
List:       vol-users
Subject:    [Vol-users] Experimenting with notepad.exe
From:       brettcu () gmail ! com (Brett Cunningham)
Date:       2013-09-25 1:07:44
Message-ID: CAGopOzc2kT4L_DkdAWRZNv_36EAdaKX0Og0YKLQVpKqp_B+vYw () mail ! gmail ! com

I think you're looking to work with volshell. I did a presentation
based upon a lot of the Volatility developer's work:
http://www.irongeek.com/i.php?page=videos/derbycon2/brett-cunningham-beyond-strings-memory-analysis-during-incident-response


To understand how it all works, I read the Windows Sys Internals 5th
Edition's chapter on memory management. I would 100% consider that to
be the greatest resource for mem management in Windows.

On Mon, Sep 23, 2013 at 4:46 PM, Adam Bridge <adam.bridge@yahoo.com> wrote:
> Hi Jesse,
> 
> I've been plodding on with this and am fishing for the next tip!
> 
> I'm happy that every time a process calls VirtualAlloc, it gets a new
> entry in the VAD tree. And I'm happy with the VAD tree being a binary
> tree structure.
> 
> Using Volatility I did:
> $ python vol.py -f ~/memtest/win7.raw --profile=Win7SP1x86 vaddump -D
> ~/memtest/292-vads -p 292
> (292 being the pid of notepad.exe)
> 
> Then I was able to find the particular VAD entry that contained my text:
> $ grep "i.-.t.y.p.e.d.-." ~/memtest/292-vads/*
> Binary file 292-vads/notepad.exe.1ef08030.0x00120000-0x0021ffff.dmp matches
> 
> By opening this dmp file in a hex editor I found my string at offset
> 0x1dab8.
> Interestingly, I repeated this process for two other notepad processes
> and in both cases the text could be found at the same offset.
> 
> I was surprised that the offset was the same in all three cases because
> I know that in the latter two cases I'd done things in notepad I hadn't
> done in the first instance, for example, pasting from the clipboard.
> 
> Running the vadtree plugin against the three notepad processes I noticed
> a couple of things:
> - The root node always covered range: 0x75840000 - 0x75913fff.
> - The node containing my text wasn't always in the same position in the
> VAD tree. (It was for the first two, not for the third.)
> 
> I'm struggling with the next step.
> I'd really appreciate a suggestion as to what to go read about next!
> 
> Thank you,
> Adam
> 
> On 21/09/13 20:06, Adam Bridge wrote:
> > HaHa! Thanks Jesse!
> > 
> > Thank you for the hints - I'm just trying to get my head around walking
> > the VAD tree at the moment.
> > I'll be sure to ask you if I need some more assistance.
> > 
> > Hopefully down the line I'll write a mini-tutorial around this to share
> > with the list.
> > 
> > Adam
> > 
> > On 21/09/13 19:25, Jesse Kornblum wrote:
> > > Hi Adam,
> > > 
> > > Two hints, in progressive levels of practicality:
> > > 
> > > 1. When I tried to do this, I ended up falling down in a Heap.
> > > 
> > > 2. Memory allocated by a program is stored in the VADs.
> > > 
> > > If you're stuck, write back and I'll show you exactly how to do it!
> > > 
> > > Good luck,
> 
> --
> Have you sent me your PGP Public Key yet?
> 
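As an added example that is not part of this thread, the Python below automates the vaddump-then-grep step Adam described: it searches each dumped VAD for a UTF-16LE string (which is why the grep pattern in the thread needed a wildcard byte between characters) and converts the file offset back to a virtual address using the region start encoded in vaddump's filename. The sample dump directory, its contents and the text "i-typed-this" are constructed here; the filename format is taken from the grep output in the thread.

```python
import os
import re
import tempfile

# vaddump names each file <image>.<vad_offset>.<start>-<end>.dmp (see the
# grep output above); pull the region start out of the name.
VAD_NAME_RE = re.compile(r"\.(0x[0-9a-fA-F]+)-(0x[0-9a-fA-F]+)\.dmp$")

def find_text_in_vads(dump_dir, needle):
    """Return (filename, file_offset, virtual_address) for every hit."""
    # Notepad keeps its edit buffer as UTF-16LE, which is why the grep
    # pattern "i.-.t.y.p.e.d.-." (a wildcard byte between each ASCII char)
    # matched; encoding the needle the same way searches for exact bytes.
    pattern = needle.encode("utf-16-le")
    hits = []
    for name in sorted(os.listdir(dump_dir)):
        m = VAD_NAME_RE.search(name)
        if not m:
            continue
        vad_start = int(m.group(1), 16)
        with open(os.path.join(dump_dir, name), "rb") as f:
            data = f.read()
        pos = data.find(pattern)
        while pos != -1:
            # The dump is a linear copy of the VAD region, so the
            # virtual address is region start + offset within the file.
            hits.append((name, pos, vad_start + pos))
            pos = data.find(pattern, pos + 1)
    return hits

def build_sample_dump_dir():
    """Constructed sample: a fake notepad VAD dump with the string at
    offset 0x1dab8, the same offset reported in the thread."""
    d = tempfile.mkdtemp()
    name = "notepad.exe.1ef08030.0x00120000-0x0021ffff.dmp"
    buf = bytearray(0x1e000)  # truncated region, zero-filled
    text = "i-typed-this".encode("utf-16-le")
    buf[0x1dab8:0x1dab8 + len(text)] = text
    with open(os.path.join(d, name), "wb") as f:
        f.write(buf)
    # A second region (the root node range from the thread) with no hit.
    other = "notepad.exe.1ef08030.0x75840000-0x75913fff.dmp"
    with open(os.path.join(d, other), "wb") as f:
        f.write(bytes(0x1000))
    return d

if __name__ == "__main__":
    for name, off, va in find_text_in_vads(build_sample_dump_dir(), "i-typed-"):
        print(f"{name}: offset {off:#x} -> virtual address {va:#x}")
```

Comparing the returned virtual addresses across the three notepad processes, rather than raw file offsets, is the more meaningful check of whether the text really landed in the same place.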

