Hiding Process Memory Via Anti-Forensic Techniques – Frank Block – BH2020

Malware authors constantly search for new ways of hiding their activity and content from the eyes of analysts. In order to help the malware authors in their constant struggle ;-), we introduce three novel methods that prevent malicious user space memory from appearing in analysis tools and that additionally make that memory inaccessible from a security analyst's perspective, on both Windows and Linux. We also cover different approaches for detecting the hidden memory and are releasing various Volatility 3 and Rekall plugins. The last piece of our release is a set of PoC implementations for all subversion techniques on Windows and Linux, plus an upgraded version of one of the subversion techniques that is controllable from a C&C server. Visit https://securityweekly.com/summercamp2020 to view the Live Stream and previously recorded micro-interviews.

Chat live with the Security Weekly Staff, Hosts, and Guests in our Discord Server: https://discord.gg/pqSwWm4

Full Episode Show Notes

Hiding Process Memory Via Anti-Forensic Techniques

Segment Resources:
https://www.blackhat.com/us-20/briefings/schedule/index.html#hiding-process-memory-via-anti-forensic-techniques-20661
https://github.com/f-block/BlackHat-USA-2020
https://github.com/DFRWS-memory-subversion/

Hosts

Paul Asadoorian – Founder & CTO

Guests

Frank Block – Security Researcher