Memory Analysis using Volatility - apihooks
Volatility is a tool for extracting digital artifacts from volatile memory (RAM) samples. It is built around a set of plugins, each of which pulls a particular kind of artifact out of the dump quickly and with little manual effort.
apihooks – a Volatility plugin that detects API hooks in process and kernel memory.
From an incident response perspective, the volatile data residing in a system's memory holds rich information such as passwords, credentials, network connections, traces of malware intrusion and registry hives, much of which is never written to the local hard disk, so it can be a valuable source of evidence. This makes memory one of an investigator's favorite data sources for digital forensics, and knowing the right tool to dump and analyze it is a must.
We use the Volatility apihooks plugin to detect API hooking. Running the plugin directly at the command prompt prints a lot of information, so for convenience we redirect the result to a .txt file and review it later with a tool such as Notepad or Notepad++.
The image below is a sample apihooks result in which regsvr32.exe has a hook on !DeleteFileW, and for each hook we see several pieces of information:
- Hook mode: Usermode
- Hook type: IAT
- Hooking module, i.e. the module responsible for the hook (an .exe hooking a function is not normal; legitimate hooks almost always come from a DLL)
- Hooked function
Because DeleteFileW is hooked, the malware takes away the user's ability to delete the sample itself from disk.
Our syntax will be like: vol.exe -f <mem_dump> --profile=<OS_version> apihooks -p <PID> > <destination.txt>
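Once the output has been saved to a text file, the triage rules above (an .exe acting as the hooking module, a hooking module Volatility cannot attribute, or a hook on DeleteFileW) can be applied automatically. The script below is an added example, not code from the original post or from the Volatility project; it assumes the record layout of Volatility 2's apihooks text output, and the embedded sample (PIDs, addresses) is constructed. To use it on a real dump, pass the contents of the redirected .txt file to parse_apihooks instead of SAMPLE_OUTPUT.

```python
import re
# Constructed sample in the layout of Volatility 2's apihooks text output
# (separator line followed by header fields); PIDs and addresses are made up.
SAMPLE_OUTPUT = """\
************************************************************************
Hook mode: Usermode
Hook type: Import Address Table (IAT)
Process: 1860 (regsvr32.exe)
Victim module: regsvr32.exe (0x00400000 - 0x0040a000)
Function: kernel32.dll!DeleteFileW at 0x00402010
Hooking module: regsvr32.exe
************************************************************************
Hook mode: Usermode
Hook type: Inline/Trampoline
Process: 1860 (regsvr32.exe)
Victim module: ntdll.dll (0x7c900000 - 0x7c9af000)
Function: ntdll.dll!LdrLoadDll at 0x7c9163a3
Hooking module: <unknown>
"""
# One "Key: value" header line; disassembly lines that follow a real record do not match.
FIELD_RE = re.compile(r"^(Hook mode|Hook type|Process|Victim module|Function|Hooking module): (.*)$", re.M)

def parse_apihooks(text):
    """Split the report on its asterisk separator lines; return one dict per hook record."""
    hooks = []
    for record in re.split(r"^\*{10,}$", text, flags=re.M):
        fields = dict(FIELD_RE.findall(record))
        if "Function" in fields:
            fields["Function"] = fields["Function"].split(" at ")[0]  # drop " at 0x..."
            hooks.append(fields)
    return hooks

# Exports whose hooking is a self-protection sign, as with DeleteFileW in the text.
WATCHED = {"kernel32.dll!DeleteFileW"}

def suspicious(hooks):
    """Page's triage rules: hooking module is an .exe, is <unknown>, or hooks a watched export."""
    flagged = []
    for h in hooks:
        reasons = []
        if h["Hooking module"].lower().endswith(".exe"):
            reasons.append("exe hooks a function")
        if h["Hooking module"] == "<unknown>":
            reasons.append("hooking module unknown")
        if h["Function"] in WATCHED:
            reasons.append("watched function")
        if reasons:
            flagged.append((h["Process"], h["Function"], reasons))
    return flagged
```

The hooking-module rules are heuristics for prioritising review, not proof of malice: legitimate security products also install user-mode hooks, so each flagged record still needs its disassembly checked.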