Art of Memory Forensicsdistinct Different Between Process Handles and Tokens

6 Processes, Handles, and Tokens

This Chapter combines 3 of the most mutual initial steps in an investigation: determining what applications are running, what they're doing(in terms of access to files, registry keys, and so on), and what security context(or privilege level) they take obtained.

> Processes

There are several of the basic resources that vest to a process:

• _EPROCESS: the name of the structure that Windows uses to represent a process.

  all operating systems share the same concepts that are described in this high-level diagram.

• each process has its own individual memory infinite that's isolated from other processes.

Inside this retentivity space, yous tin observe the process executable; its list of loaded modules (DLLs or shared libraries); and its stacks, heaps, and allocated memory regions containing everything from user input to application-specific information structures.

• SIDs(security identifiers) and privilege data: a Security Identifier (commonly abbreviated SID) is a unique, immutable identifier of a user, user group, or other security principal.

>> Data Structures

Windows tracks processes by assigning them a unique _EPROCESS structure that resides in a non-paged pool of kernel memory.

and below:

• Pcb: The kernel's process control block (_KPROCESS). This construction is found at the base of operations of _EPROCESS and contains several critical fields, including the DirectoryTableBase for accost translation and the amount of time the process has spent in kernel way and user mode.

• CreateTime: A UTC timestamp indicating when the process first started.

• ExitTime: A UTC timestamp indicating the time the process exited. This value is zero for still-running processes.

• UniqueProcessId: An integer that uniquely identifies the process (likewise known as the PID).

• ActiveProcessLinks: The doubly linked listing that bondage together active processes on the machine. Nearly APIs on a running system rely on walking this listing.

  we can admission all the process using ActiveProcessLinks

• SessionProcessLinks: Some other doubly linked list that chains together processes in the same session.

• InheritedFromUniqueProcessId: An integer that specifies the PID of the parent process. After a procedure is running, this member is not modified, even if its parent terminates.

• Session: This member points to the _MM_SESSION_SPACE structure (see Chapter xiv) that stores information on a user'southward logon session and graphical user interface (GUI) objects.

• ImageFileName: The filename portion of the process' executable. This field stores the first xvi ASCII characters, so longer filenames will appear truncated. To go the total path to the executable, or to see the Unicode proper name, you tin access the respective VAD node or members in the PEB (come across Chapter 7).

• ThreadListHead: A doubly linked list that chains together all the process' threads (each list element is an _ETHREAD).

• ActiveThreads: An integer indicating the number of active threads running in the process context. Seeing a process with null active threads is a good sign that the process has exited.

• Peb: A pointer to the Process Environment Block (PEB). Although this member (_EPROCESS.Peb) exists in kernel fashion, it points to an accost in user fashion. The PEB contains pointers to the process' DLL lists, current working directory, command line arguments, environment variables, heaps, and standard handles.

• VadRoot: The root node of the VAD tree. Information technology contains detailed information virtually a process' allocated memory segments, including the original access permissions (read, write, execute) and whether a file is mapped into the region.

>> Procedure Organisation

The _EPROCESS structure contains a _LIST_ENTRY construction called ActiveProcessLinks.

The _LIST_ENTRY structure contains ii members:

• Flink (forrad link) that points to the _LIST_ENTRY of the next _EPROCESS structure
• Blink (backward link) that points to the _LIST_ENTRY of the previous _EPROCESS structure.

_LIST_ENTRY structures:

Review:

To list processes, Volatility first locates the kernel debugger data block ( _KDDEBUGGER_DATA64). From in that location, it accesses the PsActiveProcessHead member, which points to the head of the doubly linked listing of _EPROCESS structures.

We likewise discussed the pool-scanning approach in Chapter 5.

In this chapter, we present many other ways to detect processes in a memory dump. It is important to implement alternative methods because the debugger information cake, the linked-list pointers, and the pool tags are all nonessential to Bone stability—which ways they can exist manipulated (accidentally or intentionally) to defeat forensic tools without disrupting the system or its processes.

>> Disquisitional System Processes

if you lot know what's normal, you lot can notice what'due south abnormal more rapidly

Then for now nosotros'll just focus on the theoretical concepts of how things should appear on make clean systems.

• Idle and System: These are not real processes (in the sense that they have no corresponding executable on disk). Idle is just a container that the kernel uses to charge CPU time for idle threads. Similarly, System serves equally the default dwelling for threads that run in kernel mode. Thus, the Arrangement process (PID iv) appears to own whatever sockets or handles to files that kernel modules open up.
• csrss.exe: The client/server runtime subsystem plays a role in creating and deleting processes and threads. It maintains a individual listing of the objects that y'all can utilize to cross-reference with other data sources.
• services.exe: The Service Control Manager (SCM) in curt, information technology manages Windows services and maintains a listing of such services in its individual retentiveness space. This process should be the parent for whatsoever svchost.exe (service host) instances that you see, in addition to processes such equally spoolsv.exe and SearchIndexer.exe that implement services. There should be only one copy of services.exe on a system, and it should exist running from the system32 directory.
• svchost.exeast: A make clean arrangement has multiple shared host processes running meantime, each providing a container for DLLs that implement services. As previously mentioned, their parent should be services.exe, and the path to their executable should point to the system32 directory. In his weblog, Patrick identifies a few of the common names (such equally scvhost.exe and svch0st.exe) used by malware to blend in with these processes.
• lsass.exe: The local security authority subsystem process is responsible for enforcing the security policy, verifying passwords, and creating admission tokens. As such, information technology's often the target of code injection because the plaintext password hashes can be found in its private memory infinite. There should be only 1 case of lsass.exe running from the system32 directory, and its parent is winlogon.exe on pre-Vista machines, and wininit.exe on Vista and later systems. Stuxnet created two fake copies of lsass.exe, which caused them to stick out like a sore thumb.
• winlogon.exe : This process presents the interactive logon prompt, initiates the screen saver when necessary, helps load user profiles, and responds to Secure Attention Sequence (SAS) keyboard operations such every bit CTRL+ALT+DEL. Also, this process monitors files and directories for changes on systems that implement Windows File Protection (WFP). As with most other critical processes, its executable is located in the system32 directory.
• explorer.exe: You lot'll encounter i Windows Explorer process for each logged-on user. Information technology is responsible for handling a diversity of user interactions such equally GUI-based folder navigation, presenting the outset carte du jour, so on. Information technology also has access to sensitive material such as the documents you open up and credentials y'all utilise to log in to FTP sites via Windows Explorer.
• smss.exe: The session manager is the outset existent user-mode procedure that starts during the kicking sequence. It is responsible for creating the sessions (see Chapter 14) that isolate Os services from the various users who may log on via the console or Remote Desktop Protocol (RDP).

>> Analyzing Procedure Activity*

• pslist finds and walks the doubly linked list of processes and prints a summary of the data. This method typically cannot show you terminated or hidden processes.
• pstree takes the output from pslist and formats information technology in a tree view, and so you lot tin can easily see parent and child relationships.
• psscan scans for _EPROCESS objects instead of relying on the linked list. This plugin can also discover terminated and unlinked (hidden) processes.
• psxview locates processes using alternate procedure listings, and so you tin can then cross-reference different sources of information and reveal malicious discrepancies.

>> Process Tree Visualizations

1 2 3 4 five

python vol.py psscan –f simple007.mem --contour=Win7SP1x64 --output=dot --output-file=processes.dot ⚙ chuqiz@Narny-half-dozen => ~/Downloads/graphviz-2.forty.i => dot -Tsvg -o ~/tree.svg ~/Desktop/processes.dot

Tree likes below：

>> Detecting DKOM Attacks

Many attacks are possible with Direct Kernel Object Manipulation (DKOM), only i of the most common is hiding a procedure by unlinking its entry from the doubly linked list. To attain this, overwrite the Flink and Blink pointers of surrounding objects so that they point effectually the _EPROCESS structure of the process to hide. Tools that execute on a running organisation and Volatility's pslist control are susceptible to this assail, because they rely on the linked list. However, the psscan plugin uses the puddle-scanning approach.

Process Cantankerous-View Plugin

The psxview plugin enumerates processes in seven unlike means: the active process linked listing and the 6 methods previously identified. Thus, it's unlikely that a rootkit tin can successfully hide from psxview.

> Process Tokens

A process' token describes its security context. This context includes security identifiers (SIDs) of users or groups that the process is running every bit and the various privileges (specific tasks) that it is allowed to perform.

When the kernel needs to decide whether a process can access an object or call a particular API, information technology consults data in the process' token.

>> Information Structures

The _TOKEN structure is large, so nosotros won't brandish all the members.

and below:

• UserAndGroupCount: This integer stores the size of the UserAndGroups assortment.

• UserAndGroups: An assortment of _SID_AND_ATTRIBUTES structures associated with the token. Each element in the assortment describes a different user or grouping that the process is a member of. The Sid member of _SID_AND_ATTRIBUTES points to a _SID construction, which has IdentifierAuthority and SubAuthority members that you tin can combine to form the Due south-ane-5-[snip] SID strings.

• PrivilegeCount (Windows XP and 2003 only): This integer stores the size of the Privileges array.

• Privileges (Windows XP and 2003): An array of _LUID_AND_ATTRIBUTES structures

  that each describe a unlike privilege and its attributes (that is, nowadays, enabled, enabled past default).

• Privileges (Windows Vista and later): This is an instance of _SEP_TOKEN_PRIVILEGES, which has three parallel 64-bit values (Present, Enabled, EnabledByDefault). The fleck positions correspond to particular privileges, and the values of the bit (on or off) describe the privilege's status.

>> Accessing Tokens

On a live machine, a process can access its ain token through the OpenProcessToken API. To enumerate the SIDs or privileges, it can and then use GetTokenInformation with the desired parameters.

With administrator access, it tin besides query (or set) the tokens of other users' processes, including the organization-disquisitional ones. Of course, existing tools already provide this type of functionality for yous, such equally Sysinternals Process Explorer.

This instance of explorer.exe belongs to a user named Jimmy, whose SID string is S-1-5-21-[snip]-1000. By analyzing the other SIDs in this process' token, yous tin can encounter it's too in the Everyone, LOCAL, and NT Authorization\Authenticated Users groups.

>> Extracting and Translating SIDs in Memory

at that place are User SIDs such as S-1-5-21-4010035002-774237572-2085959976-1000. These SIDs intermission downwardly into the following components:

• Southward: Prefix indicating that the string is a SID
• one: The revision level (version of the SID specification) from _SID.Revision
• v: The identifier authority value from _SID.IdentifierAuthority.Value
• 21-4010035002-774237572-2085959976: The local computer or domain identifier from the _SID.SubAuthority values
• thousand: A relative identifier that represents any user or group that doesn't exist by default

You can map the SID cord to a username by querying the registry:

1	python vol.py -f memory.img --profile=Win7SP0x86 printkey -Chiliad "Microsoft\Windows NT\CurrentVersion\ProfileList\Due south-1-five-21-4010035002-774237572-2085959976-1000"

>> Detecting Lateral Motion

If y'all demand to acquaintance a procedure with a user account or investigate potential lateral movement attempts, use the getsids plugin.

1 2 3 4 5 vi

$ python vol.py –f grrcon.img --profile=WinXPSP3x86 getsids –p 1096 explorer.exe: Southward-1-v-21-2682149276-1333600406-3352121115-500 (administrator) explorer.exe: S-1-5-21-2682149276-1333600406-3352121115-513 (Domain Users) explorer.exe: S-1-1-0 (Everyone) explorer.exe: South-1-5-32-545 (Users) explorer.exe: S-1-5-32-544 (Administrators) explorer.exe: S-i-5-iv (Interactive) explorer.exe: S-ane-5-11 (Authenticated Users) explorer.exe: S-1-5-5-0-206541 (Logon Session) explorer.exe: S-1-2-0 (Local (Users with the ability to log in locally)) explorer.exe: South-one-five-21-2682149276-1333600406-3352121115-519 (Enterprise Admins) explorer.exe: South-ane-5-21-2682149276-1333600406-3352121115-1115 explorer.exe: S-1-5-21-2682149276-1333600406-3352121115-518 (Schema Admins) explorer.exe: South-1-5-21-2682149276-1333600406-3352121115-512 (Domain Admins)

This control shows the SIDs associated with explorer.exe for the current logged-on user.

> Privileges

Privileges are another disquisitional component involved in security and admission control. A privilege is the permission to perform a specific task, such as debugging a procedure, shutting downwards the computer, changing the time zone, or loading a kernel driver.

Before a procedure tin can enable a privilege, the privilege must be present in the process' token. Administrators determine which privileges are present by configuring them in the Local Security Policy (LSP),

You tin can access the LSP by going to Start ➪ Run and typing SecPol.msc:

In English:

From a forensic perspective, yous should be most concerned with the following privileges when they've been explicitly enabled:

• SeBackupPrivilege: This grants read access to any file on the file system, regardless of its specified admission control list (ACL). Attackers can leverage this privilege to copy locked files.

• SeDebugPrivilege: This grants the ability to read from or write to another process' private retention space. Information technology allows malware to bypass the security boundaries that typically isolate processes. Practically all malware that performs code injection from user fashion relies on enabling this privilege.

• SeLoadDriverPrivilege: This grants the ability to load or unload kernel drivers.

• SeChangeNotifyPrivilege: This allows the caller to register a callback part that gets executed when specific files and directories change. Attackers can use this to make up one's mind immediately when 1 of their configuration or executable files are removed by antivirus or administrators.
• SeShutdownPrivilege: This allows the caller to reboot or shut down the arrangement. Some infections, such as those that modify the Master Kick Tape (MBR) don't activate until the next time the organisation boots. Thus, you lot'll often come across malware trying to manually speed up the procedure past invoking a reboot.

>> Analyzing Explicit Privileges

Here'southward the output of the Volatility privs plugin. Yous'll see the privilege name forth with its attributes (present, enabled, and/or enabled by default):

1	python vol.py -f grrcon.img privs -p 1096

and below:

Yous tin can meet several privileges present in the output. Only half-dozen of them are enabled, simply three are enabled by default.

> Process Handles

A handle is a reference to an open instance of a kernel object, such every bit a file, registry key, mutex, process, or thread.

By enumerating and analyzing the specific objects a process was accessing at the fourth dimension of a memory capture, information technology is possible to go far at a number of forensically relevant conclusions—such as what process was reading or writing a detail file, what procedure accessed one of the registry run keys, and which process mapped remote file systems.

>> Lifetime of a Handle

Before a process tin access an object, it first opens a handle to the object by calling an API such as CreateFile, RegOpenKeyEx, or CreateMutex. These APIs render a special Windows information type called HANDLE, which is just an index into a process-specific handle table.

For case, when you call CreateFile,

a pointer to the corresponding _FILE_OBJECT in kernel memory is placed in the first available slot in the calling process' handle table, and the respective alphabetize (such as 0x40) is returned. Additionally, the handle count for the object is incremented. The calling process and so passes the HANDLE value to functions that perform operations on the object, such as reading, writing, waiting, or deleting. Thus, APIs such every bit ReadFile and WriteFile work in the following mode:

1. Notice the base address of the calling process' handle tabular array.
2. Seek to alphabetize 0x40.
3. Retrieve the _FILE_OBJECT pointer.
4. Bear out the requested functioning.

When a procedure is finished using an object, information technology should shut the handle by calling the advisable part (CloseHandle, RegCloseHandle, and so on). These APIs decrement the object's handle count and remove the pointer to the object from the process' handle tabular array.

❓WHY USE HANDLE TABLE MODEL❓

The handle tabular array model was designed for both convenience and security.

• It's convenient because you don't have to laissez passer the full proper noun or path of an object each time yous perform an functioning—only when y'all initially open up or create the object.
• For security purposes, it also helps to conceal the addresses of objects in kernel memory. Because processes in user mode should never direct access kernel objects, there's no reason why they would need the pointers.
• Furthermore, the model provides a centralized way for the kernel to monitor access to kernel objects, thus giving it the take chances to enforce security based on SIDs and privileges.

>> Reference Counts and Kernel Handles

And so far in this section, we've been referring to processes every bit the entities that interact with objects via handles.

However, kernel modules, or threads in kernel manner, can telephone call the equivalent kernel APIs (i.e., NtCreateFile, NtReadFile, NtCreateMutex) in a like manner. In this case, the handles are allocated from the Organization (PID four) process' handle table.

Thus, when you dump the handles of the System process, you're actually seeing all the currently open resources requested by kernel modules.

• Even if handles are closed, and references are released, in that location'south all the same a run a risk that you lot tin can detect the objects by scanning the physical accost space (every bit described in Affiliate v).

• Of course, they wouldn't be associated with a process' handle table at that signal, merely their presence in RAM can still lend clues to your investigations.

  Likewise, subsequently a process terminates, its handle table is destroyed, merely that doesn't mean all objects created by the procedure are destroyed at the aforementioned time.

>> Handle Table Internals

Each process' _EPROCESS.ObjectTable fellow member points to a handle tabular array ( _HANDLE_TABLE). This structure has a TableCode that serves 2 critical purposes:

• It specifies the number of levels in the table.
• It points to the base of operations accost of the first level.

All processes start out with a single-level table, which is shown in Figure six-12. The table size is one page (4096 bytes), and this scheme allows for up to 512 handles on a 32-bit system or 256 on a 64-bit system. Indexes in the table contain _HANDLE_TABLE_ENTRY structures if they're in employ; otherwise, they're zeroed out.

Also, in that location are ii-level even three-level table.

You lot tin can prototype information technology every bit Page Directory and Page Table Entry and so on.

>> Data Structures

and below:

Some key points for _HANDLE_TABLE:

• TableCode: This value tells y'all the number of levels in the table and points to the address of the top-level table. The dual purpose is achieved using a bit mask of vii (7). For example, to obtain the number of tables, you can compute TableCode & 7; and to obtain the accost, you can compute TableCode & ~7.
• QuotaProcess : A pointer to the process to which the handle table belongs. It can come up in handy if you find handle tables using the pool-scanning approach described in Chapter 5 rather than enumerating processes and following their ObjectTable pointer.
• HandleTableList: A linked list of procedure handle tables in kernel retentiveness. Yous tin use it to locate other handle tables—potentially even those for processes that have been unlinked from the procedure list.
• HandleCount: The total number of handle table entries that are currently in use by the process. This field was removed starting in Windows 8 and Server 2012.

Some fundamental points for _HANDLE_TABLE_ENTRY:

• Object: This member points to the _OBJECT_HEADER of the corresponding object. The _EX_FAST_REF is a special data type that combines reference count data into the least meaning bits of the pointer.

• GrantedAccess: A bit mask that specifies the granted access rights (read, write, delete, synchronize, etc.) that the owning process has obtained for the object.

> Enumerating Handles in Retention*

The Volatility handles plugin generates output by walking the handle tabular array data structures. In that location are a few filtering options:

• Filter by procedure ID: You can pass ane or more (comma-separated) procedure IDs to the -p/--pid option.

• Filter by process get-go: You can supply the concrete get-go of an _EPROCESS structure to the -o/--start pick.

• Filter by object blazon: If you lot're interested in only a particular type of object, such every bit files or registry keys, you lot tin specify the appropriate name(s) to the -t/--object-type pick. See Chapter five or enter !object \ObjectTypes into Windbg to see the full listing of object types.

• Filter past name: Not all objects have names. Unnamed objects are obviously useless when searching for indicators by name, and so one way to reduce racket is to use the --silent option, which suppresses handles to unnamed objects.

1	python vol.py -f zeus.vmem --profile=WinXPSP3x86 -p 632 handles

and below:

Every bit shown in the next example, you can limit your search to files and mutexes opened by PID 632 and ignore unnamed objects:

ane 2 3

python vol.py -f zeus.vmem --profile=WinXPSP3x86 -p 632 handles -t File,Mutant --silent

Y'all see the user.ds and local.ds files, which contain the configuration and stolen data. The sdra64.exe file in the system32 directory is the initial Zeus installer.

ou likewise may observe several open handles to \Device\Tcp and \Device\Ip. These are manifestly different from the handles to files prefixed with \Device\HarddiskVolume1.

Specifically, Tcp and Ip are not files on the car's hard bulldoze. This is described in Chapter eleven, but what you lot're essentially seeing are artifacts of network sockets that the process creates. Although sockets aren't files, they support similar operations such as opening, reading, writing, and deleting. As a result, the same handle/descriptor subsystem can service both files and network sockets.

Along the same lines, named pipes are as well represented as file objects. Thus, if malware creates a named pipage for interprocess communication or to redirect output of a backdoor command beat out into a file, you can determine which processes are involved in that activeness, provided that you lot know the proper noun of the pipage information technology creates. In this case, it's easy to identify because the name of the pipe that Zeus uses is the same as the standard mutex it creates to mark its presence on systems ( _AVIRA_).

>> Detecting Registry Persistence

Malware oft leverages the registry for persistence. To write the pertinent values, the malicious procedure must first open a handle to the desired registry key.

y'all'll see how obvious it is when malware chooses a well-known location (such every bit the Run key) and also suffers from a handle leak. Y'all should not just recognize the registry fundamental name but also the fact that you have numerous open handles to the same fundamental.

1 2 three

python vol.py -f laqma.mem --profile=WinXPSP3x86 handles --object-type=Key --pid=1700

The process has almost xx open handles to the RUN central (non all are shown). This is indicative of a issues in the code that fails to close its handles after opening them.

Of course, the artifacts won't always be this obvious, and just considering a handle to a key is open, that doesn't hateful the process added values.

Still, you can always confirm your suspicions by using the printkey plugin (run across Chapter x) to wait at the bodily data that the fundamental contains:

1	python vol.py -f laqma.mem printkey -1000 "MICROSOFT\WINDOWS\CURRENTVERSION\RUN"

Based on their names, the final 2 entries seem suspicious—they crusade lanmanwrk.exe and KernelDrv.exe to offset automatically at each boot.

>> Identifying Remote Mapped Drives

Many adversaries rely on commands such as net view and net use to explore the surrounding network and map remote drives.

Obtaining read admission to a company's Server Message Block (SMB) file server or write access to various other workstations or servers in an enterprise can pb to successful lateral movement.

• The post-obit example shows how an attacker navigates the network to mount two remote drives. The Users directory of a arrangement named WIN-464MMR8O7GF is mounted on P, and the C$ share of a organization named LH-7J277PJ9J85I is mounted at Q:

• The flim-flam to finding evidence of remote mapped drives in memory is to look for file handles prefixed with \Device\Mup and \Device\LanmanRedirector:

  MUP, which stands for Multiple Universal Naming Convention (UNC) Provider, is a kernel-style component that channels requests to access remote files using UNC names to the advisable network redirector. In this case, LanmanRedirector handles the SMB protocol.

one	python vol.py -f hop.mem --profile=VistaSP2x64 handles -t File | grep Mup

Y'all have several evidently handles to \Device\Mup (they are normal). The few in assuming are the ones you lot should notice interesting because they actually display the local drive letter, the remote NetBIOS proper noun, and the share or file system path name.

There are also 2 different process IDs shown: 752 and 1544. In this case, 752 is the example of svchost.exe that runs the LanmanWorkstation service; it creates and maintains client network connections to remote servers using the SMB protocol. PID 1544 is the cmd.exe shell, and information technology has a handle to C$\Users\Jimmy\Documents as a issue of the attacker irresolute into that directory.

lockettawalinis1955.blogspot.com

Source: https://icegrave0391.github.io/2020/03/08/memfor-6/

Share this post