In the previous post we looked at the HollowFind Volatility plugin and saw how it detects different process hollowing techniques and lists the processes that are victims of process hollowing. In this post let's look at another Volatility plugin called Psinfo. This plugin is similar to HollowFind, but instead of identifying the malicious processes it collects process-related information from the VAD (Virtual Address Descriptor) and PEB (Process Environment Block) and displays that information, along with any suspicious memory regions, for all the processes running on the system. The reason for writing this plugin is to collect process-related information without having to run multiple plugins.
The screenshot below shows some of the process-related information displayed by the psinfo plugin. As shown, the plugin gives the process name, process id, parent process information, creation time, command line, base address, and the full path to the process executable (from both the VAD and the PEB).
The plugin also displays similar processes (based on the process name) and any suspicious memory regions.
Psinfo Plugin Use Cases
In this section let's see how the psinfo plugin can help in an investigation.
a) Example 1
In the screenshot below pslist shows multiple instances of svchost.exe, and one of them (svchost..exe with pid 3832) is suspicious because its parent process id (3712) differs from that of the other svchost.exe processes, whose parent is services.exe. Also notice that the file name is not svchost.exe but svchost..exe (there is an additional dot character before the .exe extension); this is an attempt to blend in with legitimate processes.
Inspecting the suspicious process (pid 3832) with the psinfo plugin shows that it has no parent process name (probably because the parent has exited) and that it is running from the Startup directory. Even though there was an attempt to make it look like a legitimate svchost.exe process, the plugin helped in spotting the anomaly.
b) Example 2
In the example below there are two instances of winlogon.exe running.
From the psinfo plugin it can be determined that the winlogon.exe with pid 264 is malicious because it is running from the C:\system32 directory, whereas the legitimate winlogon.exe (pid 924) is running from the C:\WINDOWS\system32 directory. Also, the malicious winlogon.exe process does not have a parent process, whereas the legitimate winlogon.exe has smss.exe as its parent.
c) Example 3
Another use case of the psinfo plugin is to inspect processes that were started with command line arguments. In the screenshot below, running the psinfo plugin on a memory image infected with Enfal shows that the malware loads a malicious DLL (npkim.dll) and calls its export function RooUoo using rundll32.exe.
d) Example 4
Another use case of the psinfo plugin is to detect injected code. Psinfo detects suspicious memory regions in much the same way as the malfind Volatility plugin. In the screenshot below, running psinfo on a memory image infected with Spyeye shows the explorer.exe process injected with a malicious PE file and code.
These suspicious memory regions can be dumped using the -D option as shown below.
Submitting the dumped memory regions to VirusTotal confirms that the injected code is a component of Spyeye.
e) Example 5
Another use case of the psinfo plugin is to detect process hollowing. In the screenshot below the results from the VAD and PEB show a discrepancy in the process path, and the memory protection of the base address is PAGE_EXECUTE_READWRITE instead of PAGE_EXECUTE_WRITECOPY, indicating that the process was hollowed out and injected with executable code. Comparing the similar processes also shows that two lsass.exe processes have services.exe as their parent. This is suspicious because on a clean system lsass.exe is started by winlogon.exe on pre-Vista machines and by wininit.exe on Vista and later systems. This indicates that the two lsass.exe processes (pid 868 and 1928) are malicious.
f) Example 6
In the screenshot below psinfo flagged a memory region as suspicious because it has PAGE_EXECUTE_WRITECOPY protection but does not contain a PE file. As mentioned in my previous post, some malware uses this technique to hide from forensic analysis.
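As an added example that is not part of the original post or of the plugin's own code, the following Python script applies the anomaly checks used in Examples 1, 2 and 5 above (look-alike image names, a core system image running outside system32, a missing or unexpected parent, a VAD/PEB path mismatch, and a PAGE_EXECUTE_READWRITE image base) to constructed process records. The expected-parent table, the record layout and the sample records are assumptions for illustration, not psinfo output.

```python
import ntpath
import re
SYSTEM_DIR = r"c:\windows\system32"
# Assumed parent table from the post: svchost<-services, winlogon<-smss, lsass<-winlogon/wininit.
EXPECTED_PARENT = {"svchost.exe": {"services.exe"}, "winlogon.exe": {"smss.exe"},
                   "lsass.exe": {"winlogon.exe", "wininit.exe"}}

def lookalike(name):
    """Known name that a look-alike such as 'svchost..exe' imitates, else None."""
    squash = lambda s: re.sub(r"[^a-z0-9]", "", s.lower())
    hits = [k for k in EXPECTED_PARENT if k != name.lower() and squash(k) == squash(name)]
    return hits[0] if hits else None

def check_process(proc, by_pid):
    """Apply the post's anomaly checks to one record; returns a list of findings."""
    findings = []
    name = proc["name"].lower()
    target = lookalike(name)
    if target:
        findings.append("name imitates %s" % target)
    effective = target or name
    if effective in EXPECTED_PARENT:  # checks that only make sense for core OS images
        if ntpath.dirname(proc["vad_path"].lower()) != SYSTEM_DIR:
            findings.append("runs outside system32: %s" % proc["vad_path"])
        parent = by_pid.get(proc["ppid"])
        if parent is None:
            findings.append("parent pid %d not found (exited?)" % proc["ppid"])
        elif parent["name"].lower() not in EXPECTED_PARENT[effective]:
            findings.append("unexpected parent %s" % parent["name"])
    if proc["vad_path"].lower() != proc["peb_path"].lower():  # hollowing indicator
        findings.append("VAD/PEB path mismatch (hollowing?)")
    if proc["base_protection"] == "PAGE_EXECUTE_READWRITE":  # image base should be WRITECOPY
        findings.append("image base is PAGE_EXECUTE_READWRITE")
    return findings

def scan(procs):
    # Map pid -> findings for every record with at least one anomaly.
    by_pid = {p["pid"]: p for p in procs}
    return {p["pid"]: f for p in procs if (f := check_process(p, by_pid))}

def rec(name, pid, ppid, vad, peb=None, prot="PAGE_EXECUTE_WRITECOPY"):
    return {"name": name, "pid": pid, "ppid": ppid, "vad_path": vad,
            "peb_path": peb or vad, "base_protection": prot}
S32 = r"C:\WINDOWS\system32"
SAMPLE = [  # constructed records echoing the post's examples, not real plugin output
    rec("services.exe", 672, 624, S32 + r"\services.exe"),
    rec("svchost.exe", 1000, 672, S32 + r"\svchost.exe"),
    rec("svchost..exe", 3832, 3712, r"C:\Documents and Settings\Admin\Start Menu\Programs\Startup\svchost..exe"),
    rec("lsass.exe", 868, 672, S32 + r"\lsass.exe", r"C:\WINDOWS\Temp\lsass.exe", "PAGE_EXECUTE_READWRITE"),
]
```

Running `scan(SAMPLE)` flags only pids 3832 and 868, with the same three observations each that the post draws from the screenshots.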
Conclusion
In this blog post we looked at the psinfo plugin, which collects process-related information from the VAD (Virtual Address Descriptor) and PEB (Process Environment Block) and displays that information, along with any suspicious memory regions, for all the processes running on the system. We also saw how this plugin can help in a forensic investigation by detecting process anomalies and suspicious memory regions. This plugin should also allow a security analyst to get process-related information without having to run multiple plugins.
Download Link: Psinfo Plugin