Sunday, October 17, 2010

New Win7 Process Enscript (Beta)

I updated my Basic Memory Analysis Enscripts (Version 6) and rolled them out at the 2010 WACCI Conference. The newest addition is an Enscript to carve for Windows 7 Processes (Exited and Running).

Important ---If you downloaded the new Enscripts prior to 10/17/2010 please update your download to Version 2.1 - I made some changes to the Win7 (Beta) Enscript.

The magic number I am using is part of the _DISPATCHER_HEADER of the _KPROCESS.


The _KPROCESS is the first entry of the _EPROCESS.

Some Information Regarding the New Enscripts:

All the new Enscripts create a default folder to place search hits and bookmarks. If you run the Enscripts at more then one memory image you will co-mingle hits/bookmarks. And if you don’t rename the folders prior to re-running the script – there is no fail-safe check and your original folder will be overwritten.

To run any of the Enscripts just drop them into your main Enscript folder (usually C:\program files\Encase6 \Enscripts).

\x03\x00\x58\x00[\x00\x01]\x00\x00\x00 (Too many false positives)
\xff\xff\x03\x00\x58\x00[\x00\x01]\x00\x00\x00(Missed processes)

I also tried to use something unique besides the Dispatch Header. I tried to use the following magic number which I believe is the Swap List Entry of the KPROCESS Block.

“\x04\x00\x04\x00\x00\x00\x00\x00.\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00[\x09\x08]” I do know that I could have used \x04\x00\x04\x00{36,36}[\x09\x08]

This also missed several processes in my test data.

The following is output from WinDBG for the command “dt _eprocess”:

Windows 7 Kernel Version 7600 MP (8 procs) Free x64
Product: WinNt, suite: TerminalServer SingleUserTS
Built by: 7600.16617.amd64fre.win7_gdr.100618-1621
Machine Name:
Kernel base = 0xfffff800`02c67000 PsLoadedModuleList = 0xfffff800`02ea4e50
Debug session time: Mon Oct 11 14:12:52.405 2010 (UTC - 5:00)
System Uptime: 0 days 0:15:33.732
lkd> dt _eprocess
+0x000 Pcb : _KPROCESS (Location of the _DISPATCHER_HEADER)
+0x160 ProcessLock : _EX_PUSH_LOCK
+0x168 CreateTime : _LARGE_INTEGER (Dec Offset 360)
+0x170 ExitTime : _LARGE_INTEGER(Dec Offset 368)
+0x178 RundownProtect : _EX_RUNDOWN_REF
+0x180 UniqueProcessId : Ptr64 Void(Dec Offset 384)
+0x188 ActiveProcessLinks : _LIST_ENTRY
+0x290 InheritedFromUniqueProcessId : Ptr64 Void(Dec Offset 656)
+0x2e0 ImageFileName : [15] UChar(Dec Offset 736)

A special “Thank You” to Lance Mueller for his AWESOME Free Enscript Tutorial which was a HUGE Help to me.