
Reconstructing the Scene of the Crime - PowerPoint PPT Presentation



  1. Reconstructing the Scene of the Crime

  2. Who are they?
     STEVE DAVIS and PETER SILBERMAN
     Security Consultant / Engineer / Researcher at MANDIANT

  3. Agenda
     - ½ Demo - Pop it like it's hotttt -
     - Problem / Solution
     - Process Acquisition
     - Metasploit
     - Meterpreter Communication
     - Metasploit Forensic Framework (MSFF)
     - ½ Demo - Reconstructing it like it's hotttt -

  4. Demo Part 1
     - Box: Windows XP, fresh SP3
     - Same box that our slides are running from... Oh noes!
     - MS08-067, meterpreter bind tcp

  5. Back to our regularly scheduled slides...

  6. Problem
     - Meterpreter
       - Traditional disk forensics is helpless
       - Attack vector may never touch disk
       - No way to determine what happened
     - Goal
       - Reconstruct attacker's Meterpreter sessions with as much reliability as possible

  7. Solution
     - Acquire exploited processes' address space
     - Parse out meterpreter protocol from acquired memory sections
       - Reconstruct meterpreter sessions

  8. MANDIANT Memoryze
     ENUMERATION
       - All running processes
         - Handle table
         - Memory sections
         - Ports
         - Strings
         - Loaded DLLs
       - Drivers
         - Including layered ones
       - Certain kernel hooks
     ACQUISITION
       - Physical memory image
       - Running process's memory space
         - Binary
         - Stacks
         - Heaps
         - Data sections
       - Drivers

  9. MANDIANT Memoryze
     - Can analyze memory live, or from image
       - Live analysis can use paging file for a more complete picture of memory
     - Supported platforms
       - 32-bit Windows 2000, XP, 2003 Server
       - Beta support for Vista
     - Download at
       - http://www.mandiant.com/

  10. Process Acquisition

  11. Why Process Acquisition?
     - Acquisition was originally used mostly for malware analysis
       - Acquire packed binaries running in memory
         - Usually utilized debuggers
         - Can defeat most packers
     - Acquisition has other uses:
       - Acquire unknown binaries for Virustotal
       - Acquire memory to look for protocol strings
         - Encrypted strings are unencrypted in memory

  12. Classic Process Acquisition
     - Current Methodology
       - Open handle to process, OR
       - Attach to process
       - ReadProcessMemory(hProc, ImageBase, buffer, ImageSize, BytesRead)
     - Current drawbacks
       - Requires "touching" a process
       - Detecting debuggers is trivial
       - Gives an incomplete picture of memory

  13. Process Acquisition: Memoryze
     RELIES ON
       - Physical memory access
       - Virtual to physical address translation
       - The OS's Virtual Memory Manager
     DOES NOT RELY ON
       - Attaching to a process with a debugger
       - Opening handles to processes or threads
       - API calls

  14. Memoryze: Process Acquisition
     - Accessing Physical Memory
       - Live analysis
       - Acquisition
     - \Device\PhysicalMemory
       - Section object exposed by Windows
       - Reading from handle allows application to read physical memory
       - Every virtual address must be translated to a physical offset within the section object

  15. [Figure: PAE virtual-to-physical address translation. KPROCESS -> CR3 -> Page Dir Pointers (PDP index, 4 entries) -> Page Dir (PDE, Page Directory Index, 512 entries) -> Page Table (PTE, Page Table Index, 512 entries) -> Page Frame in Physical Memory. The 32-bit Virtual Address is split into 2 bits (PDP index), 9 bits (Page Directory Index), 9 bits (Page Table Index) and 12 bits (Byte Index, 4096).]
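An added example (not the presenters' or Memoryze's code) that carries out the 2/9/9/12 PAE walk from the figure over a constructed "physical memory" buffer; the page-table layout, the CR3 value and the addresses mapped are assumptions built for the demo, and a not-present entry at any level returns None.

```python
import struct

PAGE_MASK = 0x000FFFFFFFFFF000   # bits 12..51 of a 64-bit PAE entry hold the page-frame address
PRESENT, LARGE_PAGE = 1 << 0, 1 << 7

def read_qword(phys, offset):
    return struct.unpack_from("<Q", phys, offset)[0]

def pae_v2p(phys, cr3, va):
    """Translate a 32-bit VA to a physical offset: 2-bit PDP index, 9-bit PD index,
    9-bit PT index, 12-bit byte index. Returns None if any level is not present."""
    pdpt_idx = (va >> 30) & 0x3
    pd_idx = (va >> 21) & 0x1FF
    pt_idx = (va >> 12) & 0x1FF
    pdpe = read_qword(phys, (cr3 & 0xFFFFFFE0) + pdpt_idx * 8)   # PDPT is 32-byte aligned under PAE
    if not pdpe & PRESENT:
        return None
    pde = read_qword(phys, (pdpe & PAGE_MASK) + pd_idx * 8)
    if not pde & PRESENT:
        return None
    if pde & LARGE_PAGE:                                          # 2 MiB page: no page-table level
        return (pde & 0x000FFFFFFFE00000) | (va & 0x1FFFFF)
    pte = read_qword(phys, (pde & PAGE_MASK) + pt_idx * 8)
    if not pte & PRESENT:
        return None
    return (pte & PAGE_MASK) | (va & 0xFFF)

def build_toy_memory():
    """Constructed physical memory: PDPT at 0x0, PD at 0x1000, PT at 0x2000, data page at 0x3000.
    Maps VA 0x8AADB000 -> PA 0x3000 (4 KiB page) and VA 0x00400000 -> PA 0x200000 (2 MiB page)."""
    phys = bytearray(0x4000)
    cr3 = 0x0
    # PDPT slot 2 covers VA 0x80000000-0xBFFFFFFF, slot 0 covers 0-0x3FFFFFFF; both use one toy PD
    struct.pack_into("<Q", phys, 0 * 8, 0x1000 | PRESENT)
    struct.pack_into("<Q", phys, 2 * 8, 0x1000 | PRESENT)
    # PD: VA 0x8AADB000 -> pd_idx 0x55 -> PT at 0x2000; VA 0x00400000 -> pd_idx 2 -> large page
    struct.pack_into("<Q", phys, 0x1000 + 0x55 * 8, 0x2000 | PRESENT)
    struct.pack_into("<Q", phys, 0x1000 + 2 * 8, 0x200000 | LARGE_PAGE | PRESENT)
    # PT: pt_idx 0xDB -> data page at 0x3000; the neighbouring pt_idx 0xDC is left not-present
    struct.pack_into("<Q", phys, 0x2000 + 0xDB * 8, 0x3000 | PRESENT)
    phys[0x3830:0x3834] = struct.pack("<I", 0x001B0003)          # the header dword seen on slide 20
    return bytes(phys), cr3
```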

  16. Memoryze: Process Acquisition
     - Map physical memory into buffer
     - Acquisition:
       - Write buffer to disk (dd)
     - Analysis:
       - Scan buffer for known signatures of kernel structures, e.g. EPROCESS

  17. New Process Acquisition
     - Find all processes (EPROCESS) in physical memory
       - VadRoot within the EPROCESS structure
         - Helps manage the process's virtual address space
       - The VadRoot is the top node of a tree of Memory Manager Virtual Address Descriptor (MMVAD) entries
       - MMVAD entries contain the virtual start address and size of each memory section within a process
       - MMVAD entries containing mapped DLLs or EXEs will have a pointer to the path of the binary

  18. Memoryze: Process Acquisition
     - OllyDbg's memory map view shows the different sections
     - Each address range is an entry in VadRoot, represented by a MMVAD structure
     - Enumeration of VadRoot allows access to heaps, stacks, and binary images

  19-21. Finding Processes: Kernel Address Space
     Address      Value
     ...
     0x8aadb830   0x001b0003   <- indicates EPROCESS (DISPATCH_HEADER); further checks are needed
     0x8aadb834   0x00000000
     0x8aadb838   0x8aadb838
     0x8aadb83C   0x8aadb838
     0x8aadb840   0x8aadb840
     0x8aadb844   0x8aadb840
     0x8aadb848   0x0b100020
     0x8aadb84C   0x0000b084
     0x8aadb850   0x00000000
     ...

  22. Finding Processes: Found an EPROCESS structure
     Kernel Address Space, EPROCESS at 0x8aadb830
       0x00   PCB
       0xC4   ObjectTable    -> HANDLE_TABLE
       0x11C  VadRoot        -> _MMVAD
       0x174  ImageFileName  "calc.exe"
       0x258  Cookie

  23. Parsing MMVAD
     EPROCESS                      _MMVAD (VadRoot)
       0x00   PCB                    Parent
       0xC4   ObjectTable            StartingVPN
       0x11C  VadRoot  ---------->   EndingVPN
       0x174  ImageFileName          LeftChild  -> _MMVAD (Parent, StartingVPN, EndingVPN, LeftChild, RightChild)
       0x258  Cookie                 RightChild -> _MMVAD (Parent, StartingVPN, EndingVPN, LeftChild, RightChild)

  24. Writing VADs to disk
     EPROCESS                      _MMVAD (VadRoot)
       0x00   PCB                    Parent
       0xC4   ObjectTable            StartingVPN
       0x11C  VadRoot  ---------->   EndingVPN
       0x174  ImageFileName          LeftChild  -> _MMVAD (Parent, StartingVPN, EndingVPN, LeftChild, RightChild)
       0x258  Cookie                 RightChild -> _MMVAD (Parent, StartingVPN, EndingVPN, LeftChild, RightChild)
     For each VAD write to disk: StartVPN to StartVPN+EndingVPN
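The slide 19-24 procedure as an added example, not the presenters' or Memoryze's code: scan a constructed buffer for the EPROCESS DISPATCH_HEADER signature, require the empty WaitListHead to point back at itself, then walk the VadRoot tree to the page ranges a dump would write. The kernel base, the flat virtual-to-physical mapping and the VAD node layout (fields in the slide's order) are assumptions; EndingVPN is treated as the last page number of the range, as Windows defines it.

```python
import struct

# Offsets quoted on slide 22 (32-bit Windows XP SP3); KERNEL_BASE and the VAD node layout are toy assumptions
OFF_VADROOT, OFF_IMAGENAME = 0x11C, 0x174
DISPATCH_PROCESS = 0x001B0003      # DISPATCH_HEADER dword: Type=3 (process), Size=0x1B dwords
KERNEL_BASE = 0x8AADB000           # assumed VA of byte 0 of the buffer (flat toy mapping)

def v2p(va):
    return va - KERNEL_BASE        # toy virtual->physical; a real tool walks the page tables

def find_eprocess(img):
    """Slides 19-21: match the signature, then require Flink == Blink == address of WaitListHead (+8)."""
    hits = []
    for off in range(0, len(img) - 0x10, 4):
        if struct.unpack_from("<I", img, off)[0] != DISPATCH_PROCESS:
            continue
        flink, blink = struct.unpack_from("<II", img, off + 8)
        if flink == blink == KERNEL_BASE + off + 8:
            hits.append(KERNEL_BASE + off)
    return hits

def walk_vads(img, vad_va):
    """Slides 23-24: in-order walk of the _MMVAD tree; toy node = Parent, StartingVPN, EndingVPN, LeftChild, RightChild."""
    if vad_va == 0:
        return []
    _parent, start_vpn, end_vpn, left, right = struct.unpack_from("<5I", img, v2p(vad_va))
    here = (start_vpn << 12, ((end_vpn + 1) << 12) - 1)   # VPN = 4 KiB virtual page number
    return walk_vads(img, left) + [here] + walk_vads(img, right)

def acquire(img):
    """Map each process found to the byte ranges a VAD dump would write to disk."""
    result = {}
    for ep in find_eprocess(img):
        base = v2p(ep)
        name = img[base + OFF_IMAGENAME:base + OFF_IMAGENAME + 16].split(b"\0")[0].decode()
        vadroot = struct.unpack_from("<I", img, base + OFF_VADROOT)[0]
        result[name] = walk_vads(img, vadroot)
    return result

def build_toy_image():
    """Constructed image: calc.exe EPROCESS at 0x8aadb830, a three-node VAD tree, and a decoy signature dword."""
    img, ep = bytearray(0x2000), 0x830
    struct.pack_into("<4I", img, ep, DISPATCH_PROCESS, 0, KERNEL_BASE + ep + 8, KERNEL_BASE + ep + 8)
    img[ep + OFF_IMAGENAME:ep + OFF_IMAGENAME + 8] = b"calc.exe"
    struct.pack_into("<I", img, ep + OFF_VADROOT, KERNEL_BASE + 0x1000)
    struct.pack_into("<5I", img, 0x1000, 0, 0x400, 0x40F, KERNEL_BASE + 0x1020, KERNEL_BASE + 0x1040)
    struct.pack_into("<5I", img, 0x1020, KERNEL_BASE + 0x1000, 0x10, 0x1F, 0, 0)
    struct.pack_into("<5I", img, 0x1040, KERNEL_BASE + 0x1000, 0x7FFD0, 0x7FFDF, 0, 0)
    struct.pack_into("<4I", img, 0x1800, DISPATCH_PROCESS, 0, 0, 0)   # decoy: links are not self-referential
    return bytes(img)
```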
