Look for processes in /proc/<PID>/exe where the path shows "(deleted)"
Here are two examples๐ 1. BPFDoor deleted binary 2. An attacker abusing memfd_create() to exec their malware in RAM w/o dropping files to disk.
2\ To recover/extract these binaries running in memory - you can copying them out from this location:
/proc/<PID>/exe
Also as an FYI for memfd_create() abuse detection you can hunt for the "memfd: (deleted)" string directly.
3\ You can also review what command line spawned the pid by reviewing:
/proc/<PID>/cmdline
This screenshot shows the cmdline used for the memdf_create() reverse shell. There are a lot of other interesting things you can also review in /proc/PID
4\ Btw if you're interested in the memdf_create() technique if you're a redteamer/pentester check out this awesome presentation discussing this technique
2\ Most IR analysts are taught to detect timestomping using two methods:
> Compare $FI vs $SI times in the MFT
> Look for 0s in timestamp nanoseconds
These two detections are NOT foolproof - they will catch simple cases. Attackers can set nanoseconds and modify $FN time!
3\ Why should you care?
Most forensic courses teach these 2 detections without introducing more variables. A lot of analysts treat what they are taught as the "bible" without questioning it and when it comes to detecting these anomalies... critical evidence may be missed.
2\ Each process in Windows is represented by an "EPROCESS" structure.
These EPROCESS blocks are joined in a doubly linked list structure. The flink (forward link) tells you the next process running and blink (backwards link) tells you the previous process.
3\ When you see a list of processes on a live system, often times this is gathered by walking this doubly-linked structure of EPROCESS blocks.
Of course malware can unlink a process in this doubly linked list to hide from detection :P
1\ #MalwareAnalysis: Detecting Process Hollowing
The first pattern to look for are any calls to create processes in a suspended state:
> CreateProcessA
"dwCreationFlags" set 0x04 CREATE_SUSPENDED
Purpose is to disguise malicious code in a legit exe by replacing the contents.
2\ Following the process being started in a suspended state... (usually svchost.exe but who's counting). Then there are API calls to native/non native APIs:
3\ Other ones:
> NTResumethread
> NTwritevirtualmemory
> ntsetcontextthread
The logic is to look for signs of processes being started in suspended state - then the process being hollowed, replaced with "malicious" contents and resuming of execution.