Malware and Memory Actions/Objects


Kirillov, Ivan A.

Hi Everyone,

One of the less defined sections of MAEC, especially in the dynamic analysis context, is with regards to malware and actions on memory. Right now we only have two abstract action names defined, Write To Process Virtual Memory, and Allocate Virtual Memory in Process, both of which we derived from their respective Win32 Kernel API calls (ZwWriteVirtualMemory and ZwAllocateVirtualMemory, respectively).

Similarly, the current CybOX generic memory object (http://cybox.mitre.org/XMLSchema/objects/Memory_Object.xsd) only covers hashes, start address, and region size.

As such, there’s clearly more we can cover (we will definitely be taking a look at Volatility and other related tools), but I wanted to gather other thoughts and opinions on this topic before we started delving into it. Is there something like a minimum set of actions, objects, and attributes that we should cover? Are there any particular areas that we direly need to add (e.g. heap-related stuff)? Should we be covering platform-specific constructs, like the memory protection flags in Windows?

Regards,

Ivan

Ivan Kirillov

MAEC Working Group
The MITRE Corporation