Windows Plugins
Support for Windows memory analysis.
analyze_struct
View SourceA plugin to analyze a memory location.
Plugin Arguments
offset | A virtual address to analyze. (type: SymbolAddress) |
search | How far back to search for pool tag. (type: IntParser)
|
size | How many elements to identify. (type: IntParser)
|
verbosity | An integer reflecting the amount of desired output: 0 = quiet, 10 = noisy. (type: IntParser)
|
The Windows kernel allocates memory from “pool space”. To ease debugging memory leaks, the kernel uses a unique “Pool Tag” to tag many allocations. Each kernel subsystem or driver would use a specific tag to keep track of its allocation.
We can use this fact when we look at some undocumented, or unknown memory
region. This is what the analyze_struct plugin does:
- It first searched back from the address of interest to determine if this address is part of a pool allocation. The plugin will report the pool tag of this allocation as well as its size and starting offset.
- For each slot in the struct, the plugin assumes it is a pointer to something, and checks if whatever it is pointing to is a pool allocation or a known address.
We can use this to get an idea of what exists at this memory location and its struct layout.
In the below example, we pick an _EPROCESS from the output of pslist and
search for pointers to it somewhere in kernel memory (There are many pointers!
We just picked one for this example.). We then use the analyze_struct plugin
to discover that the pointer resides in an allocation with the pool tag
‘ObHd’. We can search the kernel disassembly to realize this is an Object
Handle. Note how we use grep to search for the little endian representation of
the _EPROCESS address.
[1] win7.elf 23:14:38> pslist
_EPROCESS Name PID PPID Thds Hnds Sess Wow64 Start Exit
-------------- -------------------- ----- ------ ------ -------- ------ ------ ------------------------ ------------------------
....
0xfa8002ad0190 cmd.exe 2644 2616 2 66 1 True 2012-10-01 14:40:20Z -
[1] win7.elf 23:14:55> grep keyword="\x90\x01\xad\x02\x80\xfa"
....
Offset Data Comment
-------------- ----------------------------------------------------------------- ----------------------------------------
0xf8a0013d8ad8 60 40 a9 02 80 fa ff ff 01 00 00 00 00 00 00 00 `@..............
0xf8a0013d8ae8 90 01 ad 02 80 fa ff ff 01 00 00 00 00 00 00 00 ................
0xf8a0013d8af8 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
...
[1] win7.elf 23:17:20> analyze_struct 0xf8a0013d8ae8
0xf8a0013d8ae8 is inside pool allocation with tag 'ObHd' (0xf8a0013d8a30) and size 0x100
Offset Content
-------------- -------
0x0 Data:0xfa8002ad0190 Tag:Pro\xe3 @0xfa8002ad0190 (0x530)
0x8 Data:0x1
0x10 Data:0x0
0x18 Data:0x0
0x20 Data:0x0
0x28 Data:0x0
0x30 Data:0xfa80017f9060 Tag:Pro\xe3 @0xfa80017f9060 (0x530)
0x38 Data:0x1
0x40 Data:0x730061006c
0x48 Data:0x744e034d0110
0x50 Data:0x490053004c
0x58 Data:0xa4801280702
0x60 Data:0x981e
0x68 Data:0x100000000
0x70 Data:0x0
[1] win7.elf 23:22:25> hex(struct.unpack("<I", 'ObHd')[0])
Out<24> '0x6448624f'
[1] win7.elf 23:22:33> dis "nt!ObpInsertHandleCount"
---------------------> dis("nt!ObpInsertHandleCount")
Address Rel Op Codes Instruction Comment
------- -------------- -------------------- ---------------------------------------- -------
------ nt!ObpInsertHandleCount ------: 0xf80002976010
0xf80002976010 0x0 48895c2408 mov qword ptr [rsp + 8], rbx
0xf80002976015 0x5 48896c2410 mov qword ptr [rsp + 0x10], rbp
....
0xf80002976089 0x79 41b84f624864 mov r8d, 0x6448624f
0xf8000297608f 0x7f e83cd3e4ff call 0xf800027c33d0 nt!ExAllocatePoolWithTag
0xf80002976094 0x84 4885c0 test rax, rax
0xf80002976097 0x87 0f84dacd0400 je 0xf800029c2e77 nt!ExpProfileCreate+0x9d57
0xf8000297609d 0x8d 458bc5 mov r8d, r13d
callbacks
View SourceEnumerate callback routines.
This plugin just enumerates installed callback routines from various sources. It does not scan for them.
This plugin is loosely based on the original Volatility plugin of the same name but much expanded using new information.
Reference: http://www.codemachine.com/notes.html
Plugin Arguments
verbosity | An integer reflecting the amount of desired output: 0 = quiet, 10 = noisy. (type: IntParser)
|
The Windows kernel has a facility to register callbacks for certain events. This
is often misused by malware in order to gain persistence. The callbacks plugin
enumerates these callbacks.
Since Rekall has an address resolver, we can often say more about what exists at each of the callback locations. Normally Rekall only tracks the profile for certain binaries (such as the kernel).
In the below example the callbacks plugins resolves the address of kernel symbols precisely since it has the kernel profile loaded. Other symbols are give approximately as their distance from the module’s export table.
Suppose we want to verify what is the callback in the “wdf01000” driver. We can instruct the address resolver to download the profile from the Microsoft symbol server. Once the profile is downloaded, Rekall can determine the exact function name registered (wdf01000!FxpBugCheckCallback).
[1] win7.elf 00:59:59> callbacks
---------------------> callbacks()
Type Offset Callback Symbol Details
------------------------------------ -------------- -------------- -------------------------------------------------- -------
nt!PspLoadImageNotifyRoutine 0xf8000283e4a0 0xf800029acb68 nt!EtwpTraceLoadImage
nt!PspCreateProcessNotifyRoutine 0xf8000283e720 0xf8000265af28 nt!ViCreateProcessCallback
nt!PspCreateProcessNotifyRoutine 0xf8000283e728 0xf88001211330 ksecdd!AcceptSecurityContext+0x230
nt!PspCreateProcessNotifyRoutine 0xf8000283e730 0xf8800112b910 cng!SystemPrng+0x6a0
nt!PspCreateProcessNotifyRoutine 0xf8000283e738 0xf8800164c390 tcpip!CreateProcessNotifyRoutineEx
nt!PspCreateProcessNotifyRoutine 0xf8000283e740 0xf88000d01b94 ci!CiFreePolicyInfo+0xce84
nt!KeBugCheckCallbackListHead 0xfa80019c3ea0 0xf880014548f0 ndis!NdisGetSharedDataAlignment+0x10 Ndis min
nt!KeBugCheckCallbackListHead 0xfa80019a4ea0 0xf880014548f0 ndis!NdisGetSharedDataAlignment+0x10 Ndis min
nt!KeBugCheckCallbackListHead 0xfa80019a1ea0 0xf880014548f0 ndis!NdisGetSharedDataAlignment+0x10 Ndis min
nt!KeBugCheckCallbackListHead 0xf80002c25400 0xf80002c0eef4 hal!HalQueryMaximumProcessorCount+0x54c ACPI x64
nt!KeBugCheckReasonCallbackListHead 0xfa80026549f8 0xf88000efd054 wdf01000+0x7a054 PEAUTH
nt!KeBugCheckReasonCallbackListHead 0xfa8000927f88 0xf88000efd054 wdf01000+0x7a054 monitor
[1] win7.elf 02:04:35> address_resolver "wdf01000"
---------------------> address_resolver("wdf01000") |
Trying to fetch http://msdl.microsoft.com/download/symbols/wdf01000.pdb/99521C1B360441A9A1EAECC9E5087A251/wdf01000.pd_
Trying to fetch http://msdl.microsoft.com/download/symbols/wdf01000.pdb/99521C1B360441A9A1EAECC9E5087A251/wdf01000.pd_
Extracting cabinet: /tmp/tmpnOmJvR/wdf01000.pd_
extracting Wdf01000.pdb
All done, no errors.
Out<1> Plugin: address_resolver
1] win7.elf 02:05:08> callbacks
---------------------> callbacks()
Type Offset Callback Symbol Details
------------------------------------ -------------- -------------- -------------------------------------------------- -------
nt!PspLoadImageNotifyRoutine 0xf8000283e4a0 0xf800029acb68 nt!EtwpTraceLoadImage
nt!PspCreateProcessNotifyRoutine 0xf8000283e720 0xf8000265af28 nt!ViCreateProcessCallback
nt!PspCreateProcessNotifyRoutine 0xf8000283e728 0xf88001211330 ksecdd!AcceptSecurityContext+0x230
nt!PspCreateProcessNotifyRoutine 0xf8000283e730 0xf8800112b910 cng!SystemPrng+0x6a0
nt!PspCreateProcessNotifyRoutine 0xf8000283e738 0xf8800164c390 tcpip!CreateProcessNotifyRoutineEx
nt!PspCreateProcessNotifyRoutine 0xf8000283e740 0xf88000d01b94 ci!CiFreePolicyInfo+0xce84
nt!KeBugCheckCallbackListHead 0xfa80019c3ea0 0xf880014548f0 ndis!NdisGetSharedDataAlignment+0x10 Ndis min
nt!KeBugCheckCallbackListHead 0xfa80019a4ea0 0xf880014548f0 ndis!NdisGetSharedDataAlignment+0x10 Ndis min
nt!KeBugCheckCallbackListHead 0xfa80019a1ea0 0xf880014548f0 ndis!NdisGetSharedDataAlignment+0x10 Ndis min
nt!KeBugCheckCallbackListHead 0xf80002c25400 0xf80002c0eef4 hal!HalQueryMaximumProcessorCount+0x54c ACPI x64
nt!KeBugCheckReasonCallbackListHead 0xfa80026549f8 0xf88000efd054 wdf01000!FxpBugCheckCallback PEAUTH
nt!KeBugCheckReasonCallbackListHead 0xfa8000927f88 0xf88000efd054 wdf01000!FxpBugCheckCallback monitor
nt!KeBugCheckReasonCallbackListHead 0xfa80021f54b0 0xf88003edaf40 mouhid+0x3f40 mouhid
cc
View SourceA cc plugin for windows.
Plugin Arguments
eprocess | Kernel addresses of eprocess structs. (type: ArrayIntParser)
|
method | Method to list processes. (type: ChoiceArray)
|
pids | One or more pids of processes to select. (type: ArrayIntParser)
|
proc_regex | A regex to select a process by name. (type: RegEx) |
verbosity | An integer reflecting the amount of desired output: 0 = quiet, 10 = noisy. (type: IntParser)
|
check_pehooks
View SourceChecks a pe file mapped into memory for hooks.
Plugin Arguments
image_base | The base address of the pe image in memory. (type: SymbolAddress)
|
thorough | By default we take some optimization. This flags forces thorough but slower checks. (type: Boolean)
|
type | Type of hook to display. (type: Choice)
|
verbosity | An integer reflecting the amount of desired output: 0 = quiet, 10 = noisy. (type: IntParser)
|
cmdscan
View SourceExtract command history by scanning for _COMMAND_HISTORY
Plugin Arguments
max_history | Value of history buffer size. See HKEY_CURRENT_USER\Console\HistoryBufferSize for default. (type: IntParser)
|
verbosity | An integer reflecting the amount of desired output: 0 = quiet, 10 = noisy. (type: IntParser)
|
The cmdscan plugin searches the memory of csrss.exe on XP/2003/Vista/2008 and conhost.exe on Windows 7 for commands that attackers entered through a console shell (cmd.exe). This is one of the most powerful commands you can use to gain visibility into an attackers actions on a victim system, whether they opened cmd.exe through an RDP session or proxied input/output to a command shell from a networked backdoor.
This plugin finds structures known as COMMAND_HISTORY by looking for a known constant value (MaxHistory) and then applying sanity checks. It is important to note that the MaxHistory value can be changed by right clicking in the top left of a cmd.exe window and going to Properties. The value can also be changed for all consoles opened by a given user by modifying the registry key HKCU\Console\HistoryBufferSize. The default is 50 on Windows systems, meaning the most recent 50 commands are saved. You can tweak it if needed by using the –max_history=NUMBER parameter.
The structures used by this plugin are not public (i.e. Microsoft does not produce PDBs for them), thus they’re not available in WinDBG or any other forensic framework. They were reverse engineered by Michael Ligh from the conhost.exe and winsrv.dll binaries.
In addition to the commands entered into a shell, this plugin shows:
-
The name of the console host process (csrss.exe or conhost.exe)
-
The name of the application using the console (whatever process is using cmd.exe)
-
The location of the command history buffers, including the current buffer count, last added command, and last displayed command
-
The application process handle
Due to the scanning technique this plugin uses, it has the capability to find commands from both active and closed consoles.
Notes
This plugin is pretty fragile since it relies on reversed structures in undocumented code. We are working on improving the situation here but there is a moderate chance that it will produce no results or garbage results.
Sample Output
The following showing an operator using the winpmem acquisition tool to analyse the live memory of a Windows 7 machine.
win7.elf 22:15:39> cmdscan
-----------------> cmdscan()
**************************************************
CommandProcess: conhost.exe Pid: 2652
CommandHistory: 0x7ea40 Application: cmd.exe Flags: Allocated, Reset
CommandCount: 3 LastAdded: 2 LastDisplayed: 2
FirstCommand: 0 CommandCountMax: 50
ProcessHandle: 0x5c
Cmd Address Text
--- -------------- --------------------------------------------------
0 0x00000005ea70 cd \Users\a\Desktop
1 0x00000005b920 winpmem_1.1-write.exe -w -l
2 0x0000000b3e70 vol.exe --profile Win7SP1x64 --file \\.\pmem
15 0x000000040158
16 0x00000007d3b0
**************************************************
CommandProcess: conhost.exe Pid: 2652
CommandHistory: 0xb40c0 Application: vol.exe Flags: Allocated
CommandCount: 0 LastAdded: -1 LastDisplayed: -1
FirstCommand: 0 CommandCountMax: 50
ProcessHandle: 0xd4
Cmd Address Text
--- -------------- --------------------------------------------------
0 0x0000001f77e0
3 0x000000060ef0
5 0x0000001f77e0
8 0x000000060ef0
10 0x0000001f77e0
13 0x0000ffd96238
14 0x00000007ec20
15 0x0000001f7720
23 0x0000000610a0
24 0x0000000974e0
**************************************************
CommandProcess: conhost.exe Pid: 2652
CommandHistory: 0xb4410 Application: vol.exe Flags: Allocated
CommandCount: 0 LastAdded: -1 LastDisplayed: -1
FirstCommand: 0 CommandCountMax: 50
ProcessHandle: 0xd8
Cmd Address Text
--- -------------- --------------------------------------------------
connections
View SourcePrint list of open connections [Windows XP Only]
This module enumerates the active connections from tcpip.sys.
Note that if you are using a hibernated image this might not work because Windows closes all sockets before hibernating. You might find it more effective to do conscan instead.
Active TCP connections are found in a hash table. The Hash table is given by the _TCBTable symbol. The size of the hash table is found in the _MaxHashTableSize variable.
Plugin Arguments
tcpip_guid | Force this profile to be used for tcpip. |
verbosity | An integer reflecting the amount of desired output: 0 = quiet, 10 = noisy. (type: IntParser)
|
Prior to Windows 7, the windows TCP/IP stack uses objects of type _TCP_OBJECT to track TCP endpoints. These are the objects parsed by this module, hence this module will only be available on images from windows XP.
This module walks the _TCP_OBJECT hash tables and displays information related to the TCP endpoints.
Notes
-
This plugin depends on exported debugging symbols, and therefore requires the correct tcpip profile to be loaded from the profile repository. See the FAQ if you need to generate a profile.
-
For later versions of windows use the netscan or the netstat modules.
Sample output
xp-laptop-2005-06-25.img 23:00:24> connections
---------------------------------> connections()
Offset (V) Local Address Remote Address Pid
---------- ------------------------- ------------------------- ------
0x820869b0 127.0.0.1:1055 127.0.0.1:1056 2160
0xffa2baf0 127.0.0.1:1056 127.0.0.1:1055 2160
0x8220c008 192.168.2.7:1077 64.62.243.144:80 2392
0x81f11e70 192.168.2.7:1082 205.161.7.134:80 2392
0x8220d6b8 192.168.2.7:1066 199.239.137.200:80 2392
connscan
View SourceScan Physical memory for _TCPT_OBJECT objects (tcp connections)
Plugin Arguments
eprocess | Kernel addresses of eprocess structs. (type: ArrayIntParser)
|
limit | The length of data to search in each selected region. (type: IntParser)
|
method | Method to list processes. (type: ChoiceArray)
|
pids | One or more pids of processes to select. (type: ArrayIntParser)
|
proc_regex | A regex to select a process by name. (type: RegEx) |
scan_kernel | Scan the entire kernel address space. (type: Boolean)
|
scan_kernel_code | Scan the kernel image and loaded drivers. (type: Boolean)
|
scan_kernel_nonpaged_pool | Scan the kernel non-paged pool. (type: Boolean)
|
scan_kernel_paged_pool | Scan the kernel paged pool. (type: Boolean)
|
scan_kernel_session_pools | Scan session pools for all processes. (type: Boolean)
|
scan_physical | Scan the physical address space only. (type: Boolean)
|
scan_process_memory | Scan all of process memory. Uses process selectors to narrow down selections. (type: Boolean)
|
tcpip_guid | Force this profile to be used for tcpip. |
verbosity | An integer reflecting the amount of desired output: 0 = quiet, 10 = noisy. (type: IntParser)
|
Similar to the connections plugin, this plugin searches from _TCP_OBJECT structs. However, it employs pool scanning techniques.
Notes
-
This plugin only works on versions of winsows prior to Win7.
-
Since the plugin may recover freed pool memory, the data may have been overwritten. This might produce garbage results for terminated connections.
Sample output.
Note the nonsensical connection for local address 3.0.48.2 and the incorrect pid number below.
xp-laptop-2005-06-25.img 23:00:29> connscan
---------------------------------> connscan()
Offset(P) Local Address Remote Address Pid
---------- ------------------------- ------------------------- ----------
0x01370e70 192.168.2.7:1115 207.126.123.29:80 1916
0x01ed1a50 3.0.48.2:17985 66.179.81.245:20084 4287933200
0x01f0e358 192.168.2.7:1164 66.179.81.247:80 944
0x01f11e70 192.168.2.7:1082 205.161.7.134:80 2392
0x01f35cd0 192.168.2.7:1086 199.239.137.200:80 1916
0x01f88e70 192.168.2.7:1162 170.224.8.51:80 1916
0x020869b0 127.0.0.1:1055 127.0.0.1:1056 2160
consoles
View SourceEnumerate command consoles.
Plugin Arguments
verbosity | An integer reflecting the amount of desired output: 0 = quiet, 10 = noisy. (type: IntParser)
|
Similar to cmdscan the consoles plugin finds commands that attackers typed into cmd.exe or executed via backdoors. However, instead of scanning for COMMAND_HISTORY, this plugin scans for CONSOLE_INFORMATION. The major advantage to this plugin is it not only prints the commands attackers typed, but it collects the entire screen buffer (input and output). For instance, instead of just seeing “dir”, you’ll see exactly what the attacker saw, including all files and directories listed by the “dir” command.
Additionally, this plugin prints the following:
- The original console window title and current console window title
- The name and pid of attached processes (walks a LIST_ENTRY to enumerate all of them if more than one)
- Any aliases associated with the commands executed. For example, attackers can register an alias such that typing “hello” actually executes “cd system”
- The screen coordinates of the cmd.exe console.
Notes
This plugin is pretty fragile since it relies on reversed structures in undocumented code. We are working on improving the situation here but there is a moderate chance that it will produce no results or garbage results.
Sample Output
win7.elf 22:23:10> consoles
**************************************************
ConsoleProcess: conhost.exe Pid: 2652
Console: 0xffd96200 CommandHistorySize: 50
HistoryBufferCount: 4 HistoryBufferMax: 4
OriginalTitle: Console2 command window
Title: Administrator: Console2 command window - vol.exe --profile Win7SP1x64 --file \\.\pmem
AttachedProcess: vol.exe Pid: 2920 Handle: 0xd8
AttachedProcess: vol.exe Pid: 2912 Handle: 0xd4
AttachedProcess: cmd.exe Pid: 2644 Handle: 0x5c
----
CommandHistory: 0xb4410 Application: vol.exe Flags: Allocated
CommandCount: 0 LastAdded: -1 LastDisplayed: -1
FirstCommand: 0 CommandCountMax: 50
ProcessHandle: 0xd8
----
CommandHistory: 0xb40c0 Application: vol.exe Flags: Allocated
CommandCount: 0 LastAdded: -1 LastDisplayed: -1
FirstCommand: 0 CommandCountMax: 50
ProcessHandle: 0xd4
----
CommandHistory: 0xb3ee0 Application: winpmem_1.1-write.exe Flags:
CommandCount: 0 LastAdded: -1 LastDisplayed: -1
FirstCommand: 0 CommandCountMax: 50
ProcessHandle: 0x0
----
CommandHistory: 0x7ea40 Application: cmd.exe Flags: Allocated, Reset
CommandCount: 3 LastAdded: 2 LastDisplayed: 2
FirstCommand: 0 CommandCountMax: 50
ProcessHandle: 0x5c
Cmd #0 at 0x5ea70: cd \Users\a\Desktop
Cmd #1 at 0x5b920: winpmem_1.1-write.exe -w -l
Cmd #2 at 0xb3e70: vol.exe --profile Win7SP1x64 --file \\.\pmem
----
Screen 0x60ef0 X:117 Y:500
Dump:
Microsoft Windows [Version 6.1.7600]
Copyright (c) 2009 Microsoft Corporation. All rights reserved.
C:\Windows\system32>cd \Users\a\Desktop
C:\Users\a\Desktop>winpmem_1.1-write.exe -w -l
Will enable write mode
Loaded Driver.
C:\Users\a\Desktop>vol.exe --profile Win7SP1x64 --file \\.\pmem
Python 2.7.3 (default, Apr 10 2012, 23:31:26) [MSC v.1500 32 bit (Intel)]
Type "copyright", "credits" or "license" for more information.
IPython 0.12.1 -- An enhanced Interactive Python.
? -> Introduction and overview of IPython's features.
%quickref -> Quick reference.
help -> Python's own help system.
object? -> Details about 'object', use 'object??' for extra details.
The Volatility Memory Forensic Framework technology preview (3.0_tp2).
NOTE: This is pre-release software and is provided for evauation only. Please
check at http://volatility.googlecode.com/ for officially supported versions.
This program is free software; you can redistribute it and/or modify it under
the terms of the GNU General Public License.
Win7SP1x64:pmem 07:41:08> pslist
------------------------> pslist()
Offset (V) Name PID PPID Thds Hnds Sess Wow64 Start Exit
-------------- -------------------- ------ ------ ------ -------- ------ ------ -------------------- ----------------
----
0xfa80008959e0 System 4 0 85 502 ------ False 2012-10-01 21:39:51 -
0xfa8001994310 smss.exe 272 4 2 29 ------ False 2012-10-01 21:39:51 -
devicetree
View SourceShow device tree.
Plugin Arguments
eprocess | Kernel addresses of eprocess structs. (type: ArrayIntParser)
|
limit | The length of data to search in each selected region. (type: IntParser)
|
method | Method to list processes. (type: ChoiceArray)
|
pids | One or more pids of processes to select. (type: ArrayIntParser)
|
proc_regex | A regex to select a process by name. (type: RegEx) |
scan_kernel | Scan the entire kernel address space. (type: Boolean)
|
scan_kernel_code | Scan the kernel image and loaded drivers. (type: Boolean)
|
scan_kernel_nonpaged_pool | Scan the kernel non-paged pool. (type: Boolean)
|
scan_kernel_paged_pool | Scan the kernel paged pool. (type: Boolean)
|
scan_kernel_session_pools | Scan session pools for all processes. (type: Boolean)
|
scan_physical | Scan the physical address space only. (type: Boolean)
|
scan_process_memory | Scan all of process memory. Uses process selectors to narrow down selections. (type: Boolean)
|
verbosity | An integer reflecting the amount of desired output: 0 = quiet, 10 = noisy. (type: IntParser)
|
Windows uses a layered driver architecture, or driver chain so that multiple drivers can inspect or respond to an IRP. Rootkits often insert drivers (or devices) into this chain for filtering purposes (to hide files, hide network connections, steal keystrokes or mouse movements). The devicetree plugin shows the relationship of a driver object to its devices (by walking _DRIVER_OBJECT.DeviceObject.NextDevice) and any attached devices (_DRIVER_OBJECT.DeviceObject.AttachedDevice).
Notes
In the current implementation this plugin uses scanning methods to locate the driver and device objects. This is an inefficient method which is also susceptible to false positives and active subversion. We are working on converting this plugin to use the object_tree plugin to directly parse kernel driver structures.
Sample output
[snip]
DRV 0x2bb31060 \Driver\winpmem
---| DEV 0xfa80019ba060 pmem FILE_DEVICE_UNKNOWN
DRV 0x2bb36600 \Driver\TermDD
---| DEV 0xfa80019ff040 - FILE_DEVICE_8042_PORT
------| ATT 0xfa80019ff980 - - \Driver\mouclass FILE_DEVICE_MOUSE
---| DEV 0xfa80019e2040 - FILE_DEVICE_8042_PORT
------| ATT 0xfa80019e2960 - - \Driver\kbdclass FILE_DEVICE_KEYBOARD
[snip]
In the above we can see that the winpmem driver has a device called “pmem”. We also can see the mouse and keyboard drivers attached to the terminal services driver.
dis
View SourceDisassemble the given offset.
Plugin Arguments
address_space | The address space to use. (type: AddressSpace) |
branch | If set we follow all branches to cover all code. (type: Boolean)
|
canonical | If set emit canonical instructions. These can be used to develop signatures. (type: Boolean)
|
end | The end address to disassemble up to. (type: IntParser) |
length | The number of instructions (lines) to disassemble. (type: IntParser) |
mode | Disassemble Mode (AMD64 or I386). Defaults to ‘auto’. (type: Choices)
|
offset | An offset to disassemble. This can also be the name of a symbol with an optional offset. For example: tcpip!TcpCovetNetBufferList. (type: SymbolAddress) |
verbosity | An integer reflecting the amount of desired output: 0 = quiet, 10 = noisy. (type: IntParser)
|
This plugin is used to disassemble memory regions. The offset to disassemble may be given as:
-
An address in the current default address space (See the cc plugin for an explaination of the default address space).
-
The name of a kernel module with an optional symbol name. The symbol may be an experted symbol, or non-exported symbol as defined in the pdb file for that kernel module.
Notes
-
When using the interactive console you can complete symbol names by double tapping the [tab] key. For example dis “nt!KiSetTi[tab][tab].
-
Rekall attempts to resolve addresses in the disassembly back to known symbol names. Additionally, for indirect operations, Rekall also prints the current value of the memory location. This feature is especially useful for understanding where indirect jumps are going - without needing to consider PE import tables etc. This works since the IAT is already patched into memory, hence Rekall can completely ignore IAT resoltion (unlike a standalone PE analyser like IDA).
Sample output
Here we disassemble the kernel function KiSetTimerEx to observe the DPC pointer obfuscation that Patch Guard uses on 64 bit Windows 7. We can see the names of the symbols used and their current values, as well as the name of internally called functions.
win7.elf 23:48:14> dis "nt!KiSetTimerEx"
-----------------> dis("nt!KiSetTimerEx")
Address Rel Op Codes Instruction Comment
-------------- ---- -------------------- ------------------------------ -------
------ nt!KiSetTimerEx ------
0xf8000269d4f0 0 48895c2408 MOV [RSP+0x8], RBX
0xf8000269d4f5 5 4889542410 MOV [RSP+0x10], RDX
0xf8000269d4fa A 55 PUSH RBP
0xf8000269d4fb B 56 PUSH RSI
0xf8000269d4fc C 57 PUSH RDI
0xf8000269d4fd D 4154 PUSH R12
0xf8000269d4ff F 4155 PUSH R13
0xf8000269d501 11 4156 PUSH R14
0xf8000269d503 13 4157 PUSH R15
0xf8000269d505 15 4883ec50 SUB RSP, 0x50
0xf8000269d509 19 488b05f09b2200 MOV RAX, [RIP+0x229bf0] 0x6D7CFFA404933FBB nt!KiWaitNever
0xf8000269d510 20 488b1dc19c2200 MOV RBX, [RIP+0x229cc1] 0x933DD660CFFF8004 nt!KiWaitAlways
0xf8000269d517 27 4c8bb424b0000000 MOV R14, [RSP+0xb0]
0xf8000269d51f 2F 4933de XOR RBX, R14
0xf8000269d522 32 488bf1 MOV RSI, RCX
0xf8000269d525 35 450fb6f9 MOVZX R15D, R9B
0xf8000269d529 39 480fcb BSWAP RBX
0xf8000269d52c 3C 418bf8 MOV EDI, R8D
0xf8000269d52f 3F 4833d9 XOR RBX, RCX
0xf8000269d532 42 8bc8 MOV ECX, EAX
0xf8000269d534 44 48d3cb ROR RBX, CL
0xf8000269d537 47 4833d8 XOR RBX, RAX
0xf8000269d53a 4A 450f20c4 MOV R12, CR8
0xf8000269d53e 4E b802000000 MOV EAX, 0x2
0xf8000269d543 53 440f22c0 MOV CR8, RAX
0xf8000269d547 57 65488b2c2520000000 MOV RBP, [GS:0x20]
0xf8000269d550 60 33d2 XOR EDX, EDX
0xf8000269d552 62 488bce MOV RCX, RSI
0xf8000269d555 65 e8f6b0ffff CALL 0xf80002698650 nt!KiCancelTimer
0xf8000269d55a 6A 48895e30 MOV [RSI+0x30], RBX
dlldump
View SourceDump DLLs from a process address space
Plugin Arguments
dump_dir | Path suitable for dumping files. (type: String) |
eprocess | Kernel addresses of eprocess structs. (type: ArrayIntParser)
|
method | Method to list processes. (type: ChoiceArray)
|
out_fd | A file like object to write the output. (type: String) |
pids | One or more pids of processes to select. (type: ArrayIntParser)
|
proc_regex | A regex to select a process by name. (type: RegEx) |
regex | A Regular expression for selecting the dlls to dump. (type: RegEx)
|
verbosity | An integer reflecting the amount of desired output: 0 = quiet, 10 = noisy. (type: IntParser)
|
To extract a DLL from a process’s memory space and dump it to disk for analysis, use the dlldump command. All the usual process selectors are supported. Additionally a regular expression can be specified for the DLL name to dump.
Note
-
In order to dump any PE file from memory we need the PE header to be memory resident. Often this is not the case, and the header is flushed out of virtual memory. In this case it is still possible to dump parts of the PE image using the vaddump plugin.
-
When dumping any binary from memory, it is not usually a perfect binary (i.e. you can not just run it). This is because the Import Address Table (IAT) reflects the patched version in memory and some pages may be missing. The resultant binary is probably only useful to analyses using a tool like IDA pro.
Sample output
win8.1.raw 14:51:37> dlldump proc_regex="winpmem", dump_dir="/tmp/"
-------------------> dlldump(proc_regex="winpmem", dump_dir="/tmp/")
_EPROCESS Name Base Module Dump File
-------------- ---------------- -------------- -------------------- ---------
0xe0000204a900 winpmem_1.5.2. 0x000000020000 winpmem_1.5.2.exe module.2628.3d04a900.20000.winpmem_1.5.2.exe
0xe0000204a900 winpmem_1.5.2. 0x7ff87f320000 ntdll.dll module.2628.3d04a900.7ff87f320000.ntdll.dll
0xe0000204a900 winpmem_1.5.2. 0x000076f50000 wow64.dll module.2628.3d04a900.76f50000.wow64.dll
0xe0000204a900 winpmem_1.5.2. 0x000076fa0000 wow64win.dll module.2628.3d04a900.76fa0000.wow64win.dll
0xe0000204a900 winpmem_1.5.2. 0x000077010000 wow64cpu.dll module.2628.3d04a900.77010000.wow64cpu.dll
dlllist
View SourcePrints a list of dll modules mapped into each process.
Plugin Arguments
eprocess | Kernel addresses of eprocess structs. (type: ArrayIntParser)
|
method | Method to list processes. (type: ChoiceArray)
|
pids | One or more pids of processes to select. (type: ArrayIntParser)
|
proc_regex | A regex to select a process by name. (type: RegEx) |
verbosity | An integer reflecting the amount of desired output: 0 = quiet, 10 = noisy. (type: IntParser)
|
Lists dll modules loaded into a process by following the doubly linked list of LDR_DATA_TABLE_ENTRY stored in in _EPROCESS.Peb.Ldr.InLoadOrderModuleList. DLLs are automatically added to this list when a process calls LoadLibrary (or some derivative such as LdrLoadDll) and they aren’t removed until FreeLibrary is called and the reference count reaches zero.
All the usual process selectors are supported.
Note
-
Wow64 processes (i.e. 32 bit binaries running on 64 bit windows) load dlls through a different mechanism.
-
Since the InLoadOrderModuleList is maintained in the process address space, it is simple to manipulate from Ring 3 (without kernel access). This means that this plugin may not show all the linked in DLLs.
-
A better plugin to use is the ldrmodules plugin, which uses the VAD to enumerate dlls. The VAD is maintained in kernel memory and therefore can only be accessed through Ring 0 access.
Sample output
Below we see winpmem used to acquire the image of this Windows 8.1 system. Since winpmem is a 32 bit application, we see the wow64.dll dynamically loaded. Note that in this case, the 32 bit dlls will not show in the InLoadOrderModuleList. Using the ldrmodules plugin reveals all the 32 bit dlls loaded.
win8.1.raw 15:35:10> dlllist proc_regex="winpmem"
-------------------> dlllist(proc_regex="winpmem")
winpmem_1.5.2. pid: 2628
Command line : winpmem_1.5.2.exe -2 win8.1.raw
Note: use ldrmodules for listing DLLs in Wow64 processes
Base Size Load Reason/Count Path
-------------- -------------- ------------------------------ ----
0x000000020000 0x2d000 LoadReasonStaticDependency C:\temp\winpmem_1.5.2.exe
0x7ff87f320000 0x1a9000 LoadReasonStaticDependency C:\Windows\SYSTEM32\ntdll.dll
0x000076f50000 0x49000 LoadReasonDynamicLoad C:\Windows\SYSTEM32\wow64.dll
0x000076fa0000 0x68000 LoadReasonStaticDependency C:\Windows\system32\wow64win.dll
0x000077010000 0x9000 LoadReasonStaticDependency C:\Windows\system32\wow64cpu.dll
win8.1.raw 15:35:51> ldrmodules proc_regex="winpmem"
-------------------> ldrmodules(proc_regex="winpmem")
Pid Process Base InLoad InInit InMem MappedPath
-------- -------------------- -------------- ------ ------ ----- ----------
2628 winpmem_1.5.2. 0x0000753b0000 False False False \Windows\SysWOW64\KernelBase.dll
2628 winpmem_1.5.2. 0x000000020000 True False True \temp\winpmem_1.5.2.exe
2628 winpmem_1.5.2. 0x000076c30000 False False False \Windows\SysWOW64\kernel32.dll
2628 winpmem_1.5.2. 0x000074a40000 False False False \Windows\SysWOW64\cryptbase.dll
2628 winpmem_1.5.2. 0x000074a50000 False False False \Windows\SysWOW64\sspicli.dll
2628 winpmem_1.5.2. 0x000077010000 True True True \Windows\System32\wow64cpu.dll
2628 winpmem_1.5.2. 0x000076f50000 True True True \Windows\System32\wow64.dll
2628 winpmem_1.5.2. 0x000076fa0000 True True True \Windows\System32\wow64win.dll
2628 winpmem_1.5.2. 0x000075250000 False False False \Windows\SysWOW64\rpcrt4.dll
2628 winpmem_1.5.2. 0x0ff87f320000 False False False \Windows\System32\ntdll.dll
2628 winpmem_1.5.2. 0x000077020000 False False False \Windows\SysWOW64\ntdll.dll
2628 winpmem_1.5.2. 0x0000749e0000 False False False \Windows\SysWOW64\bcryptprimitives.dll
2628 winpmem_1.5.2. 0x000074ff0000 False False False \Windows\SysWOW64\advapi32.dll
2628 winpmem_1.5.2. 0x000076f10000 False False False \Windows\SysWOW64\sechost.dll
2628 winpmem_1.5.2. 0x000074d80000 False False False \Windows\SysWOW64\msvcrt.dll
dns_cache
View SourceDump the windows DNS resolver cache.
Plugin Arguments
hashtable | Optionally provide the hashtable (type: String) |
no_index | Should we not use the index (type: Boolean) |
verbosity | An integer reflecting the amount of desired output: 0 = quiet, 10 = noisy. (type: IntParser)
|
driverirp
View SourceDriver IRP hook detection
Plugin Arguments
eprocess | Kernel addresses of eprocess structs. (type: ArrayIntParser)
|
limit | The length of data to search in each selected region. (type: IntParser)
|
method | Method to list processes. (type: ChoiceArray)
|
pids | One or more pids of processes to select. (type: ArrayIntParser)
|
proc_regex | A regex to select a process by name. (type: RegEx) |
regex | Analyze drivers matching REGEX (type: RegEx) |
scan_kernel | Scan the entire kernel address space. (type: Boolean)
|
scan_kernel_code | Scan the kernel image and loaded drivers. (type: Boolean)
|
scan_kernel_nonpaged_pool | Scan the kernel non-paged pool. (type: Boolean)
|
scan_kernel_paged_pool | Scan the kernel paged pool. (type: Boolean)
|
scan_kernel_session_pools | Scan session pools for all processes. (type: Boolean)
|
scan_physical | Scan the physical address space only. (type: Boolean)
|
scan_process_memory | Scan all of process memory. Uses process selectors to narrow down selections. (type: Boolean)
|
verbosity | An integer reflecting the amount of desired output: 0 = quiet, 10 = noisy. (type: IntParser)
|
Windows drivers export a table of functions called the IRP MajorFunction table. In that table, the driver installs function handlers to handle verious types of requests from userspace. A common way to hook a legitimate driver is to replace these function pointers with a malicious function.
Many drivers forward their IRP functions to other drivers for legitimate purposes, so detecting hooked IRP functions based on containing modules is not a good method. Instead, we print everything and let you be the judge. The command also checks for Inline hooks of IRP functions and optionally prints a disassembly of the instructions at the IRP address (pass –verbosity to enable this).
This command outputs information for all drivers, unless you specify a regular expression filter.
Notes
In the current implementation this plugin uses scanning methods to locate the driver and device objects. This is an inefficient method which is also susceptible to false positives and active subversion. We are working on converting this plugin to use the object_tree plugin to directly parse kernel driver structures.
Sample output
In the below we see that the pmem driver handles the IRP_MJ_CREATE, IRP_MJ_CLOSE, IRP_MJ_READ and IRP_MJ_DEVICE_CONTROL IRP types.
win8.1.raw 16:15:36> driverirp regex="pmem"
-------------------> driverirp(regex="pmem")
**************************************************
DriverName: pmem
DriverStart: 0xf800025ca000
DriverSize: 0x10000
DriverStartIo: 0x0
- Func Name Func Addr Module
---- ------------------------------------ -------------- ------
0 IRP_MJ_CREATE 0xf800025cb210 \??\C:\Users\test\AppData\Local\Temp\pmeA86F.tmp
1 IRP_MJ_CREATE_NAMED_PIPE 0xf802d31131b8 \SystemRoot\system32\ntoskrnl.exe
2 IRP_MJ_CLOSE 0xf800025cb270 \??\C:\Users\test\AppData\Local\Temp\pmeA86F.tmp
3 IRP_MJ_READ 0xf800025cbfa0 \??\C:\Users\test\AppData\Local\Temp\pmeA86F.tmp
4 IRP_MJ_WRITE 0xf802d31131b8 \SystemRoot\system32\ntoskrnl.exe
5 IRP_MJ_QUERY_INFORMATION 0xf802d31131b8 \SystemRoot\system32\ntoskrnl.exe
6 IRP_MJ_SET_INFORMATION 0xf802d31131b8 \SystemRoot\system32\ntoskrnl.exe
7 IRP_MJ_QUERY_EA 0xf802d31131b8 \SystemRoot\system32\ntoskrnl.exe
8 IRP_MJ_SET_EA 0xf802d31131b8 \SystemRoot\system32\ntoskrnl.exe
9 IRP_MJ_FLUSH_BUFFERS 0xf802d31131b8 \SystemRoot\system32\ntoskrnl.exe
10 IRP_MJ_QUERY_VOLUME_INFORMATION 0xf802d31131b8 \SystemRoot\system32\ntoskrnl.exe
11 IRP_MJ_SET_VOLUME_INFORMATION 0xf802d31131b8 \SystemRoot\system32\ntoskrnl.exe
12 IRP_MJ_DIRECTORY_CONTROL 0xf802d31131b8 \SystemRoot\system32\ntoskrnl.exe
13 IRP_MJ_FILE_SYSTEM_CONTROL 0xf802d31131b8 \SystemRoot\system32\ntoskrnl.exe
14 IRP_MJ_DEVICE_CONTROL 0xf800025cb300 \??\C:\Users\test\AppData\Local\Temp\pmeA86F.tmp
15 IRP_MJ_INTERNAL_DEVICE_CONTROL 0xf802d31131b8 \SystemRoot\system32\ntoskrnl.exe
16 IRP_MJ_SHUTDOWN 0xf802d31131b8 \SystemRoot\system32\ntoskrnl.exe
17 IRP_MJ_LOCK_CONTROL 0xf802d31131b8 \SystemRoot\system32\ntoskrnl.exe
18 IRP_MJ_CLEANUP 0xf802d31131b8 \SystemRoot\system32\ntoskrnl.exe
19 IRP_MJ_CREATE_MAILSLOT 0xf802d31131b8 \SystemRoot\system32\ntoskrnl.exe
20 IRP_MJ_QUERY_SECURITY 0xf802d31131b8 \SystemRoot\system32\ntoskrnl.exe
21 IRP_MJ_SET_SECURITY 0xf802d31131b8 \SystemRoot\system32\ntoskrnl.exe
22 IRP_MJ_POWER 0xf802d31131b8 \SystemRoot\system32\ntoskrnl.exe
23 IRP_MJ_SYSTEM_CONTROL 0xf802d31131b8 \SystemRoot\system32\ntoskrnl.exe
24 IRP_MJ_DEVICE_CHANGE 0xf802d31131b8 \SystemRoot\system32\ntoskrnl.exe
25 IRP_MJ_QUERY_QUOTA 0xf802d31131b8 \SystemRoot\system32\ntoskrnl.exe
26 IRP_MJ_SET_QUOTA 0xf802d31131b8 \SystemRoot\system32\ntoskrnl.exe
27 IRP_MJ_PNP 0xf802d31131b8 \SystemRoot\system32\ntoskrnl.exe
driverscan
View SourceScan for driver objects _DRIVER_OBJECT
Plugin Arguments
eprocess | Kernel addresses of eprocess structs. (type: ArrayIntParser)
|
limit | The length of data to search in each selected region. (type: IntParser)
|
method | Method to list processes. (type: ChoiceArray)
|
pids | One or more pids of processes to select. (type: ArrayIntParser)
|
proc_regex | A regex to select a process by name. (type: RegEx) |
scan_kernel | Scan the entire kernel address space. (type: Boolean)
|
scan_kernel_code | Scan the kernel image and loaded drivers. (type: Boolean)
|
scan_kernel_nonpaged_pool | Scan the kernel non-paged pool. (type: Boolean)
|
scan_kernel_paged_pool | Scan the kernel paged pool. (type: Boolean)
|
scan_kernel_session_pools | Scan session pools for all processes. (type: Boolean)
|
scan_physical | Scan the physical address space only. (type: Boolean)
|
scan_process_memory | Scan all of process memory. Uses process selectors to narrow down selections. (type: Boolean)
|
verbosity | An integer reflecting the amount of desired output: 0 = quiet, 10 = noisy. (type: IntParser)
|
To find _DRIVER_OBJECTs in physical memory using pool tag scanning, use this plugin. This is another way to locate kernel modules, although not all kernel modules have an associated _DRIVER_OBJECT.
The usual way for malware to enter Ring 0 is via loading a kernel driver of some sort. A malicious kernel driver is a strong indication that malware is running in Ring 0.
Notes
- Like other pool scanning plugins, this plugin may produce false positives since it essentially carves _DRIVER_OBJECT structures out of memory. On the other hand, this plugin may reveal drivers which have been unloaded.
Sample output
win8.1.raw 16:17:29> driverscan
-------------------> driverscan()
Offset(P) #Ptr #Hnd Start Size Service Key Name Driver Name
- -------------- ---- ---- -------------- -------------- -------------------- ------------ -----------
...
0x00003e569c60 3 0 0xf80000b14000 0x10000 pcw pcw \Driver\pcw
0x00003e569e60 3 0 0xf80000aeb000 0x29000 VBoxGuest VBoxGuest \Driver\VBoxGuest
0x00003e59e590 17 0 0xf80000c26000 0x118000 NDIS NDIS \Driver\NDIS
0x00003e5a1060 8 0 0xf80000ec5000 0x27f000 Tcpip Tcpip \Driver\Tcpip
0x00003eb8d870 3 0 0xf800025ca000 0x10000 pmem pmem \Driver\pmem
0x00003f066e60 3 0 0xf80001c69000 0xe000 monitor monitor \Driver\monitor
....
dtbscan
View SourceScans the physical memory for DTB values.
This plugin can compare the DTBs found against the list of known processes to find hidden processes.
Plugin Arguments
eprocess | Kernel addresses of eprocess structs. (type: ArrayIntParser)
|
limit | Stop scanning after this many mb. (type: IntParser)
|
method | Method to list processes. (type: ChoiceArray)
|
pids | One or more pids of processes to select. (type: ArrayIntParser)
|
proc_regex | A regex to select a process by name. (type: RegEx) |
verbosity | An integer reflecting the amount of desired output: 0 = quiet, 10 = noisy. (type: IntParser)
|
The PFN database can be used to resolve a physical address to its virtual address in the process address space. Since processes must have unique page tables, and therefore a unique DTB, we can enumerate all unique page tables on the system.
Using this technique allows us to locate hidden processes. We simply check each physical page and locate its DTB (or page table directory base) offset. We then match the DTB to a known process DTB. If the DTB is not known this is a strong indication that the process is hidden.
Sample output
win8.1.raw 16:23:50> dtbscan
-------------------> dtbscan()
DTB VAddr _EPROCESS Image Name Known
-------------- -------------- -------------- -------------------- -----
0x0000001a7000 0xf6fb7dbed000 0xe00000074580 System True
0x0000118a3000 0xf6fb7dbed000 0xe00002073900 explorer.exe True
0x00000923e000 0xf6fb7dbed000 0xe000020ea900 svchost.exe True
0x000036ea3000 0xf6fb7dbed000 0xe000006208c0 taskhost.exe True
0x000004c01000 0xf6fb7dbed000 0xe000000ce080 wininit.exe True
0x00000d0a4000 0xf6fb7dbed000 0xe000022c6900 MsMpEng.exe True
0x0000093c4000 0xf6fb7dbed000 0xe000020df080 svchost.exe True
0x0000348c6000 0xf6fb7dbed000 0xe00001e2f700 dwm.exe True
0x000011504000 0xf6fb7dbed000 0xe000007a3080 svchost.exe True
0x000007c94000 0xf6fb7dbed000 0xe00001f22080 cmd.exe True
0x00002fe03000 0xf6fb7dbed000 0xe00002043900 conhost.exe True
0x00002f8ce000 0xf6fb7dbed000 0xe00001299900 SearchIndexer. True
0x0000207b9000 0xf6fb7dbed000 0xe00002645080 VBoxTray.exe True
dumpfiles
View SourceDump files from memory.
The interface is loosely based on the Volatility plugin of the same name, although the implementation is quite different.
Plugin Arguments
dump_dir | Path suitable for dumping files. (type: String) |
eprocess | Kernel addresses of eprocess structs. (type: ArrayIntParser)
|
file_objects | Kernel addresses of _FILE_OBJECT structs. (type: ArrayIntParser) |
method | Method to list processes. (type: ChoiceArray)
|
pids | One or more pids of processes to select. (type: ArrayIntParser)
|
proc_regex | A regex to select a process by name. (type: RegEx) |
verbosity | An integer reflecting the amount of desired output: 0 = quiet, 10 = noisy. (type: IntParser)
|
evtlogs
View SourceExtract Windows Event Logs (XP/2003 only)
Plugin Arguments
hive-offsets | A list of hive offsets as found by hivelist. If not provided we call hivelist ourselves and list the keys on all hives. (type: ArrayIntParser) |
hive_regex | A regex to filter hive names.If not provided we use all hives. |
verbosity | An integer reflecting the amount of desired output: 0 = quiet, 10 = noisy. (type: IntParser)
|
The evtlogs command extracts and parses binary event logs from memory. Binary event logs are found on Windows XP and 2003 machines, therefore this plugin only works on these architectures. These files are extracted from VAD of the services.exe process, parsed and shown as output.
Notes
- This plugin will only work on Windows XP/2003. Modern windows systems use evtx event log format. We are still working on supporting these logs.
Sample output
xp-laptop-2005-06-25.img 16:43:19> evtlogs
---------------------------------> evtlogs()
TimeWritten Filename Computer Sid Source Event Id Event Type Message
----------- -------- -------- --- ------ -------- ---------- -------
2004-05-05 19:36:55+0000 SecEvent.Evt MOIT-A-PHXMOD2 S-1-5-18 Security 612 Success '-';'+';'+';'+';'+';'+';'-';'-';'-';'-';'+';'+';'+';'+';'+';'+';'+';'+';'MOIT-A-PHXMOD2$';'BALTIMORE';'(0x0,0x3E7)'
2004-05-05 19:36:56+0000 SecEvent.Evt MOIT-A-PHXMOD2 S-1-5-18 Security 618 Success 'MOIT-A-PHXMOD2$';'BALTIMORE';'(0x0,0x3E7)';'PolEfDat: <binary data> (none); '
2004-05-05 19:37:03+0000 SecEvent.Evt MOIT-A-PHXMOD2 S-1-5-18 Security 537 Failure 'AJ.Morning';'BALTIMORE';'11';'User32 ';'Negotiate';'MOIT-A-PHXMOD2';'0xC000005E';'0x0'
2004-05-05 19:37:03+0000 SecEvent.Evt MOIT-A-PHXMOD2 S-1-5-21-487349131-2095749132-2248483902-19753 Security 528 Success 'AJ.Morning';'BALTIMORE';'(0x0,0x113AD)';'2';'User32 ';'Negotiate';'MOIT-A-PHXMOD2';'{5c92d34f-85d3-2f5d-d036-759d7c97bfd7}'
2004-05-05 19:37:32+0000 SecEvent.Evt MOIT-A-PHXMOD2 S-1-5-19 Security 528 Success 'LOCAL SERVICE';'NT AUTHORITY';'(0x0,0x3E5)';'5';'Advapi ';'Negotiate';'';'{00000000-0000-0000-0000-000000000000}'
2004-05-05 19:37:33+0000 SecEvent.Evt MOIT-A-PHXMOD2 S-1-5-21-487349131-2095749132-2248483902-19753 Security 596 Failure '619be804-cde6-484f-aff4-2a5e588d6eef';'';'';'0x57'
filescan
View SourceScan Physical memory for _FILE_OBJECT pool allocations
Plugin Arguments
eprocess | Kernel addresses of eprocess structs. (type: ArrayIntParser)
|
limit | The length of data to search in each selected region. (type: IntParser)
|
method | Method to list processes. (type: ChoiceArray)
|
pids | One or more pids of processes to select. (type: ArrayIntParser)
|
proc_regex | A regex to select a process by name. (type: RegEx) |
scan_kernel | Scan the entire kernel address space. (type: Boolean)
|
scan_kernel_code | Scan the kernel image and loaded drivers. (type: Boolean)
|
scan_kernel_nonpaged_pool | Scan the kernel non-paged pool. (type: Boolean)
|
scan_kernel_paged_pool | Scan the kernel paged pool. (type: Boolean)
|
scan_kernel_session_pools | Scan session pools for all processes. (type: Boolean)
|
scan_physical | Scan the physical address space only. (type: Boolean)
|
scan_process_memory | Scan all of process memory. Uses process selectors to narrow down selections. (type: Boolean)
|
verbosity | An integer reflecting the amount of desired output: 0 = quiet, 10 = noisy. (type: IntParser)
|
To find FILE_OBJECTs in physical memory using pool tag scanning, use the filescan command. This will find open files even if a rootkit is hiding the files on disk and if the rootkit hooks some API functions to hide the open handles on a live system.
The plugin also resolves back the _FILE_OBJECT into the ownning process. This works only if the _FILE_OBJECT is actually in use (it does not work for closed files).
Notes
-
Like other pool scanning plugins, this plugin may produce false positives since it essentially carves _FILE_OBJECT structures out of memory. On the other hand, this plugin may reveal files which have been closed or freed.
-
When inspecting the output, the #Hnd column indicates the number of handles to this _FILE_OBJECT. Objects in use will have a non zero value here and are likely to not be freed.
-
The plugin displays the physical address of the _FILE_OBJECT found. It may be possible to derive their virtual address using the ptov plugin. Alternatively, specify the scan_in_kernel option, to ensure scanning occurs in the kernel address space.
Sample output
win8.1.raw 16:55:44> filescan scan_in_kernel=True
-------------------> filescan(scan_in_kernel=True)
Offset #Ptr #Hnd Access Owner Owner Pid Owner Name Name
- -------------- ------ ---- ------ -------------- --------- ---------------- ----
0xe000000421e0 17 0 RW-rwd -------------- ---- ---------------- \$Directory
0xe00000057d70 14 0 R--rwd -------------- ---- ---------------- \Windows\System32\AuthBroker.dll
0xe000000599d0 32758 1 R--rw- 0xe00000074580 4 System \Windows\CSC\v2.0.6
0xe000000686e0 19 0 RW-rwd -------------- ---- ---------------- \$Directory
0xe0000006a1f0 19 0 RW-rwd -------------- ---- ---------------- \$Directory
0xe0000006b5a0 16 0 R--r-d -------------- ---- ---------------- \Windows\Fonts\modern.fon
0xe0000006d8c0 4 0 R--r-d -------------- ---- ---------------- \Windows\System32\negoexts.dll
0xe0000006dc40 16 0 R--r-- -------------- ---- ---------------- \Windows\Fonts\meiryob.ttc
0xe0000006e1f0 29617 1 ------ 0xe0000204a900 2628 winpmem_1.5.2. \Connect
0xe0000006edd0 16 0 R--rwd -------------- ---- ---------------- \Windows\System32\msctf.dll
0xe00000079270 16 0 R--r-- -------------- ---- ---------------- \Windows\Cursors\aero_up.cur
0xe0000007abc0 12 0 R--rwd -------------- ---- ---------------- \Windows\System32\puiobj.dll
0xe0000007ba90 18 0 RW-rwd -------------- ---- ---------------- \$Directory
0xe0000007e070 3 0 R--r-- -------------- ---- ---------------- \Windows\Fonts\segoeui.ttf
0xe0000007e360 4 0 RW-rwd -------------- ---- ---------------- \$ConvertToNonresident
0xe0000007e890 7 0 R--r-d -------------- ---- ---------------- \Windows\System32\usbmon.dll
0xe0000007f360 32768 1 R--r-d 0xe000000ce080 432 wininit.exe \Windows\System32\en-GB\user32.dll.mui
0xe0000007f980 4 0 R--r-d -------------- ---- ---------------- \Windows\System32\KBDUK.DLL
0xe000000b1d90 17 0 RW-rwd -------------- ---- ---------------- \$Directory
0xe000000b1f20 5 0 R--r-d -------------- ---- ---------------- \Windows\System32\AppXDeploymentServer.dll
0xe000000b4610 12 0 R--rwd -------------- ---- ---------------- \Windows\SysWOW64\winmmbase.dll
0xe000000b6820 1 1 RWD--- 0xe00000074580 4 System \Windows\System32\config\RegBack\SECURITY
0xe000000b6a50 32766 1 RW---- 0xe00000074580 4 System \Windows\System32\config\SECURITY.LOG2
find_dtb
View SourceA plugin to search for the Directory Table Base for windows systems.
There are a number of ways to find the DTB:
-
Scanner method: Scans the image for a known kernel process, and read the DTB from its Process Environment Block (PEB).
-
Get the DTB from the KPCR structure.
-
Note that the kernel is mapped into every process’s address space (with the exception of session space which might be different) so using any process’s DTB from the same session will work to read kernel data structures. If this plugin fails, try psscan to find potential DTBs.
Plugin Arguments
process_name | The name of the process to search for. |
verbosity | An integer reflecting the amount of desired output: 0 = quiet, 10 = noisy. (type: IntParser)
|
Notes
- This is an internally used plugin for discovering the Directory Table Base (DTB) on windows systems. It is unlikely to be useful to a user by itself.
fls
View SourcePlugin Arguments
path | Path to print stats for. (type: String)
|
verbosity | An integer reflecting the amount of desired output: 0 = quiet, 10 = noisy. (type: IntParser)
|
handles
View SourcePrint list of open handles for each process
Plugin Arguments
eprocess | Kernel addresses of eprocess structs. (type: ArrayIntParser)
|
method | Method to list processes. (type: ChoiceArray)
|
named_only | Output only handles with a name . (type: Boolean) |
object_types | Types of objects to show. (type: ArrayStringParser) |
pids | One or more pids of processes to select. (type: ArrayIntParser)
|
proc_regex | A regex to select a process by name. (type: RegEx) |
verbosity | An integer reflecting the amount of desired output: 0 = quiet, 10 = noisy. (type: IntParser)
|
This plugin displays the handle table of processes. The handle table in the process stores securable kernel objects.
When a user mode process obtains a securable kernel object, they receive a handle to it - i.e. an integer which is the location in the handle table, rather than the raw kernel level pointer. User processes then use the handle to operate of the kernel level object. For example, if a process opens a file the _FILE_OBJECT will be stored in the handle table, and the userspace code will receive the offset into the handle table.
This plugin is especially useful to find all resources that are opened by a user space program, such as open files, registry keys etc. In fact any of the objects shown by the object_types plugin are stored in the handle table as can be seen by this module.
All the usual process selectors are supported. Additionally, it is possible to filter the output by using a comma separated list of handle types (as can be seen by the object_types plugin.
Sample output
In the following output we see the winpmem acquisition tool’s handle table. Note that it has an open file to the raw device \Device\pmem and the output file of \Device\HarddiskVolume2\temp\win8.1.raw.
win8.1.raw 18:00:43> handles proc_regex="winpmem"
-------------------> handles(proc_regex="winpmem")
Offset (V) Pid Handle Access Type Details
-------------- ------ -------------- -------------- ---------------- -------
0xe00001f82f20 2628 0x4 0x12019f File \Device\ConDrv\Reference
0xe00001d17e00 2628 0x10 0x100020 File \Device\HarddiskVolume2\Windows
0xe00001f546b0 2628 0x18 0x12019f File \Device\ConDrv\Input
0xe00001eef800 2628 0x1c 0x12019f File \Device\ConDrv\Output
0xe00001eef800 2628 0x20 0x12019f File \Device\ConDrv\Output
0xe00001d0db80 2628 0x24 0x100020 File \Device\HarddiskVolume2\temp
0xe0000006e1f0 2628 0x28 0x12019f File \Device\ConDrv\Connect
0xe00000637480 2628 0x30 0x1f0001 ALPC Port
0xe000006bd290 2628 0x34 0x1f0003 Event
0xe00001ed6060 2628 0x38 0x1 WaitCompletionPacket
0xe00001ecd080 2628 0x3c 0x1f0003 IoCompletion
0xe00001ec7060 2628 0x40 0xf00ff TpWorkerFactory
0xe00000778320 2628 0x44 0x100002 IRTimer
0xe00001ecfb80 2628 0x48 0x1 WaitCompletionPacket
0xe00001a629d0 2628 0x4c 0x100002 IRTimer
0xe00001ec8f90 2628 0x50 0x1 WaitCompletionPacket
0xe00002048970 2628 0x54 0x804 EtwRegistration
0xe0000077dd00 2628 0x58 0x100003 Semaphore
0xe00001d1b340 2628 0x5c 0x100001 File \Device\CNG
0xe000006b82c0 2628 0x60 0x100003 Semaphore
0xe00001d0c6e0 2628 0x64 0x120196 File \Device\HarddiskVolume2\temp\win8.1.raw
0xe000007db2f0 2628 0x74 0x1f0003 Event
0xe000023eda60 2628 0x78 0x804 EtwRegistration
0xe000024c56c0 2628 0x7c 0x804 EtwRegistration
0xe00001f803e0 2628 0x80 0x804 EtwRegistration
0xe00000813330 2628 0x84 0x1f0003 Event
0xe00001254440 2628 0x88 0x1fffff Thread TID 3420 PID 2628
0xe0000061ebb0 2628 0x8c 0x1f0001 ALPC Port
0xe00001d0c340 2628 0x90 0x12019f File \Device\pmem
hooks_eat
View SourceDetect EAT hooks in process and kernel memory
Plugin Arguments
eprocess | Kernel addresses of eprocess structs. (type: ArrayIntParser)
|
method | Method to list processes. (type: ChoiceArray)
|
pids | One or more pids of processes to select. (type: ArrayIntParser)
|
proc_regex | A regex to select a process by name. (type: RegEx) |
verbosity | An integer reflecting the amount of desired output: 0 = quiet, 10 = noisy. (type: IntParser)
|
hooks_iat
View SourceDetect IAT/EAT hooks in process and kernel memory
Plugin Arguments
eprocess | Kernel addresses of eprocess structs. (type: ArrayIntParser)
|
method | Method to list processes. (type: ChoiceArray)
|
pids | One or more pids of processes to select. (type: ArrayIntParser)
|
proc_regex | A regex to select a process by name. (type: RegEx) |
verbosity | An integer reflecting the amount of desired output: 0 = quiet, 10 = noisy. (type: IntParser)
|
hooks_inline
View SourceDetect API hooks in process and kernel memory
Plugin Arguments
eprocess | Kernel addresses of eprocess structs. (type: ArrayIntParser)
|
method | Method to list processes. (type: ChoiceArray)
|
pids | One or more pids of processes to select. (type: ArrayIntParser)
|
proc_regex | A regex to select a process by name. (type: RegEx) |
verbosity | An integer reflecting the amount of desired output: 0 = quiet, 10 = noisy. (type: IntParser)
|
imageinfo
View SourceList overview information about this image.
Plugin Arguments
verbosity | An integer reflecting the amount of desired output: 0 = quiet, 10 = noisy. (type: IntParser)
|
This plugin prints an overview of certain parameters of the image.
Notes
- Since Rekall does not require users to select the profiles manually this plugin is not required to be run prior to any analysis. In fact the plugin itself needs to have accurate profiles loaded. It therefore does not server the same purpose as in previous version of the software.
Sample output
win8.1.raw 18:00:48> imageinfo
-------------------> imageinfo()
Fact Value
-------------------- -----
Kernel DTB 0x1a7000
NT Build 9600.winblue_gdr.130913-2141
NT Build Ex 9600.16404.amd64fre.winblue_gdr.130913-2141
Signed Drivers -
Time (UTC) 2014-01-24 21:20:05+0000
Time (Local) 2014-01-24 21:20:05+0000
Sec Since Boot 764.359375
NtSystemRoot C:\Windows
**************** Physical Layout ****************
Physical Start Physical End Number of Pages
-------------- -------------- ---------------
0x000000001000 0x00000009f000 158
0x000000100000 0x000000102000 2
0x000000103000 0x00003fff0000 261869
impscan
View SourceScan for calls to imported functions.
Plugin Arguments
base | Base address in process memory if –pid is supplied, otherwise an address in kernel space (type: IntParser) |
eprocess | Kernel addresses of eprocess structs. (type: ArrayIntParser)
|
kernel | Scan in kernel space. (type: Boolean) |
method | Method to list processes. (type: ChoiceArray)
|
pids | One or more pids of processes to select. (type: ArrayIntParser)
|
proc_regex | A regex to select a process by name. (type: RegEx) |
size | Size of memory to scan (type: IntParser) |
verbosity | An integer reflecting the amount of desired output: 0 = quiet, 10 = noisy. (type: IntParser)
|
Sample output
win8.1.raw 18:30:34> impscan proc_regex="dwm.exe"
-------------------> impscan(proc_regex="dwm.exe")
**************************************************
Process dwm.exe PID 692
IAT Call Module Function
-------------- -------------- -------------------- --------
0x7ff7474f4000 0x7ff87f2c369c sechost.dll ConvertStringSecurityDescriptorToSecurityDescriptorW
0x7ff7474f4030 0x7ff87b48beb0 uxtheme.dll CloseThemeData
0x7ff7474f4038 0x7ff87b4bfc80 uxtheme.dll OpenThemeData
0x7ff7474fa020 0x7ff87e4b5d34 msvcrt.dll 382
0x7ff7474fa030 0x7ff87e4b5f18 msvcrt.dll 410
0x7ff7474fa050 0x7ff87e4b9948 msvcrt.dll 144
0x7ff7474fa058 0x7ff87e4babc0 msvcrt.dll 129
0x7ff7474fa0e0 0x7ff87e4b468c msvcrt.dll 35
0x7ff7474fa0e8 0x7ff87e4b1cd4 msvcrt.dll 36
0x7ff7474fa120 0x7ff87f38f85c ntdll.dll 1252
0x7ff7474fa128 0x7ff87f36e384 ntdll.dll 1229
0x7ff7474fa130 0x7ff87c9a3dec KERNELBASE.dll 170
0x7ff7474fa138 0x7ff87f33c31c ntdll.dll 815
0x7ff7474fa148 0x7ff87f383270 ntdll.dll RtlInitializeCriticalSection
0x7ff7474fa158 0x7ff87f36d100 ntdll.dll RtlAcquireSRWLockShared
0x7ff7474fa168 0x7ff87f36b810 ntdll.dll RtlLeaveCriticalSection
0x7ff7474fa170 0x7ff87c9a24f4 KERNELBASE.dll 157
0x7ff7474fa180 0x7ff87f36e50c ntdll.dll 1228
0x7ff7474fa188 0x7ff87f35db60 ntdll.dll RtlAcquireSRWLockExclusive
0x7ff7474fa190 0x7ff87f36b550 ntdll.dll 867
0x7ff7474fa1a0 0x7ff87c9a14a0 KERNELBASE.dll 635
0x7ff7474fa1c8 0x7ff87c9a1440 KERNELBASE.dll 481
0x7ff7474fa1e8 0x7ff87f37c7c0 ntdll.dll RtlSetLastWin32Error
0x7ff7474fa1f8 0x7ff87f366b90 ntdll.dll 928
0x7ff7474fa200 0x7ff87f3620d0 ntdll.dll RtlAllocateHeap
0x7ff7474fa208 0x7ff87c9ac960 KERNELBASE.dll 684
0x7ff7474fa218 0x7ff87c9a14e0 KERNELBASE.dll 554
0x7ff7474fa230 0x7ff87edd3184 KERNEL32.DLL GetStartupInfoW
0x7ff7474fa238 0x7ff87edd3074 KERNEL32.DLL SetPriorityClass
kdbgscan
View SourceScan for possible _KDDEBUGGER_DATA64 structures.
The scanner is detailed here: http://moyix.blogspot.com/2008/04/finding-kernel-global-variables-in.html
The relevant structures are detailed here: http://doxygen.reactos.org/d3/ddf/include_2psdk_2wdbgexts_8h_source.html
We can see that _KDDEBUGGER_DATA64.Header is:
typedef struct _DBGKD_DEBUG_DATA_HEADER64 { LIST_ENTRY64 List; ULONG OwnerTag; ULONG Size; }
We essentially search for an owner tag of “KDBG”, then overlay the _KDDEBUGGER_DATA64 struct on it. We test for validity by reflecting through the Header.List member.
Plugin Arguments
full_scan | Scan the full address space. (type: Boolean) |
verbosity | An integer reflecting the amount of desired output: 0 = quiet, 10 = noisy. (type: IntParser)
|
Windows keeps a store of some useful global variables in a structure called _KDDEBUGGER_DATA64. This information is used by the microsoft kernel debugger in order to bootstap the analysis of a crash dump.
Rekall no longer uses the Kernel Debugger Block for analysis - instead accurate global symbol information are fetched from Microsoft PDB files containing debugging symbols.
Notes
- Previous versions of Rekall used the KDBG heavily for analysis, and by extension used this plugin. Currently the KDBG is not used by Rekall at all so this plugin is not all that useful.
kpcr
View SourceA plugin to print all KPCR blocks.
Plugin Arguments
verbosity | An integer reflecting the amount of desired output: 0 = quiet, 10 = noisy. (type: IntParser)
|
Windows maintains per-processor information for each physical CPU in the system. This plugin displays this infomation.
Sample output
win8.1.raw 21:15:09> kpcr
-------------------> kpcr()
**************************************************
Property Value
------------------------------ -----
Offset (V) 0xf802d3307000
KdVersionBlock Pointer to -
IDT 0xf802d4a43080
GDT 0xf802d4a43000
CurrentThread : 0xe00001254440 TID 3420 (winpmem_1.5.2.:2628)
IdleThread : 0xf802d335fa80 TID 0 (System:0)
Details : CPU 0 (GenuineIntel @ 2517 MHz)
CR3/DTB : 0x1a7000
ldrmodules
View SourceDetect unlinked DLLs
Plugin Arguments
eprocess | Kernel addresses of eprocess structs. (type: ArrayIntParser)
|
method | Method to list processes. (type: ChoiceArray)
|
pids | One or more pids of processes to select. (type: ArrayIntParser)
|
proc_regex | A regex to select a process by name. (type: RegEx) |
verbosity | An integer reflecting the amount of desired output: 0 = quiet, 10 = noisy. (type: IntParser)
|
There are many ways to hide a DLL. One of the ways involves unlinking the DLL from one (or all) of the linked lists in the PEB. However, when this is done, there is still information contained within the VAD (Virtual Address Descriptor) which identifies the base address of the DLL and its full path on disk. To cross-reference this information (known as memory mapped files) with the 3 PEB lists, use the ldrmodules command.
For each memory mapped PE file, the ldrmodules command prints True or False if the PE exists in the PEB lists.
win8.1.raw 22:17:36> ldrmodules proc_regex="winpmem"
-------------------> ldrmodules(proc_regex="winpmem")
Pid Process Base InLoad InInit InMem MappedPath
-------- -------------------- -------------- ------ ------ ----- ----------
2628 winpmem_1.5.2. 0x0000753b0000 False False False \Windows\SysWOW64\KernelBase.dll
2628 winpmem_1.5.2. 0x000000020000 True False True \temp\winpmem_1.5.2.exe
2628 winpmem_1.5.2. 0x000076c30000 False False False \Windows\SysWOW64\kernel32.dll
2628 winpmem_1.5.2. 0x000074a40000 False False False \Windows\SysWOW64\cryptbase.dll
2628 winpmem_1.5.2. 0x000074a50000 False False False \Windows\SysWOW64\sspicli.dll
2628 winpmem_1.5.2. 0x000077010000 True True True \Windows\System32\wow64cpu.dll
2628 winpmem_1.5.2. 0x000076f50000 True True True \Windows\System32\wow64.dll
2628 winpmem_1.5.2. 0x000076fa0000 True True True \Windows\System32\wow64win.dll
2628 winpmem_1.5.2. 0x000075250000 False False False \Windows\SysWOW64\rpcrt4.dll
2628 winpmem_1.5.2. 0x7ff87f320000 True True True \Windows\System32\ntdll.dll
2628 winpmem_1.5.2. 0x000077020000 False False False \Windows\SysWOW64\ntdll.dll
2628 winpmem_1.5.2. 0x0000749e0000 False False False \Windows\SysWOW64\bcryptprimitives.dll
2628 winpmem_1.5.2. 0x000074ff0000 False False False \Windows\SysWOW64\advapi32.dll
2628 winpmem_1.5.2. 0x000076f10000 False False False \Windows\SysWOW64\sechost.dll
2628 winpmem_1.5.2. 0x000074d80000 False False False \Windows\SysWOW64\msvcrt.dll
Since the PEB and the DLL lists that it contains all exist in user mode, its also possible for malware to hide (or obscure) a DLL by simply overwriting the path. Tools that only look for unlinked entries may miss the fact that malware could overwrite C:\bad.dll to show C:\windows\system32\kernel32.dll. So you can also pass the verbosity=10 parameter to ldrmodules to see the full path of all entries.
For concrete examples, see ZeroAccess Misleads Memory-File Link and QuickPost: Flame & Volatility.
win8.1.raw 22:17:41> ldrmodules proc_regex="winpmem", verbosity=10
-------------------> ldrmodules(proc_regex="winpmem", verbosity=10)
Pid Process Base InLoad InInit InMem MappedPath
-------- -------------------- -------------- ------ ------ ----- ----------
2628 winpmem_1.5.2. 0x0000753b0000 False False False \Windows\SysWOW64\KernelBase.dll
2628 winpmem_1.5.2. 0x000000020000 True False True \temp\winpmem_1.5.2.exe
Load Path: C:\temp\winpmem_1.5.2.exe : winpmem_1.5.2.exe
Mem Path: C:\temp\winpmem_1.5.2.exe : winpmem_1.5.2.exe
2628 winpmem_1.5.2. 0x000076c30000 False False False \Windows\SysWOW64\kernel32.dll
2628 winpmem_1.5.2. 0x000074a40000 False False False \Windows\SysWOW64\cryptbase.dll
2628 winpmem_1.5.2. 0x000074a50000 False False False \Windows\SysWOW64\sspicli.dll
2628 winpmem_1.5.2. 0x000077010000 True True True \Windows\System32\wow64cpu.dll
Load Path: C:\Windows\system32\wow64cpu.dll : wow64cpu.dll
Init Path: C:\Windows\system32\wow64cpu.dll : wow64cpu.dll
Mem Path: C:\Windows\system32\wow64cpu.dll : wow64cpu.dll
2628 winpmem_1.5.2. 0x000076f50000 True True True \Windows\System32\wow64.dll
Load Path: C:\Windows\SYSTEM32\wow64.dll : wow64.dll
Init Path: C:\Windows\SYSTEM32\wow64.dll : wow64.dll
Mem Path: C:\Windows\SYSTEM32\wow64.dll : wow64.dll
2628 winpmem_1.5.2. 0x000076fa0000 True True True \Windows\System32\wow64win.dll
Load Path: C:\Windows\system32\wow64win.dll : wow64win.dll
Init Path: C:\Windows\system32\wow64win.dll : wow64win.dll
Mem Path: C:\Windows\system32\wow64win.dll : wow64win.dll
2628 winpmem_1.5.2. 0x000075250000 False False False \Windows\SysWOW64\rpcrt4.dll
2628 winpmem_1.5.2. 0x7ff87f320000 True True True \Windows\System32\ntdll.dll
Load Path: C:\Windows\SYSTEM32\ntdll.dll : ntdll.dll
Init Path: C:\Windows\SYSTEM32\ntdll.dll : ntdll.dll
Mem Path: C:\Windows\SYSTEM32\ntdll.dll : ntdll.dll
2628 winpmem_1.5.2. 0x000077020000 False False False \Windows\SysWOW64\ntdll.dll
2628 winpmem_1.5.2. 0x0000749e0000 False False False \Windows\SysWOW64\bcryptprimitives.dll
2628 winpmem_1.5.2. 0x000074ff0000 False False False \Windows\SysWOW64\advapi32.dll
2628 winpmem_1.5.2. 0x000076f10000 False False False \Windows\SysWOW64\sechost.dll
2628 winpmem_1.5.2. 0x000074d80000 False False False \Windows\SysWOW64\msvcrt.dll
Notes
- Wow64 processes (i.e. 32 bit processes on 64 bit windows) will not show any 32 bit DLLs in any of the loader lists. This is normal (and you will see the Dlls loaded from the \Windows\Wow64 directory.
load_profile
View SourceLoads the profile into the session.
If the profile does not exist in the repositories, fetch and build it from the symbol server. This plugin allows the user to change resolution of selected binaries by forcing the fetching of symbol files from the symbol server interactively.
Plugin Arguments
guid | The guid of the module. (type: String) |
module_name | The name of the module (without the .pdb extensilon). (type: String) |
verbosity | An integer reflecting the amount of desired output: 0 = quiet, 10 = noisy. (type: IntParser)
|
malfind
View SourceFind hidden and injected code
Plugin Arguments
dump_dir | Path suitable for dumping files. (type: String) |
eprocess | Kernel addresses of eprocess structs. (type: ArrayIntParser)
|
method | Method to list processes. (type: ChoiceArray)
|
pids | One or more pids of processes to select. (type: ArrayIntParser)
|
proc_regex | A regex to select a process by name. (type: RegEx) |
verbosity | An integer reflecting the amount of desired output: 0 = quiet, 10 = noisy. (type: IntParser)
|
The malfind command helps find hidden or injected code/DLLs in user mode memory, based on characteristics such as VAD tag and page permissions.
Note: malfind does not detect DLLs injected into a process using CreateRemoteThread->LoadLibrary. DLLs injected with this technique are not hidden and thus you can view them with dlllist. The purpose of malfind is to locate DLLs that standard methods/tools do not see.
Here is an example of using it to detect the presence of Zeus. The first memory segment (starting at 0x2aa0000) was detected because it is executable, marked as private (not shared between processes) and has a VadS tag… which means there is no memory mapped file already occupying the space. Based on a disassembly of the data found at this address, it seems to contain some API hook trampoline stubs.
The second memory segment (starting at 0x3080000) was detected because it contained an executable that isn’t listed in the PEB’s module lists.
If you want to save extracted copies of the memory segments identified by malfind, just supply an output directory with the dump_dir parameter. In this case, an unpacked copy of the Zeus binary that was injected into explorer.exe would be written to disk.
zeus2x4.vmem 22:53:43> malfind proc_regex="explorer"
---------------------> malfind(proc_regex="explorer")
**************************************************f pid 1752
Process: explorer.exe Pid: 1752 Address: 0x2aa0000
Vad Tag: VadS Protection: EXECUTE_READWRITE
Flags: CommitCharge: 1, MemCommit: 1, PrivateMemory: 1, Protection: 6
0x2aa0000 b8 35 00 00 00 e9 a9 d1 e6 79 68 6c 02 00 00 e9 .5.......yhl....
0x2aa0010 b4 63 e7 79 8b ff 55 8b ec e9 7c 11 d7 79 8b ff .c.y..U...|..y..
0x2aa0020 55 8b ec e9 01 32 77 74 8b ff 55 8b ec e9 7c 60 U....2wt..U...|`
0x2aa0030 72 74 8b ff 55 8b ec e9 ca e9 72 74 8b ff 55 8b rt..U.....rt..U.
0x02aa0000 b835000000 MOV EAX, 0x35
0x02aa0005 e9a9d1e679 JMP 0x7c90d1b3
0x02aa000a 686c020000 PUSH DWORD 0x26c
0x02aa000f e9b463e779 JMP 0x7c9163c8
0x02aa0014 8bff MOV EDI, EDI
0x02aa0016 55 PUSH EBP
0x02aa0017 8bec MOV EBP, ESP
0x02aa0019 e97c11d779 JMP 0x7c81119a
0x02aa001e 8bff MOV EDI, EDI
0x02aa0020 55 PUSH EBP
0x02aa0021 8bec MOV EBP, ESP
0x02aa0023 e901327774 JMP 0x77213229
0x02aa0028 8bff MOV EDI, EDI
0x02aa002a 55 PUSH EBP
0x02aa002b 8bec MOV EBP, ESP
0x02aa002d e97c607274 JMP 0x771c60ae
0x02aa0032 8bff MOV EDI, EDI
0x02aa0034 55 PUSH EBP
0x02aa0035 8bec MOV EBP, ESP
0x02aa0037 e9cae97274 JMP 0x771cea06
0x02aa003c 8bff MOV EDI, EDI
0x02aa003e 55 PUSH EBP
0x02aa003f 8bec MOV EBP, ESP
0x02aa0041 e9e8327774 JMP 0x7721332e
0x02aa0046 8bff MOV EDI, EDI
0x02aa0048 55 PUSH EBP
0x02aa0049 8bec MOV EBP, ESP
0x02aa004b e9494d7274 JMP 0x771c4d99
0x02aa0050 8bff MOV EDI, EDI
0x02aa0052 55 PUSH EBP
0x02aa0053 8bec MOV EBP, ESP
0x02aa0055 e99d827274 JMP 0x771c82f7
0x02aa005a 8bff MOV EDI, EDI
0x02aa005c 55 PUSH EBP
0x02aa005d 8bec MOV EBP, ESP
0x02aa005f e9ef927574 JMP 0x771f9353
0x02aa0064 8bff MOV EDI, EDI
0x02aa0066 55 PUSH EBP
0x02aa0067 8bec MOV EBP, ESP
0x02aa0069 e9fe897374 JMP 0x771d8a6c
0x02aa006e 6a2c PUSH 0x2c
0x02aa0070 68187b1c77 PUSH DWORD 0x771c7b18
0x02aa0075 e957797274 JMP 0x771c79d1
0x02aa007a 8bff MOV EDI, EDI
0x02aa007c 55 PUSH EBP
0x02aa007d 8bec MOV EBP, ESP
0x02aa007f e9ac3d016f JMP 0x71ab3e30
0x02aa0084 8bff MOV EDI, EDI
0x02aa0086 55 PUSH EBP
0x02aa0087 8bec MOV EBP, ESP
0x02aa0089 e99e4b016f JMP 0x71ab4c2c
0x02aa008e 8bff MOV EDI, EDI
0x02aa0090 55 PUSH EBP
0x02aa0091 8bec MOV EBP, ESP
0x02aa0093 e96768016f JMP 0x71ab68ff
0x02aa0098 8bff MOV EDI, EDI
0x02aa009a 55 PUSH EBP
0x02aa009b 8bec MOV EBP, ESP
0x02aa009d e9598b977b JMP 0x7e418bfb
0x02aa00a2 8bff MOV EDI, EDI
0x02aa00a4 55 PUSH EBP
0x02aa00a5 8bec MOV EBP, ESP
0x02aa00a7 e9130d997b JMP 0x7e430dbf
0x02aa00ac 8bff MOV EDI, EDI
0x02aa00ae 55 PUSH EBP
**************************************************
Process: explorer.exe Pid: 1752 Address: 0x3080000
Vad Tag: VadS Protection: EXECUTE_READWRITE
Flags: CommitCharge: 52, MemCommit: 1, PrivateMemory: 1, Protection: 6
0x3080000 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 MZ..............
0x3080010 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 ........@.......
0x3080020 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0x3080030 00 00 00 00 00 00 00 00 00 00 00 00 c0 00 00 00 ................
0x03080000 4d DEC EBP
0x03080001 5a POP EDX
0x03080002 90 NOP
0x03080003 0003 ADD [EBX], AL
0x03080005 0000 ADD [EAX], AL
0x03080007 000400 ADD [EAX+EAX], AL
0x0308000a 0000 ADD [EAX], AL
0x0308000c ff DB 0xff
0x0308000d ff00 INC DWORD [EAX]
0x0308000f 00b800000000 ADD [EAX+0x0], BH
0x03080015 0000 ADD [EAX], AL
0x03080017 004000 ADD [EAX+0x0], AL
0x0308001a 0000 ADD [EAX], AL
0x0308001c 0000 ADD [EAX], AL
0x0308001e 0000 ADD [EAX], AL
memdump
View SourceDump windows processes.
Plugin Arguments
all | Use the entire range of address space. (type: Boolean)
|
coalesce | Merge contiguous pages into larger ranges. (type: Boolean)
|
dump_dir | Path suitable for dumping files. (type: String) |
eprocess | Kernel addresses of eprocess structs. (type: ArrayIntParser)
|
method | Method to list processes. (type: ChoiceArray)
|
pids | One or more pids of processes to select. (type: ArrayIntParser)
|
proc_regex | A regex to select a process by name. (type: RegEx) |
verbosity | An integer reflecting the amount of desired output: 0 = quiet, 10 = noisy. (type: IntParser)
|
To dump all addressable memory in a process, use the memdump plugin. This plugin enumerates the process page tables and writes them out into an external file. An index file is also created which can be used to find the virtual address of each byte in the output file.
You would typically use this output file in order to scan for e.g. virus signatures or other patterns in tools which do not understand virtual memory mappings.
The plugin accepts all the usual process filtering commands (e.g. by pid, proc_regex etc). Additionally if no filtering command is specified the plugin dumps the kernel’s address space. (You can dump all processes by providing a proc_regex of ‘.’).
Notes
-
This plugin is very similar to the vaddump plugin, except that it dumps the page table, and not only the VAD tree. This plugin actually contains all memory currently accessible to the process (despite any possible manipulation of the VAD tree).
-
The process’s virtual address space is typically fragmented and had large, unmapped gaps in it. Therefore this plugin does not just zero fill these gaps, rather it writes all addressable memory directly to the output file. This means that contiguous memory in the output file is not necessarily contiguous in memory.
-
To find out where a particular byte in the output file maps in the process virtual memory, check the index file (Example below).
-
Note that processes typically alway map the kernel in the upper memory region (i.e. above the symbol
MmHighestUserAddress. This plugin does not dump the kernel portion of the address space, unless the –all parameter is specified.
Sample output
win7.elf 00:30:52> memdump pid=2912, dump_dir="/tmp/"
-----------------> memdump(pid=2912, dump_dir="/tmp/")
**************************************************
Writing vol.exe 0xfa8002193060 to vol.exe_2912.dmp
win7.elf 00:30:55> ls -l /tmp/vol.exe_2912.dmp -h
-rw-r----- 1 scudette staff 2.2M Jun 18 00:30 /tmp/vol.exe_2912.dmp
win7.elf 00:30:59> less /tmp/vol.exe_2912.dmp.idx
File Address Length Virtual Addr
-------------- -------------- --------------
0x000000000000 0x000000001000 0x000000010000
0x000000001000 0x000000001000 0x000000020000
0x000000002000 0x000000001000 0x000000021000
0x000000003000 0x000000001000 0x00000002f000
0x000000004000 0x000000001000 0x000000040000
0x000000005000 0x000000001000 0x000000050000
0x000000006000 0x000000001000 0x000000051000
memmap
View SourceCalculates the memory regions mapped by a process.
Plugin Arguments
all | Use the entire range of address space. (type: Boolean)
|
coalesce | Merge contiguous pages into larger ranges. (type: Boolean)
|
eprocess | Kernel addresses of eprocess structs. (type: ArrayIntParser)
|
method | Method to list processes. (type: ChoiceArray)
|
pids | One or more pids of processes to select. (type: ArrayIntParser)
|
proc_regex | A regex to select a process by name. (type: RegEx) |
verbosity | An integer reflecting the amount of desired output: 0 = quiet, 10 = noisy. (type: IntParser)
|
To enumerate the address space of a process use this plugin.
It is not that useful in practice, unless you want to manually translate a physical address to a virtual address.
Notes
-
It is not often necessary to dump the entire page tables of each process. Instead it is possible to first switch to the process context (using the cc plugin), and then use vtop to translate the virtual address to physical address.
-
Similar to the memdump plugin, we do not dump the kernel address space portion for processes unless the all parameter is specified.
Sample output
win7.elf 00:54:22> memmap pid=2912
-----------------> memmap(pid=2912)
**************************************************
Process: 'vol.exe' pid: 2912
Dumping address space at DTB 0x271ec000
Virtual Physical Size
-------------- -------------- --------------
0x000000010000 0x000007c4c000 0x1000
0x000000020000 0x00000818f000 0x1000
0x000000021000 0x000007e11000 0x1000
0x00000002f000 0x000008010000 0x1000
0x000000040000 0x00002428e000 0x1000
0x000000050000 0x000001e6b000 0x1000
0x000000051000 0x000007f49000 0x1000
mftdump
View SourceEnumerate MFT entries from the cache manager.
Plugin Arguments
verbosity | An integer reflecting the amount of desired output: 0 = quiet, 10 = noisy. (type: IntParser)
|
mimikatz
View SourceExtract and decrypt passwords from the LSA Security Service.
Plugin Arguments
verbosity | An integer reflecting the amount of desired output: 0 = quiet, 10 = noisy. (type: IntParser)
|
moddump
View SourceDump kernel drivers from kernel space.
Plugin Arguments
dump_dir | Path suitable for dumping files. (type: String) |
eprocess | Kernel addresses of eprocess structs. (type: ArrayIntParser)
|
method | Method to list processes. (type: ChoiceArray)
|
out_fd | A file like object to write the output. (type: String) |
pids | One or more pids of processes to select. (type: ArrayIntParser)
|
proc_regex | A regex to select a process by name. (type: RegEx) |
regex | A Regular expression for selecting the dlls to dump. (type: RegEx)
|
verbosity | An integer reflecting the amount of desired output: 0 = quiet, 10 = noisy. (type: IntParser)
|
To extract a kernel module from memory and dump it to disk for analysis, use the moddump command. A regular expression can be specified for the module name to dump.
Note
-
In order to dump any PE file from memory we need the PE header to be memory resident. Often this is not the case, and the header is flushed out of virtual memory.
-
When dumping any binary from memory, it is not usually a perfect binary (i.e. you can not just run it). This is because the Import Address Table (IAT) reflects the patched version in memory and some pages may be missing. The resultant binary is probably only useful to analyses using a tool like IDA pro.
Sample output
In this example we dump the winpmem driver to disk. The winpmem driver loads from a temporary file name (You can see it using the modules plugin.
win8.1.raw 23:27:12> moddump regex="tmp", dump_dir="/tmp"
-------------------> moddump(regex="tmp", dump_dir="/tmp")
Dumping pmeA86F.tmp, Base: f800025ca000 output: driver.f800025ca000.sys
modscan
View SourceScan Physical memory for _LDR_DATA_TABLE_ENTRY objects.
Plugin Arguments
eprocess | Kernel addresses of eprocess structs. (type: ArrayIntParser)
|
limit | The length of data to search in each selected region. (type: IntParser)
|
method | Method to list processes. (type: ChoiceArray)
|
pids | One or more pids of processes to select. (type: ArrayIntParser)
|
proc_regex | A regex to select a process by name. (type: RegEx) |
scan_kernel | Scan the entire kernel address space. (type: Boolean)
|
scan_kernel_code | Scan the kernel image and loaded drivers. (type: Boolean)
|
scan_kernel_nonpaged_pool | Scan the kernel non-paged pool. (type: Boolean)
|
scan_kernel_paged_pool | Scan the kernel paged pool. (type: Boolean)
|
scan_kernel_session_pools | Scan session pools for all processes. (type: Boolean)
|
scan_physical | Scan the physical address space only. (type: Boolean)
|
scan_process_memory | Scan all of process memory. Uses process selectors to narrow down selections. (type: Boolean)
|
verbosity | An integer reflecting the amount of desired output: 0 = quiet, 10 = noisy. (type: IntParser)
|
The modscan command finds LDR_DATA_TABLE_ENTRY structures by scanning physical memory for pool tags. This can pick up previously unloaded drivers and drivers that have been hidden/unlinked by rootkits.
Notes
- Like other pool scanning plugins, this plugin may produce false positives since it essentially carves _LDR_DATA_TABLE_ENTRY structures out of memory. On the other hand, this plugin may reveal files which have been closed or freed.
Sample output
In this example we can identify the pmem driver which was loaded from a temporary location.
win8.1.raw 23:27:24> modscan
-------------------> modscan()
Offset(P) Name Base Size File
-------------- -------------------- -------------- -------------- ----
0x000001ce507e 0x20c483483824 0xebc08b44
0x00003ce163b0 mrxsmb.sys 0xf80002174000 0x6d000 \SystemRoot\system32\DRIVERS\mrxsmb.sys
0x00003ce17610 mrxsmb20.sys 0xf80002000000 0x39000 \SystemRoot\system32\DRIVERS\mrxsmb20.sys
0x00003ce1e830 mpsdrv.sys 0xf8000215d000 0x17000 \SystemRoot\System32\drivers\mpsdrv.sys
0x00003ce4cf30 Ndu.sys 0xf800022cd000 0x1d000 \SystemRoot\system32\drivers\Ndu.sys
0x00003ce4df20 mrxsmb10.sys 0xf80002282000 0x4b000 \SystemRoot\system32\DRIVERS\mrxsmb10.sys
0x00003ce80170 peauth.sys 0xf800022ea000 0xa9000 \SystemRoot\system32\drivers\peauth.sys
0x00003ce8b010 srvnet.sys 0xf8000239e000 0x43000 \SystemRoot\System32\DRIVERS\srvnet.sys
0x00003ce8bc20 secdrv.SYS 0xf80002393000 0xb000 \SystemRoot\System32\Drivers\secdrv.SYS
0x00003ceae280 tcpipreg.sys 0xf800023e1000 0x12000 \SystemRoot\System32\drivers\tcpipreg.sys
0x00003ceae520 srv2.sys 0xf800024ec000 0xad000 \SystemRoot\System32\DRIVERS\srv2.sys
0x00003cec9ee0 0x665602050006 0x0
0x00003ceede60 srv.sys 0xf80002400000 0x98000 \SystemRoot\System32\DRIVERS\srv.sys
0x00003cf44eb0 mslldp.sys 0xf80002498000 0x16000 \SystemRoot\system32\DRIVERS\mslldp.sys
0x00003d144160 rspndr.sys 0xf80001caf000 0x18000 \SystemRoot\system32\DRIVERS\rspndr.sys
0x00003d145a50 lltdio.sys 0xf80001c9b000 0x14000 \SystemRoot\system32\DRIVERS\lltdio.sys
0x00003d18c850 HTTP.sys 0xf80002043000 0xfa000 \SystemRoot\system32\drivers\HTTP.sys
0x00003d29b010 pmeA86F.tmp 0xf800025ca000 0x10000 \??\C:\Users\test\AppData\Local\Temp\pmeA86F.tmp
0x00003d655520 HdAudio.sys 0xf80001d45000 0x66000 \SystemRoot\system32\drivers\HdAudio.sys
0x00003d6593e0 tunnel.sys 0xf800024ae000 0x2d000 \SystemRoot\system32\DRIVERS\tunnel.sys
modules
View SourcePrint list of loaded kernel modules.
Plugin Arguments
name_regex | Filter module names by this regex. (type: RegEx) |
verbosity | An integer reflecting the amount of desired output: 0 = quiet, 10 = noisy. (type: IntParser)
|
To view the list of kernel drivers loaded on the system, use the modules command. This walks the doubly-linked list of _LDR_DATA_TABLE_ENTRY structures pointed to by PsLoadedModuleList.
It cannot find hidden/unlinked kernel drivers, however modscan serves that purpose. Also, since this plugin uses list walking techniques, you typically can assume that the order the modules are displayed in the output is the order they were loaded on the system.
Notes
- The Base address is the location where the kernel module’s PE header is mapped. For example you can examine information about the module’s IAT/EAT using the peinfo plugin, providing the base address.
Sample output
win8.1.raw 23:35:19> modules
-------------------> modules()
Offset (V) Name Base Size File
-------------- -------------------- -------------- -------------- ----
0xe00000057620 ntoskrnl.exe 0xf802d3019000 0x781000 \SystemRoot\system32\ntoskrnl.exe
0xe00000057530 hal.dll 0xf802d379a000 0x6f000 \SystemRoot\system32\hal.dll
0xe000000557c0 storahci.sys 0xf800006d9000 0x1d000 \SystemRoot\System32\drivers\storahci.sys
0xe0000149ade0 mssmbios.sys 0xf800018c4000 0xc000 \SystemRoot\System32\drivers\mssmbios.sys
0xe000013871e0 Npfs.SYS 0xf800008ba000 0x14000 \SystemRoot\System32\Drivers\Npfs.SYS
0xe00000055d50 volmgrx.sys 0xf80000393000 0x5f000 \SystemRoot\System32\drivers\volmgrx.sys
0xe00002145a50 lltdio.sys 0xf80001c9b000 0x14000 \SystemRoot\system32\DRIVERS\lltdio.sys
0xe00000055e40 volmgr.sys 0xf8000045d000 0x15000 \SystemRoot\System32\drivers\volmgr.sys
0xe00000054950 fwpkclnt.sys 0xf80001144000 0x6c000 \SystemRoot\System32\drivers\fwpkclnt.sys
0xe00000054c60 NETIO.SYS 0xf80000d3e000 0x79000 \SystemRoot\system32\drivers\NETIO.SYS
0xe000014b3500 kbdclass.sys 0xf80001a1f000 0x10000 \SystemRoot\System32\drivers\kbdclass.sys
0xe00001339b50 drmk.sys 0xf80001c00000 0x1c000 \SystemRoot\system32\drivers\drmk.sys
0xe00000054b70 ksecpkg.sys 0xf80000db7000 0x34000 \SystemRoot\System32\Drivers\ksecpkg.sys
0xe00000054100 CLASSPNP.SYS 0xf80000800000 0x56000 \SystemRoot\System32\drivers\CLASSPNP.SYS
mutantscan
View SourceScan for mutant objects _KMUTANT
Plugin Arguments
eprocess | Kernel addresses of eprocess structs. (type: ArrayIntParser)
|
limit | The length of data to search in each selected region. (type: IntParser)
|
method | Method to list processes. (type: ChoiceArray)
|
pids | One or more pids of processes to select. (type: ArrayIntParser)
|
proc_regex | A regex to select a process by name. (type: RegEx) |
scan_kernel | Scan the entire kernel address space. (type: Boolean)
|
scan_kernel_code | Scan the kernel image and loaded drivers. (type: Boolean)
|
scan_kernel_nonpaged_pool | Scan the kernel non-paged pool. (type: Boolean)
|
scan_kernel_paged_pool | Scan the kernel paged pool. (type: Boolean)
|
scan_kernel_session_pools | Scan session pools for all processes. (type: Boolean)
|
scan_physical | Scan the physical address space only. (type: Boolean)
|
scan_process_memory | Scan all of process memory. Uses process selectors to narrow down selections. (type: Boolean)
|
verbosity | An integer reflecting the amount of desired output: 0 = quiet, 10 = noisy. (type: IntParser)
|
This plugin uses pool scanning techniques to find _KMUTANT objects.
Mutants implement a “named semaphore” in windows. This is used by malware to ensure only a single copy of the malware is running at the same time. By analyzing the name of the Mutant that a specific malware strand is using it is possible to tell immediately if the malware is running on the machine.
For more information, see Andreas Schuster’s Searching for Mutants.
Notes
-
Like other pool scanning plugins, this plugin may produce false positives since it essentially carves _KMUTANT structures out of memory.
-
It is more efficient to search for named mutants using the object_tree plugin - since it does not use pool scanning techniques.
-
When inspecting the output, the #Hnd column indicates the number of handles to this _KMUTANT. Objects in use will have a non zero value here and are likely to not be freed.
Sample output
win8.1.raw 23:46:56> mutantscan scan_in_kernel=1
-------------------> mutantscan(scan_in_kernel=1)
Offset(P) #Ptr #Hnd Signal Thread CID Name
- -------------- ------ ---- ------ -------------- --------- ----
0xe0000007f810 3 2 1 0x000000000000 C::Users:test:AppData:Local:Microsoft:Windows:Explorer:thumbcache_sr.db!dfMaintainer
0xe0000007f8d0 3 2 1 0x000000000000 C::Users:test:AppData:Local:Microsoft:Windows:Explorer:thumbcache_1600.db!dfMaintainer
0xe000000b8d00 32722 1 1 0x000000000000 BcdSyncMutant
0xe00000624240 32769 1 0 0xe00000624700 556:1396 F659A567-8ACB-4E4A-92A7-5C2DD1884F72
0xe000006f4a60 32768 1 0 0xe000006dc080 2332:2460 Instance2: ESENT Performance Data Schema Version 255
0xe00001253080 32768 1 0 0xe000007fd080 880:3144 Instance3: ESENT Performance Data Schema Version 255
0xe00001262360 2 1 1 0x000000000000 ARC_AppRepSettings_Mutex
0xe00001272530 5 4 1 0x000000000000 C::Users:test:AppData:Local:Microsoft:Windows:Explorer:iconcache_1024.db!dfMaintainer
0xe000012725f0 5 4 1 0x000000000000 C::Users:test:AppData:Local:Microsoft:Windows:Explorer:iconcache_256.db!dfMaintainer
0xe000012726b0 5 4 1 0x000000000000 C::Users:test:AppData:Local:Microsoft:Windows:Explorer:iconcache_96.db!dfMaintainer
0xe00001272770 5 4 1 0x000000000000 C::Users:test:AppData:Local:Microsoft:Windows:Explorer:iconcache_48.db!dfMaintainer
0xe00001272ac0 131007 4 1 0x000000000000 C::Users:test:AppData:Local:Microsoft:Windows:Explorer:iconcache_32.db!dfMaintainer
0xe0000128e1e0 131005 4 1 0x000000000000 C::Users:test:AppData:Local:Microsoft:Windows:Explorer:iconcache_16.db!dfMaintainer
0xe0000129a2c0 32734 1 1 0x000000000000 SmartScreen_AppRepSettings_Mutex
0xe000012c7950 131061 4 1 0x000000000000 C::Users:test:AppData:Local:Microsoft:Windows:Explorer:iconcache_idx.db!IconCacheInit
0xe000012c7a10 5 4 1 0x000000000000 C::Users:test:AppData:Local:Microsoft:Windows:Explorer:iconcache_wide_alternate.db!dfMaintainer
0xe000012c7ad0 5 4 1 0x000000000000 C::Users:test:AppData:Local:Microsoft:Windows:Explorer:iconcache_exif.db!dfMaintainer
0xe000012c7b90 5 4 1 0x000000000000 C::Users:test:AppData:Local:Microsoft:Windows:Explorer:iconcache_wide.db!dfMaintainer
0xe000012c7c50 5 4 1 0x000000000000 C::Users:test:AppData:Local:Microsoft:Windows:Explorer:iconcache_sr.db!dfMaintainer
...
netscan
View SourceScan a Vista, 2008 or Windows 7 image for connections and sockets
Plugin Arguments
eprocess | Kernel addresses of eprocess structs. (type: ArrayIntParser)
|
limit | The length of data to search in each selected region. (type: IntParser)
|
method | Method to list processes. (type: ChoiceArray)
|
pids | One or more pids of processes to select. (type: ArrayIntParser)
|
proc_regex | A regex to select a process by name. (type: RegEx) |
scan_kernel | Scan the entire kernel address space. (type: Boolean)
|
scan_kernel_code | Scan the kernel image and loaded drivers. (type: Boolean)
|
scan_kernel_nonpaged_pool | Scan the kernel non-paged pool. (type: Boolean)
|
scan_kernel_paged_pool | Scan the kernel paged pool. (type: Boolean)
|
scan_kernel_session_pools | Scan session pools for all processes. (type: Boolean)
|
scan_physical | Scan the physical address space only. (type: Boolean)
|
scan_process_memory | Scan all of process memory. Uses process selectors to narrow down selections. (type: Boolean)
|
tcpip_guid | Force this profile to be used for tcpip. |
verbosity | An integer reflecting the amount of desired output: 0 = quiet, 10 = noisy. (type: IntParser)
|
netstat
View SourcePrint the active network connections.
Plugin Arguments
verbosity | An integer reflecting the amount of desired output: 0 = quiet, 10 = noisy. (type: IntParser)
|
netstat
View SourceEnumerate image for connections and sockets
Plugin Arguments
tcpip_guid | Force this profile to be used for tcpip. |
verbosity | An integer reflecting the amount of desired output: 0 = quiet, 10 = noisy. (type: IntParser)
|
object_tree
View SourceVisualize the kernel object tree.
Ref: http://msdn.microsoft.com/en-us/library/windows/hardware/ff557762(v=vs.85).aspx
Plugin Arguments
type_regex | Filter the type of objects shown. (type: RegEx)
|
verbosity | An integer reflecting the amount of desired output: 0 = quiet, 10 = noisy. (type: IntParser)
|
The windows kernel has the notion of a Kernel Object. Objects are managed by the kernel through a dedicated API. Kernel Objects are typically used to manage resources which the kernel manages on behalf of user space, for example, open files are managed via the _FILE_OBJECT object.
Objects can be named using a directory structure not unlike a filesystem. Objects are placed inside an _OBJECT_DIRECTORY object which contains other objects, including other directories. This means that named kernel objects forma tree in memory.
It is possible to discover all currently in-use named objects by following this object tree in memory, which is what this plugin does. This is an alternative to the scanning approach employed by plugins like psscan, driverscan etc.
Notes
-
The object tree only tracks named objects. So for example Process objects are typically not tracked here, but Mutants, SymbolicLinks etc are.
-
It is possible to filter objects by types. So for example to enumerate all Mutants one would use the type_regex=”Mutant” option.
-
SymbolicLinks also contain the timestamp when they were created. Note that SymbolicLinks are typically used to provide userspace access to a kernel driver (via the CreateFile api), so a timestamp here is a good indication of when a driver was loaded.
Sample output
# Enumeate all drivers
win7.elf 01:25:12> object_tree type_regex="Driver"
-----------------> object_tree(type_regex="Driver")
_OBJECT_HEADER Type Name
-------------- -------------------- --------------------
0xfa80025e5d10 Driver . mrxsmb10
0xfa80025e1190 Driver . mrxsmb
0xfa8001953940 Driver . mrxsmb20
....
# We can examine a specific object using the virtual offset.
win7.elf 01:28:18> x=profile._OBJECT_HEADER(0xfa80019fb8d0)
win7.elf 01:28:34> print x.get_object_type()
Driver
# We can dereference the exact object contained in this header (in this case
# _DRIVER_OBJECT.
win7.elf 01:28:40> print x.Object
[_DRIVER_OBJECT _DRIVER_OBJECT] @ 0xFA80019FB900
0x00 Type [short:Type]: 0x00000004
0x02 Size [short:Size]: 0x00000150
0x08 DeviceObject <_DEVICE_OBJECT Pointer to [0xFA80019FB550] (DeviceObject)>
0x10 Flags [unsigned long:Flags]: 0x00000012
0x18 DriverStart <Void Pointer to [0xF88003B45000] (DriverStart)>
0x20 DriverSize [unsigned long:DriverSize]: 0x0000B000
0x28 DriverSection <Void Pointer to [0xFA80019FB7C0] (DriverSection)>
0x30 DriverExtension <_DRIVER_EXTENSION Pointer to [0xFA80019FBA50] (DriverExtension)>
0x38 DriverName [_UNICODE_STRING DriverName] @ 0xFA80019FB938 (\Driver\rdpbus)
0x48 HardwareDatabase <_UNICODE_STRING Pointer to [0xF80002B59558] (HardwareDatabase)>
0x50 FastIoDispatch <_FAST_IO_DISPATCH Pointer to [0x00000000] (FastIoDispatch)>
0x58 DriverInit <Function Pointer to [0xF88003B4D1B0] (DriverInit)>
0x60 DriverStartIo <Function Pointer to [0x00000000] (DriverStartIo)>
0x68 DriverUnload <Function Pointer to [0xF88003B4B480] (DriverUnload)>
0x70 MajorFunction <IndexedArray 28 x Pointer @ 0xFA80019FB970>
win7.elf 01:29:01> print x.Object.DriverName
\Driver\rdpbus
In the next example we search for SymbolicLinks for the pmem device and discover when the pmem driver was loaded.
win7.elf 01:38:53> object_tree type_regex="Symbolic"
0xf8a0003a58a0 SymbolicLink . Root#MS_PPPOEMINIPORT#0000#{cac88484-7515-4c03-82e6-71a87abac361}-> \Device\00000034 (2012-10-01 21:39:55+0000)
0xf8a0003c1030 SymbolicLink . Root#*ISATAP#0000#{ad498944-762f-11d0-8dcb-00c04fc3358c}-> \Device\00000001 (2012-10-01 21:39:51+0000)
0xf8a00007fda0 SymbolicLink . WMIAdminDevice-> \Device\WMIAdminDevice (2012-10-01 21:39:45+0000)
0xf8a0056e8dd0 SymbolicLink . pmem-> \Device\pmem (2012-10-01 14:40:44+0000)
0xf8a0001111c0 SymbolicLink . Root#MS_NDISWANIP#0000#{cac88484-7515-4c03-82e6-71a87abac361}-> \Device\00000032 (2012-10-01 21:39:55+0000)
0xf8a0003bef20 SymbolicLink . Root#MS_NDISWANBH#0000#{cac88484-7515-4c03-82e6-71a87abac361}-> \Device\00000031 (2012-10-01 21:39:55+0000)
0xf8a000006f40 SymbolicLink . Global-> \GLOBAL?? (2012-10-01 21:39:45+0000)
object_types
View SourceDisplays all object Types on the system.
Plugin Arguments
verbosity | An integer reflecting the amount of desired output: 0 = quiet, 10 = noisy. (type: IntParser)
|
The windows kernel has the notion of a Kernel Object. Objects are managed by the kernel through a dedicated API. Kernel Objects are typically used to manage resources which the kernel manages on behalf of user space, for example, open files are managed via the _FILE_OBJECT object.
There is a fixed number of kernel objects, each is described by an _OBJECT_TYPE structure, the address of which can be found at the ObpObjectTypes symbol.
Notes
-
Each time a new object is created by the kernel, the Number of Objects count increases. For every free’s object, this number decreases. The counter therefore represents the total number of active instances of this object type.
-
The number of kernel objects varies between windows kernel version. In order to find the size of the ObpObjectTypes array, Rekall uses the reference count on the Type object type - each kernel object type has a unique _OBJECT_TYPE structure.
-
The Number of Objects count also has forensic significance. For example the total number of Process objects represents the total number of _EPROCESS structures in current use (Note that a process may be terminated but the _EPROCESS is still kept in use).
Sample output
The below output indicates that there should be 41 processes active, and 548 threads.
win7.elf 01:39:36> object_types
-----------------> object_types()
Index Number Objects PoolType Name
----- --------------- --------------- ----
2 42 NonPagedPool Type
3 40 PagedPool Directory
4 173 PagedPool SymbolicLink
5 704 PagedPool Token
6 3 NonPagedPool Job
7 41 NonPagedPool Process
8 548 NonPagedPool Thread
9 0 NonPagedPool UserApcReserve
10 1 NonPagedPool IoCompletionReserve
...
pagefiles
View SourceReport all the active pagefiles.
Plugin Arguments
verbosity | An integer reflecting the amount of desired output: 0 = quiet, 10 = noisy. (type: IntParser)
|
pas2vas
View SourceResolves a physical address to a virtual addrress in a process.
Plugin Arguments
eprocess | Kernel addresses of eprocess structs. (type: ArrayIntParser)
|
method | Method to list processes. (type: ChoiceArray)
|
offsets | A list of physical offsets to resolve. (type: ArrayIntParser) |
pids | One or more pids of processes to select. (type: ArrayIntParser)
|
proc_regex | A regex to select a process by name. (type: RegEx) |
verbosity | An integer reflecting the amount of desired output: 0 = quiet, 10 = noisy. (type: IntParser)
|
In virtual (or protected) mode, the CPU can not access physical memory directly. Instead each memory access made by the CPU is translated using the MMU into a relevant physical address. This translation is controlled by page tables loaded in the memory address controlled by the CR3 register.
Each processes has a unique page table structure, and therefore a unique view of physical memory. In order to know what physical address is mapped to each virtual address you can use the vtop plugin. However, the reverse mapping is not so simple - there can be many virtual addresses mapped to the same physical address.
This plugin enumerates all virtual to physical mappings in one or more processes. It then builds a large lookup table in memory to be able to reverse the mapping. i.e. given a physical address, the plugin is able to determine the virtual address that maps to it, and in which processes it exists.
Forensically this can be used if you find an interesting string in the physical image (e.g. with a hex editor) and want to know which process has that physical memory mapped. Another use case is to detect shared memory between multiple processes.
Notes
-
This plugin only enumerates the userspace portion of the process address space (since all processes share the same kernel address space).
-
The plugin may take a while to run while it builds its lookup table. The next time you run it it should be very fast. The lookup map is also stored in the session cache so you can use the -s parameter to store the session for next time.
Sample output
In the following we see that the process vol.exe is a Wow64 process and maps
\Windows\SysWOW64\ws2_32.dll. We want to know who else is using this dll. We
first find the physical address of the mapped dll (note we need to switch to the
correct process context first), then we use the pas2vas plugin to determine
which other process has that physical page mapped.
win7.elf 12:29:35> pslist
Offset (V) Name PID PPID Thds Hnds Sess Wow64 Start Exit
-------------- -------------------- ------ ------ ------ -------- ------ ------ ------------------------ ------------------------
...
0xfa8002193060 vol.exe 2912 2644 1 19 1 True 2012-10-01 14:41:03+0000 -
0xfa80017f9060 vol.exe 2920 2912 4 169 1 True 2012-10-01 14:41:03+0000 -
win7.elf 12:29:59> vad 2912
-----------------> vad(2912)
**************************************************
Pid: 2912 vol.exe
VAD lev start end com - - Protect Filename
-------------- --- -------------- -------------- ---- ------- ------ -------------------- --------
0xfa80026f9d80 1 0x74400 0x7443e 3 Mapped Exe EXECUTE_WRITECOPY \Windows\System32\wow64.dll
...
0xfa80021da200 3 0x766c0 0x766f4 2 Mapped Exe EXECUTE_WRITECOPY \Windows\SysWOW64\ws2_32.dll
0xfa80026eb5e0 4 0x75ef0 0x75fdf 2 Mapped Exe EXECUTE_WRITECOPY \Windows\SysWOW64\rpcrt4.dll
...
0xfa80028f59d0 5 0x7fff0 0x7fffffef -1 Private READONLY
win7.elf 12:30:08> cc 2912
Switching to process context: vol.exe (Pid 2912@0xfa8002193060)
win7.elf 12:32:45> vtop 0x766c0000
-----------------> vtop(0x766c0000)
Virtual 0x766c0000 Page Directory 0x271ec000
pml4e@ 0x271ec000 = 0x70000008844867
pdpte@ 0x8844008 = 0x80000007845867
pde@ 0x7845d98 = 0x7b55847
pte@ 0x7b55600 = 0x1a58f005
PTE mapped@ 0x7b55600 = 0x1a58f000
Physical Address 0x1a58f000
win7.elf 12:32:53> pas2vas 0x1a58f000
Physical Virtual Pid Name
-------------- -------------- ------ ----
0x00001a58f000 0x0000766c0000 2616 Console.exe
0x00001a58f000 0x0000766c0000 2920 vol.exe
0x00001a58f000 0x0000766c0000 2912 vol.exe
We see that Console.exe also maps the same dll - probably since it is also a
Wow64 process which requires network access.
pedump
View SourceDump a PE binary from memory.
Plugin Arguments
address_space | The address space to use. (type: AddressSpace) |
image_base | The address of the image base (dos header). (type: SymbolAddress) |
out_fd | A file like object to write the output. (type: String) |
out_file | The file name to write. (type: String) |
verbosity | An integer reflecting the amount of desired output: 0 = quiet, 10 = noisy. (type: IntParser)
|
Windows executable files (PE Files) are mapped into memory from disk. This plugin can dump arbitrary PE files from memory (whether they are executables, DLLs, kernel modules etc). All we require is the PE file’s mapped base addresses (i.e. the location in the virtual address space where the MZ header resides.
The image_base offset can be specified using a named address as usual. So for example, to specify a kernel module it is sufficient to just name it (e.g. pedump “nt” - will dump the kernel image).
This plugin is used by the dlldump, moddump, procdump etc plugins.
Note
-
In order to dump any PE file from memory we need the PE header to be memory resident. Often this is not the case, and the header is flushed out of virtual memory. In this case it is still possible to dump parts of the PE image using the vaddump plugin.
-
When dumping any binary from memory, it is not usually a perfect binary (i.e. you can not just run it). This is because the Import Address Table (IAT) reflects the patched version in memory and some pages may be missing. The resultant binary is probably only useful to analyses using a tool like IDA pro.
peinfo
View SourcePrint information about a PE binary.
Plugin Arguments
address_space | The address space to use. (type: String) |
executable | If provided we create an address space from this file. (type: String) |
image_base | The base of the image. (type: SymbolAddress) |
verbosity | An integer reflecting the amount of desired output: 0 = quiet, 10 = noisy. (type: IntParser)
|
The peinfo plugin examines a PE file mapped into memory and displays a rich variety of information about it:
- Metadata about the file (architecture, build date etc)
- The PDB guid for the file.
- The list of sections and where they are mapped into the virtual address space
- The import directory.
- The export directory.
- A version resource strings that might exist in the executable.
Notes
-
This plugin depends on having a valid mapped PE header into memory. Sometimes this is not the case, since under memory pressure the kernel will unmapped the PE headers (since they are not needed after loading).
-
This plugin also works on disk files (PE executable). Simply pass a filename parameter to have it print information about external files.
Sample output
win8.1.raw 15:11:02> peinfo "nt"
-------------------> peinfo("nt")
Attribute Value
-------------------- -----
Machine IMAGE_FILE_MACHINE_AMD64
TimeDateStamp 2013-09-14 08:23:16+0000
Characteristics IMAGE_FILE_EXECUTABLE_IMAGE, IMAGE_FILE_LARGE_ADDRESS_AWARE
GUID/Age FD3D00D28EDC4527BB922BCC0509D2851
PDB ntkrnlmp.pdb
MajorOperatingSystemVersion 6
MinorOperatingSystemVersion 3
MajorImageVersion 6
MinorImageVersion 3
MajorSubsystemVersion 6
MinorSubsystemVersion 3
Sections (Relative to 0xF802D3019000):
Perm Name VMA Size
---- -------- -------------- --------------
xr- .text 0x000000001000 0x00000028d600
xr- NONPAGED 0x00000028f000 0x000000000200
xr- POOLCODE 0x000000290000 0x000000002800
-rw .data 0x000000293000 0x00000000be00
-r- .reloc 0x000000778000 0x000000008e00
...
Data Directories:
- VMA Size
---------------------------------------- -------------- --------------
IMAGE_DIRECTORY_ENTRY_EXPORT 0xf802d36ab000 0x0000000135ff
IMAGE_DIRECTORY_ENTRY_IMPORT 0xf802d335b728 0x00000000012c
IMAGE_DIRECTORY_ENTRY_RESOURCE 0xf802d375f000 0x000000031d20
IMAGE_DIRECTORY_ENTRY_EXCEPTION 0xf802d331c000 0x00000003ed6c
IMAGE_DIRECTORY_ENTRY_SECURITY 0xf802d3725e00 0x000000002158
IMAGE_DIRECTORY_ENTRY_BASERELOC 0xf802d3791000 0x000000003cd4
IMAGE_DIRECTORY_ENTRY_DEBUG 0xf802d301a100 0x000000000038
IMAGE_DIRECTORY_ENTRY_COPYRIGHT 0x000000000000 0x000000000000
IMAGE_DIRECTORY_ENTRY_GLOBALPTR 0x000000000000 0x000000000000
IMAGE_DIRECTORY_ENTRY_TLS 0x000000000000 0x000000000000
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG 0xf802d3033f20 0x000000000094
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT 0x000000000000 0x000000000000
IMAGE_DIRECTORY_ENTRY_IAT 0xf802d335b000 0x000000000728
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT 0x000000000000 0x000000000000
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR 0x000000000000 0x000000000000
IMAGE_DIRECTORY_ENTRY_RESERVED 0x000000000000 0x000000000000
Import Directory (Original):
Name Ord
-------------------------------------------------- -----
ext-ms-win-ntos-werkernel-l1-1-0.dll!WerLiveKernelCloseHandle 1
ext-ms-win-ntos-werkernel-l1-1-0.dll!WerLiveKernelOpenDumpFile 4
ext-ms-win-ntos-werkernel-l1-1-0.dll!WerLiveKernelCancelReport 0
ext-ms-win-ntos-werkernel-l1-1-0.dll!WerLiveKernelInitSystem 3
...
msrpc.sys!MesDecodeBufferHandleCreate 11
msrpc.sys!NdrMesTypeDecode3 45
Export Directory:
Entry Stat Ord Name
-------------- ---- ----- --------------------------------------------------
0xf802d30ed1f4 M 3 ntoskrnl.exe!AlpcGetHeaderSize (nt!AlpcGetHeaderSize)
0xf802d30ed080 M 4 ntoskrnl.exe!AlpcGetMessageAttribute (nt!AlpcGetMessageAttribute)
0xf802d30ed19c M 5 ntoskrnl.exe!AlpcInitializeMessageAttribute (nt!AlpcInitializeMessageAttribute)
0xf802d36a4004 - 6 ntoskrnl.exe!BgkDisplayCharacter (nt!BgkDisplayCharacter)
0xf802d36a40b8 - 7 ntoskrnl.exe!BgkGetConsoleState (nt!BgkGetConsoleState)
0xf802d36a40e0 - 8 ntoskrnl.exe!BgkGetCursorState (nt!BgkGetCursorState)
0xf802d36a4108 - 9 ntoskrnl.exe!BgkSetCursor (nt!BgkSetCursor)
0xf802d31d23c8 M 10 ntoskrnl.exe!CcAddDirtyPagesToExternalCache (nt!CcAddDirtyPagesToExternalCache)
0xf802d3106888 M 11 ntoskrnl.exe!CcCanIWrite (nt!CcCanIWrite)
...
pfn
View SourcePrints information about an address from the PFN database.
Plugin Arguments
pfn | The PFN to examine. (type: IntParser) |
verbosity | An integer reflecting the amount of desired output: 0 = quiet, 10 = noisy. (type: IntParser)
|
phys_map
View SourcePrints the boot physical memory map.
Plugin Arguments
verbosity | An integer reflecting the amount of desired output: 0 = quiet, 10 = noisy. (type: IntParser)
|
This plugin will simply print the kernels idea of the physical memory layout on a machine. Typically the physical address space is not contiguous (i.e. does not have RAM chip mapping all address ranges between 0 and the maximum number). This is because the BIOS needs to leave gaps for DMA devices to be mapped.
The BIOS sets up an initial mapping and communicates the mapping to the kernel through a BIOS service call (Or EFI call) which can be done while the kernel still boots (In real mode). The kernel then keeps this information and returns it through the MmGetPhysicalMemoryRanges() function.
Notes
- It is rather easy to manipulate this information to subvert acquisition. Most acquisition tools use this information to determine where it is safe to read and to avoid reading from DMA mapped memory.
Sample output
win8.1.raw 15:19:26> phys_map
-------------------> phys_map()
Phys Start Phys End Number of Pages
-------------- -------------- ---------------
0x000000001000 0x00000009f000 158
0x000000100000 0x000000102000 2
0x000000103000 0x00003fff0000 261869
pool_tracker
View SourceEnumerate pool tag usage statistics.
Plugin Arguments
verbosity | An integer reflecting the amount of desired output: 0 = quiet, 10 = noisy. (type: IntParser)
|
The Windows kernel allocates memory from a shared pool. In order to track memory
leaks and to aid in debugging, pool allocations typically have fixed tags
indicating the component which allocated the memory. For example, in windows 8,
allocating an _EPROCESS struct will result in a pool allocation with a tag of
Proc.
To aid in debugging, Windows tracks pool allocation in a special table found by the symbol PoolTrackTable. This table can show the total number of allocation and deallocations associated with a particular pool tag.
From a forensic point of view, this information can be useful to assess the number of outstanding allocations. For example we can see how many live processes we expect to be preset.
Notes
- Just because the process is terminated does not mean the _EPROCESS structure is immediately deallocated. Windows might keep these structures alive for some time for various reasons. A discrepancy here is at best a hint that something does’nt add up.
Sample output
win8.1.raw 15:29:07> pool_tracker
Tag NP Alloc NP Bytes P Alloc P Bytes
---- -------------------- ---------- -------------------- ----------
DMV 1 (0) 0 0 (0) 0
8042 6 (4) 4048 12 (0) 0
ACPI 4 (0) 0 0 (0) 0
AFGp 1 (0) 0 0 (0) 0
ALPC 3211 (770) 434240 0 (0) 0
ARFT 0 (0) 0 151 (3) 192
AcpA 2 (2) 160 0 (0) 0
AcpB 0 (0) 0 121 (0) 0
...
Pprl 0 (0) 0 3 (0) 0
Ppsu 0 (0) 0 1394 (223) 18512
Prcr 5 (4) 5440 13 (0) 0
Proc 137 (48) 91328 0 (0) 0
PsFn 136 (0) 0 0 (0) 0
...
win8.1.raw 15:36:40> pslist
-------------------> pslist()
Offset (V) Name PID PPID Thds Hnds Sess Wow64 Start Exit
-------------- -------------------- ------ ------ ------ -------- ------ ------ ------------------------ ------------------------
DEBUG:root:Listed 48 processes using PsActiveProcessHead
DEBUG:root:Listed 43 processes using CSRSS
DEBUG:root:Listed 47 processes using PspCidTable
DEBUG:root:Listed 45 processes using Sessions
DEBUG:root:Listed 45 processes using Handles
...
In the above example we see that there are 48 outstanding _EPROCESS objects and there are 48 members in the PsActiveProcessHead list.
pools
View SourcePrints information about system pools.
Ref: http://illmatics.com/Windows%208%20Heap%20Internals.pdf https://media.blackhat.com/bh-dc-11/Mandt/BlackHat_DC_2011_Mandt_kernelpool-wp.pdf https://immunityinc.com/infiltrate/archives/kernelpool_infiltrate2011.pdf http://gate.upm.ro/os/LABs/Windows_OS_Internals_Curriculum_Resource_Kit-ACADEMIC/WindowsResearchKernel-WRK/WRK-v1.2/base/ntos/ex/pool.c
Plugin Arguments
verbosity | An integer reflecting the amount of desired output: 0 = quiet, 10 = noisy. (type: IntParser)
|
privileges
View SourcePrints process privileges.
Plugin Arguments
eprocess | Kernel addresses of eprocess structs. (type: ArrayIntParser)
|
method | Method to list processes. (type: ChoiceArray)
|
pids | One or more pids of processes to select. (type: ArrayIntParser)
|
proc_regex | A regex to select a process by name. (type: RegEx) |
verbosity | An integer reflecting the amount of desired output: 0 = quiet, 10 = noisy. (type: IntParser)
|
procdump
View SourceDump a process to an executable file sample
Plugin Arguments
dump_dir | Path suitable for dumping files. (type: String) |
eprocess | Kernel addresses of eprocess structs. (type: ArrayIntParser)
|
method | Method to list processes. (type: ChoiceArray)
|
out_fd | A file like object to write the output. (type: String) |
pids | One or more pids of processes to select. (type: ArrayIntParser)
|
proc_regex | A regex to select a process by name. (type: RegEx) |
verbosity | An integer reflecting the amount of desired output: 0 = quiet, 10 = noisy. (type: IntParser)
|
This plugin dumps the mapped PE files associated with a windows process. It is equivalent to calling pedump with an image base corresponding to the VAD section of the main process executable.
The procdump plugin is a thin wrapper around the pedump plugin.
Sample output
win7.elf 14:42:55> procdump proc_regex="csrss", dump_dir="/tmp/"
**************************************************
Dumping csrss.exe, pid: 348 output: executable.csrss_exe_348.exe
**************************************************
Dumping csrss.exe, pid: 396 output: executable.csrss_exe_396.exe
procinfo
View SourceDump detailed information about a running process.
Plugin Arguments
eprocess | Kernel addresses of eprocess structs. (type: ArrayIntParser)
|
method | Method to list processes. (type: ChoiceArray)
|
pids | One or more pids of processes to select. (type: ArrayIntParser)
|
proc_regex | A regex to select a process by name. (type: RegEx) |
verbosity | An integer reflecting the amount of desired output: 0 = quiet, 10 = noisy. (type: IntParser)
|
The procinfo plugin displays basic information about a process. It takes all the usual process selectors (e.g. pid, name etc) and prints information about the PE file (using peinfo) as well as the process environment strings.
Sample output
win7.elf 14:43:15> procinfo proc_regex="csrss"
**************************************************
Pid: 348 csrss.exe
Process Environment
ComSpec=C:\Windows\system32\cmd.exe
FP_NO_HOST_CHECK=NO
NUMBER_OF_PROCESSORS=1
OS=Windows_NT
Path=C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC
PROCESSOR_ARCHITECTURE=AMD64
PROCESSOR_IDENTIFIER=Intel64 Family 6 Model 37 Stepping 2, GenuineIntel
PROCESSOR_LEVEL=6
PROCESSOR_REVISION=2502
PSModulePath=C:\Windows\system32\WindowsPowerShell\v1.0\Modules\
SystemDrive=C:
SystemRoot=C:\Windows
TEMP=C:\Windows\TEMP
TMP=C:\Windows\TEMP
USERNAME=SYSTEM
windir=C:\Windows
PE Infomation
Attribute Value
-------------------- -----
Machine IMAGE_FILE_MACHINE_AMD64
TimeDateStamp 2009-07-13 23:19:49+0000
Characteristics IMAGE_FILE_EXECUTABLE_IMAGE, IMAGE_FILE_LARGE_ADDRESS_AWARE
GUID/Age E8979C26A0EE47A69575E54FA6C7F6BE1
PDB csrss.pdb
MajorOperatingSystemVersion 6
MinorOperatingSystemVersion 1
MajorImageVersion 6
MinorImageVersion 1
MajorSubsystemVersion 6
MinorSubsystemVersion 1
Sections (Relative to 0x497B0000):
Perm Name VMA Size
---- -------- -------------- --------------
xr- .text 0x000000001000 0x000000000c00
-rw .data 0x000000002000 0x000000000200
-r- .pdata 0x000000003000 0x000000000200
-r- .rsrc 0x000000004000 0x000000000800
-r- .reloc 0x000000005000 0x000000000200
Data Directories:
- VMA Size
---------------------------------------- -------------- --------------
IMAGE_DIRECTORY_ENTRY_EXPORT 0x000000000000 0x000000000000
IMAGE_DIRECTORY_ENTRY_IMPORT 0x0000497b17c4 0x00000000003c
IMAGE_DIRECTORY_ENTRY_RESOURCE 0x0000497b4000 0x0000000007f8
IMAGE_DIRECTORY_ENTRY_EXCEPTION 0x0000497b3000 0x00000000003c
IMAGE_DIRECTORY_ENTRY_SECURITY 0x000000000000 0x000000000000
IMAGE_DIRECTORY_ENTRY_BASERELOC 0x0000497b5000 0x00000000000c
IMAGE_DIRECTORY_ENTRY_DEBUG 0x0000497b10a0 0x00000000001c
IMAGE_DIRECTORY_ENTRY_COPYRIGHT 0x000000000000 0x000000000000
IMAGE_DIRECTORY_ENTRY_GLOBALPTR 0x000000000000 0x000000000000
IMAGE_DIRECTORY_ENTRY_TLS 0x000000000000 0x000000000000
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG 0x000000000000 0x000000000000
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT 0x0000497b02b0 0x000000000030
IMAGE_DIRECTORY_ENTRY_IAT 0x0000497b1000 0x000000000098
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT 0x000000000000 0x000000000000
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR 0x000000000000 0x000000000000
IMAGE_DIRECTORY_ENTRY_RESERVED 0x000000000000 0x000000000000
Import Directory (Original):
Name Ord
-------------------------------------------------- -----
ntdll.dll!NtSetInformationProcess 498
ntdll.dll!RtlSetHeapInformation 1158
ntdll.dll!RtlSetUnhandledExceptionFilter 1179
ntdll.dll!NtTerminateProcess 535
ntdll.dll!RtlVirtualUnwind 1264
ntdll.dll!RtlLookupFunctionEntry 1025
ntdll.dll!RtlCaptureContext 635
ntdll.dll!NtTerminateThread 536
ntdll.dll!RtlUnhandledExceptionFilter 1219
ntdll.dll!RtlSetProcessIsCritical 1166
ntdll.dll!isspace 1900
ntdll.dll!RtlUnicodeStringToAnsiString 1222
ntdll.dll!RtlAllocateHeap 613
ntdll.dll!RtlFreeAnsiString 840
ntdll.dll!RtlNormalizeProcessParams 1041
CSRSRV.dll!CsrServerInitialization 22
CSRSRV.dll!CsrUnhandledExceptionFilter 26
Export Directory:
Entry Stat Ord Name
-------------- ---- ----- --------------------------------------------------
Version Information:
key value
-------------------- -----
CompanyName Microsoft Corporation
FileDescription Client Server Runtime Process
FileVersion 6.1.7600.16385 (win7_rtm.090713-1255)
InternalName CSRSS.Exe
LegalCopyright Microsoft Corporation. All rights reserved.
OriginalFilename CSRSS.Exe
ProductName Microsoft Windows Operating System
ProductVersion 6.1.7600.16385
pslist
View SourceList processes for windows.
Plugin Arguments
eprocess | Kernel addresses of eprocess structs. (type: ArrayIntParser)
|
method | Method to list processes. (type: ChoiceArray)
|
pids | One or more pids of processes to select. (type: ArrayIntParser)
|
proc_regex | A regex to select a process by name. (type: RegEx) |
verbosity | An integer reflecting the amount of desired output: 0 = quiet, 10 = noisy. (type: IntParser)
|
The pslist plugin list all the processes on windows using a variety of methods. Since it is required by all plugins which has process selectors, this plugin will, by default, list processes using all methods.
The output of this plugin is typically cached in the session, so the first time it is run there might be a slight delay while all methods are used, but subsequent invokations should be almost instant.
Currently the following process listing methods are used:
-
PsActiveProcessHead: This method follows the doubly linked list found by the symbol PsActiveProcessHead. It is the simplest and fastest method for listing processes, but it is easily subverted by simply removing an _EPROCESS struct from this list.
-
CSRSS: The client-server runtime service is responsible for monitoring all running processes. It therefore maintains open handles to running processes. This method locates the
csrss.exeprocess and enumerates its handle table finding all handles to processes. Note that this will not typically find the csrss.exe proces itself, nor system processes which were started before it. -
PspCidTable: The PspCidTable is a handle table for process and thread client IDs Ref. The process’s pid is the index into this table. This method enumerates the table in order to find all processes. (Note a rootkit can easily remove a process from this table).
-
Sessions: This enumerates all the processes in all windows sessions (SessionProcessLinks member of _MM_SESSION_SPACE struct).
-
Handles: The enumerates all handle tables (Which are found on a list from the symbol HandleTableListHead) and collects their owning process (The QuotaProcess member).
Sample output
Offset (V) Name PID PPID Thds Hnds Sess Wow64 Start Exit
-------------- -------------------- ------ ------ ------ -------- ------ ------ ------------------------ ------------------------
DEBUG:root:Listed 48 processes using PsActiveProcessHead
DEBUG:root:Listed 43 processes using CSRSS
DEBUG:root:Listed 47 processes using PspCidTable
DEBUG:root:Listed 45 processes using Sessions
DEBUG:root:Listed 45 processes using Handles
0xe00000074580 System 4 0 97 -------- ------ False 2014-01-24 22:07:24+0000 -
0xe00001499040 smss.exe 292 4 2 -------- ------ False 2014-01-24 22:07:24+0000 -
0xe0000212c900 svchost.exe 372 528 15 -------- 0 False 2014-01-24 21:07:51+0000 -
0xe00001be1280 csrss.exe 380 372 8 -------- 0 False 2014-01-24 22:07:32+0000 -
0xe000000ce080 wininit.exe 432 372 1 -------- 0 False 2014-01-24 22:07:32+0000 -
0xe000000d9280 csrss.exe 440 424 9 -------- 1 False 2014-01-24 22:07:32+0000 -
psscan
View SourceScan Physical memory for _EPROCESS pool allocations.
Status flags: E: A known _EPROCESS address from pslist. P: A known pid from pslist.
Plugin Arguments
eprocess | Kernel addresses of eprocess structs. (type: ArrayIntParser)
|
limit | The length of data to search in each selected region. (type: IntParser)
|
method | Method to list processes. (type: ChoiceArray)
|
pids | One or more pids of processes to select. (type: ArrayIntParser)
|
proc_regex | A regex to select a process by name. (type: RegEx) |
scan_kernel | Scan the entire kernel address space. (type: Boolean)
|
scan_kernel_code | Scan the kernel image and loaded drivers. (type: Boolean)
|
scan_kernel_nonpaged_pool | Scan the kernel non-paged pool. (type: Boolean)
|
scan_kernel_paged_pool | Scan the kernel paged pool. (type: Boolean)
|
scan_kernel_session_pools | Scan session pools for all processes. (type: Boolean)
|
scan_physical | Scan the physical address space only. (type: Boolean)
|
scan_process_memory | Scan all of process memory. Uses process selectors to narrow down selections. (type: Boolean)
|
verbosity | An integer reflecting the amount of desired output: 0 = quiet, 10 = noisy. (type: IntParser)
|
Pool scanning is a technique for discovering kernel data structures based on signatures. It is essentially the memory forensic equivalent of carving. The psscan plugin carves for _EPROCESS structures in memory.
By default the plugin scans in the physical address space. Any hits are resolved into the virtual address space by following the lists. If scan_in_kernel is specified, the scanning occurs in kernel space.
Notes
-
Like other pool scanning plugins, this plugin may produce false positives since it essentially carves _EPROCESS structures out of memory. On the other hand, this plugin may reveal files which have been closed or freed.
-
The plugin displays the physical address of the _EPROCESS found. It may be possible to derive their virtual address using the ptov plugin. Alternatively, specify the scan_in_kernel option, to ensure scanning occurs in the kernel address space.
pstree
View SourcePrint process list as a tree
Plugin Arguments
eprocess | Kernel addresses of eprocess structs. (type: ArrayIntParser)
|
method | Method to list processes. (type: ChoiceArray)
|
pids | One or more pids of processes to select. (type: ArrayIntParser)
|
proc_regex | A regex to select a process by name. (type: RegEx) |
verbosity | An integer reflecting the amount of desired output: 0 = quiet, 10 = noisy. (type: IntParser)
|
This plugin displays all known processes in a tree form (i.e. the process parents with their children). This is useful to see which process launched another process.
Notes
-
Sometimes malware will launch a processes called “lsass.exe” or “csrss.exe”. This plugin helps to highlight discrepencies since these processes are normally only launched from known processes.
-
Using the verbose=1 flag will also print the command lines of each process as determined by three methods:
- cmd: **task.Peb.ProcessParameters.CommandLine
- path: **task.Peb.ProcessParameters.ImagePathName
- audit: task.SeAuditProcessCreationInfo.ImageFileName.Name
Sample output
win7.elf 14:55:19> pstree verbose=1
Name Pid PPid Thds Hnds Time
---------------------------------------- ------ ------ ------ ------ ------------------------
0xFA8002259060:csrss.exe 348 340 9 436 2012-10-01 21:39:57+0000
cmd: %SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16
path: C:\Windows\system32\csrss.exe
audit: \Device\HarddiskVolume2\Windows\System32\csrss.exe
0xFA8000901060:wininit.exe 384 340 3 75 2012-10-01 21:39:57+0000
cmd: wininit.exe
path: C:\Windows\system32\wininit.exe
audit: \Device\HarddiskVolume2\Windows\System32\wininit.exe
. 0xFA800206D5F0:services.exe 480 384 11 208 2012-10-01 21:39:58+0000
cmd: C:\Windows\system32\services.exe
path: C:\Windows\system32\services.exe
audit: \Device\HarddiskVolume2\Windows\System32\services.exe
.. 0xFA80024F85D0:svchost.exe 236 480 19 455 2012-10-01 14:40:01+0000
cmd: C:\Windows\system32\svchost.exe -k LocalService
path: C:\Windows\system32\svchost.exe
audit: \Device\HarddiskVolume2\Windows\System32\svchost.exe
psxview
View SourceFind hidden processes with various process listings
Plugin Arguments
eprocess | Kernel addresses of eprocess structs. (type: ArrayIntParser)
|
method | Method to list processes. (type: ChoiceArray)
|
pids | One or more pids of processes to select. (type: ArrayIntParser)
|
proc_regex | A regex to select a process by name. (type: RegEx) |
verbosity | An integer reflecting the amount of desired output: 0 = quiet, 10 = noisy. (type: IntParser)
|
ptov
View SourceConverts a physical address to a virtual address.
Plugin Arguments
eprocess | Kernel addresses of eprocess structs. (type: ArrayIntParser)
|
method | Method to list processes. (type: ChoiceArray)
|
physical_address | The Virtual Address to examine. (type: IntParser) |
pids | One or more pids of processes to select. (type: ArrayIntParser)
|
proc_regex | A regex to select a process by name. (type: RegEx) |
verbosity | An integer reflecting the amount of desired output: 0 = quiet, 10 = noisy. (type: IntParser)
|
This plugin uses the PFN Database to convert a physical page to its virtual address. It is similar to the pas2vas plugin in this regard, but does not need to enumerate all address spaces prior to running (so it is a bit faster).
Notes
-
The plugin currently only works for kernel addresses and for 4k pages. So for example this will not work reliably for pool memory (since Pool is allocated in 2mb pages).
-
If this plugin does not work for a certain address, try to use the pas2vas plugin.
Sample output
win7.elf 15:22:57> vtop 0xfa8002635810
-----------------> vtop(0xfa8002635810)
Virtual 0xfa8002635810 Page Directory 0x271ec000
pml4e@ 0x271ecfa8 = 0x4000863
pdpte@ 0x4000000 = 0x4001863
pde@ 0x4001098 = 0x2ac009e3
Large page mapped 0x2ae35810
Physical Address 0x2ac35810
win7.elf 15:23:05> ptov 0x2ac35810
-----------------> ptov(0x2ac35810)
Physical Address 0x2ac35810 => Virtual Address 0xf6fd40035810
DTB @ 0x187000
PML4E @ 0x187f68
PDPTE @ 0x187fa8
PDE @ 0x4000000
PTE @ 0x40011a8
rammap
View SourceScan all physical memory and report page owners.
Plugin Arguments
end | Physical memory address to end displaying. (type: IntParser) |
start | Physical memory address to start displaying. (type: IntParser)
|
verbosity | An integer reflecting the amount of desired output: 0 = quiet, 10 = noisy. (type: IntParser)
|
raw2dmp
View SourceConvert the physical address space to a crash dump.
The Windows debugger (Windbg) works only with memory dumps stored in the proprietary ‘crashdump’ file format. This file format contains the following features:
1) Physical memory ranges are stored in a sparse way - there is a ‘Runs’ table which specifies the mapping between the physical offset and the file offset of each page. This allows the format to omit unmapped regions (unlike raw format which must pad them with zero to maintain alignment).
2) The crash dump header contains metadata about the image. Specifically, the header contain a copy of the Kernel Debugger Data Block (AKA the KDBG). This data is used to bootstrap the windows debugger by providing critical initial hints to the debugger.
Since the KDBG block is created at system boot and never used (until the crash dump is written) it is trivial for malware to overwrite it - making it really hard for responders since windbg will not be able to read the file. In later versions of windows, the kdbg is also obfuscated (See the function “nt!KdCopyDataBlock” which decrypts it.).
Rekall itself does not use the KDBG block any more, although older memory forensic tools still do use it. Rekall instead relies on accurate debugging symbols to locate critical kernel data structures, reducing the level of trust we place on the image itself (so Rekall is more resilient to manipulation).
In order to ensure that the windows debugger is able to read the produced crash dump, we recreate the kernel debugger block from the symbol information we already have.
NOTE: The crashdump file format can be deduced by:
dis ‘nt!IoFillDumpHeader’
This is the reference for this plugin.
Plugin Arguments
destination | The destination path to write the crash dump. (type: String) |
rebuild | Rebuild the KDBG data block. (type: Boolean) |
verbosity | An integer reflecting the amount of desired output: 0 = quiet, 10 = noisy. (type: IntParser)
|
The Windows debugger (Windbg) works only with memory dumps stored in the proprietary ‘crashdump’ file format. This file format contains the following features:
-
Physical memory ranges are stored in a sparse way - there is a
Runstable which specifies the mapping between the physical offset and the file offset of each page. This allows the format to omit unmapped regions (unlike raw format which must pad them with zero to maintain alignment). -
The crash dump header contains metadata about the image. Specifically, the header contain a copy of the Kernel Debugger Data Block (AKA the KDBG). This data is used to bootstrap the windows debugger by providing critical initial hints to the debugger.
Since the KDBG block is created at system boot and never used (until the
crash dump is written) it is trivial for malware to overwrite it - making it
really hard for responders since windbg will not be able to read the file. In
later versions of windows, the KDBG is also obfuscated (See the function
nt!KdCopyDataBlock which decrypts it.).
Rekall itself does not use the KDBG block any more, although older memory forensic tools still do use it. Rekall instead relies on accurate debugging symbols to locate critical kernel data structures, reducing the level of trust we place on the image itself (so Rekall is more resilient to manipulation).
In order to ensure that the windows debugger is able to read the produced crash dump, we recreate the kernel debugger block from the symbol information we already have.
Notes:
-
The crashdump file format can be deduced by:
dis 'nt!IoFillDumpHeader'This is the reference for this plugin. -
This plugin is really only useful in order to produce an image compatible with the windows debugger for the purpose of further investigation by the debugger. If you find that the windows debugger has a useful feature that Rekall does not have, please let us know so we can implement it in Rekall. We intend to replace the use of the windows debugger in digital forensics.
services
View SourceEnumerate all services.
Plugin Arguments
hive-offsets | A list of hive offsets as found by hivelist. If not provided we call hivelist ourselves and list the keys on all hives. (type: ArrayIntParser) |
hive_regex | A regex to filter hive names.If not provided we use all hives. |
verbosity | An integer reflecting the amount of desired output: 0 = quiet, 10 = noisy. (type: IntParser)
|
sigscan
View SourceRuns a signature scans against physical, kernel or process memory.
Plugin Arguments
eprocess | Kernel addresses of eprocess structs. (type: ArrayIntParser)
|
method | Method to list processes. (type: ChoiceArray)
|
pids | One or more pids of processes to select. (type: ArrayIntParser)
|
proc_regex | A regex to select a process by name. (type: RegEx) |
scan_kernel | If specified we scan the kernel address space. (type: Boolean)
|
scan_physical | If specified we scan the physcial address space. (type: Boolean)
|
signature | The signature(s) to scan for. Format is 0001020506AAFF |
verbosity | An integer reflecting the amount of desired output: 0 = quiet, 10 = noisy. (type: IntParser)
|
simple_certscan
View SourceDump RSA private and public SSL keys from the physical address space.
Plugin Arguments
verbosity | An integer reflecting the amount of desired output: 0 = quiet, 10 = noisy. (type: IntParser)
|
This plugin is similar to the cert_vad_scan plugin. It attempts to detect DER encoded X509 certificates or RSA private keys in physical memory.
Optionally, if a dump directory is provided the DER encoded certificates are also dumped to files in the specified directory.
Sample Output
win8.1.raw 22:07:35> certscan
-------------------> certscan()
Address Type Length Description
-------------- ---------- ---------- -----------
0x000000030c95 X509 1287 /C=US/ST=Washington/L=Redmond/O=Microsoft Corporation/CN=Microsoft Windows
0x00000003119c X509 1499 /C=US/ST=Washington/L=Redmond/O=Microsoft Corporation/CN=Microsoft Windows Production PCA 2011
0x000000031b94 X509 1653 /C=US/ST=Washington/L=Redmond/O=Microsoft Corporation/CN=Microsoft Time-Stamp PCA 2010
0x000000032209 X509 1246 /C=US/ST=Washington/L=Redmond/O=Microsoft Corporation/OU=MOPR/OU=nCipher DSE ESN:F528-3777-8A76/CN=Microsoft Time-Stamp Service
0x00000017114e X509 1499 /C=US/ST=Washington/L=Redmond/O=Microsoft Corporation/CN=Microsoft Windows Production PCA 2011
0x000000171b46 X509 1653 /C=US/ST=Washington/L=Redmond/O=Microsoft Corporation/CN=Microsoft Time-Stamp PCA 2010
sockets
View SourcePrint list of open sockets. [Windows xp only]
This module enumerates the active sockets from tcpip.sys
Note that if you are using a hibernated image this might not work because Windows closes all sockets before hibernating.
_ADDRESS_OBJECT are arranged in a hash table found by the _AddrObjTable symbol. The hash table has a size found by the _AddrObjTableSize symbol.
Plugin Arguments
tcpip_guid | Force this profile to be used for tcpip. |
verbosity | An integer reflecting the amount of desired output: 0 = quiet, 10 = noisy. (type: IntParser)
|
This module enumerates the active sockets from tcpip.sys
Note that if you are using a hibernated image this might not work because Windows closes all sockets before hibernating.
_ADDRESS_OBJECT are arranged in a hash table found by the _AddrObjTable symbol. The hash table has a size found by the _AddrObjTableSize symbol.
epydoc: rekall.plugins.windows.connections.Sockets-class.html args: tcpip_guid: ‘Force this profile to be used for tcpip.’
ssdt
View SourceEnumerate the SSDT.
Plugin Arguments
verbosity | An integer reflecting the amount of desired output: 0 = quiet, 10 = noisy. (type: IntParser)
|
The System Service Descritor Table is the main interface to the kernel from user space. In the past, malware used to install hook in this SSDT in order to intercept userspace->kernel calls. In more recent versions of Windows, Microsoft has implemented PatchGuard specifically to prevent these kinds of hooks. Therefore, its very rare to see these kinds of hooks any more.
The ssdt plugin enumerates the the SSDT table and resolves the addresses back to the names of the functions. Windows has two SSDTs - one for the kernel and one for the GUI subsystem (win32k driver).
An intalled ssdt hook will appear as a function in a different module (or an unknown module).
Sample output
win7.elf 15:35:25> ssdt
************ Table 0 @ 0xf80002691b00 ************
Entry Target Symbol
-------------- -------------- ------
0x0 0xf80002aa2190 nt!NtMapUserPhysicalPagesScatter
0x1 0xf80002988a00 nt!NtWaitForSingleObject
0x2 0xf80002688dd0 nt!NtCallbackReturn
0x3 0xf800029abb10 nt!NtReadFile
0x4 0xf800029a9bb0 nt!NtDeviceIoControlFile
0x5 0xf800029a4ee0 nt!NtWriteFile
0x6 0xf8000294adc0 nt!NtRemoveIoCompletion
0x7 0xf80002947f10 nt!NtReleaseSemaphore
0x8 0xf8000299fda0 nt!NtReplyWaitReceivePort
0x9 0xf80002a71e20 nt!NtReplyPort
...
0x18c 0xf8000297a92c nt!NtWaitForKeyedEvent
0x18d 0xf800026a1010 nt!NtWaitForWorkViaWorkerFactory
0x18e 0xf80002ab0b00 nt!NtWaitHighEventPair
0x18f 0xf80002ab0b90 nt!NtWaitLowEventPair
0x190 0xf80002678fc4 nt!NtWorkerFactoryWorkerReady
************ Table 1 @ 0xf960001a1c00 ************
Entry Target Symbol
-------------- -------------- ------
0x0 0xf96000195580 win32k!NtUserGetThreadState
0x1 0xf96000192630 win32k!NtUserPeekMessage
0x2 0xf960001a3c6c win32k!NtUserCallOneParam
0x3 0xf960001b1dd0 win32k!NtUserGetKeyState
0x4 0xf960001ab1ac win32k!NtUserInvalidateRect
0x5 0xf960001a3e70 win32k!NtUserCallNoParam
0x6 0xf9600019b5a0 win32k!NtUserGetMessage
0x7 0xf9600017fbec win32k!NtUserMessageCall
...
0x334 0xf96000153b80 win32k!NtUserValidateHandleSecure
0x335 0xf960001acd9c win32k!NtUserWaitForInputIdle
0x336 0xf960001a6304 win32k!NtUserWaitForMsgAndEvent
0x337 0xf960001acef0 win32k!NtUserWindowFromPhysicalPoint
0x338 0xf960001ae06c win32k!NtUserYieldTask
0x339 0xf960001a6b84 win32k!NtUserSetClassLongPtr
0x33a 0xf96000181ca0 win32k!NtUserSetWindowLongPtr
svcscan
View SourceScan for Windows services
Plugin Arguments
verbosity | An integer reflecting the amount of desired output: 0 = quiet, 10 = noisy. (type: IntParser)
|
Windows uses services for long running processes. Serivces are managed by the “services.exe” process. The svcscan plugin scans the heap memory of the “services.exe” process for _SERVICE_RECORD records). These records describe the services which are loaded by the system, and even once the services are unloaded, we might find _SERVICE_RECORD records.
Notes
-
Since loading kernel code is usually done by inserting a kernel driver, and kernel drivers are loaded through a service, this plugin will also show forensically significant kernel drivers loading.
-
This plugin relies on memory scanning and so it is not all that reliable. Often it will not reveal services which we know are running. However, it might also reveal services which have been deleted.
-
A better plugin is the services plugin which enumerates all services from the registry.
Sample output
The below example shows a kernel driver being loaded as a service.
Offset: 0x26f7d6a10
Order: 402
Process ID: -
Service Name: WFPLWFS
Display Name: Microsoft Windows Filtering Platform
Service Type: SERVICE_KERNEL_DRIVER
Service State: SERVICE_RUNNING
Binary Path: \Driver\WFPLWFS
symlinkscan
View SourceScan for symbolic link objects
Plugin Arguments
eprocess | Kernel addresses of eprocess structs. (type: ArrayIntParser)
|
limit | The length of data to search in each selected region. (type: IntParser)
|
method | Method to list processes. (type: ChoiceArray)
|
pids | One or more pids of processes to select. (type: ArrayIntParser)
|
proc_regex | A regex to select a process by name. (type: RegEx) |
scan_kernel | Scan the entire kernel address space. (type: Boolean)
|
scan_kernel_code | Scan the kernel image and loaded drivers. (type: Boolean)
|
scan_kernel_nonpaged_pool | Scan the kernel non-paged pool. (type: Boolean)
|
scan_kernel_paged_pool | Scan the kernel paged pool. (type: Boolean)
|
scan_kernel_session_pools | Scan session pools for all processes. (type: Boolean)
|
scan_physical | Scan the physical address space only. (type: Boolean)
|
scan_process_memory | Scan all of process memory. Uses process selectors to narrow down selections. (type: Boolean)
|
verbosity | An integer reflecting the amount of desired output: 0 = quiet, 10 = noisy. (type: IntParser)
|
A symbolic link is a kernel object which maps a device from one name in the kernel object tree to another name. Often a driver will set up a symbolic link to a “dos device name” to allow access to a kernel device from userspace.
For example, the pmem driver makes a symbolic link from \GLOBAL??\pmem to \Devices\pmem so that a user space program can use the CreateFile API to open a handle to \.\pmem.
This plugin scans for _OBJECT_SYMBOLIC_LINK objects using pool scanning techniques.
Notes
-
Like other pool scanning plugins, this plugin may produce false positives since it essentially carves _OBJECT_SYMBOLIC_LINK structures out of memory. On the other hand, this plugin may reveal symlinks which have been closed or freed.
-
The interesting thing about a symlink is that it contains the timestamp of when it was created. This can be significant when determining when the system was compromised.
-
Since the symlinkscan plugin carves out _OBJECT_SYMBOLIC_LINK objects it has no context of where in the object tree the symlink exists. Hence it is unable to show parent object directories. A better plugin to use is the object_tree plugin.
Sample output
Here we see the symlinkscan plugin detecting the pmem link.
Offset(P) #Ptr #Hnd Creation time From To
- -------------- ------ ------ ------------------------ ---- ------------------------------------------------------------
0x00000010d470 3 2 2014-01-24 22:07:29+0000 HDAUDIO#FUNC_01&VEN_8384&DEV_7680&SUBSYS_83847680&REV_1034#4&136d1aa0&0&0001#{65e8773e-8f56-11d0-a3b9-00a0c9223196} \Device\0000001e
0x00000040e940 1 0 2014-01-24 22:07:23+0000 Psched \Device\Psched
0x0000004e9490 2 1 2014-01-24 22:07:32+0000 DISPLAY#Default_Monitor#4&d9dcf0b&0&UID0#{e6f07b5f-ee97-4a90-b076-33f57bf4eaa7} \Device\00000021
...
0x00002be706f0 2 1 2014-01-24 22:07:32+0000 AppContainerNamedObjects \Sessions\1\AppContainerNamedObjects
0x00002bf89f20 2 1 2014-01-24 22:07:32+0000 Global \BaseNamedObjects
0x00002c0b8270 2 1 2014-01-24 22:07:32+0000 1 \Sessions\1\BaseNamedObjects
0x00002dbdbe00 1 0 2014-01-24 21:20:05+0000 pmem \Device\pmem
0x00002f2b7240 1 0 2014-01-24 22:07:26+0000 HCD0 \Device\USBFDO-0
thrdscan
View SourceScan physical memory for _ETHREAD objects
Plugin Arguments
eprocess | Kernel addresses of eprocess structs. (type: ArrayIntParser)
|
limit | The length of data to search in each selected region. (type: IntParser)
|
method | Method to list processes. (type: ChoiceArray)
|
pids | One or more pids of processes to select. (type: ArrayIntParser)
|
proc_regex | A regex to select a process by name. (type: RegEx) |
scan_kernel | Scan the entire kernel address space. (type: Boolean)
|
scan_kernel_code | Scan the kernel image and loaded drivers. (type: Boolean)
|
scan_kernel_nonpaged_pool | Scan the kernel non-paged pool. (type: Boolean)
|
scan_kernel_paged_pool | Scan the kernel paged pool. (type: Boolean)
|
scan_kernel_session_pools | Scan session pools for all processes. (type: Boolean)
|
scan_physical | Scan the physical address space only. (type: Boolean)
|
scan_process_memory | Scan all of process memory. Uses process selectors to narrow down selections. (type: Boolean)
|
verbosity | An integer reflecting the amount of desired output: 0 = quiet, 10 = noisy. (type: IntParser)
|
Pool scanning is a technique for discovering kernel data structures based on signatures. It is essentially the memory forensic equivalent of carving. The thrdscan plugin carves for _KTHREAD structures in memory.
By default the plugin scans in the physical address space. Any hits are resolved into the virtual address space by following the lists. If scan_in_kernel is specified, the scanning occurs in kernel space.
Notes
-
Like other pool scanning plugins, this plugin may produce false positives since it essentially carves _KTHREAD structures out of memory. On the other hand, this plugin may reveal files which have been closed or freed.
-
The plugin displays the physical address of the _KTHREAD found. It may be possible to derive their virtual address using the ptov plugin. Alternatively, specify the scan_in_kernel option, to ensure scanning occurs in the kernel address space.
-
This plugin is the pool scanning variant of the threads plugin.
Sample output
The below is an example of running thrdscan over a windows system. Note that we can still see exited threads. Rekall resolves the start address of the thread (i.e. the function which started running in this thread). This helps to identify what the thread is supposed to be doing.
win8.1.raw 18:52:26> thrdscan
Offset(P) PID TID Start Address Create Time Exit Time Process Symbol
-------------- ------ ------ -------------- ------------------------ ------------------------ ---------------- ------
0x0000001ab080 2332 3976 0x7ff87f35b5c0 - - svchost.exe \Windows\System32\ntdll.dll!TpPostWork+0x4a0
0x000000230880 2392 3212 0x7ff6670fd0bc - 2014-01-24 21:18:44+0000 VBoxTray.exe \Windows\System32\VBoxTray.exe!+0xd0bc
0x00000025e080 3644 1068 0x7ff7a4831070 - - conhost.exe \Windows\System32\conhost.exe!+0x1070
0x000000261080 880 2440 0x7ff866dbaf44 - - svchost.exe \Windows\System32\wuaueng.dll!+0x3af44
0x000000261880 880 3512 0x7ff87f35b5c0 - - svchost.exe \Windows\System32\ntdll.dll!TpPostWork+0x4a0
0x0000002d6080 3644 3688 0x7ff7a4833060 - - conhost.exe \Windows\System32\conhost.exe!+0x3060
0x0000002e1080 976 3932 0x7ff877104924 - 2014-01-24 21:18:37+0000 svchost.exe \Windows\System32\sysmain.dll!+0x94924
0x0000002e1880 880 3324 0x7ff87f35b5c0 - - svchost.exe \Windows\System32\ntdll.dll!TpPostWork+0x4a0
0x00000035d080 880 1752 0x7ff866dbaf44 - - svchost.exe \Windows\System32\wuaueng.dll!+0x3af44
0x000000558080 880 3524 0x7ff87f35b5c0 - - svchost.exe \Windows\System32\ntdll.dll!TpPostWork+0x4a0
0x000000613080 880 3496 0x7ff866dbaf44 - - svchost.exe \Windows\System32\wuaueng.dll!+0x3af44
0x000000613880 3400 3648 0x7ff87f35b5c0 - - MpCmdRun.exe \Windows\System32\ntdll.dll!TpPostWork+0x4a0
0x000000668080 880 3524 0x7ff87f35b5c0 - - svchost.exe \Windows\System32\ntdll.dll!TpPostWork+0x4a0
0x0000006c0080 880 3692 0x7ff8733911b0 - - svchost.exe \Windows\System32\aelupsvc.dll!+0x11b0
0x0000006ce080 880 3180 0x7ff866d81f3c - - svchost.exe \Windows\System32\wuaueng.dll!+0x1f3c
0x000002bd2080 880 3736 0x7ff866dbaf44 - - svchost.exe \Windows\System32\wuaueng.dll!+0x3af44
0x00000370a080 976 3932 0x7ff877104924 - 2014-01-24 21:18:37+0000 svchost.exe \Windows\System32\sysmain.dll!+0x94924
0x00000370a880 880 3324 0x7ff87f35b5c0 - - svchost.exe \Windows\System32\ntdll.dll!TpPostWork+0x4a0
0x000004eef080 880 3692 0x7ff8733911b0 - - svchost.exe \Windows\System32\aelupsvc.dll!+0x11b0
0x0000051a4874 2124654 30318413 0xffe800000000 - - ----------------
0x000005d8a080 880 3692 0x7ff8733911b0 - - svchost.exe \Windows\System32\aelupsvc.dll!+0x11b0
0x000009f5d080 2332 3928 0x7ff87f35b5c0 - - svchost.exe \Windows\System32\ntdll.dll!TpPostWork+0x4a0
0x00000cbde080 2392 3880 0x7ff6670fd0bc - 2014-01-24 21:18:24+0000 VBoxTray.exe \Windows\System32\VBoxTray.exe!+0xd0bc
0x00000dbdb080 2392 4084 0x7ff6670fd0bc - 2014-01-24 21:19:27+0000 VBoxTray.exe \Windows\System32\VBoxTray.exe!+0xd0bc
0x00000f345080 880 1532 0x7ff866dbaf44 - - svchost.exe \Windows\System32\wuaueng.dll!+0x3af44
0x00000f345880 880 2932 0x7ff87f35b5c0 - - svchost.exe \Windows\System32\ntdll.dll!TpPostWork+0x4a0
0x00000f413080 4 3176 0xf802d3613418 - - System nt!MiStoreEvictThread
threads
View SourceEnumerate threads.
Plugin Arguments
eprocess | Kernel addresses of eprocess structs. (type: ArrayIntParser)
|
method | Method to list processes. (type: ChoiceArray)
|
pids | One or more pids of processes to select. (type: ArrayIntParser)
|
proc_regex | A regex to select a process by name. (type: RegEx) |
verbosity | An integer reflecting the amount of desired output: 0 = quiet, 10 = noisy. (type: IntParser)
|
The threads plugin iterates over all processes and lists all threads in all processes. This is the list walking version of the thrdscan plugin.
Sample output
_ETHREAD PID TID Start Address Process Symbol
-------------- ------ ------ -------------- ---------------- ------
0xe00000089880 4 8 0xf802d3509ec8 System nt!Phase1Initialization
0xe0000011f040 4 12 0xf802d3154c04 System nt!PopIrpWorkerControl
0xe0000011f880 4 16 0xf802d312f868 System nt!PopIrpWorker
0xe0000011e040 4 20 0xf802d312f868 System nt!PopIrpWorker
0xe0000011e880 4 24 0xf802d31551c0 System nt!PopFxEmergencyWorker
0xe0000011d040 4 28 0xf802d3520f14 System nt!ExpWorkerThreadBalanceManager
0xe0000011d880 4 32 0xf802d30533a8 System nt!ExpWorkerThread
0xe0000011c880 4 36 0xf802d314cb04 System nt!ExpWorkerFactoryManagerThread
0xe00000120040 4 40 0xf802d3146fdc System nt!KiExecuteDpc
0xe00000120880 4 44 0xf802d314f764 System nt!MiDereferenceSegmentThread
0xe00000124040 4 48 0xf802d3151a8c System nt!MiModifiedPageWriter
0xe00000124880 4 52 0xf802d314de28 System nt!KeBalanceSetManager
0xe00000123040 4 56 0xf802d314bc18 System nt!KeSwapProcessOrStack
0xe00000122040 4 64 0xf802d314cd68 System nt!CcQueueLazyWriteScanThread
0xe00000122880 4 68 0xf802d3154b9c System nt!FsRtlWorkerThread
0xe00000121040 4 72 0xf802d3154b9c System nt!FsRtlWorkerThread
0xe00000133040 4 76 0xf802d3492540 System nt!EtwpLogger
0xe00000133880 4 80 0xf802d30533a8 System nt!ExpWorkerThread
0xe00000137040 4 84 0xf802d314c94c System nt!MiMappedPageWriter
....
timers
View SourcePrint kernel timers and associated module DPCs.
Ref: http://computer.forensikblog.de/en/2011/10/timers-and-times.html
Plugin Arguments
verbosity | An integer reflecting the amount of desired output: 0 = quiet, 10 = noisy. (type: IntParser)
|
The windows kernel has a mechanism for drivers to schedule Deferred Procedure Calls (DPCs) wither periodically or in a future time. This mechanism is useful for malware which wants to remain persistant, but not necessarily run at all times (This reduces the malware’s footprint).
The kernel uses _KTIMER objects to keep track of these DPCs. Depending on the exact OS version, the timers are arranged in slightly different data structures:
-
On Window XP there is a symbol KiTimerTableListHead which enumerates all timer hash tables.
-
On windows 7, the timer list is at _KPCR.PrcbData.TimerTable.TimerEntries.
Since Windows 7, PatchGuard was introduced. This uses the timer table to schedule periodic runs. Microsoft felt it was necessary to protect PatchGuard by obfuscating all DPC pointers in the timer table. This unfortunately also obfuscates all other timers, including ones possibly used by malware.
Rekall is able to de-obfuscate these DPC address and resolve them back to their correct module. Rekall will also indicate when the timer is due to go off.
Sample output
win8.1.raw 22:25:53> timers
Table Offset DueTime(H) DueTime Period(ms) Signaled Routine Module
----- -------------- ---------- -------------------- ---------- ---------- -------------- --------------------
2 0xe00001a58708 0x0000000001f0df8a92 2014-01-24 21:21:14+0000 1000 Yes 0xf80000298480 wdf01000 + 0x8480
8 0xf802d32ecd00 0x0000000001c789ad30 2014-01-24 21:20:05+0000 0 - 0xf802d311b194 nt!CcScanDpc
9 0xf802d32bcce0 0x0000010c0d9d767529 2015-01-01 00:00:00+0000 0 - 0xf802d32467b4 nt!ExpNextYearDpcRoutine
9 0xf802d32ac920 0x0000000001e478b3c5 2014-01-24 21:20:53+0000 0 - 0xf802d3116abc nt!CmpLazyFlushDpcRoutine
13 0xf80002146660 0x0000000001f3302411 2014-01-24 21:21:18+0000 43348 Yes 0xf80002140c44 bowser + 0x3c44
15 0xf8000072e320 0x00000000c877502ee7 2014-01-25 21:02:20+0000 0 - 0xf80000719230 storport + 0x23230
17 0xf800024cbb28 0x0000000001fdfb093c 2014-01-24 21:21:36+0000 28348 Yes 0xf800024af550 tunnel + 0x1550
18 0xe0000127ff40 0x0000000002f06baf46 2014-01-24 21:28:23+0000 0 - 0xf80000b31394 volsnap + 0x2394
21 0xe0000137bb40 0x0000000001f0df8a92 2014-01-24 21:21:14+0000 1000 Yes 0xf8000194a860 usbport + 0x2860
24 0xe00000203b88 0x0000000002534bd8cd 2014-01-24 21:23:59+0000 0 - 0xf80001a930a4 battc + 0x10a4
38 0xe00001493278 0x0000000001f1249ec9 2014-01-24 21:21:14+0000 0 - 0xf80000c2ac30 ndis + 0x4c30
38 0xe00002327228 0x00000000024c651b42 2014-01-24 21:23:47+0000 944848 - 0xf8000249cbb4 mslldp + 0x4bb4
38 0xe000013f7ef8 0x00000000324d602123 2014-01-25 03:07:25+0000 21600000 - 0xf80001491cf0 dxgkrnl + 0x19cf0
38 0xf802d32ea250 0x0000000001d163bc04 2014-01-24 21:20:21+0000 60000 Yes 0xf802d3116bac nt!IopIrpStackProfilerTimer
40 0xf80000e981c0 0x0000000002840a55a8 2014-01-24 21:25:21+0000 0 - 0xf80000e94c9c mup + 0x1c9c
times
View SourceReturn current time, as known to the kernel.
Plugin Arguments
verbosity | An integer reflecting the amount of desired output: 0 = quiet, 10 = noisy. (type: IntParser)
|
tokens
View SourcePrint the SIDs owning each process token.
Plugin Arguments
eprocess | Kernel addresses of eprocess structs. (type: ArrayIntParser)
|
method | Method to list processes. (type: ChoiceArray)
|
pids | One or more pids of processes to select. (type: ArrayIntParser)
|
proc_regex | A regex to select a process by name. (type: RegEx) |
verbosity | An integer reflecting the amount of desired output: 0 = quiet, 10 = noisy. (type: IntParser)
|
In windows a process runs with a set of Tokens. These tokens are used to enforce Windows Mandatory ACL system. From a forensic point of view it is interesting to see what tokens a process is running with.
For non system processes, the process will also possess the token of the user who started it.
Sample output
In the below we can see that this cmd.exe process was started by the user test
with SID S-1-5-21-1077689984-2177008626-1601812314-1001.
win8.1.raw 22:41:01> tokens
-------------------> tokens()
Process Pid Sid Comment
---------------- ----- -------------------------------------------------- -------
...
cmd.exe 888 S-1-5-21-1077689984-2177008626-1601812314-1001 User: test
cmd.exe 888 S-1-5-21-1077689984-2177008626-1601812314-513 Domain Users
cmd.exe 888 S-1-1-0 Everyone
cmd.exe 888 S-1-5-114
cmd.exe 888 S-1-5-21-1077689984-2177008626-1601812314-1002
cmd.exe 888 S-1-5-32-544 Administrators
cmd.exe 888 S-1-5-32-545 Users
cmd.exe 888 S-1-5-4 Interactive
cmd.exe 888 S-1-2-1 Console Logon (Users who are logged onto the physical console)
cmd.exe 888 S-1-5-11 Authenticated Users
cmd.exe 888 S-1-5-15 This Organization
cmd.exe 888 S-1-5-113
cmd.exe 888 S-1-5-5-0-126935 Logon Session
cmd.exe 888 S-1-2-0 Local (Users with the ability to log in locally)
cmd.exe 888 S-1-5-64-10 NTLM Authentication
cmd.exe 888 S-1-16-12288 High Mandatory Level
...
unloaded_modules
View SourcePrint a list of recently unloaded modules.
Ref: http://volatility-labs.blogspot.de/2013/05/movp-ii-22-unloaded-windows-kernel_22.html
Plugin Arguments
verbosity | An integer reflecting the amount of desired output: 0 = quiet, 10 = noisy. (type: IntParser)
|
For debugging purposes windows keeps a list of the last few kernel modules to have been unloaded. Sometimes if malware inserts a kernel component, and then removes it this will leave traces in this list.
Sample output
The below sample shows that win32dd was used to acquire this sample, and that
the Honeynet project’s capture
tools
were used.
130115b.w32 22:53:17> unloaded_modules
INFO:root:Detected kernel base at 0x804D7000-
Name Start End Time
-------------------- ---------- ---------- ----
Sfloppy.SYS 0xf8383000 0xf8386000 2013-01-15 22:06:06+0000
Cdaudio.SYS 0xf89c2000 0xf89c7000 2013-01-15 22:06:06+0000
processr.sys 0xf88aa000 0xf88b3000 2013-01-15 22:06:06+0000
splitter.sys 0xf8bc6000 0xf8bc8000 2013-01-15 22:06:41+0000
aec.sys 0xb1be6000 0xb1c09000 2013-01-15 22:06:41+0000
swmidi.sys 0xb1d06000 0xb1d14000 2013-01-15 22:06:41+0000
DMusic.sys 0xb1cf6000 0xb1d03000 2013-01-15 22:06:41+0000
drmkaud.sys 0xf8c9f000 0xf8ca0000 2013-01-15 22:06:41+0000
kmixer.sys 0xb1b1b000 0xb1b46000 2013-01-15 22:06:51+0000
kmixer.sys 0xb14df000 0xb150a000 2013-01-15 22:08:04+0000
kmixer.sys 0xb14df000 0xb150a000 2013-01-15 22:09:21+0000
win32dd.sys 0xb160a000 0xb1616000 2013-01-15 22:27:39+0000
fastdumpx86.sys 0xf8942000 0xf8948000 2013-01-15 22:30:55+0000
CaptureFileMonitor.sys 0xb1c3a000 0xb1c3d000 2013-01-15 22:35:48+0000
CaptureRegistryMonitor.sys 0xf8c1e000 0xf8c20000 2013-01-15 22:39:51+0000
CaptureProcessMonitor.sys 0xf8c0e000 0xf8c10000 2013-01-15 22:39:52+0000
CaptureFileMonitor.sys 0xb15ba000 0xb15bd000 2013-01-15 22:39:52+0000
vacbs
View SourceEnumerate all blocks cached in the cache manager.
Plugin Arguments
verbosity | An integer reflecting the amount of desired output: 0 = quiet, 10 = noisy. (type: IntParser)
|
vad
View SourceConcise dump of the VAD.
Similar to windbg’s !vad.
Plugin Arguments
eprocess | Kernel addresses of eprocess structs. (type: ArrayIntParser)
|
method | Method to list processes. (type: ChoiceArray)
|
offset | Only print the vad corresponding to this offset. (type: IntParser) |
pids | One or more pids of processes to select. (type: ArrayIntParser)
|
proc_regex | A regex to select a process by name. (type: RegEx) |
regex | A regular expression to filter VAD filenames. (type: RegEx) |
verbosity | An integer reflecting the amount of desired output: 0 = quiet, 10 = noisy. (type: IntParser)
|
The windows kernel manages process memory using the Virtual Address Descriptor tree. The VAD is a tree of mapped memory regions into the process address space. The VAD regions are used to manage the process address space (i.e. its page tables).
The vad plugin displays all the vad regions in the process and their properties.
Notes
-
The
startandendcolumns refer to the page number of the region. To convert from an address to page number simply multiply (or divide) by 0x1000. -
If a memory region is mapped from a file (e.g. via the mmap call) the filename will be shown.
-
Most executables (e.g. dlls) are mapped with the EXECUTE_WRITECOPY permission. This is so that the executable pages are shared between all processes. As soon as a process attempts to write to that region the binary will be mapped EXECUTE_READWRITE.
-
When a dll is mapped into the vad, the PE header is placed at the vad’s start address. This means that you can dump the dll by simply passing the vad’s start address to pedump as the image base.
Sample output
win7_trial_64bit.dmp.E01 23:10:34> vad 1232
**************************************************
Pid: 1232 grrservice.exe
VAD lev start end com - - Protect Filename
-------------- --- -------------- -------------- ---- ------- ------ -------------------- --------
0xfa80020877a0 1 0x73660 0x736bb 6 Mapped Exe EXECUTE_WRITECOPY \Windows\System32\wow64win.dll
0xfa8002083a50 2 0x400 0x427 8 Mapped Exe EXECUTE_WRITECOPY \Python27\grrservice.exe
0xfa800207fd80 3 0x290 0x293 0 Mapped READONLY Pagefile-backed section
0xfa800205a6d0 4 0x50 0x8f 7 Private READWRITE
0xfa80020848f0 5 0x40 0x40 0 Mapped Exe EXECUTE_WRITECOPY \Windows\System32\apisetschema.dll
0xfa800208b590 6 0x10 0x1f 0 Mapped READWRITE Pagefile-backed section
0xfa8002066300 5 0x90 0x28f 3 Private READWRITE
0xfa800208acd0 4 0x2b0 0x316 0 Mapped READONLY \Windows\System32\locale.nls
0xfa8002082470 5 0x2a0 0x2a0 1 Private READWRITE
0xfa80020aaad0 5 0x360 0x39f 7 Private READWRITE
0xfa80020a0170 6 0x3a0 0x3df 7 Private READWRITE
0xfa800207e180 3 0x830 0x92f 28 Private READWRITE
0xfa800208aa30 4 0x580 0x58f 3 Private READWRITE
0xfa800209f6d0 5 0x430 0x4af 1 Private READWRITE
0xfa80020590f0 5 0x5f0 0x66f 6 Private READWRITE
0xfa8001fea860 4 0x735d0 0x7361a 4 Mapped Exe EXECUTE_WRITECOPY \Windows\SysWOW64\apphelp.dll
0xfa80020a01c0 5 0xb30 0xd2f 3 Private READWRITE
0xfa800209f680 6 0xd30 0xf2f 3 Private READWRITE
0xfa8002087f00 5 0x73650 0x73657 2 Mapped Exe EXECUTE_WRITECOPY \Windows\System32\wow64cpu.dll
0xfa80020838a0 2 0x7efb0 0x7efd2 0 Mapped READONLY Pagefile-backed section
0xfa8002087c00 3 0x760a0 0x7619f 3 Mapped Exe EXECUTE_WRITECOPY \Windows\SysWOW64\kernel32.dll
0xfa800208af80 4 0x74b50 0x74b95 3 Mapped Exe EXECUTE_WRITECOPY \Windows\SysWOW64\KernelBase.dll
0xfa8002087cb0 5 0x74a70 0x74a7b 2 Mapped Exe EXECUTE_WRITECOPY \Windows\SysWOW64\cryptbase.dll
0xfa8002085e30 6 0x736c0 0x736fe 3 Mapped Exe EXECUTE_WRITECOPY \Windows\System32\wow64.dll
0xfa800208a900 6 0x74a80 0x74adf 2 Mapped Exe EXECUTE_WRITECOPY \Windows\SysWOW64\sspicli.dll
0xfa800208b900 5 0x76000 0x7609f 5 Mapped Exe EXECUTE_WRITECOPY \Windows\SysWOW64\advapi32.dll
0xfa8002086430 4 0x76ce0 0x76dfe 0 Private Exe EXECUTE_READWRITE
0xfa80020874f0 5 0x767b0 0x7685b 8 Mapped Exe EXECUTE_WRITECOPY \Windows\SysWOW64\msvcrt.dll
0xfa800208aaf0 6 0x763b0 0x7649f 2 Mapped Exe EXECUTE_WRITECOPY \Windows\SysWOW64\rpcrt4.dll
0xfa800208b1d0 6 0x76860 0x76878 4 Mapped Exe EXECUTE_WRITECOPY \Windows\SysWOW64\sechost.dll
0xfa80020839c0 5 0x771b0 0x7735b 12 Mapped Exe EXECUTE_WRITECOPY \Windows\System32\ntdll.dll
0xfa8001d47490 6 0x76f50 0x77049 0 Private Exe EXECUTE_READWRITE
0xfa8002083930 6 0x77390 0x7750f 9 Mapped Exe EXECUTE_WRITECOPY \Windows\SysWOW64\ntdll.dll
0xfa800209f5e0 7 0x7efad 0x7efaf 3 Private READWRITE
0xfa800204f6b0 3 0x7f0e0 0x7ffdf 0 Private READONLY
0xfa8002084980 4 0x7efde 0x7efde 1 Private READWRITE
0xfa8002084350 5 0x7efdb 0x7efdd 3 Private READWRITE
0xfa800209f9b0 6 0x7efd5 0x7efd7 3 Private READWRITE
0xfa8002083800 5 0x7efdf 0x7efdf 1 Private READWRITE
0xfa800208b260 6 0x7efe0 0x7f0df 0 Mapped READONLY Pagefile-backed section
0xfa800207c840 4 0x7ffe0 0x7ffef -1 Private READONLY
0xfa80020810b0 5 0x7fff0 0x7fffffef -1 Private READONLY
vaddump
View SourceDumps out the vad sections to a file
Plugin Arguments
dump_dir | Path suitable for dumping files. (type: String) |
eprocess | Kernel addresses of eprocess structs. (type: ArrayIntParser)
|
max_size | Maximum file size to dump. (type: IntParser)
|
method | Method to list processes. (type: ChoiceArray)
|
offset | Only print the vad corresponding to this offset. (type: IntParser) |
pids | One or more pids of processes to select. (type: ArrayIntParser)
|
proc_regex | A regex to select a process by name. (type: RegEx) |
regex | A regular expression to filter VAD filenames. (type: RegEx) |
verbosity | An integer reflecting the amount of desired output: 0 = quiet, 10 = noisy. (type: IntParser)
|
Although you can dump a process executable using the procdump plugin, this only dumps the main executable. For further analysis of a process it is useful to dump its entire address space. Since the address space is discontiguous it is best to dump it out one vad segment at a time.
Sample output
win7_trial_64bit.dmp.E01 23:45:01> vaddump pid=1232, dump_dir="/tmp"
************* grrservice.exe (1232) *************
Start End Length Filename Comment
-------------- -------------- -------------- ------------------------------------------------------------ -------
0x000073660000 0x0000736bbfff 0x5bfff grrservice.exe.2f684a70.73660000-736bbfff.dmp \Windows\System32\wow64win.dll
0x000000400000 0x000000427fff 0x27fff grrservice.exe.2f684a70.00400000-00427fff.dmp \Python27\grrservice.exe
0x000000290000 0x000000293fff 0x3fff grrservice.exe.2f684a70.00290000-00293fff.dmp Pagefile-backed section
0x000000050000 0x00000008ffff 0x3ffff grrservice.exe.2f684a70.00050000-0008ffff.dmp
0x000000040000 0x000000040fff 0xfff grrservice.exe.2f684a70.00040000-00040fff.dmp \Windows\System32\apisetschema.dll
0x000000010000 0x00000001ffff 0xffff grrservice.exe.2f684a70.00010000-0001ffff.dmp Pagefile-backed section
0x000000090000 0x00000028ffff 0x1fffff grrservice.exe.2f684a70.00090000-0028ffff.dmp
0x0000002b0000 0x000000316fff 0x66fff grrservice.exe.2f684a70.002b0000-00316fff.dmp \Windows\System32\locale.nls
0x0000002a0000 0x0000002a0fff 0xfff grrservice.exe.2f684a70.002a0000-002a0fff.dmp
0x000000360000 0x00000039ffff 0x3ffff grrservice.exe.2f684a70.00360000-0039ffff.dmp
0x0000003a0000 0x0000003dffff 0x3ffff grrservice.exe.2f684a70.003a0000-003dffff.dmp
0x000000830000 0x00000092ffff 0xfffff grrservice.exe.2f684a70.00830000-0092ffff.dmp
0x000000580000 0x00000058ffff 0xffff grrservice.exe.2f684a70.00580000-0058ffff.dmp
0x000000430000 0x0000004affff 0x7ffff grrservice.exe.2f684a70.00430000-004affff.dmp
0x0000005f0000 0x00000066ffff 0x7ffff grrservice.exe.2f684a70.005f0000-0066ffff.dmp
0x0000735d0000 0x00007361afff 0x4afff grrservice.exe.2f684a70.735d0000-7361afff.dmp \Windows\SysWOW64\apphelp.dll
0x000000b30000 0x000000d2ffff 0x1fffff grrservice.exe.2f684a70.00b30000-00d2ffff.dmp
0x000000d30000 0x000000f2ffff 0x1fffff grrservice.exe.2f684a70.00d30000-00f2ffff.dmp
0x000073650000 0x000073657fff 0x7fff grrservice.exe.2f684a70.73650000-73657fff.dmp \Windows\System32\wow64cpu.dll
0x00007efb0000 0x00007efd2fff 0x22fff grrservice.exe.2f684a70.7efb0000-7efd2fff.dmp Pagefile-backed section
0x0000760a0000 0x00007619ffff 0xfffff grrservice.exe.2f684a70.760a0000-7619ffff.dmp \Windows\SysWOW64\kernel32.dll
0x000074b50000 0x000074b95fff 0x45fff grrservice.exe.2f684a70.74b50000-74b95fff.dmp \Windows\SysWOW64\KernelBase.dll
0x000074a70000 0x000074a7bfff 0xbfff grrservice.exe.2f684a70.74a70000-74a7bfff.dmp \Windows\SysWOW64\cryptbase.dll
0x0000736c0000 0x0000736fefff 0x3efff grrservice.exe.2f684a70.736c0000-736fefff.dmp \Windows\System32\wow64.dll
0x000074a80000 0x000074adffff 0x5ffff grrservice.exe.2f684a70.74a80000-74adffff.dmp \Windows\SysWOW64\sspicli.dll
0x000076000000 0x00007609ffff 0x9ffff grrservice.exe.2f684a70.76000000-7609ffff.dmp \Windows\SysWOW64\advapi32.dll
0x000076ce0000 0x000076dfefff 0x11efff grrservice.exe.2f684a70.76ce0000-76dfefff.dmp
0x0000767b0000 0x00007685bfff 0xabfff grrservice.exe.2f684a70.767b0000-7685bfff.dmp \Windows\SysWOW64\msvcrt.dll
0x0000763b0000 0x00007649ffff 0xeffff grrservice.exe.2f684a70.763b0000-7649ffff.dmp \Windows\SysWOW64\rpcrt4.dll
0x000076860000 0x000076878fff 0x18fff grrservice.exe.2f684a70.76860000-76878fff.dmp \Windows\SysWOW64\sechost.dll
0x0000771b0000 0x00007735bfff 0x1abfff grrservice.exe.2f684a70.771b0000-7735bfff.dmp \Windows\System32\ntdll.dll
0x000076f50000 0x000077049fff 0xf9fff grrservice.exe.2f684a70.76f50000-77049fff.dmp
0x000077390000 0x00007750ffff 0x17ffff grrservice.exe.2f684a70.77390000-7750ffff.dmp \Windows\SysWOW64\ntdll.dll
0x00007efad000 0x00007efaffff 0x2fff grrservice.exe.2f684a70.7efad000-7efaffff.dmp
0x00007f0e0000 0x00007ffdffff 0xefffff grrservice.exe.2f684a70.7f0e0000-7ffdffff.dmp
0x00007efde000 0x00007efdefff 0xfff grrservice.exe.2f684a70.7efde000-7efdefff.dmp
0x00007efdb000 0x00007efddfff 0x2fff grrservice.exe.2f684a70.7efdb000-7efddfff.dmp
0x00007efd5000 0x00007efd7fff 0x2fff grrservice.exe.2f684a70.7efd5000-7efd7fff.dmp
0x00007efdf000 0x00007efdffff 0xfff grrservice.exe.2f684a70.7efdf000-7efdffff.dmp
0x00007efe0000 0x00007f0dffff 0xfffff grrservice.exe.2f684a70.7efe0000-7f0dffff.dmp Pagefile-backed section
0x00007ffe0000 0x00007ffeffff 0xffff grrservice.exe.2f684a70.7ffe0000-7ffeffff.dmp
0x00007fff0000 0x07fffffeffff 0x7ff7fffffff grrservice.exe.2f684a70.7fff0000-7fffffeffff.dmp
...
win7_trial_64bit.dmp.E01 23:45:13> peinfo executable="/tmp/grrservice.exe.2f684a70.760a0000-7619ffff.dmp"
Attribute Value
-------------------- -----
Machine IMAGE_FILE_MACHINE_I386
TimeDateStamp 2011-07-16 04:33:08+0000
Characteristics IMAGE_FILE_32BIT_MACHINE, IMAGE_FILE_DLL,
IMAGE_FILE_EXECUTABLE_IMAGE
GUID/Age 0EB73428EC4E430FB8EDD94C5946855B2
PDB wkernel32.pdb
MajorOperatingSystemVersion 6
MinorOperatingSystemVersion 1
MajorImageVersion 6
MinorImageVersion 1
MajorSubsystemVersion 6
MinorSubsystemVersion 1
Sections (Relative to 0x760A0000):
Perm Name VMA Size
---- -------- -------------- --------------
xr- .text 0x000000010000 0x0000000c0000
-rw .data 0x0000000d0000 0x000000010000
-r- .rsrc 0x0000000e0000 0x000000010000
-r- .reloc 0x0000000f0000 0x000000010000
Data Directories:
- VMA Size
---------------------------------------- -------------- --------------
IMAGE_DIRECTORY_ENTRY_EXPORT 0x00007615f728 0x00000000aa1a
IMAGE_DIRECTORY_ENTRY_IMPORT 0x00007616a144 0x0000000001f4
IMAGE_DIRECTORY_ENTRY_RESOURCE 0x000076180000 0x000000000520
IMAGE_DIRECTORY_ENTRY_EXCEPTION 0x000000000000 0x000000000000
IMAGE_DIRECTORY_ENTRY_SECURITY 0x000000000000 0x000000000000
IMAGE_DIRECTORY_ENTRY_BASERELOC 0x000076190000 0x00000000ad3c
IMAGE_DIRECTORY_ENTRY_DEBUG 0x00007616feb8 0x000000000038
IMAGE_DIRECTORY_ENTRY_COPYRIGHT 0x000000000000 0x000000000000
IMAGE_DIRECTORY_ENTRY_GLOBALPTR 0x000000000000 0x000000000000
IMAGE_DIRECTORY_ENTRY_TLS 0x000000000000 0x000000000000
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG 0x000076123330 0x000000000040
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT 0x000000000000 0x000000000000
IMAGE_DIRECTORY_ENTRY_IAT 0x0000760b0000 0x000000000ddc
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT 0x000000000000 0x000000000000
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR 0x000000000000 0x000000000000
IMAGE_DIRECTORY_ENTRY_RESERVED 0x000000000000 0x000000000000
Import Directory (Original):
Name Ord
-------------------------------------------------- -----
API-MS-Win-Core-RtlSupport-L1-1-0.dll!RtlUnwind 3
API-MS-Win-Core-RtlSupport-L1-1-0.dll!RtlCaptureContext 0
API-MS-Win-Core-RtlSupport-L1-1-0.dll!RtlCaptureStackBackTrace 1
ntdll.dll!NtCreateEvent 227
ntdll.dll!NtDuplicateObject 275
ntdll.dll!RtlConvertSidToUnicodeString 686
ntdll.dll!NtNotifyChangeKey 337
ntdll.dll!RtlRunOnceInitialize 1151
vadmap
View SourceInspect each page in the VAD and report its status.
This allows us to see the address translation status of each page in the VAD.
Plugin Arguments
end | Stop reading at this offset. (type: IntParser)
|
eprocess | Kernel addresses of eprocess structs. (type: ArrayIntParser)
|
method | Method to list processes. (type: ChoiceArray)
|
pids | One or more pids of processes to select. (type: ArrayIntParser)
|
proc_regex | A regex to select a process by name. (type: RegEx) |
start | Start reading from this page. (type: IntParser)
|
verbosity | An integer reflecting the amount of desired output: 0 = quiet, 10 = noisy. (type: IntParser)
|
version_modules
View SourceTry to determine the versions for all kernel drivers.
Plugin Arguments
name_regex | Filter module names by this regex. (type: RegEx) |
verbosity | An integer reflecting the amount of desired output: 0 = quiet, 10 = noisy. (type: IntParser)
|
Each time a windows binary is built using the Microsoft Visual Studio compiler suite a new unique GUID is generated for this file. The GUID is used to link the executable and the pdb file (which contains debugging symbols).
The GUID is embedded in the executable in an RSDS record (i.e. the record has
a signature starting with the letters RSDS). Rekall can scan for this
signature in order to identify the executable version.
This plugin scans for the version string for each loaded kernel module. Use the version_scan module to search for RSDS signatures in physical memory.
Sample output
win7_trial_64bit.dmp.E01 23:48:26> version_modules
Offset (V) Name GUID/Version PDB
-------------- -------------------- -------------------------------- ------------------------------
0xf800027f4b0c ntoskrnl.exe C07170995AA8441B952E3B9AE3F3754B2 ntkrnlmp.pdb
0xf8000262deb4 hal.dll 0C72B43B8AC64E22AB88B564E69330372 hal.pdb
0xf88002d34af4 wanarp.sys 7BA2309F029F4DE7878AED80636C2D132 wanarp.pdb
0xf8800183eed4 TDI.SYS C519554437F04B63BC39FF4E69578DC42 tdi.pdb
0xf88000d95b24 volmgrx.sys C047BA32ABCB4A948CBB8930F352B1032 volmgrx.pdb
0xf88003de7c60 dump_dumpfve.sys A2CC4DFB86424750871BCB8E1E841E3C1 dumpfve.pdb
0xf880019d4e00 watchdog.sys 79ACBD31D1BD428A8311AD9D5DCDEAA61 watchdog.pdb
0xf8800111004c cng.sys F0AA00E320D4468A9D3F7078E2AE2BF52 cng.pdb
0xf88002c2e648 csc.sys 56B7C3B9040B47D9821E6A57E6A5AE4A1 csc.pdb
0xf88000c02f48 CI.dll 5F1BDC2205AC402CB0F09FC7CF17A3701 ci.pdb
0xf88003c3f2dc USBD.SYS BE6200B21204452DADDF85CED51A5BDE1 usbd.pdb
0xf88002d0a1fc netbios.sys 084EB51DBDE844CF9EAD3B5FDFABDC721 netbios.pdb
0xf88000cc80a0 mcupdate.dll 8C7A27566CD54FB9A00AF26B5BF941651 mcupdate_GenuineIntel.pdb
0xf8800145c920 ndis.sys 40D6C85AC9F74887A652601839A1F56D2 ndis.pdb
0xf880019eb04c rdpencdd.sys C299649119AC4CC888F37C32A216781A1 RDPENCDD.pdb
0xf88003814d08 srv.sys 20C4A475BE954C10997EAD2C623E40C32 srv.pdb
0xf88003a52c10 raspptp.sys C9106AFB80474EFCAF9384DA26CC35622 raspptp.pdb
0xf880019b42ec VIDEOPRT.SYS 1B0FC2CC31FE41CEBEAC4ABB7375EA481 videoprt.pdb
0xf88000fda340 PCIIDEX.SYS 2C4F146DA2774ACEA1D5499284DDDB271 pciidex.pdb
0xf88003c2962c HIDCLASS.SYS 1815DD7E268B4BB9BCD5226204CFEC9C1 hidclass.pdb
0xf88000fd105c intelide.sys B72598DF61A84806B7AC593BA128300C1 intelide.pdb
0xf88003a37320 raspppoe.sys 39B224364B9042649CA0CDB8270762931 raspppoe.pdb
0xf88000e040ec atapi.sys 4E82D8C0AB5A41799B979539D280167D1 atapi.pdb
0xf88002cba464 netbt.sys 840D3E3C828C4D60A905DC82D8CBF8FA2 netbt.pdb
0xf880011f647c kbdclass.sys D5F7E088FAF44B60A3774197A9ADEEC01 kbdclass.pdb
0xf88000e361f0 amdxata.sys 8D1A5FFBAEEA4D388F8B7B3B9378C3671 amdxata.pdb
0xf880031abb04 srvnet.sys 608D364BC5524794BD70C89773BD51EF2 srvnet.pdb
0xf880028fa614 bowser.sys 26FAC99A52F8439E9A5B8B4B37F90D5B1 bowser.pdb
0xf88002ddb6f4 dfsc.sys 827F5D478C94478299C7FEC7FEE4DAFA1 dfsc.pdb
0xf880011bf9dc fvevol.sys 2FBEA7856251499B87C65A29FC51E6191 fvevol.pdb
0xf80000bc13b0 kdcom.dll ACC6A823A2844D22B68CD5D48D42381F2 kdcom.pdb
0xf88000fbe5a4 volmgr.sys 39E92F60716140C38C723CDF21B956CD2 volmgr.pdb
0xf88000f5c108 msisadrv.sys 09A612E6691847ED98E4F36F3CC9EE641 msisadrv.pdb
0xf8800183127c tdx.sys FB912A34EB1A44EC9F65E250879944B52 tdx.pdb
0xf8800119f10c rdyboost.sys 20E6E50C6F9B42589E18D96AD84608DB1 rdyboost.pdb
virt_map
View SourcePrints the Windows Kernel Virtual Address Map.
On 32 bit windows, the kernel virtual address space can be managed dynamically. This plugin shows each region and what it is used for.
Note that on 64 bit windows the address space is large enough to not worry about it. In that case, the offsets and regions are hard coded.
http://www.woodmann.com/forum/entry.php?219-Using-nt!_MiSystemVaType-to-navigate-dynamic-kernel-address-space-in-Windows7
Plugin Arguments
verbosity | An integer reflecting the amount of desired output: 0 = quiet, 10 = noisy. (type: IntParser)
|
vtop
View SourcePrints information about the virtual to physical translation.
Plugin Arguments
eprocess | Kernel addresses of eprocess structs. (type: ArrayIntParser)
|
method | Method to list processes. (type: ChoiceArray)
|
pids | One or more pids of processes to select. (type: ArrayIntParser)
|
proc_regex | A regex to select a process by name. (type: RegEx) |
verbosity | An integer reflecting the amount of desired output: 0 = quiet, 10 = noisy. (type: IntParser)
|
virtual_address | The Virtual Address to examine. (type: SymbolAddress) |
This plugin displays all the page translation steps needed to resolve a virtual address to a physical address.
Notes
- The plugin uses the current default address space to calculate the mapping. If you want to resolve the virtual address in a process space you will need to switch the process context first (i.e. use the cc plugin.
Sample output
win7_trial_64bit.dmp.E01 23:52:53> vtop 0xfa8000a2d060
Virtual 0xfa8000a2d060 Page Directory 0x00187000
pml4e@ 0x187fa8 = 0x3c00863
pdpte@ 0x3c00000 = 0x3c01863
pde@ 0x3c01028 = 0x30c009e3
Large page mapped 0x30e2d060
Physical Address 0x30c2d060
win32k_autodetect
View SourceAutomatically detect win32k struct layout.
Plugin Arguments
verbosity | An integer reflecting the amount of desired output: 0 = quiet, 10 = noisy. (type: IntParser)
|
yarascan
View SourceScan using yara signatures.
Plugin Arguments
binary_string | A binary string (encoded as hex) to search for. e.g. 000102[1-200]0506 (type: String) |
context | Context to print after the hit. (type: IntParser)
|
eprocess | Kernel addresses of eprocess structs. (type: ArrayIntParser)
|
hits | Quit after finding this many hits. (type: IntParser)
|
limit | The length of data to search in each selected region. (type: IntParser)
|
method | Method to list processes. (type: ChoiceArray)
|
pids | One or more pids of processes to select. (type: ArrayIntParser)
|
pre_context | Context to print before the hit. (type: IntParser)
|
proc_regex | A regex to select a process by name. (type: RegEx) |
scan_kernel | Scan the entire kernel address space. (type: Boolean)
|
scan_kernel_code | Scan the kernel image and loaded drivers. (type: Boolean)
|
scan_kernel_nonpaged_pool | Scan the kernel non-paged pool. (type: Boolean)
|
scan_kernel_paged_pool | Scan the kernel paged pool. (type: Boolean)
|
scan_kernel_session_pools | Scan session pools for all processes. (type: Boolean)
|
scan_physical | Scan the physical address space only. (type: Boolean)
|
scan_process_memory | Scan all of process memory. Uses process selectors to narrow down selections. (type: Boolean)
|
string | A verbatim string to search for. (type: String) |
verbosity | An integer reflecting the amount of desired output: 0 = quiet, 10 = noisy. (type: IntParser)
|
yara_expression | If provided we scan for this yara expression. (type: String) |
yara_file | The yara signature file to read. (type: String) |
yarascan_physical
View SourceAn experimental yara scanner over the physical address space.
Yara does not provide a streaming interface, which means that when we scan for yara rules we can only ever match strings within the same buffer. This is a problem for physical address space scanning because each page (although it might appear to be contiguous) usually comes from a different process/mapped file.
Therefore we need a more intelligent way to apply yara signatures on the physical address space:
-
The original set of yara rules is converted into a single rule with all the strings from all the rules in it. The rule has a condition “any of them” which will match any string appearing in the scanned buffer.
-
This rule is then applied over the physical address space.
-
For each hit we derive a context and add the hit to the context.
-
Finally we test all the rules within the same context with the original rule set.
Plugin Arguments
context | Context to print after the hit. (type: IntParser)
|
hits | Quit after finding this many hits. (type: IntParser)
|
limit | The length of data to search. (type: IntParser)
|
pre_context | Context to print before the hit. (type: IntParser)
|
start | Start searching from this offset. (type: IntParser)
|
verbosity | An integer reflecting the amount of desired output: 0 = quiet, 10 = noisy. (type: IntParser)
|
yara_ast | If provided we scan for this yara expression specified in the yara JSON AST. (type: String) |
yara_expression | If provided we scan for this yara expression specified in the yara DSL. (type: String) |