docMichael Cohen Johannes Stuettgen
download 
Report Transcription
Michael Cohen Johannes Stuettgen
Forensic Memory
Analysis
We can remember it for you wholesale!
Michael Cohen
Johannes Stuettgen
Introduction
● Why memory forensics?
● What can Rekall do for me?
● Symbols and debugging information.
○ How does Rekall support multiple operating systems
and versions?
● Memory imaging
○ Linux.
○ Windows.
http://bit.ly/DFRWS_2014_Rekall_Workshop
short (http://goo.gl/eLljm7)
Memory Forensics - Why?
● Live response.
○ Can quickly triage a system.
● Capture of memory freezes system state.
○ As memory is volatile we can minimize interference
with memory.
○ Analysis does not use the system APIs.
● Memory analysis technology evolves with
time.
○ We used to only have grep :-)
○ NIST reference image: xp-laptop-2005-06-25.img:
■ Registry dump
■ Passwords
■ Screenshots
Popular open source tools
● Two popular open source tools:
○ Volatility - Current release 2.3.1 - supports XP-Win7,
OSX, and Linux.
■ Supports many Windows versions out of the box
with embedded profiles
●
approx 20 different profiles WinXPSP2x86, Win7SP1x64
○ Rekall - A fork (rewrite) of Volatility from 2013.
■ Vastly different design philosophy:
●
Profiles are not distributed with the tool - they are hosted on a
public profile repository - Fetched on demand.
●
Approximately 100 different windows kernel versions from
WinXP to Win8.1 for x86 and amd64 architectures.
●
Profiles also contain exact symbol addresses for specific
The Rekall Memory Forensics
Framework.
● Project page:
http://rekall-forensic.com/
○ Supports OSX, Linux, Windows XP to Win8.1.
● We will be mainly using Rekall.
○ We will explain differences in the two tools
throughout.
Installing Rekall
Installing Rekall for windows
● Binary Windows Installer:
http://downloads.rekall.googlecode.
com/git/Rekall/binaries/
● For Linux and OSX:
pip install rekall
● From Source:
git clone https://code.google.com/p/rekall/
cd rekall
python setup.py install
Rekall interfaces
● Command line
○ Simple one shot execution.
● Text Console
○ Interactive ipython console.
● Notebook
○ Interactive web based document system.
● Web Console
○ A new web console we implemented from scratch
with Rekall specific UI.
Command line interface
● Single shot set and forget:
rekall --verbose -f myimage.dd pslist --pid 2014
Global options
Plugin name
Plugin Options
● Valid plugin names depend on the profile.
● Help is different depending which part it is:
Shows Global options
rekall --help
Shows Global options
plugins relevant to
rekall -f myimage.dd --help and
this image.
rekall -f myimage.dd pslist --help Shows options specific to pslist
Console interface
When not providing a plugin drops into an
interactive session.
● Can run plugins and python code
interactively.
● Interactive console is much more efficient for
real analysis due to use of caching.
● Can get help and command line completion.
Rekall interactive interface
Notebook interface
● Based around the ipython notebook.
○ rekall notebook
● Can mix Rekall plugins, Python code and
formatted Markdown text.
Rekall Notebook interface
Webconsole interface
● Custom webinterface to Rekall
○ rekall webconsole
○ starts up on localhost:5000
● Similar capabilities as the Notebook
○ More tailored to Rekall
○ Work in progress
Rekall Webconsole interface
Lets do forensics!
Imaging and
Acquisition
Part 1: Imaging
● Before we can analyse memory we need to
take an image of it.
● The imaging tool inserts a kernel driver
which provides access to the physical
memory.
○ On 64 bit systems the driver must be signed.
● We can choose the format the image will be
written in.
○ ELF Core format is more efficient since it is sparse.
○ Image can be converted later to windows
Crashdump which can be loaded by windbg.
Run Rekall as admin on Windows 8
We can call Winpmem from Rekall
Linux Memory Acquisition
● Compile pmem module on target and load it
○ make pmem
● Use LMAP if you can’t compile on target
○ lmap -a dump.elf
● Create Profile for target kernel
○ make profile
Virtual Memory
and Paging
Virtual Memory and Paging
● How does virtual memory work?
● Why are images padded, what's the
difference in formats?
● We can see a string in the image - where
does it come from?
● Why do I get a 2gb file when I dump out a
single process address space?
Virtual Memory and Paging.
Pages
Frames
Virtual Address
Shared Memory
Overcommited
Physical Address
Backed Mem
Paged out
Backed Mem
Physical Memory
Page File
Process A
Virtual Memory
Process B
Virtual Memory
Virtual Memory and Paging.
● Paging allows different processes to have
their own unique view of physical memory:
○ Physical memory can be shared between processes
○ Physical memory can be assigned to a specific
process's use without being accessible from other
processes.
○ Processes can request memory to be mapped into
their virtual address space which is not yet backed
by physical memory (overcommitted).
○ A process’s memory can be paged out to disk.
○ A process may map a file into its address space the kernel will automatically read from the file when
Paging in 32 bit model.
Virtual Address
Page Directory Index
CR3
Page Table Index
Byte Index
Directory Table Base (DTB)
Page Frame
PTN
PTE
Page Directory
Page Tables
Physical Memory
The CR3 register.
● Paging is done automatically by the MMU in
hardware.
○ All the CPU has to do is store the address of the
current Page directory table in the CR3 register.
○ When the kernel switches task context (to another
process), a new value of CR3 is loaded to point at
new page tables.
○ The value of CR3 is key to make sense of a physical
memory image.
○ Some imaging tools also capture CR3.
○ CR3 contains a physical address.
● Rekall 'cc' plugin is used to switch contexts.
The Physical Address Space
● Not
continuous
● Memory
Mapped I/O
● Mapped by
Northbridge
Profiles and
Multi OS
Support.
Data Structures
typedef unsigned char uchar;
enum {
OPT1,
OPT2
} options;
struct foobar {
enum options flags;
short int bar;
uchar *foo;
}
It is generally not possible to predict
the memory layout of a C struct
without knowing external factors:
● Alignment
● Endianess
● Bit size (64/32 bit)
● Compiler
● Optimizations etc
Unless packed structs.
Data Structures
typedef unsigned char uchar;
enum {
OPT1,
OPT2
} options;
Debugging symbols contain
the exact layout of all data
structures
struct foobar {
enum options flags;
short int bar;
uchar *foo;
}
What does a Rekall profile look like?
{ "$CONSTANTS": {
"CmNtCSDVersion": 718856,
●
...
"$ENUMS": {
"BUS_QUERY_ID_TYPE": {
●
"0": "BusQueryDeviceID",
"1": "BusQueryHardwareIDs",
...
"$FUNCTIONS": {
"ADD_MAP_REGISTERS": 606670,
...
"$METADATA": {
●
"ProfileClass": "Nt",
"arch": "I386"
...
"$STRUCTS": {
"BATTERY_REPORTING_SCALE": [8, {
"Capacity": [4, ["unsigned long", {}]],
...
File is a JSON data
structure.
Divided into Sections:
○ $CONSTANTS
○ $FUNCTIONS
○ $METADATA
○ $STRUCTS
Usually the profile is
generated from
debugging symbols.
$STRUCT section.
Struct Size
{ "_EPROCESS": [624, {
Member Offset
"AccountingFolded": [548, ["BitField", {
"end_bit": 2,
Member Type
"start_bit": 1,
"target": "unsigned long"
Struct Name
}]],
"ActiveProcessLinks": [160, ["_LIST_ENTRY", {}]],
Arguments to
"ActiveThreads": [376, ["unsigned long", {}]],
the member
"AddressCreationLock": [232, ["_EX_PUSH_LOCK", type.
{}]],
"AddressSpaceInitialized": [552, ["BitField", {
"end_bit": 12,
"start_bit": 10,
"target": "unsigned long"
}]],
"AffinityPermanent": [548, ["BitField", {
"end_bit": 19,
"start_bit": 18,
"target": "unsigned long"...
$CONSTANTS and $FUNCTIONS
"NtAlpcSendWaitReceivePort": 2207436,
"NtAlpcSetInformation": 1805611,
"NtApphelpCacheControl": 2308968,
"NtAreMappedFilesTheSame": 2367400,
"NtAssignProcessToJobObject": 1912487,
"NtBuildGUID": 411132,
"NtBuildLab": 410688,
"NtBuildLabEx": 410912, ...
Constant name
Constant offset (Relative to
the kernel base).
● These addresses come directly from Microsoft
Debugging symbols.
○ Identical to the way the kernel debugger works.
○ No need to scan, guess or otherwise deduce symbol
addresses (Contrast with Volatility).
Rekall Profiles - JSON files
● A profile file is a data structure which
represents all the information needed to
parse OS specific memory.
○ Files are stored in the public profile repository:
■ http://profiles.rekall.googlecode.com/git/
○ Windows Profiles are identified by GUID.
Revision c39b14f8dca9: /nt/GUID
[Project Page]
●
..
●
00625D7D36754CBEBA4533BA9A0F3FE22.gz
●
0100FCDAFD4049B8B06005EC07705A1F2.gz
●
01DDCBD82AEB46BEAFCDC6A409E3B1D31.gz
●
01DF28C698D84DEBB1A74254C3AF800E2.gz
●
03185083233249D9BB747EA777B80C982.gz
●
04FB9A156FF44ECCA6EBCAE9617D8DB73.gz
●
05A6F49C5DD848FF983459421A78F1232.gz
Profiles for nt kernel
are stored here.
Every single kernel
build has a unique
GUID.
Rekall vs. Volatility
● Volatility
○ Contains about 20 embedded windows profiles
(OSX profiles must be downloaded manually).
○ Requires the user to know which profile to select.
○ Windows Profiles do not contain constants - Most
plugins scan/guess offsets of kernel globals.
● Rekall
○ Profile repository contains > 300 profiles, indexed by
GUID.
○ Impractical for user to specify (GUID) - profiles are
usually autoselected.
○ Profiles contain exact offsets of kernel data
Break!!!
Live Memory
Analysis
Analyse Live memory.
1. In order to analyse live memory we need to
tell winpmem to leave the driver in place
after quitting:
winpmem-1.5.5.exe -l
2. Now we can connect to the live memory
device and repeat the process listing.
Running Rekall on Live Memory
Examine the data
1. Pick one of the processes and examine it in
memory using the hexdump module:
2. e.g. dump 0x820238e0
3. Calculate its physical address:
4. e.g vtop 0x820238e0
1. Note that _EPROCESS objects are often
allocated inside large pages.
5. Now dump the physical address from the
physical address space.
1.
dump 0x20238e0, "P"
imageinfo - A quick overview.
win8.1.raw 22:39:56> imageinfo
Fact
When was the image acquired?
Value
-------------------- ----Kernel DTB
0x1a7000
NT Build
9600.winblue_gdr.130913-2141
NT Build Ex
9600.16404.amd64fre.winblue_gdr.130913-2141
Signed Drivers
-
Time (UTC)
2014-01-24 21:20:05+0000
Time (Local)
2014-01-24 21:20:05+0000
Sec Since Boot
764.359375
NtSystemRoot
C:\Windows
Physical address ranges of image
**************** Physical Layout ****************
Physical Start
Physical End
Number of Pages
-------------- -------------- --------------0x000000001000 0x00000009f000 158
0x000000100000 0x000000102000 2
0x000000103000 0x00003fff0000 261869
List following Process listing.
Listing processes - Windows.
$ ./rekall -f ~/images/win7.elf -v
win7.elf 08:33:25> pslist
-----------------> pslist()
Offset (V)
Name
PID
PPID
Thds
Hnds
Sess
Wow64 Start
Exit
-------------- -------------------- ------ ------ ------ -------- ------ ------ ---------------------------------------------INFO:root:Detected kernel base at 0xF8000261F000
DEBUG:root:Listed 41 processes using PsActiveProcessHead
DEBUG:root:Listed 37 processes using CSRSS
DEBUG:root:Listed 41 processes using PspCidTable
DEBUG:root:Listed 39 processes using Sessions
DEBUG:root:Listed 40 processes using Handles
0xfa80008959e0 System
4
0
84
511 ------
False 2012-10-01 21:39:51+0000 -
0xfa80024f85d0 svchost.exe
236
480
19
455
0
False 2012-10-01 14:40:01+0000 -
0xfa8001994310 smss.exe
272
4
2
29 ------
False 2012-10-01 21:39:51+0000 -
Finding hidden processes - psxview
● Combines the output from several plugins
○
○
○
○
○
_EPROCESS list traversal
Pool tag scanning.
CSRSS handles
Thread scanning.
Kernel debugger PspCidTable
● Results are always inconsistent
○ Some processes just do not show up on some
sources.
PSXView
In [5]: psxview
------> psxview()
Offset(P)
Name
PID pslist
psscan
thrdproc pspcdid csrss
---------- -------------------- ------ ------- ------- -------- ------- ------0x01f67500 TaskSwitch.exe
1952 True
True
True
True
True
0x02000980 wmiprvse.exe
4080 True
True
True
False
False
0x02025608 atiptaxx.exe
2040 True
True
True
True
True
0x12cd3020 smss.exe
448 False
True
False
False
False
0x0fe5f8e0 snmp.exe
1424 False
True
False
False
False
528 True
True
True
True
True
2624 True
True
True
True
True
944 True
True
True
True
True
0x01ed76b0 PluckTray.exe
2740 True
True
True
True
True
0x01f48da0 tcpsvcs.exe
1400 True
True
True
True
True
0x01f6db28 msdtc.exe
1076 True
True
True
True
True
580 True
True
True
True
True
1960 False
True
False
False
False
876 True
True
True
True
True
0x01f8eb10 winlogon.exe
0x02079c18 cmd.exe
0x02218020 PluckSvr.exe
0x020e0da0 services.exe
0x1a192a90 Fast.exe
0x01fa8240 Smc.exe
PE Files
PE Executables
● The PE file format is specifically designed to
allow fast and efficient loading of
executables into memory.
○ The structure of executables on disk is similar to
their structure in memory.
○ Imports and Exports are resolved at load time.
PE Overview
http://code.google.com/p/corkami/downloads/detail?name=pe-20110117.pdf
The peinfo plugin
win7.elf 10:17:00> peinfo?
Docstring:
Print information about a PE binary.Dump a PE binary from memory.
Status is shown for each exported function:
- M: The function is mapped into memory.
Link:
http://epydocs.rekall.googlecode.com/git/rekall.plugins.windows.procinfo.PEInfo-class.html
Parameter
Documentation
------------------------------ ---------------------------------------------------------------------output
If specified we write output to this file.
verbosity
Add more output.
executable
If provided we create an address space from this file.
address_space
The address space to use.
image_base
The base of the image.
renderer
Use this renderer for the output.
The peinfo plugin
In [3]: peinfo "nt"
Machine
Can reference the base of the module by using
the module name.
TimeDateStamp
-------------------- ------------Machine
IMAGE_FILE_MACHINE_AMD64
TimeDateStamp
2009-07-13 23:40:48 UTC+0000
Characteristics
IMAGE_FILE_EXECUTABLE_IMAGE, IMAGE_FILE_LARGE_ADDRESS_AWARE
....
Sections (Relative to 0xFFFFF8000261A000):
Perm Name
VMA
Size
---- -------- -------------- -------------xr-
.text
0x000000001000 0x00000019b800
xr-
INITKDBG 0x00000019d000 0x000000003a00
xr-
POOLMI
0x0000001a1000 0x000000001c00
....
Data Directories:
-
VMA
Size
---------------------------------------- -------------- -------------IMAGE_DIRECTORY_ENTRY_EXPORT
0xfffff80002b43000 0x000000010962
IMAGE_DIRECTORY_ENTRY_IMPORT
0xfffff80002bbccec 0x000000000078
IMAGE_DIRECTORY_ENTRY_RESOURCE
0xfffff80002bbe000 0x000000035d34
...
PE Dumping from memory
● Can be done using a bunch of plugins:
○ procdump - Dumps _EPROCESS images using PID.
○ dlldump - Dumps DLLs.
○ pedump - Generic PE dumper that is used by the
other modules.
● Potential problems:
○ Rootkits can easily change the in-memory PE
headers. (e.g. Section description etc).
■ It is possible to corrupt the headers so the tool
blows up - too much data, huge executables.
○ Import Address Table is not patched.
○ Not all sections are fully mapped into memory (e.g. .
Kernel Memory
management.
Window Kernel Memory Allocation
● The windows kernel uses Pools to manage
allocation:
○ Paged pool - can be paged to disk.
○ Non paged - For use by critical components which
must not be paged (e.g. Interrupt level).
● Allocations come from the pool, and are
tagged using a special identifier "Tag":
○ ExAllocatePoolWithTag
○ Tags are used to track memory owners and detect
leaks.
What does a pool allocation look
like?
win8.1.raw 16:14:59> print profile._POOL_HEADER(0xe000023aa890)
[_POOL_HEADER _POOL_HEADER] @ 0xE000023AA890
'Proc' in ascii
Previous block
allocation size
0x00 PoolIndex
[BitField:PoolIndex]: 0x00000000
0x00 PreviousSize
[BitField:PreviousSize]: 0x00000008
0x00 Ulong1
[unsigned long:Ulong1]: 0x02770008
0x02 BlockSize
[BitField:BlockSize]: 0x00000077
0x02 PoolType
[BitField:PoolType]: 0x00000002
0x04 PoolTag
[unsigned long:PoolTag]: 0x636F7250
0x08 AllocatorBackTraceIndex
[unsigned short:AllocatorBackTraceIndex]: 0x00000000
0x08 ProcessBilled
0x0A PoolTagHash
<_EPROCESS Pointer to [0x00000000] (ProcessBilled)>
[unsigned short:PoolTagHash]: 0x00000000
allocation size in pool
blocks (0x20 bytes)
What kinds of pool are they?
win8.1.raw 23:37:38> pools
-------------------> pools()
Type
Index
Size
Start
End
Comment
-------------------- ----- ---------- -------------- -------------- ------PagedPoolSession
0
3216352 0xf90140000000 0xf9213fffffff Session ID 0
PagedPoolSession
0
12489472 0xf90140000000 0xf9213fffffff Session ID 1
PagedPool
0
70872304 0xa80000000000 0xa81fffffffff
PagedPool
1
14192864 0xa80000000000 0xa81fffffffff
PagedPool
2
1539696 0xa80000000000 0xa81fffffffff
PagedPool
3
1635888 0xa80000000000 0xa81fffffffff
PagedPool
4
1718448 0xa80000000000 0xa81fffffffff
NonPagedPoolNx
0
29362464 0xe0000001a000 0xe00077400000 -
The Pool Tracker
win8.1.raw 22:08:03> pool_tracker
Tag
NP Alloc
NP Bytes
P Alloc
P Bytes
---- -------------------- ---------- -------------------- ---------DMV
1 (0)
0
0 (0)
0
8042
6 (4)
4048
12 (0)
0
ACPI
4 (0)
0
0 (0)
0
AFGp
1 (0)
0
0 (0)
0
ALPC
3211 (770)
434240
0 (0)
0
…
Ppin
0 (0)
0
221 (2)
4160
Ppio
10 (0)
0
11718 (0)
0
Pprl
0 (0)
0
3 (0)
0
Ppsu
0 (0)
0
1394 (223)
18512
Prcr
5 (4)
5440
13 (0)
0
Proc
137 (48)
91328
0 (0)
0
PsFn
136 (0)
0
0 (0)
0
PsIn
946 (47)
7040
0 (0)
0
PsPb
135 (0)
0
0 (0)
0
NtFf
62 (0)
0
306 (19)
132224
NtFm
0 (0)
0
2 (2)
16384
NtFs
7 (7)
213664
42682 (2902)
319440
NtFv
5114 (2)
288
112 (0)
0
NtTc
1 (1)
64
0 (0)
0
NtTf
3 (3)
240
0 (0)
0
…
Gives a nice overview
of outstanding
allocations of each type.
For example we know
48 outstanding
_EPROCESS
allocations.
The Windows
Object manager.
Windows Kernel Objects
● The windows Object Manager is responsible
for managing allocation/deallocation of
objects.
○ An object is a managed data structure in the kernel.
○ There are many types of objects - basically anything
we require the kernel to manage is an object.
○ Allocation functions end up delegating to
ObCreateObject()
○ Objects are allocated from specific "Types". The
Types are registered data structures that the kernel
knows about.
ObpObjectTypes Array
win8.1.raw 16:22:44> object_types
-------------------> object_types()
Index
Number Objects PoolType
Name
----- --------------- --------------- ---2
46 NonPagedPoolNx
Type
3
42 PagedPool
Directory
4
167 PagedPool
5
1194 PagedPool
SymbolicLink
Token
6
6 NonPagedPoolNx
Job
7
48 NonPagedPoolNx
8
834 NonPagedPoolNx
9
1 NonPagedPoolNx
UserApcReserve
10
0 NonPagedPoolNx
IoCompletionReserve
11
0 NonPagedPoolNx
DebugObject
12
5669 NonPagedPoolNx
13
279 NonPagedPoolNx
14
21 NonPagedPoolNx
15
1158 NonPagedPoolNx
16
70 NonPagedPoolNx
17
299 NonPagedPoolNx
Process
Thread
Event
Mutant
Callback
Semaphore
Timer
IRTimer
Number of allocated
objects is tracked here.
We know there are 48
outstanding
_EPROCESS objects.
Object Allocation Scheme
http://www.codemachine.com/article_objectheader.html
Number of
optional headers
is encoded in the
Object Header
Pool Header
Optional Header
Optional Header
Object Header
Object (e.g. _EPROCESS,
_FILE_OBJECT etc)
ObCreateObject()
The object tree - Named objects
win8.1.raw 16:36:18> object_tree
-------------------> object_tree()
Offset
Type
Name
-------------- -------------------- -------------------0xe000014afb30 Mutant
PendingRenameMutex
0xc0000000ceb0 Directory
ObjectTypes
0xe000000b7eb0 Type
. TmTm
0xe000000cf640 Type
. Desktop
Named objects exist within well defined
object directory paths.
Here we see some mutants exist in
\Sessions\1\BaseNamedObjects\
...
0xc0000020a600 Directory
Sessions
...
0xc00000e038a0 Directory
. 1
...
0xc000062fb430 Directory
.. BaseNamedObjects
...
0xe00001a744b0 Mutant
... ARC_CommunicationManager_Mutex
0xe0000238b280 Mutant
... _SHuassist.mtx
The object tree - symbolic links
● Often a driver will add a dos symlink so
the device can be accessed from
CreateFile API.
● This also stores the timestamp of creation
of the link - interesting from forensic
perspective.
0xc0000000c6e0
0xc000004c48a0
0xc0000032ea50
0xc000003362f0
0xc00000321830
…
0xc000034b6e00
0xc00000009b30
Directory
SymbolicLink
SymbolicLink
SymbolicLink
SymbolicLink
.
.
.
.
GLOBAL??
D:-> \Device\CdRom0 (2014-01-24 22:07:26+0000)
PhysicalDrive0-> \Device\Harddisk0\DR0 (2014-01-24 22:07:20+0000)
C:-> \Device\HarddiskVolume2 (2014-01-24 22:07:20+0000)
LPT1-> \Device\Parallel0 (2014-01-24 22:07:25+0000)
SymbolicLink
SymbolicLink
. pmem-> \Device\pmem (2014-01-24 21:20:05+0000)
. Global-> \GLOBAL?? (2014-01-24 22:07:19+0000)
Timestamp appears to be UTC during system boot and then
local time later. This might be why the time seems to be back
1 hour here.
Symlink from the GLOBAL?? directory
to the device directory allows CreateFile
("\\.\pmem")
Unloaded modules
Windows keeps a record of recently unloaded
drivers - this is useful sometimes:
win7.dmp 23:01:53> unloaded_modules
INFO:root:Detected kernel base at 0xF80002803000
Name
Start
End
Time
-------------------- -------------- -------------- ---dump_dumpfve.sys
0xf880014a5000 0xf880014b8000 2014-02-21 14:36:35+0000
dump_msahci.sys
0xf8800149a000 0xf880014a5000 2014-02-21 14:36:35+0000
dump_pciidex.sys
0xf8800148e000 0xf8800149a000 2014-02-21 14:36:35+0000
crashdmp.sys
0xf88001480000 0xf8800148e000 2014-02-21 14:36:35+0000
spsys.sys
0xf880038bc000 0xf8800392d000 2014-02-21 14:45:59+0000
pmeD3DF.tmp
0xf88003940000 0xf88003950000 2014-02-21 23:32:11+0000
Pmem driver was unloaded from a temp file name.
Scanning vs. List following
● Scanning:
○
○
○
○
can reveal already freed structures.
But they have no context
Its difficult to say anything definitive about them.
Can be susceptible to manipulations
■ Can modify memory in such a way that scanning
fails.
■ Can plant evidence.
● List Following
○ Much more robust - usually kernel uses the same
lists so its hard to remove objects from them without
destabilizing the kernel.
Break!!!
Kernel Process
memory
management
Process Memory management - The
Vad Tree.
● Windows manages process memory through
2 mechanisms:
○ Ultimately pages are assigned through the page
tables and the PFN database.
○ The Virtual Memory Address Descriptors (VAD)
maintain a high level overview of the pages assigned
to a process.
○ A binary tree in memory of virtual memory assigned
to a process.
○ The kernel uses the VAD tree to manage the page
tables for this process.
The VAD tree: A process-eye view of physical memory - Brendan Dolan-Gavitt digitalinvestigation 4S
(2007) S62–S64
Inspecting the VAD
In [2]: vad pid=4012
------> vad(pid=4012)
Pid: 4012 dd.exe
VAD
lev
start
end
com -
-
Protect
Filename
---------- --- ---------- ---------- ---- ------- ------ -------------------- -------0x81edc7e0
0
0x30
0x12f
3 Private
READWRITE
0x8220fad0
1
0x10
0x10
1 Private
READWRITE
0x81ff0398
2
0x20
0x20
1 Private
READWRITE
0x820ee328
1
0x400
0x40d
2 Mapped
0x82068e78
2
0x140
0x23f
12 Private
0x81f1b548
3
0x130
0x132
0 Mapped
READONLY
0x81f338b0
3
0x250
0x25f
0 Mapped
READWRITE
0x81ffa408
4
0x240
0x24f
6 Private
READWRITE
0x81eef6d8
6
0x2c0
0x300
0 Mapped
READONLY
\WINDOWS\system32\sortkey.nls
0xff94a1d0
6
0x330
0x332
0 Mapped
READONLY
\WINDOWS\system32\ctype.nls
0x8220e848
7
0x320
0x32f
8 Private
READWRITE
0x8136f140
10
0x37f
0x37f
0 Mapped
READONLY
0x82216830
2
0x7c900
0x7c9af
5 Mapped
Exe
EXECUTE_WRITECOPY
\WINDOWS\system32\ntdll.dll
0x820c9308
3
0x7c800
0x7c8f3
5 Mapped
Exe
EXECUTE_WRITECOPY
\WINDOWS\system32\kernel32.dll
0x81f16390
4
0x10000
0x10005
2 Mapped
Exe
EXECUTE_WRITECOPY
\dd\UnicodeRelease\getopt.dll
Exe
EXECUTE_WRITECOPY
\dd\UnicodeRelease\dd.exe
READWRITE
Mapped DLLs are
shared between
processes.
Using the vad to double check
loaded dlls.
● As we mentioned previously there are 3 lists
of loaded dlls in the Peb:
○ In loaded order.
○ In Init order.
○ In Memory order.
● Malware can easily unlink a module from
these lists, but its harder to manipulate the
VAD.
○ Peb data structures are accessible from userspace.
○ VAD data structures only accessible from kernel
space.
How can we get an
executable area
without being in the
module lists and not
having file mapping?
The ldrmodules plugin.
$ rekall -f malwarecookbook/stuxnet.vmem ldrmodules --pid 680
Pid
Process
Base
InLoad InInit InMem MappedPath
-------- -------------------- ---------- ------ ------ ----- ---------1928
lsass.exe
0x00080000
False
False False -
1928
lsass.exe
0x7c900000
True
True
True
\WINDOWS\system32\ntdll.dll
1928
lsass.exe
0x77c00000
True
True
True
\WINDOWS\system32\version.dll
1928
lsass.exe
0x01000000
True
False True
-
1928
lsass.exe
0x5b860000
True
True
True
\WINDOWS\system32\netapi32.dll
1928
lsass.exe
0x76bf0000
True
True
True
\WINDOWS\system32\psapi.dll
1928
lsass.exe
0x77c10000
True
True
True
\WINDOWS\system32\msvcrt.dll
1928
lsass.exe
0x77dd0000
True
True
True
\WINDOWS\system32\advapi32.dll
1928
lsass.exe
0x7c9c0000
True
True
True
\WINDOWS\system32\shell32.dll
1928
lsass.exe
0x00870000
True
True
True
-
1928
lsass.exe
0x76f20000
True
True
True
\WINDOWS\system32\dnsapi.dll
1928
lsass.exe
0x5d090000
True
True
True
\WINDOWS\system32\comctl32.dll
1928
lsass.exe
0x71aa0000
True
True
True
\WINDOWS\system32\ws2help.dll
1928
lsass.exe
0x77b20000
True
True
True
\WINDOWS\system32\msasn1.dll
The windows
registry.
Registry Dumping
● The windows registry is a central location for
configuration data.
○ A rich source of evidence in a digital investigation.
○ There are many tools that can analyse registry files.
● The registry is cached in memory
○ Registry data is stored in hives.
○ Hives are divided into HBins.
○ HBins are cached in memory.
● Rekall has a full registry parser and a bunch
of modules to deal with registry.
Forensic Analysis of the Windows Registry in Memory. - Brendan Dolan-Gavitt. DFRWS 2008
Registry in Memory
_CMHIVE: System
_CMHIVE: Software
Linked list
Hive.Storage.Map[].Directory[].Table[].BlockAddress
HBIN
HBIN
HBIN
Not resident
Structure is very similar to a page table
which refers to HBINS. If a HBIN is not
frequently used it will be paged out (i.e.
not memory resident). When a program
attempts to read a key which is
contained in this HBIN - the HBIN will
be paged into memory.
Registry pointers are 32 bit (Even on 64
bit OS).
Registry in Memory
win8.1.raw 22:36:20> hives
Offset
Name
-------------- ---0xc00000014000
@ 0xc00000014000
0xc00000028000 \REGISTRY\MACHINE\SYSTEM @ 0xc00000028000
0xc0000004a000 \REGISTRY\MACHINE\HARDWARE @ 0xc0000004a000
0xc00000d15000 \Device\HarddiskVolume1\Boot\BCD @ 0xc00000d15000
0xc00000cac000 \SystemRoot\System32\Config\SOFTWARE @ 0xc00000cac000
0xc0000630b000 \SystemRoot\System32\Config\DEFAULT @ 0xc0000630b000
0xc00000f81000 \SystemRoot\System32\Config\SECURITY @ 0xc00000f81000
0xc00000fad000 \SystemRoot\System32\Config\SAM @ 0xc00000fad000
0xc00001021000 \??\C:\Windows\ServiceProfiles\NetworkService\NTUSER.DAT @ 0xc00001021000
0xc000010d6000 \SystemRoot\System32\Config\BBI @ 0xc000010d6000
0xc0000120e000 \??\C:\Windows\ServiceProfiles\LocalService\NTUSER.DAT @ 0xc0000120e000
0xc00001e6f000 \??\C:\Windows\AppCompat\Programs\Amcache.hve @ 0xc00001e6f000
0xc0000193f000 \??\C:\Users\test\ntuser.dat @ 0xc0000193f000
0xc000022d7000 \??\C:\Users\test\AppData\Local\Microsoft\Windows\UsrClass.dat @
0xc000022d7000
Printing Keys from memory
win8.1.raw 22:38:20> printkey key=r"ControlSet001/services/pmem"
Legend: (S) = Stable
(V) = Volatile
--------------{00000000-0000-0000-0000-000000000000}/ControlSet001/Services/pmem
Registry: \REGISTRY\MACHINE\SYSTEM @ 0xc00000028000
Key name: pmem (S) @ 0XFFFFC000004BDCA4
Last updated: 2014-01-24 21:20:05+0000
Where was the
driver loaded
from?
Subkeys:
Values:
0XFFFFC000004BDA3C REG_DWORD
Type
: (S) 1
0XFFFFC000004BDA5C REG_DWORD
Start
: (S) 3
0XFFFFC000004BDCFC REG_DWORD
ErrorControl
: (S) 1
0XFFFFC000004BDD24 REG_EXPAND_SZ ImagePath
\Users\test\AppData\Local\Temp\pmeA86F.tmp
: (S) \??\C:
0XFFFFC000004BDDCC REG_SZ
DisplayName
: (S) pmem
0XFFFFC000004BDDF4 REG_DWORD
WOW64
: (S) 1
When was this
service installed?
Registry analysis from memory.
● There are some excellent forensic tools for
registry analysis:
○ Regripper
○ Registry Decoder
○ Encase/FTK and other commercial tools
● But these tools typically only work with
registry files...
○ So we need to dump out the registry into files.
Dumping out the registry
In [11]: regdump?
regdump: Dump all registry hives into a dump directory.
Parameter
Documentation
------------------------------ ----------------------------------------------------hive_offset
A list of hive offsets as found by hivelist (virtual
address). If not provided we call hivescan ourselves
and dump all hives found.
dump_dir
Directory in which to dump hive files.
In [12]: regdump dump_dir="/tmp/"
**************************************************
Dumping \Device\HarddiskVolume1\WINDOWS\system32\config\system @ 0xe1035b60 into
"/tmp/system @ 0xe1035b60"
Dumped 5312512 bytes
**************************************************
Dumping \Device\HarddiskVolume1\Documents and Settings\Sarah\Local Settings\Application
Data\Microsoft\Windows\UsrClass.dat @ 0xe1ecd008 into "/tmp/UsrClass_dat @ 0xe1ecd008"
Dumped 8192 bytes
System Users - Analyse the SAM
win8.1.raw 23:43:33> users
…
**************************************************
Password Hash
Key CsiTool-CreateHive-{00000000-0000-0000-0000-000000000000}/SAM/Domains/Account/Users/000003E9
UserName
test
Comment
NTHash
0300010078c8adefecd752853dbdba811f870751
LanHash
03000100
FullName
Type
Default Admin User
AccountExpiration
-
LoginCount
3
FailedLoginCount
0
Flags
Normal user account, Password does not expire, Password not required
PasswordFailedTime
-
LastLoginTime
2014-01-24 21:08:48+0000
Rid
1001
PwdResetDate
2014-01-20 21:47:06+0000
**************************************************
Last Login time
The RID is used
to resolve SID to
users.
Who launches this process?
The tokens plugin.
win8.1.raw 23:49:31> tokens
INFO:root:Detected kernel base at 0xF802D3019000
Process
Pid
Sid
Comment
---------------- ----- -------------------------------------------------- ------System
4
S-1-5-18
Local System
System
4
S-1-5-32-544
Administrators
System
4
S-1-1-0
Everyone
System
4
S-1-5-11
Authenticated Users
System
4
S-1-16-16384
System Mandatory Level
smss.exe
292
S-1-5-18
Local System
smss.exe
292
S-1-5-32-544
Administrators
winpmem_1.5.2.
2628
S-1-5-21-1077689984-2177008626-1601812314-1001
User: test
winpmem_1.5.2.
2628
S-1-5-21-1077689984-2177008626-1601812314-513
Domain Users
winpmem_1.5.2.
2628
S-1-1-0
Everyone
…
The SAM is used
to resolve the
SIDs here.
Handles plugin - Our own open files.
We have the driver
opened.
This is a history
file of ipython
commands!
Timers
● Hiding a process is kind of hard to do well.
● Many malware have a need to periodically
do stuff (e.g. C&C).
○ System has the ability to launch tasks at specified
times or intervals: The _KTIMER facility.
○ A malicious kernel driver may register a timer
callback and get called periodically.
win8.1.raw 12:04:33> timers
Offset
DueTime(H)
-------------- --------------------------------------0xe00001a58708 0x0000000001f0df8a92
+ 0x8480
0xf802d32ecd00 0x0000000001c789ad30
CcScanDpc
0xf802d32bcce0 0x0000010c0d9d767529
ExpNextYearDpcRoutine
0xf802d32ac920 0x0000000001e478b3c5
CmpLazyFlushDpcRoutine
0xf80002146660 0x0000000001f3302411
0x3C44
0xf8000072e320 0x00000000c877502ee7
+ 0x23230
0xf800024cbb28 0x0000000001fdfb093c
0x1550
0xe0000127ff40 0x0000000002f06baf46
0x2394
_KTIMER offset
DueTime
Period(ms)
------------------------- ----------
Module
2014-01-24 21:33:58+0000
1000
2014-01-24 21:32:49+0000
0
- 0xf802d311b194 nt!
2015-01-01 00:12:44+0000
0
- 0xf802d32467b4 nt!
2014-01-24 21:33:38+0000
0
- 0xf802d3116abc nt!
2014-01-24 21:34:02+0000
43348
Yes 0xf80002140c44 bowser +
2014-01-25 21:15:04+0000
0
- 0xf80000719230 storport
2014-01-24 21:34:20+0000
28348
Yes 0xf800024af550 tunnel +
2014-01-24 21:41:07+0000
0
Name of callback address
●
Signaled
Routine
-------- --------------
Yes 0xf80000298480 wdf01000
- 0xf80000b31394 volsnap +
Due to go off
Rekall resolves all addresses to a standard name notation:
○
nt!ExpNextYearDpcRoutine -> The function name inside the nt module (kernel).
■ Common for modules with symbols to know exact function names.
○
wdf01000 + 0x8480 -> No function name known but it is 0x8480 bytes from the start of
the wdf01000 module (but still within it).
■ This is common for modules without symbols.
The windows GUI Subsystem
● Once upon a time, Windows was a single
user, 16 bit operating system:
○ All GUI applications used a global shared area to
pass messages to each other and render to the
screen (GDI).
○ Then GDI stuff moved into kernel. Now there is a
global shared area between kernel and userspace.
When the GDI component
moved into the kernel, the
win32k shared area was
directly mapped into the
address space of all
processes.
Address
2 Space 1
Pros:
No context switch
overhead for kernel system
calls in manipulating GUI
structures.
Kernel
Space
Cons:
Shatter attacks - no
process separation!
Trivial to inject code into
another process's address
space.
win32k
Shared
area
Application 1
Application 2
GUI Applications directly
read/write shared data
structures.
Attempt 1 to fix it:
Introduce windows stations
to contain different
processes.
Windows Station
0 - Interactive
Address
2 Space 1
Application 1
Run services in non
interactive windows station
and enforce separation
through GUI ACLs.
Theoretically non
interactive desktop can not
receive GUI messages from
interactive desktop.
There is still the problem of
the shared address space
thing though :-(
Doesn't really work.
Kernel
Space
win32k
Shared
area
Application 2
Windows Station
1 - Non
Interactive
Attempt 2 to fix it:
Introduce sessions to
contain different processes.
Sessions are a collection of
processes belonging to the
same "logon event" (e.g.
Terminal Services logon).
Each session has a unique
memory layout, but within
the same session all
processes still map the
session address space as
before.
This means a session is a
security boundary. Run
services and privileged
processes in Session 0 and
let the user login to session
1.
Address
2 Space 1
Application 1
Kernel
Space
win32k
Session
Shared
Space
area
Application 2
Session 0 application sees
one version of
session space.
Session 1 application sees
a different version
of session space.
PS: Windows 8 introduces process
containers which allow further
separation within the same logon
session.
win8.1.raw 17:30:57> sessions
**************************************************
Session(V): d0002214f000 ID: 0 Processes: 31
PagedPoolStart: f90140000000 PagedPoolEnd f9213fffffff
Process: 380 csrss.exe 2014-01-24 22:07:32+0000 @ 0xe00001be1280
Process: 432 wininit.exe 2014-01-24 22:07:32+0000 @ 0xe000000ce080
Process: 528 services.exe 2014-01-24 22:07:34+0000 @ 0xe00001d3c080
Process: 536 lsass.exe 2014-01-24 22:07:34+0000 @ 0xe00001d2a080
Process: 588 svchost.exe 2014-01-24 22:07:37+0000 @ 0xe00001dc4080
Process: 628 svchost.exe 2014-01-24 22:07:37+0000 @ 0xe00001dea500
...
Process: 2924 AM_Delta.exe 2014-01-24 21:19:30+0000 @ 0xe00000815900
Process: 2276 MpSigStub.exe 2014-01-24 21:19:30+0000 @ 0xe000008cd900
Image: 0xe000014ea0d0, Address 0xf96000151003, Name: win32k.sys
Image: 0xe00001ccccf0, Address 0xf960006ea003, Name: TSDDD.dll
**************************************************
Session(V): d00023ff7000 ID: 1 Processes: 14
PagedPoolStart: f90140000000 PagedPoolEnd f9213fffffff
Process: 440 csrss.exe 2014-01-24 22:07:32+0000 @ 0xe000000d9280
Process: 468 winlogon.exe 2014-01-24 22:07:33+0000 @ 0xe000000f4080
...
Process: 2628 winpmem_1.5.2. 2014-01-24 21:20:04+0000 @ 0xe0000204a900
Process: 3368 wermgr.exe 2014-01-24 21:20:56+0000 @ 0xe00000735900
Image: 0xe00001addd90, Address 0xf96000151003, Name: win32k.sys
Image: 0xe00001ce08a0, Address 0xf96000841003, Name: cdd.dll
Session pool is unique to each
session (But mapped at the
same address).
Session 0 is where services are
running.
Same driver is mapped in
both sessions at the same
address but the data is
different.
Session 1 is where first user
logs in.
Antiforensics
How memory imaging works?
● Most tools call
MmGetPhysicalMemoryRanges
● Lets get Rekall to disassemble this function
for us - so we can understand it.
○ You can use command line completion to save
typing and discover the exact name of the function.
win7.elf 12:02:43> dis "nt!MmGetPhysicalMemoryRanges"
Address
Rel Op Codes
Instruction
Comment
-------------- ---- -------------------- ------------------------------ ------------ nt!MmGetPhysicalMemoryRanges -----0xf80002a8dd20
0 488bc4
MOV RAX, RSP
0xf80002a8dd23
3 48895808
MOV [RAX+0x8], RBX
…
0xf80002a8dd5c
3C 418bfc
MOV EDI, R12D
0xf80002a8dd5f
3F eb2a
JMP 0xf80002a8dd8b
nt!
MmGetPhysicalMemoryRanges + 0x6B
0xf80002a8dd61
41 66ff8bc6010000
DEC WORD [RBX+0x1c6]
0xf80002a8dd68
48 33c0
XOR EAX, EAX
0xf80002a8dd6a
4A f04c0fb13d15f6dcff
LOCK CMPXCHG [RIP-0x2309eb], R15 0x0 nt!
MmDynamicMemoryLock
0xf80002a8dd73
53 740c
JZ 0xf80002a8dd81
nt!
MmGetPhysicalMemoryRanges + 0x61
0xf80002a8dd75
55 488d0d0cf6dcff
LEA RCX, [RIP-0x2309f4]
0x0 nt!
MmDynamicMemoryLock
0xf80002a8dd7c
5C e84f97beff
CALL 0xf800026774d0
nt!
ExfAcquirePushLockShared
0xf80002a8dd81
61 808b5104000020
OR BYTE [RBX+0x451], 0x20
0xf80002a8dd88
68 418bfd
MOV EDI, R13D
0xf80002a8dd8b
6B 488b05a692e3ff
MOV RAX, [RIP-0x1c6d5a]
0xFFFFFA800087CFD0 nt!MmPhysicalMemoryBlock
0xf80002a8dd92
72 33c9
XOR ECX, ECX
win7.elf 12:11:09> dump "nt!MmPhysicalMemoryBlock"
-----------------> dump("nt!MmPhysicalMemoryBlock")
Offset
Hex
-------------- -----------------------------------------------0xf800028c7038 d0 cf 87 00 80 fa ff ff 01 00 01 00 fe 3d 09 a1
0xf800028c7048 e0 8d 91 00 80 fa ff ff 40 4b 89 00 80 fa ff ff
0xf800028c7058 00 00 00 00 01 00 00 00 8e ca 02 00 00 00 00 00
0xf800028c7068 00 00 00 00 40 00 00 00 04 00 00 00 00 00 00 00
Data
---------------.............=..
........@K......
................
....@...........
win7.elf 12:10:56> dump "*nt!MmPhysicalMemoryBlock"
-----------------> dump("*nt!MmPhysicalMemoryBlock")
Offset
Hex
-------------- -----------------------------------------------0xfa800087cfd0 02 00 00 00 00 00 00 00 8e ca 02 00 00 00 00 00
0xfa800087cfe0 01 00 00 00 00 00 00 00 9e 00 00 00 00 00 00 00
0xfa800087cff0 00 01 00 00 00 00 00 00 f0 c9 02 00 00 00 00 00
0xfa800087d000 fe ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
0xfa800087d010 ff ff ff 7f 00 00 00 00 00 00 00 00 00 00 00 00
Data
Comment
---------------- ------................
................
................
................
................
Comment
------nt!MmPhysicalMemoryBlock + 0
nt!IoFileObjectType + 0
nt!MmTrackLockedPages + 0
nt!HvlEnlightenments + 0
win7.elf 12:15:14> print session.profile._PHYSICAL_MEMORY_DESCRIPTOR(0xfa800087cfd0)
[_PHYSICAL_MEMORY_DESCRIPTOR _PHYSICAL_MEMORY_DESCRIPTOR] @ 0xFA800087CFD0
0x00 NumberOfRuns
[unsigned long:NumberOfRuns]: 0x00000002
0x08 NumberOfPages [unsigned long long:NumberOfPages]: 0x0002CA8E
0x10 Run
<Array 2 x _PHYSICAL_MEMORY_RUN @ 0xFA800087CFE0>
win7.elf 12:11:36> phys_map
-----------------> phys_map()
Physical Start Physical End
-------------- -------------0x000000001000 0x00000009f000
0x000000100000 0x00002caf0000
Number of Pages
--------------158
182768
How to break Memory Forensics by
changing one byte.
1. Unload the memory driver, and reload it with
the -w switch. This will enable write mode:
winpmem-1.5.5-write.exe -w -l
2. Open two windows an evil one and a regular
one.
3. Now we are ready to be evil.
win7.elf 12:16:57> a = session.profile.
_PHYSICAL_MEMORY_DESCRIPTOR(0xfa800087cfd0)
win7.elf 12:16:57> a.NumberOfRuns = 0
Challenge: Change the name of a
process.
1. Start Notepad.exe.
2. Press ctrl-alt-delete and bring up the task
manager.
3. Your task is to change the name of notepad.
exe to foobar.exe in the task manager.
Challenge: Change the name of a
process.
There are several places where the process
name exists (check the source for pstree).
● task.SeAuditProcessCreationInfo.ImageFileName =
●
●
"foobar.exe"
task.Peb.ProcessParameters.CommandLine = "foobar.
exe"
task.ImageFileName = "foobar.exe"
Scripting Rekall
1. This exercise is about learning how to script
the interface.
2. We will practice with DKOM - hide a
process.
3. Open up notepad and write the following
program:
def unlink(list_entry):
"Given a list entry - unlink it from the list."
next = list_entry.Flink.dereference()
prev = list_entry.Blink.dereference()
prev.Flink = next.obj_offset
next.Blink = prev.obj_offset
Running script from within the shell
Type run -i myscript.py
This will run the script within the Rekall shell
namespace - this makes the new function
available.
● Experiment by hiding the notepad process.
Conclusions
● Memory forensics is an exciting science!
● Like all forensics its easy to manipulate
when you know how.
DFRWS EU 2014
9th
May
Appendix
What if the Rekall repository does
not have my profile?
● Determine the exact kernel release in your
image:
$ rekall -f win8.1.raw version_scan --name_regex krnl
Offset (P)
GUID/Version
PDB
-------------- -------------------------------- ------------0x000001c33ff0 FD3D00D28EDC4527BB922BCC0509D2851 ntkrnlmp.pdb
0x0000056b1eac 43BFE6AC987243F59695235D5BD69A7F1 ntoskrnl.pdb
0x000023f294a1 1EDDFBD3D6A04821A97C1399C11C31B41 ntoskrnl.pdb
0x00003b8df534 61A9236096164FB399ACBD2A806322011 dxgkrnl.pdb
● Download the PDB file from Microsoft:
$ rekall fetch_pdb -D . --guid FD3D00D28EDC4527BB922BCC0509D2851 --filename ntkrnlmp.pdb
Trying to fetch http://msdl.microsoft.com/download/symbols/ntkrnlmp.
pdb/FD3D00D28EDC4527BB922BCC0509D2851/ntkrnlmp.pd_
Received 1086189 bytes
Extracting cabinet: ntkrnlmp.pd_
extracting ntkrnlmp.pdb
All done, no errors.
● Generate a Rekall profile from the MS PDB
file:
$ rekall parse_pdb --filename ntkrnlmp.pdb
--output ./FD3D00D28EDC4527BB922BCC0509D2851.json
Exporting 64: <unnamed-4998>
● Use the new profile directly (Instead of using
the repository):
$ rekall -f ~/test_data/win8.1/win8.1.raw --profile ./FD3D00D28EDC4527BB922BCC0509D2851.json
---------------------------------------------------------------------------The Rekall Memory Forensic framework 1.0rc7.
"We can remember it for you wholesale!"
This program is free software; you can redistribute it and/or modify it under
the terms of the GNU General Public License.
Type 'help' to get started.
---------------------------------------------------------------------------win8.1.raw 21:35:21>
● Please also consider sharing the GUID with
us. Then we can add it to the public profile
repository and save a couple of minutes for
the next guy
Linux profile
Generation
Demo
Examine the kernel modules
1. Use the modules command to see all the
loaded kernel modules.
2. Can you see anything suspicious?
3. Dump the suspicious module out. What can
you say about it?
4. What kinds of IRPs does the module
handle?
5. Can you guess what it does? disassemble
its handlers.
The Page Frame
Database
The Page Frame Number (PFN)
database (Windows).
● The operating system maintains a database
about the allocation status of every physical
page in the system.
○ Since the page tables exist in the physical address
space, but the OS can only reference the Virtual
Address space, there must be a way to quickly
access the PTEs that control a particular physical
page.
○ The hardware can only do the forward mapping
(Virtual to Physical).
○ Hence the operating system needs to keep track of
Paging in 32 bit model.
Virtual Address
Page Directory Index
CR3
Page Table Index
Byte Index
Directory Table Base (DTB)
Page Frame
PTN
PTE
Page Directory
PFN DB Maps
PFN to PTE
Page Tables
Physical Memory
The PFN Database
● An array of _MMPFN structs, one for every
page of physical memory.
○ The PFN database start is referenced by the symbol
MmPfnDatabase.
○ To get the PFN of a physical address we just divide
by 0x1000 (i.e. its the page number).
○ Index the array of _MMPFN structs (aka the PFN
database) to read the PFN record.
● The PFN record contains important
information about the physical page.
○ In use/Valid/Paged
○ Virtual Address of the PTE which controls this page.
Physical to Virtual mapping
● Can use the PFN database to map from
physical address to virtual address.
○ Find the Virtual PTE address for the physical
address. (e.g. 0xF6FC40018718)
○ Find the PteFrame (This is the physical address for
the PTE). (e.g. 0x00019A18)
○ PTE Physical address is then 0x00019A18718.
○ Because there is a virtual mapping to the PTE itself,
we can repeat the process to find the PTE
controlling this PTE (i.e. the PDE).
■ Use the PFN database to locate the PDE,
PDPDTE, PML4E and DTB, in turn.
Example
In [36]: vtop 0xf880030e3000
-------> vtop(0xf880030e3000)
Virtual 0xF880030E3000, Page Directory 0x00187000
pml4e@ 0x00187F88 = 0x2E004863
pdpte@ 0x2E004000 = 0x2E003863
pde@ 0x2E0030C0 = 0x19A18863
pte@ 0x19A18718 = 0x30E48963
PTE mapped@ 0x19A18718 = 0x30E48000
Physical Address
In [37]: ptov 0x30E48000
-------> ptov(0x30E48000)
Physical Address 0x0000000030E48000 => Virtual Address 0x0000F880030E3000
DTB @ 0x0000000000187000
PML4E @ 0x0000000000187F88
DTB for this page is
found.
PDPDE @ 0x000000002E004000
PDE @ 0x000000002E0030C0
PTE @ 0x0000000019A18718
PFN DB is used to
connect all the levels.
In [35]: pfn 0x30E48
-------> pfn(0x30E48)
PFN 0x00030E48 at kernel address 0x0000FA800092AD80
flink
00000000
blink / share count 0000000000000001
pteaddress (VAS) 0x0000F6FC40018718
reference count 0001
color 0
containing page
0x00019A18
Modified
(Phys AS) 0x0000000019A18718
ActiveAndValid
M
Finding hidden processes using PFN
● Every process has its own address space.
○ Hence every process has its own DTB.
○ Perform the physical to virtual mapping of all the
physical pages, and find all the DTBs.
○ Compare to the DTBs of known processes.
● This is actually very hard for a rootkit to hide.
Finding hidden processes using PFN
$ python vol.py -f ~/images/win7_trial_64bit.dmp --profile=Win7SP0x64 dtbscan
DTB
_EPROCESS
Image Name
-------------- -------------- ---------0x000000187000 0xfa800096a9e0 System
0x00001f915000 0xfa8001d4b630 svchost.exe
0x0000209de000 0xfa8000bbdb30
�&�.exe
0x00001b2c8000 0xfa8001ea5b30 spoolsv.exe
0x0000211a4000 0xfa8001dbfb30 svchost.exe
0x00002ceb9000 0xfa8000a2d060 svchost.exe
0x00002178b000 0xfa8001db5b30 svchost.exe
0x000022e75000 0xfa8000bbd060 conhost.exe
0x000022192000 0xfa8001d03ac0 lsm.exe
0x000019295000 0xfa80020bfb30 sppsvc.exe
0x00001d3a2000 0xfa8001fd9890 svchost.exe
0x00002573b000 0xfa8001974630 winlogon.exe
-0x00000001000 -------------- Process not Found!
0x000021533000 0xfa8001e905b0 svchost.exe
0x00001d5c7000 0xfa8001dd7800 explorer.exe
.....
Some other fun plugins
● Start up internet explorer and navigate to a
site.
● Use the sockets and connections plugins to
observe these connections.
○ Which process connects to these sites?
● On windows 7 the
netstat module does a
similar thing.
Services and drivers
1. Run the svcscan plugin - what suspicious
service can you spot? Why is it suspicious?
2. Use the driverirp scanner to examine this
driver. What do you think it does?
3. Disassemble the write handler.
While examining the driverirp output can you
see a driver which hooks other drivers? Why do
you think it does this?
Consoles plugins
● Shows the history buffer of the command
shell host process.
● cmdscan and console.
● Scary mirror looking.
References
●
●
●
●
●
●
●
●
●
●
http://mista.nu/research/smashing_the_atom.pdf
http://codemachine.com/article_objectheader.html
http://blogs.msdn.com/b/ntdebugging/archive/2012/01/31/identifying-global-atom-table-leaks.
aspx
http://mnin.blogspot.de/2011/10/aint-nuthin-but-ktimer-thing-baby.html
http://mnin.blogspot.de/2011/10/zeroaccess-volatility-and-kernel-timers.html
http://uninformed.org/index.cgi?v=8&a=5&p=10
https://code.google.com/p/rekall/
https://code.google.com/p/volatility/
http://volatility-labs.blogspot.com/
http://rekall-forensic.blogspot.com/
