Saturday, December 1, 2007

User Assist Data in the RAM Dump

Lately some good information has been posted on the web regarding the importance of the UserAssist registry keys, especially by Didier Stevens (http://blog.didierstevens.com/programs/userassist/) and Harlan Carvey (http://windowsir.blogspot.com/).

Recently, and completely by coincidence, I found some UserAssist remnants in the RAM dumps I was analyzing. The information was obfuscated with ROT13, but I found quite a bit of useful information. For more ROT13 fun (and a Microsoft Easter egg) check out shdoclc.dll in your system32 folder.

I used the good old dfrws2005-physical-memory1.dmp for this demonstration, but all the RAM dumps (Vista, XP SP2, XP SP1 and Windows Server 2003) I reviewed appear to have similarities.

I started with a simple search for HRZR_EHACNGU (ROT13 for “UEME_RUNPATH”).

It returned 35 hits. The following is a partial sample of the search hits (the stray trailing character on some of them, such as the “e” and “i” after .exe, is the byte that happened to follow the value name in memory, not part of the name):

HRZR_EHACNGU:P:\Flfcerc\FLFCERC.RKR

HRZR_EHACNGU:P:\Cebtenz Svyrf\CbjreCnary\Cebtenz\CpsZte.rkre

HRZR_EHACNGU:P:\Cebtenz Svyrf\FBAL\Fbal Abgrobbx Frghc\FAFrghc.rkrv

HRZR_EHACNGU:P:\JVAAG\flfgrz32\zzp.rkr

HRZR_EHACNGU:P:\JVAAG\flfgrz32\pzq.rkr

HRZR_EHACNGU:P:\JVAAG\flfgrz32\ehaqyy32.rkr.RU0

HRZR_EHACNGU:P:\Cebtenz Svyrf\Fhccbeg.pbz\Pyvrag\ova\gtpzq.rkr

HRZR_EHACNGU:P:\Cebtenz Svyrf\Fbal\Wbt Qvny Hgvyvgl\WbtFrei2.rkr

HRZR_EHACNGU:Q:\0102901.FAP\Frghc.rkr

HRZR_EHACNGU:P:\fbalflf\purpxQZV.rkr

Decoded with ROT13 (using http://www.download.com/3001-2092_4-1535479.html):

UEME_RUNPATH:C:\Sysprep\SYSPREP.EXE

UEME_RUNPATH:C:\Program Files\PowerPanel\Program\PcfMgr.exer

UEME_RUNPATH:C:\Program Files\SONY\Sony Notebook Setup\SNSetup.exei

UEME_RUNPATH:C:\WINNT\system32\mmc.exe

UEME_RUNPATH:C:\WINNT\system32\cmd.exe

UEME_RUNPATH:C:\WINNT\system32\rundll32.exe.EH0

UEME_RUNPATH:C:\Program Files\Support.com\Client\bin\tgcmd.exe

UEME_RUNPATH:C:\Program Files\Sony\Jog Dial Utility\JogServ2.exe

UEME_RUNPATH:D:\0102901.SNC\Setup.exe

UEME_RUNPATH:C:\sonysys\checkDMI.exe

Another search, for .yax (ROT13 for “.lnk”), also proves useful. These hits carry the UEME_RUNPIDL prefix, which UserAssist uses for programs started through a shortcut rather than directly by path:

HRZR_EHACVQY:%pfvqy2%\Fbal Abgrobbx Frghc\Fbal Abgrobbx Frghc.yax

HRZR_EHACVQY:P:\Qbphzragf naq Frggvatf\Nyy Hfref\Fgneg Zrah\I N V B\INVB Fhccbeg Ntrag.yax

HRZR_EHACVQY:%pfvqy2%\Npprffbevrf\Flfgrz Gbbyf\Punenpgre Znc.yax

HRZR_EHACVQY:%pfvqy2%\Argfpncr Pbzzhavpngbe\Hgvyvgvrf\Thrfg.yax

Decoded:

UEME_RUNPIDL:%csidl2%\Sony Notebook Setup\Sony Notebook Setup.lnk

UEME_RUNPIDL:C:\Documents and Settings\All Users\Start Menu\V A I O\VAIO Support Agent.lnk

UEME_RUNPIDL:%csidl2%\Accessories\System Tools\Character Map.lnk

UEME_RUNPIDL:%csidl2%\Netscape Communicator\Utilities\Guest.lnk

You get the idea!

Now the follow-up is to try to find the same date/time stamps and counter information that is stored alongside these names in the UserAssist keys.
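The two searches above (HRZR_EHACNGU and .yax) can be folded into one carving pass over the dump. The script below is an added example, not the blog author's code or a tool mentioned on the page: it scans a raw memory image for the ROT13 form of the UEME_ prefix, decodes every hit, and tags the RUNPATH / RUNPIDL kind and the .lnk entries. A UTF-16LE variant of the pattern is included as an assumption (all hits on this page are ASCII). For the follow-up question of counters and timestamps, decode_value_data() decodes the 16-byte UserAssist value data layout of XP/2003/Vista (session id, run counter, FILETIME; XP/2003 keep the counter with a fixed offset of 5), which is the registry format, not something the page shows being recovered from the dump. The sample dump embedded in _build_sample_dump() is constructed from names on this page so the script runs offline; pass a real .dmp on the command line to carve it.

```python
"""Carve ROT13-obfuscated UserAssist value names out of a raw memory dump.

Added example, not the blog author's code. Usage:
    python carve_userassist.py dfrws2005-physical-memory1.dmp
With no argument it runs over a small constructed sample dump.
"""
import codecs
import re
import struct
import sys
from datetime import datetime, timedelta, timezone

# UserAssist value names are stored ROT13-encoded: "UEME_" becomes "HRZR_".
ROT13_PREFIX = codecs.encode("UEME_", "rot13")  # "HRZR_"

# ASCII remnant: the prefix followed by a run of printable bytes. The run ends at
# the first non-printable byte, which is why hits sometimes carry a stray trailing
# character such as "SNSetup.exei" (an adjacent byte, not part of the value name).
ASCII_RE = re.compile(rb"HRZR_[\x20-\x7e]{1,1024}")
# UTF-16LE variant (assumption: not seen on the page, but registry value names can
# also be stored as UTF-16 when the hive does not use the compact ASCII form).
UTF16_RE = re.compile(rb"H\x00R\x00Z\x00R\x00_\x00(?:[\x20-\x7e]\x00){1,1024}")

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def carve_userassist(dump: bytes):
    """Return one dict per UEME_ remnant: offset, encoding, encoded/decoded name,
    kind (UEME_RUNPATH, UEME_RUNPIDL, ...) and whether it names a .lnk shortcut."""
    hits = []
    for enc_name, pattern in (("ascii", ASCII_RE), ("utf-16le", UTF16_RE)):
        for m in pattern.finditer(dump):
            encoded = m.group(0).decode(enc_name)
            decoded = codecs.decode(encoded, "rot13")
            hits.append({
                "offset": m.start(),
                "encoding": enc_name,
                "encoded": encoded,
                "decoded": decoded,
                "kind": decoded.split(":", 1)[0],
                "is_lnk": ".lnk" in decoded.lower(),
            })
    hits.sort(key=lambda h: h["offset"])
    return hits


def decode_value_data(blob: bytes):
    """Decode the 16-byte UserAssist value data used by XP/2003/Vista:
    uint32 session id, uint32 run counter, 64-bit FILETIME of the last run.
    XP/2003 store the counter with an offset of 5, so the real run count is
    counter - 5 (assumption noted in the lead-in). Windows 7 and later use a
    different 72-byte layout that this function does not handle."""
    if len(blob) < 16:
        raise ValueError("need 16 bytes of UserAssist value data")
    session, counter, filetime = struct.unpack("<IIQ", blob[:16])
    last_run = None
    if filetime:  # FILETIME counts 100 ns intervals since 1601-01-01 UTC
        last_run = FILETIME_EPOCH + timedelta(microseconds=filetime // 10)
    return {
        "session": session,
        "counter": counter,
        "runs": counter - 5 if counter >= 5 else counter,
        "last_run": last_run,
    }


def _build_sample_dump() -> bytes:
    """Constructed test data: ROT13 names (taken from this page) surrounded by
    filler bytes, mimicking what a search over a real dump turns up."""
    names = [
        "UEME_RUNPATH:C:\\WINNT\\system32\\cmd.exe",
        "UEME_RUNPIDL:%csidl2%\\Accessories\\System Tools\\Character Map.lnk",
        "UEME_RUNPATH:C:\\Sysprep\\SYSPREP.EXE",
    ]
    buf = bytearray(b"\x00" * 64)
    for n in names:
        buf += codecs.encode(n, "rot13").encode("ascii") + b"\x00" * 16
    # one UTF-16LE copy as well, to exercise the second pattern
    buf += codecs.encode(names[0], "rot13").encode("utf-16le") + b"\x00\x00" + b"\xff" * 8
    return bytes(buf)


if __name__ == "__main__":
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else _build_sample_dump()
    for h in carve_userassist(data):
        flag = " [lnk]" if h["is_lnk"] else ""
        print(f"{h['offset']:#010x} {h['encoding']:<8} {h['decoded']}{flag}")
```

The carve only recovers value names; the registry keeps the counter and timestamp in a separate data cell, so matching a name to its 16-byte data blob inside a dump means locating the hive cells rather than extending the string match.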