by

Volatility Plugin – Office Trust Records

No comments yet

Categories: Forensics, Volatility

As part of the 2014 Volatility Plugin Contest, I created a simple plugin that queries the registry for Office TrustRecords. This post contains details about this registry key. It’s basically used to record Office files that were opened from an untrusted location and manually “trusted” by the user by clicking a prompt to edit the document or enable content. Along with this record of opening the document, the data in the value is the time that the document was opened. This plugin locates the registry key for Word, Excel, Access, and PowerPoint and prints the list of files and their timestamps.

I don’t have a memory sample to provide, but here is some sample output of the plugin.

$ vol.py -f memory.vmem --profile=Win7SP1x86 trustrecords
Volatility Foundation Volatility Framework 2.4
Legend: (S) = Stable   (V) = Volatile

----------------------------
Registry: \??\C:\Users\voltest\ntuser.dat
Key path: Software\Microsoft\Office\14.0\Word\Security\Trusted Documents\TrustRecords
Key name: TrustRecords (S)
Last updated: 2014-09-09 03:37:16 UTC+0000

Values:
2014-09-09 03:34:44.081925	%USERPROFILE%/Desktop/Doc1.docm
2014-09-09 03:37:07.689334	%USERPROFILE%/Desktop/newDoc.docm

by

Volatility Plugin – SSDeep for malfind and apihooks

No comments yet

Categories: Uncategorized


For the 2014 Volatility Plugin contest, I put together a few plugins that all use ssdeep in some way.

Note: To get these plugins to work, you must install ssdeep and pydeep. Both are very standard installations.

ssdeepscan – locating similar memory pages

This plugin is like yarascan (the yarascan.py code was actually used as the starting point), but rather than yara rules, it uses the ssdeep hash of a memory page to scan for.

I was originally trying to use ssdeep (via pydeep) to attempt to find the source EXE or DLL that created the injected code found in malfind output or hooking code in apihooks. The idea was to be able to find injected code or hooks that Volatility might normally not be able to trace back to a specific DLL (lists the hooking module as <unknown>), and see what other EXE or DLL may have copied it into that memory allocation. This likely isn’t always going to work because the hook code won’t be copied directly from one memory location to another, and might be moved via multiple instructions or some other method.

However, it does appear to find some similar code sections. An example follows. I am using the memory image linked to in this post: http://malware.dontneedcoffee.com/2014/08/angler-ek-now-capable-of-fileless.html

A normal scan of malfind finds the following:

$ vol.py -f D5XLBY3J-bf977e52_lookIE_pid_860.vmss --profile=WinXPSP2x86 malfind  | grep Process
Volatility Foundation Volatility Framework 2.4
Process: csrss.exe Pid: 652 Address: 0x7f6f0000
Process: explorer.exe Pid: 1776 Address: 0x29d0000
Process: Fiddler.exe Pid: 4048 Address: 0x3c0000
Process: Fiddler.exe Pid: 4048 Address: 0x360000
Process: iexplore.exe Pid: 3224 Address: 0x1390000
Process: iexplore.exe Pid: 3224 Address: 0x1e40000
Process: iexplore.exe Pid: 3224 Address: 0x5fff0000
Process: iexplore.exe Pid: 860 Address: 0x6a50000
Process: iexplore.exe Pid: 860 Address: 0x1b00000
Process: iexplore.exe Pid: 860 Address: 0x2b70000
Process: iexplore.exe Pid: 860 Address: 0x6480000
Process: iexplore.exe Pid: 860 Address: 0x6440000
Process: iexplore.exe Pid: 860 Address: 0x6410000
Process: iexplore.exe Pid: 860 Address: 0x6400000
Process: iexplore.exe Pid: 860 Address: 0x6430000
Process: iexplore.exe Pid: 860 Address: 0x6420000
Process: iexplore.exe Pid: 860 Address: 0x6460000
Process: iexplore.exe Pid: 860 Address: 0x6450000
Process: iexplore.exe Pid: 860 Address: 0x6470000
Process: iexplore.exe Pid: 860 Address: 0x64b0000
Process: iexplore.exe Pid: 860 Address: 0x64a0000
Process: iexplore.exe Pid: 860 Address: 0x6490000
Process: iexplore.exe Pid: 860 Address: 0x64d0000
Process: iexplore.exe Pid: 860 Address: 0x64c0000
Process: iexplore.exe Pid: 860 Address: 0x64f0000
Process: iexplore.exe Pid: 860 Address: 0x64e0000
Process: iexplore.exe Pid: 860 Address: 0x6520000
Process: iexplore.exe Pid: 860 Address: 0x6500000
Process: iexplore.exe Pid: 860 Address: 0x6540000
Process: iexplore.exe Pid: 860 Address: 0x6560000
Process: iexplore.exe Pid: 860 Address: 0x6580000
Process: iexplore.exe Pid: 860 Address: 0x65a0000
Process: iexplore.exe Pid: 860 Address: 0x65c0000
Process: iexplore.exe Pid: 860 Address: 0x6a10000
Process: iexplore.exe Pid: 860 Address: 0x6a30000
Process: iexplore.exe Pid: 860 Address: 0x6ad0000
Process: iexplore.exe Pid: 860 Address: 0x6a90000
Process: iexplore.exe Pid: 860 Address: 0x6a70000
Process: iexplore.exe Pid: 860 Address: 0x6ab0000
Process: iexplore.exe Pid: 860 Address: 0x6b30000
Process: iexplore.exe Pid: 860 Address: 0x6b10000
Process: iexplore.exe Pid: 860 Address: 0x6af0000
Process: iexplore.exe Pid: 860 Address: 0x6b90000
Process: iexplore.exe Pid: 860 Address: 0x6b60000
Process: iexplore.exe Pid: 860 Address: 0x6bf0000
Process: iexplore.exe Pid: 860 Address: 0x6bc0000
Process: iexplore.exe Pid: 860 Address: 0x6c50000
Process: iexplore.exe Pid: 860 Address: 0x6c20000
Process: iexplore.exe Pid: 860 Address: 0x6c80000
Process: iexplore.exe Pid: 860 Address: 0x6cb0000
Process: iexplore.exe Pid: 860 Address: 0x6ce0000
Process: iexplore.exe Pid: 860 Address: 0x5fff0000

The details of one of these sections (virtual address 0x6c80000) in iexplore.exe (PID 860) is as follows:

Process: iexplore.exe Pid: 860 Address: 0x6c80000
Vad Tag: VadS Protection: PAGE_EXECUTE_READWRITE
Flags: CommitCharge: 40, MemCommit: 1, PrivateMemory: 1, Protection: 6

0x06c80000  e7 c4 a6 c1 9d 79 53 59 77 bc 21 52 74 79 de d1   .....ySYw.!Rty..
0x06c80010  5b 53 76 51 f1 b0 27 5c 9f 40 35 51 74 91 50 5a   [SvQ..'\.@5Qt.PZ
0x06c80020  77 54 33 35 73 39 53 e0 3a 0e 36 51 ff 69 d0 99   wT35s9S.:.6Q.i..
0x06c80030  73 32 0f 59 01 40 d8 11 4b d7 cf 11 06 48 68 93   s2.Y.@..K....Hh.

0x6c80000 e7c4             OUT 0xc4, EAX
0x6c80002 a6               CMPSB
0x6c80003 c19d79535977bc   RCR DWORD [EBP+0x77595379], 0xbc
0x6c8000a 215274           AND [EDX+0x74], EDX
0x6c8000d 79de             JNS 0x6c7ffed
0x6c8000f d15b53           RCR DWORD [EBX+0x53], 0x1
0x6c80012 7651             JBE 0x6c80065
0x6c80014 f1               INT1

If you dump the whole VAD section, you can see that this segment is XORed with a repeating 8-byte key, wT6QtySY, which explains why the disassembly looks abnormal. If we take this PID and virtual address and run ssdeepscan, we can find other locations this code exists besides what malfind found, specifically some instances in lsass.exe (100% ssdeep match). The plugin uses the -T option and takes a colon separated PID and BASE virtual offset. The plugin runs ssdeep on the 4096 byte page at the offset provided and scans all other pages to determine similarity. The output provides the ssdeep hash of the page, the ssdeep comparison score, the page offset, the VAD region that offset is in, and the corresponding Process information if available.

$ vol.py -f D5XLBY3J-bf977e52_lookIE_pid_860.vmss --profile=WinXPSP2x86 ssdeepscan -T 860:0x6c80000
Volatility Foundation Volatility Framework 2.4
ssdeep hash: 48:XLr0t2LGht7aCyI/nGwH7+nWWZEFRD+QI+KNj8GnKeg:BGh1ZnpSWHi80j8Gn3g
ssdeep score: 100
offset: 0x4b2000L
VAD region: 0x420000L-0x522fffL
Owner: Process lsass.exe Pid 732

ssdeep hash: 48:XLr0t2LGht7aCyI/nGwH7+nWWZEFRD+QI+KNj8GnKeg:BGh1ZnpSWHi80j8Gn3g
ssdeep score: 100
offset: 0xcb2000L
VAD region: 0xcb0000L-0xceffffL
Owner: Process lsass.exe Pid 732

ssdeep hash: 48:XLr0t2LGht7aCyI/nGwH7+nWWZEFRD+QI+KNj8GnKeg:BGh1ZnpSWHi80j8Gn3g
ssdeep score: 100
offset: 0x5b8b4000L
VAD region: 0x5b860000L-0x5b8b4fffL
Owner: Process lsass.exe Pid 732

ssdeep hash: 48:XLr0t2LGht7aCyI/nGwH7+nWWZEFRD+QI+KNj8GnKeg:BGh1ZnpSWHi80j8Gn3g
ssdeep score: 100
offset: 0x5d0b2000L
VAD region: 0x5d090000L-0x5d129fffL
Owner: Process lsass.exe Pid 732

ssdeep hash: 96:8sJkHbXrUY6Ng00o029c/pIdHDGh1ZnpSWHi80jz:rIrn6r022pIdHDYnpSS0n
ssdeep score: 46
offset: 0x2342000L
VAD region: 0x12e0000L-0x32dffffL
Owner: Process Fiddler.exe Pid 4048

ssdeep hash: 48:2GhcoEikcq0lIuHqB7wkEHSSMQAko2kj2/ENENJMiB4H1w0DbKdsM6ItLr0t2LGI:2Gzjq+HqBc1VOx9jVyN+DH1wndHDGhO
ssdeep score: 19
offset: 0x2362000L
VAD region: 0x12e0000L-0x32dffffL
Owner: Process Fiddler.exe Pid 4048

ssdeep hash: 48:U7aCyI/nGwH7+nWWZEFRD+QI+KNj8GnKeL:KZnpSWHi80j8Gn3L
ssdeep score: 85
offset: 0x2363000L
VAD region: 0x12e0000L-0x32dffffL
Owner: Process Fiddler.exe Pid 4048

ssdeep hash: 48:2Lr0t2LGht7aCyI/nGwH7+nWWZEFRD+QI+KNj8GnKet:eGh1ZnpSWHi80j8Gn3t
ssdeep score: 97
offset: 0x23a3000L
VAD region: 0x12e0000L-0x32dffffL
Owner: Process Fiddler.exe Pid 4048

ssdeep hash: 48:XLr0t2LGht7aCyI/nGwH7+nWWZEFRD+QI+KNj8GnKeg:BGh1ZnpSWHi80j8Gn3g
ssdeep score: 100
offset: 0x6a50000L
VAD region: 0x6a50000L-0x6a69fffL
Owner: Process iexplore.exe Pid 860

ssdeep hash: 48:XLr0t2LGht7aCyI/nGwH7+nWWZEFRD+QI+KNj8GnKeg:BGh1ZnpSWHi80j8Gn3g
ssdeep score: 100
offset: 0x6480000L
VAD region: 0x6480000L-0x6488fffL
Owner: Process iexplore.exe Pid 860

ssdeep hash: 48:XLr0t2LGht7aCyI/nGwH7+nWWZEFRD+QI+KNj8GnKeg:BGh1ZnpSWHi80j8Gn3g
ssdeep score: 100
offset: 0x6440000L
VAD region: 0x6440000L-0x6444fffL
Owner: Process iexplore.exe Pid 860

ssdeep hash: 48:XLr0t2LGht7aCyI/nGwH7+nWWZEFRD+QI+KNj8GnKeg:BGh1ZnpSWHi80j8Gn3g
ssdeep score: 100
offset: 0x6410000L
VAD region: 0x6410000L-0x6411fffL
Owner: Process iexplore.exe Pid 860

ssdeep hash: 48:XLr0t2LGht7aCyI/nGwH7+nWWZEFRD+QI+KNj8GnKeg:BGh1ZnpSWHi80j8Gn3g
ssdeep score: 100
offset: 0x6430000L
VAD region: 0x6430000L-0x6433fffL
Owner: Process iexplore.exe Pid 860

ssdeep hash: 48:XLr0t2LGht7aCyI/nGwH7+nWWZEFRD+QI+KNj8GnKeg:BGh1ZnpSWHi80j8Gn3g
ssdeep score: 100
offset: 0x6420000L
VAD region: 0x6420000L-0x6422fffL
Owner: Process iexplore.exe Pid 860

ssdeep hash: 48:XLr0t2LGht7aCyI/nGwH7+nWWZEFRD+QI+KNj8GnKeg:BGh1ZnpSWHi80j8Gn3g
ssdeep score: 100
offset: 0x6460000L
VAD region: 0x6460000L-0x6466fffL
Owner: Process iexplore.exe Pid 860

ssdeep hash: 48:XLr0t2LGht7aCyI/nGwH7+nWWZEFRD+QI+KNj8GnKeg:BGh1ZnpSWHi80j8Gn3g
ssdeep score: 100
offset: 0x6450000L
VAD region: 0x6450000L-0x6455fffL
Owner: Process iexplore.exe Pid 860

ssdeep hash: 48:XLr0t2LGht7aCyI/nGwH7+nWWZEFRD+QI+KNj8GnKeg:BGh1ZnpSWHi80j8Gn3g
ssdeep score: 100
offset: 0x6470000L
VAD region: 0x6470000L-0x6477fffL
Owner: Process iexplore.exe Pid 860

ssdeep hash: 48:XLr0t2LGht7aCyI/nGwH7+nWWZEFRD+QI+KNj8GnKeg:BGh1ZnpSWHi80j8Gn3g
ssdeep score: 100
offset: 0x64b0000L
VAD region: 0x64b0000L-0x64bbfffL
Owner: Process iexplore.exe Pid 860

ssdeep hash: 48:XLr0t2LGht7aCyI/nGwH7+nWWZEFRD+QI+KNj8GnKeg:BGh1ZnpSWHi80j8Gn3g
ssdeep score: 100
offset: 0x64a0000L
VAD region: 0x64a0000L-0x64aafffL
Owner: Process iexplore.exe Pid 860

ssdeep hash: 48:XLr0t2LGht7aCyI/nGwH7+nWWZEFRD+QI+KNj8GnKeg:BGh1ZnpSWHi80j8Gn3g
ssdeep score: 100
offset: 0x6490000L
VAD region: 0x6490000L-0x6499fffL
Owner: Process iexplore.exe Pid 860

ssdeep hash: 48:XLr0t2LGht7aCyI/nGwH7+nWWZEFRD+QI+KNj8GnKeg:BGh1ZnpSWHi80j8Gn3g
ssdeep score: 100
offset: 0x64d0000L
VAD region: 0x64d0000L-0x64ddfffL
Owner: Process iexplore.exe Pid 860

ssdeep hash: 48:XLr0t2LGht7aCyI/nGwH7+nWWZEFRD+QI+KNj8GnKeg:BGh1ZnpSWHi80j8Gn3g
ssdeep score: 100
offset: 0x64c0000L
VAD region: 0x64c0000L-0x64ccfffL
Owner: Process iexplore.exe Pid 860

ssdeep hash: 48:XLr0t2LGht7aCyI/nGwH7+nWWZEFRD+QI+KNj8GnKeg:BGh1ZnpSWHi80j8Gn3g
ssdeep score: 100
offset: 0x64f0000L
VAD region: 0x64f0000L-0x64fffffL
Owner: Process iexplore.exe Pid 860

ssdeep hash: 48:XLr0t2LGht7aCyI/nGwH7+nWWZEFRD+QI+KNj8GnKeg:BGh1ZnpSWHi80j8Gn3g
ssdeep score: 100
offset: 0x64e0000L
VAD region: 0x64e0000L-0x64eefffL
Owner: Process iexplore.exe Pid 860

ssdeep hash: 48:XLr0t2LGht7aCyI/nGwH7+nWWZEFRD+QI+KNj8GnKeg:BGh1ZnpSWHi80j8Gn3g
ssdeep score: 100
offset: 0x6520000L
VAD region: 0x6520000L-0x6531fffL
Owner: Process iexplore.exe Pid 860

ssdeep hash: 48:XLr0t2LGht7aCyI/nGwH7+nWWZEFRD+QI+KNj8GnKeg:BGh1ZnpSWHi80j8Gn3g
ssdeep score: 100
offset: 0x6500000L
VAD region: 0x6500000L-0x6510fffL
Owner: Process iexplore.exe Pid 860

ssdeep hash: 48:XLr0t2LGht7aCyI/nGwH7+nWWZEFRD+QI+KNj8GnKeg:BGh1ZnpSWHi80j8Gn3g
ssdeep score: 100
offset: 0x6540000L
VAD region: 0x6540000L-0x6552fffL
Owner: Process iexplore.exe Pid 860

ssdeep hash: 48:XLr0t2LGht7aCyI/nGwH7+nWWZEFRD+QI+KNj8GnKeg:BGh1ZnpSWHi80j8Gn3g
ssdeep score: 100
offset: 0x6560000L
VAD region: 0x6560000L-0x6573fffL
Owner: Process iexplore.exe Pid 860

ssdeep hash: 48:XLr0t2LGht7aCyI/nGwH7+nWWZEFRD+QI+KNj8GnKeg:BGh1ZnpSWHi80j8Gn3g
ssdeep score: 100
offset: 0x6580000L
VAD region: 0x6580000L-0x6594fffL
Owner: Process iexplore.exe Pid 860

ssdeep hash: 48:XLr0t2LGht7aCyI/nGwH7+nWWZEFRD+QI+KNj8GnKeg:BGh1ZnpSWHi80j8Gn3g
ssdeep score: 100
offset: 0x65a0000L
VAD region: 0x65a0000L-0x65b5fffL
Owner: Process iexplore.exe Pid 860

ssdeep hash: 48:XLr0t2LGht7aCyI/nGwH7+nWWZEFRD+QI+KNj8GnKeg:BGh1ZnpSWHi80j8Gn3g
ssdeep score: 100
offset: 0x65c0000L
VAD region: 0x65c0000L-0x65d6fffL
Owner: Process iexplore.exe Pid 860

ssdeep hash: 48:XLr0t2LGht7aCyI/nGwH7+nWWZEFRD+QI+KNj8GnKeg:BGh1ZnpSWHi80j8Gn3g
ssdeep score: 100
offset: 0x6a10000L
VAD region: 0x6a10000L-0x6a27fffL
Owner: Process iexplore.exe Pid 860

ssdeep hash: 48:XLr0t2LGht7aCyI/nGwH7+nWWZEFRD+QI+KNj8GnKeg:BGh1ZnpSWHi80j8Gn3g
ssdeep score: 100
offset: 0x6a30000L
VAD region: 0x6a30000L-0x6a48fffL
Owner: Process iexplore.exe Pid 860

ssdeep hash: 48:XLr0t2LGht7aCyI/nGwH7+nWWZEFRD+QI+KNj8GnKeg:BGh1ZnpSWHi80j8Gn3g
ssdeep score: 100
offset: 0x6ad0000L
VAD region: 0x6ad0000L-0x6aedfffL
Owner: Process iexplore.exe Pid 860

ssdeep hash: 48:XLr0t2LGht7aCyI/nGwH7+nWWZEFRD+QI+KNj8GnKeg:BGh1ZnpSWHi80j8Gn3g
ssdeep score: 100
offset: 0x6a90000L
VAD region: 0x6a90000L-0x6aabfffL
Owner: Process iexplore.exe Pid 860

ssdeep hash: 48:XLr0t2LGht7aCyI/nGwH7+nWWZEFRD+QI+KNj8GnKeg:BGh1ZnpSWHi80j8Gn3g
ssdeep score: 100
offset: 0x6a70000L
VAD region: 0x6a70000L-0x6a8afffL
Owner: Process iexplore.exe Pid 860

ssdeep hash: 48:XLr0t2LGht7aCyI/nGwH7+nWWZEFRD+QI+KNj8GnKeg:BGh1ZnpSWHi80j8Gn3g
ssdeep score: 100
offset: 0x6ab0000L
VAD region: 0x6ab0000L-0x6accfffL
Owner: Process iexplore.exe Pid 860

ssdeep hash: 48:XLr0t2LGht7aCyI/nGwH7+nWWZEFRD+QI+KNj8GnKeg:BGh1ZnpSWHi80j8Gn3g
ssdeep score: 100
offset: 0x6b30000L
VAD region: 0x6b30000L-0x6b50fffL
Owner: Process iexplore.exe Pid 860

ssdeep hash: 48:XLr0t2LGht7aCyI/nGwH7+nWWZEFRD+QI+KNj8GnKeg:BGh1ZnpSWHi80j8Gn3g
ssdeep score: 100
offset: 0x6b10000L
VAD region: 0x6b10000L-0x6b2ffffL
Owner: Process iexplore.exe Pid 860

ssdeep hash: 48:XLr0t2LGht7aCyI/nGwH7+nWWZEFRD+QI+KNj8GnKeg:BGh1ZnpSWHi80j8Gn3g
ssdeep score: 100
offset: 0x6af0000L
VAD region: 0x6af0000L-0x6b0efffL
Owner: Process iexplore.exe Pid 860

ssdeep hash: 48:XLr0t2LGht7aCyI/nGwH7+nWWZEFRD+QI+KNj8GnKeg:BGh1ZnpSWHi80j8Gn3g
ssdeep score: 100
offset: 0x6b90000L
VAD region: 0x6b90000L-0x6bb2fffL
Owner: Process iexplore.exe Pid 860

ssdeep hash: 48:XLr0t2LGht7aCyI/nGwH7+nWWZEFRD+QI+KNj8GnKeg:BGh1ZnpSWHi80j8Gn3g
ssdeep score: 100
offset: 0x6b60000L
VAD region: 0x6b60000L-0x6b81fffL
Owner: Process iexplore.exe Pid 860

ssdeep hash: 48:XLr0t2LGht7aCyI/nGwH7+nWWZEFRD+QI+KNj8GnKeg:BGh1ZnpSWHi80j8Gn3g
ssdeep score: 100
offset: 0x6bf0000L
VAD region: 0x6bf0000L-0x6c14fffL
Owner: Process iexplore.exe Pid 860

ssdeep hash: 48:XLr0t2LGht7aCyI/nGwH7+nWWZEFRD+QI+KNj8GnKeg:BGh1ZnpSWHi80j8Gn3g
ssdeep score: 100
offset: 0x6bc0000L
VAD region: 0x6bc0000L-0x6be3fffL
Owner: Process iexplore.exe Pid 860

ssdeep hash: 48:XLr0t2LGht7aCyI/nGwH7+nWWZEFRD+QI+KNj8GnKeg:BGh1ZnpSWHi80j8Gn3g
ssdeep score: 100
offset: 0x6c50000L
VAD region: 0x6c50000L-0x6c76fffL
Owner: Process iexplore.exe Pid 860

ssdeep hash: 48:XLr0t2LGht7aCyI/nGwH7+nWWZEFRD+QI+KNj8GnKeg:BGh1ZnpSWHi80j8Gn3g
ssdeep score: 100
offset: 0x6c20000L
VAD region: 0x6c20000L-0x6c45fffL
Owner: Process iexplore.exe Pid 860

ssdeep hash: 48:XLr0t2LGht7aCyI/nGwH7+nWWZEFRD+QI+KNj8GnKeg:BGh1ZnpSWHi80j8Gn3g
ssdeep score: 100
offset: 0x6c80000L
VAD region: 0x6c80000L-0x6ca7fffL
Owner: Process iexplore.exe Pid 860

The ssdeep score was 100, but to verify, we can use volshell to disassemble one of the sections found in lsass.exe and see that it matches the code injected in iexplore.exe.

$ vol.py -f D5XLBY3J-bf977e52_lookIE_pid_860.vmss --profile=WinXPSP2x86 volshell
Volatility Foundation Volatility Framework 2.4
Current context: System @ 0x825c69c8, pid=4, ppid=0 DTB=0x2a20020
Welcome to volshell! Current memory image is:
file:///Users/dave/D5XLBY3J-bf977e52_lookIE_pid_860.vmss
To get help, type 'hh()'
>>> cc(pid=732)
Current context: lsass.exe @ 0x824d7bc0, pid=732, ppid=676 DTB=0x2a200c0
>>> db(0x4b2000L)
0x004b2000  e7 c4 a6 c1 9d 79 53 59 77 bc 21 52 74 79 de d1   .....ySYw.!Rty..
0x004b2010  5b 53 76 51 f1 b0 27 5c 9f 40 35 51 74 91 50 5a   [SvQ..'\.@5Qt.PZ
0x004b2020  77 54 33 35 73 39 53 e0 3a 0e 36 51 ff 69 d0 99   wT35s9S.:.6Q.i..
0x004b2030  73 32 0f 59 01 40 d8 11 4b d7 cf 11 06 48 68 93   s2.Y.@..K....Hh.
0x004b2040  00 79 b7 6d 75 29 16 59 77 21 12 07 ca 79 73 59   .y.mu).Yw!...ysY
0x004b2050  77 32 b3 25 75 6f 0d 2d 67 93 72 50 14 3c 25 61   w2.%uo.-g.rP.<%a
0x004b2060  65 dd 72 50 10 f0 07 58 1f 04 de 2f 76 79 53 6a   e.rP...X.../vySj
0x004b2070  b7 97 63 da 98 28 05 0e 9f fc 34 51 74 f2 a3 d8   ..c..(....4Qt...
>>> dis(0x4b2000L)
0x4b2000 e7c4                             OUT 0xc4, EAX
0x4b2002 a6                               CMPSB
0x4b2003 c19d79535977bc                   RCR DWORD [EBP+0x77595379], 0xbc
0x4b200a 215274                           AND [EDX+0x74], EDX
0x4b200d 79de                             JNS 0x4b1fed
0x4b200f d15b53                           RCR DWORD [EBX+0x53], 0x1
0x4b2012 7651                             JBE 0x4b2065
0x4b2014 f1                               INT1

Back to top

malfinddeep and apihooksdeep – whitelisting injected and hooking code with ssdeep

I wasn’t getting the exact results I hoped for with ssdeepscan, but I realized using ssdeep on pages like this could provide an additional method of whitelisting in malfind and apihooks. I’ve come across several security tools such as AV, DLP, EMET, etc., that have sections of code that are found with malfind and apihooks. Sometimes these are in sections mapped to DLLs and the plugin output provides that information. Other times, they are memory allocated without any reference to a file. In the former case, apihooks provides a whitelisting method to omit those hooks; however, this is more difficult when Volatility can’t identify the corresponding file.

The plugins malfinddeep and apihooksdeep extend the malfind and apihooks classes. They both work in similar ways and add a global whitelist_ssdeep list of tuples in the format (name, ssdeep_hash). For example:

whitelist_ssdeep = [
    ('Sample', '96:gd5l0eLAUpzGA73fBSu5yg7407l4WpE2eSHhhixk0EU0A:opLdpzL34u5dvZrp9/hwCA'),
    ('Badstuff', '48:XLr0t2LGht7aCyI/nGwH7+nWWZEFRD+QI+KNj8GnKeg:BGh1ZnpSWHi80j8Gn3g'),
]

Then, for any injected code or hooks, each 4096 byte page is hashed with ssdeep and compared to the hashes in that whitelist. If they are greater than the specified threshold (-T option, with a default of 25), a message is displayed indicating they matched, rather than printing the normal output. After writing the plugin, I was able to whitelist some malfind and apihooks output I typically see at work. I don’t have a memory sample I can provide for that, but I can show how it works using the same memory sample above.

Running apihooks on PID 860 in the sample finds several hooks in AcLayers.DLL:

************************************************************************
Hook mode: Usermode
Hook type: Import Address Table (IAT)
Process: 860 (iexplore.exe)
Victim module: iexplore.exe (0x400000 - 0x49c000)
Function: kernel32.dll!LoadLibraryExW
Hook address: 0x715ba16b
Hooking module: AcLayers.DLL

Disassembly(0):
0x715ba16b b8d52a5e71       MOV EAX, 0x715e2ad5
0x715ba170 e88b360100       CALL 0x715cd800
0x715ba175 83ec14           SUB ESP, 0x14
0x715ba178 53               PUSH EBX
0x715ba179 56               PUSH ESI
0x715ba17a 57               PUSH EDI
0x715ba17b 8965f0           MOV [EBP-0x10], ESP
0x715ba17e ff7508           PUSH DWORD [EBP+0x8]
0x715ba181 33db             XOR EBX, EBX

Again, this could be bypassed by updating the existing whitelists in apihooks:

whitelist_rules = {
    HOOK_MODE_USER | HOOKTYPE_IAT : [
    # Ignore hooks that point inside AcLayers.DLL
    (".*", ".*", "AcLayers\.DLL", ".*"),
    ]
}

But if this was a hook where “Hooking module” was , that would not work. First we want to find the memory section of the legitimate hooking code then dump it. In this case we can use dlllist and dlldump or vaddump. If the hooking code wasn’t in a loaded DLL, we could use vadinfo and vaddump instead.

$ vol.py -f D5XLBY3J-bf977e52_lookIE_pid_860.vmss --profile=WinXPSP2x86 dlllist -p 860 | grep AcLayers.DLL
Volatility Foundation Volatility Framework 2.4
0x71590000    0x79000        0x1 C:\WINDOWS\AppPatch\AcLayers.DLL

$ vol.py -f D5XLBY3J-bf977e52_lookIE_pid_860.vmss --profile=WinXPSP2x86 vaddump -p 860 -b 0x71590000 -D dumps
Volatility Foundation Volatility Framework 2.4
Pid        Process              Start      End        Result
---------- -------------------- ---------- ---------- ------
       860 iexplore.exe         0x71590000 0x71608fff dumps/iexplore.exe.24296b8.0x71590000-0x71608fff.dmp

Then, using another tool called hash_by_page.py in my DFIR repo on github, we can generate the tuples for the whitelist. This script divides the file specified with -f into 4096 byte chunks, runs ssdeep on those chunks, and puts the hash in a tuple, along with a name provided by the -n option. This name will be displayed in the malfinddeep/apihooksdeep output.

$ python hash_by_page.py -n AcLayers.DLL -f dumps/iexplore.exe.24296b8.0x71590000-0x71608fff.dmp
('AcLayers.DLL', '6:idqLvVg3F+X32xbQ7esfGkxNPWgwh9lorlcIfMfEtj/lkwSM0E/mh6l+tgdwL:eqGSGfP0FWgO9arlcIrUpEec1w'),
('AcLayers.DLL', '96:1SxccXfBWrvZnxbZ3IX26dZC6FsEzSVr6y616GpIHoib8u:uvBWrpxbxGpWEcr3UTpIHPb8u'),
('AcLayers.DLL', '96:ID+ySxDl27kgOXMCAsN6GTMPu2lXOvRdGrOlPieZBpJH0:4SxDsYgQMCA5GTMPueXOJMrk1ZBpJU'),
('AcLayers.DLL', '96:K/1yppIrSQ/bYI1iLK8bWvuUh+ftrim+DH1HPLNgkJXHQc9vNMbMe8q7c9dCTwTw:KjXUAH16GJSx37'),
('AcLayers.DLL', '96:g41MCF7LwINCITDtl8MDM86LwBlsSQPBGHIdT944p4kUvXf:91M67LwINCITDtl8MDM86KlnOGod2RkS'),
('AcLayers.DLL', '96:0snevYPT4Nyj5Elewqci2RT+6aIOkBUXWcD4QdTHro63:0sevYPT4Nyj5fwn3G4QtHro63'),
('AcLayers.DLL', '48:yniBikPm+U4NTDfLTTLTDfLTTvy4YTqTssssjJJeoMOVuAhl6MyT0yu5D8f2kmfc:Lokfdf33Pf3u9cLMOUAukB8ftm30Co'),
('AcLayers.DLL', '96:qgaH5Dq2alZ8jDm278F71xg0wwT7zaDIrgmlTFH4QzLLdgI:qzHolZ8h8x8wT7WDh8TFLLL2I'),
('AcLayers.DLL', '96:KNtR6s1VGPy29Y/I4pbt7zUTB0CntgN5r/ZsAZXggdtn:e6sDGK2l4DzGB0CntgN5r/ZlZQgdN'),
('AcLayers.DLL', '48:fse/+seS+se6xseCxse0LseOW+seZpBseKmselseWse6Fseqse9EbseMWse0seKB:rA8xsZamCD0VqW59aq'),
('AcLayers.DLL', '96:0DvxU+tt5rgdVwAasvDC/H7y1WeeIa6r6Uf3yM1s:0DJUWUdGAfvDC/OgtUf3i'),
('AcLayers.DLL', '96:y1IEXIt5xLE8QZ9GaYMSKczpG1HHfPCagBKZgB8y:yq/LEvZ9GYSoF/PCaihB'),
('AcLayers.DLL', '96:Jd9NR1/1+NjtjPlYqF5PnFWG5QMlrIWoKUQqAxvx0O/BuuW:L95UN9NcMaB3UxZ0O5M'),
('AcLayers.DLL', '96:1G/2YVUCkSupJpNrlehf0p7oxqy5rNPncvYWc1sLN:EuYVnkSVhf0WxkSuLN'),
('AcLayers.DLL', '96:Q43XaN81Gs9fnQVsRT17YZFQ5hRXIbX2lTPF8qndlo:z3XaRsyV4T17SoPwGdFJd6'),
('AcLayers.DLL', '96:uQY0MrX4CyhiFUTJ3ZJYCDdQK4/gS+1inYe:u6w4CmJ37JQK4/gM'),
('AcLayers.DLL', '96:CSBgao7Is+9/DphKW0ABzOhmalA7taImewD1kveeC5:CIDZsahAOdB8IZs1kW15'),
('AcLayers.DLL', '48:gtfltRXnwp+mYyapar6NkK/z4UJpRSrCwig6zQLb6B7AALhhgxsSGgPYm:gftRXAYyapar/AzZ+KgU8WAxW5gPB'),
('AcLayers.DLL', '96:G+s4rSTMefQ1JWAq8o07uWSyqxZR5uZphKxTrUkUKDrYyK:Ns4OTM5JWh8o0HPSRwYKp'),
('AcLayers.DLL', '48:/hdkmQB0i10gGCJpGBgn1JLe6MMptduN/YocxUp2bmo+YfI+4VhxSgq8JFQKH0Xv:5kGCJpGWn1RINnomo+n+4Vz3q8z9Emdm'),
('AcLayers.DLL', '96:vBq5n08qWaAb+EVsN2XLdPdjaJCr+bYa1eiPJfZdiUzIU+ss:JqWFWas+osSLiNzditLx'),
('AcLayers.DLL', '96:WeTUeJz8a7Owm7iMdof0l9FXsvRL96vIbSQ/9fO4PfK8+T7j9:W8bJ1UA0l9psAOpOj9'),
('AcLayers.DLL', '96:BQ25ushGnba6wsV32bpnNPH0TJpG4B6b7NSqeyu78:n5ur26wsx29nNPHaoix78'),
('AcLayers.DLL', '96:DLDDMZdmyzLdfC8cGbqKQ63Cq+CmGWg3CLtYL:fD6dr9vcGbQ6SqpmVg62L'),
('AcLayers.DLL', '96:idZmWh2nukfdyhpmdVugsnaUcpVcQNLHr:izh21yhpq9snCp'),
('AcLayers.DLL', '96:LyKQfK4tV+8MRXyGhmDoSv09Quk44z6bvnx8t:MK4cBQJvGk44zEy'),
('AcLayers.DLL', '96:1V5WH7bMW2KhT1Ob1FArroI71D16kTq8tI8shiNd5qUyA+sdfLtx/:QH3MWDhT1zrroI71D16Eqokib5PLx/'),
('AcLayers.DLL', '96:qzUecvCbE4KkzNCAorOc32+2YZ6fU49dQBh:qUqbDhCf32+206Mg4h'),
('AcLayers.DLL', '96:C7WoLuHqNUUl/KRSyJwOJ//374JRVRInR+J:C7WIuHqNB/KRSyOO8JTRi+J'),
('AcLayers.DLL', '48:18MRm+jh8z0sunwhic714ou+Lws1pog+vwbl2tlq13FPbXFqsWeCCfGsajQ:18ymMhXHn+zKojg4liAhbXF/PFvajQ'),
('AcLayers.DLL', '48:t8br6SIYQM0870if5Uuovhgc77aRCeBjl4pPUqspNkIbPAIzh1S5kin9pdVk3r:6brRIY68Ys5zad77aNCpFyPzmt9nVk3r'),
('AcLayers.DLL', '96:YW4S4rMFXQR5Cz0pysaE6xWYBQRAJlXPF2VA6HYkZxM:aS4rQXQLCsysa4YB1XPFEAVkxM'),
('AcLayers.DLL', '48:/Jj2AcRdSEpeSjqBalu/qNnS4tbtpvE9hlUDl0GgVmuTvzs6x99XI:/JjVaaq44NvmhOuGgVZD/LNI'),
('AcLayers.DLL', '48:vHPWGNiSnsLQyiG8aKGvtWr8mkB8+OY6ERp0GC5lq70/7ODmV37ZM:vH/NiRRUafRmunOY6ERp0GDs7/M'),
('AcLayers.DLL', '96:nBDgbLmIzimcsTCXz/IFhNIZGdEotTnKEuLM/ue/3yb4lnmC:BDBeimmXzMcZG2QbkMGePyb2mC'),
('AcLayers.DLL', '48:rNClJZZiuC4PRdXFzYm3ckyiD5sSGCqyBl:sIu9PRdRx3ckXDh1jBl'),
('AcLayers.DLL', '96:g0/kTSJLa3aFAWxXmBWFuQv3npPOQ2+veWFfzPJVLG7wJ1HNt:j/RgiFxA/o33vxr6oNNt'),
('AcLayers.DLL', '48:sNdhkcX9budG696E6+esCzOpmnj2rbuH4kOF42hXXcdmBPItT+NklvZ:G7kGrnjSbK5qhnc0BgtyN'),
('AcLayers.DLL', '96:eFUhoSkb/fYKshki3uzOCZY5sHfrJKR7M:eaIb/fy33jCZY52DAR'),
('AcLayers.DLL', '3:eQtvM4y/kx7lql2C7s1OGJt:eQt04RnqlDgYGJ'),
('AcLayers.DLL', '12:AkbFKMXEbIC0iF58OOJzuJOwuOzOchuwOwucRzOwuwOzXurOPzOSEkY:kzICrP8Ztp'),
('AcLayers.DLL', '12:26LO5SfXMvmNKzuDsm2KV52LpSPWGVYag:26uSkeKyjL21SRYf'),
('AcLayers.DLL', '96:Nlx0j/gmLGdPqCLSUkBytiDwqNBKAZiHn:Nlx0j/DL+'),

Next, add this into the whitelist_ssdeep variable in apihooksdeep.py shown above. Now when running the plugin, these hooks will not be fully displayed:

$ vol.py -f D5XLBY3J-bf977e52_lookIE_pid_860.vmss --profile=WinXPSP2x86 apihooksdeep -p 860
Volatility Foundation Volatility Framework 2.4
Process: 860 (iexplore.exe)
Hook at 0x715b9e59 in page 0x715b9000 is 100% similar to whitelist hook AcLayers.DLL

Process: 860 (iexplore.exe)
Hook at 0x715ba067 in page 0x715ba000 is 100% similar to whitelist hook AcLayers.DLL

Process: 860 (iexplore.exe)
Hook at 0x715ba16b in page 0x715ba000 is 100% similar to whitelist hook AcLayers.DLL

************************************************************************
Hook mode: Usermode
Hook type: Inline/Trampoline
Process: 860 (iexplore.exe)
Victim module: ntdll.dll (0x7c900000 - 0x7c9b2000)
Function: ntdll.dll!NtTerminateProcess at 0x7c90de6e
Hook address: 0x6cebb88
Hooking module: 

Disassembly(0):
0x7c90de6e e915dd3d8a       JMP 0x6cebb88
0x7c90de73 ba0003fe7f       MOV EDX, 0x7ffe0300
0x7c90de78 ff12             CALL DWORD [EDX]
0x7c90de7a c20800           RET 0x8
0x7c90de7d 90               NOP
0x7c90de7e b802010000       MOV EAX, 0x102
0x7c90de83 ba               DB 0xba
0x7c90de84 0003             ADD [EBX], AL

Disassembly(1):
0x6cebb88 55               PUSH EBP
0x6cebb89 8bec             MOV EBP, ESP
0x6cebb8b 837d08ff         CMP DWORD [EBP+0x8], -0x1
0x6cebb8f 751c             JNZ 0x6cebbad
0x6cebb91 817d0c050000c0   CMP DWORD [EBP+0xc], 0xc0000005
0x6cebb98 7413             JZ 0x6cebbad
0x6cebb9a 81               DB 0x81
0x6cebb9b 7d0c             JGE 0x6cebba9
0x6cebb9d 06               PUSH ES
0x6cebb9e 0000             ADD [EAX], AL

************************************************************************
Hook mode: Usermode
Hook type: Inline/Trampoline
Process: 860 (iexplore.exe)
Victim module: ntdll.dll (0x7c900000 - 0x7c9b2000)
Function: ntdll.dll!ZwTerminateProcess at 0x7c90de6e
Hook address: 0x6cebb88
Hooking module: 

Disassembly(0):
0x7c90de6e e915dd3d8a       JMP 0x6cebb88
0x7c90de73 ba0003fe7f       MOV EDX, 0x7ffe0300
0x7c90de78 ff12             CALL DWORD [EDX]
0x7c90de7a c20800           RET 0x8
0x7c90de7d 90               NOP
0x7c90de7e b802010000       MOV EAX, 0x102
0x7c90de83 ba               DB 0xba
0x7c90de84 0003             ADD [EBX], AL

Disassembly(1):
0x6cebb88 55               PUSH EBP
0x6cebb89 8bec             MOV EBP, ESP
0x6cebb8b 837d08ff         CMP DWORD [EBP+0x8], -0x1
0x6cebb8f 751c             JNZ 0x6cebbad
0x6cebb91 817d0c050000c0   CMP DWORD [EBP+0xc], 0xc0000005
0x6cebb98 7413             JZ 0x6cebbad
0x6cebb9a 81               DB 0x81
0x6cebb9b 7d0c             JGE 0x6cebba9
0x6cebb9d 06               PUSH ES
0x6cebb9e 0000             ADD [EAX], AL

************************************************************************
Hook mode: Usermode
Hook type: Inline/Trampoline
Process: 860 (iexplore.exe)
Victim module: kernel32.dll (0x7c800000 - 0x7c8f6000)
Function: kernel32.dll!ExitProcess at 0x7c81d20a
Hook address: 0x6cebb78
Hooking module: 

Disassembly(0):
0x7c81d20a e969e94c8a       JMP 0x6cebb78
0x7c81d20f 6aff             PUSH -0x1
0x7c81d211 68b0f3e877       PUSH DWORD 0x77e8f3b0
0x7c81d216 ff7508           PUSH DWORD [EBP+0x8]
0x7c81d219 e846ffffff       CALL 0x7c81d164
0x7c81d21e e9               DB 0xe9
0x7c81d21f 7ac8             JP 0x7c81d1e9
0x7c81d221 01               DB 0x1

Disassembly(1):
0x6cebb78 e8dd060000       CALL 0x6cec25a
0x6cebb7d 68010000c0       PUSH DWORD 0xc0000001
0x6cebb82 e8b8b7ffff       CALL 0x6ce733f
0x6cebb87 cc               INT 3
0x6cebb88 55               PUSH EBP
0x6cebb89 8bec             MOV EBP, ESP
0x6cebb8b 837d08ff         CMP DWORD [EBP+0x8], -0x1
0x6cebb8f 75               DB 0x75

Process: 860 (iexplore.exe)
Hook at 0x715ba16b in page 0x715ba000 is 100% similar to whitelist hook AcLayers.DLL

Process: 860 (iexplore.exe)
Hook at 0x715ba067 in page 0x715ba000 is 100% similar to whitelist hook AcLayers.DLL

Process: 860 (iexplore.exe)
Hook at 0x715b9e59 in page 0x715b9000 is 100% similar to whitelist hook AcLayers.DLL

Process: 860 (iexplore.exe)
Hook at 0x715b9e59 in page 0x715b9000 is 100% similar to whitelist hook AcLayers.DLL

Process: 860 (iexplore.exe)
Hook at 0x715ba067 in page 0x715ba000 is 100% similar to whitelist hook AcLayers.DLL

Process: 860 (iexplore.exe)
Hook at 0x715b9e59 in page 0x715b9000 is 100% similar to whitelist hook AcLayers.DLL

Process: 860 (iexplore.exe)
Hook at 0x715ba067 in page 0x715ba000 is 100% similar to whitelist hook AcLayers.DLL

Process: 860 (iexplore.exe)
Hook at 0x715ba16b in page 0x715ba000 is 100% similar to whitelist hook AcLayers.DLL

Process: 860 (iexplore.exe)
Hook at 0x715b9e59 in page 0x715b9000 is 100% similar to whitelist hook AcLayers.DLL

Process: 860 (iexplore.exe)
Hook at 0x715ba067 in page 0x715ba000 is 100% similar to whitelist hook AcLayers.DLL

************************************************************************
Hook mode: Usermode
Hook type: Inline/Trampoline
Process: 860 (iexplore.exe)
Victim module: USER32.dll (0x7e410000 - 0x7e4a1000)
Function: USER32.dll!CallNextHookEx at 0x7e42b3c6
Hook address: 0x3e2dd1c5
Hooking module: IEFRAME.dll

Disassembly(0):
0x7e42b3c6 e9fa1debbf       JMP 0x3e2dd1c5
0x7e42b3cb 64a118000000     MOV EAX, [FS:0x18]
0x7e42b3d1 83784000         CMP DWORD [EAX+0x40], 0x0
0x7e42b3d5 0f84d06c0100     JZ 0x7e4420ab
0x7e42b3db 53               PUSH EBX
0x7e42b3dc 56               PUSH ESI
0x7e42b3dd 57               PUSH EDI

Disassembly(1):
0x3e2dd1c5 8bff             MOV EDI, EDI
0x3e2dd1c7 55               PUSH EBP
0x3e2dd1c8 8bec             MOV EBP, ESP
0x3e2dd1ca 56               PUSH ESI
0x3e2dd1cb 33f6             XOR ESI, ESI
0x3e2dd1cd e824000000       CALL 0x3e2dd1f6
0x3e2dd1d2 85c0             TEST EAX, EAX
0x3e2dd1d4 7514             JNZ 0x3e2dd1ea
0x3e2dd1d6 ff7514           PUSH DWORD [EBP+0x14]
0x3e2dd1d9 ff7510           PUSH DWORD [EBP+0x10]
0x3e2dd1dc ff               DB 0xff


Implementing the whitelist in malfinddeep works the same way and uses the same options.

Back to top

by

SANS SEC503: Intrusion Detection In-Depth Mentor Class

No comments yet

Categories: Training

If you live in the New Orleans area and are interested in SANS training but can’t make it to a conference, I will be leading a mentor session starting in March for SEC503: Intrusion Detection In-Depth.

Enter Promo Code MGIAC13 when registering for Security 503 from the Mentor Program to receive your FREE GIAC Exam attempt

Mentor classes meets once a week for 10 weeks in the evening for two hours – much like a graduate school course. No need to be out of the office or travel, and you’ll get more time to digest the content and more interaction. The class includes MP3 audio files so you can study at your own pace in between sessions and have questions ready for the next class. This course spans a wide variety of topics from foundational material such as TCP/IP to detecting an intrusion, building in breadth and depth along the way.

Course Details:

SECURITY 503: Intrusion Detection In-Depth

Start Date: March 27 – 6:30-8:30pm

Registration and full class information: http://www.sans.org/mentor/class/31040

by

Christmas 2012 Hacking Challenge

No comments yet

Categories: Challenges, Penetration Testing

Ed Skoudis and SANS’s holiday hacking challenges are something fun I look forward to every year. They’re always entertaining a good little test of security skills. This year’s “The Year Without a Santa… Hack” was no different. I don’t think I’ve ever seen “The Year Without a Santa,” but the Control Systems twist for the challenge was cool.

Since the submission deadline has passed, I thought I’d post my report here. Looking forward to seeing the results, hopefully this coming week.

2012 Holiday Hack Challenge

by

Christmas 2011 Hacking Challenge

No comments yet

Categories: Challenges, Forensics

I spent a couple nights over my Christmas vacation working on the Christmas 2011 Hacking Challenge on the SANS Pen Test blog. This is the first year I’ve done the challenge, and I had a lot of fun with it. I may have gone a little overboard with the report, but I wanted to try to make it somewhat realistic.

I ended up getting honorable mention when the results were posted. I was pretty happy with that, even though it meant I didn’t win a copy of Ed Skoudis’s book. That wasn’t a big deal since I ended up winning a copy during NetWars at SANS2012 in Orlando, and I wouldn’t really need two copies. I had always meant to post my report when the challenge was over, and I’m just now getting around to that.

Here’s a link to my report and here is what Ed had to say about it in the results post:

Dave Lassalle: Your report was very detailed, and was a close second. You explained the Apple Software Update component of the attack well, explained all of the fields in the CellLocation table, mentioned the GPS anomalies and the duplicate timestamps, and included a great map showing all of the places. You also extracted and ran the iTunesSetup.exe malware and wrote your own handler for it, which was very impressive. Amazing work, beautifully executed.

2011HolidayHackChallenge

by

srch_strings_wrap — history and examples

1 comment

Categories: Forensics, Tags: , ,

I recently took SANS FOR508 with Rob Lee in Las Vegas.  It was a great class and I highly recommend it to everyone interested in Digital Forensics.  I’m new to forensics and learned so much from the class.

One of the topics covered is using the srch_strings command from the Sleuth Kit on a filesystem image to obtain not just the strings within the file, but also the byte offset of each string.  This is done using the “-t d” option:

$ srch_strings -a -t d sda1.img
 7208 vmlinuz-2.2.14-5.0
 7336 System.map-2.2.14-5.0smp
 7464 module-info-2.2.14-5.0
 262176 lost+found
 262196 kernel.h
 262212 System.map-2.2.14-5.0
 262244 module-info-2.2.14-5.0

Then, after obtaining the block size of the filesystem using fsstat, we figure out which block each of these strings is in.  For example, this is an image of a filesystem with 1024 byte blocks, so divide each byte offset by 1024:

Block  String
 7     vmlinuz-2.2.14-5.0
 7     System.map-2.2.14-5.0smp
 7     module-info-2.2.14-5.0
 256   lost+found
 256   kernel.h
 256   System.map-2.2.14-5.0
 256   module-info-2.2.14-5.0

During class, I got tired of opening the calculator to figure out these blocks, so I came up with a little one liner to do everything at once:

$ strings -a -t d sda1.img | tee file | awk '{print $1"/1024"}' | bc | paste - file
7       7208 vmlinuz-2.2.14-5.0
7       7336 System.map-2.2.14-5.0smp
7       7464 module-info-2.2.14-5.0
256     262176 lost+found
256     262196 kernel.h
256     262212 System.map-2.2.14-5.0
256     262244 module-info-2.2.14-5.0

Eventually, I got tired of typing that out and turned it into a script after getting back home after class.  I emailed Rob Lee about it and he put me in touch with Hal Pomeranz, who had been working on a similar script.  Hal and I had some other ideas of where this could be taken, and that’s what eventually became srch_strings_wrap.

In a previous post, I gave an overview of the command line options and functionality, so now I’d just like to show some examples. Continue reading →

by

srch_strings_wrap — forensics tool

No comments yet

Categories: Forensics, Tags: ,

I wrote a tool called srch_strings_wrap (available at GitHub – https://github.com/superponible/Search-Strings-Extension) that extends the functionality of the srch_strings command in the Sleuth Kit.  The idea came from repeatedly having to determine the block that corresponded to the results of srch_strings during FOR508.  I contacted Rob Lee about what I had written and he put me in touch with Hal Pomeranz, who had a similar script and some other ideas.

There are other scripts in my repository that are previous versions of this script, but they are not as fully functional as srch_strings_wrap.

The original srch_strings will pull out the strings within a file and gives the byte offset if requested.  My script srch_strings_wrap will obtain the byte offset, but also will use that byte offset to determine, if available, the block, inode, and filename that string is in.  Several command line options exists for filtering results, modifying output, and automatically carving matched files/inodes/blocks.

Currently, the command line options include:

If no special options are given, srch_strings_wrap can be used in place of srch_strings.

The blocksize of the filesystem can be specified (-b) or automatically determined from the image (-d).  Multiple filesystem images can be given as arguments, but only one full disk image can be specified.  The output can be grouped by file/inode/block (-O) or printed out line by line (default).  It supports custom delimiters (-F) and can output to CSV (-C).  Output can be written, if desired with a header (-H), to a file (-w), to standard out (default), or not at all (-N).  Grep terms can be passed on the command line (-g) or in a dirty word file (-G), with case insensitivity (-i).

If full lookups to the filename layer are not needed, the level can be specified to decrease runtime: byte (-l0, no different from “srch_strings -t d”), block (-l1), inode (-l2), and filename (-l3, the default).  There is an option to autocarve (-A) which will carve out all matching strings at the highest level available.

And if multiple grep searches will be conducted, “srch_strings -a -t d fs.img > output.asc” can be run on an image to capture all the strings and save the output to a file, then -P can be used to accept the output of that file piped in (“cat output.asc | srch_strings_wrap -P -I fs.img“).

See my overview post for some more examples and a little history on the tool.  It should be available in future versions of the SANS Investigative Forensics Toolkit (SIFT) Workstation.

* Link to this post: http://blog.superponible.com/2011/11/17/srch_strings_wrap-forensics-tool/
* Link to the examples: http://blog.superponible.com/2011/11/17/srch_strings_wrap-history-and-examples/
* Link to GitHub repository: https://github.com/superponible/Search-Strings-Extension

 

by

starting hands

No comments yet

Categories: Poker, Tags:

Time for my quarterly poker related post. I created a single page with tables of the starting hand strategies recommended by Abdul Jalib and the ones for Tight and Loose games in Small Stakes Hold ‘Em.

I thought I could do this and figure out why I’m playing so tight (and losing so much), but it doesn’t seem to be helping. I don’t know what my problem is.

1 2