Malware that is capable of monitoring hardware devices poses a significant threat to the privacy and security of users and organizations. Common capabilities of such malware include keystroke logging, clipboard monitoring, sampling of microphone audio, and recording of web camera footage. All modern operating systems implement APIs that provide hardware access to processes, and all have been abused to monitor the activity of journalists and dissidents, conduct espionage operations, and gather data needed for blackmail. Existing memory forensic methods for detecting these techniques are largely confined to malware that operates within kernel space. The use of kernel rootkits has waned in recent years, though, as operating systems have sharply locked down access to kernel memory. These limitations placed upon kernel rootkits, along with the easy-to-use userland APIs that allow access to hardware devices, have led to many device monitoring malware samples that operate solely within process memory. Unfortunately, current methods for detecting such malware are severely outdated or completely lacking. Live forensics has been attempted, but it relies on system APIs, and these APIs are often hooked by malware to hide its activity. Partial memory forensics techniques for Windows exist but are outdated, and there are device monitoring techniques across operating systems that have no detection support. Given the recent emphasis on memory analysis, such as in CISA directives related to ProxyLogon and SolarWinds, it is imperative that memory forensic techniques are able to properly detect modern threats.
In this presentation, we describe our effort to develop algorithms capable of detecting userland device monitoring malware across all major operating systems. This work produced several Volatility plugins that are capable of automatically locating all information about processes that are monitoring hardware devices. We plan to contribute our Volatility additions to the community during SecTor.