
SNOW Live Memory forensics: analyzing suspicious code

To Arc4dia’s hunters, malware is not merely a file alert on disk; it is a live, running computation. Especially on Windows systems, these computations use a whole bag of tricks to hide themselves inside legitimate processes, much the way a parasite hides in its host.

These tricks include DLL injection, thread injection, process hollowing and so on.

SNOW, Arc4dia’s EDR solution, detects such hidden computations by carefully balancing the memory accounts of every running process on a system. Whenever something does not check out, the fact is immediately reported to our central analytics database and an investigation is opened.

For instance, the SNOWboard interface suggests here that a process on a machine is possibly the target of process hollowing. This means that one of its code segments is very much different from the code stored on disk for that module. This worries me, so I would very much want to analyze this suspicious code. Fortunately, I can quickly get a dump of this memory segment by sending a command to that machine’s agent. I overscore the address of the memory segment, I input its size, and away it goes.

In a matter of minutes, I get the response from the agent. I can now download a copy of this segment and throw it into IDA Pro to figure out what this suspicious code does.
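The check behind that alert, comparing a module’s executable section as mapped in the live process with the same section from the PE image on disk, as an added example (not SNOW’s own code). It works on byte buffers you have already obtained, so it runs anywhere; the section bytes, the 0x7FF600001000 base and the 25% threshold are constructed values.

```python
from dataclasses import dataclass

@dataclass
class Verdict:
    changed_bytes: int          # bytes that differ between disk and memory
    ratio: float                # fraction of the section that differs
    ranges: list                # [(section_offset, length), ...] differing runs
    suspicious: bool

def diff_ranges(disk: bytes, mem: bytes, merge_gap: int = 16) -> list:
    """Runs where mem differs from disk; runs separated by at most merge_gap
    identical bytes are merged so one patched function reports as one region."""
    ranges, start, last = [], None, 0
    for i in range(min(len(disk), len(mem))):
        if disk[i] != mem[i]:
            if start is None:
                start = i
            last = i
        elif start is not None and i - last > merge_gap:
            ranges.append((start, last - start + 1))
            start = None
    if start is not None:
        ranges.append((start, last - start + 1))
    return ranges

def assess(disk: bytes, mem: bytes, threshold: float = 0.25) -> Verdict:
    """Wholesale replacement (hollowing) changes most of the section; a handful
    of short runs looks more like an inline hook and stays below the threshold."""
    changed = sum(1 for a, b in zip(disk, mem) if a != b) + abs(len(disk) - len(mem))
    ratio = changed / max(len(disk), len(mem), 1)
    return Verdict(changed, ratio, diff_ranges(disk, mem), ratio > threshold)

def dump_requests(section_base: int, verdict: Verdict) -> list:
    """(address, size) pairs to request from the agent, as in the walkthrough
    above: only the differing regions, not the whole process."""
    return [(section_base + off, length) for off, length in verdict.ranges]

# Constructed sample: a 4 KiB stand-in for a .text section (not real code).
DISK_TEXT = bytes(range(256)) * 16
MEM_HOOKED = bytearray(DISK_TEXT)
MEM_HOOKED[0x100:0x105] = b"\xe9\x00\x10\x00\x00"   # 5-byte patch at one function
MEM_HOOKED = bytes(MEM_HOOKED)
MEM_HOLLOWED = bytes(b ^ 0x5A for b in DISK_TEXT)   # every byte replaced

if __name__ == "__main__":
    for name, mem in (("hooked", MEM_HOOKED), ("hollowed", MEM_HOLLOWED)):
        v = assess(DISK_TEXT, mem)
        print(name, f"ratio={v.ratio:.4f}", "suspicious" if v.suspicious else "below threshold",
              [(hex(a), s) for a, s in dump_requests(0x7FF600001000, v)])
```

On a real module the on-disk section must have base relocations applied (and import thunks excluded) before the comparison, or a cleanly loaded DLL will show spurious differences.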

Compare this to current approaches to memory forensics. Analysts must obtain a memory dump of the full process, possibly even of the whole machine. This dump must be gathered through in-person access to the machine, which may disrupt the work of all its current users. Perhaps the analyst has a tool to do this work remotely, but then the data transfer implied by the memory dump may impact network performance for the whole organization.

SNOW removes all these transactional costs from memory forensics, enabling its live execution for exploratory purposes. SNOW, as an EDR solution, helps IT security staff stay on top of the computations running all across their networks.