Reconstructing a Binary (3)

As shown in two earlier posts, it is definitely possible to reconstruct a program file from a full memory dump. However, there is no guarantee that the file will run properly. In this article I'll explain why.

So far I've described two procedures for reconstructing a program file from a full memory dump. Whichever one you choose, it takes some effort. But is it worth all the hassle?

Reconstructed (top) and original program file (bottom) behave differently.

Obviously the program file reconstructed in both of the earlier articles does not behave as expected. By the way, the program is dd from George Garner's fine set of Forensic Acquisition Utilities. Now that the original program is known, it's a good idea to compare it with the reconstructed one. For that I'll use nwdiff.

Nwdiff reveals some differences between the two program files.

Nwdiff compares both program files and highlights any differing bits. There are only a few small, yet important, differences. The corresponding addresses belong to the .data section. That part of a PE file holds initialized data: variables in that section already contain their starting values when they are loaded into memory, so there's no need to initialize them at runtime. Of course their values can change while the program runs.

Hence the memory image does not contain the program in its pristine state. For example, in the first screenshot the block counter's value is "15435". Assuming the block size had been set to the size of a memory page, that is 4096 bytes, this corresponds to a physical address of 63221760, or 0x3c4b000 in hex. That's exactly the physical address of the program's .data section (see the table at the end of the first article).
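To make this kind of comparison reproducible without nwdiff, here is an added example (my own code, not part of the original post and not nwdiff) that parses the section table of a PE file and groups every differing byte offset by the section it falls in. The sample image is a constructed two-section stub with a hypothetical block counter in .data, not the real dd binary; for real files pass the bytes of the original and the reconstructed program instead.

```python
import struct
from collections import defaultdict

def parse_sections(pe: bytes):
    """Return [(name, PointerToRawData, SizeOfRawData)] from the PE section table."""
    if pe[:2] != b"MZ":
        raise ValueError("not a DOS/PE image")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4                      # IMAGE_FILE_HEADER follows the signature
    nsec = struct.unpack_from("<H", pe, coff + 2)[0]
    opt_size = struct.unpack_from("<H", pe, coff + 16)[0]
    sec_tab = coff + 20 + opt_size           # section table follows the optional header
    sections = []
    for i in range(nsec):
        entry = sec_tab + 40 * i             # IMAGE_SECTION_HEADER is 40 bytes
        name = pe[entry:entry + 8].rstrip(b"\0").decode("ascii", "replace")
        raw_size, raw_off = struct.unpack_from("<II", pe, entry + 16)
        sections.append((name, raw_off, raw_size))
    return sections

def diff_by_section(original: bytes, reconstructed: bytes):
    """Map each differing file offset to the section (of the original) it falls in."""
    sections = parse_sections(original)
    hits = defaultdict(list)
    for off in range(max(len(original), len(reconstructed))):
        a = original[off] if off < len(original) else None
        b = reconstructed[off] if off < len(reconstructed) else None
        if a != b:
            owner = next((n for n, o, s in sections if o <= off < o + s), "<outside sections>")
            hits[owner].append(off)
    return dict(hits)

def build_sample_pe(counter: int) -> bytes:
    """Constructed two-section stub (.text at 0x200, .data at 0x400); headers only, not runnable."""
    hdr = bytearray(0x200)
    hdr[:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, 0x80)                       # e_lfanew
    hdr[0x80:0x84] = b"PE\0\0"
    struct.pack_into("<HHIIIHH", hdr, 0x84, 0x14C, 2, 0, 0, 0, 0xE0, 0x102)  # i386, 2 sections
    sec_tab = 0x84 + 20 + 0xE0                                    # zeroed optional header
    for i, (name, va, off) in enumerate([(b".text", 0x1000, 0x200), (b".data", 0x2000, 0x400)]):
        struct.pack_into("<8sIIIIIIHHI", hdr, sec_tab + 40 * i, name, 0x200, va, 0x200, off, 0, 0, 0, 0, 0)
    text = b"\xC3" * 0x200                   # constructed code bytes (ret), identical in both files
    data = bytearray(0x200)
    struct.pack_into("<I", data, 0x10, counter)  # hypothetical block counter living in .data
    return bytes(hdr) + text + bytes(data)
```

Comparing `build_sample_pe(0)` (the pristine file) against `build_sample_pe(15435)` (the counter as captured in the dump) reports differences only inside .data, mirroring what nwdiff shows above.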

So, is it futile to reconstruct a program file? A dynamic analysis of the reconstructed program will probably fail. It would require additional effort anyway, such as reconstructing further files or adding some registry keys.

However, it is possible to perform a static analysis on the recovered file: you can load it into a disassembler, examine its header, or scan it with an anti-virus tool.

In my opinion, depending on the case, the information gained through static analysis can justify the effort of reconstructing a program binary from a memory dump.

Imprint

This blog is a project of:
Andreas Schuster
Im Äuelchen 45
D-53177 Bonn
impressum@forensikblog.de

Copyright © 2005-2012 by
Andreas Schuster
All rights reserved.