Monday, September 22, 2008

Updates regarding Analysis

There's always something new on the analysis front, isn't there? It seems that I'll go away on a gig for a week or simply not pay attention to what's happening in the community, and BAM! It gets kicked up a notch!

First off, Moyix posted an excellent explanation of how the Windows message queue can be used as a forensic resource during analysis of a memory dump. Reading through the post, it's clear that while this analysis technique might not always work and provide relevant information, we all know that there are enough "buggy" apps out there that it's worth using the Volatility plugin that Moyix wrote to pull this data and have a look. The Windows message queue can hold messages that haven't been processed by the system, giving the examiner a clue as to the activity on the system at one point. The messages are associated with threads, which can be associated with a process, tying that information to an executable image file and a user.

Also, at the end of the post, Moyix mentions the possibility of getting a screen capture from a memory dump!

Excellent work, Moyix...keep it up! Also, reader...keep an eye on Moyix's blog for new plugins to add to Volatility, and expand your capabilities.

From Moyix's blog, I linked on over to the SysInternals Forums to read about a proof-of-concept tool called CrsWalker, from Diablo. This is a very interesting read...even though further down the thread, it's clear that the method of detection used by the tool is/can be circumvented, it's very interesting to see the thought process that Diablo used to develop his code. I don't think it would be a bad idea at all to get a copy of this and run it along with other tools, such as GMER or AV scanning apps.

3 comments:

Claus Valca said...

You got a mention on SANS-ISC Handler's Diary:

More on tools/resources/blogs

Was for a previous post, but cool nevertheless.

You're giving me even more links to add to my pile when I get a chance to come up for air from all this Ike madness (and broadband gets restored at home)!

Congratulations!

--Claus V.

Keydet89 said...

Thanks, dude!

James said...

Diablo (aka EP_X0FF) has posted his article about using CSRSS's linked list on rootkit.com.

-jamie