the impact of microsoft windows pool allocation
play

The impact of Microsoft Windows pool allocation strategies on memory - PowerPoint PPT Presentation

May 26, 2023 •245 likes •511 views

The impact of Microsoft Windows pool allocation strategies on memory forensics Andreas Schuster Andreas Schuster / DFRWS 2008 2008-08-12 1 Introduction. A simulated attack. Attacker launches shell (cmd.exe) launches payload

  1. The impact of Microsoft Windows pool allocation strategies on memory forensics Andreas Schuster Andreas Schuster / DFRWS 2008 2008-08-12 1

  2. Introduction. A simulated attack.  Attacker  launches shell (cmd.exe)  launches “payload” (nc.exe)  launches fu.exe to hide payload  closes shell  Incident Responder  launches (trusted) shell  obtains memory image Andreas Schuster / DFRWS 2008 2008-08-12 3

  3. Introduction. Expectation vs. Observation  payload (netcat listener nc.exe) is visible, but “isolated”  no evidence of terminated programs (attacker’s shell and rootkit) Andreas Schuster / DFRWS 2008 2008-08-12 4

  4. Persistence of pool allocations.

  5. Persistence of memory pool allocations. Related work.  Farmer and Venema (2004) measured decay of freed memory on FreeBSD 4.1 and RedHat Linux 6.2. After “some ten minutes, about 90 percent of the monitored memory was changed“.  Walters and Petroni (2007) counted changed memory pages on Windows XP SP2 running as VMware guest. After 15 hours of idle activity, 85% of 512 MB RAM were unchanged.  Sol Solomon, , Hueb uebner, Bem em and and Sz Sze ż ynska (2 (2007) ) used used pro probe proc processes to to meas measure the decay of userland data. “The majority of pages persisted for less than 5 min[utes] with single pages only lasting longer.”  Cho how, , Pfaf aff, f, Garf arfinkel and and Rose Rosenblum (2 (2005) ) fil ille led net network buf buffe fers in in kerne ernel l spac space e with marked and timestamped data. After 14 days of “everyday work” 3 MB out of ini initi tiall lly 4 MB we were re still still ac acce cessible. e. Andreas Schuster / DFRWS 2008 2008-08-12 6

  6. Persistence of memory pool allocations. Test environment.  Goal #1: avoid as much unwanted activity as possible  deactivated unneeded system services  firewall,  background file transfer,  NTP client… Andreas Schuster / DFRWS 2008 2008-08-12 7

  7. Persistence of memory pool allocations. Test environment.  Goal #2: sampling shall not change the state of the observable  run observed OS as guest in VMware  see Walters and Petroni, 2007  suspend VM to obtain the memory dump Andreas Schuster / DFRWS 2008 2008-08-12 8

  8. Persistence of memory pool allocations. Test environment.  Goal #3: experiments shall be reproducible  OS with prepared analysis environment (shell, debugger) stored as snapshot  probe binaries and log files kept on host, accessed through VMware’s shared folder  test plan implemented as CMD batch Andreas Schuster / DFRWS 2008 2008-08-12 9

  9. Persistence of memory pool allocations. Test plan. 1. launch probes no. 1 to 100 2. give the system time to settle down (5 minutes) 3. obtain memory image (reference) and scan for EPROCESS structures 4. terminate all probes 5. obtain memory image and scan for EPROCESS structures 6. repeat 1, 5, 15, 30, 60 minutes and 24 hours thereafter Andreas Schuster / DFRWS 2008 2008-08-12 10

  10. Persistence of memory pool allocations. Results. low file system activity: high file system activity:  90 EPRO ROCESS stru structu tures  88 EPRO ROCESS stru structu tures after af ter 24 hou hours after af ter 24 hou hours  8 ETHREAD, belonging to  7 file system related data, SYSTEM and svchost.exe e.g. MFT entries of probe files  1 network related  3 ETHREAD belonging to background activity (svchost.exe, services.exe)  1 not identified  1 network related  1 VAD Andreas Schuster / DFRWS 2008 2008-08-12 11

  11. Reuse of pool allocations.

  12. Reuse of pool allocations. Related work.  SoBeIt (2005): How to exploit Windows kernel memory pool. http://xcon.xfocus.org/xcon2005/archives/2005/Xcon2005_SoBeIt.pdf  Johnson (2007): Memory Allocator Attack and Defense. http://seattle.toorcon.org/talks/richardjohnson.pptx  Kortchinsky (2008): Real World Kernel Pool Exploitation. http://www.immunitysec.com/downloads/KernelPool.odp  detailed description of data structures and algorithms  offensive usage  highly recommended! Andreas Schuster / DFRWS 2008 2008-08-12 13

  13. Reuse of pool allocations. Keeping track of free allocations. POOL_DESCRIPTOR ListHeads 0 … BlockSize 79 POOL_HEADER ex ETHREAD 80 POOL_HEADER POOL_HEADER ex EPROCESS ex EPROCESS … 511 Andreas Schuster / DFRWS 2008 2008-08-12 14

  14. Reuse of pool allocations. POOL_HEADER (allocated) kd> dt _POOL_HEADER nt!_POOL_HEADER +0x000 PreviousSize : Pos 0, 9 Bits +0x000 PoolIndex : Pos 9, 7 Bits +0x002 BlockSize : Pos 0, 9 Bits +0x002 PoolType : Pos 9, 7 Bits +0x004 PoolTag : Uint4B +0x008 Payload Andreas Schuster / DFRWS 2008 2008-08-12 15

  15. Reuse of pool allocations. POOL_HEADER (free) +0x000 PreviousSize : Pos 0, 9 Bits +0x000 PoolIndex : Pos 9, 7 Bits +0x002 BlockSize : Pos 0, 9 Bits +0x002 PoolType : Pos 9, 7 Bits +0x004 PoolTag : Uint4B +0x008 FreeList : _LIST_ENTRY +0x000 Flink : Ptr32 +0x004 Blink : Ptr32 +0x010 RemainingPayload Andreas Schuster / DFRWS 2008 2008-08-12 16

  16. Reuse of pool allocations. Test plan. 1. launch probes no. 1 to 3 2. terminate all probes in reverse order 3. obtain memory image and scan for EPROCESS structures 4. launch probe no. 4 5. obtain memory image and scan for EPROCESS structures Andreas Schuster / DFRWS 2008 2008-08-12 17

  17. Reuse of pool allocations. Results. Probe Page Directory PID EPROCESS no. Base Address 1 464 0x04c9 c9a020 0x06bf1000 2 492 0x04878da0 0x01876000 3 500 0x01082da0 0x04b9f000 4 540 0x04c9 c9a020 0x039f9000 Andreas Schuster / DFRWS 2008 2008-08-12 18

  18. Conclusion.

  19. Conclusion. Nonpaged pool.  contains lots of meta-data about kernel objects and other objects (processes, threads, modules, files, network connections)  no signs of active wiping and pool compaction  data persists until  block of memory is reused  whole page is unused and gets removed from the pool Andreas Schuster / DFRWS 2008 2008-08-12 20

  20. Conclusion. Reuse of pool allocations.  join adjacent free blocks  reallocate:  matching size “EPROCESS overwrites EPROCES”  if there’s no free allocation of matching size, then use a larger one “ETHREAD overwrites EPROCESS”  prefer free allocations near the borders over those in the middle of the pool (buddy algorithm by Donald E. Knuth)) Andreas Schuster / DFRWS 2008 2008-08-12 21

  21. Conclusion. Impact on memory acquisition tools.  Installed prior to an incident (aka “Enterprise Forensic Solution”)  pre-allocate resources during initialization  activate resources when needed  Installed post incident  use as little resources as possible  single thread  allow only 1 network connection  overlay instead of spawning a new process Andreas Schuster / DFRWS 2008 2008-08-12 22

  22. Conclusion. Measure the impact of IR/memory acquisition tools.  Ian Sutherland, Jon Evans, Theodore Tryfonas, Andrew Blyth (2008): “Acquiring Volatile Operating System Data – Tools and Techniques”  memory footprint  page file bytes  virtual bytes  working set  time elapsed  impact on registry  use of DLLs  proposal: also measure impact on pools, track calls to ExAllocatePoolWithTag Andreas Schuster / DFRWS 2008 2008-08-12 23

  23. Conclusion. Impact on memory analysis tools.  first 8 bytes of payload overwritten, if allocation is marked as free (PoolType == 0)  usually affects OBJECT_HEADER  opportunity to improve signatures for pool allocations:  both pointers are pointing into kernel memory (upper half of address space)  alignment on 8-byte boundary  affects PoolFinder  identified more than 200 false-positives among 42.000 records Andreas Schuster / DFRWS 2008 2008-08-12 24

  24. Questions?

  25. Thank you for your attention! Andreas Schuster / DFRWS 2008 2008-08-12 26

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

1. 2. 3. 1. 2. 3. Windows 10 IoT Core Universal Windows Platform (UWP) Microsoft Azure v7

1. 2. 3. 1. 2. 3. Windows 10 IoT Core Universal Windows Platform (UWP) Microsoft Azure v7

1. 2. 3. 1. 2. 3. Windows 10 IoT Core Universal Windows Platform (UWP) Microsoft Azure v7 v8 Windows Embedded Standard One core Multiple SKUs v8. Windows Embedded 1 Windows 10 Windows Embedded Handheld Converged OS kernel Converged

1.08k views • 60 slides
Microsoft Powerpoint Presentation 2010 For Windows 7 microsoft powerpoint windows 7 free download

Microsoft Powerpoint Presentation 2010 For Windows 7 microsoft powerpoint windows 7 free download

Microsoft Powerpoint Presentation 2010 For Windows 7 microsoft powerpoint windows 7 free download - Microsoft PowerPoint 2013 Microsoft PowerPoint 2013 15.0.4420.1017 PowerPoint Viewer 2010 1.0 received a PowerPoint presentation (in PPT format)

282 views • 4 slides
Windows 10 IoT Core Product Overview Microsoft Windows 10 IoT Core One platform that can scale

Windows 10 IoT Core Product Overview Microsoft Windows 10 IoT Core One platform that can scale

Windows 10 IoT Core Product Overview Microsoft Windows 10 IoT Core One platform that can scale down to small and low cost devices Leading connectivity to empower business scenarios Enterprise-grade security specifically designed for the

744 views • 40 slides
Support for Multilingual Windows Web Apps (WWA) and HTML 5 in Windows 8 Jan Anders Nelson Senior

Support for Multilingual Windows Web Apps (WWA) and HTML 5 in Windows 8 Jan Anders Nelson Senior

Support for Multilingual Windows Web Apps (WWA) and HTML 5 in Windows 8 Jan Anders Nelson Senior Program Manager Lead Microsoft Corporation Windows 8: Using the language you want More languages than ever before Microsoft will continue to

338 views • 10 slides
DNSSEC in Windows DNS Server Kumar Ashutosh, Microsoft Windows DNS Server Widely deployed in

DNSSEC in Windows DNS Server Kumar Ashutosh, Microsoft Windows DNS Server Widely deployed in

DNSSEC in Windows DNS Server Kumar Ashutosh, Microsoft Windows DNS Server Widely deployed in enterprises Fair presence in the DNS resolver space Standards compliant and interoperable Secure and scalable DNSSEC in Windows DNS

266 views • 14 slides
Windows NT and Real-Time? Reading: Inside Microsoft Windows 2000, (Solomon,

Windows NT and Real-Time? Reading: Inside Microsoft Windows 2000, (Solomon,

CPSC-663: Real-Time Systems Windows NT/2000 and Real-Time Windows NT and Real-Time? Reading: Inside Microsoft Windows 2000, (Solomon, Russinovich, Microsoft Programming Series) Real-Time Systems and Microsoft Windows NT

208 views • 8 slides
beatsch@microsoft.com - http://cloudbeatsch.com - @cloudbeatsch spectrum of IT services Windows

beatsch@microsoft.com - http://cloudbeatsch.com - @cloudbeatsch spectrum of IT services Windows

Open and Flexible PaaS with Windows Azure Beat Schwegler - Director, Platform Strategy Group - Microsoft corp. beatsch@microsoft.com - http://cloudbeatsch.com - @cloudbeatsch spectrum of IT services Windows Azure global footprint 99.95%

367 views • 26 slides
Implementing IPv6 for Windows NT Richard P. Draves, Microsoft Research Allison Mankin, USC/ISI

Implementing IPv6 for Windows NT Richard P. Draves, Microsoft Research Allison Mankin, USC/ISI

Implementing IPv6 for Windows NT Richard P. Draves, Microsoft Research Allison Mankin, USC/ISI Brian D. Zill, Microsoft Research Main Points Windows NT is a good base for network protocol development Our release is great sample code:

171 views • 16 slides
https://github.com/Microsoft/Windows-universal-

https://github.com/Microsoft/Windows-universal-

Any questions please contact winhectpe@microsoft.com https://github.com/Microsoft/Windows-universal- samples/tree/master/Samples/SpeechRecognitionAndSynthesis https://www.projectoxford.ai/demo/speech Area Microsoft Speech Azure Speech

466 views • 31 slides
Download microsoft office 2007 presentation on windows 8 This is a case of a senior executive

Download microsoft office 2007 presentation on windows 8 This is a case of a senior executive

Download microsoft office 2007 presentation on windows 8. Although a formal vote must still be taken by the Parliament, the new agreement should come into force on July 1. Download microsoft office 2007 presentation on windows 8 This is a case

214 views • 4 slides
and DNS data mining Making Windows DNS Server Cloud Ready ~Kumar Ashutosh, Microsoft Windows DNS

and DNS data mining Making Windows DNS Server Cloud Ready ~Kumar Ashutosh, Microsoft Windows DNS

DNS Traffic Management and DNS data mining Making Windows DNS Server Cloud Ready ~Kumar Ashutosh, Microsoft Windows DNS Server Widely deployed in enterprises Fair presence in the DNS resolver space Standards compliant and

296 views • 13 slides
Engineering Better Software at Microsoft Jason Yang jasony@microsoft.com Principal Development

Engineering Better Software at Microsoft Jason Yang jasony@microsoft.com Principal Development

Engineering Better Software at Microsoft Jason Yang jasony@microsoft.com Principal Development Lead Windows Engineering Desktop Microsoft Corporation Who we are Windows Engineering Desktop Analysis Technologies Team Develops and supports

870 views • 58 slides
Tax Allocation in Pass-Through Entities Minimizing Tax Impact Through Strategic Allocation of

Tax Allocation in Pass-Through Entities Minimizing Tax Impact Through Strategic Allocation of

Presenting a live 110-minute teleconference with interactive Q&A Tax Allocation in Pass-Through Entities Minimizing Tax Impact Through Strategic Allocation of Income, Gains, Losses and Liabilities THURSDAY, JUNE 6, 2013 1pm Eastern |

1.16k views • 61 slides
Tax Allocation in Partnerships and LLCs Minimizing Tax Impact Through Strategic Allocation of

Tax Allocation in Partnerships and LLCs Minimizing Tax Impact Through Strategic Allocation of

Presenting a live 110 minute teleconference with interactive Q&A Tax Allocation in Partnerships and LLCs Minimizing Tax Impact Through Strategic Allocation of Income, Gains, Losses and Liabilities WEDNESDAY, FEBRUARY 6, 2013 1pm Eastern

1.65k views • 147 slides
Allocated Market Pool Committee Overview of Recommendation Process for FY2014 Allocation The

Allocated Market Pool Committee Overview of Recommendation Process for FY2014 Allocation The

Allocated Market Pool Committee Overview of Recommendation Process for FY2014 Allocation The Allocated Market Pool Committee (AMPC) is a joint committee appointed by the BGSU-FA (Joel ODorisio, Co-Chair; Steve Demuth; Ray Schuck) and

213 views • 7 slides
FAT File system Case studies Microsoft, late 70s FAT late 70s; Microsoft File Allocation Table

FAT File system Case studies Microsoft, late 70s FAT late 70s; Microsoft File Allocation Table

FAT File system Case studies Microsoft, late 70s FAT late 70s; Microsoft File Allocation Table (FAT) key idea: linked list started with MSDOS Today: flash sticks in FAT-32, supports 2 28 blocks and files of 2 32 -1 bytes Unix FFS mid 80 s

225 views • 10 slides
Notes for PAC Public Hearing, 3 February 2015 Illawarra Residents for Responsible Mining

Notes for PAC Public Hearing, 3 February 2015 Illawarra Residents for Responsible Mining

Notes for PAC Public Hearing, 3 February 2015 Illawarra Residents for Responsible Mining presentation, Part 1 (Presented by Kaye Osborn) 4.7 mtpa over 5 years, yet application is for 3mtpa. This document contains major errors and omissions. We

504 views • 5 slides
Accountable Care: A Value-Based Approach to Health Care Transformation The 27th Annual IHI

Accountable Care: A Value-Based Approach to Health Care Transformation The 27th Annual IHI

11/23/2015 Sunday, December 6, 2015 These presenters have nothing to disclose Accountable Care: A Value-Based Approach to Health Care Transformation The 27th Annual IHI National Forum on Quality Improvement in Health Care Molly Bogan, MA

572 views • 44 slides
GVCs and Global Economic Transformation: How GVCs shape international trade and the global

GVCs and Global Economic Transformation: How GVCs shape international trade and the global

GVCs and Global Economic Transformation: How GVCs shape international trade and the global economy? TPSA Workshop, Jakarta, February 20, 2018 Jeff Neilson School of Geosciences (economic geography) University of Sydney or The chain

629 views • 16 slides
Draft Environmental Impact

Draft Environmental Impact

Draft Environmental Impact Statement (DEIS) Overview 2013 ?

1.31k views • 44 slides
Ma ssa g e a nd the Histo ry o f Physio the ra py K AY NI AS K AY.NI AS@ SCI E NCE MUSE

Ma ssa g e a nd the Histo ry o f Physio the ra py K AY NI AS K AY.NI AS@ SCI E NCE MUSE

Ma ssa g e a nd the Histo ry o f Physio the ra py K AY NI AS K AY.NI AS@ SCI E NCE MUSE UM.AC.UK Me dic a lisa tio n o f ma ssa g e Physio the ra py a t the Ro ya l Gymna stic s Ce ntra l I nstitute in Arvid K e llg re n, T e c

66 views • 6 slides
BUILDING ON FIRM FOUNDATIONS DELIVERING A SUSTAINABLE FUTURE ENHANCING OUTCOMES MEDIA Sinah

BUILDING ON FIRM FOUNDATIONS DELIVERING A SUSTAINABLE FUTURE ENHANCING OUTCOMES MEDIA Sinah

KUMBA IRON ORE LIMITED 2018 INTERIM FINANCIAL RESULTS FOR THE SIX MONTHS ENDED 30 JUNE 2018 BUILDING ON FIRM FOUNDATIONS DELIVERING A SUSTAINABLE FUTURE ENHANCING OUTCOMES MEDIA Sinah Phochana sinah.phochana@angloamerican.com Tel: +27 12

633 views • 49 slides
PH - PROGRESO Philippine Program for Recovery with Equity and Solidarity Turning the

PH - PROGRESO Philippine Program for Recovery with Equity and Solidarity Turning the

DRAFT FOR DISCUSSION ONLY. SUBJECT TO CHANGE. PH - PROGRESO Philippine Program for Recovery with Equity and Solidarity Turning the crisis into an opportunity A proposed economic recovery program Draft proposal for discussion purpose

442 views • 31 slides
Developing Coopera.ve Mechanisms for the Management of the

Developing Coopera.ve Mechanisms for the Management of the

Developing Coopera.ve Mechanisms for the Management of the Marine Environment in the SCS 9 th ARF-IMS-MS Marine Environment and Sustainable

666 views • 14 slides

More recommend