Detecting and Identifying Hidden Processes (Volatility Edition)

Adversaries use many mechanisms to operate in stealth mode, often in ways that even traditional and modern detection methods fail to catch. In cybersecurity, we have a term for a particular variant of malware with this capability: rootkit.

In my opinion, not every piece of malware is a rootkit, but some special malware can have rootkit-like functionality. We can’t simply say that any malware capable of manipulating kernel objects to hide processes is a rootkit, because nowadays most malware incorporates functionalities from other variants.

For example, a worm has the ability to self-propagate across computer networks. Interestingly, a stealer generated by the BlackNet botnet has similar capabilities.

In this article, we will discuss the Prolaco worm. Prolaco is not a rootkit, but it does have the ability to manipulate kernel objects and hide its own processes.

In this edition, we will focus on using Volatility for analysis. In the next article, Inshallah, we will explore how to identify hidden processes on a live machine.

Lab Preparation

  1. Download Volatility (Standalone Version)

    • Download the file volatility_2.6_win64_standalone.exe from:
      https://sourceforge.net/projects/forensiczone/files/PTFinder2018/volatility_2.6_win64_standalone.exe/download

    • After downloading, rename the file to vol.exe for convenience.

  2. Download the Sample Memory Image

    • Download the Prolaco worm memory image from:
      https://github.com/ganboing/malwarecookbook/blob/master/15/6/prolaco.vmem.zip

    • Extract the .vmem file from the downloaded ZIP archive.

The first step in our analysis is to determine the correct profile for the memory image, as this tells Volatility how to interpret the operating system structures in the captured memory. In our case, we run the command vol.exe -f prolaco.vmem imageinfo, which instructs Volatility to scan the prolaco.vmem file and detect details such as the operating system version, service pack level, architecture, and kernel debug information. Based on this scan, Volatility will suggest the most appropriate profile to use for further analysis, along with additional metadata about the memory capture that can help guide our investigation.

I will select WinXPSP3x86 as my profile; you can also select WinXPSP2x86. The image works with both, but some Volatility commands don’t support WinXPSP2x86. For example, the netscan command shows the following error:
ERROR : volatility.debug : This command does not support the profile WinXPSP2x86

The next commands I would like to use are pslist and pstree to view a list of processes. The pslist command is similar to the Windows tasklist command, and its name originates from the Unix/Linux ps command, which also lists running processes.

In addition, pstree provides extra information by showing the parent–child relationships between processes. In contrast, pslist (or simply the Windows tasklist) does not display these hierarchical relationships.


pstree version:

Next, let’s check for network connections, specifically any remote connections that a process may have established with an external IP address on various port numbers.


It appears that a remote connection has been made to a suspicious IP address. However, here’s something that should draw your attention: we don’t see the process with PID 1336 in either pstree or pslist. This could indicate that a process is hidden and remaining stealthy on the machine.

The challenge is that we’re not working on a live system; we only have a memory image and a single toolkit, the Volatility Framework. Fortunately, Volatility has another command, psscan, which can help reveal hidden processes. The output of psscan is shown below:

Booo! As you can see, we’ve found the process with PID 1336, and its name is 1_doc_RCData_61. Based on the name, I have a hunch that “RC” might stand for Resources. This could suggest that the executable is embedded in the resources section of a file.
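As an added example (not part of the original article or of Volatility itself), the following Python script automates the cross-check performed above: it parses pslist, psscan and connections output and reports PIDs that psscan or the connection table knows about but pslist does not. The embedded listings are constructed samples in the Volatility 2.6 column layout, not the real output from prolaco.vmem; the offsets, PPIDs and the remote IP address are made up.

```python
import re

# Constructed sample output in the column layout of Volatility 2.6 pslist, psscan and
# connections (not real output from prolaco.vmem; offsets, PPIDs and the IP are made up).
PSLIST_OUT = """Offset(V)  Name                    PID   PPID   Thds     Hnds   Sess  Wow64 Start
---------- -------------------- ------ ------ ------ -------- ------ ------ ------------------------------
0x810b1660 System                    4      0     56      256 ------      0
0x81e0b020 smss.exe                544      4      3       21 ------      0 2010-08-11 06:06:21 UTC+0000
0x81d9e020 explorer.exe           1724   1700     12      337      0      0 2010-08-11 06:06:30 UTC+0000
"""
PSSCAN_OUT = """Offset(P)  Name             PID   PPID PDB        Time created                   Time exited
---------- ---------------- ------ ------ ---------- ------------------------------ ------------------------------
0x010b1660 System                4      0 0x00319000
0x01e0b020 smss.exe            544      4 0x08140020 2010-08-11 06:06:21 UTC+0000
0x01d9e020 explorer.exe       1724   1700 0x08140200 2010-08-11 06:06:30 UTC+0000
0x01e56da0 1_doc_RCData_61    1336   1724 0x081401a0 2010-08-11 06:09:38 UTC+0000
"""
CONNECTIONS_OUT = """Offset(V)  Local Address             Remote Address            Pid
---------- ------------------------- ------------------------- ---
0x81e87620 192.168.0.19:1046         203.0.113.5:80            1336
"""

# Both process listings start each row with an offset, then Name, PID, PPID.
PROC_RE = re.compile(r"^0x[0-9a-fA-F]+\s+(.+?)\s+(\d+)\s+(\d+)\s")
CONN_RE = re.compile(r"^0x[0-9a-fA-F]+\s+(\S+)\s+(\S+)\s+(\d+)\s*$")

def parse_processes(output):
    """Map PID -> process name from pslist or psscan output."""
    procs = {}
    for line in output.splitlines():
        m = PROC_RE.match(line)
        if m:
            procs[int(m.group(2))] = m.group(1)
    return procs

def parse_connection_pids(output):
    """Set of PIDs that own a socket, taken from 'connections' output."""
    return {int(m.group(3)) for m in map(CONN_RE.match, output.splitlines()) if m}

def find_hidden_processes(pslist_out, psscan_out):
    """Processes that pool-tag scanning (psscan) finds but the EPROCESS list walk (pslist) misses."""
    listed, scanned = parse_processes(pslist_out), parse_processes(psscan_out)
    return sorted((pid, name) for pid, name in scanned.items() if pid not in listed)

def connections_without_listed_owner(pslist_out, conn_out):
    """Connection-owning PIDs that pslist cannot account for: a second hiding indicator."""
    listed = parse_processes(pslist_out)
    return sorted(pid for pid in parse_connection_pids(conn_out) if pid not in listed)
```

To use it on the real image, save the output of vol.exe -f prolaco.vmem --profile=WinXPSP3x86 pslist, psscan and connections to files and pass their contents to the two functions; a non-empty result is the signal to pivot into the unlisted PID, as the article does with 1336.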


This concludes our article. In the next installment, Inshallah, we will conduct further threat hunting and then execute the actual malware in a live lab environment. We will use specialized software and toolkits such as Windows Kernel Explorer, PowerTool, and Hidden Process Detector to locate hidden processes.
