April 2009 Archives
The PC's BIOS, among many other functions, also provides a simple routine to read data in from the keyboard. Information about the keys pressed is stored in a ring buffer that provides space for about 16 characters. As Jonathan Brossard has shown in a paper and presented at DEFCON 16, the buffer's contents may be available for a while after they have been read by the BIOS. Chances are that passwords of the BIOS or of disk encryption software can be recovered.
I feel somewhat sorry for posting such a creepy title in spring. But don't worry, "mutant" is just what a mutex is called in the Windows kernel. A mutex helps to serialize access to a resource. Some applications employ a mutex to ensure that only a single instance is running. And that way, a mutex may lead us directly into the dark realms of some malware. Scary, isn't it?
The concept of symbolic links is widely implemented in file systems. But there is also a symbolic link object for kernel objects. Generally, a symbolic link will make an object accessible under a different and probably much shorter name. But symbolic link objects also provide some forensic value.
Drivers extend the functionality of the kernel, e.g. by implementing a network communication protocol or an interface to a new piece of hardware. They are loadable kernel-mode modules, which allows them to modify any system behavior. Several rootkits are implemented as drivers. In this post I present a plugin for the Volatility memory analysis framework that scans for driver objects.
I was not completely satisfied with my first file object scanner. It revealed a lot of objects, including files that were hidden through malicious activity. But it was lacking the ability to connect those files to processes. A couple of days of research later I'm excited to release an improved version.
Have you ever seen the value 0xbad0b0b0 before? If you're analyzing kernel objects, you certainly will. Here is some information about this special value.
The Microsoft Windows kernel represents opened files by a _FILE_OBJECT structure. With some help from the Microsoft Debugger, the object type information about files and the Volatility memory analysis framework, it is an easy task to craft a file object scanner. This scanner may reveal files even if they are hidden by a rootkit.
There are many ways to enumerate the various object types of the Microsoft Windows kernel. In this short post, I'm going to present the Microsoft debugger, Sysinternals WinObj and a Volatility plugin.
Microsoft Windows has an object-oriented kernel. Files, processes, threads - everything is an object. And all those kernel objects share a common data structure and interface. In this post we'll have a look at how objects are created by the kernel and stored in memory.
