reconstructing the scene of the crime reconstructing the
play

Reconstructing the Scene of the Crime Reconstructing the Scene of - PowerPoint PPT Presentation

Oct 16, 2023 •240 likes •795 views

Reconstructing the Scene of the Crime Reconstructing the Scene of the Crime Who are they? STEVE DAVIS PETER SILBERMAN STEVE DAVIS PETER SILBERMAN Security Consultant / Engineer / Researcher Security Consultant / Engineer / Researcher

  1. Reconstructing the Scene of the Crime Reconstructing the Scene of the Crime

  2. Who are they? STEVE DAVIS PETER SILBERMAN STEVE DAVIS PETER SILBERMAN Security Consultant / Engineer / Researcher Security Consultant / Engineer / Researcher     Researcher at MANDIANT Researcher at MANDIANT at MANDIANT at MANDIANT

  3. Agenda  ½ ½ Demo Demo  - Pop it like its Pop it like its hotttt hotttt -  Problem / Solution Problem / Solution   Process Acquisition Process Acquisition   Metasploit Metasploit   Meterpreter Communication Meterpreter Communication   Metasploit Forensic Framework (MSFF) Metasploit Forensic Framework (MSFF)   ½ Demo ½ Demo  - Reconstructing it like its Reconstructing it like its hotttt hotttt -

  4. Demo Part 1  Box Windows XP Fresh SP3 Box Windows XP Fresh SP3  Same box that our slides are running from… … Same box that our slides are running from Oh noes noes! ! Oh  MS08-067 meterpreter bind tcp MS08-067 meterpreter bind tcp 

  5. Back to our regularly scheduled slides...

  6. Problem  Meterpreter Meterpreter  - Traditional disk forensics is helpless Traditional disk forensics is helpless -  Attack vector may never touch disk Attack vector may never touch disk  - No way to determine what happened No way to determine what happened -  Goal Goal  - Reconstruct attacker Reconstruct attacker’ ’s Meterpreter sessions s Meterpreter sessions - with as much reliability as possible with as much reliability as possible

  7. Solution  Acquire exploited processes Acquire exploited processes’ ’ address address  space space  Parse out meterpreter protocol from Parse out meterpreter protocol from  acquired memory sections acquired memory sections - Reconstruct meterpreter sessions Reconstruct meterpreter sessions -

  8. MANDIANT Memoryze ENUMERATION ACQUISITION ENUMERATION ACQUISITION All running processes Physical memory image All running processes Physical memory image     - Handle table Handle table Running process’ ’s s Running process -   - Memory sections Memory sections memory space memory space - - Ports Ports - - Binary Binary - - Strings Strings - - Loaded DLL Loaded DLL’ ’s s - Drivers Drivers   - Stacks Stacks - - Including layered ones Including layered ones - Heaps Heaps - - - Data sections Data sections Certain kernel hooks Certain kernel hooks -   Drivers Drivers  

  9. MANDIANT Memoryze  Can analyze memory live, or from image Can analyze memory live, or from image  - Live analysis can use paging file for a more Live analysis can use paging file for a more - complete picture of memory complete picture of memory  Supported platforms Supported platforms  - 32-bit Windows 2000, XP, 2003 Server 32-bit Windows 2000, XP, 2003 Server - - Beta support for Vista Beta support for Vista -  Download at Download at  - http://www.mandiant.com/ http://www.mandiant.com/ -

  10. Process Acquisition

  11. Why Process Acquisition?  Acquisition was originally used mostly for Acquisition was originally used mostly for  malware analysis malware analysis - Acquire packed binaries running in memory Acquire packed binaries running in memory -  Usually utilized debuggers Usually utilized debuggers   Can defeat most packers Can defeat most packers   Acquisition has other uses: Acquisition has other uses:  - Acquire unknown binaries for Acquire unknown binaries for Virustotal Virustotal - - Acquire memory to look for protocol strings Acquire memory to look for protocol strings -  Encrypted strings are Encrypted strings are unecrypted unecrypted in memory in memory 

  12. Classic Process Acquisition  Current Methodology Current Methodology  - Open handle to process, OR Open handle to process, OR - - Attach to process Attach to process -  ReadProcessMemory ReadProcessMemory( (hProc hProc,
 ,
ImageBase ImageBase, ,  buffer,
ImageSize ImageSize,
 ,
BytesRead BytesRead) ) buffer,
  Current drawbacks Current drawbacks  - Requires Requires “ “touching touching” ” a process a process - - Detecting debuggers is trivial Detecting debuggers is trivial - - Gives an incomplete picture of memory Gives an incomplete picture of memory -

  13. Process Acquisition: Memoryze RELIES ON DOES NOT RELY ON RELIES ON DOES NOT RELY ON Physical memory access Attaching to a process Physical memory access Attaching to a process     with a debugger with a debugger Virtual to physical Virtual to physical   address translation Opening handles to address translation Opening handles to   processes or threads processes or threads API calls API calls   The OS’ ’s Virtual Memory s Virtual Memory The OS   Manager Manager

  14. Memoryze: Process Acquisition  Accessing Physical Memory Accessing Physical Memory  - Live analysis Live analysis - - Acquisition Acquisition -  \Device\ \Device\PhysicalMemory PhysicalMemory  - Section object exposed by Windows Section object exposed by Windows - - Reading from handle allows application to Reading from handle allows application to - read physical memory read physical memory - Every virtual address must be translated to a Every virtual address must be translated to a - physical offset within the section object physical offset within the section object

  15. KPROCESS PAE CR3 Physical address Virtual Address 2 bits 9 bits 9 bits 12 bits Page Directory Index (512) Page Table Index (512) Byte Index (4096) Physical Memory Page Dir Pointers Page Tables PDP index (4) PDP Page Frame Individual page table Page Dir PDE PTE

  16. Memoryze: Process Acquisition  Map physical memory into buffer Map physical memory into buffer   Acquisition: Acquisition:  - Write buffer to disk ( Write buffer to disk ( dd ) dd ) -  Analysis: Analysis:  - Scan buffer for known signatures of kernel Scan buffer for known signatures of kernel - structures, e.g. EPROCESS structures, e.g. EPROCESS

  17. New Process Acquisition  Find all processes (EPROCESS) in physical Find all processes (EPROCESS) in physical  memory memory - VadRoot VadRoot within the EPROCESS structure within the EPROCESS structure - - The The VadRoot VadRoot is the top node of a tree of Memory is the top node of a tree of Memory - Manager Virtual Address Descriptor (MMVAD) Manager Virtual Address Descriptor (MMVAD) entries entries - MMVAD entries contain the virtual start address MMVAD entries contain the virtual start address - and size of each memory section within a process and size of each memory section within a process - MMVAD entries containing mapped DLL MMVAD entries containing mapped DLL’ ’s or s or - EXE’ ’s will have a pointer to the path of the binary s will have a pointer to the path of the binary EXE  Helps manage process Helps manage process’ ’ virtual address space virtual address space 

  18. Memoryze: Process Acquisition  OllyDbg OllyDbg’ ’s s memory map view shows the memory map view shows the  different sections different sections  Each address range is an entry in Each address range is an entry in  , represented by a MMVAD VadRoot , represented by a MMVAD VadRoot structure structure  Enumeration of Enumeration of VadRoot allows access to VadRoot allows access to  heaps, stacks, and binary images heaps, stacks, and binary images

  19. Finding Processes Kernel Address Space … 0x8aadb830 0x8aadb834 0x8aadb838 0x8aadb83C 0x8aadb840 0x8aadb844 0x8aadb848 0x8aadb84C 0x8aadb850 …

  20. Finding Processes Kernel Address Space … 0x8aadb830 0x001b0003 0x8aadb834 0x00000000 0x8aadb838 0x8aadb838 0x8aadb83C 0x8aadb838 0x8aadb840 0x8aadb840 0x8aadb844 0x8aadb840 0x8aadb848 0x0b100020 0x8aadb84C 0x0000b084 0x8aadb850 0x00000000 …

  21. Finding Processes Kernel Address Space Indicates EPROCESS, … DISPATCH_HEADER, 0x8aadb830 0x001b0003 further checks are needed 0x8aadb834 0x00000000 0x8aadb838 0x8aadb838 0x8aadb83C 0x8aadb838 0x8aadb840 0x8aadb840 0x8aadb844 0x8aadb840 0x8aadb848 0x0b100020 0x8aadb84C 0x0000b084 0x8aadb850 0x00000000 …

  22. Finding Processes Found an EPROCESS structure Kernel Address Space … EPROCESS 0x8aadb830 0x00 PCB 0xC4 ObjectTable HANDLE_TABLE _MMVAD 0x11C VadRoot “calc.exe” 0x174 ImageFileName 0x258 Cookie 0x8aadba88 0x8aadba8C 0x8aadba90 0x8aadba94 …

  23. Parsing MMVAD _MMVAD EPROCESS Parent 0x00 PCB StartingVPN 0xC4 ObjectTable EndingVPN 0x11C VadRoot LeftChild RightChild 0x174 ImageFileName 0x258 Cookie _MMVAD _MMVAD Parent Parent StartingVPN StartingVPN EndingVPN EndingVPN LeftChild RightChild LeftChild RightChild

  24. Writing VADs to disk _MMVAD EPROCESS Parent 0x00 PCB StartingVPN 0xC4 ObjectTable EndingVPN 0x11C VadRoot LeftChild RightChild 0x174 ImageFileName 0x258 Cookie _MMVAD _MMVAD Parent Parent StartingVPN StartingVPN For each VAD write EndingVPN EndingVPN to disk: StartVPN to LeftChild RightChild LeftChild RightChild StartVPN+EndingVPN

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Reconstructing web pages from browser cache Iwan Hoogendoorn & Edwin Schaap University of

Reconstructing web pages from browser cache Iwan Hoogendoorn & Edwin Schaap University of

Reconstructing web pages from browser cache Iwan Hoogendoorn & Edwin Schaap University of Amsterdam July 4, 2013 1 Demo I Open Safari Clear Safaris cache Visit www.tweakers.net 2 Criminal research planning a crime committing the

807 views • 28 slides
FOUND IN TRANSLATION: Reconstructing Phylogenetic Language Trees Reconstructing Phylogenetic

FOUND IN TRANSLATION: Reconstructing Phylogenetic Language Trees Reconstructing Phylogenetic

FOUND IN TRANSLATION: Reconstructing Phylogenetic Language Trees Reconstructing Phylogenetic Language Trees Reconstructing Phylogenetic Language Trees Reconstructing Phylogenetic Language Trees from Translations from Translations from

178 views • 17 slides
Reconstructing conductivities in three dimensions using a non-physical scattering transform Kim

Reconstructing conductivities in three dimensions using a non-physical scattering transform Kim

Reconstructing conductivities in three dimensions using a non-physical scattering transform Kim Knudsen Department of Mathematics Technical University of Denmark Joint with Jutta Bikowski and Jennifer Mueller, Colorado State University

633 views • 31 slides
Reconstructing ancestral sequences through a combined bioinformatics and molecular modelling

Reconstructing ancestral sequences through a combined bioinformatics and molecular modelling

Reconstructing ancestral sequences through a combined bioinformatics and molecular modelling approach Subha Kalyaanamoorthy | OCE Post-Doctoral Fellow 07 November 2013 CSIRO ECOSYSTEM SCIENCES Ancestral Sequence Reconstruction A rearward

617 views • 17 slides
Reconstructing networks of pathways via significance analysis of their intersections Embedding

Reconstructing networks of pathways via significance analysis of their intersections Embedding

Reconstructing networks of pathways via significance analysis of their intersections Embedding biological knowledge in genomic statistical analysis Mirko Francesconi, Daniel Remondini, Nicola Neretti, John Sedivy, Ettore Verondini, Luciano

647 views • 45 slides
Recovering continuous conformations and reconstructing the energy landscape of a molecular machine

Recovering continuous conformations and reconstructing the energy landscape of a molecular machine

Recovering continuous conformations and reconstructing the energy landscape of a molecular machine Ali Dashti, Peter Schwander, Abbas Ourmazd, A. Hosseinizadeh, U. of Wisconsin -- the algorithm Robert Langlois and Hstau Liao, Columbia

370 views • 12 slides
Reconstructing Patterns of Information Diffusion from Incomplete Observations Sapienza

Reconstructing Patterns of Information Diffusion from Incomplete Observations Sapienza

Reconstructing Patterns of Information Diffusion from Incomplete Observations Sapienza University Flavio Chierichetti Cornell University Jon Kleinberg Carleton College David Liben-Nowell Internet Activism Very important phenomenon.

1.06k views • 105 slides
*** Reconstructing Concept Networks on the Basis of Crosslinguistic Polysemy J OHANN -M ATTIS L

*** Reconstructing Concept Networks on the Basis of Crosslinguistic Polysemy J OHANN -M ATTIS L

PollyNett *** Reconstructing Concept Networks on the Basis of Crosslinguistic Polysemy J OHANN -M ATTIS L IST , A NSELM T ERHALLE (Heinrich-Heine-University Dsseldorf) 1 Outline of the Talk 1. Conceptual Structures and Meaning Change 2.

816 views • 45 slides
From gene clustering to genetical genomics: Analyzing or reconstructing biological networks

From gene clustering to genetical genomics: Analyzing or reconstructing biological networks

From gene clustering to genetical genomics: Analyzing or reconstructing biological networks Matthieu Vignes 1 Jimmy Vandel 1 Nathalie Keussayan 1 Juliette Blanchet 2 Simon de Givry 1 Brigitte Mangin 1 1 BIA Unit - INRA Toulouse Castanet Tolosan,

809 views • 57 slides
Having Your Cake and Eating it too! Reconstructing Direction in a Liquid Scintillator Detector

Having Your Cake and Eating it too! Reconstructing Direction in a Liquid Scintillator Detector

Having Your Cake and Eating it too! Reconstructing Direction in a Liquid Scintillator Detector Lindley Winslow University of California Los Angeles Scintillation Cherenkov Light Light Energy Directionality Resolution I am particularly

476 views • 47 slides
Reconstructing Netflix Raghuram SV, Aditya Rao, Kunal Lillaney 600.667 Advanced Distributed

Reconstructing Netflix Raghuram SV, Aditya Rao, Kunal Lillaney 600.667 Advanced Distributed

Reconstructing Netflix Raghuram SV, Aditya Rao, Kunal Lillaney 600.667 Advanced Distributed Systems & Communication Johns Hopkins University Netflix Facts Internet has overtaken cable TV as preferred medium for delivering video content

506 views • 27 slides
The Power of DNA in Reconstructing Family Relationships Luke A. D. Hutchison Natalie M. Myres

The Power of DNA in Reconstructing Family Relationships Luke A. D. Hutchison Natalie M. Myres

Growing the Family Tree: The Power of DNA in Reconstructing Family Relationships Luke A. D. Hutchison Natalie M. Myres Scott R. Woodward Sorenson Molecular Genealogy Foundation (smgf.org) Our Genetic Identity Every living individual has a

628 views • 40 slides
How to Reconstruct the Main Idea: Use . . . Reconstructing x . . . From Characteristic . . .

How to Reconstruct the Main Idea: Use . . . Reconstructing x . . . From Characteristic . . .

Main Use of Radars: . . . Radars Provide . . . It Is Desirable to . . . Filtering Filtering: A Problem How to Reconstruct the Main Idea: Use . . . Reconstructing x . . . From Characteristic . . . Original Shape of a Radar Computations: . .

416 views • 18 slides
Recognizing Straight Skeletons and Voronoi Diagrams and Reconstructing Their Input Therese Biedl 1

Recognizing Straight Skeletons and Voronoi Diagrams and Reconstructing Their Input Therese Biedl 1

Recognizing Straight Skeletons and Voronoi Diagrams and Reconstructing Their Input Therese Biedl 1 Martin Held 2 Stefan Huber 3 1 David R. Cheriton School of Computer Science University of Waterloo, Canada 2 FB Computerwissenschaften Universit

831 views • 65 slides
Recognizing Straight Skeletons and Voronoi Diagrams and Reconstructing Their Input Therese Biedl 1

Recognizing Straight Skeletons and Voronoi Diagrams and Reconstructing Their Input Therese Biedl 1

Recognizing Straight Skeletons and Voronoi Diagrams and Reconstructing Their Input Therese Biedl 1 Martin Held 2 Stefan Huber 3 1 David R. Cheriton School of Computer Science University of Waterloo, Canada 2 FB Computerwissenschaften Universit

696 views • 58 slides
Feasibility Study for Reconstructing the Spatial-Temporal Structure of TIDs from High-Resolution

Feasibility Study for Reconstructing the Spatial-Temporal Structure of TIDs from High-Resolution

Feasibility Study for Reconstructing the Spatial-Temporal Structure of TIDs from High-Resolution Backscatter Ionograms Dr. L. J. Nickisch, Dr. Sergey Fridman, Dr. Mark Hausman NorthWest Research Associates, Monterey, California Dr. Geoffrey S.

436 views • 16 slides
Managing Your Learning During BST - Outcome Based Education Keith Farrington Education

Managing Your Learning During BST - Outcome Based Education Keith Farrington Education

Managing Your Learning During BST - Outcome Based Education Keith Farrington Education Specialist 17 July 2019 OBE For Histopathology, BST, 2019 What is OBE? Curriculum comprised of goals, and goals broken down into outcomes

168 views • 13 slides
Autopsy of an automation disaster Jean-Franois Gagn - Saturday, February 4, 2017 FOSDEM MySQL

Autopsy of an automation disaster Jean-Franois Gagn - Saturday, February 4, 2017 FOSDEM MySQL

Autopsy of an automation disaster Jean-Franois Gagn - Saturday, February 4, 2017 FOSDEM MySQL & Friends Devroom To err is human To really foul things up requires a computer [1] (or a script) [1]:

478 views • 30 slides
Inside IHE: Pathology and Laboratory Medicine Webinar Series 2018 Presented by Raj Dash,

Inside IHE: Pathology and Laboratory Medicine Webinar Series 2018 Presented by Raj Dash,

Inside IHE: Pathology and Laboratory Medicine Webinar Series 2018 Presented by Raj Dash, MD, Duke - Planning Committee Co-Chair Riki Merrick, MPH Vernetzt, LLC - Planning Committee Co-Chair Agenda o Intro to IHE Pathology and

710 views • 33 slides
Disclosures Redefining Sudden Cardiac Death: Insights from the San Francisco Industry PO

Disclosures Redefining Sudden Cardiac Death: Insights from the San Francisco Industry PO

Disclosures Redefining Sudden Cardiac Death: Insights from the San Francisco Industry PO stmortem S ystematic None inves T igation of Grants S udden C ardiac D eath Study NIH/NHLBI: R01 HL 102090 NIH/NHLBI: R01 HL 126555 14

412 views • 14 slides
About me Whos me? Ezequiel ZequiV azquez Backend Developer Sysadmin & DevOps

About me Whos me? Ezequiel ZequiV azquez Backend Developer Sysadmin & DevOps

About me Whos me? Ezequiel ZequiV azquez Backend Developer Sysadmin & DevOps Hacking & Security @RabbitLair About me Index Introduction 1 Analysis of Vulnerabilities 2 What if I dont patch? 3 Index Introduction

985 views • 35 slides
Work Group Considerations: Proposed Recommendation Text for Policy Options Mary Choi, MD, MPH

Work Group Considerations: Proposed Recommendation Text for Policy Options Mary Choi, MD, MPH

National Center for Emerging and Zoonotic Infectious Diseases Work Group Considerations: Proposed Recommendation Text for Policy Options Mary Choi, MD, MPH Viral Special Pathogens Branch Centers for Disease Control and Prevention Advisory

369 views • 19 slides
Suicide Prevention: A community effort Zachary K. Parrett, PsyD Clinical Psychologist, Suicide

Suicide Prevention: A community effort Zachary K. Parrett, PsyD Clinical Psychologist, Suicide

Suicide Prevention: A community effort Zachary K. Parrett, PsyD Clinical Psychologist, Suicide Prevention Coordinator Kansas City VAMC 1 Disclosure I have no actual or potential conflict of interest in relation to this

715 views • 50 slides
MMRIA ABSTRACTOR OFFICE HOURS ENHANCING REVIEWS AND SURVEILLANCE TO ELIMINATE MATERNAL MORTALITY

MMRIA ABSTRACTOR OFFICE HOURS ENHANCING REVIEWS AND SURVEILLANCE TO ELIMINATE MATERNAL MORTALITY

MMRIA ABSTRACTOR OFFICE HOURS ENHANCING REVIEWS AND SURVEILLANCE TO ELIMINATE MATERNAL MORTALITY (ERASE MM) NOVEMBER 21, 2019 Centers for Disease Control and Prevention National Center for Chronic Disease Prevention and Health Promotion Division

288 views • 7 slides

More recommend