
Memory analysis

Update of objtypescan plugin

My objtypescan plugin for Volatility crashed when it was unable to determine an object's virtual address in kernel space. This is fixed from version 0.4 on. Thanks to Vte. Javier Garcia Mayen for reporting the bug and providing me with extensive test data!

Memory analysis

Reading Passwords from the Keyboard Buffer

The PC's BIOS, among many other functions, also provides a simple routine to read data in from the keyboard. Information about the keys pressed is stored in a ring buffer that provides space for about 16 characters. As Jonathan Brossard has shown in a paper presented at DEFCON 16, the buffer's contents may remain available for a while after they have been read by the BIOS. Chances are that BIOS or disk encryption passwords can be recovered.

(more...)

Memory analysis

Searching for Mutants

I feel somewhat sorry for posting such a creepy title in spring. But don't worry, "mutant" is just what a mutex is called in the Windows kernel. A mutex helps to serialize access to a resource. Some applications employ a mutex to ensure that only a single instance is running. That way, a mutex may lead us directly into the dark realms of some malware. Scary, isn't it?

(more...)

Memory analysis

Symbolic Link Objects

The concept of symbolic links is widely implemented in file systems. But there is also a symbolic link object for kernel objects. Generally, a symbolic link will make an object accessible under a different and probably much shorter name. But symbolic link objects also provide some forensic value.

(more...)

Memory analysis

Scanning for Drivers

Drivers extend the functionality of the kernel, e.g. by implementing a network communication protocol or an interface to a new piece of hardware. They are loadable kernel-mode modules, which allows them to modify any system behavior. Several rootkits are implemented as drivers. In this post I present a plugin for the Volatility memory analysis framework that scans for driver objects.

(more...)

Memory analysis

Linking File Objects to Processes

I was not completely satisfied with my first file object scanner. It revealed a lot of objects, including files that were hidden through malicious activity. But it was lacking the ability to connect those files to processes. A couple of days of research later I'm excited to release an improved version.

(more...)

Memory analysis

0xbad0b0b0

Have you ever seen the value 0xbad0b0b0 before? If you're analyzing kernel objects, you certainly will. Here is some information about this special value.

(more...)

Memory analysis

Scanning for File Objects

The Microsoft Windows kernel represents opened files by a _FILE_OBJECT structure. With some help from the Microsoft debugger, the object type information for files, and the Volatility memory analysis framework, it is an easy task to craft a file object scanner. This scanner may reveal files even if they are hidden by a rootkit.

(more...)

Memory analysis

Enumerate Object Types

There are many ways to enumerate the various object types of the Microsoft Windows kernel. In this short post, I'm going to present the Microsoft debugger, Sysinternals WinObj and a Volatility plugin.

(more...)

Memory analysis

Kernel Objects

Microsoft Windows has an object-oriented kernel. Files, processes, threads: everything is an object. And all those kernel objects share a common data structure and interface. In this post we'll have a look at how objects are created by the kernel and stored in memory.

(more...)

Side notes

DFRWS 2009 Challenge

DFRWS has posted its challenge for the upcoming conference. This year, file system data, network captures and memory images of a Sony PlayStation 3 need to be analyzed. Submissions are due July 12, 2009. Details are available at the DFRWS website.