
Reconstructing Meterpreter sessions from memory

Peter Silberman and Steve Davis (both from Mandiant) found a method to detect the use of Metasploit's Meterpreter and to reconstruct the session, uncovering the attacker's tracks. They will present their findings at Black Hat this summer.

"During this talk we discuss accessing physical memory for the purpose of acquiring a specific process's address space. Process address space acquisition includes DLLs, EXEs, stacks and heaps. This includes memory resident modules. We describe in detail how meterpreter operates in memory and specifically how memory looks when meterpreter scripts/commands are executed and the residue these scripts create in the exploited process's memory space. Finally, we tie all this knowledge together and discuss how to reconstruct a meterpreter session – completely from memory – and determine what the attacker was doing on the exploited machine."
