I've released lsproc.exe to the WindowsIR site on SourceForge. This is a small tool that parses through a dd.exe-style dump of physical memory (RAM) from a Windows 2000 system, locating EPROCESS blocks. The program prints out some information about each process, as shown here (an excerpt from the output of lsproc.exe, run against the first DFRWS 2005 Memory Challenge dump file):
Type PPID PID Name Offset FLink BLink
---- ---- --- ---- ------ ----- -----
Proc 228 672 WinMgmt.exe 0x0017dd60 0xff1bab80 0xff22f820
Proc 820 324 helix.exe 0x00306020 0xff0e4e00 0xff16e460
Proc 0 0 Idle 0x0046d160 0x00000000 0x00000000
Proc 600 668 UMGR32.EXE 0x0095f020 0xff1916e0 0xff191ce0
Proc 324 1112 cmd2k.exe 0x00dcc020 0xff0dae00 0xff0e4e00
Proc 668 784 dfrws2005.exe(x)0x00e1fb60 0x00000000 0x00000000
Proc 156 176 winlogon.exe 0x01045d60 0xff29d120 0xfcc69520
Proc 156 176 winlogon.exe 0x01048140 0xff29f520 0xfcc6c3a0
Proc 144 164 winlogon.exe 0x0104ca00 0xff2ae0c0 0xfcc7abe0
Proc 156 180 csrss.exe 0x01286480 0xfca28e00 0xfcc99360
Proc 144 168 csrss.exe 0x01297b40 0xfca2faa0 0xfcca50c0
Proc 8 156 smss.exe 0x012b62c0 0xfcc69520 0xfce00d00
Proc 0 8 System 0x0141dc60 0xfcc99360 0x8046b980
Proc 668 784 dfrws2005.exe(x)0x016a9b60 0x00000000 0x00000000
Proc 1112 1152dd.exe(x) 0x019d1980 0x00000000 0x00000000
Sorry about any issues with formatting...however, I have included the complete output from the first dump in the zipped archive provided at SourceForge.
Notice that some of the process names are appended with "(x)". This indicates that the process has exited; this also accounts for why the FLink and BLink values are 0x00 in those cases.
Lsproc.exe works by opening the dump file in binary mode, and searching through that file one DWORD (a DWORD is 4 bytes) at a time. On Windows 2000, the EPROCESS block (as well as the ETHREAD structure) has a specific signature, so by locating that signature and then performing certain follow-on checks, we can locate these structures. Again, lsproc.exe doesn't retrieve *all* of the data about the process...we're leaving that for other tools.
This will be the first of several tools for retrieving information from these dumps. The follow-on tools will make use of the information displayed in the output of lsproc.exe. I wanted to separate the process of searching for processes from the process of gathering process details, as the search can take a while. Once the offset to an EPROCESS block is located, dumping the process environment, memory pages, and image are relatively straightforward.
As with previous tools, this one is (and the others to come) were created in Perl. The approach I've taken with these tools is to try to make them platform independant, meaning that even though the physical memory dump needs to be retrieved from a Windows 2000 system, the tools themselves don't need to be run on Windows. In fact, they can be run on Linux or even a Mac G5...so the analyst is not restricted to a specific analysis platform.
2 comments:
Thanks for posting your tools! Could you please add a version number to the filenames so that I can keep track? thanks,
Jesse,
Yeah, I'll do that.
Post a Comment