
Paradox Conference 2011

Windows 7 Memory Forensics


2011.01.29.

Jisung Han
Digital Forensic Research Center
CIST, Korea Univ.
xnetblue@korea.ac.kr
Who am I?

§ Jisung, Han (XnetBLue)

§ Digital Forensic Research Center, CIST, Korea Univ.

§ Interested in
Windows Memory Forensics, File-system, Reverse Engineering

§ xnetblue@gmail.com, xnetblue@korea.ac.kr

§ Blog
• http://baadc0de.blogspot.com

Digital Forensic Research Center, CIST, Korea Univ. 2


Live Forensics

§ Data in volatile storage
• processes, handles, modules (DLLs & SYSs), and other kernel state
• not stored on the hard disk
◦ held in registers or physical memory
• much smaller than the hard disk data

§ Live Forensics
• performing live response on the running system
• can detect malware more effectively than traditional (disk-based) forensics



Memory Forensics

§ Analyzing physical memory dumps
• minimize changes to volatile data
◦ volatile data is damaged by the investigator’s own actions
◦ how to minimize changes?
– perform the least possible activity on the target
– only execute the memory dumper (mdd, windd, or fastdd, …)
• sidestep tampered results
◦ techniques used by malware
– DKOM, SSDT or IDT hooking, code patching, or …
◦ analyze kernel state directly from the dump
– not affected by most of these techniques
• dumps can be re-analyzed at any time



The Object of Study

Based on



Methods for
Acquiring Windows Physical Memory

§ \Device\PhysicalMemory
• a kernel driver opens the section object and hands the handle back to user mode through the IRP’s system buffer (user-mode access to this section is denied on current Windows versions)
UNICODE_STRING usPhysicalMemory;
OBJECT_ATTRIBUTES oa;
HANDLE hPhysicalMemory = NULL;
NTSTATUS status;

RtlInitUnicodeString( &usPhysicalMemory, L"\\Device\\PhysicalMemory" );
InitializeObjectAttributes( &oa, &usPhysicalMemory,
OBJ_CASE_INSENSITIVE,
NULL, NULL );

// open the section for read-only mapping
status = ZwOpenSection( &hPhysicalMemory, SECTION_MAP_READ, &oa );
if( !NT_SUCCESS(status) )
{
// %wZ expects a pointer to the UNICODE_STRING; NTSTATUS is printed as a 32-bit value
DbgPrint("Failed to open %wZ! Status 0x%08x\n", &usPhysicalMemory, status);
hPhysicalMemory = NULL;
goto done;
}
DbgPrint("Opened section handle %p in driver\n", hPhysicalMemory);

// return the handle to the caller through the METHOD_BUFFERED output buffer
*(HANDLE*)pIrp->AssociatedIrp.SystemBuffer = hPhysicalMemory;
pIrp->IoStatus.Information = sizeof(HANDLE);
status = STATUS_SUCCESS;



Methods for
Acquiring Windows Physical Memory (cont’d)

§ MmGetPhysicalMemoryRanges()
• returns an array of physical ranges terminated by an entry whose BaseAddress and NumberOfBytes are zero
• each range is then mapped with MmMapIoSpace() and copied out
typedef struct _PHYSICAL_MEMORY_RANGE {
PHYSICAL_ADDRESS BaseAddress;
LARGE_INTEGER NumberOfBytes;
} PHYSICAL_MEMORY_RANGE, *PPHYSICAL_MEMORY_RANGE;

NTKERNELAPI
PPHYSICAL_MEMORY_RANGE
MmGetPhysicalMemoryRanges (
VOID
);

PVOID
MmMapIoSpace(
IN PHYSICAL_ADDRESS PhysicalAddress,
IN ULONG NumberOfBytes,
IN MEMORY_CACHING_TYPE CacheType
);



Methods for
Acquiring Windows Physical Memory (cont’d)

§ MmMapMemoryDumpMdl()
• windd uses this undocumented kernel function
typedef struct _MDL {
struct _MDL *Next;
CSHORT Size;
CSHORT MdlFlags;
struct _EPROCESS *Process;
PVOID MappedSystemVa; // returns 0xFFBF0000 -> virtual range reserved by the crash dump driver
PVOID StartVa;
ULONG ByteCount;
ULONG ByteOffset;
} MDL, *PMDL;

NTKERNELAPI
VOID
MmMapMemoryDumpMdl (
__inout PMDL MemoryDumpMdl
);



Kernel & User Land

§ Kernel and User Address Space
• Kernel land
◦ Windows kernel and drivers
• User land
◦ processes and DLLs
◦ isolated per process: each process has its own user address space



Virtual to Physical Address Translation



Virtual to Physical Address Translation (cont’d)

§ e.g.) VA = 804d9000 = kernel base address (PAE paging: 8-byte entries, 4 PDPTEs, 512 PDEs per directory)

0: kd> db 804d9000
804d9000 4d 5a 90 00 03 00 00 00-04 00 00 00 ff ff 00 00 MZ..............
804d9010 b8 00 00 00 00 00 00 00-40 00 00 00 00 00 00 00 ........@.......
804d9020 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................
804d9030 00 00 00 00 00 00 00 00-00 00 00 00 e0 00 00 00 ................
804d9040 0e 1f ba 0e 00 b4 09 cd-21 b8 01 4c cd 21 54 68 ........!..L.!Th
804d9050 69 73 20 70 72 6f 67 72-61 6d 20 63 61 6e 6e 6f is program canno
804d9060 74 20 62 65 20 72 75 6e-20 69 6e 20 44 4f 53 20 t be run in DOS
804d9070 6d 6f 64 65 2e 0d 0d 0a-24 00 00 00 00 00 00 00 mode....$.......
0: kd> r cr3
cr3=00b37000
0: kd> dd /p 00b37000 L8
00b37000 00b38001 00000000 00b39001 00000000
00b37010 00b3a001 00000000 00b3b001 00000000
// PDPTE[2] = 00b3a001 -> PD address = bits 31:12 = 00b3a000

VA 804d9000 = 10 | 000000010 | 011011001000000000000 (binary)
            =  2 |         2 | D9000
   PDPTE index (bits 31:30) | PDE index (bits 29:21) | byte offset within the 2 MB page (bits 20:0)



Virtual to Physical Address Translation (cont’d)

0: kd> dd /p 00b3a000+8*2 L2
00b3a010 004009e3 00000000
// PDE[2] = 004009e3 with PS set -> 2 MB page starting at 00400000; PA = 00400000 + d9000
0: kd> db /p (400*1000)+d9000
004d9000 4d 5a 90 00 03 00 00 00-04 00 00 00 ff ff 00 00 MZ..............
004d9010 b8 00 00 00 00 00 00 00-40 00 00 00 00 00 00 00 ........@.......
004d9020 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................
004d9030 00 00 00 00 00 00 00 00-00 00 00 00 e0 00 00 00 ................
004d9040 0e 1f ba 0e 00 b4 09 cd-21 b8 01 4c cd 21 54 68 ........!..L.!Th
004d9050 69 73 20 70 72 6f 67 72-61 6d 20 63 61 6e 6e 6f is program canno
004d9060 74 20 62 65 20 72 75 6e-20 69 6e 20 44 4f 53 20 t be run in DOS
004d9070 6d 6f 64 65 2e 0d 0d 0a-24 00 00 00 00 00 00 00 mode....$.......
0: kd> db 804d9000
804d9000 4d 5a 90 00 03 00 00 00-04 00 00 00 ff ff 00 00 MZ..............
804d9010 b8 00 00 00 00 00 00 00-40 00 00 00 00 00 00 00 ........@.......
804d9020 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................
804d9030 00 00 00 00 00 00 00 00-00 00 00 00 e0 00 00 00 ................
804d9040 0e 1f ba 0e 00 b4 09 cd-21 b8 01 4c cd 21 54 68 ........!..L.!Th
804d9050 69 73 20 70 72 6f 67 72-61 6d 20 63 61 6e 6e 6f is program canno
804d9060 74 20 62 65 20 72 75 6e-20 69 6e 20 44 4f 53 20 t be run in DOS
804d9070 6d 6f 64 65 2e 0d 0d 0a-24 00 00 00 00 00 00 00 mode....$.......
// identical bytes: VA 804d9000 -> PA 004d9000

PDE 004009e3 = 00000000010000000000 | 100111100011 (binary)
             = 400 (Page Frame Number, bits 31:12) | 9e3 (Flags, bits 11:0)

// LSB = 1 = Valid
// PS = 1 = Large Page
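The hand translation above, as an added Python example that is not part of the slides: it reproduces the PAE walk (CR3 -> PDPT -> PD -> 2 MB page, or -> PT for a 4 KB page) over a constructed sparse physical image holding the paging entries from the WinDbg session. The user-space 4 KB mapping, the PhysicalMemory class and all function names are assumptions made for this example.

```python
import struct

# PAE paging constants: 64-bit entries, 4 PDPTEs, 512 PDEs/PTEs per table
PAGE_4K = 0x1000
PAGE_2M = 0x200000
ADDR_MASK_4K = 0x000FFFFFFFFFF000   # bits 51:12 of a PDPTE/PDE/PTE
ADDR_MASK_2M = 0x000FFFFFFFE00000   # bits 51:21 of a large-page PDE
PTE_P, PTE_RW, PTE_US, PTE_A, PTE_D, PTE_PS, PTE_G = 1 << 0, 1 << 1, 1 << 2, 1 << 5, 1 << 6, 1 << 7, 1 << 8


class PhysicalMemory:
    """Sparse physical memory: a dict of 4 KiB pages (constructed for this example,
    not a real dump format)."""

    def __init__(self):
        self.pages = {}

    def write_qword(self, pa, value):
        page = self.pages.setdefault(pa & ~0xFFF, bytearray(PAGE_4K))
        struct.pack_into("<Q", page, pa & 0xFFF, value)

    def read_qword(self, pa):
        page = self.pages.get(pa & ~0xFFF)
        if page is None:
            raise KeyError("physical page %#x is not in the image" % (pa & ~0xFFF))
        return struct.unpack_from("<Q", page, pa & 0xFFF)[0]


def split_va(va):
    """Return the PAE indices of a 32-bit VA: (PDPTE index, PDE index, PTE index, page offset)."""
    return (va >> 30) & 0x3, (va >> 21) & 0x1FF, (va >> 12) & 0x1FF, va & 0xFFF


def pde_flags(pde):
    """Decode the flag bits the slide annotates (LSB = valid, PS = large page) plus the usual ones."""
    names = [("P", PTE_P), ("RW", PTE_RW), ("US", PTE_US), ("A", PTE_A),
             ("D", PTE_D), ("PS", PTE_PS), ("G", PTE_G)]
    return [n for n, bit in names if pde & bit]


def pae_translate(mem, cr3, va):
    """Walk CR3 -> PDPT -> PD -> (PT) exactly as done by hand in the WinDbg session."""
    pdpt_base = cr3 & ~0x1F                       # CR3 holds the 32-byte-aligned PDPT address
    pdpte_idx, pde_idx, pte_idx, offset = split_va(va)
    pdpte = mem.read_qword(pdpt_base + 8 * pdpte_idx)
    if not pdpte & PTE_P:
        raise ValueError("PDPTE %d not present for VA %#x" % (pdpte_idx, va))
    pde = mem.read_qword((pdpte & ADDR_MASK_4K) + 8 * pde_idx)
    if not pde & PTE_P:
        raise ValueError("PDE %d not present for VA %#x" % (pde_idx, va))
    if pde & PTE_PS:                              # 2 MiB large page: no page-table level
        return (pde & ADDR_MASK_2M) | (va & (PAGE_2M - 1))
    pte = mem.read_qword((pde & ADDR_MASK_4K) + 8 * pte_idx)
    if not pte & PTE_P:
        raise ValueError("PTE %d not present for VA %#x" % (pte_idx, va))
    return (pte & ADDR_MASK_4K) | offset


def build_example_image():
    """Constructed image holding the paging entries dumped on the slides plus one
    constructed 4 KiB user-space mapping (the user-space part is not from the slides)."""
    mem = PhysicalMemory()
    cr3 = 0x00B37000
    for i, pdpte in enumerate([0x00B38001, 0x00B39001, 0x00B3A001, 0x00B3B001]):  # dd /p 00b37000 L8
        mem.write_qword(cr3 + 8 * i, pdpte)
    mem.write_qword(0x00B3A000 + 8 * 2, 0x004009E3)   # PDE[2] of the kernel PD: 2 MiB page, PFN 0x400
    mem.write_qword(0x00B38000 + 8 * 2, 0x00C00067)   # constructed PDE[2]: page table at 0xC00000
    mem.write_qword(0x00C00000 + 8 * 1, 0x01234067)   # constructed PTE[1]: 4 KiB page frame 0x1234
    return mem, cr3


if __name__ == "__main__":
    mem, cr3 = build_example_image()
    for va in (0x804D9000, 0x00401234):
        print("VA %#010x -> PA %#010x" % (va, pae_translate(mem, cr3, va)))
    print("PDE 004009e3 flags:", pde_flags(0x004009E3))
```

Running it prints the kernel base translation from the slide (804d9000 -> 004d9000) and the constructed 4 KB case; a non-present entry raises instead of silently returning a bogus physical address, which is what an analysis tool should do when a page was paged out at acquisition time.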



Memory Allocation

§ ExAllocatePoolWithTag()
• allocates from the kernel pool and stamps the block with a four-character tag
PVOID
ExAllocatePoolWithTag (
__in POOL_TYPE PoolType,
__in SIZE_T NumberOfBytes,
__in ULONG Tag
);

kd> dt nt!_POOL_HEADER 86065030-28-8
// 86065030 = _EPROCESS; the 0x28-byte object header and the 8-byte pool header precede it


+0x000 PreviousSize : 0y000000000 (0)
+0x000 PoolIndex : 0y0000000 (0)
+0x002 BlockSize : 0y001011110 (0x5e)
+0x002 PoolType : 0y0000010 (0x2)
+0x000 Ulong1 : 0x45e0000
+0x004 PoolTag : 0xe36f7250
+0x004 AllocatorBackTraceIndex : 0x7250
+0x006 PoolTagHash : 0xe36f
kd> db 86065030-28-8
86065000 00 00 5e 04 50 72 6f e3-00 10 00 00 f0 02 00 00 ..^.Pro.........
86065010 b8 00 00 00 40 2c 95 82-25 00 00 00 03 00 00 00 ....@,..%.......
86065020 00 00 00 00 07 00 08 00-40 2c 95 82 ea 96 2a 95 ........@,....*.
86065030 03 00 26 00 00 00 00 00-38 50 06 86 38 50 06 86 ..&.....8P..8P..
86065040 40 50 06 86 40 50 06 86-20 34 ca 3e 00 00 00 00 @P..@P.. 4.>....
86065050 00 00 00 00 00 00 00 00-00 00 00 00 18 58 06 86 .............X..
86065060 e8 1e 07 86 00 00 00 00-01 00 01 00 00 00 00 00 ................
86065070 01 00 00 00 74 50 06 86-74 50 06 86 00 00 00 00 ....tP..tP......



Kernel Object

§ Components of a system
• processes, threads, DLLs, files, and so on…

§ User-mode code can’t access kernel objects directly
• a handle is used to reach the kernel object indirectly, instead of its kernel address



Windows Memory Analysis

§ Find Directory Table Base
• loaded in the CR3 register
• _KPCR.Prcb -> _KPRCB.ProcessorState -> _KPROCESSOR_STATE.SpecialRegisters -> _KSPECIAL_REGISTERS.Cr3
• can be found by the carving method

kd> dt nt!_KSPECIAL_REGISTERS 82947d20+18+2cc
// 82947d20 = KPCR.Prcb (= KPCR.SelfPcr + 0x120); +0x18 = ProcessorState, +0x2cc = SpecialRegisters
+0x000 Cr0 : 0x8001003b
+0x004 Cr2 : 0x95ca2000
+0x008 Cr3 : 0x185000
+0x00c Cr4 : 0x6f9
+0x010 KernelDr0 : 0
+0x014 KernelDr1 : 0
+0x018 KernelDr2 : 0
+0x01c KernelDr3 : 0
+0x020 KernelDr6 : 0xffff0ff0
+0x024 KernelDr7 : 0x400
+0x028 Gdtr : _DESCRIPTOR
+0x030 Idtr : _DESCRIPTOR
+0x038 Tr : 0x28
+0x03a Ldtr : 0
+0x03c Reserved : [6] 0



Windows Memory Analysis (cont’d)

§ Find Kernel Variables
• _KDDEBUGGER_DATA64
• important variables
◦ KernBase
◦ PaeEnabled
◦ PsActiveProcessHead
◦ PsLoadedModuleList
◦ PspCidTable
◦ …

typedef struct _KDDEBUGGER_DATA64 {
DBGKD_DEBUG_DATA_HEADER64 Header;
ULONG64 KernBase;
ULONG64 BreakpointWithStatus;
ULONG64 SavedContext;
USHORT ThCallbackStack;
USHORT NextCallback;
USHORT FramePointer;
USHORT PaeEnabled:1;
ULONG64 KiCallUserMode;
ULONG64 KeUserCallbackDispatcher;
ULONG64 PsLoadedModuleList;
ULONG64 PsActiveProcessHead;
ULONG64 PspCidTable;
[...]
};

• can be found by the carving method
◦ search for the signature \0\0\0\0\0\0\0\0KDBG (eight zero bytes followed by the OwnerTag of the header)



Windows Memory Analysis (cont’d)

§ Process list



Windows Memory Analysis (cont’d)

kd> dt nt!_EPROCESS PsActiveProcessHead-b8


+0x000 Pcb : _KPROCESS
+0x098 ProcessLock : _EX_PUSH_LOCK
+0x0a0 CreateTime : _LARGE_INTEGER 0x0
+0x0a8 ExitTime : _LARGE_INTEGER 0x120c06`00000000
+0x0b0 RundownProtect : _EX_RUNDOWN_REF
+0x0b4 UniqueProcessId : 0x860654e0 Void
+0x0b8 ActiveProcessLinks : _LIST_ENTRY [ 0x84133ac0 - 0x860650e8 ]
[...]
kd> dt nt!_EPROCESS 0x84133ac0-b8
+0x000 Pcb : _KPROCESS
+0x098 ProcessLock : _EX_PUSH_LOCK
+0x0a0 CreateTime : _LARGE_INTEGER 0x1cbbd32`c38d6d52
+0x0a8 ExitTime : _LARGE_INTEGER 0x0
+0x0b0 RundownProtect : _EX_RUNDOWN_REF
+0x0b4 UniqueProcessId : 0x00000004 Void
+0x0b8 ActiveProcessLinks : _LIST_ENTRY [ 0x852a08d8 - 0x8295ee98 ]
[...]
+0x168 Session : (null)
+0x16c ImageFileName : [15] "System"
+0x17b PriorityClass : 0x2 ''
[...]
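The two steps above (carving _KDDEBUGGER_DATA64 by its signature, then walking ActiveProcessLinks from PsActiveProcessHead) as one added Python example; it is not code from the slides. The _EPROCESS offsets are the Windows 7 x86 ones shown in the dt output (UniqueProcessId 0xb4, ActiveProcessLinks 0xb8, ImageFileName 0x16c); the KDBG field offsets are taken from the struct layout on the previous slide. The image is constructed and, for simplicity, identity-mapped (virtual address == image offset), which is an assumption: on a real dump the translate callback must perform the DTB-based translation.

```python
import struct

KDBG_SIGNATURE = b"\x00" * 8 + b"KDBG"   # zero List.Blink followed by the OwnerTag
# _KDDEBUGGER_DATA64 offsets, measured from the start of its header
KDBG_KERNBASE, KDBG_PAEENABLED, KDBG_PSLOADEDMODULELIST, KDBG_PSACTIVEPROCESSHEAD = 0x18, 0x36, 0x48, 0x50
# Windows 7 x86 _EPROCESS offsets, as shown by 'dt nt!_EPROCESS' above
EP_UNIQUEPROCESSID, EP_ACTIVEPROCESSLINKS, EP_IMAGEFILENAME = 0xB4, 0xB8, 0x16C


def read32(image, offset):
    return struct.unpack_from("<I", image, offset)[0]


def find_kdbg(image):
    """Carve the debugger data block and return its key variables, or None."""
    hit = image.find(KDBG_SIGNATURE)
    if hit < 0:
        return None
    hdr = hit - 8            # the eight zero bytes are List.Blink, so the header starts 8 bytes earlier
    return {
        "offset": hdr,
        "KernBase": struct.unpack_from("<Q", image, hdr + KDBG_KERNBASE)[0],
        "PaeEnabled": struct.unpack_from("<H", image, hdr + KDBG_PAEENABLED)[0] & 1,
        "PsLoadedModuleList": struct.unpack_from("<Q", image, hdr + KDBG_PSLOADEDMODULELIST)[0],
        "PsActiveProcessHead": struct.unpack_from("<Q", image, hdr + KDBG_PSACTIVEPROCESSHEAD)[0],
    }


def walk_process_list(image, head, translate=lambda va: va, max_entries=4096):
    """Follow ActiveProcessLinks.Flink from PsActiveProcessHead around to the head.
    'translate' maps a virtual address to an image offset; the identity default is only
    valid for this constructed image (a real dump needs the DTB-based translation)."""
    procs, seen = [], set()
    link = read32(image, translate(head))          # head.Flink
    while link != head and link not in seen and len(procs) < max_entries:
        seen.add(link)
        ep = link - EP_ACTIVEPROCESSLINKS           # CONTAINING_RECORD(link, _EPROCESS, ActiveProcessLinks)
        off = translate(ep)
        name = image[off + EP_IMAGEFILENAME: off + EP_IMAGEFILENAME + 15].split(b"\0")[0]
        flink, blink = read32(image, translate(link)), read32(image, translate(link) + 4)
        procs.append({"eprocess": ep, "pid": read32(image, off + EP_UNIQUEPROCESSID),
                      "name": name.decode("ascii", "replace"),
                      # Blink of this entry must point at a node whose Flink is this entry;
                      # otherwise the list is corrupt or has been tampered with
                      "blink_ok": read32(image, translate(blink)) == link})
        link = flink
    return procs


def build_example_image():
    """Constructed 8 KiB image (not a real dump): a KDBG block at 0x800, PsActiveProcessHead
    at 0x1000 and two _EPROCESS structures; virtual address == image offset by construction."""
    img = bytearray(0x2000)
    hdr, head = 0x800, 0x1000
    img[hdr + 0x10: hdr + 0x14] = b"KDBG"                              # OwnerTag; Blink (+0x8) stays zero
    struct.pack_into("<Q", img, hdr + KDBG_KERNBASE, 0x8281E000)       # ntoskrnl base seen in the module list
    struct.pack_into("<H", img, hdr + KDBG_PAEENABLED, 1)
    struct.pack_into("<Q", img, hdr + KDBG_PSLOADEDMODULELIST, 0x82966810)
    struct.pack_into("<Q", img, hdr + KDBG_PSACTIVEPROCESSHEAD, head)
    procs = [(0x1100, 4, b"System"), (0x1400, 0x118, b"smss.exe")]    # (offset, pid, name), constructed
    links = [head] + [ep + EP_ACTIVEPROCESSLINKS for ep, _, _ in procs]
    for i, link in enumerate(links):                                    # circular doubly linked list
        struct.pack_into("<II", img, link, links[(i + 1) % len(links)], links[i - 1])
    for ep, pid, name in procs:
        struct.pack_into("<I", img, ep + EP_UNIQUEPROCESSID, pid)
        img[ep + EP_IMAGEFILENAME: ep + EP_IMAGEFILENAME + len(name)] = name
    return img


if __name__ == "__main__":
    img = build_example_image()
    kd = find_kdbg(img)
    print("KDBG at %#x, KernBase %#x, PAE %d" % (kd["offset"], kd["KernBase"], kd["PaeEnabled"]))
    for p in walk_process_list(img, kd["PsActiveProcessHead"]):
        print("%#010x pid %5d %-16s blink_ok=%s" % (p["eprocess"], p["pid"], p["name"], p["blink_ok"]))
```

The visited set and the Blink check are the two defensive details worth keeping in a real tool: the first stops the walk on a cyclic or corrupted list, the second flags an entry whose neighbours disagree with it.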



Windows Memory Analysis (cont’d)

§ Process Environment Block (PEB)
• PEB address = _EPROCESS.Peb
◦ a user-mode virtual address in the process address space (0x00000000 ~ 0xFFFFFFFF)
◦ use _EPROCESS.Pcb.DirectoryTableBase to translate the address

Field name          Offset  Data type                           Meaning
ImageBaseAddress    0x08    Ptr32 Void                          Base address of image
Ldr                 0x0C    Ptr32 _PEB_LDR_DATA                 Loaded DLLs
ProcessParameters   0x10    Ptr32 _RTL_USER_PROCESS_PARAMETERS  Parameters (Path, Command line, Window name, Current directory)
OSMajorVersion      0xA4    Uint4B                              OS major version
OSMinorVersion      0xA8    Uint4B                              OS minor version
OSBuildNumber       0xAC    Uint4B                              OS build number
OSCSDVersion        0xAE    Uint4B                              OS service pack version



Windows Memory Analysis (cont’d)
kd> dt nt!_PEB 7ffdb000 -r
[...]
+0x002 BeingDebugged : 0 ''
[...]
+0x003 IsProtectedProcess : 0y0
[...]
+0x008 ImageBaseAddress : 0x00400000 Void
+0x00c Ldr : 0x77667880 _PEB_LDR_DATA
+0x000 Length : 0x30
+0x004 Initialized : 0x1 ''
+0x008 SsHandle : (null)
+0x00c InLoadOrderModuleList : _LIST_ENTRY [ 0x1918b0 - 0x1ce6e8 ]
[...]
+0x010 ProcessParameters : 0x00191060 _RTL_USER_PROCESS_PARAMETERS
[...]
+0x024 CurrentDirectory : _CURDIR
+0x000 DosPath : _UNICODE_STRING "C:\Windows\system32\"
+0x008 Handle : 0x00000008 Void
+0x030 DllPath : _UNICODE_STRING "C:\Program Files\VMware\VMware
Tools;C:\Windows\system32;C:\Windows\system;C:\Windows;.;C:\Program Files\VMware\VMware
Tools\;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\"
+0x000 Length : 0x1c2
+0x002 MaximumLength : 0x1c4
+0x004 Buffer : 0x00191500 "C:\Program Files\VMware\VMware
Tools;C:\Windows\system32;C:\Windows\system;C:\Windows;.;C:\Program Files\VMware\VMware
Tools\;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\"
+0x038 ImagePathName : _UNICODE_STRING "C:\Program Files\VMware\VMware Tools\VMwareUser.exe"
+0x000 Length : 0x66
+0x002 MaximumLength : 0x68
+0x004 Buffer : 0x001916c4 "C:\Program Files\VMware\VMware Tools\VMwareUser.exe"
+0x040 CommandLine : _UNICODE_STRING ""C:\Program Files\VMware\VMware Tools\VMwareUser.exe" "
+0x000 Length : 0x6c
+0x002 MaximumLength : 0x6e
+0x004 Buffer : 0x0019172c ""C:\Program Files\VMware\VMware Tools\VMwareUser.exe" "
[...]



Windows Memory Analysis (cont’d)

§ Loaded modules
• kernel drivers
◦ PsLoadedModuleList
• DLLs
◦ _PEB.Ldr -> _PEB_LDR_DATA.InLoadOrderModuleList



Windows Memory Analysis (cont’d)

kd> ? PsLoadedModuleList
Evaluate expression: -2104072176 = 82966810
kd> dt nt!_LDR_DATA_TABLE_ENTRY InLoadOrderLinks.Flink 82966810
+0x000 InLoadOrderLinks : [ 0x84131c98 - 0x85df0968 ]
+0x000 Flink : 0x84131c98 _LIST_ENTRY [ 0x84131c20 - 0x82966810 ]
kd> dt nt!_LDR_DATA_TABLE_ENTRY 0x84131c98
+0x000 InLoadOrderLinks : _LIST_ENTRY [ 0x84131c20 - 0x82966810 ]
+0x008 InMemoryOrderLinks : _LIST_ENTRY [ 0x82886744 - 0x12 ]
+0x010 InInitializationOrderLinks : _LIST_ENTRY [ 0x0 - 0x0 ]
+0x018 DllBase : 0x8281e000 Void
+0x01c EntryPoint : 0x8293b4d8 Void
+0x020 SizeOfImage : 0x410000
+0x024 FullDllName : _UNICODE_STRING "\SystemRoot\system32\ntkrnlpa.exe"
+0x02c BaseDllName : _UNICODE_STRING "ntoskrnl.exe"
+0x034 Flags : 0x8004000
+0x038 LoadCount : 0x6a
+0x03a TlsIndex : 0
+0x03c HashLinks : _LIST_ENTRY [ 0x0 - 0x3cbbe7 ]
+0x03c SectionPointer : (null)
+0x040 CheckSum : 0x3cbbe7
+0x044 TimeDateStamp : 0
+0x044 LoadedImports : (null)
+0x048 EntryPointActivationContext : (null)
+0x04c PatchInformation : (null)
+0x050 ForwarderLinks : _LIST_ENTRY [ 0x0 - 0x410000 ]
+0x058 ServiceTagLinks : _LIST_ENTRY [ 0x4c1c3fac - 0x74006e ]
+0x060 StaticLinks : _LIST_ENTRY [ 0x73006f - 0x72006b ]
+0x068 ContextInformation : 0x006c006e Void
+0x06c OriginalBase : 0x65002e
+0x070 LoadTime : _LARGE_INTEGER 0x650078



Windows Memory Analysis (cont’d)

§ Handle
• handle value bit layout (bit positions as drawn on the slide: 31, 26, 18, 10, 2, 0)
bits 26 to 18: Level 1 index | bits 18 to 10: Level 2 index | bits 10 to 2: Level 3 index | bits 2 to 0: tag bits

§ Handle table



Windows Memory Analysis (cont’d)

0: kd> dt _eprocess 85dc6020


nt!_EPROCESS
+0x000 Pcb : _KPROCESS
+0x06c ProcessLock : _EX_PUSH_LOCK
[…]
+0x0b4 SessionProcessLinks : _LIST_ENTRY [ 0x861aed6c - 0x85f94c54 ]
+0x0c4 ObjectTable : 0xe197a3f0 _HANDLE_TABLE
+0x0c8 Token : _EX_FAST_REF
[…]
+0x0ec WorkingSetPage : 0xc353
+0x0f0 AddressCreationLock : _FAST_MUTEX
[…]
+0x174 ImageFileName : [16] "svchost.exe"
[…]
0: kd> dt _handle_table 0xe197a3f0
nt!_HANDLE_TABLE
+0x000 TableCode : 0xe1e8c001 // 0xe1e8c001 & 0x03 = 1 = 2 level table
+0x004 QuotaProcess : 0x85dc6020 _EPROCESS
+0x008 UniqueProcessId : 0x00000434 Void
[…]
0: kd> dd 0xe1e8c000 L8 // handle table pointers
e1e8c000 e1b7f000 e1e8f000 e1cd2000 00000000
e1e8c010 00000000 00000000 00000000 00000000
0: kd> dd e1b7f000 // handle table entries
e1b7f000 00000000 fffffffe e10086e9 000f0003
e1b7f010 e14229b1 00000003 85dc6b8b 00100020
e1b7f020 85f81ce1 00100003 e14ba6d1 000f000f
e1b7f030 e1a964e1 021f0001 85dc6cd9 00100003
e1b7f040 e142ccf9 0002000f 85de4fc9 001f0001
e1b7f050 e1adf551 020f003f 85f9c5e9 000f016e
e1b7f060 85dc6359 021f0003 85de1e89 000f00cf
e1b7f070 85f9c5e9 000f016e 85f7ef61 00100003
[…]



Windows Memory Analysis (cont’d)

0: kd> dt _handle_table_entry e1b7f000+a0
nt!_HANDLE_TABLE_ENTRY
+0x000 Object : 0x85dc6839 Void
+0x000 ObAttributes : 0x85dc6839
+0x000 InfoTable : 0x85dc6839 _HANDLE_TABLE_ENTRY_INFO
+0x000 Value : 0x85dc6839
+0x004 GrantedAccess : 0x100001
+0x004 GrantedAccessIndex : 1
+0x006 CreatorBackTraceIndex : 0x10
+0x004 NextFreeTableEntry : 0n1048577
0: kd> dt _object_header 85dc6838 // LSB = Lock bit.. 85dc6839 & ~0x01 = 85dc6838
nt!_OBJECT_HEADER
+0x000 PointerCount : 0n3
+0x004 HandleCount : 0n1
+0x004 NextToFree : 0x00000001 Void
+0x008 Type : 0x863e7ad0 _OBJECT_TYPE
+0x00c NameInfoOffset : 0 ''
+0x00d HandleInfoOffset : 0x8 ''
[…]
0: kd> dt _object_type 0x863e7ad0 // check object type
nt!_OBJECT_TYPE
+0x000 Mutex : _ERESOURCE
+0x038 TypeList : _LIST_ENTRY [ 0x863e7b08 - 0x863e7b08 ]
+0x040 Name : _UNICODE_STRING "File"
+0x048 DefaultObject : 0x0000005c Void
+0x04c Index : 0x1c
+0x050 TotalNumberOfObjects : 0x7a9
+0x054 TotalNumberOfHandles : 0x3b6
+0x058 HighWaterNumberOfObjects : 0x7e2
+0x05c HighWaterNumberOfHandles : 0x3fe
+0x060 TypeInfo : _OBJECT_TYPE_INITIALIZER
+0x0ac Key : 0x656c6946
+0x0b0 ObjectLocks : [4] _ERESOURCE



Windows Memory Analysis (cont’d)

0: kd> dt _file_object 85dc6838+18 // object body = object header + 0x18


nt!_FILE_OBJECT
+0x000 Type : 0n5
+0x002 Size : 0n112
+0x004 DeviceObject : 0x85fec588 _DEVICE_OBJECT
+0x008 Vpb : (null)
+0x00c FsContext : 0xe19e6e98 Void
+0x010 FsContext2 : 0x85dc6c58 Void
+0x014 SectionObjectPointer : (null)
+0x018 PrivateCacheMap : 0x00000001 Void
+0x01c FinalStatus : 0n0
+0x020 RelatedFileObject : (null)
+0x024 LockOperation : 0 ''
+0x025 DeletePending : 0 ''
+0x026 ReadAccess : 0 ''
+0x027 WriteAccess : 0 ''
+0x028 DeleteAccess : 0 ''
+0x029 SharedRead : 0 ''
+0x02a SharedWrite : 0 ''
+0x02b SharedDelete : 0 ''
+0x02c Flags : 0x40082
+0x030 FileName : _UNICODE_STRING "\net\NtControlPipe5"
+0x038 CurrentByteOffset : _LARGE_INTEGER 0x0
+0x040 Waiters : 0
+0x044 Busy : 1
+0x048 LastLock : (null)
+0x04c Lock : _KEVENT
+0x05c Event : _KEVENT
+0x06c CompletionContext : (null)
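The handle resolution walked by hand on the last four slides (TableCode -> level -> pointer table -> _HANDLE_TABLE_ENTRY -> masked Object pointer -> object header -> body at +0x18), as an added Python example that is not code from the slides. It uses the x86 table geometry (8-byte entries, 512 entries per 4 KiB table, 1024 pointers per mid-level table) and the values from the svchost.exe dump above; the SparseMemory class, the third-table entry and the freed entry are constructed for the example.

```python
# x86 handle table geometry: 8-byte _HANDLE_TABLE_ENTRY, 4 KiB tables (512 entries), 1024 pointers per upper table
ENTRY_SIZE, ENTRIES_PER_TABLE, POINTERS_PER_TABLE = 8, 512, 1024
OBJECT_BODY_OFFSET = 0x18        # object body = _OBJECT_HEADER + 0x18, as on the slide
ENTRY_FLAG_MASK = 0x7            # low bits of Object carry attribute/lock bits and must be masked off


class SparseMemory:
    """Dict of 32-bit values keyed by virtual address (constructed stand-in for a translated dump)."""

    def __init__(self, words=None):
        self.words = dict(words or {})

    def read32(self, va):
        if va not in self.words:
            raise KeyError("no data at %#x" % va)
        return self.words[va]


def handle_entry_address(mem, table_code, handle):
    """Locate the _HANDLE_TABLE_ENTRY for 'handle' given _HANDLE_TABLE.TableCode.
    The low two bits of TableCode select the number of levels; the low two bits of a
    handle value are tag bits, so the entry index is handle >> 2."""
    if handle == 0 or handle & 0x3:
        raise ValueError("invalid handle value %#x" % handle)
    level, table = table_code & 0x3, table_code & ~0x3
    index = handle >> 2
    low = index % ENTRIES_PER_TABLE
    mid = (index // ENTRIES_PER_TABLE) % POINTERS_PER_TABLE
    high = index // (ENTRIES_PER_TABLE * POINTERS_PER_TABLE)
    if level == 0:                                   # single table of entries
        return table + index * ENTRY_SIZE
    if level == 1:                                   # table of pointers to entry tables (the case above)
        return mem.read32(table + mid * 4) + low * ENTRY_SIZE
    if level == 2:                                   # table of pointers to level-1 tables
        mid_table = mem.read32(table + high * 4)
        return mem.read32(mid_table + mid * 4) + low * ENTRY_SIZE
    raise ValueError("unsupported table level %d" % level)


def resolve_handle(mem, table_code, handle):
    """Return the entry address, object header/body addresses and access mask, or None for a free entry."""
    entry = handle_entry_address(mem, table_code, handle)
    obj, access = mem.read32(entry), mem.read32(entry + 4)
    if obj == 0 or obj == 0xFFFFFFFE:                # free entry / free-list sentinel (entry 0 above)
        return None
    header = obj & ~ENTRY_FLAG_MASK
    return {"entry": entry, "object_header": header, "object_body": header + OBJECT_BODY_OFFSET,
            "attributes": obj & ENTRY_FLAG_MASK, "granted_access": access}


def build_example_memory():
    """Constructed memory holding the svchost.exe handle table from the slides
    (TableCode 0xe1e8c001 -> level 1, pointer table at 0xe1e8c000)."""
    words = {
        0xE1E8C000: 0xE1B7F000, 0xE1E8C004: 0xE1E8F000, 0xE1E8C008: 0xE1CD2000,  # level-1 pointer table
        0xE1B7F000: 0x00000000, 0xE1B7F004: 0xFFFFFFFE,                        # entry 0: free-list sentinel
        0xE1B7F008: 0xE10086E9, 0xE1B7F00C: 0x000F0003,                        # entry 1 (handle 0x4)
        0xE1B7F010: 0x00000000, 0xE1B7F014: 0x00000000,                        # entry 2: constructed freed entry
        0xE1B7F0A0: 0x85DC6839, 0xE1B7F0A4: 0x00100001,                        # entry 0x14 (handle 0x50): the File object above
        0xE1CD2008: 0x863E7AD1, 0xE1CD200C: 0x001F0003,                        # constructed entry in the third table
    }
    return SparseMemory(words)


if __name__ == "__main__":
    mem, table_code = build_example_memory(), 0xE1E8C001
    for handle in (0x4, 0x8, 0x50, 0x1004):
        print("handle %#06x ->" % handle, resolve_handle(mem, table_code, handle))
```

Handle 0x50 resolves to the entry at e1b7f0a0 and to the object header 85dc6838 whose body (the _FILE_OBJECT) starts at 85dc6850, matching the three dt commands above; handle 0x1004 exercises the second pointer-table slot, and 0x8 shows how a freed entry is reported.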



Windows Memory Analysis (cont’d)

§ Virtual Address Descriptors (VADs)
• describe the process address space
• the process memory map
• stored as a binary (AVL) tree
• _EPROCESS.VadRoot
◦ nodes are _MMVAD structures



Windows Memory Analysis (cont’d)



Windows Memory Analysis (cont’d)
kd> dt nt!_EPROCESS 86065030
+0x000 Pcb : _KPROCESS
+0x098 ProcessLock : _EX_PUSH_LOCK
+0x0a0 CreateTime : _LARGE_INTEGER 0x1cbbd32`de9cfa14
+0x0a8 ExitTime : _LARGE_INTEGER 0x0
+0x0b0 RundownProtect : _EX_RUNDOWN_REF
+0x0b4 UniqueProcessId : 0x00000854 Void
[…]
+0x274 ExitStatus : 0n259
+0x278 VadRoot : _MM_AVL_TABLE
+0x298 AlpcContext : _ALPC_PROCESS_CONTEXT
[…]
kd> dt nt!_MM_AVL_TABLE 86065030+278
+0x000 BalancedRoot : _MMADDRESS_NODE
+0x014 DepthOfTree : 0y00111 (0x7)
+0x014 Unused : 0y000
+0x014 NumberGenericTableElements : 0y000000000000000000111100 (0x3c)
+0x018 NodeHint : 0x86065418 Void
+0x01c NodeFreeHint : (null)
kd> dt nt!_MMVAD 86065030+278
+0x000 u1 : <unnamed-tag>
+0x004 LeftChild : (null)
+0x008 RightChild : 0x85d5ad00 _MMVAD
+0x00c StartingVpn : 0
+0x010 EndingVpn : 0
+0x014 u : <unnamed-tag>
+0x018 PushLock : _EX_PUSH_LOCK
+0x01c u5 : <unnamed-tag>
+0x020 u2 : <unnamed-tag>
+0x024 Subsection : 0x952bd4e4 _SUBSECTION
+0x024 MappedSubsection : 0x952bd4e4 _MSUBSECTION
+0x028 FirstPrototypePte : 0x952bd4e4 _MMPTE
+0x02c LastContiguousPte : (null)
+0x030 ViewLinks : _LIST_ENTRY [ 0x0 - 0x0 ]
+0x038 VadsProcess : (null)
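The VAD tree walk implied by the dt output above, as an added Python example that is not code from the slides. It uses the _MMVAD offsets shown (LeftChild 0x4, RightChild 0x8, StartingVpn 0xc, EndingVpn 0x10) and the fact visible in the dump that _MM_AVL_TABLE.BalancedRoot is a sentinel whose RightChild points at the real root. The memory is a constructed dict of 32-bit values keyed by address; the three region nodes under the root are constructed, only the sentinel and root addresses come from the slide.

```python
# Windows 7 x86 _MMVAD offsets from the 'dt nt!_MMVAD' output above
VAD_LEFTCHILD, VAD_RIGHTCHILD, VAD_STARTINGVPN, VAD_ENDINGVPN = 0x4, 0x8, 0xC, 0x10
PAGE_SHIFT = 12


def walk_vad_tree(mem, vad_root_table, max_nodes=100000):
    """In-order traversal of the process VAD tree; returns (start, end, node) byte ranges in
    ascending address order. _MM_AVL_TABLE.BalancedRoot is a sentinel; the real root is its RightChild."""
    out, seen, stack = [], set(), []
    node = mem[vad_root_table + VAD_RIGHTCHILD]
    while stack or node:
        while node:                                   # descend to the leftmost unvisited node
            if node in seen:                          # a cycle means a corrupted or tampered tree
                raise ValueError("VAD tree loops at %#x" % node)
            seen.add(node)
            stack.append(node)
            node = mem[node + VAD_LEFTCHILD]
        node = stack.pop()
        start_vpn, end_vpn = mem[node + VAD_STARTINGVPN], mem[node + VAD_ENDINGVPN]
        if end_vpn < start_vpn:
            raise ValueError("inconsistent VAD at %#x" % node)
        out.append((start_vpn << PAGE_SHIFT, ((end_vpn + 1) << PAGE_SHIFT) - 1, node))
        if len(out) > max_nodes:
            raise ValueError("too many VADs, giving up")
        node = mem[node + VAD_RIGHTCHILD]
    return out


def find_vad(ranges, va):
    """Return the (start, end, node) range containing 'va', e.g. to locate the PEB at 0x7ffdb000."""
    for r in ranges:
        if r[0] <= va <= r[1]:
            return r
    return None


def make_vad(mem, va, left, right, start_vpn, end_vpn):
    mem[va + VAD_LEFTCHILD], mem[va + VAD_RIGHTCHILD] = left, right
    mem[va + VAD_STARTINGVPN], mem[va + VAD_ENDINGVPN] = start_vpn, end_vpn


def build_example_memory():
    """Constructed memory: the VadRoot of the _EPROCESS at 86065030 (VadRoot at +0x278, root
    node 0x85d5ad00 as on the slide) with three constructed region nodes."""
    mem = {}
    table = 0x86065030 + 0x278
    make_vad(mem, table, 0, 0x85D5AD00, 0, 0)                          # BalancedRoot sentinel (from the slide)
    make_vad(mem, 0x85D5AD00, 0x85D5AE00, 0x85D5AF00, 0x400, 0x40F)    # constructed: image mapped at 0x400000
    make_vad(mem, 0x85D5AE00, 0, 0, 0x100, 0x10F)                      # constructed: heap-like region
    make_vad(mem, 0x85D5AF00, 0, 0, 0x7FFD0, 0x7FFDF)                  # constructed: PEB/TEB region
    return mem, table


if __name__ == "__main__":
    mem, table = build_example_memory()
    for start, end, node in walk_vad_tree(mem, table):
        print("%#010x-%#010x  _MMVAD %#x" % (start, end, node))
    print("PEB 7ffdb000 lives in", find_vad(walk_vad_tree(mem, table), 0x7FFDB000))
```

The in-order traversal yields the regions sorted by address, which is what makes the VAD list directly comparable with the module list from _PEB.Ldr; a region that has no corresponding loaded module is the kind of discrepancy an analyst follows up on.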



Windows Memory Analysis (cont’d)

§ TCP session
• managed by tcpip.sys
• _TCB structure (Windows 2000, XP)
• PoolTag = ‘TCPB’
• can be found by the carving method
• Vista, 7 -> requires reversing!

typedef struct _TCB
{
PTCB Next;
BYTE Reserved[8];
ULONG RemoteIpAddress;
ULONG LocalIpAddress;
USHORT RemotePort;
USHORT LocalPort;
ULONG Pid;
[...]
} TCB, *PTCB;
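The pool-tag carving that both the _POOL_HEADER slide (ExAllocatePoolWithTag, the “Proc” block in front of the _EPROCESS) and this slide (the ‘TCPB’ block in front of a _TCB) rely on, as one added Python example that is not code from the slides. It decodes the _POOL_HEADER bitfields exactly as dt shows them, scans a buffer for wanted tags while tolerating the protected-allocation bit (the dump shows “Pro\xe3”, i.e. “Proc” with the top bit set), and parses the beginning of the _TCB layout above. The buffer is constructed: the eight header bytes at offset 0 are the ones from the slide, the ‘TCPB’ block, its addresses and PID are made up, and the assumption that the _TCB stores IPs and ports in network byte order is this example’s, not the slide’s.

```python
import socket
import struct

POOL_HEADER_SIZE = 8
POOL_BLOCK_UNIT = 8           # BlockSize and PreviousSize count 8-byte units on x86
PROTECTED_BIT = 0x80000000    # set in PoolTag for protected allocations


def parse_pool_header(buf, off):
    """Decode the bitfields of nt!_POOL_HEADER as 'dt nt!_POOL_HEADER' shows them."""
    w0, w1, tag = struct.unpack_from("<HHI", buf, off)
    return {
        "PreviousSize": w0 & 0x1FF, "PoolIndex": w0 >> 9,
        "BlockSize": w1 & 0x1FF, "PoolType": w1 >> 9,
        "tag": (tag & ~PROTECTED_BIT).to_bytes(4, "little").decode("ascii", "replace"),
        "protected": bool(tag & PROTECTED_BIT),
        "block_bytes": (w1 & 0x1FF) * POOL_BLOCK_UNIT,
    }


def scan_pool_tags(buf, wanted, min_block_bytes=0):
    """Carve pool allocations by tag: walk every 8-byte-aligned offset, keep headers whose
    (unprotected) tag is wanted and whose size fields are plausible. PoolType 0 marks a
    freed block, so those are skipped."""
    hits = []
    for off in range(0, len(buf) - POOL_HEADER_SIZE + 1, POOL_BLOCK_UNIT):
        h = parse_pool_header(buf, off)
        if h["tag"] not in wanted or h["PoolType"] == 0:
            continue
        if h["block_bytes"] < max(min_block_bytes, POOL_HEADER_SIZE) or off + h["block_bytes"] > len(buf):
            continue
        h["offset"], h["body"] = off, off + POOL_HEADER_SIZE
        hits.append(h)
    return hits


def parse_tcb(buf, body):
    """Parse the fields of _TCB listed on the slide (Next, Reserved[8], RemoteIpAddress,
    LocalIpAddress, RemotePort, LocalPort, Pid); network byte order is assumed for IPs and ports."""
    nxt, _reserved, rip, lip, rport, lport, pid = struct.unpack_from("<I8s4s4s2s2sI", buf, body)
    return {"next": nxt, "remote": socket.inet_ntoa(rip), "local": socket.inet_ntoa(lip),
            "remote_port": struct.unpack(">H", rport)[0], "local_port": struct.unpack(">H", lport)[0],
            "pid": pid}


def build_example_image():
    """Constructed 4 KiB buffer: the 'Proc' header bytes from the slide at offset 0 and a
    constructed 'TCPB' block (pool header plus _TCB body) at offset 0x800."""
    buf = bytearray(0x1000)
    buf[0:8] = bytes.fromhex("00005e0450726fe3")                       # 'db 86065030-28-8' first 8 bytes
    tcb_hdr = 0x800
    struct.pack_into("<HHI", buf, tcb_hdr, 0x5E, (2 << 9) | 0x30, int.from_bytes(b"TCPB", "little"))
    struct.pack_into("<I8s4s4s2s2sI", buf, tcb_hdr + POOL_HEADER_SIZE, 0, b"\0" * 8,
                     socket.inet_aton("198.51.100.7"), socket.inet_aton("192.0.2.10"),   # remote, local (constructed)
                     struct.pack(">H", 443), struct.pack(">H", 49152), 0x434)           # ports, PID (constructed)
    return buf


if __name__ == "__main__":
    buf = build_example_image()
    for h in scan_pool_tags(buf, {"Proc", "TCPB"}):
        print("%#06x tag=%s protected=%s type=%d size=%#x" % (h["offset"], h["tag"], h["protected"],
                                                             h["PoolType"], h["block_bytes"]))
        if h["tag"] == "TCPB":
            print("   ", parse_tcb(buf, h["body"]))
```

The first hit is the slide’s own header: BlockSize 0x5e (0x2f0 bytes), PoolType 2 and the tag “Proc” with the protected bit set. On a real dump the plausibility checks matter more than here, because four ASCII bytes recur by chance; tightening min_block_bytes to the size of the expected structure removes most of those false positives.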



Windows Memory Analysis (cont’d)

§ Extract Strings
• old-fashioned?

No! It’s very useful!



Physical Memory Dump Explorer



References
§ Volatility, Volatile Systems, https://www.volatilesystems.com/default/volatility
§ MoonSols Windows Memory Toolkit Community Edition, MoonSols, http://moonsols.com/component/jdownloads/view.download/3/2
§ ReactOS, http://www.reactos.org
§ M. E. Russinovich and D. A. Solomon, Windows Internals, 5th Edition, Microsoft Press, June 2009.
§ A. Schuster, "The impact of Microsoft Windows pool allocation strategies on memory forensics", The Proceedings of the Eighth Annual DFRWS Conference, Vol. 5, Supplement 1, pp. S58-S64, September 2008.
§ A. Schuster, "Searching for processes and threads in Microsoft Windows memory dumps", Digital Investigation, Vol. 3, Supplement 1, pp. 10-16, September 2006.
§ D. Aumaitre, "A Little Journey inside Windows Memory", Journal in Computer Virology, Vol. 5, No. 2, pp. 105-177, January 2009.
§ R. Zhang, L. Wang, and S. Zhang, "Windows Memory Analysis Based on KPCR", Proceedings of the 2009 Fifth International Conference on Information Assurance and Security, Vol. 2, pp. 677-680, August 2009.
§ "Intel® 64 and IA-32 Architectures Software Developer’s Manual, Volume 3A: System Programming Guide, Part 1", Intel Corp., http://www.intel.com/Assets/PDF/manual/253668.pdf
§ J. Okolica and G. L. Peterson, "Windows Operating System Agnostic Memory Analysis", The Proceedings of the Tenth Annual DFRWS Conference, Vol. 7, Supplement 1, pp. S48-S56, August 2010.



Q&A

Thank you!

any question?
http://baadc0de.blogspot.com
xnetblue@korea.ac.kr, xnetblue@gmail.com

