What processes are “normal” in Windows.
What an application has access to.
Security Contexts/Privilege Levels
Hidden Processes
Evasive Techniques
A process is a running program with a set of resources.
A thread is an entity within a process that is scheduled for execution.
All processes have at least 1 thread.
A small sequence of programmed instructions
Can be managed independently by a scheduler
Executes within a process
Share data with other threads in the process
A process's threads shares its context
Also shares memory
Takes advantage of multiple cores in the processor
Can run on a single core processor
Reference to a windows object.
Stored in a table for easy lookup.
Protection rings separate user and kernel and is enforced at a hardware level.
Ring 0 = Kernel
Ring 3 = User
Uses system calls and interrupts to switch between rings
Each process contains an executive EPROCESS data structure.
Exists in Kernel space.
Points to several lists
Kernel equivalent of the PEB in user space.
>>> dt ("_EPROCESS")
'_EPROCESS' (704 bytes)
0x0 : Pcb ['_KPROCESS']
0x98 : ProcessLock ['_EX_PUSH_LOCK']
0xa0 : CreateTime ['WinTimeStamp', {'is_utc': True}]
0xa8 : ExitTime ['WinTimeStamp', {'is_utc': True}]
0xb0 : RundownProtect ['_EX_RUNDOWN_REF']
0xb4 : UniqueProcessId ['unsigned int']
0xb8 : ActiveProcessLinks ['_LIST_ENTRY']
0xc0 : ProcessQuotaUsage ['array', 2, ['unsigned long']]
0x13c : Win32WindowStation ['pointer', ['void']] #Clipboard and desktop objects
0x198 : ActiveThreads ['unsigned long']
0x1a8 : Peb ['pointer', ['_PEB']]
0x278 : VadRoot ['_MM_AVL_TABLE']
PCB: _KPROCESS structure. (Process Control Block)
Create time, Exit Time
PID (Unique)
ActiveProcessLinks
Parent PID
Session
ImageFileName
ThreadList
VadRoot
Processes memory segments
Process Environment Block
Used by the Kernel to track a process.
Related to scheduling and book-keeping of the process.
_EPROCESS is Executive Subsystem object that holds the _KPROCESS block.
Just a lower level view of the process than _EPROCESS.
What ImageInfo uses to discover what operating system profile to output
'_KPROCESS' (152 bytes)
0x0 : Header ['_DISPATCHER_HEADER']
0x18 : DirectoryTableBase ['unsigned long']
0x1c : LdtDescriptor ['_KGDTENTRY']
0x24 : Int21Descriptor ['_KIDTENTRY']
0x2c : ThreadListHead ['_LIST_ENTRY']
0x34 : ProcessLock ['unsigned long']
0x38 : Affinity ['_KAFFINITY_EX']
0x44 : ReadyListHead ['_LIST_ENTRY']
0x4c : SwapListEntry ['_SINGLE_LIST_ENTRY']
0x50 : ActiveProcessors ['_KAFFINITY_EX']
0x74 : StackCount ['_KSTACK_COUNT']
0x78 : ProcessListEntry ['_LIST_ENTRY']
0x80 : CycleTime ['unsigned long long']
0x88 : KernelTime ['unsigned long']
0x8c : UserTime ['unsigned long']
Doubly linked list of processes in a _LIST_ENTRY struct contained within other structs such as _EPROCESS.
_LIST_ENTRY is common in Windows and is also used for loaded modules in the PEB.
Contains a forward, Flink, and a back pointer, Blink, to entries.
Task Manager – Windows native
Pslist – Sysinternals, volatility
Procexp – Sysinternals
Process Hacker
Several API calls walk lists
Created by Ntoskrnl.exe
PPID: None
PID: 4
Creates session manager process, smss.exe.
Starts at boot and is what Volshell context switches into by default.
Holds kernel-mode threads and drivers.
Uses PsCreateSystemThread to create system threads from kernel mode.
container for CPU.
PID: 0
Created by System
PPID: 4/System
Location: %SYSTEMROOT%\System32
First user mode process
Creates crss and winlogon and then exits.
Creates sessions that isolate OS services.
One is always running as one exits after creating its children.
Creates and deletes processes/Threads, temp files, etc.
Created by SSMS
Location: %SYSTEMROOT%\System32
Multiple run. One per session.
Malware often names itself after csrss to blend in.
Windows < 7 = cmd.exe broker
Interactive login prompt
Screen saver
Started by SSMS, so no PID as SSMS exits.
Secure Attention Sequences (Ctrl+Alt+Del)
Location: %SYSTEMROOT%\System32
Parent: None as smss.exe creates it which exits.
Marks itself critical so that if it exits prematurely and the system is booted in debugging mode, it will break into the debugger (if not, the system will crash).
Location: %SystemRoot%\system32\wininit.exe
Performs user-mode initalization tasks and starts user-mode scheduling.
Creates %windir%\temp
Starts Lsass.exe, Lsm.exe and Services.exe
Manages Windows services
Parent of any svchost process, dllhost, taskhost.
One copy
Location: %SYSTEMROOT%\System32
Created by WININET
Services defined in HKLM\SYSTEM\CurrentControlSet\Services
Whole lecture on these later
The Stuxnet service
Child of Wininit.exe
Only one on the system!
Manages local security policy. manages users allowed to login, password policies, security event logs, etc.
Targeted by malware to dump passwords!
Should not have any children
Resources: https://sysforensics.org/2014/01/know-your-windows-processes.html
Know important Windows services and what is normal before trying to find the abnormal.
Symbol that points to doubly-linked list of _EPROCESS objects.
Inactive processes remain active in list if another process has an open handle to it.
A process with 0 threads and an ExitTime can still appear in list, although it has terminated.
Process is removed from list when PspProcessDelete it called
Each process has ActiveProcessList
>>> dt("_EPROCESS")
'_EPROCESS' (704 bytes)
0xb8 : ActiveProcessLinks ['_LIST_ENTRY']
The main PsActiveProcessHead is in the Kernel Processor Control Region (KPCR).
Structure where kernel stores per-processor information and is viewable from a debugger.
It is located from the FS register from Windows <= Vista.
Contains the contents of CR3.
Recall the _KDDEBUGGER_DATA64 structure from week 1-02.
Magic = KDBG
Scans for potential KPCR structures
Imageinfo also shows the location of the KDBG and KPCR.
Uses a signature to location the _KPCR struct and ensures the _KPCR.Self points to itself.
SLOW SLOW SLOW SLOW
[root&windows]#volatility -f Win7.bin --profile=Win7SP0x86 kpcrscan
Volatility Foundation Volatility Framework 2.4
**************************************************
Offset (V) : 0x8292ec00
Offset (P) : 0x292ec00
KdVersionBlock : 0x8292dc00
IDT : 0x80b95400
GDT : 0x80b95000
CurrentThread : 0x8516c030 TID 624 (svchost.exe:1204)
IdleThread : 0x82938380 TID 0 (Idle:0)
Details : CPU 0 (GenuineIntel @ 3191 MHz)
CR3/DTB : 0x185000
[root&windows]#volatility -f Win7.bin --profile=Win7SP0x86 imageinfo
---CUT---
KDBG : 0x8292dc28L
KPCR for CPU 0 : 0x8292ec00L
---CUT---
>>> dt("_KPCR")
'_KPCR' (14152 bytes)
0x0 : NtTib ['_NT_TIB']
0x0 : Used_ExceptionList ['pointer', ['_EXCEPTION_REGISTRATION_RECORD']]
0x4 : Used_StackBase ['pointer', ['void']]
0x8 : Spare2 ['pointer', ['void']]
0xc : TssCopy ['pointer', ['void']]
0x10 : ContextSwitches ['unsigned long']
0x14 : SetMemberCopy ['unsigned long']
0x18 : Used_Self ['pointer', ['void']]
0x1c : SelfPcr ['pointer', ['_KPCR']]
0x20 : Prcb ['pointer', ['_KPRCB']]
0x24 : Irql ['unsigned char']
0x28 : IRR ['unsigned long']
0x2c : IrrActive ['unsigned long']
0x30 : IDR ['unsigned long']
0x34 : KdVersionBlock ['pointer', ['void']]
0x38 : IDT ['pointer', ['array', 256, ['_KIDTENTRY']]]
0x3c : GDT ['pointer', ['array', 128, ['_KGDTENTRY']]]
0x40 : TSS ['pointer', ['_KTSS']]
0x44 : MajorVersion ['unsigned short']
0x46 : MinorVersion ['unsigned short']
0x48 : SetMember ['unsigned long']
0x4c : StallScaleFactor ['unsigned long']
0x50 : SpareUnused ['unsigned char']
0x51 : Number ['unsigned char']
0x52 : Spare0 ['unsigned char']
0x53 : SecondLevelCacheAssociativity ['unsigned char']
0x54 : VdmAlert ['unsigned long']
0x58 : KernelReserved ['array', 14, ['unsigned long']]
0x90 : SecondLevelCacheSize ['unsigned long']
0x94 : HalReserved ['array', 16, ['unsigned long']]
0xd4 : InterruptMode ['unsigned long']
0xd8 : Spare1 ['unsigned char']
0xdc : KernelReserved2 ['array', 17, ['unsigned long']]
0x120 : PrcbData ['_KPRCB']
We really only care about getting to the KDVersionBlock!
Offset 0x34 = KdVersionBlock pointer
Offset 0x78 in KdVersionBlock is &PsActiveProcessHead
Contains the PsActiveProcessHead
Already found this in imageinfo
Easier than the aforementioned method and how Volatility does it
>>> dt("_KDDEBUGGER_DATA64")
'_KDDEBUGGER_DATA64' (832 bytes)
0x0 : Header ['_DBGKD_DEBUG_DATA_HEADER64']
0x18 : KernBase ['unsigned long long']
0x20 : BreakpointWithStatus ['unsigned long long']
0x28 : SavedContext ['unsigned long long']
0x30 : ThCallbackStack ['unsigned short']
0x32 : NextCallback ['unsigned short']
0x34 : FramePointer ['unsigned short']
0x38 : KiCallUserMode ['unsigned long long']
0x40 : KeUserCallbackDispatcher ['unsigned long long']
0x48 : PsLoadedModuleList ['pointer', ['_LIST_ENTRY']]
0x50 : PsActiveProcessHead ['pointer', ['_LIST_ENTRY']]
0x58 : PspCidTable ['pointer', ['pointer', ['_PSP_CID_TABLE']]]
Search for and dump potential KDBG values
[root&windows]#volatility -f Win7.bin --profile=Win7SP0x86 kdbgscan
Volatility Foundation Volatility Framework 2.4
**************************************************
Instantiating KDBG using: Kernel AS Win7SP0x86 (6.1.7600 32bit)
Offset (V) : 0x8292dc28
Offset (P) : 0x292dc28
KDBG owner tag check : True
Profile suggestion (KDBGHeader): Win7SP1x86
Version64 : 0x8292dc00 (Major: 15, Minor: 7601)
Service Pack (CmNtCSDVersion) : 1
Build string (NtBuildLab) : 7601.18205.x86fre.win7sp1_gdr.13
PsActiveProcessHead : 0x82945ba8 (54 processes)
PsLoadedModuleList : 0x8294d4d0 (155 modules)
KernelBase : 0x82804000 (Matches MZ: True)
Major (OptionalHeader) : 6
Minor (OptionalHeader) : 1
KPCR : 0x8292ec00 (CPU 0)
Pslist
Pstree
Psscan
Psxview
PsActiveProcessHead
Shows
Options - -P gives the physical offset address
Points to the start of a list of _EPROCESS structures
[root&windows]#volatility -f Win7.bin --profile=Win7SP0x86 pstree
Name Pid PPid Thds Hnds Time
-------------------------------------------------- ------ ------ ------ ------ ----
0x853f7490:csrss.exe 348 340 9 523 2013-10-15 18:45:53 UTC+0000
. 0x8426ad40:conhost.exe 3880 348 0 ------ 2013-10-15 18:49:01 UTC+0000
0x859c2d40:wininit.exe 400 340 3 74 2013-10-15 18:45:53 UTC+0000
. 0x85a2d308:lsass.exe 520 400 7 595 2013-10-15 18:45:53 UTC+0000
. 0x85a315a8:lsm.exe 528 400 10 162 2013-10-15 18:45:53 UTC+0000
. 0x85a1e410:services.exe 504 400 11 218 2013-10-15 18:45:53 UTC+0000
.. 0x8526ad00:svchost.exe 3712 504 9 204 2013-10-15 18:46:43 UTC+0000
.. 0x8538b030:dllhost.exe 1804 504 21 189 2013-10-15 18:45:57 UTC+0000
.. 0x86485030:FXSSVC.exe 3092 504 18 110 2013-10-15 18:46:15 UTC+0000
.. 0x86019b48:spoolsv.exe 1304 504 15 337 2013-10-15 18:45:55 UTC+0000
.. 0x8617ab90:TPAutoConnSvc. 1668 504 11 139 2013-10-15 18:45:57 UTC+0000
... 0x862ba8c8:TPAutoConnect. 2176 1668 6 123 2013-10-15 18:46:00 UTC+0000
Ps* contains virtual address of _EPROCESS structure.
_EPROCESS of Winlogon
Can use it in Volshell to parse information
[root&windows]#volatility -f Win7.bin --profile=Win7SP0x86 pstree | grep cmd.exe
... 0x842424b8:cmd.exe 3912 1504 0 ------ 2013-10-15 18:49:01 UTC+0000
[root&windows]#volatility -f Win7.bin --profile=Win7SP0x86 volshell
>>> dt("_EPROCESS", 0x842424b8)
[_EPROCESS _EPROCESS] @ 0x842424B8
0x0 : Pcb 2216961208
0x98 : ProcessLock 2216961360
0xa0 : CreateTime 2013-10-15 18:49:01 UTC+0000
0xa8 : ExitTime 2013-10-15 18:49:01 UTC+0000
0xb0 : RundownProtect 2216961384
0xb4 : UniqueProcessId 3912
0xb8 : ActiveProcessLinks 2216961392
0xc0 : ProcessQuotaUsage -
0xc8 : ProcessQuotaPeak -
0xd0 : CommitCharge 0
0xd4 : QuotaBlock 2190711296
0xd8 : CpuQuotaBlock 0
0x274 : ExitStatus 0
0x278 : VadRoot 2216961840
[root&windows]#volatility -f Win7.bin --profile=Win7SP0x86 volshell
>>> dt("_KPROCESS", 2216961208)
[CType _KPROCESS] @ 0x842424B8
0x0 : Header 2216961208
0x10 : ProfileListHead 2216961224
0x18 : DirectoryTableBase 1053738560
0x1c : LdtDescriptor 2216961236
0x24 : Int21Descriptor 2216961244
0x2c : ThreadListHead 2216961252
0x34 : ProcessLock 0
0x38 : Affinity 2216961264
0x44 : ReadyListHead 2216961276
0x4c : SwapListEntry 2216961284
0x50 : ActiveProcessors 2216961288
0x6c : Flags 2216961316
0x6d : Unused1 0
0x6e : IopmOffset 8364
0x70 : Unused4 0
0x74 : StackCount 2216961324
0x78 : ProcessListEntry 2216961328
0x80 : CycleTime 20807923
0x88 : KernelTime 0
Enumerates processes
can find processes
Downside
Scans for a process by enumerating 7 listings.
Pool-tag scanning
Thread scanning.
CRSS handle table
PspCid table
Session processes
Desktop threads
True = Process Found
False = Process not in list.
[root&windows]#volatility -f Win7.bin --profile=Win7SP0x86 psxview --apply-rules
Offset(P) Name PID pslist psscan thrdproc pspcid csrss session deskthrd ExitTime
---------- -------------------- ------ ------ ------ -------- ------ ----- ------- -------- --------
0x3ec6ad00 svchost.exe 3712 True True True True True True False
0x3df3ad40 msdtc.exe 1980 True True True True True True True
0x3e42d308 lsass.exe 520 True True True True True True False
0x3da80530 calc.exe 3032 True True True True True True True
0x3df7ab90 TPAutoConnSvc. 1668 True True True True True True True
0x3dcba248 conhost.exe 2184 True True True True True True True
0x3e0f03c8 svchost.exe 908 True True True True True True True
0x3f435030 msra.exe 3676 True True True True True True True
0x3e7c2030 csrss.exe 412 True True True True Okay True True
If an attacker gets access to system and can write into kernel objects, they can hide information from certain lists.
Kernel Drivers have unrestricted access to kernel memory.
\Device\PhysicalMemory in XP
ZwSystemDebugControl winAPI function to access kernel objects if SeDebugPrivilege is set on a process.
Hide Processes, files, network connections
Adjust Privileges
Add groups to tokens
Manipulate event view
Hide Ports
Default Kernel mode IDS/IPS/AV
Anything in a Kernel list can be manipulated with DKOM if careful (VADs are HARD to DKOM).
Install Kernel driver onto system and control it from user land.
itemTOHide = (PLIST_ENTRY)((PUCHAR)toHide + hardcodeaddress);
*((PDWORD)itemTOHide->Blink) = (DWORD)itemTOHide->Flink;
*((PDWORD)(itemTOHide->Flink) + 1) = (DWORD)itemTOHide->Blink;
itemTOHide->Blink = (PLIST_ENTRY)&itemTOHide->Flink;
itemTOHide->Flink = (PLIST_ENTRY)&itemTOHide->Flink;
Simple forward/back link swap! Easy!
Need to get a driver installed or a kernel module loaded though...
Would also need to know offsets to PID and _LIST_ENTRY
Security Identifies (SIDs) determine the privileges a user or group has.
Tokens are used by a process to store SID values for users/groups.
Tokens are the underlying object that describe security context
Several API functions to control security context
S-1-5-21-2753350090-3269873950-3447048925-1000
S = Prefix for SID
1 = Revision Level (NT = 1)
5 = Highest level of authority that can issue SID.
21-2753350090-3269873950-3447048925 = Local computer/domain Identifier
1000 = Relative Identifier. 1000> = OS didn't create by default. https://msdn.microsoft.com/en-us/library/windows/desktop/aa379649(v=vs.85).aspx
HKEY_USERS\SID*
HKEY_USERS\SID\Volatile Environment\Username
All over the place...
The SID from HKEY_USERS is what gets put in HKEY_CURRENT_USER for a logged in account
_TOKEN
_LUID
OpenProcessToken → GetTokenInformation
Also, procexplorer from SysInternals
Volatility plugin to get the SIDs associated with a process.
[root&windows]#volatility -f Win7.bin --profile=Win7SP0x86 getsids -n cmd
cmd.exe (3912): S-1-5-18 (Local System)
cmd.exe (3912): S-1-5-32-544 (Administrators)
cmd.exe (3912): S-1-1-0 (Everyone)
cmd.exe (3912): S-1-5-11 (Authenticated Users)
cmd.exe (3912): S-1-16-16384 (System Mandatory Level)
Tokens contain information on what privileges they have.
Privileges = Permission to perform a specific task.
All processes contain tokens.
The Local Security Policy dictates what privileges can be enabled.
A privilege can be present but not enabled.
Processes can inheritance privileges
Privileges can be enabled by default
SeDebug= Read/Write into other processes. Malware LOVES this one.
SeLoadDriver = Load/unload Kernel drivers.
Can use DKOM methods to trick kernel into enabling all privileges and hiding information from user mode.
Volatility plugin to list present and enabled privileges on a per process basis.
[root&windows]#volatility -f Win7.bin --profile=Win7SP0x86 privs -n cmd
Pid Process Value Privilege Attributes Description
-------- ---------------- ------ ------------------------------------ ------------------------ -----------
3912 cmd.exe 2 SeCreateTokenPrivilege Create a token object
3912 cmd.exe 3 SeAssignPrimaryTokenPrivilege Present Replace a process-level token
3912 cmd.exe 4 SeLockMemoryPrivilege Present,Enabled,Default Lock pages in memory
3912 cmd.exe 5 SeIncreaseQuotaPrivilege Present Increase quotas
3912 cmd.exe 6 SeMachineAccountPrivilege Add workstations to the domain
3912 cmd.exe 7 SeTcbPrivilege Present,Enabled,Default Act as part of the operating system
3912 cmd.exe 8 SeSecurityPrivilege Present Manage auditing and security log
3912 cmd.exe 9 SeTakeOwnershipPrivilege Present Take ownership of files/objects
3912 cmd.exe 10 SeLoadDriverPrivilege Present Load and unload device drivers
3912 cmd.exe 11 SeSystemProfilePrivilege Present,Enabled,Default Profile system performance
3912 cmd.exe 12 SeSystemtimePrivilege Present Change the system time
3912 cmd.exe 13 SeProfileSingleProcessPrivilege Present,Enabled,Default Profile a single process
3912 cmd.exe 14 SeIncreaseBasePriorityPrivilege Present,Enabled,Default Increase scheduling priority
3912 cmd.exe 15 SeCreatePagefilePrivilege Present,Enabled,Default Create a pagefile
3912 cmd.exe 16 SeCreatePermanentPrivilege Present,Enabled,Default Create permanent shared objects
3912 cmd.exe 17 SeBackupPrivilege Present Backup files and directories
3912 cmd.exe 18 SeRestorePrivilege Present Restore files and directories
3912 cmd.exe 19 SeShutdownPrivilege Present Shut down the system
3912 cmd.exe 20 SeDebugPrivilege Present,Default Debug programs
3912 cmd.exe 21 SeAuditPrivilege Present,Enabled,Default Generate security audits
3912 cmd.exe 22 SeSystemEnvironmentPrivilege Present Edit firmware environment values
3912 cmd.exe 23 SeChangeNotifyPrivilege Present,Enabled,Default Receive notifications of changes to files or directories
3912 cmd.exe 24 SeRemoteShutdownPrivilege Force shutdown from a remote system
3912 cmd.exe 25 SeUndockPrivilege Present Remove computer from docking station
3912 cmd.exe 26 SeSyncAgentPrivilege Synch directory service data
3912 cmd.exe 27 SeEnableDelegationPrivilege Enable user accounts to be trusted for delegation
3912 cmd.exe 28 SeManageVolumePrivilege Present Manage the files on a volume
3912 cmd.exe 29 SeImpersonatePrivilege Present,Enabled,Default Impersonate a client after authentication
3912 cmd.exe 30 SeCreateGlobalPrivilege Present,Enabled,Default Create global objects
3912 cmd.exe 31 SeTrustedCredManAccessPrivilege Access Credential Manager as a trusted caller
3912 cmd.exe 32 SeRelabelPrivilege Modify the mandatory integrity level of an object
3912 cmd.exe 33 SeIncreaseWorkingSetPrivilege Present,Enabled,Default Allocate more memory for user applications
3912 cmd.exe 34 SeTimeZonePrivilege Present,Enabled,Default Adjust the time zone of the computer's internal clock
3912 cmd.exe 35 SeCreateSymbolicLinkPrivilege Present,Enabled,Default Required to create a symbolic link
Use privs with a goal in mind!
[root&windows]#volatility -f Win7.bin --profile=Win7SP0x86 privs -s | grep SeDebug
1108 ProcessHacker. 20 SeDebugPrivilege Present,Enabled Debug programs
Explorer.exe
Common target for attackers as it is white-listed for automatic elevation to administrator.
Enabled privileges could indicate malicious activity.
Reference to an open instance of a kernel object
Includes files, registry keys, mutexes, named pipes, events, window stations, desktops, threads, and all other types of securable executive objects.
Recall the executive creates several objects based on API call. CreateFile → _FILE_OBJECT
System has handle table of Kernel resources
._EPROCESS.ObjectTable has handle table
Indexes contain _HANDLE_TABLE_ENTRY structs in yet another _LIST_ENTRY list
_HANDLE_TABLE_ENTRY point to an Object member which contain the _OBJECT_HEADER of the object.
_EPROCESS.ObjectTable → _Handle_Table.TableCode → _HANDLE_TABLE_ENTRY → _OBJECT_HEADER
Volatility plugin to display all open handles.
-p for process
-o for physical offset to _EPROCESS
-t objectType (comma-serparated)
--silent = surpress unamed objects
ProcessHacker = PID 1108 had SeDebugPriv added
[root&windows]#volatility -f Win7.bin --profile=Win7SP0x86 handles -p 1108
Offset(V) Pid Handle Access Type Details
---------- ------ ---------- ---------- -------------------------- -------
0x8bbd6458 1108 0x4 0x3 Directory KnownDlls
0x86450cd0 1108 0x8 0x100020 File \Device\HarddiskVolume1\Users\Daniel\Desktop\processhacker-2.31-bin\x86
0x85a09eb8 1108 0xc 0x100020 File \Device\HarddiskVolume1\Windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2
0x933b8310 1108 0x10 0x20019 Key MACHINE\SYSTEM\CONTROLSET001\CONTROL\NLS\SORTING\VERSIONS
0x8650e500 1108 0x14 0x1f0001 ALPC Port
0x85f36770 1108 0x18 0x804 EtwRegistration
0x84408988 1108 0x38c 0x1fffff Thread TID 852 PID 1108
0x86452d40 1108 0x290 0x1400 Process StikyNot.exe(2972)
0x862f63a0 1108 0x294 0x1400 Process mstsc.exe(2704)
0x863f63b8 1108 0x298 0x1400 Process devenv.exe(2876)
0x86480530 1108 0x29c 0x1400 Process calc.exe(3032)
0x8533ad40 1108 0x2a0 0x1400 Process WFS.exe(3056)
0x86485030 1108 0x2a4 0x1400 Process FXSSVC.exe(3092)
0x86499d40 1108 0x2a8 0x1400 Process mspaint.exe(3196)
0x864ada20 1108 0x2ac 0x1400 Process svchost.exe(3232)
0x864b5d40 1108 0x2b0 0x1400 Process SnippingTool.e(3276)
0x86487d40 1108 0x2b4 0x1400 Process wisptis.exe(3364)
0x85358d40 1108 0x2b8 0x1400 Process mobsync.exe(3444)
0x86250770 1108 0x2bc 0x1400 Process sidebar.exe(3544)
0x84a35030 1108 0x2c0 0x1400 Process msra.exe(3676)
0x8526ad00 1108 0x2c4 0x1400 Process svchost.exe(3712)
0x861abd40 1108 0x2c8 0x1400 Process svchost.exe(3744)
0x863a20f0 1108 0x110 0x1f0001 Mutant ProcessHacker2Mutant
ProcessHacker opened a handle to processes running on the system.
It also created a mutant, ProcessHacker2Mutant! EASY flag for a scan!
Address Space
Synchronizing techniques - Memory locks - Process/thread preemption
Maintains a count between zero and a specified maximum value
Semaphore object is useful in controlling a shared resource that can support a limited number of users
Semaphore objects control shared resources
Limits the number of threads sharing a resource
The wait function blocks execution of the window-creation code
Incremented each time a thread releases the semaphore
Decremented each time a thread completes a wait
When count reaches zero, no more threads can successfully wait
State of a semaphore is set to signaled when its count is greater than zero, and nonsignaled when its count is zero
State is set to nonsignaled when its count is zero No more threads can successfully wait for the semaphore
If more than one thread is waiting on a semaphore, a waiting thread is selected
Is not a first-in, first-out (FIFO) order
External events such as kernel-mode states can change the wait order.
Watch for these when doing analysis
CreateSemaphore
OpenSemaphore
ReleaseSemaphore
CloseHandle
A mutex is a synchronization object
Whose state is set to signaled when it is Not owned by any thread is set to signaled
Nonsignaled when it is owned
Only one thread at a time can own a mutex object
Useful in coordinating mutually exclusive access to a shared resource
Similar to a semaphore for single thread access
Example: to prevent two threads from writing to shared memory at the same time, each thread waits for ownership of a mutex object before executing the code that accesses the memory. After writing to the shared memory, the thread releases the mutex object.
Malware LOVES Mutexes!!!
Scan physical memory for KMUTANT objects with pool tag scanning
Displays all objects, a LOT
The CID column contains the process ID and thread ID of the mutex owner if one exists.
[root&windows]#volatility -f Win7.bin --profile=Win7SP0x86 mutantscan -s
Offset(P) #Ptr #Hnd Signal Thread CID Name
------------------ -------- -------- ------ ---------- --------- ----
0x000000003dfd45f8 2 1 1 0x00000000 .NET Data Provider for Oracle_Perf_Library_Lock_PID_5e0
0x000000003dfd47e0 2 1 1 0x00000000 .NET Data Provider for SqlServer_Perf_Library_Lock_PID_5e0
0x000000003dfdf758 2 1 1 0x00000000 MSDTC_STATS_EVENT
0x000000003dfe9bf8 5 4 1 0x00000000 TpVcW32ListMutex
0x000000003dfeab88 2 1 1 0x00000000 TP-TMUACCESS
0x000000003dd99f08 2 1 1 0x00000000 WindowsSearchService_EfsRegKeysMutex
0x000000003dda20f0 2 1 1 0x00000000 ProcessHacker2Mutant
When using volshell it assumes you are in virtual space
Not all plugins give virtual address
Switch to physical space
physical_space = utils.load_as(self._config, astype = 'physical')
dt("_STRUCT", 0xdeadbeef, physical_space)
Table of Contents | t |
---|---|
Exposé | ESC |
Full screen slides | e |
Presenter View | p |
Source Files | s |
Slide Numbers | n |
Toggle screen blanking | b |
Show/hide slide context | c |
Notes | 2 |
Help | h |