Professional Documents
Culture Documents
Michael Cohen
Software Engineer - Google Inc.
Acknowledgements
Many great researchers in the memory forensics field (and Volatility Contributors): Aaron Walters. Brendan Dolan-Gavitt. Andreas Schuster. Michael Hale Ligh. Andrew Case. Jamie Levy. Mike Auty. ... and many others!
References
Malware Analyst's Cookbook Michael Hale Ligh, Steven Adair, Blake Hartstein, Matthew Richard
http://code.google.com/p/malwarecookbook/
Module 1 - Introduction
Why memory forensics? What can Volatility do for me? Symbols and debugging information.
How does Volatility support multiple operating systems and versions.
Memory imaging
Linux. Windows.
struct foobar { enum options flags; short int bar; uchar *foo; }
<2><111a>: Abbrev Number: 32 (DW_TAG_member) : (indirect string, offset: 0xb200): stack : 18 : 1222 : <0x615> (DW_OP_plus_uconst: 8)
'Pcb' : [ 0x0, ['_KPROCESS']], 'ProcessLock' : [ 0x160, ['_EX_PUSH_LOCK']], 'CreateTime' : [ 0x168, ['_LARGE_INTEGER']], 'ExitTime' : [ 0x170, ['_LARGE_INTEGER']], 'RundownProtect' : [ 0x178, ['_EX_RUNDOWN_REF']],
'UniqueProcessId' : [ 0x180, ['pointer64', ['void']]], 'ActiveProcessLinks' : [ 0x188, ['_LIST_ENTRY']], 'ProcessQuotaUsage' : [ 0x198, ['array', 2, ['unsigned 'CommitCharge' : [ 0x1b8, ['unsigned long long']],
'ProcessQuotaPeak' : [ 0x1a8, ['array', 2, ['unsigned long long']]], 'QuotaBlock' : [ 0x1c0, ['pointer64', ['_EPROCESS_QUOTA_BLOCK']]], 'CpuQuotaBlock' : [ 0x1c8, ['pointer64', ['_PS_CPU_QUOTA_BLOCK']]], 'PeakVirtualSize' : [ 0x1d0, ['unsigned long long']], 'VirtualSize' : [ 0x1d8, ['unsigned long long']], 'SessionProcessLinks' : [ 0x1e0, ['_LIST_ENTRY']], 'DebugPort' : [ 0x1f0, ['pointer64', ['void']]], .....
VType
Overlay
VType
Overlay
VType
Overlay
For linux we must generate vtypes to specific kernel version we are analysing.
This is because the struct layouts vary depending on kernel configuration. (There are #ifdefs in the middle of the structs). We generate a profile_file which is a zip containing: System.map-2.6.32-40-generic A special module.ko built with symbols.
Memory Imaging.
Take a permanent copy of physical memory: Lots of techniques to do this:
Hardware based Firewire. Cold Boot attack. Tribble Software base Hibernation Crash dumps Inserting a special driver. Debugger APIs.
Hibernation
When a system hibernates it copies its memory state to disk.
Volatility can analyse this image. Pros Easy to obtain image. No prior preparation needed. Cons Prior to hibernation, an ACPI pnp event is transmitted to all drivers:
Network sockets are removed. Malware may cleanup.
Driver creates a new device Copy to the target machine and then:
# insmod pmem.ko # dd if=/dev/pmem of=myimage.dd # rmmod pmem
Memory Imaging
Overcommited
Backed Mem
Physical Memory
PTN
Page Frame
PTE
Page Directory
Page Tables
Physical Memory
Large Page
Page Faults
When bit 1 in the PTE is set to 0 (invalid), any access to
this page will generate a page fault. Note that all other bits of PTE are ignored in this case. So the PTE can be technically used for OS private data. Page fault handler is a kernel routine which handles the page fault: Page may be fetched from page file. Page is in transition if Prototype bit is also set.
A page is transition is waiting to be paged out, but is actually valid still. A page fault here can return it into the working set immediately.
Page may be overcommitted and kernel will allocate physical memory for it.
MmapFileAddressSpace IA32PagedMemory
In [15]: find_dtb? find_dtb: A plugin to search for the Directory Table Base for windows systems. Scans the image for the Idle process. ... In [16]: find_dtb -------> find_dtb() _EPROCESS (P) DTB 0x02813140 0x00187000 0x1179b7dc 0x00490050
All tasks are connected in a list. The init task is always alive and its address is hard coded into the kernel symbols.
Init Task
next prev
next prev
next prev
PsActiveProcessHead
Flink Blink
Flink Blink
Flink Blink
Flink Blink
The KDBG is not critical to the operation of the system, so malware can easily corrupt it. You can always list the processes by finding a single _EPROCESS object and following the list around.
The PsActiveProcessHead is not a real process, so will need to discard that.
In [5]: psxview ------> psxview() Offset(P) Name PID pslist 1952 True 4080 True 2040 True 448 False 1424 False 528 True 2624 True 944 True 2740 True 1400 True 1076 True 580 True 1960 False 876 True psscan True True True True True True True True True True True True True True thrdproc pspcdid csrss True True True False False True True True True True True True False True True False True False False True True True True True True True False True True False True False False True True True True True True True False True ---------- -------------------- ------ ------- ------- -------- ------- ------0x01f67500 TaskSwitch.exe 0x02000980 wmiprvse.exe 0x02025608 atiptaxx.exe 0x12cd3020 smss.exe 0x0fe5f8e0 snmp.exe 0x01f8eb10 winlogon.exe 0x02079c18 cmd.exe 0x02218020 PluckSvr.exe 0x01ed76b0 PluckTray.exe 0x01f48da0 tcpsvcs.exe 0x01f6db28 msdtc.exe 0x020e0da0 services.exe 0x1a192a90 Fast.exe 0x01fa8240 Smc.exe
Volatility TP as a library
#!/usr/bin/python from volatility import session s = session.Session() s.filename = "MyImage.raw" s.profile = "Win7SP1x64"
A session is an object which holds all analysis results for the current session.
pslist = s.plugins.pslist() The module is available from the session object. A module exports methods which we can call. for task in pslist.list_eprocess(): print task.UniqueProcessId, task.ImageFileName
Normally the vol() helper calls the render() method of the module, but many modules export many other methods.
DKOM
Very old technique for unlinking _EPROCESS objects: Works because
KDBG Block the scheduler uses threads
PsActiveProcessHe ad
Flink Blink
Flink Blink
Flink Blink
Flink Blink
http://i159.photobucket.com/albums/t141/sovietweasel/hideproc-vmware.jpg
Summary of module 2
Virtual paging
Volatility Address spaces
Analysis techniques
List following
Module 3
Windows internals: The PE File format.
Finding PE files in memory.
PE Executables
The PE file format is specifically designed to allow fast and efficient loading of executables into memory.
The structure of executables on disk is similar to their structure in memory. Imports and Exports are resolved at load time.
PE Overview
http://code.google.com/p/corkami/downloads/detail?name=pe-20110117.pdf
In [8]: p pe.nt_header.OptionalHeader [_IMAGE_OPTIONAL_HEADER OptionalHeader] @ 0x804D7100 0x1C ImageBase 0x20 SectionAlignment 0x24 FileAlignment 0x28 MajorOperatingSystemVersion 0x00000005 0x2A MinorOperatingSystemVersion 0x00000001 [unsigned long:ImageBase]: 0x00400000 [unsigned long:SectionAlignment]: 0x00000080 [unsigned long:FileAlignment]: 0x00000080 [unsigned short:MajorOperatingSystemVersion]: [unsigned short:MinorOperatingSystemVersion]:
[String:Name]: '.data\x00\x00\x00',
------------------------------ ----------------------------------------------------------------------
In [14]: pe = pe_vtypes.PE(address_space=eprocess.get_process_address_space(), image_base=eproc ImageBaseAddress) In [16]: for section in pe.Sections(): print section ('xr-', ('-r-', ('-rw', ('-r-', ('-r-', ('-r-', [String:Name]: '.text\x00\x00\x00', [String:Name]: '.rdata\x00\x00', [String:Name]: '.pdata\x00\x00', [String:Name]: '.reloc\x00\x00', [String:Name]: '.data\x00\x00\x00', [String:Name]: '.rsrc\x00\x00\x00',
DLLs
The _EPROCESS object has 3 lists of dlls loaded:
eprocess.Peb.Ldr.InInitializationOrderModuleList eprocess.Peb.Ldr.InLoadOrderModuleList eprocess.Peb.Ldr.InMemoryOrderModuleList
( [UnicodeString:Key]: u'FileDescription\x00', Natural Language Server Data and Code\x00') ( [UnicodeString:Key]: u'FileVersion\x00', (win7_rtm.090713-1255)\x00') ( [UnicodeString:Key]: u'InternalName\x00',
[UnicodeString:Value]: u'6.1.7600.16385
[UnicodeString:Value]: u'NlsData0009\x00')
# First copy the PE file header, then copy the sections. data = dos_header.obj_vm.zread(image_base, nt_header.OptionalHeader.SizeOfHeaders) fd.seek(0) fd.write(data)
Potential problems:
Rootkits can easily change the in-memory PE headers. (e.g. Section description etc). It is possible to corrupt the headers so the tool blows up - too much data, huge executables. Import Address Table is not patched. Not all sections are fully mapped into memory (e.g. . rsrc not always mapped in).
Packed binaries
Packed binaries have a very small IAT on disk (just enough for the unpacker).
The real import table is built in memory but does not contain any function names - only dll 1 function pointers. dll 1
IAT on disk IAT in memory Binary Code Section export table code
dll 1 code
dll 1 code
Example
In [2]: impscan pid=2236 ------> impscan(pid=2236) ************************************************** Process conhost.exe PID 2236 IAT Call Module Function CreateRectRgn DeleteObject SelectObject SelectPalette DeleteDC GetStockObject PolyPatBlt -------------- -------------- -------------------- -------0x0000ffddf000 0x07fefd7c2520 GDI32.dll 0x0000ffddf018 0x07fefd7c1090 GDI32.dll 0x0000ffddf030 0x07fefd7c1860 GDI32.dll 0x0000ffddf038 0x07fefd7c6274 GDI32.dll 0x0000ffddf048 0x07fefd7c222c GDI32.dll 0x0000ffddf070 0x07fefd7c103c GDI32.dll 0x0000ffddf078 0x07fefd7c14a0 GDI32.dll
Module 3 Summary
The PE executable format.
Relation between PE in memory and PE on disk. Dumping out PE from memory. Different types of PE files: Processes. DLLs. Kernel Drivers.
Allocations come from the pool, and are tagged using a special identifier "Tag":
ExAllocatePoolWithTag Tags are used to track memory owners and detect leaks.
Poolmon
Pool Header
Optional Header
Optional Header
The user of the scanner calls the scan() iterator to receive possible matches. Some useful scanners:
Discontiguous Scanner - can efficiently scan Virtual Address Space. VAD Scanner - used to scan memory accessible to a process.
Discontiguous Scanners.
Discontiguous Scanners
Pool Tag
('CheckPoolSize', dict(condition = lambda x: x >= 0xf8)), ('CheckPoolType', dict(paged = True, non_paged = True, free = True)), ('CheckPoolIndex', dict(value = 0)), ]
We can scan in the physical address space or kernel address space: Physical AS can be fooled by process allocations but is slightly faster. Scanning for kernel objects in kernel address space is sufficient.
Windows 8
The bottom up method does not work on Windows 8:
Windows 8 uses a binned memory allocator: Each allocation is rounded up to the next bin size. Can not calculate object size from allocation size. Need to iterate through all possible header configurations. In addition pool tags are not unique enough e.g. for EPROCESS it is "Proc"
Object Owners
When the object manager allocates a kernel object on behalf of a process, sometimes, there is a reference to the _EPROCESS embedded into the _OBJECT_HEADER: object_obj.HandleInfo.SingleEntry.Process
http://computer.forensikblog.de/en/2009/04/linking-file-objects-to-processes.html
In [4]: vol plugins.filescan, address_space=session.kernel_address_space Offset #Ptr #Hnd Access Owner OwnerPid OwnerName Name
------------------ ---- ---- ------ ------------------ --------- ---------------- ---0x0000f6fd40004530 15 0 RW-rw- ------------------ --------- ---------------\Users\testing\AppData\Roaming\Microsoft\Windows\Cookies\Low\index.dat 0x0000f6fd40006050 1 1 RW-r-d 0x0000fa80004b09e0 \Windows\System32\wdi\LogFiles\WdiContextLog.etl.001 4 System
$ vol.py --profile WinXPSP2x86 -f malwarecookbook/15/6/prolaco.vmem pslist Offset (V) Name 0x810b1660 System .... (Not found) 1136 1724 2 73 0 False 2010-08-11 16:50:19 PID 4 PPID 0 Thds 56 Hnds Sess Wow64 Start False Exit -
---------- -------------------- ------ ------ ------ -------- ------ ------ -------------------- ---------------253 ------
0xff37a4b0 ImmunityDebugge
PTN
Page Frame
PTE
Page Directory
Page Tables
Physical Memory
The PFN record contains important information about the physical page.
In use/Valid/Paged Virtual Address of the PTE which controls this page.
Page is valid.
The [__unnamed_1534 u3] @ 0xFA800092AD98 PTE UsedPageTableEntries [unsigned short:UsedPageTableEntries]: address in VaType [unsigned char:VaType]: 0x00000000 Kernel Address ViewCount [unsigned char:ViewCount]: 0x00000000 Space
[long:AweReferenceCount]: 0x00000080 [_MMPTE OriginalPte] @ 0xFA800092ADA0 [__unnamed_153c u4] @ 0xFA800092ADA8
[__unnamed_153c u4] @ 0xFA800092ADA8 0x00 PrototypePte 0x00 PteFrame 0x00 Unused [BitField:PrototypePte]: 0x00000000 [BitField:PteFrame]: 0x00019A18 [BitField:Unused]: 0x00000000
Example
In [36]: vtop 0xf880030e3000 -------> vtop(0xf880030e3000) Virtual 0xF880030E3000, Page Directory 0x00187000 pml4e@ 0x00187F88 = 0x2E004863 pdpte@ 0x2E004000 = 0x2E003863 pde@ 0x2E0030C0 = 0x19A18863 pte@ 0x19A18718 = 0x30E48963 PTE mapped@ 0x19A18718 = 0x30E48000
Physical Address
In [37]: ptov 0x30E48000 -------> ptov(0x30E48000) Physical Address 0x0000000030E48000 => Virtual Address 0x0000F880030E3000 DTB @ 0x0000000000187000 PML4E @ 0x0000000000187F88 PDPDE @ 0x000000002E004000 PDE @ 0x000000002E0030C0 PTE @ 0x0000000019A18718
In [35]: pfn 0x30E48 -------> pfn(0x30E48) PFN 0x00030E48 at kernel address 0x0000FA800092AD80 flink 00000000 blink / share count 0000000000000001 (Phys AS) 0x0000000019A18718 ActiveAndValid M color 0 0x00019A18 pteaddress (VAS) 0x0000F6FC40018718 reference count 0001 containing page Modified
0x00001b2c8000 0xfa8001ea5b30 spoolsv.exe 0x0000211a4000 0xfa8001dbfb30 svchost.exe 0x00002ceb9000 0xfa8000a2d060 svchost.exe 0x00002178b000 0xfa8001db5b30 svchost.exe 0x000022e75000 0xfa8000bbd060 conhost.exe 0x000022192000 0xfa8001d03ac0 lsm.exe 0x000019295000 0xfa80020bfb30 sppsvc.exe 0x00001d3a2000 0xfa8001fd9890 svchost.exe 0x00002573b000 0xfa8001974630 winlogon.exe -0x00000001000 -------------- Process not Found! 0x000021533000 0xfa8001e905b0 svchost.exe 0x00001d5c7000 0xfa8001dd7800 explorer.exe .....
The VAD tree: A process-eye view of physical memory - Brendan Dolan-Gavitt digitalinvestigation 4S (2007) S62S64
vadinfo
$ vol.py -f xp-laptop-2005-06-25.img --profile WinXPSP2x86 --pid 4012 vadinfo .... VAD node @ 0x820c9308 Start 0x7c800000 End 0x7c8f3fff Tag Vad Flags: CommitCharge: 5, ImageMap: 1, Protection: 7 Protection: PAGE_EXECUTE_WRITECOPY ControlArea @820e24b8 Segment e165b3d8 Dereference list: Flink 00000000, Blink 00000000 NumberOfSectionReferences: NumberOfMappedViews: WaitingForDeletion Event: 00000000 , Name: \WINDOWS\system32\kernel32.dll 1 NumberOfPfnReferences: 41 NumberOfUserReferences: 119 42
Control Flags: Accessed: 1, File: 1, HadUserReference: 1, Image: 1 FileObject @821745e0 FileBuffer @ e17c2460 Flags2: Inherit: 1 First prototype PTE: e165b410 Last contiguous PTE: fffffffc
The original
Malware can easily unlink a module from these lists, but its harder to manipulate the VAD.
How can we get an executable area without being in the module lists and not having file mapping?
$ vol.py --profile WinXPSP2x86 -f malwarecookbook/stuxnet.vmem --pid 680 --verbose ldrmodules InLoad InInit InMem MappedPath False True True True True True True True True True True True True True False False True True True True True True True True True True True True True True True True True True True True True True True True \WINDOWS\system32\ntdll.dll \WINDOWS\system32\version.dll \WINDOWS\system32\netapi32.dll \WINDOWS\system32\psapi.dll \WINDOWS\system32\msvcrt.dll \WINDOWS\system32\advapi32.dll \WINDOWS\system32\shell32.dll \WINDOWS\system32\dnsapi.dll \WINDOWS\system32\comctl32.dll \WINDOWS\system32\ws2help.dll \WINDOWS\system32\msasn1.dll
False True
Process Hollowing
Malware can attempt to hide by using process hollowing: 1. Create a new process using a legitimate executable, but do not start it. 2. Free the memory section that contains the ImageBase from the executable. 3. Allocate a new memory region in the new process, and copy malicious code into it.
a. VirtualAllocEx, WriteProcessMemory
Malware Analyst's Cookbook - Michael Hale Ligh, Steven Adair, Blake Hartstein, Matthew Richard
---------- -------------------- ------ ------ ------ -------- ------ ------ -------------------- ------
Executable memory 6 Private READWRITE which is notExe backed 5 Mapped EXECUTE_WRITECOPY by Mapped Exe a file???? 2 EXECUTE_READWRITE
0 Mapped 0 Mapped READONLY READONLY
\WINDOWS\system32\ntdll.d
\WINDOWS\system32\locale. \WINDOWS\system32\unicod
In [7]: task = session.profile._EPROCESS(vm=session.kernel_address_space, offset=0x81c498c8) In [8]: dump task.get_process_address_space(), 0x80000 ------> dump(task.get_process_address_space(), 0x80000) 0x00080000 0x00080010 0x00080020 0x00080030 0x00080040 0x00080050 0x00080060 0x00080070 0x00080080 0x00080090 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 08 01 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 c7 1c 48 b9 83 7d 26 ea 83 7d 26 ea 83 7d 26 ea a4 bb 4b ea 81 7d 26 ea 9d 2f a2 ea 88 7d 26 ea MZ.............. ........@....... ................ ................ ........!..L.!Th is.program.canno t.be.run.in.DOS. mode....$....... ..H..}&..}&..}&. ..K..}&../...}&.
Module 4: Summary
Scanning for objects in kernel memory.
Discontiguous scanners.
Module 5: Hooking
Hooking means to change the flow control of execution to take control of certain code paths.
Malware uses hooking to monitor and filter various operations. e.g. File operations can be subverted to prevent security software from seeing malware specific files. HTTP traffic can be intercepted even prior to encryption - used for credential stealing etc.
Security software has similar goals - hence many security applications also hook.
ssdt plugin:
Entry 0x0073: 0x8060bc6c (NtOpenEventPair) owned by ntoskrnl.exe Entry 0x0074: 0x8056e26a (NtOpenFile) owned by ntoskrnl.exe Entry 0x0075: 0x8056bab6 (NtOpenIoCompletion) owned by ntoskrnl.exe Entry 0x0076: 0x805ca2ac (NtOpenJobObject) owned by ntoskrnl.exe Entry 0x0077: 0x80619f68 (NtOpenKey) owned by ntoskrnl.exe Entry 0x0078: 0x8060c064 (NtOpenMutant) owned by ntoskrnl.exe Entry 0x0079: 0x805e8fcc (NtOpenObjectAuditAlarm) owned by ntoskrnl.exe Entry 0x007a: 0xfca2953e (NtOpenProcess) owned by lanmandrv.sys Entry 0x007b: 0x805e229e (NtOpenProcessToken) owned by ntoskrnl.exe Entry 0x007c: 0x805e1ea4 (NtOpenProcessTokenEx) owned by ntoskrnl.exe
There are several types of IRPs - each type is handled by a different dispatch routing in the driver.
In [11]: d = session.profile._DRIVER_OBJECT(0x81f7dda0) In [12]: p d [_DRIVER_OBJECT _DRIVER_OBJECT] @ 0x81F7DDA0 0x1C DriverName 0x38 MajorFunction [_UNICODE_STRING DriverName] @ 0x81F7DDBC <IndexedArray 28 x Pointer @ 0x81F7DDD8>
In [13]: p d.MajorFunction <IndexedArray 28 x Pointer @ 0x81F7DDD8> 0x0000 <Function Pointer to [0xF88FA2B0] (IRP_MJ_CREATE)> 0x0002 <Function Pointer to [0xF88FAD74] (IRP_MJ_CLOSE)> 0x0003 <Function Pointer to [0xF88F9E62] (IRP_MJ_READ)> 0x0004 <Function Pointer to [0xF88FA0B4] (IRP_MJ_WRITE)>
Malicious Driver Driver 1 Driver 1 Driver 2 Driver 2 Driver 2 Malicious Driver Driver 1
Driver 3 Driver 3
Driver 3
Usermode hooks
Malware can intercept functions used by user mode programs.
Malware Code dll 1 code Legitimate process IAT in memory Binary Code Section dll 1 code Detour/ Trampoline Malware Code
https://citizenlab.org/wp-content/uploads/2012/07/image29-500.png
Registry Dumping
The windows registry is a central location for configuration data.
A rich source of evidence in a digital investigation. There are many tools that can analyse registry files.
Volatility has a full registry parser and a bunch of modules to deal with registry.
Forensic Analysis of the Windows Registry in Memory. - Brendan Dolan-Gavitt. DFRWS 2008
Registry in Memory
_CMHIVE: System _CMHIVE: Software Linked list
Hive.Storage.Map[].Directory[].Table[].BlockAddress Structure is very similar to a page table which refers to HBINS. If a HBIN is not frequently used it will be paged out (i.e. not memory resident). When a program attempts to read a key which is contained in this HBIN - the HBIN will be paged into memory.
HBIN
HBIN
Not resident
HBIN
Registry in Memory
In [5]: hivescan ------> hivescan() Offset(V) Offset(P) Name 0xe102e008 0x02837008 [no name] @ 0xe102e008 0xe1035b60 0x0283db60 \Device\HarddiskVolume1\WINDOWS\system32\config\system @ 0xe1035b60 0xe1558578 0x02d63578 [no name] @ 0xe1558578 ..... In [9]: printkey key="Software" Legend: (S) = Stable (V) = Volatile ---------------------------Registry: \Device\HarddiskVolume1\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat @ 0xe1bf1b60 Key name: Software (S) Last updated: 2005-03-18 21:42:02 Subkeys: (S) Microsoft ....
------------------------------ -----------------------------------------------------
Example: svcscan
Windows drivers are loaded through the service control manager (SCM).
The SCM is a process (services.exe) which keeps additional accounting on which services are currently registered. The process memory can be analysed. We can carve the process memory for tag signatures of _SERVICE_RECORD objects. Use the VadScanner to only look at the process memory. A malicious kernel driver may remove itself from the module list but will remain in the SCM internal lists.
svcscan
In [14]: svcscan Offset: 0x6e1e90 Order: 1 Process ID: Service Name: Abiosdsk Display Name: Abiosdsk Service Type: SERVICE_KERNEL_DRIVER Service State: SERVICE_STOPPED Binary Path: Offset: 0x6e1f20 Order: 2 Process ID: Service Name: abp480n5 Display Name: abp480n5 Service Type: SERVICE_KERNEL_DRIVER Service State: SERVICE_STOPPED Binary Path: -
Netscan - tcpip.sys
The windows TCP/IP stack is implemented by tcpip.sys
No public symbols available. However... Reverse engineering shows basic structures: _TCP_ENDPOINT _UDP_ENDPOINT _TCP_LISTENER These have well recognized pool tags. We can scan for these but structs must be reversed for each version of windows. Information is mostly private to the tcpip.sys module.
Windows 7: netscan
In [7]: netscan Offset(P) Proto Local Address 0.0.0.0:135 :::135 0.0.0.0:49153 :::49153 0.0.0.0:49155 0.0.0.0:49155 :::49155 :49359 10.0.2.15:49363 :49341 10.0.2.15:49254 10.0.2.15:49171 10.0.2.15:49347 :49369 :49368 10.0.2.15:49296 :49358 :49373 Remote Address 0.0.0.0:0 :::0 0.0.0.0:0 :::0 0.0.0.0:0 0.0.0.0:0 :::0 93.184.220.20:80 173.194.35.38:80 82.165.218.111:80 74.125.31.157:80 204.245.34.130:80 173.194.35.36:80 82.165.218.111:80 82.165.218.111:80 74.125.127.148:80 93.184.220.20:80 82.165.218.111:80 State LISTENING LISTENING LISTENING LISTENING LISTENING LISTENING LISTENING CLOSED ESTABLISHED CLOSED CLOSE_WAIT ESTABLISHED CLOSE_WAIT CLOSED CLOSED CLOSE_WAIT CLOSED CLOSED Pid Owner 628 svchost.exe 628 svchost.exe 444 lsass.exe 444 lsass.exe 880 svchost.exe 880 svchost.exe 880 svchost.exe 2820 iexplore.exe 2820 iexplore.exe 2820 iexplore.exe 2820 iexplore.exe 2820 iexplore.exe 2820 iexplore.exe 1892 iexplore.exe 2820 iexplore.exe 2820 iexplore.exe 2820 iexplore.exe 2820 iexplore.exe Created -------------- -------- -------------------- -------------------- ---------------- ----- -------------- ------0x00000f882a30 TCPv4 0x00001121b7b0 TCPv6 0x000017de8980 TCPv4 0x000017de8980 TCPv6 0x000017f35240 TCPv4 0x000017f362b0 TCPv4 0x000017f362b0 TCPv6 0x00001725d010 TCPv4 0x000017270530 TCPv4 0x000017285010 TCPv4 0x000017288a90 TCPv4 0x00001728f6b0 TCPv4 0x000017291ba0 TCPv4 0x000017292cf0 TCPv4 0x0000174e2cf0 TCPv4 0x0000174f9440 TCPv4 0x000017527cf0 TCPv4 0x0000175288b0 TCPv4