Event Reconstruction

Presenter Notes

What

String Encodings

Strings in memory

Command and Console history

Presenter Notes

String Encodings

Presenter Notes

Strings

ASCII v. Unicode

Windows API

  • A = ASCII
  • W = Unicode (wide)

Presenter Notes

ASCII

255 code positions

single byte

0 -> 127 = normal characters

128 -> 255 = special characters

Strings -a

  • for ascii-only

Presenter Notes

Unicode

1,114,112 code positions

2 bytes

Allows other languages other than English

Searched with "wide" options

Strings -u

  • for ascii-only

Presenter Notes

Base64

Presenter Notes

Base64

Binary data in an ASCII string with radix-64 representation.

ASCII String -> Each 6 bits creates index -> index into base64 for encoded character

Pads with '=' to indicate padding

[root&windows]#echo "Man" | base64
TWFuCg==
[root&windows]#echo "TWFuCg==" | base64 -d
Man
[root&windows]#echo "woman" | base64
d29tYW4K

Presenter Notes

Presenter Notes

Presenter Notes

In Memory

Presenter Notes

Extracting Strings

Volatility does not extract strings for you

  • Python too slow

Volatility requires tool to output strings in form of

<decimal_offset>:<string>
<decimal_offset> <string>

Get ASCII and Unicode strings

Presenter Notes

How

Get strings from a raw physical memory sample

  • if you want to map them back to virtual, that is.
  • Can use "imagecopy" to make a crash dump/hibernation file into a raw dump!

Windows

Sysinternals strings does both ASCII and Unicode by default

strings.exe –q –o memory.dmp > strings.txt

Linux

GNU strings requires ASCII and Unicode separately

$ strings -td -a memory.dmp > strings.txt
$ strings -td -el -a memory.dmp >> strings.txt

Presenter Notes

Now

We have a text file of strings with the offset of where that string is in the memory dump

[root&windows]#wc -l strings.txt    
6284806 strings.txt
[root&windows]#cat strings.txt
[snip]
88064077 !This program cannot be run in DOS mode.
88064215 ?Rich1
88064308 CS P
88064504 .pexe
[snip]
88850456 AuthzInitializeContextFromToken
88850488 AuthzInitializeObjectAccessAuditEvent2
88850528 AuthzAccessCheck
88850552 AuthzFreeAuditEvent
88850576 AuthzFreeContext
88850600 AuthzInitializeResourceManager
88850632 AuthzFreeResourceManager
88850760 RegCloseKey
88850840  __SuperClass = '
88853408 string too long
88853424 invalid string position
88853448 Invalid parameter passed to C runtime function.

Presenter Notes

Volatility

With a strings file, volatility can translate them to a virtual address if a mapping exists between the physical offset and virtual offset.

Strings

Match physical offsets to virtual addresses (may take a while, VERY verbose)

 -s STRING_FILE, --string-file=STRING_FILE
                        File output in strings format (offset:string)
  -S, --scan            Use PSScan if no offset is provided
  -o OFFSET, --offset=OFFSET
                        EPROCESS offset (in hex) in the physical address space
  -p PID, --pid=PID     Operate on these Process IDs (comma-separated)

Presenter Notes

Volatility Strings

[root&windows]#volatility -f lab5.vmem --profile Win7SP1x64 strings -s strings.txt > translated.txt

Presenter Notes

Presenter Notes

Translated.txt

[root&windows]#head -n 50 translated.txt
1631 [kernel:f88000a0565f kernel:ffffffd0e65f] t&fh
1775 [kernel:f88000a056ef kernel:ffffffd0e6ef] TCPAu2
[snip]
4273468 [FREE MEMORY] L[email protected]H3
4273481 [FREE MEMORY] \$hH
4273486 [FREE MEMORY] t$pH
[snip]
4293475 [1244:03483363] cag\\V
4293546 [1244:034833aa] )46NPTl/3K%)A8?Sjq
4293565 [1244:034833bd] (/>IOV$*1&.;[email protected];aMW
[snip]

Shows PID that owned the string and at what virtual address.

See what region of memory an address is in for a specific process/dll/kernel module...

Presenter Notes

Noise

Presenter Notes

Eliminate

ftrings with

  • a certain length
  • a certain extension
  • an IP

Presenter Notes

Grep

[root&windows]#grep "\.pf" translated.txt | grep -i .exe
15508352 [kernel:f8a002c83380] \Device\HarddiskVolume1\Windows\Prefetch\SVCHOST.EXE-18D06B2E.pf
32931346 [kernel:f8a002a3ee12] WMIPRVSE.EXE-43972D0F.pfWMIPRVSE.EXE-43972D0F.PF
33072096 [kernel:f8a002d323e0] \Device\HarddiskVolume1\Windows\Prefetch\SVCHOST.EXE-135A30D8.pf
1031395400 [kernel:fa8001b9d848] \Device\HarddiskVolume1\Windows\Prefetch\VSSVC.EXE-04D079CC.pf
1031395552 [kernel:fa8001b9d8e0] \Device\HarddiskVolume1\Windows\Prefetch\W32TM.EXE-5D2265F4.pf
1031395704 [kernel:fa8001b9d978] \Device\HarddiskVolume1\Windows\Prefetch\WERFAULT.EXE-0897AE09.pf
1031395864 [kernel:fa8001b9da18] \Device\HarddiskVolume1\Windows\Prefetch\WERMGR.EXE-2A1BCBC7.pf
1031396016 [kernel:fa8001b9dab0] \Device\HarddiskVolume1\Windows\Prefetch\WMIADAP.EXE-369DF1CD.pf
1031396176 [kernel:fa8001b9db50] \Device\HarddiskVolume1\Windows\Prefetch\WMIPRVSE.EXE-43972D0F.pf
1033059648 [kernel:fa8001933d40] \Device\HarddiskVolume1\Windows\Prefetch\IPCONFIG.EXE-62724FE6.pf
1033067264 [kernel:fa8001935b00] \Device\HarddiskVolume1\Windows\Prefetch\SLUI.EXE-A65918C4.pf
1033072632 [kernel:fa8001936ff8] \Device\HarddiskVolume1\Windows\Prefetch\PING.EXE-B29F6629.pf
1033307768 [kernel:fa8001970678] \Device\HarddiskVolume1\Windows\Prefetch\MSCORSVW.EXE-FAA88858.pf
1033325216 [kernel:fa8001974aa0] \Device\HarddiskVolume1\Windows\Prefetch\MSCORSVW.EXE-98F0699A.pf
1033330800 [kernel:fa8001976070] \Device\HarddiskVolume1\Windows\Prefetch\SVCHOST.EXE-135A30D8.pf
1033336752 [kernel:fa80019777b0] \Device\HarddiskVolume1\Windows\Prefetch\SVCHOST.EXE-18D06B2E.pf

Presenter Notes

Grep

[root&windows]#grep "iexplorer" translated.txt
714446624 [2844:028f5720] %temp%\iexplorer.exe
715546636 [2844:02b7600c] ifexist%temp%\iexplorers.dllgotocon
715546722 [2844:02b76062] 0%temp%\iexplorer.exe
973140368 [2844:026ec190] hyiexplorerbarclass
973140388 [2844:026ec1a4] hyiexplorerbarclass
947465176 [2844:02a0abd8] c:\windows\fonts\iexplorer.exe

Presenter Notes

Free memory

Strings can be in freed or unallocated pages

31059195 [FREE MEMORY] Washington1
31059216 [FREE MEMORY] Redmond1
31059234 [FREE MEMORY] Microsoft Corporation1#0!
31059266 [FREE MEMORY] Microsoft Code Signing PCA0

Presenter Notes

Shared Pages

DLLs are shared

Files can be shared

Named shared memory

Stings shows strings of shared things with addr [thing1:addr thing2:addr ...]

[root&windows]#grep -E '[[0-9]+:[0-9]+ [0-9]+' translated.txt
96149592 [1244:74212058 1352:74212058] cname.comodoca.com
146513920 [372:00de2000 372:f900c0602000 424:f900c0602000 528:f900c0602000 536:f900c0602000 544:f900c0602000 644:f900c0602000 720:f900c0602000 812:f900c0602000 856:f900c0602000 884:f900c0602000 972:f900c0602000 248:f900c0602000 300:f900c0602000 1064:00782000 1064:f900c0602000 1104:f900c0602000 1252:f900c0602000 1560:f900c0602000 1608:f900c0602000 1864:f900c0602000 2012:f900c0602000 1552:f900c0602000 2164:f900c0602000 2812:f900c0602000 2924:f900c0602000 2640:f900c0602000 2844:f900c0602000 1928:f900c0602000 2272:f900c0602000 920:f900c0602000 2396:f900c0602000] F9B-9EF4-7114B42285A9}
131777536 [2448:73347400 1244:73347400 1352:73347400] OLEACC.dll
131777552 [2448:73347410 1244:73347410 1352:73347410] OLEAUT32.dll
131777600 [2448:73347440 1244:73347440 1352:73347440] WINMM.dll
131777616 [2448:73347450 1244:73347450 1352:73347450] WindowsCodecs.dll

Presenter Notes

Shared things

131777616 [2448:73347450 1244:73347450 1352:73347450] WindowsCodecs.dll

[root&windows]#volatility -f lab5.vmem --profile Win7SP1x64 pslist -p 2448,1244,1352
Volatility Foundation Volatility Framework 2.4
Offset(V)          Name                    PID   PPID   Thds     Hnds   Sess  Wow64 Start                          Exit
------------------ -------------------- ------ ------ ------ -------- ------ ------ ------------------------------ ------------------------------
0xfffffa8000dd0630 iexplore.exe           2448   2508     22      684      1      1 2015-05-20 16:10:09 UTC+0000
0xfffffa8000f263a0 iexplore.exe           1244   2448     46      886      1      1 2015-05-20 16:10:11 UTC+0000
0xfffffa8001105b30 iexplore.exe           1352   2448     37      925      1      1 2015-05-20 16:11:00 UTC+0000

[root&windows]#volatility -f lab5.vmem --profile Win7SP1x64 dlllist -p 2448,1244,1352
Volatility Foundation Volatility Framework 2.4
************************************************************************
iexplore.exe pid:   2448
Command line : "C:\Program Files (x86)\Internet Explorer\iexplore.exe"
Note: use ldrmodules for listing DLLs in Wow64 processes

Presenter Notes

Looking for 2448:73347450

[root&windows]#volatility -f lab5.vmem --profile Win7SP1x64 ldrmodules  -p 2448
Volatility Foundation Volatility Framework 2.4
Pid      Process              Base               InLoad InInit InMem MappedPath
-------- -------------------- ------------------ ------ ------ ----- ----------
 2448 iexplore.exe         0x0000000073200000 False  False  False \Windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll

Presenter Notes

Dump DLL and view Strings

[root&windows]#mkdir comctl32
/bin/mkdir: created directory `comctl32'

[root&windows]#volatility -f lab5.vmem --profile Win7SP1x64 dlldump -p 2448 -b 0x0000000073200000 -D comctl32/
Volatility Foundation Volatility Framework 2.4
Process(V)         Name                 Module Base        Module Name          Result
------------------ -------------------- ------------------ -------------------- ------
0xfffffa8000dd0630 iexplore.exe         0x0000000073200000 UNKNOWN              OK: module.2448.3e5d0630.73200000.dll

[root&windows]#strings comctl32/module.2448.3e5d0630.73200000.dll | grep WindowsCodecs
WindowsCodecs.dll

Presenter Notes

WoW64

Windows On Windows

Interface between 32-bit NtDll.dll

Wow64.dll is interface between 32-bit applications and a 64-bit Kernel

Loads a x86 version of Ntdll.dll with all thunks (values) to Ntoskrnl.exe entry-point functions

Presenter Notes

Command History

Presenter Notes

Cmd.exe

No command history on disk like UNIX bash shell

Windows < 7 used csrss.exe with SYSTEM privileges to broker commands

  • Always running with machine powered on
  • Contains history buffer and stdio, stdout, stderr

Windows > 7 uses conhost.exe (console host) and runs with same permissions as user

Cmd.exe is a client-server architecture

Presenter Notes

Conhost.exe

Undocumented functions

  • SrvAllocCOnsole
  • AllocateCommandHistory
  • AddCommand
  • FindCommandHistory
  • RemoveCommand
  • FindMachingCommand
  • FindCommandHistory

Presenter Notes

Finding History

conhost.exe!_gConsoleInformation

Contains _COMMAND_HISTORY and _SCREEN_INFORMATION

Each history buffer has a _COMMAND for each command typed

Screen contains _ROW structs to show console windows height

Presenter Notes

conhost.exe!_gConsoleInformation

>>> dt("_CONSOLE_INFORMATION")
 '_CONSOLE_INFORMATION' (None bytes)
0x18  : ProcessList                    ['_LIST_ENTRY'] #_CONSOLE_PROCESS 
0x98  : CurrentScreenBuffer            ['pointer', ['_SCREEN_INFORMATION']]
0x9c  : ScreenBuffer                   ['pointer', ['_SCREEN_INFORMATION']]
0xd4  : HistoryList                    ['_LIST_ENTRY'] #_COMMAND_HISTORY
0xdc  : ExeAliasList                   ['_LIST_ENTRY']
0xe4  : HistoryBufferCount             ['unsigned short']
0xe6  : HistoryBufferMax               ['unsigned short']
0xe8  : CommandHistorySize             ['unsigned short']
0xec  : OriginalTitle                  ['pointer', ['String', {'length': 256, 'encoding': 'utf16'}]]
0xf0  : Title                          ['pointer', ['String', {'length': 256, 'encoding': 'utf16'}]]

Presenter Notes

_COMMAND_HISTORY In Memory

>>> dt("_COMMAND_HISTORY")
 '_COMMAND_HISTORY' (None bytes)
0x0   : ListEntry                      ['_LIST_ENTRY']
0x8   : Flags                          ['Flags', {'bitmap': {'Reset': 1, 'Allocated': 0}}]
0xc   : Application                    ['pointer', ['String', {'length': 256, 'encoding': 'utf16'}]]
0x10  : CommandCount                   ['short']
0x12  : LastAdded                      ['short']
0x14  : LastDisplayed                  ['short']
0x16  : FirstCommand                   ['short']
0x18  : CommandCountMax                ['short']
0x1c  : ProcessHandle                  ['unsigned int']
0x20  : PopupList                      ['_LIST_ENTRY']
0x28  : CommandBucket                  ['array', <function <lambda> at 0xa0ed10c>, ['pointer', ['_COMMAND']]]

>>> dt("_COMMAND")
 '_COMMAND' (None bytes)
0x0   : CmdLength                      ['unsigned short']
0x2   : Cmd                            ['String', {'length': <function <lambda> at 0xa0ed0d4>, 'encoding': 'utf16'}]

Presenter Notes

_SCREEN_INFORMATION in Memory

>>> dt("_SCREEN_INFORMATION")
 '_SCREEN_INFORMATION' (None bytes)
0x8   : ScreenX                        ['short']
0xa   : ScreenY                        ['short']
0x3c  : Rows                           ['pointer', ['array', <function <lambda> at 0xa0ed1ec>, ['_ROW']]]
0xdc  : Next                           ['pointer', ['_SCREEN_INFORMATION']]

#Content within screen buffer 
>>> dt("_ROW")
 '_ROW' (28 bytes)
0x8   : Chars                          ['pointer', ['String', {'length': 256, 'encoding': 'utf16'}]]

Presenter Notes

Graphical

Presenter Notes

Console Settings?

HKEY_CURRENT_USER\Console

  • HistoryBufferSize
  • NumberOfHistoryBuffers

Changed from cmd.exe itself... screen buffer, window size, font, etc...

Volatility allows configurable settings to be altered

  • -h on plugins shows how to adjust size
  • biffer size and command count

Presenter Notes

CmdScan

Extract command history by scanning for _COMMAND_HISTORY

Locate command history with default size (50)

Searches in pages owned by csrss or conhost

Validates _COMMAND_HISTORY

Traverse CommandBucket

Shows which broker is being used and which applications used it

Presenter Notes

CmdScan

[root&windows]#volatility -f Win7.bin --profile=Win7SP0x64 cmdscan
Volatility Foundation Volatility Framework 2.4
**************************************************
CommandProcess: conhost.exe Pid: 2132
CommandHistory: 0x1de4c0 Application: TPAutoConnect.exe Flags: Allocated
CommandCount: 0 LastAdded: -1 LastDisplayed: -1
FirstCommand: 0 CommandCountMax: 50
ProcessHandle: 0x60
**************************************************
CommandProcess: conhost.exe Pid: 112
CommandHistory: 0x2cf9e0 Application: cmd.exe Flags: Allocated, Reset
CommandCount: 9 LastAdded: 8 LastDisplayed: 8
FirstCommand: 0 CommandCountMax: 50
ProcessHandle: 0x68
Cmd #0 @ 0x2ce4b0: ipconfig
Cmd #1 @ 0x2ceee0: ping 4.2.2.2
Cmd #2 @ 0x2cef10: ping google.com
Cmd #3 @ 0x2ce4f0: cd ..
Cmd #4 @ 0x2ce1b0: dir
Cmd #5 @ 0x2ce510: cd ..
Cmd #6 @ 0x2ce250: dir
Cmd #7 @ 0x2ce530: cd bin
Cmd #8 @ 0x2cfc70: dir

Presenter Notes

Consoles

Scans for _CONSOLE_INFORMATION

Access to screen buffers

  • stdout, stderr, stdin

Presenter Notes

Consoles

**************************************************
ConsoleProcess: csrss.exe Pid: 7888
Console: 0x4c2404 CommandHistorySize: 50
HistoryBufferCount: 4 HistoryBufferMax: 4
OriginalTitle: Command Prompt
Title: Command Prompt
AttachedProcess: cmd.exe Pid: 5544 Handle: 0x25c
----
CommandHistory: 0x4c2c30 Application: cmd.exe Flags: Allocated, Reset
CommandCount: 12 LastAdded: 11 LastDisplayed: 11
FirstCommand: 0 CommandCountMax: 50
ProcessHandle: 0x25c
Cmd #0 at 0x4c1f90: d:
Cmd #1 at 0xf41280: cd inetlogs
Cmd #2 at 0xf412e8: cd w*46
Cmd #3 at 0xf41340: type <REDACTED>.log | find "<REDACTED>.jpg" | find "GET"
Cmd #4 at 0xf41b10: c:
Cmd #5 at 0xf412a0: cd\windows\system32\<REDACTED>\sample
Cmd #6 at 0xf41b20: ftp <REDACTED>.com
Cmd #7 at 0xf41948: notepad <REDACTED>.log
Cmd #8 at 0x4c2388: notepad <REDACTED>.log
Cmd #9 at 0xf43e70: ftp <REDACTED>.com
Cmd #10 at 0xf43fb0: dir
Cmd #11 at 0xf41550: notepad <REDACTED>.log
----
Screen 0x4c2b10 X:80 Y:3000
Dump:
Microsoft Windows [Version 5.2.3790]
(C) Copyright 1985-2003 Microsoft Corp.
C:\WINDOWS\system32\<REDACTED>\sample>dir
Volume in drive C has no label.
Volume Serial Number is AC20-A7D1
Directory of C:\WINDOWS\system32\<REDACTED>\sample
05/22/2012 09:18 PM <DIR> .
05/22/2012 09:18 PM <DIR> ..
02/28/2012 08:30 AM 0 <REDACTED>.att
02/28/2012 08:30 AM 341 <REDACTED>.bdy
02/28/2012 08:30 AM 474 <REDACTED>.epj
02/28/2012 08:30 AM 0 <REDACTED>.fad
02/28/2012 08:27 AM 100 <REDACTED>.txt
02/28/2012 08:30 AM 0 <REDACTED>.vad
08/03/2011 06:48 AM 323 <REDACTED>.vbs
02/28/2012 08:05 AM 501,760 <REDACTED>.hlp
05/22/2012 09:18 PM 44,184,520 <REDACTED>.log
05/22/2012 09:10 PM 24,686,680 <REDACTED>.log
05/22/2012 09:09 PM 3,272,096 <REDACTED>.log
05/21/2012 01:25 AM 28,672 JpgCommand.exe
08/03/2011 06:49 AM 4,608 <REDACTED>.exe
01/20/2012 09:07 AM 57,344 <REDACTED>.hlp
14 File(s) 72,736,918 bytes
2 Dir(s) 39,034,490,880 bytes free

Presenter Notes

EOF

Presenter Notes