Dailydave mailing list archives
Re: Memory, Elephantine
From: Dave Aitel <dave () immunityinc com>
Date: Sat, 04 Mar 2006 11:39:33 -0500
So the web page is pretty but..uh...how does it work! :> The user pre-installs some sort of program? It remotely installs via SMB/FTP? You install it manually off a USB drive? It's a kernel driver? It just cats /dev/memory and then the server parses that? How does it handle swap files? Sending data over the wire can be rather slow, does it optimize it with a hashing algorithm?
You guys should release it at Syscon...you can eat Sting-Ray in Singapore. And they have good beer. :>
-dave

Nick Petroni wrote:
> While on the topic of memory forensics, the Python enthusiasts in the crowd may be interested in a new extensible research framework for analyzing volatile memory images that we will be releasing at an upcoming (yet to be determined) venue. For more information, check out:
>
> http://www.4tphi.net/fatkit/
>
> peace,
> nick
>
> On Fri, 3 Mar 2006, Dave Aitel wrote:
>> -----BEGIN PGP SIGNED MESSAGE-----
>> Hash: SHA1
>>
>> I think it's interesting that Mandiant (aka RedCliff) released a memory forensics tool recently (http://www.mandiant.com/features.htm) - this is also something we see people doing a lot more with CANVAS these days. The main benefits of using an exploitation framework for such things are that:
>>
>> 1. We can use the same exploitation path an attacker would use to obtain access to the machine. This means we're completely in memory and haven't messed up the disk at all. (Or we can remotely install as a service, copy a file over, whatever.)
>>
>> 2. You get the power of MOSDEF for doing the hard work...i.e. you can inject into processes, grab all the memory on the system from every process, etc. Of course, the downside is that you have to use MOSDEF to do the hard work. :>
>>
>> The other side of the story is that as an exploitation framework, you now need to clean/encrypt memory up as you go along. And you can do "remote forensics" as you go - I can look at other processes and see if someone else is also using CANVAS or anything similar on this box...
>>
>> - -dave
>> -----BEGIN PGP SIGNATURE-----
>> Version: GnuPG v1.4.1 (GNU/Linux)
>> Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org
>>
>> iD8DBQFECH9pB8JNm+PA+iURAvJpAJ48qV13TcPpRiFXXu1yWCsffoQxpQCcDOBf
>> 37ykn9FpdVIJbVClewwiKLo=
>> =lYqp
>> -----END PGP SIGNATURE-----
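Editor's added example for the transfer question raised in the message above ("does it optimize it with a hashing algorithm?"). This is illustration code written for this page, not code from CANVAS, MOSDEF, FATKit or Mandiant's tool, and the thread does not say how any of those move memory. Everything in it is assumed: the 4096-byte page granularity, SHA-256 as the digest, the record format, the `acquire`/`Collector`/`transfer` names and the constructed sample image. It shows the part of the design the hashing idea buys you: the acquiring side hashes each page and only ships pages whose digest the collector has not yet seen, so the zero and repeated pages that dominate a live image cost a 32-byte digest each instead of a full page, and a second snapshot of the same box costs only the pages that changed. It says nothing about how the pages are obtained (/dev/mem, a driver, an injected agent) or about swap, which the thread leaves open.

```python
"""Page-level, hash-deduplicated memory transfer (added example, not any
tool's real protocol). Page size, digest, record layout and sample data are
all assumptions for illustration."""
import hashlib
from typing import Dict, Iterator, List, Optional, Set, Tuple

PAGE_SIZE = 4096   # assumed transfer granularity (one x86 page)
DIGEST = "sha256"  # assumed hash; it must be collision resistant, because a
                   # colliding page would silently replace another on the
                   # collector's side

# One transfer record: (page index, digest, page bytes or None when the
# collector already holds a page with this digest).
Record = Tuple[int, bytes, Optional[bytes]]


def split_pages(image: bytes) -> List[bytes]:
    """Split a raw image into PAGE_SIZE chunks (the last may be short)."""
    return [image[i:i + PAGE_SIZE] for i in range(0, len(image), PAGE_SIZE)]


def acquire(image: bytes, known: Optional[Set[bytes]] = None) -> Iterator[Record]:
    """Target side: hash every page and ship bytes only for digests the
    collector does not hold yet. `known` starts as the digests the collector
    already has (e.g. from an earlier snapshot of the same box) and grows as
    we go, so repeats inside one image are also sent once."""
    known = set() if known is None else known
    for idx, page in enumerate(split_pages(image)):
        digest = hashlib.new(DIGEST, page).digest()
        if digest in known:
            yield idx, digest, None
        else:
            known.add(digest)
            yield idx, digest, page


class Collector:
    """Server side: rebuild the image from records, count bytes on the wire."""

    def __init__(self) -> None:
        self.store: Dict[bytes, bytes] = {}   # digest -> page content
        self.pages: Dict[int, bytes] = {}     # page index -> page content
        self.wire_bytes = 0

    def begin_snapshot(self) -> None:
        self.pages = {}   # fresh page map; the digest store is kept

    def receive(self, rec: Record) -> None:
        idx, digest, data = rec
        self.wire_bytes += len(digest)
        if data is not None:
            # Re-hash before trusting: a corrupted or lying sender must not
            # be able to poison the digest store for every later page.
            if hashlib.new(DIGEST, data).digest() != digest:
                raise ValueError(f"page {idx}: digest mismatch")
            self.store[digest] = data
            self.wire_bytes += len(data)
        elif digest not in self.store:
            raise KeyError(f"page {idx}: reference to a digest never received")
        self.pages[idx] = self.store[digest]

    def image(self) -> bytes:
        return b"".join(self.pages[i] for i in sorted(self.pages))


def transfer(image: bytes, collector: Optional[Collector] = None) -> Tuple[bytes, int]:
    """Run one acquisition end to end against a new or reused collector;
    return (rebuilt image, bytes sent for this image). Reusing the collector
    models a second snapshot of the same box."""
    c = Collector() if collector is None else collector
    before = c.wire_bytes
    c.begin_snapshot()
    for rec in acquire(image, set(c.store)):
        c.receive(rec)
    return c.image(), c.wire_bytes - before


def sample_image() -> bytes:
    """Constructed 16-page image: 8 zero pages, 4 copies of one filled page
    and 4 distinct pages, roughly the mix a live image shows."""
    zero = bytes(PAGE_SIZE)
    fill = b"\xaa\x55" * (PAGE_SIZE // 2)
    uniq = [bytes([0x10 + i]) * PAGE_SIZE for i in range(4)]
    layout = [zero, zero, zero, zero,
              fill, uniq[0], zero, fill, uniq[1], zero,
              fill, zero, uniq[2], fill, zero, uniq[3]]
    return b"".join(layout)


if __name__ == "__main__":
    img = sample_image()
    rebuilt, sent = transfer(img)
    print(f"raw {len(img)} bytes, sent {sent} bytes, intact={rebuilt == img}")
```

On the constructed image only 6 of 16 pages cross the wire (about 25 KB instead of 64 KB), and a repeat acquisition against the same collector sends 16 digests and nothing else. The collector re-hashes every page before storing it so that one bad record cannot poison the store for every later reference to that digest.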
Current thread:
- Memory, Elephantine Dave Aitel (Mar 03)
- Re: Memory, Elephantine Nick Petroni (Mar 03)
- Re: Memory, Elephantine Dave Aitel (Mar 04)
- Re: Memory, Elephantine Nick Petroni (Mar 04)
- Re: Memory, Elephantine jnf (Mar 04)
- Re: Memory, Elephantine AAron Walters (Mar 06)
- Re: Memory, Elephantine Julien TINNES (Mar 04)
- Re: Memory, Elephantine Matt Conover (Mar 06)
- Re: Memory, Elephantine Dave Aitel (Mar 04)
- Re: Memory, Elephantine Nick Petroni (Mar 03)