Thursday, September 07, 2006

Extracting and authenticating files from RAM dumps

Andreas had an interesting post a while back regarding authenticating executable files reconstructed from RAM dumps (Andreas, can you enable comments in your blog?). In the post, Andreas talks about hashing only certain sections of an executable file, as when an executable file is reconstructed from a RAM dump, there are differences between it and the original file...but those differences only occur in certain sections.

Perhaps the easiest way to reach a concensus with regards to which sections to hash is to read the PE header, and locate the DWORD for the Characteristics for each section. If the section is writeable, don't hash it.

Has anyone tried using ssdeep to compare a reconstructed binary to the original? I ran it against the copy of dd.exe pulled from the first DFRWS 2005 Memory Challenge RAM dump file, and compared it to the original file, and got a 97% match.

1 comment:

Andreas Schuster said...

Harlan,

Sorry, the english blog still was in "travel mode" with trackbacks and comments disabled. It should work now, provided you're not posting from a netblock which has been blacklisted due to excess spam activity.

Cheers, Andreas