Nowadays there’s a big use of virtualization; tools like VMware, VirtualPC and others are daily used. There are some differencies between the original and the virtualized environment, but to study a malware under a protected blackbox it’s very comfortable. You can study their behaviour without any problems.
Just today, while I was running a malware, I got this foolish idea: can I identify hidden files using VMware’s snapshots?
Under VMware you can save the current state of a virtual machine taking a snapshot of the running guest system. The snapshot is stored somewhere in the guest’s OS folder, it simply needs some files. I’m interestered in one file only, the one containing the guest’s memory. The memory is saved inside a file with .vmem extension.
The idea is to take two snapshots (a virgin and an infected system), and then compare the two files. The main problem is that a single snapshot needs a large amounts of bytes, around 260 Mb on my system. Comparing the snapshots using an hex editor is madness. I decided to write a simple application able to compare two files string to string. Why only strings?
Well, how can I identify an hidden file simply looking at a “memory dump”? The answer is simple: the only thing able to reveal a trace is a string containing the name of the hidden file, nothing more. So, I extract all the strings from the virgin snapshot and then I compare them with all the strings from the infected snapshot. Yes, it’s a foolish idea but it helps me to pass a boring afternoon.
The program is pretty simple and easy to implement, here’s the program in action:
The upper listbox control shows all the strings inside the virgin snapshot. To fill the second listbox control I simply search for all the strings inside the snapshot displaying the ones which are not inside the upper listbox.
The most important part of the program is the internal “search engine”. To speed up the program you have to search for specific strings. To view the results in a quick way I simply search for strings with extension “.sys”, “.dll” or just “.exe”. That’s because these are the file extensions of the files that are always hidden. You can improve the search engine adding some more rules (i.e. string must have “system32” or “windows” inside) but the result won’t change: you can always see some interesting strings.
I tried the program running two malwares: Lager and Nailuj.
Lager malware hides a file named taskdir.exe and Nailuj hides videoati0.sys/dll/exe.
In both cases, I can see some strings referring to the hidden files. Here is a screenshot for Lager:
The string is somewhere in the memory, I’m not interested in its position but in the string itself: it exists!
There are some good tools out there able to show hidden files but sometimes they fail. When they fail you can try with this approach.
I’ll test this approach with some more malwares in the next days. If you want I can share the “Compare snapshots” program, just drop me a mail or write a comment right here.