Sunday, October 17, 2010

New Win7 Process Enscript (Beta)

I updated my Basic Memory Analysis Enscripts (Version 6) and rolled them out at the 2010 WACCI Conference. The newest addition is an Enscript to carve for Windows 7 Processes (Exited and Running).

Important ---If you downloaded the new Enscripts prior to 10/17/2010 please update your download to Version 2.1 - I made some changes to the Win7 (Beta) Enscript.

The magic number I am using is part of the _DISPATCHER_HEADER of the _KPROCESS.

\x03\x00\x58\x00[\x00\x01]\x00\x00\x00.[\x01-\xff]....\xff\xff.

The _KPROCESS is the first entry of the _EPROCESS.

Some Information Regarding the New Enscripts:

All the new Enscripts create a default folder to place search hits and bookmarks. If you run the Enscripts at more then one memory image you will co-mingle hits/bookmarks. And if you don’t rename the folders prior to re-running the script – there is no fail-safe check and your original folder will be overwritten.

To run any of the Enscripts just drop them into your main Enscript folder (usually C:\program files\Encase6 \Enscripts).



My RESEARCH:
\x03\x00\x58\x00[\x00\x01]\x00\x00\x00 (Too many false positives)
\xff\xff\x03\x00\x58\x00[\x00\x01]\x00\x00\x00(Missed processes)

I also tried to use something unique besides the Dispatch Header. I tried to use the following magic number which I believe is the Swap List Entry of the KPROCESS Block.

“\x04\x00\x04\x00\x00\x00\x00\x00.\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00[\x09\x08]” I do know that I could have used \x04\x00\x04\x00{36,36}[\x09\x08]

This also missed several processes in my test data.

The following is output from WinDBG for the command “dt _eprocess”:

Windows 7 Kernel Version 7600 MP (8 procs) Free x64
Product: WinNt, suite: TerminalServer SingleUserTS
Built by: 7600.16617.amd64fre.win7_gdr.100618-1621
Machine Name:
Kernel base = 0xfffff800`02c67000 PsLoadedModuleList = 0xfffff800`02ea4e50
Debug session time: Mon Oct 11 14:12:52.405 2010 (UTC - 5:00)
System Uptime: 0 days 0:15:33.732
lkd> dt _eprocess
nt!_EPROCESS
+0x000 Pcb : _KPROCESS (Location of the _DISPATCHER_HEADER)
+0x160 ProcessLock : _EX_PUSH_LOCK
+0x168 CreateTime : _LARGE_INTEGER (Dec Offset 360)
+0x170 ExitTime : _LARGE_INTEGER(Dec Offset 368)
+0x178 RundownProtect : _EX_RUNDOWN_REF
+0x180 UniqueProcessId : Ptr64 Void(Dec Offset 384)
+0x188 ActiveProcessLinks : _LIST_ENTRY
-------------------------Truncated
+0x290 InheritedFromUniqueProcessId : Ptr64 Void(Dec Offset 656)
------------------------Truncated
+0x2e0 ImageFileName : [15] UChar(Dec Offset 736)

THANK YOU:
A special “Thank You” to Lance Mueller for his AWESOME Free Enscript Tutorial which was a HUGE Help to me.

2 comments:

furniture jati said...

Thank you for presenting a wide variety of information that is very interesting to see in this artikle


wisata karimunjawa
and jual furniture
or jepara furniture
and toko tenun

Unknown said...

Thank you for presenting a wide variety of information that is very interesting to see in this artikle, good job adnd succes For you



tenun rangrang
tenun baron
tenun troso
baju tenun
tenun endek
tenun bima
tenun sutra
tenun sby
tenun polosan
tenun troso