Jisung Han
Digital Forensic Research Center
CIST, Korea Univ.
xnetblue@korea.ac.kr
Who am I?
§ Interested in
Windows Memory Forensics, File-system, Reverse Engineering
§ xnetblue@gmail.com, xnetblue@korea.ac.kr
§ Blog
• http://baadc0de.blogspot.com
§ Live Forensics
• to perform live response
Based on
§ \Device\PhysicalMemory
• a section object backed by all of physical memory; since Windows Server 2003 SP1 user mode can no longer open it, so a helper driver opens it and hands the handle back through an IOCTL
• the original fragment only showed the hand-back; completed here so the open is visible:
UNICODE_STRING usPhysicalMemory;
OBJECT_ATTRIBUTES oa;
HANDLE hPhysicalMemory;
RtlInitUnicodeString(&usPhysicalMemory, L"\\Device\\PhysicalMemory");
// no OBJ_KERNEL_HANDLE: the handle must live in the requesting process's handle table
InitializeObjectAttributes(&oa, &usPhysicalMemory, OBJ_CASE_INSENSITIVE, NULL, NULL);
status = ZwOpenSection(&hPhysicalMemory, SECTION_MAP_READ, &oa);
if (NT_SUCCESS(status)) {
    *(HANDLE*)pIrp->AssociatedIrp.SystemBuffer = hPhysicalMemory;   // return the handle to user mode
    pIrp->IoStatus.Information = sizeof(HANDLE);                    // 4 bytes on x86
}
• user mode then maps views of the section and reads RAM; mapping a physical address that is not RAM (device/reserved space) is what hangs or crashes naive tools
§ MmGetPhysicalMemoryRanges()
• returns an array of {BaseAddress, NumberOfBytes} pairs describing RAM only, allocated from non-paged pool and terminated by an all-zero entry; the caller frees it with ExFreePool()
• gaps between the ranges are device/reserved space and must not be mapped; each RAM range is mapped page by page with MmMapIoSpace() and copied out
typedef struct _PHYSICAL_MEMORY_RANGE {
PHYSICAL_ADDRESS BaseAddress;
LARGE_INTEGER NumberOfBytes;
} PHYSICAL_MEMORY_RANGE, *PPHYSICAL_MEMORY_RANGE;
NTKERNELAPI
PPHYSICAL_MEMORY_RANGE
MmGetPhysicalMemoryRanges (
VOID
);
PVOID
MmMapIoSpace(
IN PHYSICAL_ADDRESS PhysicalAddress,
IN ULONG NumberOfBytes,
IN MEMORY_CACHING_TYPE CacheType
);
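Added example, not code from the slides or from windd: the dump loop a MmGetPhysicalMemoryRanges()-based imager runs. The two structs mirror the WDK definitions above; map_fn/unmap_fn are hypothetical stand-ins for MmMapIoSpace()/MmUnmapIoSpace() so the loop can be exercised in user mode against a constructed 48 KiB "physical" address space with a hole in the middle and one page the mapper refuses.

```c
/* Added example (not from the slides/windd).  PHYSICAL_MEMORY_RANGE mirrors the
 * WDK struct; map/unmap callbacks stand in for MmMapIoSpace/MmUnmapIoSpace. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define PAGE_SIZE 4096

typedef struct { int64_t QuadPart; } PHYSICAL_ADDRESS;
typedef PHYSICAL_ADDRESS LARGE_INTEGER;
typedef struct _PHYSICAL_MEMORY_RANGE {
    PHYSICAL_ADDRESS BaseAddress;
    LARGE_INTEGER    NumberOfBytes;
} PHYSICAL_MEMORY_RANGE;

typedef const uint8_t *(*map_fn)(void *ctx, int64_t phys, size_t len);   /* MmMapIoSpace stand-in */
typedef void (*unmap_fn)(void *ctx, const uint8_t *va, size_t len);      /* MmUnmapIoSpace stand-in */

/* Produce a raw (dd-style) image in `out`: file offset == physical address,
 * holes between ranges and unmappable pages are zero-filled.  The range array
 * ends with an all-zero entry, as MmGetPhysicalMemoryRanges() returns it.
 * Returns bytes copied from RAM (holes excluded), or -1 for unsorted /
 * overlapping ranges or ranges that do not fit in `out`. */
int64_t dump_physical_memory(const PHYSICAL_MEMORY_RANGE *ranges,
                             map_fn map, unmap_fn unmap, void *ctx,
                             uint8_t *out, size_t out_len)
{
    int64_t copied = 0, cursor = 0;
    for (const PHYSICAL_MEMORY_RANGE *r = ranges;
         r->BaseAddress.QuadPart != 0 || r->NumberOfBytes.QuadPart != 0; r++) {
        int64_t base = r->BaseAddress.QuadPart, len = r->NumberOfBytes.QuadPart;
        if (base < cursor || len < 0 || base + len > (int64_t)out_len)
            return -1;
        memset(out + cursor, 0, (size_t)(base - cursor));      /* hole: MMIO/reserved, never mapped */
        for (int64_t off = 0; off < len; off += PAGE_SIZE) {   /* one page at a time */
            size_t chunk = (size_t)(len - off < PAGE_SIZE ? len - off : PAGE_SIZE);
            const uint8_t *va = map(ctx, base + off, chunk);
            if (va == NULL) {                                   /* mapping refused: leave the page zero */
                memset(out + base + off, 0, chunk);
                continue;
            }
            memcpy(out + base + off, va, chunk);
            unmap(ctx, va, chunk);
            copied += (int64_t)chunk;
        }
        cursor = base + len;
    }
    memset(out + cursor, 0, out_len - (size_t)cursor);          /* tail past the last range */
    return copied;
}

/* ---- constructed sample: RAM at [0,0x4000) and [0x8000,0xC000), hole between ---- */
#define SAMPLE_SIZE 0xC000
static uint8_t g_ram[SAMPLE_SIZE];     /* fake physical RAM, byte value = 0x40 + page number */
static uint8_t g_image[SAMPLE_SIZE];   /* the raw image the loop produces */

static const uint8_t *fake_map(void *ctx, int64_t phys, size_t len)
{
    (void)len;
    if (phys == 0x9000) return NULL;   /* simulate one page the mapper refuses */
    return (const uint8_t *)ctx + phys;
}
static void fake_unmap(void *ctx, const uint8_t *va, size_t len) { (void)ctx; (void)va; (void)len; }

/* Run the loop over the constructed layout; returns bytes copied from RAM. */
int64_t run_sample(void)
{
    for (size_t i = 0; i < SAMPLE_SIZE; i++) g_ram[i] = (uint8_t)(0x40 + (i >> 12));
    PHYSICAL_MEMORY_RANGE ranges[] = {
        { {0x0000}, {0x4000} }, { {0x8000}, {0x4000} }, { {0}, {0} }  /* all-zero terminator */
    };
    return dump_physical_memory(ranges, fake_map, fake_unmap, g_ram, g_image, sizeof g_image);
}

uint8_t sample_image_byte(size_t off) { return g_image[off]; }

int main(void)
{
    int64_t n = run_sample();
    printf("copied 0x%llx bytes; image[0x8000]=0x%02x hole[0x5000]=0x%02x unmapped[0x9000]=0x%02x\n",
           (long long)n, sample_image_byte(0x8000), sample_image_byte(0x5000), sample_image_byte(0x9000));
    return 0;
}
```

The zero-fill of holes is what keeps a raw image addressable by physical offset (so the kd-style "db /p" arithmetic on the later slides still works on the file); tools that instead write only the RAM ranges back to back need a range table alongside the image.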
§ MmMapMemoryDumpMdl()
• windd maps pages through this undocumented kernel function (the one the crash-dump path uses) instead of MmMapIoSpace(): the caller builds an MDL describing the physical pages and the function maps it at a fixed virtual address reserved for crash dumping
typedef struct _MDL {
struct _MDL *Next;
CSHORT Size;
CSHORT MdlFlags;
struct _EPROCESS *Process;
PVOID MappedSystemVa; // returns 0xFFBF0000 → range reserved by the crash dump driver
PVOID StartVa;
ULONG ByteCount;
ULONG ByteOffset;
} MDL, *PMDL;
NTKERNELAPI
VOID
MmMapMemoryDumpMdl (
__inout PMDL MemoryDumpMdl
);
• User land
◦ Processes and DLLs
◦ worked example: VA 804d9000 under PAE (kernel image, mapped by a 2 MB large page)
VA 804d9000 = 10 | 000000010 | 011011001000000000000
               2 |         2 |               D9000
           PDPTE |       PDE |         Byte Offset
0: kd> dd /p 00b3a000+8*2 L2        // page directory (physical 00b3a000), PDE index 2, one 8-byte PAE entry
00b3a010 004009e3 00000000
PDE 004009e3 = 00000000010000000000 | 100111100011
                                400 |        Flags
                  Page Frame Number |   // bit 0 (P) = 1 = Valid
                                    |   // bit 7 (PS) = 1 = Large Page: no page table, bits 20..0 of the VA are the offset
0: kd> db /p (400*1000)+d9000       // physical = PFN * 1000 + byte offset = 004d9000
004d9000 4d 5a 90 00 03 00 00 00-04 00 00 00 ff ff 00 00 MZ..............
004d9010 b8 00 00 00 00 00 00 00-40 00 00 00 00 00 00 00 ........@.......
004d9020 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................
004d9030 00 00 00 00 00 00 00 00-00 00 00 00 e0 00 00 00 ................
004d9040 0e 1f ba 0e 00 b4 09 cd-21 b8 01 4c cd 21 54 68 ........!..L.!Th
004d9050 69 73 20 70 72 6f 67 72-61 6d 20 63 61 6e 6e 6f is program canno
004d9060 74 20 62 65 20 72 75 6e-20 69 6e 20 44 4f 53 20 t be run in DOS
004d9070 6d 6f 64 65 2e 0d 0d 0a-24 00 00 00 00 00 00 00 mode....$.......
0: kd> db 804d9000                  // same bytes through the virtual address: the translation checks out
804d9000 4d 5a 90 00 03 00 00 00-04 00 00 00 ff ff 00 00 MZ..............
804d9010 b8 00 00 00 00 00 00 00-40 00 00 00 00 00 00 00 ........@.......
804d9020 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................
804d9030 00 00 00 00 00 00 00 00-00 00 00 00 e0 00 00 00 ................
804d9040 0e 1f ba 0e 00 b4 09 cd-21 b8 01 4c cd 21 54 68 ........!..L.!Th
804d9050 69 73 20 70 72 6f 67 72-61 6d 20 63 61 6e 6e 6f is program canno
804d9060 74 20 62 65 20 72 75 6e-20 69 6e 20 44 4f 53 20 t be run in DOS
804d9070 6d 6f 64 65 2e 0d 0d 0a-24 00 00 00 00 00 00 00 mode....$.......
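Added example, not from the slides: the PAE page walk the kd session above does by hand, written as a function over a memory image so the translation can be scripted, and generalised to the 4 KiB-page path the slide does not show. Physical reads go through a callback; the constructed image reproduces the slide's layout (page directory at 0x00b3a000, PDE[2] = 0x004009e3, MZ header at 0x004d9000). The PDPT location (0x00b39000), the PDE[3]/PTE mapping and the 0x80612345 address are assumptions used only to exercise the non-large-page path.

```c
/* Added example (not from the slides): 32-bit PAE virtual-to-physical walk.
 * Little-endian host assumed, as on the real image. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

typedef int (*phys_read_fn)(void *ctx, uint64_t pa, void *buf, size_t len);

#define PTE_PRESENT     0x1ULL
#define PTE_LARGE_PAGE  0x80ULL                   /* PS, bit 7 of a PDE */
#define PFN_MASK        0x000FFFFFFFFFF000ULL     /* bits 51:12 */
#define LARGE_BASE_MASK 0x000FFFFFFFE00000ULL     /* bits 51:21 for a 2 MiB page */

/* Walk PDPT -> PD -> (2 MiB page | PT -> 4 KiB page).  Returns 1 and sets *pa,
 * or 0 if any level is not present or cannot be read from the image. */
int pae_translate(phys_read_fn rd, void *ctx, uint64_t cr3, uint32_t va, uint64_t *pa)
{
    uint64_t pdpte, pde, pte;
    uint32_t pdpt_idx = (va >> 30) & 0x3;         /* bits 31:30 */
    uint32_t pd_idx   = (va >> 21) & 0x1FF;       /* bits 29:21 */
    uint32_t pt_idx   = (va >> 12) & 0x1FF;       /* bits 20:12 */

    /* CR3 holds the 32-byte-aligned PDPT base under PAE */
    if (!rd(ctx, (cr3 & ~0x1FULL) + pdpt_idx * 8, &pdpte, 8) || !(pdpte & PTE_PRESENT)) return 0;
    if (!rd(ctx, (pdpte & PFN_MASK) + pd_idx * 8, &pde, 8) || !(pde & PTE_PRESENT)) return 0;
    if (pde & PTE_LARGE_PAGE) {                   /* PS = 1: the slide's case, bits 20:0 are the offset */
        *pa = (pde & LARGE_BASE_MASK) | (va & 0x1FFFFF);
        return 1;
    }
    if (!rd(ctx, (pde & PFN_MASK) + pt_idx * 8, &pte, 8) || !(pte & PTE_PRESENT)) return 0;
    *pa = (pte & PFN_MASK) | (va & 0xFFF);
    return 1;
}

/* ---- constructed image: four 4 KiB pages at chosen physical addresses ---- */
#define SAMPLE_CR3 0x00b39000ULL                  /* assumed PDPT location (not on the slide) */
struct page { uint64_t pa; uint8_t data[4096]; };
static struct page g_pages[4];

static int sample_read(void *ctx, uint64_t pa, void *buf, size_t len)
{
    struct page *pages = ctx;
    for (int i = 0; i < 4; i++)
        if (pa >= pages[i].pa && pa + len <= pages[i].pa + 4096) {
            memcpy(buf, pages[i].data + (pa - pages[i].pa), len);
            return 1;
        }
    return 0;                                     /* not backed by the image: unreadable */
}

static void put64(uint8_t *page, uint32_t index, uint64_t v) { memcpy(page + index * 8, &v, 8); }

static void build_sample(void)
{
    static const uint8_t mz[] = { 0x4d, 0x5a, 0x90, 0x00, 0x03, 0x00, 0x00, 0x00 }; /* from the slide */
    memset(g_pages, 0, sizeof g_pages);
    g_pages[0].pa = SAMPLE_CR3;                                 /* PDPT */
    put64(g_pages[0].data, 2, 0x00b3a000ULL | PTE_PRESENT);     /* PDPTE[2] -> PD at 0x00b3a000 */
    g_pages[1].pa = 0x00b3a000ULL;                              /* PD, the "dd /p 00b3a000+8*2" page */
    put64(g_pages[1].data, 2, 0x004009e3ULL);                   /* PDE[2]: PFN 0x400, P=1, PS=1 (slide) */
    put64(g_pages[1].data, 3, 0x00b3b063ULL);                   /* PDE[3]: PT at 0x00b3b000, PS=0 (assumed) */
    g_pages[2].pa = 0x00b3b000ULL;                              /* PT (assumed) */
    put64(g_pages[2].data, 0x12, 0x00123063ULL);                /* PTE[0x12] -> 4 KiB page 0x00123000 (assumed) */
    g_pages[3].pa = 0x004d9000ULL;                              /* data: MZ header bytes the slide dumps */
    memcpy(g_pages[3].data, mz, sizeof mz);
}

/* Translate against the constructed image; UINT64_MAX when the walk fails. */
uint64_t sample_translate(uint32_t va)
{
    uint64_t pa = 0;
    build_sample();
    return pae_translate(sample_read, g_pages, SAMPLE_CR3, va, &pa) ? pa : UINT64_MAX;
}

uint8_t sample_phys_byte(uint64_t pa)
{
    uint8_t b = 0;
    build_sample();
    sample_read(g_pages, pa, &b, 1);
    return b;
}

int main(void)
{
    uint64_t pa = sample_translate(0x804d9000u);
    printf("804d9000 -> %08llx, first bytes %02x %02x\n", (unsigned long long)pa,
           sample_phys_byte(pa), sample_phys_byte(pa + 1));
    return 0;
}
```

Two checks worth keeping in any real implementation: the present bit at every level before dereferencing, and the PS bit before assuming a page table exists, since reading the "page table" of a large-page PDE would decode 2 MiB of kernel image as PTEs.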
§ ExAllocatePoolWithTag()
• allocates from paged or non-paged pool and stamps the block header with a 4-byte tag; those tags are what pool-tag scanning keys on to recover objects from a dump without walking any list (see the TCP session slide)
PVOID
ExAllocatePoolWithTag (
__in POOL_TYPE PoolType,
__in SIZE_T NumberOfBytes,
__in ULONG Tag
)
§ Components of a system
• processes, threads, DLLs, files, and so on…
• kernel CR3, the page directory base every further translation starts from: … → _KPROCESSOR_STATE.SpecialRegisters → _KSPECIAL_REGISTERS.Cr3
§ Process list
• _EPROCESS.ActiveProcessLinks ring (head: PsActiveProcessHead); a process unlinked from it by DKOM is missing here but its _EPROCESS is still in pool
• _EPROCESS.Peb → _PEB +0x010 ProcessParameters : Ptr32 _RTL_USER_PROCESS_PARAMETERS (path, command line, window name, current directory)
§ Loaded modules
• kernel drivers
◦ PsLoadedModuleList: head of a _LIST_ENTRY ring of _LDR_DATA_TABLE_ENTRY; walk Flink until it returns to the head and check that each entry's Blink points back to the previous one
• DLLs
◦ _PEB.Ldr → _PEB_LDR_DATA.InLoadOrderModuleList (same entry type, per process, read through that process's CR3)
• caveat for the dt below: from +0x05c on the values are UTF-16 text (0x74006e = "nt", 0x73006f = "os", 0x72006b = "kr", 0x006c006e = "nl", 0x65002e = ".e", 0x650078 = "xe"), i.e. the name buffer stored right after this boot-loader-created entry, which is shorter than nt!_LDR_DATA_TABLE_ENTRY; only the fields up to TlsIndex are meaningful for such entries
kd> ? PsLoadedModuleList
Evaluate expression: -2104072176 = 82966810
kd> dt nt!_LDR_DATA_TABLE_ENTRY InLoadOrderLinks.Flink 82966810
+0x000 InLoadOrderLinks : [ 0x84131c98 - 0x85df0968 ]
+0x000 Flink : 0x84131c98 _LIST_ENTRY [ 0x84131c20 - 0x82966810 ]
kd> dt nt!_LDR_DATA_TABLE_ENTRY 0x84131c98
+0x000 InLoadOrderLinks : _LIST_ENTRY [ 0x84131c20 - 0x82966810 ]
+0x008 InMemoryOrderLinks : _LIST_ENTRY [ 0x82886744 - 0x12 ]
+0x010 InInitializationOrderLinks : _LIST_ENTRY [ 0x0 - 0x0 ]
+0x018 DllBase : 0x8281e000 Void
+0x01c EntryPoint : 0x8293b4d8 Void
+0x020 SizeOfImage : 0x410000
+0x024 FullDllName : _UNICODE_STRING "\SystemRoot\system32\ntkrnlpa.exe"
+0x02c BaseDllName : _UNICODE_STRING "ntoskrnl.exe"
+0x034 Flags : 0x8004000
+0x038 LoadCount : 0x6a
+0x03a TlsIndex : 0
+0x03c HashLinks : _LIST_ENTRY [ 0x0 - 0x3cbbe7 ]
+0x03c SectionPointer : (null)
+0x040 CheckSum : 0x3cbbe7
+0x044 TimeDateStamp : 0
+0x044 LoadedImports : (null)
+0x048 EntryPointActivationContext : (null)
+0x04c PatchInformation : (null)
+0x050 ForwarderLinks : _LIST_ENTRY [ 0x0 - 0x410000 ]
+0x058 ServiceTagLinks : _LIST_ENTRY [ 0x4c1c3fac - 0x74006e ]
+0x060 StaticLinks : _LIST_ENTRY [ 0x73006f - 0x72006b ]
+0x068 ContextInformation : 0x006c006e Void
+0x06c OriginalBase : 0x65002e
+0x070 LoadTime : _LARGE_INTEGER 0x650078
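Added example, not from the slides: a bounded, self-checking walk of a _LIST_ENTRY ring such as PsLoadedModuleList or _PEB_LDR_DATA.InLoadOrderModuleList, reading a memory image through a callback. The struct mirrors the first 0x24 bytes of the x86 nt!_LDR_DATA_TABLE_ENTRY shown above; the head address and ntoskrnl's DllBase come from the kd session, while the entry addresses and the hal/driver bases are constructed for the sample image.

```c
/* Added example (not from the slides): walk InLoadOrderLinks with Blink and
 * bound checks so a corrupted or unlinked ring cannot loop or crash the tool. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

typedef int (*mem_read_fn)(void *ctx, uint32_t va, void *buf, size_t len);

typedef struct { uint32_t Flink, Blink; } LIST_ENTRY32;
typedef struct {
    LIST_ENTRY32 InLoadOrderLinks;               /* +0x000 */
    LIST_ENTRY32 InMemoryOrderLinks;             /* +0x008 */
    LIST_ENTRY32 InInitializationOrderLinks;     /* +0x010 */
    uint32_t     DllBase;                        /* +0x018 */
    uint32_t     EntryPoint;                     /* +0x01c */
    uint32_t     SizeOfImage;                    /* +0x020 */
} LDR_ENTRY32;                                   /* prefix of x86 nt!_LDR_DATA_TABLE_ENTRY */

#define MAX_MODULES 4096    /* iteration bound: a ring that never returns to the head must still stop */

/* Follow Flink from the list head until it comes back to the head.  Each
 * entry's Blink must equal the address we arrived from; a DKOM unlink or a
 * bad pointer breaks that.  Stores up to `max` DllBase values, returns the
 * number of entries visited and sets *ok = 0 when the walk was cut short. */
size_t walk_load_order(mem_read_fn rd, void *ctx, uint32_t head_va,
                       uint32_t *bases, size_t max, int *ok)
{
    LIST_ENTRY32 head;
    LDR_ENTRY32 e;
    size_t n = 0;
    uint32_t prev = head_va, cur;

    *ok = 0;
    if (!rd(ctx, head_va, &head, sizeof head)) return 0;
    for (cur = head.Flink; cur != head_va; cur = e.InLoadOrderLinks.Flink) {
        if (n >= MAX_MODULES || !rd(ctx, cur, &e, sizeof e)) return n;  /* bound hit or unreadable VA */
        if (e.InLoadOrderLinks.Blink != prev) return n;                 /* back-pointer disagrees */
        if (n < max) bases[n] = e.DllBase;
        n++;
        prev = cur;
    }
    *ok = 1;
    return n;
}

/* ---- constructed image: one 8 KiB region of kernel VA space ---- */
#define REGION_VA   0x82966000u
#define REGION_SIZE 0x2000
#define HEAD_VA     0x82966810u   /* PsLoadedModuleList, from "? PsLoadedModuleList" above */
static uint8_t g_region[REGION_SIZE];

static int region_read(void *ctx, uint32_t va, void *buf, size_t len)
{
    (void)ctx;
    if (va < REGION_VA || (uint64_t)va + len > (uint64_t)REGION_VA + REGION_SIZE) return 0;
    memcpy(buf, g_region + (va - REGION_VA), len);
    return 1;
}

static void link(uint32_t va, uint32_t flink, uint32_t blink, uint32_t base)
{
    LDR_ENTRY32 e;
    memset(&e, 0, sizeof e);
    e.InLoadOrderLinks.Flink = flink; e.InLoadOrderLinks.Blink = blink; e.DllBase = base;
    memcpy(g_region + (va - REGION_VA), &e, sizeof e);
}

/* head -> ntoskrnl (DllBase 0x8281e000 from the slide) -> hal -> a driver -> head.
 * tamper 1: hal's Blink is garbage; tamper 2: the driver's Flink points outside the image. */
static void build_sample(int tamper)
{
    const uint32_t A = 0x82967000u, B = 0x82967100u, C = 0x82967200u;   /* constructed entry VAs */
    memset(g_region, 0, sizeof g_region);
    link(HEAD_VA, A, C, 0);
    link(A, B, HEAD_VA, 0x8281e000u);
    link(B, C, tamper == 1 ? 0xdeadbeefu : A, 0x82c00000u);
    link(C, tamper == 2 ? 0x12345678u : HEAD_VA, B, 0x8f100000u);
}

static uint32_t g_bases[MAX_MODULES];
static int g_ok;

size_t   run_sample(int tamper) { build_sample(tamper); return walk_load_order(region_read, NULL, HEAD_VA, g_bases, MAX_MODULES, &g_ok); }
int      sample_ok(void)        { return g_ok; }
uint32_t sample_base(size_t i)  { return g_bases[i]; }

int main(void)
{
    size_t n = run_sample(0);
    printf("intact ring: %zu modules, ok=%d, first DllBase %08x\n", n, sample_ok(), sample_base(0));
    n = run_sample(1);
    printf("bad Blink:   %zu modules before stopping, ok=%d\n", n, sample_ok());
    return 0;
}
```

When ok comes back 0 the partial list is still evidence, but the tool should say so and fall back to scanning (pool tags, or the MZ/PE headers themselves) rather than present the truncated walk as complete.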
§ Handle
• handle value bit fields (figure: field boundaries at bits 31, 26, 18, 10, 2, 0)
§ Handle table
§ Memory map
• binary tree
• _EPROCESS.VadRoot
◦ _MMVAD structure
§ TCP session
• managed by tcpip.sys
• PoolTag = ‘TCPB’
§ Extract Strings
• old-fashioned?
Thank you!
any question?
http://baadc0de.blogspot.com
xnetblue@korea.ac.kr, xnetblue@gmail.com