Memory Analysis: Looking In The Eye Of The Bits. RECon 2010, by Assaf Nativ
Who am I?
Wandering in memory land (slide: a raw hex dump of process memory)
A hint...
Memory land (the same hex dump, repeated over three slides with highlighting)
MS SQL Server
MS SQL Server - User Info (three slides: a hex dump of a session structure, progressively annotated with the unicode strings found in it: 5993988: sa, 59939B8: master, 5993998: mypa55word)
MS Response: From our investigation it appears that to locate any of the authentication information administrator level privileges are required. This tends to fall under Rule 6 of the 10 Immutable Laws of Security ( http://www.microsoft.com/technet/archive/community/colu ) where basically you have to trust your administrators.
The Web Response
Passwordizer: Pass-what? How does it work? Current status
How does it work?
    session = ...
    INFO_OFFSETS = [0xe, 0x18, 0x1d4, 0x**, 0x**]  # MSSQL build #$%^
    info = mint.resolveOffsetsList(session, INFO_OFFSETS)[-1]
    # the user name field packs (length << 16) | offset into one dword
    username = mint.readDword(info + 0x28)
    username_len, username = (username >> 16, username & 0xffff)
    print('User name: %s' % mint.readString(info + username, isUnicode=True))
    password = mint.readDword(info + 0x2c)
    password_len, password = (password >> 16, password & 0xffff)  # the slide split the username dword here a second time
    print('Password: %s' % mint.readString(info + password, isUnicode=True))
    # Mint method and keyword names are written in camelCase here; the extracted text had lost their case
Current status: SQL Server 2000, SQL Server 2005, SQL Server 2008, SQL Server 2008 R2 (AKA: 2010)
Definition of Memory Software Analysis: recovering the internal implementation of a program by reading the memory of a running process, without disassembling machine code.
The Hedgehog connection: database activity monitoring
More reasons to read memory
  o Not everyone can do SRE, while everyone knows C++
  o It's a great new useful method
  o Avoiding conflicts with the law
Can be used for
  o Security / Monitoring
  o Debugging
  o Cheating in games
Wait a minute, this ain't new.
  o Game cheating engines
  o Analysis of crash dumps
The Environment
Tools for the task
  o Remote process memory reader
  o Python is just the best
  o PyDbg
  o Mint
  o Any other debugger
API needed
  o Read memory
  o Search
  o Differential search
  o Recursive search
  o Wandering around
Reading memory (four slides: the same hex dump starting at A76296C, annotated step by step as a linked list: Next and Prev pointers, Num items, and fields marked Don't Know)
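As an added example (not code from the talk, Mint or PyDbg), a Python stand-in for the reader API listed above: read and search dwords in a captured buffer, a differential search between two snapshots, and a walk along next pointers from the node the search leads to. The header layout, the base address 0x10000 and the session ids are constructed for the demonstration.

```python
import struct

BASE = 0x10000  # constructed load address of the snapshot

class SnapshotReader:
    """Stand-in for a remote process memory reader (not Mint), backed by a captured buffer."""
    def __init__(self, base, data):
        self.base, self.data = base, data
    def read_dword(self, addr):
        off = addr - self.base
        if not 0 <= off <= len(self.data) - 4:
            raise ValueError("address %#x is outside the snapshot" % addr)
        return struct.unpack_from("<I", self.data, off)[0]
    def search_dword(self, value):  # every aligned address holding value
        return [self.base + o for o in range(0, len(self.data) - 3, 4)
                if self.read_dword(self.base + o) == value]

def differential_search(before, after, old, new):
    """Addresses whose dword changed from old to new between two snapshots."""
    return [a for a in before.search_dword(old) if after.read_dword(a) == new]

def walk_list(reader, head, next_off, limit=64):
    """Follow next pointers from head until NULL, a cycle, or limit nodes."""
    seen, node = [], head
    while node and node not in seen and len(seen) < limit:
        seen.append(node)
        node = reader.read_dword(node + next_off)
    return seen

def build_snapshot(ids):
    """Constructed memory: header [count, head, tail] at BASE, nodes [next, prev, id] from BASE+0x100."""
    mem = bytearray(0x200)
    addrs = [BASE + 0x100 + 0x40 * i for i in range(len(ids))]
    for i, (a, nid) in enumerate(zip(addrs, ids)):
        nxt = addrs[i + 1] if i + 1 < len(addrs) else 0
        prv = addrs[i - 1] if i > 0 else 0
        struct.pack_into("<III", mem, a - BASE, nxt, prv, nid)
    struct.pack_into("<III", mem, 0, len(ids), addrs[0] if addrs else 0, addrs[-1] if addrs else 0)
    return SnapshotReader(BASE, bytes(mem))

def find_session_list():
    """The session count went 1 -> 2 after a second connection: locate it, then walk the list it heads."""
    before, after = build_snapshot([0x33]), build_snapshot([0x33, 0x34])
    counters = differential_search(before, after, 1, 2)
    head = after.read_dword(counters[0] + 4)  # the head pointer sits right after the count
    return counters, walk_list(after, head, 0)
```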
Recursive Search
Let's take a trip to memory land
What lives in the memory realm?
  o Pointers
  o Data
  o Text
  o Time stamp
  o Complete random
  o Code
Data types: Session data (three slides: the same hex dump of a session structure at 8B4354, first highlighting the Data fields, then the Pointers)
Where this memory belongs to
  o Data section
  o Code section
  o Stack
  o Heap
  o OS
Data types: Time stamp, Random (the same session-structure dump, highlighting the time stamp and the random-looking fields)
Data types: Code (slide: a hex dump of x86 code bytes)
Data types: Virtual table (slide: a hex dump of a virtual table, an array of function pointers, alongside the code bytes of a function it points to)
Example: Searching for the sessions table
Step 1 to Step F (slides: a step-by-step hex-dump walk; Step D shows a run of pointers spaced 0x10 apart, 37ea454 ... 37ea4f4)
What did we get?
  o A pointer to a table, set in a global address (in the data section)
  o All currently connected sessions
  o A struct with information about every session, such as session id, user name, password...
Version proofed: everything is lost with each new update
  o Is it?
  o Hardly ever, because when they add something to a class / struct they add it at the end
  o They hardly ever change the basic stuff
  o It just doesn't happen
Patterns
Automating Update Proof: let's say that there are changes in memory structures
  o The patterns survive
  o x86 vs AMD64 vs IA64 vs all the others
Candy: a Python environment to define memory patterns
  o Patterns of shape: Name, Range, Data type, Extra check function
Range: one of three
  1. End range, e.g. 0x1
  2. (start, end), e.g. (0x1, 0x2)
  3. (start, end, step), e.g. (0x1, 0x2, 4)
Data Types
  o NUMBER (const value / range / enum, size)
  o BUFFER (const value / anything goes, size)
  o STRING (null-terminated, is_unicode, is_printable, const value)
  o TIME_STAMP (datetime)
  o POINTER
  o POINTER_TO_STRUCT
  o STRUCT
  o ARRAY
Shape example
    SHAPE("name", (0x1, 0x2), STRING("RECon"))
Example of pattern (slide: a hex dump around the pssSlotsTable entry, with the string "Pss" visible)
Example of pattern
    Pattern = [
        SHAPE("pssSlotsTable", 0x1, POINTER_TO_STRUCT([
            SHAPE("next", 0, POINTER()),
            SHAPE("prev", 0, POINTER()),
            SHAPE("name", (0x5, 0x1), STRING("Pss"))]))]
    # Shape is (Name, Place, Data type, Extra check function)
Search on Windows 32bit
How about Solaris SPARC 64bit?
Example of complicated pattern (slide: a hex dump of the cache structure that Pattern #2 below matches)
Pattern #2
    Pattern = [
        SHAPE("cache", (0, 0x1), STRUCT([
            SHAPE("table_size", 0, NUMBER((0x1, 0x1))),
            SHAPE("table1", 0, POINTER()),
            SHAPE("table2", 0, POINTER(),
                  extracheck=lambda context: context.table2 == context.table1 + ((context.table_size + 1) * PSIZE))]))]
    # Shape is (Name, Place, Data type, Extra check function)
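An added Python model of the Candy shapes (not Candy's own code) that runs Pattern #2 over a constructed snapshot, so the extra check can be seen rejecting a decoy whose second table pointer does not fit the formula. The place semantics, the NUMBER range (1, 0x100), the base address 0x400000, a 32-bit PSIZE and the decoy layout are assumptions.

```python
import struct
from types import SimpleNamespace
PSIZE = 4  # pointer size; a 32-bit target process is assumed

def SHAPE(name, place, dtype, extracheck=None):  # (Name, Place, Data type, Extra check), as in Candy
    return (name, place, dtype, extracheck)
def _offsets(place):  # place semantics assumed: n -> 0..n, (s, e) -> s..e, (s, e, step); inclusive
    s, e, step = (0, place, PSIZE) if isinstance(place, int) else (tuple(place) + (PSIZE,))[:3]
    return range(s, e + 1, step)
def _in(v, rng):  # the value and its size when inside the inclusive range, else no match
    return (v, PSIZE) if rng[0] <= v <= rng[1] else None
def NUMBER(rng):  # dword whose value lies in rng
    return lambda mem, base, off, ctx: _in(struct.unpack_from("<I", mem, off)[0], rng)
def POINTER():  # dword that points somewhere inside the snapshot
    return lambda mem, base, off, ctx: _in(struct.unpack_from("<I", mem, off)[0], (base, base + len(mem) - 1))
def STRUCT(shapes):  # nested shapes matched in order; the value is a context object
    def read(mem, base, off, ctx):
        sub = SimpleNamespace(address=base + off)
        end = match_at(mem, base, shapes, off, sub)
        return (sub, end - off) if end is not None else None
    return read

def match_at(mem, base, shapes, pos, ctx):  # match shapes in order from pos; end offset or None
    for name, place, dtype, check in shapes:
        for off in _offsets(place):
            at = pos + off
            hit = dtype(mem, base, at, ctx) if at + PSIZE <= len(mem) else None
            if hit is not None:
                setattr(ctx, name, hit[0])
                if check is None or check(ctx):  # the extra check sees the fields matched so far
                    pos = at + hit[1]
                    break
                delattr(ctx, name)
        else:
            return None
    return pos

def search(mem, base, pattern):  # try the pattern at every aligned position; distinct matches only
    hits = []
    for pos in range(0, len(mem), PSIZE):
        ctx = SimpleNamespace()
        if match_at(mem, base, pattern, pos, ctx) is not None and ctx not in hits:
            hits.append(ctx)
    return hits

PATTERN = [SHAPE("cache", (0, 0x10), STRUCT([  # Pattern #2 from the slides; the ranges are constructed
    SHAPE("table_size", 0, NUMBER((1, 0x100))), SHAPE("table1", 0, POINTER()),
    SHAPE("table2", 0, POINTER(), extracheck=lambda c: c.table2 == c.table1 + (c.table_size + 1) * PSIZE)]))]

BASE, MEM = 0x400000, bytearray(0x100)  # constructed snapshot: a decoy at +0x10, the real cache at +0x40
struct.pack_into("<III", MEM, 0x10, 0x20, BASE + 0x80, BASE + 0x84)  # decoy: table2 does not fit the formula
struct.pack_into("<III", MEM, 0x40, 3, BASE + 0x80, BASE + 0x90)     # real: table2 == table1 + (3 + 1) * 4
```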
The Real World
What's next?
  o Web servers
  o Monitoring
  o Anti-Virus
  o Flash debugger
  o Open sourcing everything
  o Coffee...
FIN Questions? Nativ.Assaf@gmail.com
A trick to uncover asterisk passwords (bonus slides Step 2 to Step 4: screenshots only)