Dailydave mailing list archives

Re: Memory, Elephantine

From: Dave Aitel <dave () immunityinc com>
Date: Sat, 04 Mar 2006 11:39:33 -0500

So the web page is pretty but..uh...how does it work! :> The userpre-installs some sort of program? It remotely installs via SMB/FTP? Youinstall it manually off a USB drive? It's a kernel driver? It just cats/dev/memory and then the server parses that? How does it handle swapfiles? Sending data over the wire can be rather slow, does it optimizeit with a hashing algorithm?

You guys should release it at Syscon...you can eat Sting-Ray inSingapore. And they have good beer. :>


-dave


Nick Petroni wrote:

While on the topic of memory forensics, the Python enthusiasts in
the crowd may be interested in a new extensible research framework for
analyzing volatile memory images that we will be releasing at an upcoming
(yet to be determined) venue.

For more information, check out: http://www.4tphi.net/fatkit/

peace,
nick


On Fri, 3 Mar 2006, Dave Aitel wrote:

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

I think it's interesting that Maniant (aka RedCliff) released a memory
forensics tool recently (http://www.mandiant.com/features.htm) - this
is also something we see people doing a lot more with CANVAS these
days. The main benefits of using an exploitation framework for such
things is that:
1. We can use the same exploitation path an attacker would use to
obtain access to the machine. This means we're completely in memory
and haven't messed up the disk at all. (Or we can remotely install as
a service, copy a file over, whatever.)
2. You get the power of MOSDEF for doing the hard work...i.e. you can
inject into processes, grab all the memory on the system from every
process, etc.

Of course, the downside is that you have to use MOSDEF to do the hard
work. :>

The other side of the story is that as an exploitation framework, you
now need to clean/encrypt memory up as you go along. And you can do
"remote forensics" as you go - I can look at other processes and see
if someone else is also using CANVAS or anything similar on this box...

- -dave

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.1 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org

iD8DBQFECH9pB8JNm+PA+iURAvJpAJ48qV13TcPpRiFXXu1yWCsffoQxpQCcDOBf
37ykn9FpdVIJbVClewwiKLo=
=lYqp
-----END PGP SIGNATURE-----

Current thread:

Memory, Elephantine Dave Aitel (Mar 03)
- Re: Memory, Elephantine Nick Petroni (Mar 03)
  - Re: Memory, Elephantine Dave Aitel (Mar 04)
    - Re: Memory, Elephantine Nick Petroni (Mar 04)
  - Re: Memory, Elephantine jnf (Mar 04)
    - Re: Memory, Elephantine AAron Walters (Mar 06)
  - Re: Memory, Elephantine Julien TINNES (Mar 04)
    - Re: Memory, Elephantine Matt Conover (Mar 06)