SecurIMAG - 2011-11 - Live computer forensics - Virtual memory acquisition and exploitation on Windows NT6+


Fabien Duchene (1,2), Guillaume Touron (2)
1 Laboratoire d'Informatique de Grenoble, VASCO team, firstname.name@imag.fr
2 Grenoble Institute of Technology - Grenoble INP - Ensimag, firstname.name@ensimag.fr
Fabien Duchene, Guillaume Touron (SecurIMAG), Forensics-Live mem NT6, 2011-11, 51 slides

Outline
1 Computer forensics: Introduction; Talk focus
2 Acquiring Windows x86 virtual memory: Some methods; Some tools
3 Memory exploiting / analysis: The TrueCrypt example; Kmode exploration; DKOM attacks
4 Conclusion

Computer forensics - Introduction: Computer Forensics? What?
- Forensic science: answers questions of interest to a legal system.
- Digital forensics: the same, applied to digital devices.
- Computer forensics: identifying, preserving, recovering, analyzing and presenting facts and opinions about digital information.
- Basically, it answers the question: what happened?

Computer forensics - Introduction: Types of computer forensics
- static / dead: analysis of a system dump image (e.g. unplug the power cord, then analyze), read through a write-blocking reader
- live: analysis of a running system
- in-between: analysis of a memory image of a running system

Computer forensics - Introduction: Forensics... why? (forensics, live forensics?)
- in search of the truth!
- because they might still be in memory: cryptographic keys, credentials

Computer forensics - Introduction: Live forensics
- Live acquisition: acquiring data while modifying it as little as possible, and being aware of the IMPACT! (Only he can!)
- The ultimate live forensics goal: get a complete snapshot of the system:
  - CPU flags, registers, cache...
  - storage: RAM, HDD...
  - motherboard state
  - peripherals: NIC (buffers, own CPU and memory state...)
- Can we do it?

Computer forensics - Talk focus: Talk topic
- Live memory acquisition
- Post-mortem analysis

Acquiring Windows x86 virtual memory - Some methods: cold boot attacks
- Works on: any computer using DRAM
- Requires: physical access
- DRAM retains its content for several seconds after being powered off
- Attack: freeze the modules, plug them into a DRAM reader, dump the content... and enjoy!
- [Lest We Remember: Cold Boot Attacks on Encryption Keys 2008] article findings:
  - bit decay increases over time
  - decay takes longer when the temperature is lower

Acquiring Windows x86 virtual memory - Some methods: virtual machine snapshots
- Hypervisor examples: Microsoft Hyper-V, Virtual PC; VMware ESX; Oracle VirtualBox; Parallels Desktop
- VM snapshot: what is a VM snapshot?
  - a photo of the state and data of a VM at a given time
  - basically, the ultimate live forensics goal + the VM power state (powered-on, off, suspended)

Acquiring Windows x86 virtual memory - Some methods: VM snapshot attack
- Works on: any hypervisor having at least one virtualized computer
- Requires:
  - online: hypervisor snapshot privilege (take, apply)... or a way to subvert the hypervisor (e.g. VM peripheral drivers), do it the teach way!
  - offline: take-snapshot privilege and read access to the vhd file
- Attack: take a snapshot; export the virtual machine to a storage medium; import it; apply the snapshot (which also restores the virtual DRAM content)

Acquiring Windows x86 virtual memory - Some methods: Virtual Hard Disk [lucd 2010] [Savill 2008]
- Virtualized hard disk types:
  - dynamic-sized file: the size evolves dynamically with the sectors that have been written, so the VHD file size stays at or below the virtual disk capacity
  - fixed-sized file: the VHD file size equals the virtual disk capacity; better performance
  - differential: a dynamic disk that only stores modifications relative to its parent
- Snapshot operations: take one; delete one; merge several; apply one

Acquiring Windows x86 virtual memory - Some methods: random crap about the Hyper-V and VirtualPC VHD, 2010-04-17 (figure)

Acquiring Windows x86 virtual memory - Some methods: DMA attacks [Subverting Windows 7 x64 Kernel with DMA attacks]
- Direct Memory Access: per the PCI specifications, for performance, any device can issue a read/write DMA request
- Do you spot the problem? It bypasses the CPU, and thus the OS

Acquiring Windows x86 virtual memory - Some methods: DMA attack implementations (public ones...)
- FireWire: 2004 Maximilian Dornseif (Mac OS X); 2006 Adam Boileau (Windows XP); 2008 Damien Aumaitre (virtual memory reconstruction)
- PCI: 2009 Christophe Devine and Guillaume Vissian, custom DMA engine implemented on an FPGA card
- PCMCIA / CardBus / ExpressCard: 2010 Damien Aumaitre, Christophe Devine

Acquiring Windows x86 virtual memory - Some methods: DMA attack, the PCMCIA case
- PCMCIA is a 32-bit port, thus only the first 4 GB of physical memory are addressable
- Need to identify the structures: not working on virtual memory, but directly on physical memory!
- For more good beef: [Subverting Windows 7 x64 Kernel with DMA attacks]

Acquiring Windows x86 virtual memory - Some methods: Hibernate file
- hiberfil.sys: hibernation file, since Windows 2000 (NT5)
- Undocumented format; file stored on the disk drive
- Content: physical memory dump, related to pagefile.sys (virtual memory control)

Acquiring Windows x86 virtual memory - Some methods: Sandman, from hibernation to physical memory dump
- Converts the hibernation file hiberfil.sys into a regular memory dump [Matthieu Suiche 2008]

Acquiring Windows x86 virtual memory - Some methods: Windows Crash Dump
- What is a crash dump? Yep, that's it!
- A capture of the state of an application (in the broad sense, including the operating system) when a crash event occurs
- Handled by kernel emergency functions

Acquiring Windows x86 virtual memory - Some methods: Windows Crash Dump I [Hameed 2008]
- Complete memory dump: 1 MB header + complete physical memory dump
- Kernel memory dump: 1 MB header + kernel R/W pages + kernel non-paged memory (list of running processes, loaded device drivers)

Acquiring Windows x86 virtual memory - Some methods: Windows Crash Dump II
- Small memory dump (MiniDump): 64 KB dump (128 KB on 64-bit)
- Contains: stop code, parameters, list of loaded device drivers, kernel stack of the thread that crashed, information about the current process and thread

Acquiring Windows x86 virtual memory - Some methods: automatic execution
- ...: a fake iPod USB token is loaded, then an automatic mounter and commands run in the background
- demo? Teensy?

Acquiring Windows x86 virtual memory - Some methods: x86 VMM (figure)

Acquiring Windows x86 virtual memory - Some methods: x64 VMM (figure)

Acquiring Windows x86 virtual memory - Some tools: Win32dd I
- Win32dd, by Matthieu Suiche (now part of the Moonsols Memory Toolkit)
- Goal: dumping physical memory using different acquisition methods
- Physical memory dumping on Windows XP (NT5): \Device\PhysicalMemory...
- Windows Vista (NT6+): no longer available
- Other acquisition methods: PFN database; MmMapIoSpace

Acquiring Windows x86 virtual memory - Some tools: PFN database (figure)

Acquiring Windows x86 virtual memory - Some tools: Win32dd I (the MmMapIoSpace method)
- We focus on the MmMapIoSpace method. How does it work? Do some RE on the Win32dd driver.
- User/kernel communication in Windows: physical memory access is only possible in kernel mode
- Win32dd extracts its driver and registers it
- The driver creates a device
- The user-land program opens the device and sends commands through the DeviceIoControl API, which sends IRPs to the driver

Acquiring Windows x86 virtual memory - Some tools: Physical address space layout (figure)

Acquiring Windows x86 virtual memory - Some tools: Win32dd I (physical memory runs)
- First: Win32dd retrieves the physical memory runs; runs are the physical memory ranges actually used by the system
- For >= NT 5.1: get MmPhysicalMemoryBlock from KDDEBUGGER_DATA64
- Otherwise: use MmGetPhysicalMemoryRanges and build MmPhysicalMemoryBlock yourself

Acquiring Windows x86 virtual memory - Some tools: Win32dd II
- Second: Win32dd knows every physical run; global algorithm:
  - iterate over each run
  - map it with MmMapIoSpace
  - write it into your memory dump file
  - repeat NumberOfRuns times...
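The run loop above, written out as an added example (not Win32dd's code) over a constructed run table in the shape of PHYSICAL_MEMORY_DESCRIPTOR; read_phys stands in for the MmMapIoSpace mapping the driver does, and the 32-bit little-endian packing of the table is an assumption. It also shows the analysis-side consequence: a dump that concatenates runs without padding the holes needs the run table to turn a physical address back into a file offset.

```python
import struct

PAGE = 0x1000


def parse_runs(blob):
    """Parse a constructed run table: NumberOfRuns, NumberOfPages, then
    (BasePage, PageCount) pairs, all 32-bit little-endian (assumed packing).
    The page total is cross-checked so a truncated table is caught early."""
    nruns, npages = struct.unpack_from("<II", blob, 0)
    runs = [struct.unpack_from("<II", blob, 8 + 8 * i) for i in range(nruns)]
    if sum(count for _, count in runs) != npages:
        raise ValueError("NumberOfPages does not match the run list")
    return runs


def dump_runs(read_phys, runs, padded):
    """The acquisition loop from the slide: for each run, map it (here read_phys)
    and append it to the dump, NumberOfRuns times.
    padded=True zero-fills the holes so that file offset == physical address;
    padded=False concatenates the runs, which is smaller but needs the run table later."""
    out, next_pa = bytearray(), 0
    for base, count in runs:
        start, size = base * PAGE, count * PAGE
        if padded and start > next_pa:
            out += b"\0" * (start - next_pa)   # hole: reserved/device range the OS never used
        out += read_phys(start, size)
        next_pa = start + size
    return bytes(out)


def phys_to_file_offset(runs, pa):
    """Translate a physical address into an offset inside a concatenated (unpadded)
    dump; None when pa falls into a hole between runs."""
    file_off = 0
    for base, count in runs:
        start, size = base * PAGE, count * PAGE
        if start <= pa < start + size:
            return file_off + (pa - start)
        file_off += size
    return None


# Constructed sample: six physical pages, pages 2-3 are a hole (two runs, four pages).
SAMPLE_RUNS = [(0, 2), (4, 2)]
SAMPLE_TABLE = struct.pack("<II", len(SAMPLE_RUNS), 4) + b"".join(
    struct.pack("<II", base, count) for base, count in SAMPLE_RUNS)


def sample_read_phys(start, size):
    """Stand-in for the mapped physical range: every page is filled with its page number."""
    return b"".join(bytes([p]) * PAGE for p in range(start // PAGE, (start + size) // PAGE))


if __name__ == "__main__":
    runs = parse_runs(SAMPLE_TABLE)
    packed = dump_runs(sample_read_phys, runs, padded=False)
    print("runs:", runs, "packed size:", len(packed), "padded size:",
          len(dump_runs(sample_read_phys, runs, padded=True)))
    print("physical 0x4010 is at file offset", hex(phys_to_file_offset(runs, 0x4010)))
```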

Memory exploiting / analysis: Memory forensics
- Kernel objects listing: see next slides
- Extracting in-memory cryptographic key material, the TrueCrypt case: the user can choose to cache the passphrase; go through the kernel structures

Memory exploiting / analysis - The TrueCrypt example: Memory forensics, TrueCrypt example I
- Hypothesis: the user enabled passphrase caching
- Passphrase caching: the passphrase is stored by the TrueCrypt kernel driver
- How to find this material? Step 1: find the DRIVER_OBJECT structure
  - brute-force approach: look for specific structure patterns and constants (OBJECT_HEADER, DISPATCH_HEADER...); kernel addresses are > MmSystemRangeStart (0x80000000)
  - list-walking approach (e.g. PsLoadedModuleList, KDDEBUGGER_DATA64)

Memory exploiting / analysis - The TrueCrypt example: Memory forensics, TrueCrypt example II
- Step 2: find the DEVICE_OBJECT structure
  - check DRIVER_OBJECT.DeviceObject
  - devices list walking: DeviceObject.NextDevice
  - retrieve DeviceObject.DeviceExtension: used by the driver programmer to store device-specific data; persistent data (non-paged pool)
- DeviceExtension found, then? Then analyze the TrueCrypt-specific structures and extract the master keys

Memory exploiting / analysis - Kmode exploration: Volatility I
- Volatility framework: a framework for Windows physical memory dump exploration
- Useful features: list processes (PSLIST, see next slides...); dump the Windows registry...
- Focus on PSLIST. Goal: retrieve the list of processes that were active when the snapshot was taken

Memory exploiting / analysis - Kmode exploration: Volatility II (figure)

Memory exploiting / analysis - Kmode exploration: Volatility, PSLIST I
- First goal: retrieve KPCR.ActiveProcessListHead. Problem: where is KPCR (in physical space)?
- We must find a page directory table: take EPROCESS.PageDirectoryTable[0] (== CR3 on x86)
- EACH PROCESS SHARES THE SAME KERNEL SPACE MAPPING (modulo session space, which we ignore here)
- First step: find an EPROCESS structure in memory by recognizing some patterns

Memory exploiting / analysis - Kmode exploration: Volatility, PSLIST II
- Once CR3 is found, retrieve KPCR: KPCR is always mapped at FS:[0] in kernel mode, at the fixed virtual address 0xffdff000
- We are now able to retrieve KPCR.ActiveProcessListHead
- PSLIST: we can list the active processes and dump them (their whole virtual address space)
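The PSLIST chain of the last two slides (pattern-scan an EPROCESS, take its CR3, translate the fixed KPCR address, walk ActiveProcessLinks) as an added example in Python, not Volatility's code. It runs over a constructed 32 KiB "physical memory dump" whose page tables and records are built inline; the record layout, the DISPATCHER_HEADER pattern bytes and the KPCR field offset are hypothetical stand-ins, not real Windows offsets (those depend on the NT build and come from symbols).

```python
import struct

PAGE = 0x1000
KERNEL_VA = 0x80000000      # MmSystemRangeStart on x86 (non-PAE), as quoted on the slides
KPCR_VA = 0xFFDFF000        # fixed KPCR virtual address quoted on the slides
# Constructed record standing in for EPROCESS (hypothetical offsets):
#  +0x00 DISPATCHER_HEADER Type/Size bytes (the constant pattern the scanner keys on)
#  +0x04 DirectoryTableBase (CR3)   +0x08 UniqueProcessId
#  +0x0c ActiveProcessLinks.Flink   +0x10 ActiveProcessLinks.Blink   +0x14 ImageFileName[16]
EPROC_PATTERN = b"\x03\x1b\x00\x00"
OFF_CR3, OFF_PID, OFF_LINKS, OFF_NAME = 0x04, 0x08, 0x0C, 0x14
KPCR_OFF_HEAD = 0x34        # hypothetical offset of ActiveProcessListHead inside KPCR


def v2p(mem, cr3, va):
    """x86 two-level page walk: CR3 -> PDE -> PTE -> physical address (None if not present)."""
    pde = struct.unpack_from("<I", mem, cr3 + ((va >> 22) & 0x3FF) * 4)[0]
    if not pde & 1:                       # present bit clear (4 MiB pages are not modelled here)
        return None
    pte = struct.unpack_from("<I", mem, (pde & 0xFFFFF000) + ((va >> 12) & 0x3FF) * 4)[0]
    if not pte & 1:
        return None
    return (pte & 0xFFFFF000) | (va & 0xFFF)


def read_u32(mem, cr3, va):
    pa = v2p(mem, cr3, va)
    if pa is None:
        raise ValueError("virtual address 0x%08x is not mapped" % va)
    return struct.unpack_from("<I", mem, pa)[0]


def scan_eprocess(mem):
    """Step 1: find EPROCESS candidates by pattern. Sanity checks on the fields that follow
    (page-aligned CR3 inside the dump, list links in kernel space) weed out random matches."""
    hits, off = [], mem.find(EPROC_PATTERN)
    while off != -1 and off + OFF_NAME <= len(mem):
        cr3, _pid, flink, blink = struct.unpack_from("<IIII", mem, off + OFF_CR3)
        if cr3 and cr3 % PAGE == 0 and cr3 < len(mem) and min(flink, blink) >= KERNEL_VA:
            hits.append(off)
        off = mem.find(EPROC_PATTERN, off + 1)
    return hits


def find_cr3(mem):
    """Any credible EPROCESS will do: every process shares the kernel-space mapping."""
    hits = scan_eprocess(mem)
    return struct.unpack_from("<I", mem, hits[0] + OFF_CR3)[0] if hits else None


def pslist(mem, cr3):
    """Step 2: KPCR at its fixed VA -> ActiveProcessListHead -> walk the LIST_ENTRY chain."""
    head_va = read_u32(mem, cr3, KPCR_VA + KPCR_OFF_HEAD)
    procs, seen, link = [], set(), read_u32(mem, cr3, head_va)        # head.Flink
    while link != head_va and link not in seen:                        # seen: no loop on a corrupted list
        seen.add(link)
        rec = v2p(mem, cr3, link - OFF_LINKS)                          # CONTAINING_RECORD
        if rec is None:
            break                                                      # unmapped: stop rather than misread
        pid = struct.unpack_from("<I", mem, rec + OFF_PID)[0]
        name = bytes(mem[rec + OFF_NAME:rec + OFF_NAME + 16]).split(b"\0", 1)[0].decode("ascii", "replace")
        procs.append((pid, name))
        link = read_u32(mem, cr3, link)                                # this entry's Flink
    return procs


def _map(mem, cr3, pt_phys, va, pa):
    """Write the PDE/PTE pair mapping one 4 KiB page (present + writable)."""
    struct.pack_into("<I", mem, cr3 + ((va >> 22) & 0x3FF) * 4, pt_phys | 3)
    struct.pack_into("<I", mem, pt_phys + ((va >> 12) & 0x3FF) * 4, pa | 3)


def build_sample_memory():
    """Constructed dump: page directory in page 1, page tables in pages 2 and 6, three processes."""
    mem, cr3 = bytearray(8 * PAGE), 0x1000
    _map(mem, cr3, 0x2000, KERNEL_VA, 0x3000)
    _map(mem, cr3, 0x2000, KERNEL_VA + 0x1000, 0x5000)     # deliberately not identity-mapped
    _map(mem, cr3, 0x2000, KERNEL_VA + 0x2000, 0x4000)
    _map(mem, cr3, 0x6000, KPCR_VA, 0x7000)
    head_va = KERNEL_VA + 0x100
    recs = [(KERNEL_VA + 0x1040, 4, b"System"), (KERNEL_VA + 0x2080, 348, b"smss.exe"),
            (KERNEL_VA + 0x1200, 512, b"csrss.exe")]
    links = [head_va] + [va + OFF_LINKS for va, _, _ in recs]         # circular LIST_ENTRY chain
    struct.pack_into("<II", mem, v2p(mem, cr3, head_va), links[1], links[-1])
    for i, (va, pid, name) in enumerate(recs, 1):
        struct.pack_into("<4sIIII16s", mem, v2p(mem, cr3, va), EPROC_PATTERN, cr3, pid,
                         links[(i + 1) % len(links)], links[i - 1], name)
    struct.pack_into("<I", mem, v2p(mem, cr3, KPCR_VA) + KPCR_OFF_HEAD, head_va)
    return mem


if __name__ == "__main__":
    dump = build_sample_memory()
    cr3 = find_cr3(dump)
    print("CR3 = 0x%x" % cr3, pslist(dump, cr3))
```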

Memory exploiting / analysis - DKOM attacks: Reminders of Windows security mechanisms I [Windows Internals 5th Ed. - Vista and 2008 Server]
- Securable objects are protected with a SECURITY_DESCRIPTOR: access control lists (SIDs; associated allowed operations on the object)
- e.g. peripherals, files, jobs, shared memory sections, pipes, LPC ports, events, mutexes, timers, semaphores, access tokens, window stations, desktops, SMB shares, services, registry keys...

Memory exploiting / analysis - DKOM attacks: Reminders of Windows security mechanisms II (figure)

Memory exploiting / analysis - DKOM attacks: Reminders of Windows security mechanisms III
- Security token: when accessing an object, the Security Reference Monitor checks the TOKEN of the process:
  - process owner: user SID, group SIDs
  - privileges (a function of the process and the user SIDs)
  - virtualization state
  - session

Memory exploiting / analysis - DKOM attacks: Reminders of Windows security mechanisms IV (figure)

Memory exploiting / analysis - DKOM attacks: DKOM attacks I
- DKOM: Direct Kernel Object Manipulation
- Examples: a hibernate file retrieved with Sandman; a snapshot file (virtual machine)
- Or DKOM on a living machine, with a kernel driver (e.g. rootkits)

Memory exploiting / analysis - DKOM attacks: DKOM attacks II
- FULL ACCESS to physical memory (user and kernel!): YOU CAN READ/MODIFY EVERYTHING YOU WANT
- Hypothesis: you can re-inject your modifications
- Get the token: the TOKEN is accessed from the EPROCESS structure
- Possible attack: privilege escalation
  - find the appropriate EPROCESS structure, e.g. a process you can exploit and make execute YOUR shellcode
  - modify your TOKEN SID: be r00t, take the NT AUTHORITY/SYSTEM SID
  - subsequent object accesses or process creations are performed under SYSTEM

Memory exploiting / analysis - DKOM attacks: DKOM attacks III, conclusion
- Powerful attack, but hard to use IRL
- A similar escalation process is used for kernel vulnerability exploitation

Memory exploiting / analysis - DKOM attacks: DKOM application, unlocking a Windows 7 x64 computer
- Idea: modify the password validation function msv1_0.dll!MsvpPasswordValidate [Boileau 2006]
- That password validation function compares hash(inputted password) with the stored hash(user password), then jumps to a location if they are not equal (cmp then jnz)
- How to modify the memory? Replace the jnz with a jmp [Subverting Windows 7 x64 Kernel with DMA attacks]

Conclusion
- Many methods for acquiring memory on a live system:
  - OS independent: cold boot, DMA, snapshot
  - OS dependent: snapshot (if hypervisor evasion), dumping tools, crash dump
- Regarding exploitation:
  - take care to keep the kernel structures coherent (or you might get a BSOD!)
  - watch out for kernel protections such as PatchGuard (basically periodic checks, so the trick must not last too long)

Conclusion - For Further Reading
- Boileau, Adam (2006). winlockpwn attack (Firewire). http://storm.net.nz/static/files/winlockpwn
- Damien Aumaitre, Christophe Devine. Subverting Windows 7 x64 Kernel with DMA attacks. Sogeti-ESEC, http://esec-lab.sogeti.com/dotclear/public/publications/10-hitbamsterdam-dmaattacks.pdf
- Hameed, CC (2008). Understanding Crash Dump Files. https://blogs.technet.com/themes/blogs/generic/post.aspx?WeblogApp=askperf&y=2008&m=01&d=08&WeblogPostName=understanding-crash-dump-files&GroupKeys=
- J. Alex Halderman, Seth D. Schoen, Nadia Heninger, William Clarkson, William Paul, Joseph A. Calandrino, Ariel J. Feldman, Jacob Appelbaum and Edward W. Felten (2008). Lest We Remember: Cold Boot Attacks on Encryption Keys. https://jhalderm.com/pub/papers/coldboot-sec08.pdf

- lucd (2010). yadr - A vdisk reporter. http://www.lucd.info/2010/03/23/yadr-a-vdisk-reporter/
- Mark E. Russinovich, David A. Solomon, Alex Ionescu and so many more (incl. Bernard Ourghanlian). Windows Internals 5th Ed. - Vista and 2008 Server. http://technet.microsoft.com/en-us/sysinternals/bb963901
- Matthieu Suiche, Nicolas Ruff (@Newsoft) (2008). Sandman. http://www.msuiche.net/2008/02/26/sandman-10080226-is-out/
- Savill, John (2008). Q. I'm deleting a Hyper-V virtual machine (VM) that had snapshots. Why is the VM delete taking so long? http://www.windowsitpro.com/article/virtualization/q-i-m-deleting-a-hyper-v-virtual-machine-vm-that-had-snapshots-why-is-the-vm-delete-taking-so-long-