Windows memory forensics: Identification of (malicious) modifications in memory-mapped image files

Memory forensics plays a crucial role for the analysis of sophisticated malware, especially with memory-only variants, and has in the past extended its capabilities for detecting various attacker techniques. Several of these techniques affect the memory of victim processes, partly resulting in suspicious private memory regions, but others affect especially the memory-mapped image files (executables and DLLs). One infamous example are API hooks, which commonly are used to redirect the control flow by modifying a few bytes/instructions in the existing code of memory-mapped image files. Other examples are AMSI and ETW bypasses, which also modify just a few bytes, and Module Stomping which has a larger modification effect. While there are already tools for the detection of modified pages and these attacker techniques, one disadvantage they have in common is the inability to pinpoint the exact modified bytes. Instead, they either report modifications on a page level, which means to present 4096 instead of only 3 bytes that actually have been modified, or they use pattern matching in order to identify malicious traces. In this work, we will show that current detection approaches fail to reliably identify modified image-file pages, and even if not, miss some malicious modifications. We then present our novel approach to reliably detect modified pages and to reveal the exact bytes/instructions that have been modified, while filtering benign modifications. With this work we also release a Volatility 3 plugin named imgmalfind, which implements our approach and reports potentially malicious modifications, enriched with some analysis details.