Searching in Pool Allocations

Harlan Carvey posted some comments and an article regarding the analysis of pool allocations. One of the remaining tasks is to identify "interesting" pool tags. I already wrote about network activity to illustrate the top-down approach. Now here's a tool to aid the bottom-up approach.

For this example I will search a dump for allocations containing a timestamp. I will use a crash dump, because it contains a timestamp to start with. Any other dump file format should work too, but you'll have to find out the proper system time on your own.

In a crash dump file the system time is recorded at offset 0xfc0 as an 8 byte FILETIME. I take the most significant 3 bytes, in this example f4 c6 01. A search for that byte sequence in a hex editor returns about 30,000 hits. A lot of them are in the file system cache. Using a kernel memory dump instead of a full dump would certainly trim down the result set to a reasonable size. But there would still be some scrolling back and forth in the hex editor to find out whether the hit is in a tagged pool allocation or not.
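The step above can be scripted. The following Python sketch is an added example, not part of PoolGrep or PoolFinder: it reads the FILETIME at offset 0xfc0, prints it as a UTC date, derives the search string in the \xNN notation used below, and shows which time span those three bytes cover. The function names and the sample header are constructed for illustration.

```python
import struct
from datetime import datetime, timedelta, timezone

SYSTEM_TIME_OFFSET = 0xFC0  # crash dump header field named in the post
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(ft):
    """FILETIME counts 100 ns ticks since 1601-01-01 UTC."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def read_system_time(dump):
    """Return (raw 8 bytes, integer FILETIME) from the dump header."""
    raw = dump[SYSTEM_TIME_OFFSET:SYSTEM_TIME_OFFSET + 8]
    if len(raw) != 8:
        raise ValueError("dump too short to hold the system time field")
    return raw, struct.unpack("<Q", raw)[0]


def search_pattern(raw, significant=3):
    """The value is stored little-endian, so its most significant bytes are
    the last ones in file order. Emit them in the \\xNN form PoolGrep takes."""
    return "".join("\\x%02x" % b for b in raw[8 - significant:])


def prefix_window(ft, significant=3):
    """Earliest and latest timestamps sharing those most significant bytes."""
    low_bits = 8 * (8 - significant)
    start = (ft >> low_bits) << low_bits
    return filetime_to_datetime(start), filetime_to_datetime(start + (1 << low_bits) - 1)


# Constructed sample: a zero-filled header with a made-up FILETIME whose top
# three bytes match the post's example (f4 c6 01 in file order).
SAMPLE_FILETIME = 0x01C6F4A1B2C3D4E5
SAMPLE_DUMP = bytes(SYSTEM_TIME_OFFSET) + struct.pack("<Q", SAMPLE_FILETIME) + bytes(64)

if __name__ == "__main__":
    raw, ft = read_system_time(SAMPLE_DUMP)
    first, last = prefix_window(ft)
    print("system time :", filetime_to_datetime(ft).isoformat())
    print("search for  :", search_pattern(raw))
    print("pattern spans:", first.isoformat(), "to", last.isoformat())
```

Three bytes fix only the upper 24 bits of the FILETIME, so the pattern matches any timestamp within a span of roughly 30.5 hours, not just the moment of the crash.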

So I wrote PoolGrep. As the name implies, it searches for a given byte string like grep does. In addition it takes a listing generated by PoolFinder to limit its search to pool allocations.

Back to the search for timestamps. The next step is to generate the index file of pool allocations:
poolfinder.pl mydump.dmp > mydump.pools.txt

Now we can conduct the search:
poolgrep.pl --dumpfile mydump.dmp --listfile mydump.pools.txt \xf4\xc6\x01

Please note that the search string is a Perl regular expression.

This search returns about 1,300 hits. If you're only interested in the tags then the --unique option is for you:

poolgrep.pl --dumpfile mydump.dmp --listfile mydump.pools.txt --unique \xf4\xc6\x01

You may also search for textual strings:
poolgrep.pl --listfile mydump.pools.txt --dumpfile mydump.DMP system32

Here's a case-insensitive search:
poolgrep.pl --listfile mydump.pools.txt --dumpfile mydump.DMP --ignorecase system32

Unicode is also possible, but requires some tweaking:
poolgrep.pl --listfile mydump.pools.txt --dumpfile mydump.DMP --ignorecase s\000y\000s\000t\000e\000m\0003\0002\000
This time the NULL bytes are given in octal (\000) instead of hex notation (\x00).

So PoolGrep may help you to find the proper tags as long as you can find an example for the data you're interested in. Some good search expressions are (binary) timestamps, IP addresses (watch the network byte order!), registry keys or a driver's name.

You still might have to find the proper code snippet to reveal the data's structure, though. But that's a different story to tell.

Copyright © 2005-2012 by
Andreas Schuster
All rights reserved.