Sunday, October 17, 2010

New Win7 Process Enscript (Beta)

I updated my Basic Memory Analysis Enscripts (Version 6) and rolled them out at the 2010 WACCI Conference. The newest addition is an Enscript to carve for Windows 7 Processes (Exited and Running).

Important ---If you downloaded the new Enscripts prior to 10/17/2010 please update your download to Version 2.1 - I made some changes to the Win7 (Beta) Enscript.

The magic number I am using is part of the _DISPATCHER_HEADER of the _KPROCESS.


The _KPROCESS is the first entry of the _EPROCESS.

Some Information Regarding the New Enscripts:

All the new Enscripts create a default folder to place search hits and bookmarks. If you run the Enscripts at more then one memory image you will co-mingle hits/bookmarks. And if you don’t rename the folders prior to re-running the script – there is no fail-safe check and your original folder will be overwritten.

To run any of the Enscripts just drop them into your main Enscript folder (usually C:\program files\Encase6 \Enscripts).

\x03\x00\x58\x00[\x00\x01]\x00\x00\x00 (Too many false positives)
\xff\xff\x03\x00\x58\x00[\x00\x01]\x00\x00\x00(Missed processes)

I also tried to use something unique besides the Dispatch Header. I tried to use the following magic number which I believe is the Swap List Entry of the KPROCESS Block.

“\x04\x00\x04\x00\x00\x00\x00\x00.\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00[\x09\x08]” I do know that I could have used \x04\x00\x04\x00{36,36}[\x09\x08]

This also missed several processes in my test data.

The following is output from WinDBG for the command “dt _eprocess”:

Windows 7 Kernel Version 7600 MP (8 procs) Free x64
Product: WinNt, suite: TerminalServer SingleUserTS
Built by: 7600.16617.amd64fre.win7_gdr.100618-1621
Machine Name:
Kernel base = 0xfffff800`02c67000 PsLoadedModuleList = 0xfffff800`02ea4e50
Debug session time: Mon Oct 11 14:12:52.405 2010 (UTC - 5:00)
System Uptime: 0 days 0:15:33.732
lkd> dt _eprocess
+0x000 Pcb : _KPROCESS (Location of the _DISPATCHER_HEADER)
+0x160 ProcessLock : _EX_PUSH_LOCK
+0x168 CreateTime : _LARGE_INTEGER (Dec Offset 360)
+0x170 ExitTime : _LARGE_INTEGER(Dec Offset 368)
+0x178 RundownProtect : _EX_RUNDOWN_REF
+0x180 UniqueProcessId : Ptr64 Void(Dec Offset 384)
+0x188 ActiveProcessLinks : _LIST_ENTRY
+0x290 InheritedFromUniqueProcessId : Ptr64 Void(Dec Offset 656)
+0x2e0 ImageFileName : [15] UChar(Dec Offset 736)

A special “Thank You” to Lance Mueller for his AWESOME Free Enscript Tutorial which was a HUGE Help to me.

Wednesday, September 1, 2010

The Mystery of ROT (-29)

I know if your reading my blog you've seen ROT13 and know it is used by Microsoft in the UserAssist Registry Key.

But now I’ve found Microsoft using ROT(-29) or Rotate Minus 29 which is considerably more devious, then ROT13, for the forensic investigator.

Do the following steps to uncover ROT(-29):

1. First find a computer running Windows 7 or Vista.

2. Open Notepad and type: “ForensicZoneaaaaaaaaaabbbbbbbbbbcccccccccddddddddddForensicZone”.

3. Run Task Manager (taskmgr.exe).

4. Application Tab > Select the Notepad Task >Right Click and “Create Dump File”.

This action creates a "user-mode process dump file" at C:\Users\Your-UserName\AppData\Local\Temp\notepad.dmp

5. Open notepad.dmp using your favorite hex editor.
Scroll up from the bottom of the dump file approximately 6000 to 11000 bytes and you should see the following:

So if we decipher the information in the notepad.dmp file we see that

ASCII “F” (Dec 70) became ASCII “)” (Dec 41) – A Rotation of Minus 29
ASCII “o” (Dec 111) became ASCII “R” (Dec 82)
ASCII “r” (Hex 72) became ASCII “U” (Hex 55)
ASCII “e” - You get the picture

So “ForensicZone” becomes “ ) R U H Q V L F = R Q H”

Ok. So it is Rotation (-29) and a conversion to Unicode.

The Rotation -29 is more devious then ROT-13 because:

- Numbers and most of the Special Characters do not convert to a printable ASCII range.

- Capitol Letters are converted to numbers and special characters.

- The Unicode also makes it easy to overlook this information.

I then started conducting searches on dead Windows 7 and Vista Machines looking for the ROT (-29) in the wild. I used several search terms but haven’t been able to find much practical use for this information, as of yet. I also couldn't find a consistent magic number and the only hits I could find was on the word Microsoft (Microsoft + ROT(-29) = 0 L F U R V I Q) mostly dealing with Microsoft Office Document Metadata. (Note: The funny looking 0 is a zero)

There might be an easy explanation for Microsoft using ROT (-29) but I don't know what it is. If I am way off base or someone else has information about this please let me know.

I discovered ROT(-29) while preparing for my presentation for the Wisconsin Association Computer Crimes Investigators (WACCI) Conference 2010. One of the Keynote Speakers I am really looking forward to meeting at the WACCI 2010 Conference is Harlan Carvey.