Successfully reported this slideshow.
We use your LinkedIn profile and activity data to personalize ads and to show you more relevant ads. You can change your ad preferences anytime.

Dfrws eu 2014 rekall workshop

2,442 views

Published on

Published in: Data & Analytics, Technology
  • Be the first to comment

Dfrws eu 2014 rekall workshop

  1. 1. Forensic Memory Analysis We can remember it for you wholesale! Michael Cohen Johannes Stuettgen
  2. 2. Introduction ● Why memory forensics? ● What can Rekall do for me? ● Symbols and debugging information. ○ How does Rekall support multiple operating systems and versions? ● Memory imaging ○ Linux. ○ Windows. http://bit.ly/DFRWS_2014_Rekall_Workshop short (http://goo.gl/eLljm7)
  3. 3. Memory Forensics - Why? ● Live response. ○ Can quickly triage a system. ● Capture of memory freezes system state. ○ As memory is volatile we can minimize interference with memory. ○ Analysis does not use the system APIs. ● Memory analysis technology evolves with time. ○ We used to only have grep :-) ○ NIST reference image: xp-laptop-2005-06-25.img: ■ Registry dump ■ Passwords ■ Screenshots
  4. 4. Popular open source tools ● Two popular open source tools: ○ Volatility - Current release 2.3.1 - supports XP-Win7, OSX, and Linux. ■ Supports many Windows versions out of the box with embedded profiles ● approx 20 different profiles WinXPSP2x86, Win7SP1x64 ○ Rekall - A fork (rewrite) of Volatility from 2013. ■ Vastly different design philosophy: ● Profiles are not distributed with the tool - they are hosted on a public profile repository - Fetched on demand. ● Approximately 100 different windows kernel versions from WinXP to Win8.1 for x86 and amd64 architectures. ● Profiles also contain exact symbol addresses for specific
  5. 5. The Rekall Memory Forensics Framework. ● Project page: http://rekall-forensic.com/ ○ Supports OSX, Linux, Windows XP to Win8.1. ● We will be mainly using Rekall. ○ We will explain differences in the two tools throughout.
  6. 6. Installing Rekall
  7. 7. Installing Rekall for windows ● Binary Windows Installer: http://downloads.rekall.googlecode. com/git/Rekall/binaries/ ● For Linux and OSX: pip install rekall ● From Source: git clone https://code.google.com/p/rekall/ cd rekall python setup.py install
  8. 8. Rekall interfaces ● Command line ○ Simple one shot execution. ● Text Console ○ Interactive ipython console. ● Notebook ○ Interactive web based document system. ● Web Console ○ A new web console we implemented from scratch with Rekall specific UI.
  9. 9. Command line interface ● Single shot set and forget: rekall --verbose -f myimage.dd pslist --pid 2014 ● Valid plugin names depend on the profile. ● Help is different depending which part it is: rekall --help rekall -f myimage.dd --help rekall -f myimage.dd pslist --help Shows options specific to pslist Global options Plugin name Plugin Options Shows Global options Shows Global options and plugins relevant to this image.
  10. 10. Console interface When not providing a plugin drops into an interactive session. ● Can run plugins and python code interactively. ● Interactive console is much more efficient for real analysis due to use of caching. ● Can get help and command line completion.
  11. 11. Rekall interactive interface
  12. 12. Notebook interface ● Based around the ipython notebook. ○ ● Can mix Rekall plugins, Python code and formatted Markdown text.
  13. 13. Rekall Notebook interface
  14. 14. Webconsole interface ● Custom webinterface to Rekall ○ ○ starts up on ● Similar capabilities as the Notebook ○ More tailored to Rekall ○ Work in progress
  15. 15. Rekall Webconsole interface
  16. 16. Lets do forensics!
  17. 17. Imaging and Acquisition
  18. 18. Part 1: Imaging ● Before we can analyse memory we need to take an image of it. ● The imaging tool inserts a kernel driver which provides access to the physical memory. ○ On 64 bit systems the driver must be signed. ● We can choose the format the image will be written in. ○ ELF Core format is more efficient since it is sparse. ○ Image can be converted later to windows Crashdump which can be loaded by windbg.
  19. 19. Run Rekall as admin on Windows 8
  20. 20. We can call Winpmem from Rekall
  21. 21. Linux Memory Acquisition ● Compile pmem module on target and load it ○ ● Use LMAP if you can’t compile on target ○ ● Create Profile for target kernel ○
  22. 22. Virtual Memory and Paging
  23. 23. Virtual Memory and Paging ● How does virtual memory work? ● Why are images padded, what's the difference in formats? ● We can see a string in the image - where does it come from? ● Why do I get a 2gb file when I dump out a single process address space?
  24. 24. Virtual Memory and Paging. Paged out Backed Mem Shared Memory Backed Mem Page File Physical Memory Process A Virtual Memory Process B Virtual Memory Overcommited VirtualAddress PhysicalAddress FramesPages
  25. 25. Virtual Memory and Paging. ● Paging allows different processes to have their own unique view of physical memory: ○ Physical memory can be shared between processes ○ Physical memory can be assigned to a specific process's use without being accessible from other processes. ○ Processes can request memory to be mapped into their virtual address space which is not yet backed by physical memory (overcommitted). ○ A process’s memory can be paged out to disk. ○ A process may map a file into its address space - the kernel will automatically read from the file when
  26. 26. Paging in 32 bit model. Page Directory Index Page Table Index Byte Index Page Directory Page Tables Physical Memory CR3 PTN PTE Page Frame Directory Table Base (DTB) Virtual Address
  27. 27. The CR3 register. ● Paging is done automatically by the MMU in hardware. ○ All the CPU has to do is store the address of the current Page directory table in the CR3 register. ○ When the kernel switches task context (to another process), a new value of CR3 is loaded to point at new page tables. ○ The value of CR3 is key to make sense of a physical memory image. ○ Some imaging tools also capture CR3. ○ CR3 contains a physical address. ● Rekall 'cc' plugin is used to switch contexts.
  28. 28. The Physical Address Space ● Not continuous ● Memory Mapped I/O ● Mapped by Northbridge
  29. 29. Profiles and Multi OS Support.
  30. 30. Data Structures typedef unsigned char uchar; enum { OPT1, OPT2 } options; struct foobar { enum options flags; short int bar; uchar *foo; } It is generally not possible to predict the memory layout of a C struct without knowing external factors: ● Alignment ● Endianess ● Bit size (64/32 bit) ● Compiler ● Optimizations etc Unless packed structs.
  31. 31. Data Structures typedef unsigned char uchar; enum { OPT1, OPT2 } options; struct foobar { enum options flags; short int bar; uchar *foo; } Debugging symbols contain the exact layout of all data structures
  32. 32. What does a Rekall profile look like? { "$CONSTANTS": { "CmNtCSDVersion": 718856, ... "$ENUMS": { "BUS_QUERY_ID_TYPE": { "0": "BusQueryDeviceID", "1": "BusQueryHardwareIDs", ... "$FUNCTIONS": { "ADD_MAP_REGISTERS": 606670, ... "$METADATA": { "ProfileClass": "Nt", "arch": "I386" ... "$STRUCTS": { "BATTERY_REPORTING_SCALE": [8, { "Capacity": [4, ["unsigned long", {}]], ... ● File is a JSON data structure. ● Divided into Sections: ○ $CONSTANTS ○ $FUNCTIONS ○ $METADATA ○ $STRUCTS ● Usually the profile is generated from debugging symbols.
  33. 33. $STRUCT section. { "_EPROCESS": [624, { "AccountingFolded": [548, ["BitField", { "end_bit": 2, "start_bit": 1, "target": "unsigned long" }]], "ActiveProcessLinks": [160, ["_LIST_ENTRY", {}]], "ActiveThreads": [376, ["unsigned long", {}]], "AddressCreationLock": [232, ["_EX_PUSH_LOCK", {}]], "AddressSpaceInitialized": [552, ["BitField", { "end_bit": 12, "start_bit": 10, "target": "unsigned long" }]], "AffinityPermanent": [548, ["BitField", { "end_bit": 19, "start_bit": 18, "target": "unsigned long"... Struct Size Struct Name Member Offset Member Type Arguments to the member type.
  34. 34. $CONSTANTS and $FUNCTIONS "NtAlpcSendWaitReceivePort": 2207436, "NtAlpcSetInformation": 1805611, "NtApphelpCacheControl": 2308968, "NtAreMappedFilesTheSame": 2367400, "NtAssignProcessToJobObject": 1912487, "NtBuildGUID": 411132, "NtBuildLab": 410688, "NtBuildLabEx": 410912, ... ● These addresses come directly from Microsoft Debugging symbols. ○ Identical to the way the kernel debugger works. ○ No need to scan, guess or otherwise deduce symbol addresses (Contrast with Volatility). Constant name Constant offset (Relative to the kernel base).
  35. 35. Rekall Profiles - JSON files ● A profile file is a data structure which represents all the information needed to parse OS specific memory. ○ Files are stored in the public profile repository: ■ http://profiles.rekall.googlecode.com/git/ ○ Windows Profiles are identified by GUID. Revision c39b14f8dca9: /nt/GUID [Project Page] ● .. ● 00625D7D36754CBEBA4533BA9A0F3FE22.gz ● 0100FCDAFD4049B8B06005EC07705A1F2.gz ● 01DDCBD82AEB46BEAFCDC6A409E3B1D31.gz ● 01DF28C698D84DEBB1A74254C3AF800E2.gz ● 03185083233249D9BB747EA777B80C982.gz ● 04FB9A156FF44ECCA6EBCAE9617D8DB73.gz ● 05A6F49C5DD848FF983459421A78F1232.gz Profiles for nt kernel are stored here. Every single kernel build has a unique GUID.
  36. 36. Rekall vs. Volatility ● Volatility ○ Contains about 20 embedded windows profiles (OSX profiles must be downloaded manually). ○ Requires the user to know which profile to select. ○ Windows Profiles do not contain constants - Most plugins scan/guess offsets of kernel globals. ● Rekall ○ Profile repository contains > 300 profiles, indexed by GUID. ○ Impractical for user to specify (GUID) - profiles are usually autoselected. ○ Profiles contain exact offsets of kernel data
  37. 37. Break!!!
  38. 38. Live Memory Analysis
  39. 39. Analyse Live memory. 1. In order to analyse live memory we need to tell winpmem to leave the driver in place after quitting: winpmem-1.5.5.exe -l 2. Now we can connect to the live memory device and repeat the process listing.
  40. 40. Running Rekall on Live Memory
  41. 41. Examine the data 1. Pick one of the processes and examine it in memory using the hexdump module: 2. e.g. dump 0x820238e0 3. Calculate its physical address: 4. e.g vtop 0x820238e0 1. Note that _EPROCESS objects are often allocated inside large pages. 5. Now dump the physical address from the physical address space. 1. dump 0x20238e0, "P"
  42. 42. imageinfo - A quick overview. win8.1.raw 22:39:56> imageinfo Fact Value -------------------- ----- Kernel DTB 0x1a7000 NT Build 9600.winblue_gdr.130913-2141 NT Build Ex 9600.16404.amd64fre.winblue_gdr.130913-2141 Signed Drivers - Time (UTC) 2014-01-24 21:20:05+0000 Time (Local) 2014-01-24 21:20:05+0000 Sec Since Boot 764.359375 NtSystemRoot C:Windows **************** Physical Layout **************** Physical Start Physical End Number of Pages -------------- -------------- --------------- 0x000000001000 0x00000009f000 158 0x000000100000 0x000000102000 2 0x000000103000 0x00003fff0000 261869 When was the image acquired? Physical address ranges of image
  43. 43. List following - Process listing.
  44. 44. Listing processes - Windows. $ ./rekall -f ~/images/win7.elf -v win7.elf 08:33:25> pslist -----------------> pslist() Offset (V) Name PID PPID Thds Hnds Sess Wow64 Start Exit -------------- -------------------- ------ ------ ------ -------- ------ ------ ------------------------ ---------------------- -- INFO:root:Detected kernel base at 0xF8000261F000 DEBUG:root:Listed 41 processes using PsActiveProcessHead DEBUG:root:Listed 37 processes using CSRSS DEBUG:root:Listed 41 processes using PspCidTable DEBUG:root:Listed 39 processes using Sessions DEBUG:root:Listed 40 processes using Handles 0xfa80008959e0 System 4 0 84 511 ------ False 2012-10-01 21:39:51+0000 - 0xfa80024f85d0 svchost.exe 236 480 19 455 0 False 2012-10-01 14:40:01+0000 - 0xfa8001994310 smss.exe 272 4 2 29 ------ False 2012-10-01 21:39:51+0000 -
  45. 45. Finding hidden processes - psxview ● Combines the output from several plugins ○ _EPROCESS list traversal ○ Pool tag scanning. ○ CSRSS handles ○ Thread scanning. ○ Kernel debugger PspCidTable ● Results are always inconsistent ○ Some processes just do not show up on some sources.
  46. 46. PSXView In [5]: psxview ------> psxview() Offset(P) Name PID pslist psscan thrdproc pspcdid csrss ---------- -------------------- ------ ------- ------- -------- ------- ------- 0x01f67500 TaskSwitch.exe 1952 True True True True True 0x02000980 wmiprvse.exe 4080 True True True False False 0x02025608 atiptaxx.exe 2040 True True True True True 0x12cd3020 smss.exe 448 False True False False False 0x0fe5f8e0 snmp.exe 1424 False True False False False 0x01f8eb10 winlogon.exe 528 True True True True True 0x02079c18 cmd.exe 2624 True True True True True 0x02218020 PluckSvr.exe 944 True True True True True 0x01ed76b0 PluckTray.exe 2740 True True True True True 0x01f48da0 tcpsvcs.exe 1400 True True True True True 0x01f6db28 msdtc.exe 1076 True True True True True 0x020e0da0 services.exe 580 True True True True True 0x1a192a90 Fast.exe 1960 False True False False False 0x01fa8240 Smc.exe 876 True True True True True
  47. 47. PE Files
  48. 48. PE Executables ● The PE file format is specifically designed to allow fast and efficient loading of executables into memory. ○ The structure of executables on disk is similar to their structure in memory. ○ Imports and Exports are resolved at load time.
  49. 49. PE Overview http://code.google.com/p/corkami/downloads/detail?name=pe-20110117.pdf
  50. 50. The peinfo plugin win7.elf 10:17:00> peinfo? Docstring: Print information about a PE binary.Dump a PE binary from memory. Status is shown for each exported function: - M: The function is mapped into memory. Link: http://epydocs.rekall.googlecode.com/git/rekall.plugins.windows.procinfo.PEInfo-class.html Parameter Documentation ------------------------------ ---------------------------------------------------------------------- output If specified we write output to this file. verbosity Add more output. executable If provided we create an address space from this file. address_space The address space to use. image_base The base of the image. renderer Use this renderer for the output.
  51. 51. The peinfo plugin In [3]: peinfo "nt" Machine TimeDateStamp -------------------- ------------- Machine IMAGE_FILE_MACHINE_AMD64 TimeDateStamp 2009-07-13 23:40:48 UTC+0000 Characteristics IMAGE_FILE_EXECUTABLE_IMAGE, IMAGE_FILE_LARGE_ADDRESS_AWARE .... Sections (Relative to 0xFFFFF8000261A000): Perm Name VMA Size ---- -------- -------------- -------------- xr- .text 0x000000001000 0x00000019b800 xr- INITKDBG 0x00000019d000 0x000000003a00 xr- POOLMI 0x0000001a1000 0x000000001c00 .... Data Directories: - VMA Size ---------------------------------------- -------------- -------------- IMAGE_DIRECTORY_ENTRY_EXPORT 0xfffff80002b43000 0x000000010962 IMAGE_DIRECTORY_ENTRY_IMPORT 0xfffff80002bbccec 0x000000000078 IMAGE_DIRECTORY_ENTRY_RESOURCE 0xfffff80002bbe000 0x000000035d34 ... Can reference the base of the module by using the module name.
  52. 52. PE Dumping from memory ● Can be done using a bunch of plugins: ○ procdump - Dumps _EPROCESS images using PID. ○ dlldump - Dumps DLLs. ○ pedump - Generic PE dumper that is used by the other modules. ● Potential problems: ○ Rootkits can easily change the in-memory PE headers. (e.g. Section description etc). ■ It is possible to corrupt the headers so the tool blows up - too much data, huge executables. ○ Import Address Table is not patched. ○ Not all sections are fully mapped into memory (e.g. .
  53. 53. Kernel Memory management.
  54. 54. Window Kernel Memory Allocation ● The windows kernel uses Pools to manage allocation: ○ Paged pool - can be paged to disk. ○ Non paged - For use by critical components which must not be paged (e.g. Interrupt level). ● Allocations come from the pool, and are tagged using a special identifier "Tag": ○ ExAllocatePoolWithTag ○ Tags are used to track memory owners and detect leaks.
  55. 55. What does a pool allocation look like? win8.1.raw 16:14:59> print profile._POOL_HEADER(0xe000023aa890) [_POOL_HEADER _POOL_HEADER] @ 0xE000023AA890 0x00 PoolIndex [BitField:PoolIndex]: 0x00000000 0x00 PreviousSize [BitField:PreviousSize]: 0x00000008 0x00 Ulong1 [unsigned long:Ulong1]: 0x02770008 0x02 BlockSize [BitField:BlockSize]: 0x00000077 0x02 PoolType [BitField:PoolType]: 0x00000002 0x04 PoolTag [unsigned long:PoolTag]: 0x636F7250 0x08 AllocatorBackTraceIndex [unsigned short:AllocatorBackTraceIndex]: 0x00000000 0x08 ProcessBilled <_EPROCESS Pointer to [0x00000000] (ProcessBilled)> 0x0A PoolTagHash [unsigned short:PoolTagHash]: 0x00000000 'Proc' in ascii allocation size in pool blocks (0x20 bytes) Previous block allocation size
  56. 56. What kinds of pool are they? win8.1.raw 23:37:38> pools -------------------> pools() Type Index Size Start End Comment -------------------- ----- ---------- -------------- -------------- ------- PagedPoolSession 0 3216352 0xf90140000000 0xf9213fffffff Session ID 0 PagedPoolSession 0 12489472 0xf90140000000 0xf9213fffffff Session ID 1 PagedPool 0 70872304 0xa80000000000 0xa81fffffffff PagedPool 1 14192864 0xa80000000000 0xa81fffffffff PagedPool 2 1539696 0xa80000000000 0xa81fffffffff PagedPool 3 1635888 0xa80000000000 0xa81fffffffff PagedPool 4 1718448 0xa80000000000 0xa81fffffffff NonPagedPoolNx 0 29362464 0xe0000001a000 0xe00077400000 -
  57. 57. The Pool Tracker win8.1.raw 22:08:03> pool_tracker Tag NP Alloc NP Bytes P Alloc P Bytes ---- -------------------- ---------- -------------------- ---------- DMV 1 (0) 0 0 (0) 0 8042 6 (4) 4048 12 (0) 0 ACPI 4 (0) 0 0 (0) 0 AFGp 1 (0) 0 0 (0) 0 ALPC 3211 (770) 434240 0 (0) 0 … Ppin 0 (0) 0 221 (2) 4160 Ppio 10 (0) 0 11718 (0) 0 Pprl 0 (0) 0 3 (0) 0 Ppsu 0 (0) 0 1394 (223) 18512 Prcr 5 (4) 5440 13 (0) 0 Proc 137 (48) 91328 0 (0) 0 PsFn 136 (0) 0 0 (0) 0 PsIn 946 (47) 7040 0 (0) 0 PsPb 135 (0) 0 0 (0) 0 … NtFf 62 (0) 0 306 (19) 132224 NtFm 0 (0) 0 2 (2) 16384 NtFs 7 (7) 213664 42682 (2902) 319440 NtFv 5114 (2) 288 112 (0) 0 NtTc 1 (1) 64 0 (0) 0 NtTf 3 (3) 240 0 (0) 0 Gives a nice overview of outstanding allocations of each type. For example we know 48 outstanding _EPROCESS allocations.
  58. 58. The Windows Object manager.
  59. 59. ● The windows Object Manager is responsible for managing allocation/deallocation of objects. ○ An object is a managed data structure in the kernel. ○ There are many types of objects - basically anything we require the kernel to manage is an object. ○ Allocation functions end up delegating to ObCreateObject() ○ Objects are allocated from specific "Types". The Types are registered data structures that the kernel knows about. Windows Kernel Objects
  60. 60. ObpObjectTypes Array win8.1.raw 16:22:44> object_types -------------------> object_types() Index Number Objects PoolType Name ----- --------------- --------------- ---- 2 46 NonPagedPoolNx Type 3 42 PagedPool Directory 4 167 PagedPool SymbolicLink 5 1194 PagedPool Token 6 6 NonPagedPoolNx Job 7 48 NonPagedPoolNx Process 8 834 NonPagedPoolNx Thread 9 1 NonPagedPoolNx UserApcReserve 10 0 NonPagedPoolNx IoCompletionReserve 11 0 NonPagedPoolNx DebugObject 12 5669 NonPagedPoolNx Event 13 279 NonPagedPoolNx Mutant 14 21 NonPagedPoolNx Callback 15 1158 NonPagedPoolNx Semaphore 16 70 NonPagedPoolNx Timer 17 299 NonPagedPoolNx IRTimer Number of allocated objects is tracked here. We know there are 48 outstanding _EPROCESS objects.
  61. 61. Object Allocation Scheme http://www.codemachine.com/article_objectheader.html Pool Header Optional Header Optional Header Object Header Object (e.g. _EPROCESS, _FILE_OBJECT etc) ObCreateObject() Number of optional headers is encoded in the Object Header
  62. 62. The object tree - Named objects win8.1.raw 16:36:18> object_tree -------------------> object_tree() Offset Type Name -------------- -------------------- -------------------- 0xe000014afb30 Mutant PendingRenameMutex 0xc0000000ceb0 Directory ObjectTypes 0xe000000b7eb0 Type . TmTm 0xe000000cf640 Type . Desktop ... 0xc0000020a600 Directory Sessions ... 0xc00000e038a0 Directory . 1 ... 0xc000062fb430 Directory .. BaseNamedObjects ... 0xe00001a744b0 Mutant ... ARC_CommunicationManager_Mutex 0xe0000238b280 Mutant ... _SHuassist.mtx Named objects exist within well defined object directory paths. Here we see some mutants exist in Sessions1BaseNamedObjects
  63. 63. The object tree - symbolic links ● Often a driver will add a dos symlink so the device can be accessed from CreateFile API. ● This also stores the timestamp of creation of the link - interesting from forensic perspective.
  64. 64. 0xc0000000c6e0 Directory GLOBAL?? 0xc000004c48a0 SymbolicLink . D:-> DeviceCdRom0 (2014-01-24 22:07:26+0000) 0xc0000032ea50 SymbolicLink . PhysicalDrive0-> DeviceHarddisk0DR0 (2014-01-24 22:07:20+0000) 0xc000003362f0 SymbolicLink . C:-> DeviceHarddiskVolume2 (2014-01-24 22:07:20+0000) 0xc00000321830 SymbolicLink . LPT1-> DeviceParallel0 (2014-01-24 22:07:25+0000) … 0xc000034b6e00 SymbolicLink . pmem-> Devicepmem (2014-01-24 21:20:05+0000) 0xc00000009b30 SymbolicLink . Global-> GLOBAL?? (2014-01-24 22:07:19+0000) Symlink from the GLOBAL?? directory to the device directory allows CreateFile (".pmem") Timestamp appears to be UTC during system boot and then local time later. This might be why the time seems to be back 1 hour here.
  65. 65. Unloaded modules Windows keeps a record of recently unloaded drivers - this is useful sometimes: win7.dmp 23:01:53> unloaded_modules INFO:root:Detected kernel base at 0xF80002803000 Name Start End Time -------------------- -------------- -------------- ---- dump_dumpfve.sys 0xf880014a5000 0xf880014b8000 2014-02-21 14:36:35+0000 dump_msahci.sys 0xf8800149a000 0xf880014a5000 2014-02-21 14:36:35+0000 dump_pciidex.sys 0xf8800148e000 0xf8800149a000 2014-02-21 14:36:35+0000 crashdmp.sys 0xf88001480000 0xf8800148e000 2014-02-21 14:36:35+0000 spsys.sys 0xf880038bc000 0xf8800392d000 2014-02-21 14:45:59+0000 pmeD3DF.tmp 0xf88003940000 0xf88003950000 2014-02-21 23:32:11+0000 Pmem driver was unloaded from a temp file name.
  66. 66. Scanning vs. List following ● Scanning: ○ can reveal already freed structures. ○ But they have no context ○ Its difficult to say anything definitive about them. ○ Can be susceptible to manipulations ■ Can modify memory in such a way that scanning fails. ■ Can plant evidence. ● List Following ○ Much more robust - usually kernel uses the same lists so its hard to remove objects from them without destabilizing the kernel.
  67. 67. Break!!!
  68. 68. Kernel Process memory management
  69. 69. Process Memory management - The Vad Tree. ● Windows manages process memory through 2 mechanisms: ○ Ultimately pages are assigned through the page tables and the PFN database. ○ The Virtual Memory Address Descriptors (VAD) maintain a high level overview of the pages assigned to a process. ○ A binary tree in memory of virtual memory assigned to a process. ○ The kernel uses the VAD tree to manage the page tables for this process.
  70. 70. The VAD tree: A process-eye view of physical memory - Brendan Dolan-Gavitt digitalinvestigation 4S (2007) S62–S64
  71. 71. Inspecting the VAD In [2]: vad pid=4012 ------> vad(pid=4012) Pid: 4012 dd.exe VAD lev start end com - - Protect Filename ---------- --- ---------- ---------- ---- ------- ------ -------------------- -------- 0x81edc7e0 0 0x30 0x12f 3 Private READWRITE 0x8220fad0 1 0x10 0x10 1 Private READWRITE 0x81ff0398 2 0x20 0x20 1 Private READWRITE 0x820ee328 1 0x400 0x40d 2 Mapped Exe EXECUTE_WRITECOPY ddUnicodeReleasedd.exe 0x82068e78 2 0x140 0x23f 12 Private READWRITE 0x81f1b548 3 0x130 0x132 0 Mapped READONLY 0x81f338b0 3 0x250 0x25f 0 Mapped READWRITE 0x81ffa408 4 0x240 0x24f 6 Private READWRITE 0x81eef6d8 6 0x2c0 0x300 0 Mapped READONLY WINDOWSsystem32sortkey.nls 0xff94a1d0 6 0x330 0x332 0 Mapped READONLY WINDOWSsystem32ctype.nls 0x8220e848 7 0x320 0x32f 8 Private READWRITE 0x8136f140 10 0x37f 0x37f 0 Mapped READONLY 0x82216830 2 0x7c900 0x7c9af 5 Mapped Exe EXECUTE_WRITECOPY WINDOWSsystem32ntdll.dll 0x820c9308 3 0x7c800 0x7c8f3 5 Mapped Exe EXECUTE_WRITECOPY WINDOWSsystem32kernel32.dll 0x81f16390 4 0x10000 0x10005 2 Mapped Exe EXECUTE_WRITECOPY ddUnicodeReleasegetopt.dll Mapped DLLs are shared between processes.
  72. 72. Using the vad to double check loaded dlls. ● As we mentioned previously there are 3 lists of loaded dlls in the Peb: ○ In loaded order. ○ In Init order. ○ In Memory order. ● Malware can easily unlink a module from these lists, but its harder to manipulate the VAD. ○ Peb data structures are accessible from userspace. ○ VAD data structures only accessible from kernel space.
  73. 73. The ldrmodules plugin. $ rekall -f malwarecookbook/stuxnet.vmem ldrmodules --pid 680 Pid Process Base InLoad InInit InMem MappedPath -------- -------------------- ---------- ------ ------ ----- ---------- 1928 lsass.exe 0x00080000 False False False - 1928 lsass.exe 0x7c900000 True True True WINDOWSsystem32ntdll.dll 1928 lsass.exe 0x77c00000 True True True WINDOWSsystem32version.dll 1928 lsass.exe 0x01000000 True False True - 1928 lsass.exe 0x5b860000 True True True WINDOWSsystem32netapi32.dll 1928 lsass.exe 0x76bf0000 True True True WINDOWSsystem32psapi.dll 1928 lsass.exe 0x77c10000 True True True WINDOWSsystem32msvcrt.dll 1928 lsass.exe 0x77dd0000 True True True WINDOWSsystem32advapi32.dll 1928 lsass.exe 0x7c9c0000 True True True WINDOWSsystem32shell32.dll 1928 lsass.exe 0x00870000 True True True - 1928 lsass.exe 0x76f20000 True True True WINDOWSsystem32dnsapi.dll 1928 lsass.exe 0x5d090000 True True True WINDOWSsystem32comctl32.dll 1928 lsass.exe 0x71aa0000 True True True WINDOWSsystem32ws2help.dll 1928 lsass.exe 0x77b20000 True True True WINDOWSsystem32msasn1.dll How can we get an executable area without being in the module lists and not having file mapping?
  74. 74. The windows registry.
  75. 75. Registry Dumping ● The windows registry is a central location for configuration data. ○ A rich source of evidence in a digital investigation. ○ There are many tools that can analyse registry files. ● The registry is cached in memory ○ Registry data is stored in hives. ○ Hives are divided into HBins. ○ HBins are cached in memory. ● Rekall has a full registry parser and a bunch of modules to deal with registry. Forensic Analysis of the Windows Registry in Memory. - Brendan Dolan-Gavitt. DFRWS 2008
  76. 76. Registry in Memory _CMHIVE: System _CMHIVE: Software Linked list HBIN HBIN HBIN Not resident Hive.Storage.Map[].Directory[].Table[].BlockAddress Structure is very similar to a page table which refers to HBINS. If a HBIN is not frequently used it will be paged out (i.e. not memory resident). When a program attempts to read a key which is contained in this HBIN - the HBIN will be paged into memory. Registry pointers are 32 bit (Even on 64 bit OS).
  77. 77. Registry in Memory win8.1.raw 22:36:20> hives Offset Name -------------- ---- 0xc00000014000 @ 0xc00000014000 0xc00000028000 REGISTRYMACHINESYSTEM @ 0xc00000028000 0xc0000004a000 REGISTRYMACHINEHARDWARE @ 0xc0000004a000 0xc00000d15000 DeviceHarddiskVolume1BootBCD @ 0xc00000d15000 0xc00000cac000 SystemRootSystem32ConfigSOFTWARE @ 0xc00000cac000 0xc0000630b000 SystemRootSystem32ConfigDEFAULT @ 0xc0000630b000 0xc00000f81000 SystemRootSystem32ConfigSECURITY @ 0xc00000f81000 0xc00000fad000 SystemRootSystem32ConfigSAM @ 0xc00000fad000 0xc00001021000 ??C:WindowsServiceProfilesNetworkServiceNTUSER.DAT @ 0xc00001021000 0xc000010d6000 SystemRootSystem32ConfigBBI @ 0xc000010d6000 0xc0000120e000 ??C:WindowsServiceProfilesLocalServiceNTUSER.DAT @ 0xc0000120e000 0xc00001e6f000 ??C:WindowsAppCompatProgramsAmcache.hve @ 0xc00001e6f000 0xc0000193f000 ??C:Userstestntuser.dat @ 0xc0000193f000 0xc000022d7000 ??C:UserstestAppDataLocalMicrosoftWindowsUsrClass.dat @ 0xc000022d7000
  78. 78. Printing Keys from memory win8.1.raw 22:38:20> printkey key=r"ControlSet001/services/pmem" Legend: (S) = Stable (V) = Volatile --------------{00000000-0000-0000-0000-000000000000}/ControlSet001/Services/pmem Registry: REGISTRYMACHINESYSTEM @ 0xc00000028000 Key name: pmem (S) @ 0XFFFFC000004BDCA4 Last updated: 2014-01-24 21:20:05+0000 Subkeys: Values: 0XFFFFC000004BDA3C REG_DWORD Type : (S) 1 0XFFFFC000004BDA5C REG_DWORD Start : (S) 3 0XFFFFC000004BDCFC REG_DWORD ErrorControl : (S) 1 0XFFFFC000004BDD24 REG_EXPAND_SZ ImagePath : (S) ??C: UserstestAppDataLocalTemppmeA86F.tmp 0XFFFFC000004BDDCC REG_SZ DisplayName : (S) pmem 0XFFFFC000004BDDF4 REG_DWORD WOW64 : (S) 1 When was this service installed? Where was the driver loaded from?
  79. 79. Registry analysis from memory. ● There are some excellent forensic tools for registry analysis: ○ Regripper ○ Registry Decoder ○ Encase/FTK and other commercial tools ● But these tools typically only work with registry files... ○ So we need to dump out the registry into files.
  80. 80. Dumping out the registry In [11]: regdump? regdump: Dump all registry hives into a dump directory. Parameter Documentation ------------------------------ ----------------------------------------------------- hive_offset A list of hive offsets as found by hivelist (virtual address). If not provided we call hivescan ourselves and dump all hives found. dump_dir Directory in which to dump hive files. In [12]: regdump dump_dir="/tmp/" ************************************************** Dumping DeviceHarddiskVolume1WINDOWSsystem32configsystem @ 0xe1035b60 into "/tmp/system @ 0xe1035b60" Dumped 5312512 bytes ************************************************** Dumping DeviceHarddiskVolume1Documents and SettingsSarahLocal SettingsApplication DataMicrosoftWindowsUsrClass.dat @ 0xe1ecd008 into "/tmp/UsrClass_dat @ 0xe1ecd008" Dumped 8192 bytes
  81. 81. System Users - Analyse the SAM win8.1.raw 23:43:33> users … ************************************************** Key CsiTool-CreateHive-{00000000-0000-0000-0000-000000000000}/SAM/Domains/Account/Users/000003E9 UserName test Comment NTHash 0300010078c8adefecd752853dbdba811f870751 LanHash 03000100 FullName Type Default Admin User AccountExpiration - LoginCount 3 FailedLoginCount 0 Flags Normal user account, Password does not expire, Password not required PasswordFailedTime - LastLoginTime 2014-01-24 21:08:48+0000 Rid 1001 PwdResetDate 2014-01-20 21:47:06+0000 ************************************************** Password Hash Last Login time The RID is used to resolve SID to users.
  82. 82. Who launches this process? The tokens plugin. win8.1.raw 23:49:31> tokens INFO:root:Detected kernel base at 0xF802D3019000 Process Pid Sid Comment ---------------- ----- -------------------------------------------------- ------- System 4 S-1-5-18 Local System System 4 S-1-5-32-544 Administrators System 4 S-1-1-0 Everyone System 4 S-1-5-11 Authenticated Users System 4 S-1-16-16384 System Mandatory Level smss.exe 292 S-1-5-18 Local System smss.exe 292 S-1-5-32-544 Administrators … winpmem_1.5.2. 2628 S-1-5-21-1077689984-2177008626-1601812314-1001 User: test winpmem_1.5.2. 2628 S-1-5-21-1077689984-2177008626-1601812314-513 Domain Users winpmem_1.5.2. 2628 S-1-1-0 Everyone The SAM is used to resolve the SIDs here.
  83. 83. Handles plugin - Our own open files. We have the driver opened. This is a history file of ipython commands!
  84. 84. Timers ● Hiding a process is kind of hard to do well. ● Many malware have a need to periodically do stuff (e.g. C&C). ○ System has the ability to launch tasks at specified times or intervals: The _KTIMER facility. ○ A malicious kernel driver may register a timer callback and get called periodically.
  85. 85. win8.1.raw 12:04:33> timers Offset DueTime(H) DueTime Period(ms) Signaled Routine Module -------------- -------------------- ------------------------- ---------- -------- -------------- -------------------- 0xe00001a58708 0x0000000001f0df8a92 2014-01-24 21:33:58+0000 1000 Yes 0xf80000298480 wdf01000 + 0x8480 0xf802d32ecd00 0x0000000001c789ad30 2014-01-24 21:32:49+0000 0 - 0xf802d311b194 nt! CcScanDpc 0xf802d32bcce0 0x0000010c0d9d767529 2015-01-01 00:12:44+0000 0 - 0xf802d32467b4 nt! ExpNextYearDpcRoutine 0xf802d32ac920 0x0000000001e478b3c5 2014-01-24 21:33:38+0000 0 - 0xf802d3116abc nt! CmpLazyFlushDpcRoutine 0xf80002146660 0x0000000001f3302411 2014-01-24 21:34:02+0000 43348 Yes 0xf80002140c44 bowser + 0x3C44 0xf8000072e320 0x00000000c877502ee7 2014-01-25 21:15:04+0000 0 - 0xf80000719230 storport + 0x23230 0xf800024cbb28 0x0000000001fdfb093c 2014-01-24 21:34:20+0000 28348 Yes 0xf800024af550 tunnel + 0x1550 0xe0000127ff40 0x0000000002f06baf46 2014-01-24 21:41:07+0000 0 - 0xf80000b31394 volsnap + 0x2394 _KTIMER offset Due to go offName of callback address ● Rekall resolves all addresses to a standard name notation: ○ nt!ExpNextYearDpcRoutine -> The function name inside the nt module (kernel). ■ Common for modules with symbols to know exact function names. ○ wdf01000 + 0x8480 -> No function name known but it is 0x8480 bytes from the start of the wdf01000 module (but still within it). ■ This is common for modules without symbols.
  86. 86. The windows GUI Subsystem ● Once upon a time, Windows was a single user, 16 bit operating system: ○ All GUI applications used a global shared area to pass messages to each other and render to the screen (GDI). ○ Then GDI stuff moved into kernel. Now there is a global shared area between kernel and userspace.
  87. 87. Application 1 Application 2 Kernel Space 2 Address Space 1 win32k Shared area GUI Applications directly read/write shared data structures. When the GDI component moved into the kernel, the win32k shared area was directly mapped into the address space of all processes. Pros: No context switch overhead for kernel system calls in manipulating GUI structures. Cons: Shatter attacks - no process separation! Trivial to inject code into another process's address space.
  88. 88. Application 1 Application 2 Kernel Space 2 Address Space 1 win32k Shared area Attempt 1 to fix it: Introduce windows stations to contain different processes. Run services in non interactive windows station and enforce separation through GUI ACLs. Theoretically non interactive desktop can not receive GUI messages from interactive desktop. There is still the problem of the shared address space thing though :-( Doesn't really work. Windows Station 1 - Non Interactive Windows Station 0 - Interactive
  89. 89. Application 1 Application 2 Kernel Space 2 Address Space 1 win32k Shared area Attempt 2 to fix it: Introduce sessions to contain different processes. Sessions are a collection of processes belonging to the same "logon event" (e.g. Terminal Services logon). Each session has a unique memory layout, but within the same session all processes still map the session address space as before. This means a session is a security boundary. Run services and privileged processes in Session 0 and let the user login to session 1. Session 1 - application sees a different version of session space. Session 0 - application sees one version of session space. Session Space PS: Windows 8 introduces process containers which allow further separation within the same logon session.
  90. 90. win8.1.raw 17:30:57> sessions ************************************************** Session(V): d0002214f000 ID: 0 Processes: 31 PagedPoolStart: f90140000000 PagedPoolEnd f9213fffffff Process: 380 csrss.exe 2014-01-24 22:07:32+0000 @ 0xe00001be1280 Process: 432 wininit.exe 2014-01-24 22:07:32+0000 @ 0xe000000ce080 Process: 528 services.exe 2014-01-24 22:07:34+0000 @ 0xe00001d3c080 Process: 536 lsass.exe 2014-01-24 22:07:34+0000 @ 0xe00001d2a080 Process: 588 svchost.exe 2014-01-24 22:07:37+0000 @ 0xe00001dc4080 Process: 628 svchost.exe 2014-01-24 22:07:37+0000 @ 0xe00001dea500 ... Process: 2924 AM_Delta.exe 2014-01-24 21:19:30+0000 @ 0xe00000815900 Process: 2276 MpSigStub.exe 2014-01-24 21:19:30+0000 @ 0xe000008cd900 Image: 0xe000014ea0d0, Address 0xf96000151003, Name: win32k.sys Image: 0xe00001ccccf0, Address 0xf960006ea003, Name: TSDDD.dll ************************************************** Session(V): d00023ff7000 ID: 1 Processes: 14 PagedPoolStart: f90140000000 PagedPoolEnd f9213fffffff Process: 440 csrss.exe 2014-01-24 22:07:32+0000 @ 0xe000000d9280 Process: 468 winlogon.exe 2014-01-24 22:07:33+0000 @ 0xe000000f4080 ... Process: 2628 winpmem_1.5.2. 2014-01-24 21:20:04+0000 @ 0xe0000204a900 Process: 3368 wermgr.exe 2014-01-24 21:20:56+0000 @ 0xe00000735900 Image: 0xe00001addd90, Address 0xf96000151003, Name: win32k.sys Image: 0xe00001ce08a0, Address 0xf96000841003, Name: cdd.dll Session 0 is where services are running. Session 1 is where first user logs in. Same driver is mapped in both sessions at the same address but the data is different. Session pool is unique to each session (But mapped at the same address).
  91. 91. Anti- forensics
  92. 92. How memory imaging works? ● Most tools call MmGetPhysicalMemoryRanges ● Lets get Rekall to disassemble this function for us - so we can understand it. ○ You can use command line completion to save typing and discover the exact name of the function.
  93. 93. win7.elf 12:02:43> dis "nt!MmGetPhysicalMemoryRanges" Address Rel Op Codes Instruction Comment -------------- ---- -------------------- ------------------------------ ------- ------ nt!MmGetPhysicalMemoryRanges ------ 0xf80002a8dd20 0 488bc4 MOV RAX, RSP 0xf80002a8dd23 3 48895808 MOV [RAX+0x8], RBX … 0xf80002a8dd5c 3C 418bfc MOV EDI, R12D 0xf80002a8dd5f 3F eb2a JMP 0xf80002a8dd8b nt! MmGetPhysicalMemoryRanges + 0x6B 0xf80002a8dd61 41 66ff8bc6010000 DEC WORD [RBX+0x1c6] 0xf80002a8dd68 48 33c0 XOR EAX, EAX 0xf80002a8dd6a 4A f04c0fb13d15f6dcff LOCK CMPXCHG [RIP-0x2309eb], R15 0x0 nt! MmDynamicMemoryLock 0xf80002a8dd73 53 740c JZ 0xf80002a8dd81 nt! MmGetPhysicalMemoryRanges + 0x61 0xf80002a8dd75 55 488d0d0cf6dcff LEA RCX, [RIP-0x2309f4] 0x0 nt! MmDynamicMemoryLock 0xf80002a8dd7c 5C e84f97beff CALL 0xf800026774d0 nt! ExfAcquirePushLockShared 0xf80002a8dd81 61 808b5104000020 OR BYTE [RBX+0x451], 0x20 0xf80002a8dd88 68 418bfd MOV EDI, R13D 0xf80002a8dd8b 6B 488b05a692e3ff MOV RAX, [RIP-0x1c6d5a] 0xFFFFFA800087CFD0 nt!MmPhysicalMemoryBlock 0xf80002a8dd92 72 33c9 XOR ECX, ECX
  94. 94. win7.elf 12:11:09> dump "nt!MmPhysicalMemoryBlock" -----------------> dump("nt!MmPhysicalMemoryBlock") Offset Hex Data Comment -------------- ------------------------------------------------ ---------------- ------- 0xf800028c7038 d0 cf 87 00 80 fa ff ff 01 00 01 00 fe 3d 09 a1 .............=.. nt!MmPhysicalMemoryBlock + 0 0xf800028c7048 e0 8d 91 00 80 fa ff ff 40 4b 89 00 80 fa ff ff ........@K...... nt!IoFileObjectType + 0 0xf800028c7058 00 00 00 00 01 00 00 00 8e ca 02 00 00 00 00 00 ................ nt!MmTrackLockedPages + 0 0xf800028c7068 00 00 00 00 40 00 00 00 04 00 00 00 00 00 00 00 ....@........... nt!HvlEnlightenments + 0 win7.elf 12:10:56> dump "*nt!MmPhysicalMemoryBlock" -----------------> dump("*nt!MmPhysicalMemoryBlock") Offset Hex Data Comment -------------- ------------------------------------------------ ---------------- ------- 0xfa800087cfd0 02 00 00 00 00 00 00 00 8e ca 02 00 00 00 00 00 ................ 0xfa800087cfe0 01 00 00 00 00 00 00 00 9e 00 00 00 00 00 00 00 ................ 0xfa800087cff0 00 01 00 00 00 00 00 00 f0 c9 02 00 00 00 00 00 ................ 0xfa800087d000 fe ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ................ 0xfa800087d010 ff ff ff 7f 00 00 00 00 00 00 00 00 00 00 00 00 ................ win7.elf 12:15:14> print session.profile._PHYSICAL_MEMORY_DESCRIPTOR(0xfa800087cfd0) [_PHYSICAL_MEMORY_DESCRIPTOR _PHYSICAL_MEMORY_DESCRIPTOR] @ 0xFA800087CFD0 0x00 NumberOfRuns [unsigned long:NumberOfRuns]: 0x00000002 0x08 NumberOfPages [unsigned long long:NumberOfPages]: 0x0002CA8E 0x10 Run <Array 2 x _PHYSICAL_MEMORY_RUN @ 0xFA800087CFE0> win7.elf 12:11:36> phys_map -----------------> phys_map() Physical Start Physical End Number of Pages -------------- -------------- --------------- 0x000000001000 0x00000009f000 158 0x000000100000 0x00002caf0000 182768
  95. 95. How to break Memory Forensics by changing one byte. 1. Unload the memory driver, and reload it with the -w switch. This will enable write mode: winpmem-1.5.5-write.exe -w -l 2. Open two windows an evil one and a regular one. 3. Now we are ready to be evil.
  96. 96. win7.elf 12:16:57> a = session.profile. _PHYSICAL_MEMORY_DESCRIPTOR(0xfa800087cfd0) win7.elf 12:16:57> a.NumberOfRuns = 0
  97. 97. Challenge: Change the name of a process. 1. Start Notepad.exe. 2. Press ctrl-alt-delete and bring up the task manager. 3. Your task is to change the name of notepad. exe to foobar.exe in the task manager.
  98. 98. Challenge: Change the name of a process. There are several places where the process name exists (check the source for pstree). ● task.SeAuditProcessCreationInfo.ImageFileName = "foobar.exe" ● task.Peb.ProcessParameters.CommandLine = "foobar. exe" ● task.ImageFileName = "foobar.exe"
  99. 99. Scripting Rekall 1. This exercise is about learning how to script the interface. 2. We will practice with DKOM - hide a process. 3. Open up notepad and write the following program: def unlink(list_entry): "Given a list entry - unlink it from the list." next = list_entry.Flink.dereference() prev = list_entry.Blink.dereference() prev.Flink = next.obj_offset next.Blink = prev.obj_offset
  100. 100. Running script from within the shell Type run -i myscript.py This will run the script within the Rekall shell namespace - this makes the new function available. ● Experiment by hiding the notepad process.
  101. 101. Conclusions ● Memory forensics is an exciting science! ● Like all forensics its easy to manipulate when you know how.
  102. 102. DFRWS EU 2014 9th May
  103. 103. Appendix
  104. 104. What if the Rekall repository does not have my profile? ● Determine the exact kernel release in your image: $ rekall -f win8.1.raw version_scan --name_regex krnl Offset (P) GUID/Version PDB -------------- -------------------------------- ------------- 0x000001c33ff0 FD3D00D28EDC4527BB922BCC0509D2851 ntkrnlmp.pdb 0x0000056b1eac 43BFE6AC987243F59695235D5BD69A7F1 ntoskrnl.pdb 0x000023f294a1 1EDDFBD3D6A04821A97C1399C11C31B41 ntoskrnl.pdb 0x00003b8df534 61A9236096164FB399ACBD2A806322011 dxgkrnl.pdb ● Download the PDB file from Microsoft: $ rekall fetch_pdb -D . --guid FD3D00D28EDC4527BB922BCC0509D2851 --filename ntkrnlmp.pdb Trying to fetch http://msdl.microsoft.com/download/symbols/ntkrnlmp. pdb/FD3D00D28EDC4527BB922BCC0509D2851/ntkrnlmp.pd_ Received 1086189 bytes Extracting cabinet: ntkrnlmp.pd_ extracting ntkrnlmp.pdb All done, no errors.
  105. 105. ● Generate a Rekall profile from the MS PDB file: $ rekall parse_pdb --filename ntkrnlmp.pdb --output ./FD3D00D28EDC4527BB922BCC0509D2851.json Exporting 64: <unnamed-4998> ● Use the new profile directly (Instead of using the repository): $ rekall -f ~/test_data/win8.1/win8.1.raw --profile ./FD3D00D28EDC4527BB922BCC0509D2851.json ---------------------------------------------------------------------------- The Rekall Memory Forensic framework 1.0rc7. "We can remember it for you wholesale!" This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License. Type 'help' to get started. ---------------------------------------------------------------------------- win8.1.raw 21:35:21>
  106. 106. ● Please also consider sharing the GUID with us. Then we can add it to the public profile repository and save a couple of minutes for the next guy
  107. 107. Linux profile Generation Demo
  108. 108. Examine the kernel modules 1. Use the modules command to see all the loaded kernel modules. 2. Can you see anything suspicious? 3. Dump the suspicious module out. What can you say about it? 4. What kinds of IRPs does the module handle? 5. Can you guess what it does? disassemble its handlers.
  109. 109. The Page Frame Database
  110. 110. The Page Frame Number (PFN) database (Windows). ● The operating system maintains a database about the allocation status of every physical page in the system. ○ Since the page tables exist in the physical address space, but the OS can only reference the Virtual Address space, there must be a way to quickly access the PTEs that control a particular physical page. ○ The hardware can only do the forward mapping (Virtual to Physical). ○ Hence the operating system needs to keep track of
  111. 111. Paging in 32 bit model. Page Directory Index Page Table Index Byte Index Page Directory Page Tables Physical Memory CR3 PTN PTE Page Frame Directory Table Base (DTB) Virtual Address PFN DB Maps PFN to PTE
  112. 112. The PFN Database ● An array of _MMPFN structs, one for every page of physical memory. ○ The PFN database start is referenced by the symbol MmPfnDatabase. ○ To get the PFN of a physical address we just divide by 0x1000 (i.e. its the page number). ○ Index the array of _MMPFN structs (aka the PFN database) to read the PFN record. ● The PFN record contains important information about the physical page. ○ In use/Valid/Paged ○ Virtual Address of the PTE which controls this page.
  113. 113. Physical to Virtual mapping ● Can use the PFN database to map from physical address to virtual address. ○ Find the Virtual PTE address for the physical address. (e.g. 0xF6FC40018718) ○ Find the PteFrame (This is the physical address for the PTE). (e.g. 0x00019A18) ○ PTE Physical address is then 0x00019A18718. ○ Because there is a virtual mapping to the PTE itself, we can repeat the process to find the PTE controlling this PTE (i.e. the PDE). ■ Use the PFN database to locate the PDE, PDPDTE, PML4E and DTB, in turn.
  114. 114. Example In [36]: vtop 0xf880030e3000 -------> vtop(0xf880030e3000) Virtual 0xF880030E3000, Page Directory 0x00187000 pml4e@ 0x00187F88 = 0x2E004863 pdpte@ 0x2E004000 = 0x2E003863 pde@ 0x2E0030C0 = 0x19A18863 pte@ 0x19A18718 = 0x30E48963 PTE mapped@ 0x19A18718 = 0x30E48000 In [37]: ptov 0x30E48000 -------> ptov(0x30E48000) Physical Address 0x0000000030E48000 => Virtual Address 0x0000F880030E3000 DTB @ 0x0000000000187000 PML4E @ 0x0000000000187F88 PDPDE @ 0x000000002E004000 PDE @ 0x000000002E0030C0 PTE @ 0x0000000019A18718 Physical Address PFN DB is used to connect all the levels. DTB for this page is found.
  115. 115. In [35]: pfn 0x30E48 -------> pfn(0x30E48) PFN 0x00030E48 at kernel address 0x0000FA800092AD80 flink 00000000 blink / share count 0000000000000001 pteaddress (VAS) 0x0000F6FC40018718 (Phys AS) 0x0000000019A18718 reference count 0001 color 0 containing page 0x00019A18 ActiveAndValid M Modified
  116. 116. Finding hidden processes using PFN ● Every process has its own address space. ○ Hence every process has its own DTB. ○ Perform the physical to virtual mapping of all the physical pages, and find all the DTBs. ○ Compare to the DTBs of known processes. ● This is actually very hard for a rootkit to hide.
  117. 117. Finding hidden processes using PFN $ python vol.py -f ~/images/win7_trial_64bit.dmp --profile=Win7SP0x64 dtbscan DTB _EPROCESS Image Name -------------- -------------- ---------- 0x000000187000 0xfa800096a9e0 System 0x00001f915000 0xfa8001d4b630 svchost.exe 0x0000209de000 0xfa8000bbdb30 �&�.exe 0x00001b2c8000 0xfa8001ea5b30 spoolsv.exe 0x0000211a4000 0xfa8001dbfb30 svchost.exe 0x00002ceb9000 0xfa8000a2d060 svchost.exe 0x00002178b000 0xfa8001db5b30 svchost.exe 0x000022e75000 0xfa8000bbd060 conhost.exe 0x000022192000 0xfa8001d03ac0 lsm.exe 0x000019295000 0xfa80020bfb30 sppsvc.exe 0x00001d3a2000 0xfa8001fd9890 svchost.exe 0x00002573b000 0xfa8001974630 winlogon.exe -0x00000001000 -------------- Process not Found! 0x000021533000 0xfa8001e905b0 svchost.exe 0x00001d5c7000 0xfa8001dd7800 explorer.exe .....
  118. 118. Some other fun plugins ● Start up internet explorer and navigate to a site. ● Use the sockets and connections plugins to observe these connections. ○ Which process connects to these sites? ● On windows 7 the netstat module does a similar thing.
  119. 119. Services and drivers 1. Run the svcscan plugin - what suspicious service can you spot? Why is it suspicious? 2. Use the driverirp scanner to examine this driver. What do you think it does? 3. Disassemble the write handler. While examining the driverirp output can you see a driver which hooks other drivers? Why do you think it does this?
  120. 120. Consoles plugins ● Shows the history buffer of the command shell host process. ● cmdscan and console. ● Scary mirror looking.
  121. 121. References ● http://mista.nu/research/smashing_the_atom.pdf ● http://codemachine.com/article_objectheader.html ● http://blogs.msdn.com/b/ntdebugging/archive/2012/01/31/identifying-global-atom-table-leaks. aspx ● http://mnin.blogspot.de/2011/10/aint-nuthin-but-ktimer-thing-baby.html ● http://mnin.blogspot.de/2011/10/zeroaccess-volatility-and-kernel-timers.html ● http://uninformed.org/index.cgi?v=8&a=5&p=10 ● https://code.google.com/p/rekall/ ● https://code.google.com/p/volatility/ ● http://volatility-labs.blogspot.com/ ● http://rekall-forensic.blogspot.com/

×