Reconstructing a Binary (2)

If you followed through the first part of this tutorial, you might wonder if there shouldn't be a simpler way to extract the binary. Of course there is one.

The principle behind the reconstruction process as it was described in the first part is rather simple:

  1. find the EPROCESS record
  2. locate the start of the in-memory image via the PEB
  3. extract the first page, containing the executable file's header and save it to a file
  4. for every section listed in the header extract and save the proper portion of virtual memory

What is really annoying, to say the least, are all those conversions from virtual to physical addresses and the endless copy'n paste operations. Memdump.pl comes to help! Just let it extract the process memory. All you need is the memory dump file and the Page Directory Base Address of the process. We already know the latter from the first part of this tutorial, it's 0x01d9e000.

Now issue ./memdump.pl dfrws2005-physical-memory1.dmp 0x01d9e000

If all goes well this will create two files in the current directory:

  • 0x1d9e000.map maps virtual addresses to offsets of the extracted process memory
  • 0x1d9e000.mem contains the process memory

We'll now have to locate the PEB. Again from the first part we know that it is at virtual address 0x7ffdf000. Looking at the MAP file:

 virt. addr.  file offset     size
------------ ------------ --------
  0x7ffdf000     0x107000   0x1000

So you'll find the PEB at offset 0x107000 in file 0x1d9e000.mem. Eight bytes further you'll find the ImageBaseAddress. Good to see that it's still 0x0400000.

We'd now have to extract the first page (at 0x0400000, that is file offset 0x26000) and reconstruct all the sections. Again, based on our experience from the first part, we can speed this up a bit. Here's the relevant portion from the MAP file:

 virt. addr.  file offset     size
------------ ------------ --------
    0x400000      0x26000   0x1000
    0x401000      0x27000   0x1000
    0x402000      0x28000   0x1000
    0x403000      0x29000   0x1000
    0x404000      0x2a000   0x1000
    0x405000      0x2b000   0x1000
    0x406000      0x2c000   0x1000
    0x407000      0x2d000   0x1000
    0x408000      0x2e000   0x1000
    0x409000      0x2f000   0x1000
    0x40a000      0x30000   0x1000
    0x40b000      0x31000   0x1000
    0x40c000      0x32000   0x1000
    0x40d000      0x33000   0x1000

So all that is left to do is to copy 14 pages (14 * 4096 bytes = 57344 bytes) starting at offset 0x26000 (38 pages or 155648 bytes in decimal) from the MEM file and save them to a new file. As usual I did it with 010 Editor, but you could do that with dd as well: dd if=0x1d9e000.mem of=reconstructed.exe bs=4096 skip=38 count=14
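The same lookups scripted, as an added example that is not part of this post or of memdump.pl: it parses the MAP listing (column layout assumed from the excerpts above), translates the PEB's virtual address to a MEM offset, reads ImageBaseAddress eight bytes in, and carves the run of contiguously mapped pages from the image base. The MAP and MEM data are small constructed stand-ins, and the PEB layout assumed is the 32-bit one.

```python
import struct
PAGE = 0x1000

# Constructed stand-ins for 0x1d9e000.map / 0x1d9e000.mem: a PEB page at
# 0x7ffdf000 and a three-page image at 0x400000 (offsets chosen to be small).
SAMPLE_MAP = """\
 virt. addr.  file offset     size
------------ ------------ --------
  0x7ffdf000       0x3000   0x1000
    0x400000          0x0   0x1000
    0x401000       0x1000   0x1000
    0x402000       0x2000   0x1000
"""
SAMPLE_MEM = bytearray(4 * PAGE)
SAMPLE_MEM[0:2] = b"MZ"                                   # DOS header of the image
struct.pack_into("<I", SAMPLE_MEM, 0x3000 + 8, 0x400000)  # PEB.ImageBaseAddress

def parse_map(text):
    """MAP listing (column layout assumed from this page) -> {virt page: (offset, size)}."""
    table = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 3 and all(p.startswith("0x") for p in parts):
            virt, off, size = (int(p, 16) for p in parts)
            table[virt] = (off, size)
    return table

def virt_to_offset(table, vaddr):
    """MEM file offset of a virtual address, or None if that page was not resident."""
    entry = table.get(vaddr & ~(PAGE - 1))
    return None if entry is None else entry[0] + (vaddr & (PAGE - 1))

def image_base_from_peb(table, mem, peb_vaddr=0x7ffdf000):
    """ImageBaseAddress is the 32-bit pointer 8 bytes into a 32-bit PEB."""
    off = virt_to_offset(table, peb_vaddr + 8)
    if off is None:
        raise ValueError("PEB page is not in the MAP")
    return struct.unpack_from("<I", mem, off)[0]

def carve_image(table, mem, base):
    """Copy the run of contiguously mapped pages from the image base. The run ends
    at the first page with no MAP entry, so a paged-out page inside the image
    truncates the result; compare the length against the PE header's SizeOfImage."""
    out, vaddr = bytearray(), base
    while vaddr in table:
        off, size = table[vaddr]
        out += mem[off:off + size]
        vaddr += size
    return bytes(out)
```

On the real files, read 0x1d9e000.map and 0x1d9e000.mem in place of the samples and write the carved bytes to reconstructed.exe; the result is the same 14 pages the dd command above copies.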

Now, wasn't that easy?

Harlan Carvey also posted on the subject. Maybe he is going to build an automatic binary extractor? His Perl module to parse the PE header sure would be helpful in the process.

Copyright © 2005-2012 by
Andreas Schuster
All rights reserved.