Update: Win32dd 1.2.2.20090608 (fixes + improvements)

This week I'm going to give a talk at Shakacon entitled "Challenge of Windows physical memory acquisition and exploitation", so I think it's time to release a new version of win32dd.

Two major bugs fixed in this release are:

- The system cache size was growing because the output file was mapped, which then filled memory with a lot of junk pages. The current versions of mdd and Memoryze have this problem too. Thanks to Marnix Kaart (Nederlands Forensisch Instituut) and Tomo Koida (National Police Agency of Japan) for the bug report.
- The output size was wrong for the raw dump file only. Instead of using the size of the physical address space, win32dd used the size of the physical memory, which is totally different. The current version of mdd also has this problem, and Memoryze forgets to save one page.

This version also fixes a minor bug in the driver loading process: some people had problems loading the driver a second time after interrupting it with the Ctrl+C keyboard shortcut.

This version, as you can see in the screenshot, provides further information about the memory state, the memory dump, and the machine.

And now, win32dd also supports hashing (SHA1).

Your feedback is welcome if you want me to introduce new features or improve win32dd. Feel free to share your experiences.

Download win32dd v1.2.2.20090608 now!

Update: Rob Lee announced (via Twitter) that win32dd “is the tool of choice in the SANS Forensic courses for obtaining memory.”
Update 2: Rob will also discuss court-approved tools during the SANS Forensics Summit 2009. (via Twitter)

Undocumented Windows Vista and later registry secrets

In fact, this new key category appeared for the first time in Windows XP, formerly called Whistler, in early 2001. Yes, almost 9 years ago. But its structure, CM_BIG_DATA, had been removed from the Microsoft Windows XP public symbols, though not from the Windows Vista and later symbols.

Basically, this “secret” registry key had been briefly introduced in the Windows XP Kernel Enhancements changelog as follows:

Windows XP improves the way the registry handles big data. In versions before Windows XP, if an inefficient application constantly increased a value with a small increment, it created a sparse and wasteful registry file. Windows XP solves this problem with a big cell implementation where cells larger than 16K are split into increments of 16K chunks. This reduces fragmentation when the data length of a value is increased within a certain threshold.

If we take a closer look at the CmpGetBootValueData() or CmpGetValueData() functions, which handle big data keys, we can notice that CMHIVE.Version must be greater than or equal to 4. I guess this is the Whistler registry version.

To be validated as a big data key pointer, the CM_KEY_VALUE cell must satisfy the following condition:
- CM_KEY_VALUE.DataLength must be greater than 0x3fd8 and smaller than 0x80000000

Then the CM_BIG_DATA key's first chunk is retrieved using CM_KEY_VALUE.Data as a cell offset.

To be validated as a big data key, the CM_BIG_DATA cell must satisfy the following conditions:
- CM_BIG_DATA.Signature must be equal to 0x6264 ("bd")
- CM_BIG_DATA.Count must be greater than 0
- CM_BIG_DATA.List must be different from 0

Based on this information, Windows does a sanity check to avoid a buffer overflow and recomputes CM_KEY_VALUE.DataLength for that sanity check like the following:
ASSERT(CM_KEY_VALUE.DataLength <= (CM_BIG_DATA.Count * 0x3fd8))

Then each CM_BIG_DATA.List entry is read, CM_BIG_DATA.Count times, as a cell index, and at most 0x3fd8 bytes are copied each time into the output buffer.

It means the data chunks are not exactly 16K bytes (0x4000) but 0x3fd8 bytes. The difference of 0x28 bytes is in fact the cell header.
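The checks and the chunk walk described above, as an added example (not code from this post): a small Python parser that decodes a CM_KEY_VALUE cell, applies the big-data conditions and the Count * 0x3fd8 sanity check, and reassembles the value from its CM_BIG_DATA chunks. The cell area it parses is constructed in the block itself; as a simplification, cell offsets index straight into that buffer, whereas in a real hive file they are relative to the first hbin at file offset 0x1000.

```python
"""
Reassemble a registry value stored as CM_BIG_DATA chunks, applying the checks
described in the post. Added example, not code from the original post. The
constructed "cell area" is a simplification: offsets index straight into it,
whereas real hive cell indices are relative to the first hbin (file offset 0x1000).
"""
import struct

BIG_DATA_CHUNK = 0x3FD8          # max payload per chunk cell (16K minus cell header, per the post)
BIG_DATA_SIGNATURE = 0x6264      # the bytes "db" read as a little-endian WORD: 0x6264 ("bd")
DATA_INLINE_FLAG = 0x80000000    # DataLength bit 31: the data is stored in the Data field itself
MIN_HIVE_VERSION = 4             # CMHIVE.Version required for big data support


def read_cell(area, offset):
    """Payload of the cell at `offset`: a signed 32-bit size (negative when
    allocated, header included) followed by the data."""
    (size,) = struct.unpack_from("<i", area, offset)
    if size >= 0:
        raise ValueError(f"cell at {offset:#x} is not allocated")
    return area[offset + 4:offset - size]


def parse_key_value(cell):
    """Decode the fixed part of a CM_KEY_VALUE ("vk") cell."""
    sig, name_len, data_len, data, vtype, flags = struct.unpack_from("<2sHIIIH", cell, 0)
    if sig != b"vk":
        raise ValueError("not a vk cell")
    return {"DataLength": data_len, "Data": data, "Type": vtype, "Flags": flags,
            "Name": cell[20:20 + name_len]}


def is_big_data_pointer(kv, hive_version):
    """The post's conditions for treating CM_KEY_VALUE.Data as a CM_BIG_DATA cell index."""
    return hive_version >= MIN_HIVE_VERSION and BIG_DATA_CHUNK < kv["DataLength"] < DATA_INLINE_FLAG


def read_value_data(area, kv, hive_version=4):
    """Return the value's bytes, walking the CM_BIG_DATA chain when applicable."""
    length = kv["DataLength"]
    if length & DATA_INLINE_FLAG:                       # tiny values live in the Data field
        return struct.pack("<I", kv["Data"])[:length & ~DATA_INLINE_FLAG]
    if not is_big_data_pointer(kv, hive_version):
        return read_cell(area, kv["Data"])[:length]     # ordinary single data cell
    signature, count, list_index = struct.unpack_from("<HHI", read_cell(area, kv["Data"]), 0)
    if signature != BIG_DATA_SIGNATURE or count == 0 or list_index == 0:
        raise ValueError("invalid CM_BIG_DATA cell")
    if length > count * BIG_DATA_CHUNK:                 # the sanity check from the post
        raise ValueError("DataLength exceeds Count * 0x3fd8")
    indices = struct.unpack_from(f"<{count}I", read_cell(area, list_index), 0)
    out = bytearray()
    for index in indices:                               # Count entries, at most 0x3fd8 bytes each
        if len(out) >= length:
            break
        out += read_cell(area, index)[:min(BIG_DATA_CHUNK, length - len(out))]
    return bytes(out)


def safe_read(area, kv, hive_version=4):
    """(data, None) on success, (None, error) on a rejected cell, so a parser need not crash."""
    try:
        return read_value_data(area, kv, hive_version), None
    except ValueError as err:
        return None, str(err)


class CellArea:
    """Constructed sample input (not a real hive): appends 8-byte-aligned allocated cells."""
    def __init__(self):
        self.buf = bytearray(b"\0" * 0x20)             # placeholder for the hbin header

    def add(self, payload):
        offset = len(self.buf)
        size = 4 + len(payload)
        size += (-size) % 8
        self.buf += struct.pack("<i", -size) + payload.ljust(size - 4, b"\0")
        return offset


def build_sample():
    """vk -> db -> list -> chunks chain holding two full chunks plus 100 bytes (constructed)."""
    data = (bytes(range(256)) * 129)[:2 * BIG_DATA_CHUNK + 100]
    area = CellArea()
    chunks = [data[i:i + BIG_DATA_CHUNK] for i in range(0, len(data), BIG_DATA_CHUNK)]
    chunk_offsets = [area.add(chunk) for chunk in chunks]
    list_offset = area.add(struct.pack(f"<{len(chunks)}I", *chunk_offsets))
    db_offset = area.add(struct.pack("<2sHI", b"db", len(chunks), list_offset))
    vk_offset = area.add(struct.pack("<2sHIIIHH", b"vk", 3, len(data), db_offset, 3, 0, 0) + b"Big")
    return bytes(area.buf), vk_offset, data


def with_count(area, kv, count):
    """Copy of `area` with CM_BIG_DATA.Count overwritten, to exercise the sanity check."""
    tampered = bytearray(area)
    struct.pack_into("<H", tampered, kv["Data"] + 4 + 2, count)   # past cell header and signature
    return bytes(tampered)


if __name__ == "__main__":
    area, vk_offset, original = build_sample()
    kv = parse_key_value(read_cell(area, vk_offset))
    print("reassembled ok:", read_value_data(area, kv) == original)
    print("tampered Count=1:", safe_read(with_count(area, kv, 1), kv))
```

The tampering helper shows why the assertion in the post matters: with Count lowered to 1 while DataLength still claims two and a half chunks, a reader that trusted DataLength would copy past the chunks it actually has, which is exactly what the Count * 0x3fd8 check prevents.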

If you want to read more about the Windows Registry format, I suggest referring to Tim Morgan's and Peter Norris's documents and moyix's blog.

Microsoft MVP 2009

It’s official – I’m a Microsoft Enterprise Security MVP

For people who don’t know what MVP means here is the definition from wikipedia:

Microsoft MVPs are exceptional technical community leaders from around the world who have been awarded for voluntarily providing technical expertise towards technical communities supporting Microsoft products or technologies. (Wikipedia)

Past well-known MVPs include Mark Russinovich, Ken Johnson, and Patchou from the Messenger Plus! Live plugin.


Low Priority I/O Count Information – SystemLowPriorityInformation

Based on the Windows Vista I/O priority manager, Windows 7 provides a new class to retrieve information/statistics about low I/O priority counts.

Function: NtQuerySystemInformation
Class: SystemLowPriorityInformation
Privilege: None
Output size: 0x24 bytes

The output structure is the following.

typedef struct _LOW_PRIORITY_INFORMATION
{
    ULONG IoLowPriorityReadOperationCount;
    ULONG IoLowPriorityWriteOperationCount;
    ULONG IoKernelIssuedIoBoostedCount;
    ULONG IoPagingReadLowPriorityCount;
    ULONG IoPagingReadLowPriorityBumpedCount;
    ULONG IoPagingWriteLowPriorityCount;
    ULONG IoPagingWriteLowPriorityBumpedCount;
    ULONG IoBoostedThreadedIrpCount;
    ULONG IoBoostedPagingIrpCount;
    ULONG IoBlanketBoostCount; // Added in RC1 (build 7100)
} LOW_PRIORITY_INFORMATION, *PLOW_PRIORITY_INFORMATION;


Source + Executable are available here.

Edit: LOW_PRIORITY_INFORMATION structure updated in build 7100.
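How a tool would consume this class, as an added example that is not the post's own source: a Python ctypes wrapper around NtQuerySystemInformation that asks for SystemLowPriorityInformation (116, no privilege needed, per the post) and grows its buffer on STATUS_INFO_LENGTH_MISMATCH, plus a decoder that accepts both buffer layouts mentioned above: the 0x24-byte, 9-ULONG structure and the 10-ULONG one after IoBlanketBoostCount was added in build 7100. The syscall only exists on Windows; the two sample buffers at the bottom are constructed so the decoder can be tried anywhere.

```python
"""
Query SystemLowPriorityInformation (class 116) through NtQuerySystemInformation
and decode the LOW_PRIORITY_INFORMATION buffer. Added example, not the post's
own source. The decoder accepts the pre-7100 layout (9 ULONGs, 0x24 bytes) and
the build 7100 layout (10 ULONGs, IoBlanketBoostCount appended).
"""
import ctypes
import struct
import sys

SYSTEM_LOW_PRIORITY_INFORMATION = 116
STATUS_SUCCESS = 0
STATUS_INFO_LENGTH_MISMATCH = 0xC0000004

FIELDS = (
    "IoLowPriorityReadOperationCount",
    "IoLowPriorityWriteOperationCount",
    "IoKernelIssuedIoBoostedCount",
    "IoPagingReadLowPriorityCount",
    "IoPagingReadLowPriorityBumpedCount",
    "IoPagingWriteLowPriorityCount",
    "IoPagingWriteLowPriorityBumpedCount",
    "IoBoostedThreadedIrpCount",
    "IoBoostedPagingIrpCount",
    "IoBlanketBoostCount",          # build 7100 and later only
)
KNOWN_SIZES = (9 * 4, 10 * 4)       # 0x24 before build 7100, 0x28 from build 7100


def decode_low_priority_information(buf):
    """Map a raw LOW_PRIORITY_INFORMATION buffer onto its field names."""
    if len(buf) not in KNOWN_SIZES:
        raise ValueError(f"unexpected LOW_PRIORITY_INFORMATION size {len(buf):#x}")
    count = len(buf) // 4
    return dict(zip(FIELDS[:count], struct.unpack(f"<{count}I", buf)))


def query_system_information(info_class, initial_size=0x24):
    """Call NtQuerySystemInformation, growing the buffer when the kernel reports
    STATUS_INFO_LENGTH_MISMATCH. Windows only; elsewhere it raises OSError."""
    if sys.platform != "win32":
        raise OSError("NtQuerySystemInformation is only available on Windows")
    fn = ctypes.WinDLL("ntdll").NtQuerySystemInformation
    fn.restype = ctypes.c_ulong                     # NTSTATUS, compared as unsigned
    fn.argtypes = [ctypes.c_ulong, ctypes.c_void_p, ctypes.c_ulong,
                   ctypes.POINTER(ctypes.c_ulong)]
    size = initial_size
    while True:
        buf = ctypes.create_string_buffer(size)
        returned = ctypes.c_ulong(0)
        status = fn(info_class, buf, size, ctypes.byref(returned))
        if status == STATUS_INFO_LENGTH_MISMATCH:
            size = returned.value if returned.value > size else size * 2
            continue
        if status != STATUS_SUCCESS:
            raise OSError(f"NtQuerySystemInformation failed: {status:#010x}")
        return buf.raw[:returned.value or size]


def low_priority_counters():
    """Query and decode the live counters (Windows 7 or later)."""
    return decode_low_priority_information(
        query_system_information(SYSTEM_LOW_PRIORITY_INFORMATION))


# Constructed sample buffers (not captured from a real system) to try the decoder offline.
SAMPLE_PRE_7100 = struct.pack("<9I", *range(1, 10))
SAMPLE_BUILD_7100 = struct.pack("<10I", *range(1, 11))

if __name__ == "__main__":
    try:
        counters = low_priority_counters()
    except OSError as err:
        print(err, "- decoding the constructed sample instead")
        counters = decode_low_priority_information(SAMPLE_BUILD_7100)
    for name, value in counters.items():
        print(f"{name:40} {value}")
```

Starting with the 0x24-byte buffer and retrying on STATUS_INFO_LENGTH_MISMATCH is what keeps the same code working across the RTM-era and build 7100 layouts; decoding by buffer size rather than by a hard-coded struct avoids misreading the last counter when the structure grows.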

Demystifying new Windows 7 System Information Classes

This post is the first of a series of articles/blog posts about the new System Information Classes under Windows 7 (32-bit at the moment) used by both NtQuerySystemInformation and the extended version of this API, NtQuerySystemInformationEx, introduced in Windows 7 and Windows 2008 R2.

First of all, here is the prototype of these functions.

NTSTATUS (WINAPI *NtQuerySystemInformationEx)(SYSTEM_INFORMATION_CLASS SystemInformationClass,
                                              PULONG QueryType,
                                              ULONG Alignment,
                                              PVOID SystemInformation,
                                              ULONG SystemInformationLength,
                                              PULONG ReturnLength);

NTSTATUS (WINAPI *NtQuerySystemInformation)(SYSTEM_INFORMATION_CLASS SystemInformationClass,
                                            PVOID SystemInformation,
                                            ULONG SystemInformationLength,
                                            PULONG ReturnLength);

As you can see, there are two additional arguments in NtQuerySystemInformationEx: QueryType and Alignment.

And here are the new (and undocumented) system information classes added to Windows 7 that will be discussed in upcoming blog posts.

typedef enum _SYSTEM_INFORMATION_CLASS
{
    // NtQueryEx
    SystemLogicalProcessorAndGroupInformation = 107,
    SystemLogicalGroupInformation = 108,

    SystemStoreInformation = 109,
    SystemVhdBootInformation = 112,
    SystemCpuQuotaInformation = 113,

    // Removed in build 7100
    SystemHardwareCountersInformation = 115, // uses KeQueryHardwareCounterConfiguration() instead

    SystemLowPriorityInformation = 116,
    SystemTpmBootEntropyInformation = 117,
    SystemVerifierInformation = 118,

    // NtQueryEx
    SystemNumaNodesInformation = 121,
    //
    // Added in build 7100
    //
    SystemHalInformation = 122, // 8 bytes size
    SystemCommittedMemoryInformation = 123,
    MaxSystemInfoClass = 124
} SYSTEM_INFORMATION_CLASS, *PSYSTEM_INFORMATION_CLASS;

PS. For interested people the first issue of the Debugged! MZ/PE: MagaZine is available on Amazon.


Edit: SYSTEM_INFORMATION_CLASS structure updated in build 7100.
