Dailydave mailing list archives
Re: Memory, Elephantine
From: Nick Petroni <npetroni () cs umd edu>
Date: Sat, 4 Mar 2006 11:53:43 -0500 (EST)
Sorry for the confusion, we'll be posting more details when time allows. The tool is meant for image *analysis*, so the assumption is you have used dd/helix/some fancy hardware/a CANVAS module to gain access to physical (or virtual) memory. You could also use /dev/mem etc. directly. The question we are trying to address is "What do you do once you have all of those bits? One of the primary features is to automate the low-level "this chunk of memory is a struct foo" part and allow you to write higher-level analyses. For example, our "list processes" function is 12 lines as opposed to dozens of lines of C that other approaches to this problem have taken. The idea is to allow for easy extension by writing routines to, for example, search for hidden processes, decrypt/brute force regions, etc. As for swap files, we're working on integrating that and other features. We'd be happy to discuss this more with those who are interested on/off list. thanks, nick On Sat, 4 Mar 2006, Dave Aitel wrote:
So the web page is pretty but..uh...how does it work! :> The user pre-installs some sort of program? It remotely installs via SMB/FTP? You install it manually off a USB drive? It's a kernel driver? It just cats /dev/memory and then the server parses that? How does it handle swap files? Sending data over the wire can be rather slow, does it optimize it with a hashing algorithm? You guys should release it at Syscon...you can eat Sting-Ray in Singapore. And they have good beer. :> -dave Nick Petroni wrote:While on the topic of memory forensics, the Python enthusiasts in the crowd may be interested in a new extensible research framework for analyzing volatile memory images that we will be releasing at an upcoming (yet to be determined) venue. For more information, check out: http://www.4tphi.net/fatkit/ peace, nick On Fri, 3 Mar 2006, Dave Aitel wrote:-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 I think it's interesting that Maniant (aka RedCliff) released a memory forensics tool recently (http://www.mandiant.com/features.htm) - this is also something we see people doing a lot more with CANVAS these days. The main benefits of using an exploitation framework for such things is that: 1. We can use the same exploitation path an attacker would use to obtain access to the machine. This means we're completely in memory and haven't messed up the disk at all. (Or we can remotely install as a service, copy a file over, whatever.) 2. You get the power of MOSDEF for doing the hard work...i.e. you can inject into processes, grab all the memory on the system from every process, etc. Of course, the downside is that you have to use MOSDEF to do the hard work. :> The other side of the story is that as an exploitation framework, you now need to clean/encrypt memory up as you go along. And you can do "remote forensics" as you go - I can look at other processes and see if someone else is also using CANVAS or anything similar on this box... - -dave -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.1 (GNU/Linux) Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org iD8DBQFECH9pB8JNm+PA+iURAvJpAJ48qV13TcPpRiFXXu1yWCsffoQxpQCcDOBf 37ykn9FpdVIJbVClewwiKLo= =lYqp -----END PGP SIGNATURE-----
Current thread:
- Memory, Elephantine Dave Aitel (Mar 03)
- Re: Memory, Elephantine Nick Petroni (Mar 03)
- Re: Memory, Elephantine Dave Aitel (Mar 04)
- Re: Memory, Elephantine Nick Petroni (Mar 04)
- Re: Memory, Elephantine jnf (Mar 04)
- Re: Memory, Elephantine AAron Walters (Mar 06)
- Re: Memory, Elephantine Julien TINNES (Mar 04)
- Re: Memory, Elephantine Matt Conover (Mar 06)
- Re: Memory, Elephantine Dave Aitel (Mar 04)
- Re: Memory, Elephantine Nick Petroni (Mar 03)