Hiding Process Memory via Anti-Forensic Techniques

Offered By: Black Hat via YouTube

Course Description

Overview

Explore advanced anti-forensic techniques for hiding process memory in this 37-minute Black Hat conference talk. Delve into three novel methods that keep malicious user-space memory from appearing in analysis tools and make it inaccessible to security analysts. Learn about the process address space, paging, and the three techniques themselves: PTE subversion, PTE remapping, and PTE erasure. Evaluate the effectiveness of these techniques against both memory forensics and live forensics. Examine considerations for modified PFN remapping on Windows, MAS remapping detection, and PTE subversion detection on both Windows and Linux. Analyze shared memory subversion detection, the test environment, and the detection evaluation (including false positives) on each operating system. Compare the techniques from an attacker's point of view, and discuss the limitations and future work in this area of anti-forensic research.

Syllabus

Intro
Agenda
Introduction
Process Address Space
Paging
Overview
PTE Subversions
PTE Remapping
PTE Erasure
Evaluation - Memory Forensics
Evaluation - Live Forensics
Considerations
Modified PFN Remapping on Windows
MAS Remapping Detection
PTE Subversion Detection - Windows
PTE Subversion Detection - Linux
Shared Memory Subversion Detection
Test environment
Detection Evaluation - Windows
Detection Evaluation - Linux
False Positives - Windows
False Positives - Linux
Comparison - Attacker's Point of View
Conclusion
Limitations
Future Work

Taught by

Black Hat