Matthieu Suiche Founder, MoonSols

Similar documents
Setting Up a Windows Virtual Machine for SANS FOR526

How To Install The Safenet-Inc.Com Software On A Pc Or Mac Or Macintosh (For A Powerpoint) With A Powerline (For Windows) Or Ipad (For Mac) With The Safetime (For Pc

SecurIMAG Live computer forensics - Virtual memory acquisition and exploitation on Windows NT6+

End-User troubleshooting guide For Sentinel SuperPro/UltraPro and Sentinel Hardware Keys

VMWare Workstation 11 Installation MICROSOFT WINDOWS SERVER 2008 R2 STANDARD ENTERPRISE ED.

Hi and welcome to the Microsoft Virtual Academy and

PARALLELS SERVER 4 BARE METAL README

Detecting Malware With Memory Forensics. Hal Pomeranz SANS Institute

13.1 Backup virtual machines running on VMware ESXi / ESX Server

Setting up Windows Phone 8 environment in VMWare

Volatile Memory Acquisition via Warm Boot Memory Survivability

Using Virtual PC 7.0 for Mac with GalleryPro

CHAD TILBURY.

FRONT FLYLEAF PAGE. This page has been intentionally left blank

Hypervisor Software and Virtual Machines. Professor Howard Burpee SMCC Computer Technology Dept.

An Introduction to Incident Detection and Response Memory Forensic Analysis

Server Software Installation Guide

Chapter 14 Analyzing Network Traffic. Ed Crowley

5nine Hyper-V Commander

ELECTRONIC QUALITY MANAGEMENT SOFTWARE

System Requirements - Table of Contents

A Comparison of VMware and {Virtual Server}

Spyware Analysis. Security Event - April 28, 2004 Page 1

Virtdbg. Using virtualization features for debugging the Windows 7 kernel. Damien Aumaitre. Recon 2011

Frontiers in Cyber Security: Beyond the OS

How to create a Virtual machine from a Macrium image backup

A Hypervisor IPS based on Hardware assisted Virtualization Technology

Operating System Software

4.1 Introduction 4.2 Explain the purpose of an operating system Describe characteristics of modern operating systems Control Hardware Access

Automating Linux Malware Analysis Using Limon Sandbox Monnappa K A monnappa22@gmail.com

vtcommander Installing and Starting vtcommander

System Requirements for LAW PreDiscovery Software ( LAW ) LAW PreDiscovery Software Installation Guide

Microsoft Diagnostics and Recovery Toolset 7 Evaluation Guide

Red Hat enterprise virtualization 3.0 feature comparison

Report on virtualisation technology as used at the EPO for Online Filing software testing

Expert Reference Series of White Papers. VMware vsphere Essentials

Tech Tip: Understanding Server Memory Counters

Penetration Testing LAB Setup Guide

PARALLELS SERVER BARE METAL 5.0 README

Fall. Forensic Examination of Encrypted Systems Matthew Postinger COSC 374

ZEN LOAD BALANCER EE v3.04 DATASHEET The Load Balancing made easy

Note: A WebFOCUS Developer Studio license is required for each developer.

Recover Tab & RecoverAssist User Guide

Memory Forensics with Hyper-V Virtual Machines.

bbc Installing and Deploying LiveCycle ES2 Using JBoss Turnkey Adobe LiveCycle ES2 November 30, 2011 Version 9

ZEN LOAD BALANCER EE v3.02 DATASHEET The Load Balancing made easy

A+ Guide to Software: Managing, Maintaining, and Troubleshooting, 5e. Chapter 3 Installing Windows

IOmark- VDI. HP HP ConvergedSystem 242- HC StoreVirtual Test Report: VDI- HC b Test Report Date: 27, April

A+ Guide to Managing and Maintaining Your PC, 7e. Chapter 2 Introducing Operating Systems

Format string exploitation on windows Using Immunity Debugger / Python. By Abysssec Inc

COS 318: Operating Systems. I/O Device and Drivers. Input and Output. Definitions and General Method. Revisit Hardware

Virtualization Forensics: Acquisition and analysis of a clustered VMware ESXi servers

Operating System Fundamentals Robert Power & Robert Ford

Practice Test for the Domain 1 - PC Hardware (Brought to you by RMRoberts.com)

Capturing a Forensic Image. By Justin C. Klein Keane <jukeane@sas.upenn.edu> 12 February, 2013

Hyper-V: Microsoft s

eggon SDK for ios 7 Integration Instructions

MULTIFUNCTIONAL DIGITAL SYSTEMS. Network Fax Guide

Windows Server 2003 with SP1 Installation Guide. Version

SUMMARIES OF VIDEOS GRADE 11 SYSTEMS TECHNOLOGIES

Test instructions & HW/SW specifications Contents

How do Users and Processes interact with the Operating System? Services for Processes. OS Structure with Services. Services for the OS Itself

AdminToys Suite. Installation & Setup Guide

Chapter 5: Fundamental Operating Systems

Installing Oracle 12c Enterprise on Windows 7 64-Bit

HoneyBOT User Guide A Windows based honeypot solution

Chapter 4. System Software. What You Will Learn... Computers Are Your Future. System Software. What You Will Learn... Starting the Computer

Introduction to Mirametrix EyeTracker

PCI-to-SATA RAID Adapter AEC-6890M. User s Manual Version:1.0

Autodesk Revit 2016 Product Line System Requirements and Recommendations

Kernel. What is an Operating System? Systems Software and Application Software. The core of an OS is called kernel, which. Module 9: Operating Systems

Guest Operating System. Installation Guide

lesson 1 An Overview of the Computer System

Windows Server 2008 R2 Essentials

Systems Management Tools And Documentation Version 8.1 Installation Guide

WINDOWS PROCESSES AND SERVICES

Chapter 12: Windows XP, Vista, and 7

Melde- und Analysestelle Informationssicherung MELANI Torpig/Mebroot Reverse Code Engineering (RCE)

Acronis Backup & Recovery 11

Hyper-V vs ESX at the datacenter

Horizon Client Workstation Specifications and Deployment

Silver Peak Virtual Appliances

inforouter V8.0 Server & Client Requirements

Forensic Imaging and Artifacts analysis of Linux & Mac (EXT & HFS+)

Part 3: Accessing Local drives and printers from the Terminal Server

Definitions. Hardware Full virtualization Para virtualization Hosted hypervisor Type I hypervisor. Native (bare metal) hypervisor Type II hypervisor

EaseUS Partition Master

CBE Architectural Overview and System Requirements

In order to upload a VM you need to have a VM image in one of the following formats:

System Requirements - CommNet Server

Implement and Utilize Hyper-V

Using WMI Scripts with BitDefender Client Security

Sage Grant Management System Requirements

Advanced Malware Cleaning Techniques for the IT Professional

Remote Desktop Services

VMware Server 2.0 Essentials. Virtualization Deployment and Management

HyperV_Mon. Introduction. A Free Tool From TMurgent Technologies

Transcription:

Matthieu Suiche Founder, MoonSols msuiche@moonsols.com

Founder of MoonSols (based in France) Twitter Addict Turned 21 (Beers please!) Reverse Engineering works related to Physical Memory Windows Hibernation file Memory Acquisition Mac OS X Physical Memory Analysis

Who?

Memory (crash) Dumps are interesting for Kernel developers Kernel troubleshooters Bug hunter Investigator Forensic Expert Malware Analyst Incident Responder

Who? Why?

Bug hunter: Hey man! I just wrote my Python fuzzer in 10 lines of code! I got a remote BSOD! And all I got is this crash dump! Kernel Developer F***! What the F*** is why with this null pointer?

Investigator / Forensic Expert Inspector Gadget just made a memory dump of Dr. Claw computer to extract his Facebook and Twitter activity. Moreover, the login/passwd he used to connect to his pr0n server. Malware Analyst I got this crazy packed Rootkit for Win 7 64-bits! Why the Numega guys stopped to dev SoftIce? I rather disassemble memory area and the dumper driver.

Incident Responder We just got pwned! There is not artifact of the exploit on disk! Let s do a memory dump to find the source of this! @!&$ ^ WTF Adobe Acrobat Reader is using 400MB of the physical address space with only 90 90 90 90 90 90 90 everywhere?

Who? Why? What / How?

Raw dump Virtual Machine State RAM Hibernation File Microsoft Crash Dump

Physical Attacks too DMA via Bus PCI (FireWire, PCMCIA, ExpressCard, ) See VirtDbg (Damien Aumaitre, Christophe Devine 2010) FPGA over CardBus for DMA I/O Early stage of Dev, but looks interesting. Unfortunately, there is no release yet.

Software's way do not require any hardware specification. (Unless you are trying to install a NVIDIA driver on your laptop with hardware virtualization j/k) Can also be an artifact E.g. hibernation file never wiped. Can be acquired remotely over TCP Click n go.

Whatever you can say. It s easy to bypass the O.S. [ ] the cat and mouse game blabla [ ] What people tell you is that it works in both ways! Software is everywhere even in virtualization.

Since virtualization is widely used for servers. Most of Hypervisors do have an pause / suspend feature of the state of the virtual machine. State is saved and/or maintained on disk. E.g..vmem file with VMWare Workstation E.g..bin file with Microsoft Hyper-V

Hibernation file Compressed Microsoft Crash Dump B.S.O.D. Raw \Device\PhysicalMemory

Raw dump Virtual Machine State RAM Hibernation File Microsoft Crash Dump

0.00 GB 4096 B BIOS reserved 2 GB RAM 2.00 GB 2.50 GB 512 MB 1 GB Device Memory (MMIO) 3.50 GB 512 MB 4.00 GB 2 GB 6.00 GB

Blue Blocks are the physical memory These blocks are copied into the Microsoft hibernation file 4GB limitation Microsoft crash dump file 2GB limitation

X0 MB X0 MB X1 MB X1 MB X2 MB --- X3 MB X3 MB X4 MB --- X5 MB X5 MB

X0 MB X1 MB X2 MB Microsoft Crash Dump Header X1 MB 0x1000 bytes on 32-bits system. 0x2000 bytes on 64-bits system. X3 MB X3 MB X4 MB X5 MB X5 MB

X0 MB X1 MB X2 MB X3 MB X4 MB X5 MB Hibernation file header. Memory Range Array a Compressed(X1)0 Compressed(X1)1 [ ] Compressed(X1)n Memory Range Array b Compressed(X1)n+1 Compressed(X2)0 Compressed(X2)1 [ ] 0x7000 bytes max.

Raw dump No file format, then no additional information. Most available tools only support this one, but this is really limited. Hibernation file File format makes our life easier Around 7-8 versions of the file format from WinXP to Win7, moreover it is architecture dependent.

Microsoft Crash Dump Has been used for years by kernel developers, and trouble shooters. Microsoft is maintaining a free tool called Windows Debugger Does load automatically Debugging Symbols Makes it working with every Windows version memory dump. Does have an SDK

MEMORY IMAGING Windows Third Party Tools Crash dump file (BSOD) Hibernation File (Hibernate) win32dd & win64dd Others Raw dump file. Crash dump file (without BSOD) Raw dump file.

MoonSols Windows Memory Toolkit win32dd win64dd dmp2bin bin2dmp hibr2dmp hibr2bin

Physical memory acquisition utility for Windows (x86 and x64, from NT 5.1 to 6.1) Supported format Raw format Microsoft crash dump (don t need to be in debug mode) Hashing features (MD5, SHA1, SHA-256) 3 different memory mapping techniques Let you chose what you want to copy Blue, Red, Green blocks

Can send a memory dump remotely from kernel-land AND does have a server feature to receive the dump Super-fast Support SMB file system as target path NO SYMBOLS REQUIERED Unlike Sysinternal s livekd.

Host to acquire Server Mode windd /t sample.moonsols.com /d Windd /l /f F:\moonsols.dmp sample.moonsols.com Send data to collect from the host to sample.moonsols.com.

Server Side Client Side Commands

UAC Compliant Report on memory activity 60 seconds for 4GB

MoonSols Windows Memory Toolkit win32dd win64dd dmp2bin bin2dmp hibr2dmp hibr2bin

dmp2bin <input> <output> Convert a Microsoft full crash dump into a linear memory dump (raw) Print a MD5 hash of the output file. Works on both x86 and x64 Microsoft full crash dump.

MD5 hash

MoonSols Windows Memory Toolkit win32dd win64dd dmp2bin bin2dmp hibr2dmp hibr2bin

bin2dmp <input> <output> Convert a linear memory dump in to a Microsoft full memory crash dump. Print a MD5 hash of the output file. Works on both x86 and x64 linear memory dump from NT 5.1 (WinXP) to NT 6.1 (Win7) HOT: Can work on live VMWare virtual machine!

MD5 hash

MoonSols Windows Memory Toolkit win32dd win64dd dmp2bin bin2dmp hibr2dmp hibr2bin

hibr2dmp <input> <output> Convert a Microsoft hibernation file into a Microsoft full memory crash dump. Print a MD5 hash of the output file. Works on both x86 and x64 linear memory dump from NT 5.1 (WinXP) to NT 6.1 (Win7)

MD5 hash

MoonSols Windows Memory Toolkit win32dd win64dd dmp2bin bin2dmp hibr2dmp hibr2bin

hibr2bin <input> <output> Convert a Microsoft hibernation file into a linear meomry dump. Print a MD5 hash of the output file. Works on both x86 and x64 linear memory dump from NT 5.1 (WinXP) to NT 6.1 (Win7)

MD5 hash

Maintained by Microsoft itself for years. Firstly, designed for developers for troubleshooting such as crash dump analysis.

WinDbg is a multipurpose graphical debugger for Microsoft Windows, distributed by Microsoft. It can be used to debug user mode applications, drivers, and the operating system itself in kernel mode. Available in Windows SDK [13] or WDK [14].

No more need to get a Blue Screen of Death to get Microsoft Crash Dump. Converting a Windows hibernation file into a Microsoft crash dump is super cool See you at http://moonsols.com/component/jdownloads/view. download/3/2

Virtualization!

Twitter: msuiche Email: msuiche@moonsols.com Web: http://www.moonsols.com

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information