This is the online repository for the paper "Hiding Process Memory via Anti-Forensic Techniques" by Ralph Palutke, Frank Block, Patrick Reichenberger and Dominik Stripeika. It contains all material referenced in the paper.

rekall_framework contains the Rekall version used during the evaluation. It is based on Rekall's Commit 041d696 but with our modifications: Commit b1c7888

Those modifications are required in order for the detection approaches to work.

The MAS remapping and PTE subversion implementation has mainly been done by Patrick Reichenberger (for Linux) and Dominik Stripeika (for Windows): Commit 9239d82

But it was modified for the evaluation of this paper: Commit 2cdd26e (it's the current state of the code).

The Rekall plugins for the shared memory subversion detection are in the folder detection. They depend on our modifications to the Rekall framework.

Most actions have been done within a GUI. Exception is searching for malicious data and creating process dumps within WinDbg:

s -a 0 L?0x7fffffffffff "what.the.eyes"

.dump /mfFhutipwdc c:\users\user\procdump_windbg_mfFhutipwdc_hidden.dmp
.dump /ma c:\users\user\procudmp_windbg_ma_hidden.dmp
.dump /f c:\users\user\procdump_windbg_f_hidden.dmp

.dump /mfFhutipwdc c:\users\user\procdump_windbg_mfFhutipwdc_unhidden.dmp
.dump /ma c:\users\user\procdump_windbg_ma_unhidden.dmp
.dump /f c:\users\user\procdump_windbg_f_unhidden.dmp

Checking MASs and handles:

cat /proc/$(pidof norm-process)/maps
ls -lah /proc/$(pidof norm-process)/fd/

Creating core dump:

gcore -o gcore_coredump $(pidof norm-process)

Searching for malicious memory and creating core dump in gdb:

find 0x7f6ca27aa000,+0x1000,'w','h','a','t','.','t','h','e','.','e','y','e','s'
find 0x7f6ca27aa000,+0x2000,'T','h','e',' ','m','a','l','i','c','i','o','u','s',' ','a','c','t','i','o','n'

generate-core-file